Largest advertising company in the world still wincing after NotPetya punch

Lack of patches and enabling local admin rights blamed

The huge cyber attack that swept from Ukraine last week is still affecting companies, and several have been hit pretty hard, including the world's largest advertising business, UK-based WPP.

The malware attack, dubbed NotPetya because it masquerades as the Petya ransomware, affected several multinationals running Microsoft Windows. Most, if not all, confirmed cases stemmed from a malicious update to MeDoc, Ukraine's most popular accounting software.

One week after the attack, a number of WPP's agencies are still locked out of their network, with some staff only able to access webmail. It is not alone: Maersk, AP Moller-Maersk, Reckitt Benckiser and FedEx are also struggling to get back on their feet. This has prompted analysts to wonder why some were more susceptible than others.

WPP said it is "making steady progress towards resuming normal operations in parts of the Group that continue to experience some disruption". It said systems have been brought back online "in a measured and prudent way, again in line with good practice".

Outsourced support

The advertising and PR group has hundreds of small agencies grouped into six larger companies. The business signed an £800m cloud deal with IBM at the end of 2014, which led to its in-house IT team being transferred over to IBM. Once the TUPE period ended, hundreds of staff were made redundant or left, according to multiple sources.

One insider claimed the lack of technical support remaining at WPP may have exposed the company to the attack.

He said IBM had not implemented a crucial central patch management system yet, meaning one of its agencies had not had a Windows patch for six months. Users were also given local admin rights, enabling the malware to spread like wildfire on the network.

He claimed the agencies not affected had taken a more proactive approach to maintaining systems because they either had a few IT support staff left, or had legacy policies in place that meant they were up to date. Others were unaffected because they mostly used MacBooks.

The insider said: "The lack of technical experts on the ground certainly exacerbated the problem."

IBM declined to comment.

WPP said it "had broadly patched as a response to WannaCry". However, external and internal analysis showed that the malware could utilise multiple vectors to spread, and the Microsoft-issued patch from March 2017 only mitigates one of these vectors.

"Upon becoming aware of the attack, WPP immediately shut down certain systems to implement all precautionary measures to protect business and client systems and data," the insider said. "It also deployed new antivirus updates, designed specifically for this malware, as soon as our global antivirus partner, Sophos, made them available.

"IBM has been working alongside our staff and IBMers have been invaluable in working tirelessly to help WPP resolve this issue."

Mysterious malware

Andy Patel, security expert at F-Secure, said that if a machine was infected by the malware, but the user did not have admin rights and other machines were patched, then the network would generally be safe.

He noted that the most modern version of Windows contains a feature that prevents passwords from being stored in plain text (storing only the hashes instead), which means the virus would not have been able to use lateral movement to spread.

Some companies, such as Maersk, did direct business with Ukraine, which would explain how the malware got on its system, the F-Secure man added. "However, one victim we spoke to had no ties to the Ukraine at all, so it is a mystery as to how they got infected. Its spread via VPN is one possibility."

Patel also blamed a lack of resourcing as being one factor in leaving some organisations more exposed. "So many companies under-resource cyber security and IT, or they outsource it. In my earlier career every company had their own IT department, now we are seeing companies forgoing that. But if you have your IT guys, it is their job to make sure things don't go wrong."

Brian Honan, independent security consultant and founder of Ireland's Computer Security Incident Response Team, agreed that enabling local admin rights, a lack of network segmentation and inadequate patching are the emerging reasons as to why some organisations were more exposed than others.
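The exposure factors named by Patel and Honan above (local admin rights, plaintext credentials cached in memory, and missing patches) can be audited read-only on a Windows host. The following PowerShell script is an added example, not code from the article or from any company it names; it assumes Windows 10 / Server 2016-era cmdlets, uses SMBv1 still being enabled as a stand-in for the March 2017 patch (KB numbers differ per build), and treats a 60-day gap since the last hotfix as the risk threshold, both of which are assumptions of this example.

```powershell
# Added example (not from the article): read-only audit of the exposure
# factors discussed above. Run in an elevated PowerShell session.

function Get-LocalAdminExposure {
    # Users in the local Administrators group other than the built-in account.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -notmatch '\\Administrator$' } |
        Select-Object Name, PrincipalSource
}

function Get-PlaintextCredentialExposure {
    # WDigest caching plaintext logon credentials in LSASS memory.
    # Windows 8.1 / 2012 R2 and later default to off (value absent or 0);
    # a value of 1 re-enables the behaviour that credential theft relies on.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $val = (Get-ItemProperty -Path $path -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    [pscustomobject]@{ Check = 'WDigest UseLogonCredential'; Value = $val; AtRisk = ($val -eq 1) }
}

function Get-Smb1Exposure {
    # Assumption: SMBv1 still enabled server-side is used here as a proxy for
    # the March 2017 SMB patch not having been applied.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{ Check = 'SMBv1 server enabled'; Value = $cfg.EnableSMB1Protocol; AtRisk = [bool]$cfg.EnableSMB1Protocol }
}

function Get-PatchAge {
    # Days since the newest installed hotfix; the article cites six months without patches.
    # Assumption: anything older than 60 days is flagged.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $days = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
    [pscustomobject]@{ Check = 'Days since last hotfix'; Value = $days; AtRisk = ($null -eq $days -or $days -gt 60) }
}

'--- Local admin rights (non-built-in users) ---'
Get-LocalAdminExposure | Format-Table -AutoSize
'--- Credential, SMBv1 and patch exposure ---'
@(Get-PlaintextCredentialExposure; Get-Smb1Exposure; Get-PatchAge) | Format-Table -AutoSize
```

Any row with AtRisk set to True corresponds to one of the conditions the article's sources say left organisations more exposed; the script changes nothing on the host.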

Wake-up call

However, he cautioned against blaming outsourcing, adding that it's possible for a company with a large in-house IT team to be vulnerable too. "Organisations should never outsource responsibility for security," he said.

He added that although patching systems and removing local admin rights were simple steps to prevent exposure, in many enterprises it might not be as easy as it sounds. "For example, they may have legacy in-house applications that run on certain versions. And then if you patch a system, it may stop applications from running. So there is an inherent cost.

"Likewise, with local admin access there are many accounting applications that require local admin for applications to run. Also, from an IT support point of view it can be easier to allow local access rather than incur the cost of centralising it.

"Companies have to sit down and review the environments. I hate to use the phrase 'a wake-up call' as there have been so many, but hopefully after Petya and WannaCry people realise there are pretty basic things they can do to increase security and make themselves resilient against attacks." ®
