Despite WannaCry bringing in a fairly paltry amount in ransom considering the scale of the attack, the worst is far from over, experts have warned. Brace yourself: the same vulnerability that allowed WannaCry to spread across the globe in May can still allow far greater havoc. And South Africa is one of the most vulnerable countries in the world to cyberattacks.
EternalRocks, first detected by a Croatian security expert last week, includes more threats than WannaCry and is potentially more difficult to fight. It doesn’t include WannaCry’s kill switch. Also under way is Adylkuzz, discovered by researchers at ProofPoint. It is using hundreds of thousands of computers believed to be infected to mine virtual currency, reports AFP.
South Africa, meanwhile, is one of the most at-risk countries in the world.
A quick look at the stats. In 2014, South Africa was the most attacked country in Africa, amassing losses of R5-billion due to cybercrime. More recently, South Africa earned the dubious honour of being the global leader in economic crime, with 69% of companies affected; cybercrime is the fastest-growing economic crime, with a third of companies affected. The 2016 PwC Global Economic Crime Survey found a significant shift in South Africa towards external perpetrators between 2014 and 2016. It was becoming crucial to include cybercrime awareness in business continuity plans, said PwC Africa’s Junaid Amra. And although Africa was least affected by WannaCry, the attack did hit most of South Africa’s major cities.
IT security consultant Pieter Erasmus warns that South Africa’s lack of legislative protection is only the beginning.
Professor Basie von Solms, Director of the Centre for Cyber Security in the Academy for Computer Science and Software Engineering at the University of Johannesburg, agrees. He argues the problem may be far greater than estimated.
“Because we do not have compulsory reporting of cybercrime incidents, and because so many are swept under the carpet and cannot be included in statistics, it may actually be more than the two- to three-billion rand a year figure that is commonly quoted for South Africa,” he says.
Globally, ransomware extorted some $1-billion last year, and while WannaCry delivered relatively scant returns, the Washington Post points out that the use of bitcoin was probably strategic. The currency has risen in value in recent years (although the malware did precipitate a sharp drop), and its relative anonymity protects hackers, an attribute that has drawn considerable criticism.
It’s unlikely we’ll see the back of ransomware any time soon; rather, believes Erasmus, it’s likely to become a weapon in contested political spaces. “Countries wage war in the cyber domain,” he argues, citing the back-and-forth over whether North Korea was involved in the WannaCry attack. Ironically, he adds, vulnerable corporates and government departments in South Africa remain “two steps behind” rather than collaborating effectively to “smoke these guys out”.
Last week, however, State Security Minister David Mahlobo said national government was taking steps to make cyberspace more secure. These included the Cybercrime and Cybersecurity Bill, currently before Parliament, and several capacity building programmes set to run in consultation with tertiary institutions.
“These initiatives will bolster the capacity of government to respond to cyber-insecurity [and] create a skills base that will improve cybersecurity for the public and private sectors,” he said.
But none of these are short-term measures, and the Bill – although the revised version has been described as “much better” than its widely criticised predecessor – will have limited legal clout where cybercriminals are operating internationally.
“Legislation is very difficult to enforce,” Erasmus explains. This is partly because of international boundaries and limited traceability, but also due to the gruesome twosome of under-reporting and lack of transparency. Organisations, he says, fear the ensuing PR nightmare if data is stolen on a large scale.
“There are central organisations for reporting,” he says, such as the CSIR. “But cybercrimes are not reported for various reasons. Within organisations there is the perceived notion that it would create negative publicity.”
The public is owed better reporting, even if through channels like Anonymous, he argues. The blame for WannaCry, he believes, lies largely at the feet of the NSA.
This raises two questions. One, is Microsoft the bad guy for withholding the upgrade that could have slowed down WannaCry and similar attacks? And two, if state surveillance was the first vulnerability, does this apply to other countries where citizens’ information may be monitored in ways they are unaware of? Cyber spying and surveillance, after all, have been points of contention in South Africa.
To the first, Erasmus says Microsoft is in an “incredibly difficult position”. Strictly speaking, it did not withhold the upgrade. However, it sent it free to Windows 10 users and charged users of older operating systems a hefty fee; a move possibly intended to incentivise upgrades to Windows 10, but which backfired when droves of users were left vulnerable. Microsoft’s own data indicates that nearly two-billion users have not upgraded to Windows 10. Correspondingly, the majority of WannaCry victims were using Windows 7 or earlier. XP is still the third most popular OS worldwide.
“What is amazing from the recent attack is this: people have tools like antivirus and firewalls but don’t deploy them. It is astounding that the NSA or other organisations could operate with old and unpatched operating systems, delivering critical services like health. Using Windows XP is unthinkable. It’s very, very bad,” says Erasmus.
The second question is more difficult, in part because it is not entirely clear to what extent the South African government monitors citizens, through which channels, and, more specifically, how securely any information it does have – even if simply through administrative departments – is guarded. Not that the details are necessarily essential: any time you send or receive information electronically it is recorded somewhere, points out Erasmus. And regardless of exactly how much Big Brother knows about you, your privacy has long been invaded by corporates. “Google knows everything about you,” he points out. “Facebook knows everything about you.” Even if you’re vigilant now, chances are some time in the last decade, you’ve shared information that could leave you vulnerable.
The disconcerting reality: your security is probably already out of your hands, at least partially. Not only is it possible for your contacts to share your personal information (via apps or viruses); organisations also must be aware that their security is only as strong as the weakest link in the chain. Cyber-attacks no longer require an individual to take action, as with older viruses, Erasmus stresses. “Modern viruses can activate without requiring people’s actions. They are all also worms. If you have an organisation like a bank or government depot, it only takes one machine to get infected.”
This raises the million-bitcoin question: exactly how secure is the information stored about us in banking, corporate, healthcare and government department databases? Microsoft has spotted an opportunity in Africa, and issued a warning to South Africans to upgrade or face attacks. And yet users are often slow to upgrade, says Erasmus. At government level, the ICT security governance and minimum information security standards frameworks, set to be implemented by 2013, were delayed for years and it is still unclear to what extent they have been adopted. For individuals, one reason for not upgrading may be high data costs, which are still a factor even if upgrades are free. ISPs should incentivise users to download upgrades, Erasmus believes. If social traffic and entertainment can be incentivised, why not security upgrades?
WannaCry fundamentally changed the terms of cybersecurity, some argue. “We have almost certainly crossed the Rubicon in terms of quick-moving, globally disruptive ransomware attacks,” say analysts Ed McAndrew and Kim Phan. Companies must prepare accordingly, they add. “This variant of ransomware [infects] all computers networked with an infected computer — an attack type that is much more dangerous and increasingly common…an organisation’s cybersecurity is only as good as each individual user.”
Despite this somewhat sobering prognosis, efforts are under way to plug the gaps. George Michalakis, DA Member on Security and Justice in the NCOP, has called for faster legislative intervention and slammed poor maintenance of reporting services. “Our economy loses billions of rands through fraud and phishing attacks annually. These recent attacks will undoubtedly have even further major implications for the economy and state security,” he said last week.
He further slammed the delay in introducing the Cyber Security Bill, almost 16 years after South Africa signed the Budapest Convention on Cybercrime. Moreover, he added, “[T]he Department of Telecommunications and Postal Services website, Cybersecurity Hub, set up for … reporting incidents and communicating existing threats to the public, has not been updated since October 2016 and is only expected to be officially in force from March 2020.” He also called for a state-sponsored public awareness campaign on cybersecurity.
The Government Computer Security Incident Response Centre is monitoring the situation, Mahlobo says, and has sent advisories to government departments, financial institutions and state-owned enterprises to assist them in securing their networks.
Erasmus believes the interim solution lies at organisation and individual level. “We use the wrong controls,” he says. Solutions should include internal audit assessments, moving from reactive to proactive. Conduct a risk assessment based on the organisation’s strategy, then implement the corresponding strategic drivers and security controls. Awareness training and personnel vetting are essential, plus asset management and incident and event management. Most important of all, back everything up.
“Switching a couple of technical controls on is not good enough,” Erasmus says. “Especially on the people side. It is shocking how uneducated people are on security awareness.” According to IBM’s Cyber Security Index, 95% of all cyber-crime involves human error.
Ultimately, believes Erasmus, safety nets are limited, but greater individual efforts will add up to a more secure whole. Consumers must prepare for smarter, faster, more dangerous attacks by fiercely guarding their personal information, as even applying patches to vulnerable software isn’t a failsafe. “It would be a relatively simple matter to alter the code of the malware in order to circumvent a temporary solution that has been found to stop the attack,” Erasmus warns.
“And your fingerprints,” he adds, “are everywhere.” DM
Photo: A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout