EXECUTIVE SUMMARY:
On Sunday, Italy’s National Cybersecurity Agency (ACN) revealed that computer servers in the country had been targets in a global ransomware attack. According to the General Director of Italy’s National Cybersecurity Agency, Roberto Baldoni, the attack occurred on a massive scale, affecting thousands of computer servers.
However, the number of infected machines represents merely a fraction of the tens of thousands of servers that could have been affected. Upon learning of Italy’s challenges, cyber security agencies in France, Canada and other countries published advisories that urged organizations to immediately patch vulnerable software.
Italy server hack
The attack relied on exploitation of a specific software vulnerability. While a patch does exist for the vulnerability, some organizations had clearly not applied it.
Following the attack, Euro News reports that millions of customers were left without internet and that ATM machines did not function properly.
However, the internet issue may not have actually been related to the ransomware event. It’s unclear at this time.
Expert analysis
“What is interesting here is the speed at which they [hackers] attacked the machines,” wrote Patrice Auffret, founder and CEO of Onyphe SAS, a French cyber security firm that scanned the internet for traces of the attackers’ malicious code.
“The time was chosen wisely – system administrators and security teams are nearly out for the weekend.” Attackers likely wanted to complete their attack during the weekend for maximum impact, said Auffret.
Vulnerability information
The disruptions represented the latest example of cyber attackers leveraging old vulnerabilities in popular and widely distributed software. The attackers likely studied this particular vulnerability far in advance of the attack to assess the extent to which they would or wouldn’t gain in exploiting it.
This particular vulnerability allows attackers to remotely encrypt data. This prevents a user from accessing the information until a ransom is paid.
Italian national newspaper Corriere della Sera reported that the cyber attackers involved in this incident demanded 2 Bitcoin, the rough equivalent of €42,000.
New EU legislation
Since the start of the coronavirus pandemic, ransomware attacks have proliferated. To keep up with new threats, the EU has issued new rules that take effect this year. For instance, operators of essential services “will have to take appropriate security measures and notify relevant national authorities of serious incidents.”
Further fallout
Is this latest ransomware attack related to the one that took place last week, and that disrupted derivatives trading globally? It remains to be determined. The attack last week was attributed to the Russia-linked LockBit ransomware group.
“No evidence has emerged pointing to aggression by a state or hostile state-like entity,” stated the Italian government. While the attack did not look highly sophisticated, according to analysts, it seems to have been directed towards Western countries.
For information about ransomware prevention, click here. Further, join us at the most exciting and inspiring cyber security industry event of the year, CPX 360.
Lastly, to receive cutting-edge cyber security news, best practices and resources in your inbox each week, please sign up for the CyberTalk.org newsletter.