MY TAKE: ‘Bashe’ attack theorizes a $200 billion ransomware raid using NSA-class cyber weapons

A report co-sponsored by Lloyd’s of London paints a chilling scenario for how a worldwide cyberattack could trigger economic losses of some $200 billion for companies and government agencies ill-equipped to deflect a very plausible ransomware attack designed to sweep across the globe.



The Cyber Risk Management (CyRiM) project lays out in detail how a theoretical ransomware attack – dubbed the “Bashe” campaign – could improve upon the real-life WannaCry and NotPetya ransomware worms that plagued thousands of organizations in 2017.

The exercise was commissioned by Lloyd’s of London, the Cambridge Centre for Risk Studies and the Nanyang Technological University in Singapore, among others. In their construct, the fictional cyber ring behind Bashe leverages lessons learned from missteps made in WannaCry and NotPetya, with the aim of making Bashe “the most infectious malware of all time.”

It should not be forgotten that WannaCry and NotPetya made use of some of the 69 cyber weapons stolen from the NSA and released publicly by a group known as Shadow Brokers. These weapons were designed by NSA software engineers to take advantage of previously undisclosed security vulnerabilities in Windows, Linux, IBM platforms and other core operating systems and applications widely used in commerce and government.

EternalBlue pedigree

Keep in mind, globe-spanning ransomware worms are just one of endless ways the leaked NSA tools could be leveraged. The best known of them is EternalBlue, the Windows SMBv1 exploit that both WannaCry and NotPetya used to spread from machine to machine without any user interaction. While the Lloyd’s study focuses on the ransomware scenario, it’s reasonable to believe threat actors of every stripe are developing other ways to utilize EternalBlue-class cyber weaponry.

This creates a responsibility for every organization to consider this report and assess what damage control might entail, says Darin Pendergraft, vice president of product marketing at STEALTHbits Technologies, a Hawthorne, NJ-based supplier of systems to protect sensitive company data.

“Damage control depends on the privilege level of the employee’s user account,” Pendergraft says. “Right now, it’s highly common to find that regular users have Administrative rights on their PCs. This allows email viruses that are opened to run with Administrative privilege – allowing them to become highly aggressive and to infect hundreds of other PCs and to even spread outside the organization.”

Pendergraft points out that a “least privilege access model” (LPAM) can recognize that not all users need full administrative access on their work computers. “In fact, most don’t need it at all,” he says. “In the case of ransomware and many other types of malware, the more access a compromised user has, the greater the damage.”

Technology and guidance for achieving LPAM are readily available to most organizations. “Maybe Lloyd’s findings will wake companies up to this,” Pendergraft says. “Right now, too many companies give users Administrative level permissions on their PCs – which is the digital equivalent of storing large quantities of gasoline in your family home. It’s just asking for trouble.”
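The first step toward the least-privilege model Pendergraft describes is finding out who actually holds local admin rights today. The script below is an added example written for this page; it is not code from the CyRiM report, Lloyd’s, STEALTHbits or The Last Watchdog. It audits the local Administrators group on one or more Windows hosts, reports every member that is not on an explicit allow-list, and can optionally remove them. It assumes Windows PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts module, WinRM enabled for any remote targets, and an allow-list (the CONTOSO group names are hypothetical placeholders) that you replace with your own domain and break-glass accounts.

```powershell
# Audit-LocalAdmins.ps1 (added example, not from the original article)
# Usage:
#   .\Audit-LocalAdmins.ps1                                   # report on this machine
#   .\Audit-LocalAdmins.ps1 -ComputerName ws01,ws02 -Remediate -WhatIf   # dry run
#   .\Audit-LocalAdmins.ps1 -ComputerName ws01,ws02 -Remediate           # strip extra admins
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hosts to audit; defaults to the local machine.
    [string[]]$ComputerName = @($env:COMPUTERNAME),

    # Accounts permitted to hold local admin rights. Hypothetical values:
    # '.\' stands for the audited host's own name, the CONTOSO groups are placeholders.
    [string[]]$AllowedAdmins = @(
        '.\Administrator',
        'CONTOSO\Domain Admins',
        'CONTOSO\Workstation-Admins'
    ),

    # Remove members that are not on the allow-list instead of only reporting them.
    [switch]$Remediate
)

# Runs on each target and returns the Administrators group membership.
# The host's own name prefix is normalized to '.\' so one allow-list works everywhere.
$collect = {
    $self = '^' + [regex]::Escape($env:COMPUTERNAME) + '\\'
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Host            = $env:COMPUTERNAME
            Member          = ($_.Name -replace $self, '.\')
            ObjectClass     = $_.ObjectClass        # User or Group
            PrincipalSource = "$($_.PrincipalSource)" # Local, ActiveDirectory, AzureAD, ...
        }
    }
}

$members = foreach ($c in $ComputerName) {
    if ($c -ieq $env:COMPUTERNAME) { & $collect }
    else { Invoke-Command -ComputerName $c -ScriptBlock $collect }
}

# -notcontains is case-insensitive by default, matching how Windows treats account names.
$unexpected = $members | Where-Object { $AllowedAdmins -notcontains $_.Member }

if (-not $unexpected) {
    Write-Host 'No unexpected local administrators found.'
    return
}

$unexpected | Format-Table Host, Member, ObjectClass, PrincipalSource -AutoSize

if ($Remediate) {
    $fix = { param($name) Remove-LocalGroupMember -Group 'Administrators' -Member $name }
    foreach ($m in $unexpected) {
        # ShouldProcess honours -WhatIf / -Confirm, so a dry run is the default safe path.
        if ($PSCmdlet.ShouldProcess("$($m.Host): $($m.Member)", 'Remove from Administrators')) {
            # Undo the '.\' normalization before handing the name back to Windows.
            $name = $m.Member -replace '^\.\\', "$($m.Host)\"
            if ($m.Host -ieq $env:COMPUTERNAME) { & $fix $name }
            else { Invoke-Command -ComputerName $m.Host -ScriptBlock $fix -ArgumentList $name }
        }
    }
}
```

Run it with -Remediate -WhatIf first and review the list: on domain-joined machines you will typically see Domain Admins plus whatever helpdesk or imaging accounts were added over the years, and the everyday user accounts that show up alongside them are exactly the exposure the quote above describes. Removing a user from Administrators only takes effect at their next logon, so pair the cleanup with a forced logoff or a scheduled reboot window.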

(Editor’s note: LW provides consulting services to some of the organizations included in our coverage.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: