Warning Worms
The attacks of mid-2017 were a painful warning of what can happen when hackers sow their malware seeds on systems that have no way of controlling the long-standing risks inherent in protocols and tools like NTLM and DCE/RPC. The best way to control those risks is to limit the use of these authentication protocols to cases of verified need, adding MFA challenges and real-time monitoring and analysis capabilities around them.
In the aftermath of NotPetya, researchers found that after the initial infection, the attackers used a combination of Mimikatz, PsExec, and WMI to steal credentials and continue spreading from machine to machine, holding data ransom or outright destroying it.
Among the victims were major international corporations, some of which suffered millions in damages and spent months restoring operations. Even more alarming, sites hacked by NotPetya but not activated in July distributed yet more malware in October. This attack, called BadRabbit, was smaller but showed evidence of sophisticated planning and collaboration — fueling concerns that those responsible have more devious tricks in their arsenal.
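The monitoring the article recommends for NTLM, and the PsExec-style spread it describes, can be turned into a concrete detection rule. The following is an added example, not code from the article: it assumes Windows Security and System events have already been exported as JSON with the field names shown, and the sample events and the allowlist of hosts with a verified need for NTLM are constructed for illustration.

```python
"""Flag NTLM network logons from unverified hosts and PsExec-style service installs.

Added example (not from the original article). Assumes events exported as JSON
with the field names used below; sample events and the allowlist are constructed.
"""
import json

# Hosts with a verified, documented need to authenticate with NTLM (constructed).
NTLM_ALLOWLIST = {"legacy-scanner01"}

# Constructed sample events in the shape of Windows Security / System log entries.
SAMPLE_EVENTS = [
    # Normal Kerberos network logon: should not alert.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "WorkstationName": "fileserver02", "TargetUserName": "alice", "IpAddress": "10.0.0.12"},
    # NTLM network logon from a host with a verified need: should not alert.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "WorkstationName": "legacy-scanner01", "TargetUserName": "svc-scan", "IpAddress": "10.0.0.50"},
    # NTLM network logon from an unlisted host: alert (possible stolen-credential reuse).
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "WorkstationName": "ws-frontdesk", "TargetUserName": "admin", "IpAddress": "10.0.0.77"},
    # Service installed under PsExec's default service name: alert (remote execution).
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "Computer": "ws-frontdesk"},
]


def alerts_for(events, ntlm_allowlist=NTLM_ALLOWLIST):
    """Return one alert dict per suspicious event; an empty list means nothing fired."""
    found = []
    for ev in events:
        eid = ev.get("EventID")
        # 4624 / logon type 3 / NTLM = network logon that did not use Kerberos.
        if (eid == 4624 and ev.get("LogonType") == 3
                and ev.get("AuthenticationPackageName") == "NTLM"
                and ev.get("WorkstationName") not in ntlm_allowlist):
            found.append({"rule": "ntlm-network-logon-unverified",
                          "host": ev.get("WorkstationName"),
                          "user": ev.get("TargetUserName"),
                          "src": ev.get("IpAddress")})
        # 7045 = new service installed; PSEXESVC is PsExec's default service name.
        elif eid == 7045 and str(ev.get("ServiceName", "")).upper() == "PSEXESVC":
            found.append({"rule": "psexec-service-install",
                          "host": ev.get("Computer"),
                          "image": ev.get("ImagePath")})
    return found


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

In a real deployment the allowlist is the output of the "verified need" review the article calls for, so every NTLM logon outside it is worth an analyst's attention.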