By Joshua Brant
This week, we’ve heard about the revival of two old ‘friends’ – SamSam and Spectre.
SamSam is ransomware credited for affecting high-profile targets in healthcare, financial, government and education spaces. It has been around since 2015 but captured national recognition over the past few months – most notably impacting the Atlanta city government in March.
In that instance, effects of the compromise were so severe that basic city functions were unavailable – citizens couldn’t pay bills, police officers couldn’t write tickets, even Wi-Fi was unavailable at Hartsfield-Jackson airport. While it’s unclear whether the city paid the ransom, it did spend nearly $3 million in emergency cleanup from the attack.
As Atlanta has worked to restore services and rebuild its reputation, we have continued to learn about the ransomware that wreaked havoc in their environment. Research conducted by security firm Sophos indicates that initial assumptions about SamSam may not have been accurate. Sophos determined that far more ransom money has been collected from SamSam than originally thought – upwards of $6 million, to date.
Through processes of cryptocurrency monitoring, they determined that ransoms have occurred across many industry verticals, including public and private organizations. Nearly 75% of the attacks have occurred within the US, with the remainder surfacing in Canada, the UK and middle east.
We now know that, unlike other types of ransomware like WannaCry or NotPetya, SamSam does not spread itself with worm-like capabilities. Instead, it relies upon a manual process of propagation – meaning attackers must spend a great deal of time understanding the victim’s environment and defenses. After gaining network access, the attacker focuses on privilege escalation to deploy and execute malware with PsExec or PaExec. After execution, encryption begins very quickly, and ransom demands of up to $50,000 are made to the victim.
SamSam encrypts not only standard document types but also system configuration files. So, in situations where backups include only documents and similar files, restoration will not be a viable recovery mechanism – reimaging will be necessary.
The initial vulnerabilities exploited to gain entry and deploy SamSam were against the JBoss application server or against vulnerabilities in Microsoft’s IIS and FTP servers, in some cases. As always, keeping systems patched is key to mitigating these vulnerabilities. You may find specific information about the vulnerabilities in the following CVEs.
Recently, researchers identified attackers using brute force login attempts against public-facing RDP servers as the primary attack vector. The best mitigation against such attacks is forcing complex passwords or implementing multi-factor authentication in your RDP and VPN environments. Endpoint protection tools are important for defense against SamSam and other variations of ransomware, along with the principle of least privilege.
Spectre is the vulnerability present in modern day processors that perform speculative execution. Through exploitation, attackers may be able to gain access to data located within a processor’s cache. The vulnerability was discovered by Google’s Project Zero and was publicly announced in January.
This week, students from the Austrian Graz University of Technology demonstrated a proof of concept for an attack called NetSpectre. This attack is based upon the original Spectre vulnerability, but in this case can be executed remotely over a network.
Experts indicate that execution of this attack is likely impractical but does broaden the potential attack surface to any affected device that has network connectivity. They also point out that exfiltration of large amounts of data would be extremely slow. However, small pieces of data, such as passwords could be stolen.
This is the first publicized Spectre modification used to generate an attack, which means that more attacks or malware could be around the corner. The LRS security team recommends that you make sure patches are up to -date, implement layered defenses, and continue to track the evolution of Spectre-related attacks.
About the author
Joshua Brant is our Security Subject Matter Expert; he focuses on helping customers identify gaps and achieve security goals. Prior to joining LRS, Joshua served for years as Chief Information Security Officer for a manufacturing corporation. He holds multiple certifications in the area of Information Security, including CISSP, CISM, and CCISO.