Zero Day Recovery Against Zero Day Attacks
The cyberattack on the Alaskan borough of Matanuska-Susitna, which left the borough's staff using dusty typewriters and writing receipts by hand, highlights the importance of zero-day recovery against zero-day attacks.
What Is a Zero Day Cyberattack?
A zero day cyberattack exploits a security vulnerability that the software vendor is unaware of, or has not yet had time to fix with a security update or patch, at the time the attacker or attackers begin using it.
According to Eric Wyatt, IT Director at Matanuska-Susitna Borough, the attack on the borough’s computers was a result of a zero day attack.
The zero day Wyatt referred to was a new version of the malware called "Emotet". The malware itself isn't new: it was first observed in the wild in 2014, and since then its makers have repeatedly reinvented it, producing a number of variations over the years.
"Emotet is a polymorphic banking Trojan that can evade typical signature-based detection," the United States Computer Emergency Readiness Team (US-CERT) said. "Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors. Emotet infections have cost SLTT governments up to $1 million per incident to remediate."
According to US-CERT, Emotet initially infects a victim's computer through an email containing a malicious attachment or link that uses branding familiar to the recipient. Once the user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document attached to the email, Emotet is downloaded onto the victim's computer – typically an organization's server.
Emotet presents problems for organizations because it is also a worm, meaning it can self-propagate. While the initial infection requires action from the victim (opening or clicking the malicious download link, PDF, or macro-enabled Microsoft Word document from the email), the subsequent infections of other computers or workstations connected to the server are automatic.
According to Symantec, Emotet has evolved from a banking trojan – malware used to obtain confidential information from online banking and payment systems – into an infrastructure that acts as a delivery service for other threat actors, for instance to deliver other malware.
In the cyberattack against Matanuska-Susitna, the borough's IT Director said that in addition to Emotet, the attackers also infected the borough's computers with other malware, including Crypto Locker – ransomware that encrypts files on the compromised computer, locking out the user and demanding that the user purchase a password to decrypt or unlock the files.
Crypto Locker, the IT Director said, encrypted the files on nearly all of the 500 workstations (both Windows 7 and Windows 10) and on 120 of the 150 servers. While Crypto Locker is packaged as ransomware, he said that even when the ransom is paid there is still no way to unlock the files, because the attackers never provide the decryption codes.
"This would indicate that the attack's purpose is not based primarily on money from a particular victim, but to disrupt operations and potentially steal information that may lead to greater financial reward and more disruption from downstream victims," Wyatt, Matanuska-Susitna's IT Director, said.
What Is Zero Day Recovery?
Zero Day Recovery refers to the quick recovery of systems and data, thereby, minimizing or even eliminating the damage caused by a destructive cyberattack.
Zero Day Recovery is a challenge for many organizations. The staff of Matanuska-Susitna Borough, for example, have had to resort to dusty typewriters and handwritten receipts because recovering the systems and data takes time.
According to Patty Sullivan, Public Affairs Director at the Matanuska-Susitna Borough, since the attack was discovered on July 24, computers have been disconnected from each other, from the server, the internet, phones and email. Sullivan said that, as of July 30, 2018, although 110 workstations had been cleaned, reimaged and readied for distribution to employees, most employees were still without computers.
The IT Director said the attackers tagged the borough as victim 210, which means that more than 200 organizations had been hit with this attack before the borough.
A similar cyberattack hit the City of Valdez, also in Alaska. "A computer virus that has recently been surfacing across the nation and recently struck the Mat-SU [Matanuska-Susitna] Borough was detected in the computer infrastructure at the City of Valdez early Friday morning," the City of Valdez said in a statement. "All city computers and servers are currently shut down and city email unavailable at this time in order to prevent further compromise."
Here are some cybersecurity measures for preventing Emotet and similar zero-day attacks:
- Use antivirus programs with automatic updates
- Apply security updates or patches in operating systems and other software after appropriate testing
- Mark external emails with a banner to distinguish them from internal emails to assist users in detecting spoofed emails
- Require employees not to open suspicious emails or click links contained in such emails
- Block file attachments that are commonly associated with malware, such as .dll and .exe, and attachments that can’t be scanned by antivirus software, such as .zip files
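Two of the measures above, the external-mail banner and the attachment block list, can be enforced at the mail gateway. The script below is an added illustration written for this article, not the borough's or any vendor's filter. It parses a message, blocks it if any attachment carries a blocked extension, and otherwise prepends a banner to the Subject when the sender is outside the organization's domain. The internal domain `example.org`, the sample messages, and the addition of `.docm` (the macro-enabled Word document vector described above) to the article's `.dll`/`.exe`/`.zip` list are constructed assumptions.

```python
"""Inbound mail policy check: block risky attachments, banner external mail.
Example code for this article; the domain, block list extension (.docm) and
sample messages are assumptions, not settings from the borough or a vendor."""

import email
import email.utils
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.org"  # assumed internal domain (constructed)

# Extensions from the article (.dll, .exe, .zip) plus macro-enabled Word
# documents, the Emotet lure the article describes (assumption: .docm).
BLOCKED_EXTENSIONS = {".dll", ".exe", ".zip", ".docm"}

EXTERNAL_BANNER = "[EXTERNAL] "


def sender_domain(msg):
    """Domain part of the From address, lower-cased; empty if unparsable."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_external(msg):
    return sender_domain(msg) != INTERNAL_DOMAIN


def blocked_attachments(msg):
    """Names of attachments whose extension is on the block list."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            names.append(name)
    return names


def apply_policy(raw_bytes):
    """Return ('block', [bad attachment names]) or ('deliver', message).
    Delivered external mail gets the banner prepended to its Subject."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    bad = blocked_attachments(msg)
    if bad:
        return "block", bad
    if is_external(msg):
        subject = str(msg.get("Subject", ""))
        del msg["Subject"]
        msg["Subject"] = EXTERNAL_BANNER + subject
    return "deliver", msg


def build_sample(from_addr, subject, attachment_name=None):
    """Construct a sample message (constructed test data, not a real lure)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "clerk@example.org"
    msg["Subject"] = subject
    msg.set_content("Please see the attached invoice.")
    if attachment_name:
        msg.add_attachment(b"\x00\x01sample", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def demo():
    """Run the policy over four constructed messages and collect verdicts."""
    results = {}
    results["lure"] = apply_policy(build_sample(
        "billing@vendor-invoices.example", "Invoice 4431", "Invoice_4431.docm"))[0]
    results["zip"] = apply_policy(build_sample(
        "files@share.example", "Files", "files.zip"))[0]
    ext = apply_policy(build_sample("partner@partner.example", "Meeting notes"))
    results["external_subject"] = str(ext[1]["Subject"])
    internal = apply_policy(build_sample("hr@example.org", "Payroll"))
    results["internal_subject"] = str(internal[1]["Subject"])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A real gateway would also quarantine rather than silently drop, log the verdict with the message ID for the SOC, and treat the banner as one signal among several, since the article's point is that users still need to recognise spoofed branding even when the mail is tagged.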
When all of the preventive measures fail, the last line of defense that your organization can undertake is the fast recovery of systems and data.
Ensuring that your organization's systems and data are backed up properly allows your organization to set up an effective recovery process. When you need help, our experts are a phone call away. Call today at (416) 920-3000 and protect your data.
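One concrete part of "backed up properly" is knowing, before an incident, that a backup can actually be restored intact. The script below is an added example written for this article, not the borough's or any vendor's tooling. It builds a constructed sample tree in a temporary directory, records a SHA-256 manifest at backup time, then checks both the damaged live tree and the offline copy against that manifest, reporting files that are missing or whose contents no longer match (as they would after ransomware such as Crypto Locker overwrote them). File names and contents are constructed.

```python
"""Backup manifest and restore verification (example code for this article).
The sample tree, file names and the simulated ransomware damage are constructed."""

import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    """Streaming SHA-256 of a file, so large backups don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative file path under root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Return (missing, modified): files absent from the restore, and files
    whose digest differs from the manifest (modified, corrupted or encrypted)."""
    missing, modified = [], []
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.exists(path):
            missing.append(rel)
        elif sha256_file(path) != digest:
            modified.append(rel)
    return missing, modified


def demo():
    """Back up a constructed tree, damage the live copy, verify both."""
    work = tempfile.mkdtemp()
    try:
        live = os.path.join(work, "live")
        os.makedirs(os.path.join(live, "records"))
        with open(os.path.join(live, "records", "permits.csv"), "w") as f:
            f.write("id,owner\n1,Jane Doe\n")  # constructed sample data
        with open(os.path.join(live, "ledger.txt"), "w") as f:
            f.write("receipt 0001 paid\n")  # constructed sample data
        # Backup time: copy the tree to an offline location and store the
        # manifest alongside it, separate from the live systems.
        backup = os.path.join(work, "backup")
        shutil.copytree(live, backup)
        manifest_path = os.path.join(work, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(live), f)
        # Simulated incident: one live file overwritten with random bytes
        # (standing in for ciphertext), another deleted.
        with open(os.path.join(live, "ledger.txt"), "wb") as f:
            f.write(os.urandom(32))
        os.remove(os.path.join(live, "records", "permits.csv"))
        with open(manifest_path) as f:
            stored = json.load(f)
        return {
            "damaged": verify_restore(stored, live),    # what the attack broke
            "restored": verify_restore(stored, backup), # offline copy is intact
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for label, (missing, modified) in demo().items():
        print(f"{label}: missing={missing} modified={modified}")
```

The manifest must live with the offline copy, not on the servers being protected: a worm that reaches the file share can encrypt a manifest stored there just as easily as the data, and a backup that is only ever written, never test-restored and verified, is the kind that leaves staff on typewriters.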