
Alibaba Cloud's Wu Hanqing: the ransomware outbreak exposes government and enterprise network security mistakes


Since May 12, the ransomware worm known as WannaCrypt has spread on a large scale around the world. Nearly 100 countries, including Britain, Russia and Italy, have suffered large-scale attacks, and China has not been spared. Victims are required to pay Bitcoin to unlock their files.

At least 40 medical institutions in the UK have had their internal networks compromised, and large enterprises such as Megafon, a Russian telecommunications company, have also been hit. The same has happened in China, where universities, state-owned enterprises and government agencies have been the hardest hit.

In this incident, PetroChina gas stations in many cities across the country were affected: for the time being they could not accept Alipay, WeChat, UnionPay or other online payment methods, only cash. At the same time, to guard against the ransomware, many government agencies suspended services. For example, Sanya suspended the handling of traffic violations and vehicle management business; Luoyang suspended traffic police, household registration and entry-exit services; and Zhuhai urgently suspended provident fund services.

Government and enterprise victims: the danger was always there, but it has finally attracted attention

Compared with previous network security incidents, the distinctive "feature" of this one seems to be that it erupted on a large scale specifically inside government and enterprise private networks. Why?

As for the domestic situation, many articles have pointed to the direct reason that enterprises, institutions and government agencies were hit: WannaCry's propagation channel, which spreads over port 445. Because there had been many computer intrusions through port 445 before, Chinese operators blocked port 445 for individual users, so attackers cannot reach these ports remotely over the Internet, which directly prevents the SMB vulnerability from being exploited. The physically isolated campus networks and government and enterprise intranets, however, are independent and had no such block in place, so the spread was concentrated in such private networks.
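As an added example that is not part of the article, the lateral spread pattern described above can be watched for from the defender's side: a host inside a flat private network suddenly contacting many peers on TCP 445 within a short window. The flow-record format and the sample records below are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records in a made-up "<ISO time> <src> <dst> <dport>" format:
# one host (10.1.0.7) sweeping twelve neighbours on 445 within 12 seconds,
# and one ordinary client (10.1.0.50) touching two file servers minutes apart.
SAMPLE_FLOWS = "\n".join(
    [f"2017-05-12T10:00:{i:02d} 10.1.0.7 10.1.0.{100 + i} 445" for i in range(12)]
    + [
        "2017-05-12T10:00:05 10.1.0.50 10.1.0.9 445",
        "2017-05-12T10:00:06 10.1.0.50 10.1.0.9 80",
        "2017-05-12T10:02:00 10.1.0.50 10.1.0.10 445",
    ]
)


def parse_flows(text):
    """Parse the constructed flow format into (time, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def smb_fanout_sources(flows, window_seconds=60, threshold=10, port=445):
    """Return {src: peak_peer_count} for every source that reached at least
    `threshold` distinct hosts on `port` within any window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        left = 0
        peak = 0
        for right, (ts, _) in enumerate(events):
            # Slide the window's left edge forward until the span fits `window`.
            while ts - events[left][0] > window:
                left += 1
            peak = max(peak, len({dst for _, dst in events[left:right + 1]}))
        if peak >= threshold:  # a normal client stays well below this
            flagged[src] = peak
    return flagged
```

With the defaults the sweep from 10.1.0.7 is flagged with 12 peers while the ordinary client is not; the threshold and window should be tuned to the file-sharing patterns of the network being monitored.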

The ransomware used the "Eternal Blue" 0day vulnerability from the National Security Agency (NSA) hacking toolkit leaked in April, although Microsoft had actually released a patch for this vulnerability as early as March this year.

This may expose some misunderstandings about enterprise security governance among domestic governments, institutions and some enterprises. Many key departments in China, such as petroleum, subways, and colleges and universities, often set up physically isolated private networks for network security reasons.

Wu Hanqing, chief security researcher at Alibaba Cloud, said, "In fact, whether or not you use physical isolation has nothing to do with your security level, but in China, because of a superstitious faith in physical isolation, they think they are very safe." This is also why so many key departments in China were affected: the same faith in physical isolation leaves their patch upgrades and security responses with certain defects. Their intranets may also run very old systems, such as Windows 2000. It seemed there was no problem before, but only because no ransomware had yet exposed it.

He pointed out that in this case ransomware was more destructive because it could not be removed simply with anti-virus software. If the system had to be reinstalled, the business would be interrupted and the problem exposed. In fact, the internal insecurity of these physically isolated private networks has always existed. Their ancient systems have been running while "sick" (there are probably many viruses on them), but they never stopped serving before. This ransomware exposed the problem.

Now that we cannot fill up at the gas station or get a license plate at the vehicle management office, the problem has finally attracted society's attention.

From Wu Hanqing's description, it is clear that today, with the Internet so pervasive, real physical isolation of government and enterprise private networks is rarely achievable. For example, data on a USB stick inserted into a computer may have been downloaded over the network; some companies install two network cards in a server, one for the internal network and one for the external network, but both sit in the same computer, which defeats the point of physical isolation. "It's like fooling yourself."

He believes that enterprises and institutions should establish security management systems, which have nothing to do with physical isolation, and should instead adopt the most advanced security governance technology and increase investment in security.

Interestingly, Alibaba Cloud pointed out that many enterprises on the cloud did not suffer similar heavy losses this time. Alibaba Cloud believes this reflects some of the benefits of moving enterprises to the cloud: dedicated security experts help users assess such events, for example by tracking global network security and studying new patches so that users can be reminded to apply them. Alibaba Cloud said that after the theft of the NSA tools in mid-April, it reminded users to fix the vulnerabilities involved in this incident.

The long-absent large-scale "epidemic" reappears? There may be several more in the future

In recent years we have occasionally heard that enterprises including Yahoo, NetEase Email, JD, and even, recently, Little Red Book have suffered hacker attacks resulting in user data leaks. Such network security incidents are endless.

In retrospect, however, a virus on such a scale that it trends on social media and gets reported there seems rare, apart from "Panda Burning Incense" several years ago. One cannot help asking: what is special about this virus?

Wu Hanqing said, however, that this virus is not very different from the many worms and ransomware that have emerged in recent years. What is unique this time is probably the encryption used: according to public reports, the encryption algorithm is essentially impossible to crack at the current level of technology.

Unless anti-virus software intercepts it after infection but before encryption, the only remedy for a system infected with the ransomware is to quickly reinstall the system and software and restore the data from existing backups; otherwise one can only find the source and have it hand over the key. There is almost no other way.

Wu Hanqing pointed out that the lethality and the scale of impact are related to two factors.

The first is the disclosure in mid-April of NSA's "Eternal Blue" 0day vulnerability (Microsoft vulnerability number: MS17-101). He said there had previously been few vulnerabilities in basic software with as large a footprint as Windows, which makes this vulnerability inherently very destructive.

Secondly, it is also related to some new methods used by ransomware. In the black market, extortion through vulnerabilities and attacks has existed for a long time, but ransom demands based on encryption have only emerged in recent years.

He said that, through cloud data monitoring in the second half of last year, Alibaba Cloud had in fact predicted that ransomware would explode on a large scale this year. Now ransomware is prevalent and has run into a high-risk vulnerability; the two together led to this outbreak. He predicted that similar large-scale events would become more and more likely:

I can responsibly say that this is definitely not the first time. This is just the beginning. I expect there will be another three to four events of similar scale this year.

He explained that ransomware gradually gained ground in the second half of last year. The difference was that at that time it exploited vulnerabilities in other software rather than Windows, but the methods of exploitation and of demanding ransom were similar. Therefore, they had a hunch there might be more this year.

As for what measures enterprises should take to prevent similar events, Wu Hanqing first emphasized that backups must be done well. "This is the top priority for every CIO."

Secondly, "today's problem is not a problem of Windows security vulnerabilities, but a problem of the entire enterprise's security governance". They observed last year that any insecure software used by an enterprise may become a target for extortion. Future ransomware may therefore exploit other vulnerabilities in the system, but its ultimate destructive power will be similar. Enterprise security should be taken more seriously and more should be invested in it, because the opportunity cost of network security is high:

Apart from restoring the system, there is no second way, and this may directly lead to the bankruptcy of an enterprise.