Your failure to apply critical cybersecurity updates is putting your company at risk from the next WannaCry or Petya

Despite warnings and international cyber-incidents, too many organisations still aren't bothering to apply security patches, a report has warned.
Written by Danny Palmer, Senior Writer

Some organisations are still failing to take basic cybersecurity precautions by not applying critical patches and leaving themselves open to cyberattacks -- even when updates have been available for months.

This poor approach to security and patch management is detailed in Fortinet's Threat Landscape Report for Q2 2017. It highlights network and device hygiene as one of the most neglected areas of cybersecurity today -- a failing that, if rectified, could go a long way to preventing future attacks.

The researchers behind the report use the global spread of WannaCry ransomware, and the subsequent Petya outbreak a month later, to demonstrate the extent to which poor patching processes are commonplace.

WannaCry infected over 300,000 computers around the globe in May 2017, using a leaked NSA exploit (EternalBlue) for a vulnerability in Windows' Server Message Block (SMB) v1 protocol. Any host with SMBv1 reachable on port 445 could be infected with no user interaction, which is what allowed the malware to spread laterally across internal networks and between organisations.

Microsoft had released a patch for the vulnerability (bulletin MS17-010, in March 2017) two months before the WannaCry outbreak, and once the outbreak began it took the unusual step of issuing an emergency patch for out-of-support systems such as Windows XP and Server 2003.

But, despite the impact of WannaCry, a month later many organisations had still not applied the relevant patches: Petya (also known as NotPetya) used the same SMBv1 exploit to spread across infected networks. It also harvested credentials from memory and moved between machines using legitimate Windows administration tools (PsExec and WMI), so a fully patched host could still be infected from a compromised neighbour; patching closed the worm route, not the credential route. It claimed a number of high-profile victims, many of which are still dealing with the post-infection fallout.
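The practical question the two outbreaks raise is whether a given Windows host is still exposed on the path WannaCry and NotPetya used. The following PowerShell is an added example, not code from the article or from Fortinet's report: a read-only local check that looks for one of the original MS17-010 packages in the hotfix list, whether the SMBv1 server component is still enabled, and whether port 445 is listening at all. The KB list is an assumption about which packages to look for; hosts that later took a cumulative or monthly rollup update will not show these IDs even though they are patched, so a missing KB means "verify", not "unpatched". The SMBv1 state is the more reliable signal, since disabling SMBv1 blocks the exploit regardless of patch level.

```powershell
# Added example (not the article's or Fortinet's code). Run in an elevated
# PowerShell on Windows 8.1 / Server 2012 R2 or later; older hosts lack the
# Smb* and Net* cmdlets, which is why each check degrades to 'Unknown'.

function Test-Ms17010Exposure {
    [CmdletBinding()]
    param(
        # Assumption: the original March 2017 MS17-010 packages per platform.
        [string[]]$KnownKBs = @(
            'KB4012598',                            # XP / Server 2003 / Vista / 8 (emergency release)
            'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2
            'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
            'KB4012214', 'KB4012217',               # Windows Server 2012
            'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
        )
    )

    $os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

    # 1. Which of the original MS17-010 packages, if any, does this host report?
    $kbFound = @(Get-HotFix | Where-Object { $KnownKBs -contains $_.HotFixID } |
                 Select-Object -ExpandProperty HotFixID)

    # 2. Is the SMBv1 server component still on? This is what EternalBlue talks to.
    $smb1Server = 'Unknown'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Pre-2012 hosts: fall back to the documented registry switch (absent = enabled).
        $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -ErrorAction SilentlyContinue
        if ($null -ne $reg) { $smb1Server = [bool]$reg.SMB1 }
    }

    # 3. Is port 445 listening at all? A host that does not serve SMB cannot be
    #    reached by the worm's SMB scan, whatever its patch state.
    $smbListening = 'Unknown'
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $smbListening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }

    # Verdict: exposed when SMB is reachable, SMBv1 is on (or cannot be confirmed off)
    # and none of the known packages is present. Patched hosts with SMBv1 still enabled
    # are flagged separately because they remain a lateral-movement surface.
    $exposed = ($smbListening -ne $false) -and ($smb1Server -ne $false) -and ($kbFound.Count -eq 0)
    $advice = if ($exposed) { 'Apply MS17-010 and disable SMBv1' }
              elseif ($smb1Server -ne $false) { 'Patched (or unverified); disable SMBv1 anyway' }
              else { 'OK' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OS             = $os
        Smb1Server     = $smb1Server
        Port445Listen  = $smbListening
        Ms17010KBs     = ($kbFound -join ',')
        Exposed        = $exposed
        Recommendation = $advice
    }
}

# Local run. For an estate, push the function to remote hosts, e.g.
# Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Test-Ms17010Exposure}
Test-Ms17010Exposure | Format-List
```

The output object is deliberately flat so the results from many hosts can be collected with Invoke-Command and exported to CSV for a patch-compliance report. Note that the check covers only the SMBv1 route; NotPetya's credential-theft path requires separate controls (credential hygiene, restricting administrative shares and remote execution).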

"Something we don't talk about often enough is the opportunity everyone has to limit bad consequences by employing consistent and effective cybersecurity hygiene," said Phil Quade, chief information security officer at Fortinet.

"Cybercriminals aren't breaking into systems using new zero day attacks, they are primarily exploiting already discovered vulnerabilities."


The researchers say the lesson has to be learned: when a security patch is released for a vulnerability that is being actively exploited, it needs to be applied, and applied quickly.

"Network and device hygiene are perhaps the most neglected elements of security today. WannaCry targeted vulnerabilities that Microsoft patched two months previous. In spite of its worldwide impact, NotPetya successfully exploited the exact same vulnerability a month later," said the report.

Unfortunately, researchers are unconvinced that lessons will be heeded and, despite the impact of WannaCry and Petya, predict there will still be organisations falling victim to future ransomware worm attacks because they fail to apply patches.

"We'd like to be able to say Q2 closed the curtain on ransomware worms, but we've seen this scene reenacted too many times for that. The lesson? Act fast after critical patch releases and heed related intel about exploit life cycles," said the report.

Months on from the WannaCry ransomware outbreak, there are still organisations which have found themselves infected by the malware. Even in August, LG Electronics was forced to take systems offline for two days after self-service kiosks were found to be infected with WannaCry.

While the South Korean company now says it has applied the relevant security patches, the wording of the statement suggests critical updates hadn't been completed previously.

Other large organisations, including Honda, also fell victim to WannaCry more than a month after the initial outbreak.

