2017's biggest security horror stories

Open padlock on circuit board
(Image credit: Bigstock)

Cybersecurity is always top of mind for businesses, but that's especially been the case in 2017.

From ransomware to botnets, this year's tech news has been dominated by a regular flow of security crises.

Here are some of the top cybersecurity incidents of 2017 that we don't want to see repeated in 2018.

Unsecured clouds and databases

Bucket leaking water

(Image credit: Big Stock)

Probably the trend that can most easily be prevented by users is databases facing the public internet that should have been secured, but weren't.

Two of the biggest bungles in this area relate to Amazon Web Services' (AWS) S3 cloud storage service and MongoDB's NoSQL database.

A spate of data leaks across 2017 came about because of unencrypted S3 buckets, affecting organisations including Accenture, WWE, the AA and Dow Jones.

These companies had apparently failed to read the small print of their contracts with AWS and hadn't realised this particular storage service wasn't encrypted by default.Thus, customer data was left exposed on the open web for anyone to see, leading to major security crises.

The issue was finally resolved in November when AWS decided it would add default encryption to S3 buckets, taking the onus off customers.

In the case of MongoDB, the situation was much the same. Users failed to encrypt their databases, which led to several waves of ransomware attacks rather than data leaks, with the cybercriminals encrypting the exposed servers and demanding Bitcoin for their release.

Unfortunately for the victims, there is no central resolution as with AWS S3, as MongoDB offers database software, rather than a cloud storage service, that can be installed on pretty much any server. The general advice, from both the company and the security community, is to turn on encryption, or at the very least password protection, at the point of installation sage advice for any IT administrator, irrespective of the service or software they are using.

Ransomware attacks

Graphic of a user engaging in a ransomware exchange

(Image credit: Bigstock)

While ransomware has been a popular tool for cybercriminals for many years, 2017 saw an uptick in large-scale attacks.

Two of the most notable global ransomware attacks were WannaCry, which hit in May, and NotPetya, which landed in June.

WannaCry made global news after it spread rapidly around the world, with theNHS in England and Wales being particularly badly hit. The attack was notable for several reasons. First, the speed of the spread; within hours of the first incidents being reported in Asia on 12 May, it had started to spread internationally. By the end of the day, over 230,000 computers in 150 countries were infected.

Second is the systems affected. WannaCry exclusively infected Windows operating systems, both server and desktop. Although Microsoft had issued a patch for the vulnerability in March 2017, many large organisations' systems hadn't been updated for one reason or another (sometimes due to staffing, sometimes due to dependent software or other technical reasons).

Many were quick to point to the continued use of Windows XP despite it no longer being supported by Microsoft for several years. However, research from Kaspersky Lab demonstrated that, in fact, most of the infected computers were running Windows 7, which was still covered by Microsoft support at the time.

The third interesting thing about WannaCry is its alleged provenance. While there's no indication the US National Security Agency (NSA) created the ransomware itself, it has been suggested that EternalBlue, the Windows vulnerability that allowed the malware to spread and infect numerous systems at such high speed, was discovered by the agency some years ago but not reported to Microsoft. Instead, the organisation allegedly used it as an offensive tool in cyber warfare and defence. The existence of EternalBlue and other similar tools were revealed by Shadow Brokers in 2016.

While WannaCry was fast and effective, it was short-lived British independent security researcher Marcus Hutchins discovered a so-called "kill switch" embedded in the ransomware's code and was able to disable the initial attack in one fell swoop.

The same can't be said for NotPetya. According to WebRoot, this malware strain was the most damaging and dangerous to emerge in 2017. Despite using the same EternalBlue exploit as WannaCry, NotPetya was less widespread, but it was more persistent: first emerging in June 2017, it continued to infect systems all the way through to the autumn.

The creator's MO was also different: although it looked like a traditional ransomware attack, including displaying a ransom message, it didn't simply encrypt the system it created utter havoc. Once affected, the files were irrevocably scrambled, meaning that even if victims did pay the ransom they still wouldn't get their files back. Indeed, it has been speculated by various researchers that havoc and infamy were the main objectives of these criminals, rather than generating money.


DDoS Attack on screen

(Image credit: Shutterstock)

Like the other tactics on this list, botnets aren't new. What is new, however, is how they're powered.

Continuing a trend started by the Mirai botnet in 2016, 2017 saw outbreaks of DDoS and other attacks from botnets powered by Internet of Things (IoT) devices.

As such devices aren't typically thought of as computers, consumers in particular have failed to change default passwords before connecting them to the internet. To make the situation worse, some of these so-called "headless" devices don't give users any control over security settings anyway, meaning there's no way to protect them once they're exposed online.

While Mirai continued to cause disruption through 2017, with a 54-hour DDoS attack on an American university in March being the most notable of these.

Later in the year, a new IoT botnet dubbed Reaper emerged, which security researchers claimed will be worse than Mirai. This is because rather than cracking default or weak passwords, as Mirai did, Reaper infiltrates IoT devices via unpatched vulnerabilities. Once again, this is something that is largely in the hands of vendors, rather than consumers, to secure.

Reaper is only partially mobilised, according to a report released in late 2017 by Arbor Networks,with several thousand infected devices lying dormant. This raises concerns of a potential wide-scale DDoS attack in 2018.

Cybersecurity is a constant game of cat and mouse and true total security is unattainable but that doesn't mean businesses, consumers and vendors can't do their best to mitigate vulnerabilities and build up protection. Let's hope that in 2018 we see greater use of basic security precautions to defend against these potential monster attacks.

Pictures: Bigstock

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.