Channel: Symantec Connect - Security

Critical System Protection protects IoT against Petya


petya_blog.jpg

This screen has popped up on critical infrastructure around the world this past week. Unfortunately, attackers have successfully hit corporations worldwide, this time not only by encrypting important files but also by encrypting the master boot record, rendering the system useless.

Petya, i.e. WannaCry 2.0, has been retrofitted with additional mechanisms to spread to other computers on the same network. The Internet of Things is particularly vulnerable given the fixed, and therefore unprotected, nature of these devices; the attack has halted things from chocolate factories to energy grids and industrial control systems. The epicenter is in Ukraine, but the outbreak has also afflicted Europe, Asia, Africa, and the USA.

Machines are infected either by a dropper (a program that installs malware) or by the worm-like functionality of spreading to your computer from a nearby infected computer.

Critical System Protection Protects the Internet of Things

Symantec IoT customers leveraging Critical System Protection (CSP) are protected against both methods. Through the CSP behavioral engine, protected devices already have a set of least-privilege policies under which every action on the system is checked by specialized policies and, if abnormal, stopped.

CSP successfully blocks the initial infection via dropper due to the software installation policy restrictions and executable modification prevention. In fact, all three of our out-of-the-box strategies (Basic, Hardened and Whitelisting) will protect against the initial infection.

Petya’s retrofitted spreading mechanisms are clever: they attempt to use stolen administrator credentials with PsExec and WMIC (Windows Management Instrumentation Command-line) to install software. However, even with administrator privileges, CSP prevents infection by blocking the behavior of installing remotely via PsExec or WMIC.
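The idea of blocking remote installation regardless of who asks can be sketched as a default-deny rule on processes started through PsExec's service or the WMI provider host. This is an added illustration, not CSP's policy engine or policy format; the record layout, the allowlisted `plc_agent.exe` path and the sample events are constructed assumptions.

```python
import ntpath

# Hosts of remotely launched code: PsExec's service and the WMI provider host.
REMOTE_EXEC_PARENTS = {"psexesvc.exe", "wmiprvse.exe"}

# Hypothetical allowlist for one fixed-function device: the only program that
# is expected to be started through a remote-execution host.
ALLOWED_REMOTE_CHILDREN = {r"c:\agent\plc_agent.exe"}

# Constructed sample records (not real logs): parent image, new image, user.
SAMPLE_EVENTS = [
    r"parent=C:\Windows\PSEXESVC.exe;image=C:\Windows\Temp\installer.exe;user=CORP\admin",
    r"parent=C:\Windows\System32\wbem\WmiPrvSE.exe;image=C:\Windows\Temp\installer.exe;user=CORP\admin",
    r"parent=C:\Windows\System32\wbem\WmiPrvSE.exe;image=C:\Agent\plc_agent.exe;user=NT AUTHORITY\SYSTEM",
    r"parent=C:\Windows\explorer.exe;image=C:\Windows\System32\notepad.exe;user=CORP\operator",
]

def parse_event(line):
    """Split a 'key=value;key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split(";"))

def decide(event):
    """Deny any process started via PsExec or WMI unless it is allowlisted.

    The user field is deliberately ignored: holding administrator
    credentials does not change the verdict.
    """
    parent = ntpath.basename(event["parent"]).lower()
    if parent in REMOTE_EXEC_PARENTS:
        if event["image"].lower() not in ALLOWED_REMOTE_CHILDREN:
            return "deny"
    return "allow"

def evaluate(lines):
    """Return (verdict, user, image) for each record, in order."""
    results = []
    for line in lines:
        event = parse_event(line)
        results.append((decide(event), event["user"], event["image"]))
    return results

if __name__ == "__main__":
    for verdict, user, image in evaluate(SAMPLE_EVENTS):
        print(f"{verdict:5} {user:20} {image}")
```

Matching parents by file name keeps the sketch short; an enforcement product would identify the launching process by something harder to spoof than its name.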

Even with the additional methods implemented over WannaCry, both pieces of dangerous malware can be prevented with Critical System Protection without an administrator, an internet connection, or generally any involvement. Of particular importance is the ability to reliably prevent this attack, as well as future attacks, thanks to CSP’s unique approach to securing your devices.

What makes CSP the best fit for IoT endpoint security?

CSP is an ultra-lightweight (<1% CPU) and compact (~20MB footprint) application that can be installed on a Linux, QNX, or Windows machine, with broad compatibility back to Windows 2000. At a high level, CSP learns the behavior of all applications and enacts policies to dictate what applications, files, and programs can or cannot do; this concept is known as confinement jailing or sandboxing.

These sandboxing policies are often hand-crafted by the administrator, but can also be automatically profiled using machine learning on hygienic processes. As such, zero-day attacks, unusual memory allocations, or unrecognized network traffic can be prevented on a per-application basis. Of particular note is that this goes beyond application whitelisting, because even if signed malware happens to execute, CSP automatically isolates the process and blocks it from maliciously interacting with any other part of the system.

As attackers use the fixed-function nature of IoT devices against them, Symantec Critical System Protection is the answer, pioneering the use of fixed-function behavior to spearhead unbeatable security in a form factor purpose-built for Industrial and Embedded IoT devices (industrial control systems, SCADA, DCS) and more.

