Posted May 18, 2017
In a recent briefing, LookingGlass Threat Researcher Steven Weinstein half-jokingly referred to the recent WannaCry attack as a “DDoS attack against security researchers.” This commentary has been making the rounds among security experts this week, and refers to the fact that the WannaCry attack was definitely high-visibility (it hit hundreds of thousands of machines), newsworthy (it impacted hospitals, where real lives, not just data and money, were on the line), and it spread on its own without requiring user action.
As an aside, we actually think the WannaCry headlines miss the two most important points; first, that the most basic routine patching discipline mitigates the risk of this particular campaign, and second the much bigger story that this was allegedly the result of nation-state tools being leaked and then repurposed. But those are both topics for another blog post on another day.
Every government body, Board of Directors, and news outlet wanted details and easy-to-understand answers about the campaign, resulting in last week’s news cycle being an all-WannaCry, all-the-time playlist. It only makes sense that most mainstream consumers, executives, and government officials thought WannaCry was the only big thing that’s happened in the cyber threat space for the past week.
Here are some bigger – and arguably more impactful – cybersecurity stories from the “In Case You Missed It” department:
- DocuSign Massive Phishing Campaign: This attack masquerades as invoices and other “important” documents that require signatures, seemingly via e-document giant DocuSign.
Now, a phishing campaign using poisoned attachments is hardly new, but what makes this attack important is that it was not random. According to reports, recipients were targeted specifically because they are DocuSign users/account holders. As a result, not only is the DocuSign brand tarnished because of lookalike emails and typo-squatting domains being used (docusgn.com/dousign.com/etc.), but the attack was enabled by a data breach at DocuSign – a breach that the company was reportedly unaware of until the phishing campaign struck. One question raised among security researchers was why weren’t such obvious typo-squatting, trademark-infringing domains noticed, shut down and/or recovered by DocuSign when they were registered, which in many cases was months or even years ago?
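The question of why lookalike domains went unnoticed comes down to brand monitoring. The following is an added example, not LookingGlass code: it flags observed sender or newly registered domains whose registrable label sits within a small edit distance of the brand, using the two lookalikes quoted above as constructed input. It assumes the registrable label is simply the second-to-last DNS label (no public-suffix handling, so `example.co.uk` is not parsed correctly).

```python
from typing import List, Tuple

BRAND = "docusign"      # the brand label being monitored
MAX_DISTANCE = 2        # labels this close to the brand are treated as lookalikes


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # deletion
                           cur[j - 1] + 1,           # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Assumption: the registrable label is the second-to-last DNS label."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain: str, brand: str = BRAND,
             max_distance: int = MAX_DISTANCE) -> Tuple[str, int]:
    """Return (verdict, edit distance of the registrable label to the brand)."""
    labels = domain.lower().strip(".").split(".")
    label = registrable_label(domain)
    distance = levenshtein(label, brand)
    if label == brand:
        return "exact", distance                 # brand is the registered name
    if brand in labels:
        return "brand-as-subdomain", distance    # e.g. docusign.<other-domain>
    if distance <= max_distance:
        return "lookalike", distance             # typo-squat candidate
    return "unrelated", distance


def flag_lookalikes(observed: List[str]) -> List[Tuple[str, str, int]]:
    """Return every observed domain that is not an exact brand registration."""
    return [(d, *classify(d)) for d in observed if classify(d)[0] != "exact"]


if __name__ == "__main__":
    # Constructed sample: the two lookalikes named in the post plus controls.
    sample = ["docusign.com", "docusgn.com", "dousign.com",
              "docusign.evil-example.com", "example.com"]
    for hit in flag_lookalikes(sample):
        print(hit)
```

In practice the observed list would come from inbound mail sender domains or a newly-registered-domain feed, and hits would be routed to a takedown or blocklist workflow.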
- Election Hacking Stories and Concerns Spread Worldwide: In the wake of well-publicized hacking stories about the U.S. election, as well as the last-minute breach of the Macron campaign prior to the French presidential vote (an action that some reports say may be linked to U.S. neo-Nazis), campaigns in the upcoming UK general election have been warned to expect attempts at meddling and data theft. Even Iran, a well-known actor in global cybercrime and nation-state hacking, is worried about its own highly consequential election as evidence of hacking grows. The acceleration of news and activity in this sphere clearly raises real and thorny concerns regarding the integrity and security of future elections, across all cultures and geographies.
- Risk of the Internet of Things (IoT): Perhaps the most light-hearted (or scary, depending on your perspective) story comes from the International One Conference in the Netherlands. In a display that left many experts stunned, 11-year-old (that’s sixth grade for those of us in the U.S.) Reuben Paul used a $20 Raspberry Pi computer to demonstrate live on stage how he could hack some of the Bluetooth-enabled devices in the room and “weaponize” a talking teddy bear. While this may seem just a bit of fun, his talk raises real questions about the level of thought (or lack thereof) given to security in the exploding field of internet-enabled <insert household item here> and the so-called Internet of Things (IoT).
From our perspective, these three stories have two things in common. First, they went almost completely unnoticed last week while everyone was absorbed with the WannaCry attack.
Second and more importantly, these three stories reflect a variety of very serious, long-term issues that have bigger implications than that of WannaCry. The unfortunate truth behind WannaCry is that simple, routine patching of systems (block and tackle) would have prevented this attack. But the threats in these other drowned-out stories – continued lack of user awareness, spearphishing via weaponized domain names, insecure election technologies, and security uncertainty with IoT devices – are big, structural concerns that will still be with us long after the flash-in-the-pan of WannaCry is forgotten.