[BreachExchange] Largest advertising company in the world still wincing after NotPetya punch

Destry Winant destry at riskbasedsecurity.com
Fri Jul 7 23:56:35 EDT 2017


https://www.theregister.co.uk/2017/07/07/ad_giant_recovering_from_notpetya/

The huge cyber attack that swept from Ukraine last week is still
affecting companies, and several have been hit pretty hard, including
the world's largest advertising business, UK-based WPP.

The malware attack, dubbed NotPetya because it masquerades as the
Petya ransomware, affected several multinationals running Microsoft
Windows. Most, if not all, confirmed cases stemmed from a malicious
update to MeDoc, Ukraine's most popular accounting software.

One week after the attack, a number of WPP's agencies are still
locked out of their network, with some staff only able to access
webmail. It is not alone: Maersk, AP Moller-Maersk, Reckitt Benckiser
and FedEx are also struggling to get back on their feet. It has
prompted analysts to wonder why some were more susceptible than
others.

WPP said it is "making steady progress towards resuming normal
operations in parts of the Group that continue to experience some
disruption". It said systems have been brought back online "in a
measured and prudent way, again in line with good practice".

Outsourced support

The advertising and PR group has hundreds of small agencies grouped
into six larger companies. The business signed an £800m cloud deal
with IBM at the end of 2014, which led to its in-house IT team being
transferred over to the company. Once the TUPE period ended, hundreds
of staff were made redundant or left, according to multiple sources.

One insider claimed the lack of technical support remaining at WPP may
have exposed the company to the attack.

He said IBM had not implemented a crucial central patch management
system yet, meaning one of its agencies had not had a Windows patch
for six months. Users were also given local admin rights, enabling the
malware to spread like wildfire on the network.

He claimed the agencies not affected had taken a more proactive
approach to maintaining systems because they either had a few IT
support staff left, or had legacy policies in place that meant they
were up to date. Others were unaffected because they mostly used
MacBooks.

The insider said: "The lack of technical experts on the ground
certainly exacerbated the problem."

IBM declined to comment.

WPP said it "had broadly patched as a response to WannaCry". However,
external and internal analysis showed that the malware could utilise
multiple vectors to spread, and the Microsoft-issued patch from March
2017 only mitigates one of these vectors.

"Upon becoming aware of the attack, WPP immediately shut down certain
systems to implement all precautionary measures to protect business
and client systems and data," the insider said. "It also deployed new
antivirus updates, designed specifically for this malware, as soon as
our global antivirus partner, Sophos, made them available.

"IBM has been working alongside our staff and IBMers have been
invaluable in working tirelessly to help WPP resolve this issue."

Mysterious malware

Andy Patel, security expert at F-Secure, said if a machine was
infected by the malware, but the user did not have admin rights and
other machines were patched, then the network would generally be safe.

He noted the most modern version of Windows contains a feature that
prevents passwords from being stored in plain text (instead storing
the hashes), which means the virus would not have been able to use
lateral movements to spread.

Some companies, such as Maersk, did direct business with Ukraine,
which would explain how the malware got on its system, the F-Secure
man added. "However, one victim we spoke to had no ties to the Ukraine
at all, so it is a mystery as to how they got infected. Its spread via
VPN is one possibility."

Patel also blamed a lack of resourcing as being one factor in leaving
some organisations more exposed. "So many companies under-resource
cyber security and IT, or they outsource it. In my earlier career
every company had their own IT department, now we are seeing companies
forgoing that. But if you have your IT guys, it is their job to make
sure things don't go wrong."

Brian Honan, independent security consultant and founder of Ireland's
Computer Security Incident Response Team, agreed that enabling local
admin rights, a lack of network segmentation and inadequate patching
are the emerging reasons as to why some organisations were more
exposed than others.

Wake-up call

However, he cautioned against blaming outsourcing, adding that it's
possible for a company with a large in-house IT team to be vulnerable
too. "Organisations should never outsource responsibility for
security," he said.

He added that although patching systems and removing local admin
rights were simple steps to prevent exposure, in many enterprises it
might not be as easy as it sounds. "For example, they may have legacy
in-house applications that run on certain versions. And then if you
patch a system, it may stop applications from running. So there is an
inherent cost.

"Likewise, with local admin access there are many accounting
applications that require local admin for applications to run. Also,
from an IT support point of view it can be easier to allow local
access rather than incur the cost of centralising it.

"Companies have to sit down and review the environments. I hate to use
the phrase 'a wake-up call' as there have been so many, but hopefully
after Petya and WannaCry people realise there are pretty basic things
they can do to increase security and make themselves resilient against
attacks."
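A host audit for the two controls the article's sources keep returning to, local admin membership and plaintext credential caching, added here as an example and not part of the article or of any vendor's tooling. It assumes the "modern Windows feature" Patel refers to is the WDigest UseLogonCredential setting; the Administrators group lookup uses ADSI so it runs on older Windows builds too.

```powershell
# Added audit example (not from the article): reports the two host-level
# conditions named as enabling NotPetya's spread, namely broad local
# admin rights and plaintext credential caching in LSASS.
# Assumption: the Windows feature quoted by Patel is taken to be the
# WDigest change (UseLogonCredential = 0). Run from an elevated prompt.

function Get-LocalAdminMembers {
    # Accounts in the local Administrators group; anything beyond the
    # built-in Administrator and Domain Admins is worth reviewing.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-WDigestSetting {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $value = (Get-ItemProperty -Path $path -Name UseLogonCredential `
        -ErrorAction SilentlyContinue).UseLogonCredential
    # Absent means the OS default applies: caching stays on for
    # Windows 7 / 2008 R2 even with the backport installed, and is off
    # for Windows 8.1 / 2012 R2 and later.
    if ($null -eq $value) { return 'not set (OS default)' }
    return $value
}

$report = [PSCustomObject]@{
    Computer       = $env:COMPUTERNAME
    LocalAdmins    = (Get-LocalAdminMembers) -join '; '
    WDigestCaching = Get-WDigestSetting
}
$report | Format-List

if ($report.WDigestCaching -eq 1) {
    Write-Warning 'WDigest keeps plaintext credentials in memory; set UseLogonCredential to 0.'
}
```

Run it across a fleet with Invoke-Command to see which agencies still have the weak settings the insider describes.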
