According to Wired, Russian military hackers that operate under the alias of ‘Sandworm’, have been responsible for everything from blackouts in Ukraine to NotPetya, the most destructive malware in history. There seems no sign of the slippery actions abating, as the news of targeting older technologies testifies.
This theme is continued by Casey Ellis, who is the Chief Technology Officer at Bugcrowd, who tells Digital Journal that this incident highlights the risks of ageing software. These risks arise because older software is far more likely to be missing the most up-to-date security measures, and thus can open the door to an abundance of vulnerabilities as company operations scale over time.
Ellis sees many of the attacks aimed at finding loop holes in holder software as coming from rogue states: “Well funded, talented and motivated nation-states exist as a crowd of potential adversaries with diverse skill sets and a variety of motivations, goals, and incentives to get results. The threat model suggests that while a sufficiently motivated and resourced malicious adversary will ultimately always achieve their goals, an army of allies — also known as security researchers or ethical hackers — stands ready to help raise the bar, increase the cost of an attack and route the adversary into places where they can be more easily detected.”
Ellis carries on to consider the specific nature of the attack, noting: “As this incident solely targeted organizations using an obsolete and free version of Centreon software, it highlights the risks of aging software — which are more likely to be missing the most up-to-date security measures. This opens the door to various vulnerabilities as company operations scale over time. Vulnerabilities exist in every platform of every company, the number of exploitable vulnerabilities and their potential impact compounds as developers innovate at unprecedented rates — in part due to the new demands of remote work and widespread access triggered by the COVID-19 pandemic.”
Ellis adds that: “While many questions have been spurred regarding recent state-sponsored attacks, government agencies need to acknowledge the scale and distributed nature of the threats and recognize the need to accept the assistance of security researchers who are offering to help defend against a growing legion of adversaries.”
In terms of what needs to be done, Ellis conjectures: “Many governments and private organizations around the globe have recognized the threats they face and are leaning into the benefits of well-run vulnerability disclosure programs to roll out the red carpet to the digital locksmiths of the Internet, who work to counter and outsmart the adversary and – more importantly – to help create confidence in their constituents’ security ecosystem. The kind of security research and discovery of security issues that could frustrate the efforts of nation-states is happening whether there is an invitation or not, and the truth of this is making the implementation of a vulnerability disclosure programs an increasingly easy decision to make.”
