REvil / Sodinokibi: A case for better proactive cyber security
“An ounce of prevention is better than a pound of cure”.
Whatever way you quote this age-old adage, it's hard to argue against it. So it goes in the cyber security context as well: preventing cyber threats is always going to be better than curing them. For more than a decade now we have depended on a wide variety of tools designed to detect and prevent cyber threats before they affect us, typically vulnerability scanners, which continue to be widely used in proactive security programs all over the world.
In addition to this, we have a plethora of options in the “reactive” space as well (think “the cure”). Here we have tools like Endpoint Detection and Response (EDR), often bundled with Next Generation Anti-Virus (NGAV), which run on our endpoints (think “assets”) and continuously monitor them for threats. Just like in medicine, we need these “cures” to identify and treat the threats that manage to sneak past our proactive security scanners.
So we need both proactive and reactive tools, right?
Absolutely! In fact, “defense in depth” tells us we need even more tools and controls layered over each other, in addition to scanners and NGAV, for effective cyber defense. However, over the years, adding more tools or placing them in different Gartner Magic Quadrants has not really reduced our exposure to attacks. There are plenty of examples of high and not-so-high profile attacks and breaches (2017 WannaCry, anyone?), so let us unpack one of the more recent ones.
SeaChange International, a US-based leading supplier of video software solutions, confirmed that it was hit by a ransomware attack in April this year. You may not have heard of SeaChange, but it is listed on NASDAQ and counts BBC, Verizon and AT&T among its customers, reaching 50 million subscribers in 50 countries. Pretty big!
So, what do we know about this attack? The forensic analysis is still ongoing and details are sketchy, but we do know that it was caused by the ransomware known as REvil or Sodinokibi. We have been tracking this ransomware for more than a year based on information curated from our threat intelligence platform, ThreatWatch Attenu8; the earliest reports on it date from April of last year. We also know the two vulnerabilities this ransomware weaponizes: CVE-2018-8453, a Windows win32k.sys elevation-of-privilege flaw that the malware uses to gain SYSTEM once it is already running on a host, and CVE-2019-11510, an unauthenticated arbitrary file read in Pulse Secure VPN appliances that leaks credentials and gives the attacker a way in from the outside. Both are more than a year old, both have had patches available for a while, and both have been discussed online quite a bit, again in the context of this ransomware. Suffice it to say that patching these two vulnerabilities (or even one of them) makes your chances of getting hit by Sodinokibi much lower; it does not make them zero, since the same operators also get in through phishing and exposed remote desktop, so patching here is necessary rather than sufficient.
But then what went wrong at SeaChange? We can only speculate at the moment. However, two things emerge:
1. Their detection and response (reactive) solutions didn’t work as expected.
2. They failed to detect and patch one or both vulnerabilities which could have prevented the ransomware attack in the first place.
Which leads us to two new questions:
1. Was there too much reliance on the cure (EDR) rather than the prevention (vulnerability scanning)?
2. Why did the vulnerability scanning fail to detect the two vulnerabilities?
Let us try to answer 2. first. CVE-2018-8453 would have been easy to identify: it is a standard Windows vulnerability, and Microsoft (still) does a fairly good job of testing and patching its older products. However, and this is the key, most vulnerability scanners give no insight into how actively each vulnerability is being exploited in the wild (without additional threat-intelligence feeds). A scanner would give no signal that CVE-2018-8453 deserves priority over the hundreds of other vulnerabilities that need addressing on a typical “Patch Tuesday”; on its CVSS base score alone it rates as “high”, not “critical”, so if you patch purely in the order your scanner prioritizes, CVE-2018-8453 may not have made the cut. Not to say that this is what happened at SeaChange, but it looks like a likely scenario.
As for the second vulnerability, CVE-2019-11510, it affected the Pulse Secure VPN gateway SeaChange was using. VPN appliances and other network services are harder to cover with traditional tools: no agent can be installed on them, so detection depends on the scanner vendor having written an unauthenticated remote check for that specific product and version, and vendors prioritize writing such checks for some products over others. On top of that, appliances which are not managed as traditional endpoints often fall outside the scan scope altogether, so a vulnerability like CVE-2019-11510 can sit on the internet edge unnoticed even though it is trivially reachable by an attacker.
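To make the last two points concrete, here is a small Python example (added here; it is not code from ThreatWatch or Attenu8) that re-ranks a constructed set of scanner findings against a constructed exploitation-intel table, and separately flags internet-facing assets for which no scanner produced any result. The asset names, the “CVE-EXAMPLE-*” placeholder identifiers, the CVSS values and the scoring weights are all assumptions for illustration; only the two Sodinokibi CVEs come from the post.

```python
"""Re-prioritize scanner findings with exploitation intel and flag scan blind spots.
Added example; all inputs below are constructed, not real scanner output."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    scanned: bool  # True if any scanner actually returned results for this asset


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float  # base score exactly as the scanner reports it


# Constructed exploitation intel. In practice this comes from a threat-intel feed;
# the two Sodinokibi entries reflect public reporting, everything else here is made up.
EXPLOIT_INTEL: Dict[str, dict] = {
    "CVE-2018-8453": {"weaponized": True, "family": "Sodinokibi", "remote": False},
    "CVE-2019-11510": {"weaponized": True, "family": "Sodinokibi", "remote": True},
}


def priority(finding: Finding, assets: Dict[str, Asset],
             intel: Dict[str, dict] = EXPLOIT_INTEL) -> float:
    """CVSS plus a large bump for a weaponized CVE (so any weaponized finding
    outranks any non-weaponized one) and a further bump when a remote,
    pre-auth bug sits on an internet-facing asset. Weights are illustrative."""
    score = finding.cvss
    info = intel.get(finding.cve)
    if info and info["weaponized"]:
        score += 10.0
        if info["remote"] and assets[finding.asset].internet_facing:
            score += 5.0
    return score


def rank_by_cvss(findings: List[Finding]) -> List[Tuple[str, str, float]]:
    """What a scanner gives you on its own: ordering by base score alone."""
    return sorted(((f.asset, f.cve, f.cvss) for f in findings),
                  key=lambda t: t[2], reverse=True)


def rank(findings: List[Finding], assets: Dict[str, Asset],
         intel: Dict[str, dict] = EXPLOIT_INTEL) -> List[Tuple[str, str, float]]:
    """Ordering after the exploitation intel has been folded in."""
    return sorted(((f.asset, f.cve, priority(f, assets, intel)) for f in findings),
                  key=lambda t: t[2], reverse=True)


def unassessed(assets: Dict[str, Asset]) -> List[str]:
    """Internet-facing assets no scanner has results for: coverage blind spots.
    A VPN gateway that is not managed as an endpoint is the classic case."""
    return sorted(a.name for a in assets.values()
                  if a.internet_facing and not a.scanned)


# Constructed sample inventory and scanner output. "CVE-EXAMPLE-*" are placeholder
# identifiers, not real CVEs; all scores are illustrative.
ASSETS: Dict[str, Asset] = {
    "ws-042": Asset("ws-042", internet_facing=False, scanned=True),
    "web-01": Asset("web-01", internet_facing=True, scanned=True),
    "vpn-gw": Asset("vpn-gw", internet_facing=True, scanned=False),
}
FINDINGS: List[Finding] = [
    Finding("web-01", "CVE-EXAMPLE-1", 9.8),   # critical by CVSS, no known exploitation
    Finding("ws-042", "CVE-2018-8453", 7.0),   # only "high" by CVSS, but weaponized
    Finding("ws-042", "CVE-EXAMPLE-2", 5.3),
]

if __name__ == "__main__":
    print("scanner order:", [c for _, c, _ in rank_by_cvss(FINDINGS)])
    print("intel order:  ", [c for _, c, _ in rank(FINDINGS, ASSETS)])
    print("never scanned:", unassessed(ASSETS))
```

Run as-is, the scanner's own ordering puts the placeholder 9.8 at the top and CVE-2018-8453 second; once the intel is applied, CVE-2018-8453 moves to the top, and the VPN gateway shows up as an internet-facing asset nobody has assessed at all, which is exactly the gap a CVE-2019-11510 would hide in.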
As for the first question, no doubt an EDR solution is required for effective “defense in depth”. Unfortunately, in the absence of an effective proactive scanning solution, organizations tend to rely solely on reactive firefighting. However, if SeaChange was indeed using some sort of EDR and it failed to detect a widely known ransomware in time, that says a lot about the efficacy of the EDR model as well. More likely, even if the EDR solution did manage to detect active Sodinokibi within SeaChange’s network, the damage was already done. The “cure” was too little and too late.
While this event is still unfolding and more details will emerge in time, it is hardly a one-off. Events like this happen more often than we hear about them. Attackers are more motivated and relentless than ever before, and there is significantly more reliance on reactive measures than on proactive ones. Not because either approach is fundamentally better than the other, but because proactive solutions are just not able to highlight the potentially catastrophic threats early. The only way forward is a much stronger proactive security solution to complement whatever EDR/NGAV you have in place. Anything else might just be a headline waiting to happen.