The WannaCry Ransomware Attack

Here we go. On Friday, May 12—just prior to the start of SAPPHIRE NOW—the world experienced the most extensive ransomware attack to date from a source linked to North Korea. Known as “WannaCry” the ransomware worm that infected computers in as many as 150 countries appears to have been released by a hacking organization known as the Lazarus Group. By Saturday, May 13, the worm was reported to have infected more than 230,000 computers belonging to Britain's National Health Service (NHS), Spain's Telefónica, FedEx, Deutsche Bahn and hundreds of other organizations across the globe.

WannaCry leverages an exploit known as EternalBlue—designed for use by the US National Security Agency (NSA)—that the hacker group identified as The Shadow Brokers made public on April 14, 2017. Associated with North Korea, the Lazarus Group is also believed to have been behind the well-documented hack of Sony Pictures in November of 2014 and to have successfully removed USD 81 million from the central bank of Bangladesh in 2016. The ransom demanded  to unlock encrypted hard drives in the WannaCry attack was relatively low at USD 300 to USD 600 per device (to be paid in Bitcoin).

Shortly after the attack began, a web security researcher based in the UK that blogs under the name  "MalwareTech" inadvertently discovered an effective kill switch by registering an unregistered domain name he found in the WannaCry code. MalwareTech pointed the newly registered domain to a sinkhole—a server that collects and analyzes malware traffic. This action greatly slowed the spread of the infection, effectively halting the outbreak by Monday, May 15. However, newer versions of the WannaCry code have since been detected that lack the kill switch feature. Security researchers have also found ways to recover data from some of the infected devices.

WannaCry Attack Presents Something New for Cybersecurity Experts

This latest global attack includes some surprises for cybersecurity experts who have noted that, as known State actors, the hackers at Lazarus Group appear to have turned to common monetary-induced cybercrime. The undifferentiated, global scale of the WannaCry attack—which exploited known vulnerabilities in older versions of Microsoft Windows—did not fit the profile of previous motives and targets identified with this group.

In fact, hackers affiliated with governments generally conduct espionage, steal intellectual property, attempt to shut down specific political organizations and take money from non-commercial banks. Operators at Lazarus are known for their patient preparation and precision in striking specific targets. But the WannaCry attack pattern matched the characteristics of an organized cyber crime unit.



 

SAP Solutions Help Combat Cyber Threats and Attacks

In order to provide some measure of protection for customers who don’t wanna cry each and every time there is a significant or even low level cyberattack on their systems and data, SAP provides critical solutions that help detect and prevent unwanted intrusions from hackers of all shapes and sizes. Chief among these solutions is SAP Enterprise Threat Detection.

SAP Enterprise Threat Detection leverages SAP HANA to efficiently monitor SAP software-centric landscapes. It allows our customers to perform real-time analysis and correlation with the vast quantity of log data that SAP and non-SAP systems generate. SAP Enterprise Threat Detection is a key customer resource to help fight cybercrime, insider attacks, and data breaches and to enhance data security and company protection (protecting intellectual property, sensitive data and the organization’s reputation).

SAP Enterprise Threat Detection detects and provides counter measures for:

• SAP vulnerabilities (Security Notes)


• Critical authorization assignments


• User manipulations/morphing


• Changes to standard users


• Brute force attacks


• Suspicious logons


• Failed logons


• Unusual communication and download patterns
  (users, technical users, systems)


• Security configuration changes


• Cross-landscape communication


• Access to critical resources


• Information disclosure


• Data manipulation


• Debugging


• Denial of Service (DNS)


• Web Security


• Cross-Site Request Forgery (CSRF) token attacks


• SPNego replay attacks

Utilizing key components inherent in SAP HANA, SAP HANA XS, SAP HANA Smart Data Streaming and SAP Fiori, SAP Enterprise Threat Detection offers each customer the following capabilities:

• Forensic lab resources


• Pseudonymization


• Log learning for non-SAP logs


• Anomaly detection


• SAP patch status information


• Graphical threat situation display


• Standardized events and attributes that reduce significant false alerts


• Event, indicator, alert and investigation triggers


• Pattern adjustments and pattern creation without coding


• System landscape information


• Send notifications


• Standard API’s that integrate into other security systems

SAP Offers Protection

Like all 21^st Century organizations, SAP customers are constantly exposed to a volatile global mix of sudden and potentially dangerous cyber-attacks from both highly organized and anonymous sources. For their sake, SAP’s powerful GRC & Security solutions portfolio includes solutions focused on threat definition, identification, analysis, and countermeasures involving SAP and non-SAP systems.

Learn more about the full range of SAP Security offerings and please continue to read all of the blogs in our GRC series.