Legacy Software Breaches: A couple of lessons from history

Learning from History

As we here at Innoculator excitedly get ready for our product launch, we thought we would dive a bit deeper into a couple of pertinent case studies that helped us realise the extent of the dangers and problems inherent in securing your legacy software. These systems are usually integral to business operations (otherwise why would you keep them?), yet they can be challenging to secure. In this post, we’ll delve into two notable case studies where legacy software vulnerabilities led to significant security breaches.

Case Study 1: The WannaCry Ransomware Attack

The WannaCry ransomware attack occurred in May 2017 and targeted computers running Microsoft Windows. The ransomware encrypted files on infected computers and demanded ransom payments in Bitcoin to decrypt them. WannaCry spread rapidly using an exploit called EternalBlue, which was developed by the U.S. National Security Agency (NSA) and leaked by a group called The Shadow Brokers. The attack affected over 300,000 computers across 150 countries, including high-profile targets like the UK’s National Health Service (NHS).

Key Details

  • Date: The attack began on May 12, 2017, and was halted a few hours later on May 15, 2017.
  • Propagation: WannaCry spread using an exploit called EternalBlue, which was developed by the United States National Security Agency (NSA) and leaked by a group called The Shadow Brokers.
  • Impact: The attack affected over 300,000 computers across 150 countries, with total damages estimated to be in the range of hundreds of millions to billions of dollars.
  • Suspected Origin: Preliminary evaluations suggested that the attack originated from North Korea, and in December 2017, the United States and United Kingdom formally attributed the attack to North Korea. However, North Korea has denied any involvement.

Technical Details

  • Platform: Microsoft Windows
  • Exploit Used: CVE-2017-0145 (EternalBlue)
  • Written In: Microsoft Visual C++ 6.0
  • Filename: mssecsvc.exe
  • Ports Used: Server Message Block (SMB)

Impact on Healthcare

One of the most notable impacts of the WannaCry attack was on the National Health Service (NHS) in England. The attack led to the cancellation of thousands of appointments and operations, and in some areas, patients had to travel further to access emergency departments. At least 81 out of 236 trusts across England were affected, along with 603 primary care and other NHS organizations.

Response and Mitigation

  • Kill Switch: The spread of WannaCry was halted by the discovery of a kill switch by a security researcher named Marcus Hutchins.
  • Patches: Microsoft had released patches to close the EternalBlue exploit before the attack, but many organizations had not applied these patches.
  • Warnings: NHS Digital had issued critical alerts in March and April 2017, urging organizations to patch their systems.

Aftermath

The WannaCry attack was an eye-opener for the IT world. It highlighted the effects a mass attack can have on infrastructure and the reach such an attack can have from the “virtual world” into the physical. It also highlighted the dangers inherent in legacy software and the need for organizations to keep their systems updated with the latest patches, and it underscored the potential consequences of cyberattacks on critical infrastructure such as healthcare systems.

For more details, you can refer to:

  • CSO Online
  • Wikipedia
  • Investigation: WannaCry cyber attack and the NHS – NAO report

Case Study 2: Equifax Data Breach

The Equifax data breach happened between May and July 2017, exposing the personal information of 147.9 million Americans, 15.2 million British citizens, and about 19,000 Canadian citizens. The breach was caused by a vulnerability in the Apache Struts framework, which Equifax failed to patch. Attackers were able to move laterally within Equifax’s network due to inadequate segmentation and the use of plain-text passwords. The breach went undetected for months, and Equifax faced significant criticism for its handling of the incident.

Key Details

  • Date: The breach began in March 2017 and was publicly disclosed on September 7, 2017.
  • Propagation: The attackers exploited a vulnerability in the Apache Struts framework, which Equifax used for its online dispute portal.
  • Impact: The breach affected approximately 143 million consumers initially, which later grew to 148 million. This included sensitive information such as Social Security numbers, birth dates, addresses, and in some cases, driver’s license numbers.
  • Suspected Origin: The attackers were believed to be a group of hackers, but no specific individual or group has been officially identified as responsible.

Technical Details

  • Platform: Equifax’s online dispute portal
  • Exploit Used: CVE-2017-5638 (Apache Struts vulnerability)
  • Written In: Java (Apache Struts framework)
  • Filename: N/A
  • Ports Used: N/A

Impact on Consumers

The breach had a significant impact on consumers, exposing them to risks of identity theft and fraud. Equifax faced widespread criticism for its handling of the breach, including delays in notifying affected individuals and accusations of insider trading by top executives.

Response and Mitigation

  • Detection: Equifax discovered the breach in July 2017.
  • Public Disclosure: Equifax publicly disclosed the breach on September 7, 2017.
  • Patches: Equifax failed to apply the necessary patches to the Apache Struts vulnerability despite being alerted by the Department of Homeland Security.
  • Notifications: Equifax attempted to notify affected individuals and offered free credit monitoring services.
  • Investigations: Multiple federal agencies, including the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB), launched investigations into the breach and Equifax’s response.

Aftermath

The Equifax data breach highlighted the importance of applying patches for known security vulnerabilities in a timely manner. Interestingly, the CVE was released on the 10th of March, the initial exploitation of Equifax took place on the 12th of May, and Equifax detected the intrusion internally at the end of July. This gives an interesting timeline: the window from the release of a known CVE to its exploitation against Equifax was 64 days, and a further 81 days passed from May 12th until the intrusion was detected at the end of July. If you consider our posts on the “Patch Gap”, these numbers are significant, although it must be borne in mind that this was 8 years ago.
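To make the two “Patch Gap” windows above measurable for your own estate, here is a small calculator added to this post as an illustration (it is not Innoculator product code). It takes the dates the post quotes for CVE-2017-5638 and counts both windows the way the post does (counting both end days, so 10 March to 12 May is 64 days). The detection date of 31 July stands in for “end of July”, and the host names and patch dates in the sample fleet are constructed, not Equifax’s real systems.

```python
"""Patch-gap calculator: how long a known CVE stayed exploitable and how long
an intrusion went unnoticed, plus a per-asset exposure report.

Added example for this post; not Innoculator product code.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional


def days_between(start: date, end: date, inclusive: bool = True) -> int:
    """Calendar days from start to end.

    The post counts both end days (10 March -> 12 May = 64 days), so
    inclusive counting is the default; pass inclusive=False for the
    plain difference (63 days).
    """
    if end < start:
        raise ValueError("end date precedes start date")
    span = (end - start).days
    return span + 1 if inclusive else span


@dataclass(frozen=True)
class VulnTimeline:
    cve: str
    disclosed: date            # CVE / vendor advisory publication
    first_exploited: date      # earliest known exploitation against the org
    detected: Optional[date]   # when the org noticed; None = still undetected

    def time_to_exploit(self) -> int:
        """Days in which applying the patch would have prevented the intrusion."""
        return days_between(self.disclosed, self.first_exploited)

    def dwell_time(self, as_of: date) -> int:
        """Days the intrusion went unnoticed (up to as_of if never detected)."""
        end = self.detected if self.detected is not None else as_of
        return days_between(self.first_exploited, end)


def asset_patch_gaps(timeline: VulnTimeline,
                     patch_dates: Dict[str, Optional[date]],
                     as_of: date) -> Dict[str, dict]:
    """Per-asset report: days each asset stayed exposed after disclosure
    (0 if patched before disclosure, counted up to as_of if never patched)
    and whether it was still unpatched when exploitation began."""
    report = {}
    for asset, patched in patch_dates.items():
        end = patched if patched is not None else as_of
        exposed = 0 if end < timeline.disclosed else days_between(timeline.disclosed, end)
        still_unpatched = patched is None or patched > timeline.first_exploited
        report[asset] = {
            "exposed_days": exposed,
            "unpatched_when_exploited": still_unpatched,
        }
    return report


# Dates quoted in the post for the Struts vulnerability. "End of July" is
# taken as 31 July (assumption).
EQUIFAX_STRUTS = VulnTimeline(
    cve="CVE-2017-5638",
    disclosed=date(2017, 3, 10),
    first_exploited=date(2017, 5, 12),
    detected=date(2017, 7, 31),
)

# Constructed sample fleet (hypothetical hosts, not Equifax's real estate).
SAMPLE_PATCH_DATES: Dict[str, Optional[date]] = {
    "portal-web-01": None,                # never patched
    "portal-web-02": date(2017, 3, 20),   # patched within ten days
    "portal-web-03": date(2017, 6, 1),    # patched, but after exploitation began
}

if __name__ == "__main__":
    disclosure_day = date(2017, 9, 7)   # public disclosure date from the post
    print(f"{EQUIFAX_STRUTS.cve}: time-to-exploit {EQUIFAX_STRUTS.time_to_exploit()} days, "
          f"dwell time {EQUIFAX_STRUTS.dwell_time(disclosure_day)} days")
    for host, row in asset_patch_gaps(EQUIFAX_STRUTS, SAMPLE_PATCH_DATES, disclosure_day).items():
        print(f"{host}: exposed {row['exposed_days']} days, "
              f"unpatched when exploited: {row['unpatched_when_exploited']}")
```

Run it as-is and it reproduces the post’s 64 and 81 day figures; swap in your own CVE dates and a dump of patch-installation dates from your inventory to see which assets would have been exposed during the same kind of window.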

For more details, you can refer to:

  • Equifax data breach FAQ: What happened, who was affected, what was the impact? – CSO Online
  • 2017 Equifax data breach – Wikipedia
  • Equifax-Report.pdf – Oversight Committee