Researchers from Cisco’s Talos Intelligence Group offer advice on how to thwart wiper malware, which attempts to destroy systems and/or data.
Cisco’s Talos Intelligence Group (TIG) has issued a warning. In the white paper Wiper Malware: Attacking from the Inside, author Vitor Ventura, technical lead and security researcher at TIG, with contributions by Martin Lee, technical lead and manager of Talos Outreach EMEA, advises that adversaries are changing their attack methodology. Here’s an excerpt from the paper:
“A wiper is a malware with the sole intention of destroying systems and/or data, usually causing great financial and/or reputation damage. The motivation behind these [wiper] attacks may be political, aimed at generating publicity, or it can also be pure and simple artifact destruction with the intention of preventing a forensics investigation. In the latter, this is usually preceded by data-gathering and exfiltration operations, which recently became CISOs’ biggest concerns regarding cyber attacks.”
As to a wiper’s effectiveness, the two researchers believe it correlates directly with the speed at which the malware can destroy digital information, and they single out three targets:
- Backups: Most wipers delete volume shadow copies as well as the backup files themselves, so that the victim has nothing to restore from.
- Boot section data: The first 10 sectors of the disk, which include the master boot record (MBR) in sector 0, are either erased or overwritten with a new boot loader, leaving the system unable to boot.
- Data files: An organization’s data is an obvious target. Ventura and Lee have found that wipers either overwrite the file’s header or overwrite a certain number of bytes at random locations throughout the file. In either case the affected files are rendered unusable. Additionally, the authors caution that wipers using either method also destroy the master file table (MFT) of the NTFS file system used by recent versions of Windows, further reducing the likelihood of data recovery.
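The three targets above leave distinct artifacts that a responder can look for. The following is an added example written for this article, not code from the Talos paper: it flags process events whose command lines destroy shadow copies or backups, sanity-checks a raw copy of sector 0 for a valid MBR, and compares a file’s leading bytes against the magic expected for its extension to detect header overwrites. The command-line patterns, magic table, and sample events are constructed assumptions for the demonstration.

```python
import re

# Command lines commonly used to destroy backups before wiping. The list is an
# assumption for this example, not a catalogue taken from the Talos paper.
BACKUP_DESTRUCTION_PATTERNS = [
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)",
    r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no",
]
_BACKUP_RE = re.compile("|".join(BACKUP_DESTRUCTION_PATTERNS), re.IGNORECASE)


def flag_backup_destruction(events):
    """Return the events whose command line matches a backup-destruction pattern.
    Each event is a dict with at least 'host', 'user' and 'cmdline' keys
    (the shape of a process-creation log reduced to the fields used here)."""
    return [e for e in events if _BACKUP_RE.search(e.get("cmdline", ""))]


MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries, then the 0x55AA signature


def mbr_looks_valid(sector0: bytes) -> bool:
    """Sanity-check a raw copy of sector 0: the boot signature must be present
    and every partition-entry status byte must be 0x00 (inactive) or 0x80
    (bootable). A wiped or zero-filled sector fails this check."""
    if len(sector0) != MBR_SIZE or sector0[510:512] != b"\x55\xaa":
        return False
    for i in range(4):
        status = sector0[PARTITION_TABLE_OFFSET + 16 * i]
        if status not in (0x00, 0x80):
            return False
    return True


# Well-known magic bytes for a few common types.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".exe": b"MZ",
}


def header_mismatch(filename: str, data: bytes):
    """True when the extension is known but the leading bytes do not match its
    magic (a sign that the header was overwritten); False when they match;
    None when the extension is unknown and no verdict is possible."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magic = MAGIC.get(ext)
    if magic is None:
        return None
    return not data.startswith(magic)


# Constructed sample process events (hosts, users and paths are invented).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "C:\\Windows\\System32\\vssadmin.exe list shadows"},
    {"host": "WS17", "user": "CORP\\jdoe",
     "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS17", "user": "CORP\\jdoe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "WS17", "user": "CORP\\jdoe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "DC01", "user": "CORP\\admin",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
]

# Constructed sector-0 images: one with a bootable partition entry and a
# signature, one zero-filled as a wiper would leave it.
_good = bytearray(MBR_SIZE)
_good[PARTITION_TABLE_OFFSET] = 0x80
_good[510:512] = b"\x55\xaa"
GOOD_MBR = bytes(_good)
WIPED_MBR = bytes(MBR_SIZE)


if __name__ == "__main__":
    for e in flag_backup_destruction(SAMPLE_EVENTS):
        print(f"backup destruction on {e['host']} by {e['user']}: {e['cmdline']}")
    print("good MBR valid:", mbr_looks_valid(GOOD_MBR))
    print("wiped MBR valid:", mbr_looks_valid(WIPED_MBR))
    print("report.pdf header overwritten:",
          header_mismatch("report.pdf", b"\x00" * 64))
```

The magic-byte check only reports the header-overwrite case; a wiper that scatters writes through the body of a file leaves the header intact, so a size-and-hash comparison against a known-good backup catalogue is needed to catch that variant.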
How to mitigate a wiper malware attack
The researchers note that mitigating a wiper attack requires more than existing technology, and they suggest organizations take the following steps.
1: Cybersecurity incident response plan (CSIRP): Rapid response is predicated on knowing what to do, and that’s where CSIRPs come into play. From the TIG white paper: “The CSIRP needs to have clear definition of roles and responsibilities. These cannot be limited to the cyber security department, or even to the IT department. … Everyone in the organization needs to know their role, and what kind of decisions are expected from them. This includes the legal and public relations departments.”
2: Cybersecurity-aware business continuity plan: Most businesses have continuity plans for challenging situations, both physical and digital. Ventura stresses that it is crucial to include recovery from wiper attacks in continuity planning, and in particular to protect the organization’s backup infrastructure, since backups are the first thing a wiper goes after. To accomplish that, the authors suggest:
- Running backup software on non-Windows systems, so that a wiper built for the Windows estate cannot reach the backup server through the same path;
- Segmenting the backup network from the production network; and
- Using dedicated usernames and passwords for the backup systems, not shared with the rest of the environment, so that stolen domain credentials do not grant access to the backups.
3: Risk-based patch management program: Ventura emphasizes the importance of reducing a company’s attack surface by keeping all software up to date. However, applying software patches can be disruptive, which is why IT departments need to carefully weigh the risk of remaining vulnerable against the risk of affecting business operations.
4: Network and user segregation: One of the most important aspects of damage mitigation is network segregation, which is neither simple nor easy to accomplish; Ventura may have a solution though: “Intent-based networks can make this task [network segregation] much easier and quicker. Even if the network segregation is not applied during business-as-usual operations, having the capability to perform emergency segregation can make the difference between an attack having a severe impact on the business, or just being a minor disruption.”
User segregation, by contrast, cannot be deferred to an emergency. The Talos white paper categorically states that user segregation must be at the core of a business’ operations. The paper’s guidance on achieving it is:
- Not every user needs to log on to every computing system;
- Privileged credentials should not be used on regular workstations or servers; and
- Privileged credentials must be segregated and only used on trusted workstations specifically built for administrative tasks.
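The last two points are checkable from logon telemetry: if privileged accounts may only be used on dedicated administrative workstations, any interactive logon by such an account elsewhere is a policy violation worth alerting on. The following is an added example for this article, not code from the Talos paper: it runs that rule over a constructed sample of Windows Security event 4624 (successful logon) records reduced to the fields used here. The account names, host names, privileged-account set and admin-workstation set are invented assumptions.

```python
# Constructed sample of 4624 events, reduced to the fields used here. The
# "Computer" field is the host that logged the event, i.e. the machine the
# account logged on to. All names are invented.
SAMPLE_LOGONS = [
    {"EventID": 4624, "Computer": "PAW-01", "TargetDomainName": "CORP",
     "TargetUserName": "da-jsmith", "LogonType": 2},
    {"EventID": 4624, "Computer": "WS-ACCOUNTING-07", "TargetDomainName": "CORP",
     "TargetUserName": "da-jsmith", "LogonType": 10},
    {"EventID": 4624, "Computer": "WS-ACCOUNTING-07", "TargetDomainName": "CORP",
     "TargetUserName": "jsmith", "LogonType": 2},
    {"EventID": 4624, "Computer": "SQL-02", "TargetDomainName": "CORP",
     "TargetUserName": "svc_sql", "LogonType": 5},
    {"EventID": 4624, "Computer": "FS01", "TargetDomainName": "CORP",
     "TargetUserName": "da-jsmith", "LogonType": 3},
    {"EventID": 4624, "Computer": "WS-HR-03", "TargetDomainName": "CORP",
     "TargetUserName": "da-mlee", "LogonType": 2},
    {"EventID": 4625, "Computer": "WS-HR-03", "TargetDomainName": "CORP",
     "TargetUserName": "da-mlee", "LogonType": 2},
]

# Assumed policy inputs: the privileged accounts and the trusted admin
# workstations (privileged access workstations) they are allowed to use.
PRIVILEGED_ACCOUNTS = {"CORP\\da-jsmith", "CORP\\da-mlee"}
ADMIN_WORKSTATIONS = {"PAW-01", "PAW-02"}

# Logon types that leave reusable credential material on the target host:
# 2 interactive, 7 unlock, 10 RemoteInteractive (RDP), 11 cached interactive.
# Type 3 (network) logons, e.g. a PAW mapping a share on a file server, do
# not place the account's credentials on that server and are not flagged.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 7, 10, 11}


def find_privileged_logon_violations(events, privileged, admin_hosts):
    """Return (account, host, logon_type) for each successful logon of a
    privileged account onto a host outside the admin-workstation set, using a
    logon type that exposes the credentials on that host."""
    admin_hosts = {h.upper() for h in admin_hosts}
    violations = []
    for e in events:
        if e.get("EventID") != 4624:
            continue
        account = f'{e["TargetDomainName"]}\\{e["TargetUserName"]}'
        if account not in privileged:
            continue
        if e["LogonType"] not in CREDENTIAL_EXPOSING_LOGON_TYPES:
            continue
        host = e["Computer"].upper()
        if host in admin_hosts:
            continue
        violations.append((account, host, e["LogonType"]))
    return violations


if __name__ == "__main__":
    for account, host, logon_type in find_privileged_logon_violations(
            SAMPLE_LOGONS, PRIVILEGED_ACCOUNTS, ADMIN_WORKSTATIONS):
        print(f"ALERT: {account} logged on to {host} (logon type {logon_type})")
```

In production the privileged-account set should be derived from group membership (Domain Admins and equivalent tiers) rather than maintained by hand, and the rule should be paired with the preventive control of denying those accounts interactive logon to non-admin hosts through Group Policy user-rights assignments.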
5: Cybersecurity technology stack: Businesses should not entrust their digital environment to a single cybersecurity technology. As to why, Ventura repeatedly points out that wipers are built to detect, and work around, the antimalware products most commonly deployed. Organizations need overlapping layers of security so that an attacker cannot defeat the defenses by evading one product. To build out an organization’s cybersecurity technology stack, the author suggests the following:
- EDR technology to reduce time to detect and time to recover from wiper malware attacks;
- Sandboxed execution, which allows security team members to analyze software behavior before allowing it on the company network; and
- Network-level tools, such as intrusion detection systems and intrusion prevention systems, capable of detecting and stopping adversaries’ intrusion attempts.
Besides the above, Ventura and Lee are encouraged by next-generation tools capable of finding malware patterns in encrypted traffic, adding that the tools, “… are incredibly useful in the detection and prevention of data exfiltration and ransomware.”
The bottom line
The main takeaways for cybersecurity pros are:
- Always consider internal and external networks suspect;
- Prompt action will reduce the overall impact of a wiper attack;
- Adversaries only need one way in, while security personnel need to defend every possible entry point.