The cyber attack on the VNDIRECT system on March 24 has been identified as a ransomware attack, that is, an attack using data encryption malware. This type of attack is a major concern for businesses and organizations in the digital era. To help readers learn more about ransomware attacks, how dangerous they are, and how to prevent and respond to them, VietNamNet published the article "Existing dangers from data encryption attacks".

Extending the "nightmare" of data encryption malware

The cyber attack on the system of VNDIRECT, a company in the top 3 on the Vietnamese stock market, which occurred on the morning of March 24, has now been basically resolved. The data has been decrypted and the My Account lookup system is working again.

VNDIRECT announced that the March 24 incident was carried out by a professional attack group and caused all company data to be encrypted. In recent years, ransomware attacks have been a constant nightmare for businesses and organizations globally because of the severe consequences they can cause. Experts also liken ransomware to a "nightmare" and a "ghost" in cyberspace.

Experts believe that more time is needed to completely fix the consequences of the attack on the VNDIRECT system. Photo: DL

According to the roadmap announced by VNDIRECT to customers and partners, systems, products and other utilities will continue to be gradually reopened by the operating unit. This unit plans to check the flow with stock exchanges on March 28.

However, the analysis of information security experts suggests that the VNDIRECT technology team and the experts scanning for vulnerabilities and thoroughly fixing the problem still have many hard days ahead. Ransomware is not a new form of cyber attack, but it is very complex, and it takes a lot of time to clean the data, completely restore the system, and return to normal operations.

“To completely overcome a ransomware attack, sometimes the operating unit also has to change the system architecture, especially the backup system. Therefore, with the problem VNDIRECT is experiencing, we think it will take more time, even months, for the system to fully recover,” said Vu Ngoc Son, Technical Director of NCS Company.

Mr. Nguyen Minh Hai, Technical Director of Fortinet Vietnam, said that, depending on the severity of the attack, the degree of advance preparation and the effectiveness of the response plan, the time needed to restore a system after a ransomware attack can vary greatly, from a few hours to a few weeks for complete recovery, especially in cases where large amounts of data need to be recovered.

“Part of this recovery process includes ensuring that the data encryption malware has been completely removed from the network and that no backdoors have been left behind that could allow attackers to regain access,” Mr. Nguyen Minh Hai said.

Experts also commented that, in addition to being a "wake-up call" for the units managing and operating important information systems in Vietnam, the cyber attack on VNDIRECT once again showed how dangerous ransomware is.

More than 6 years ago, WannaCry and variants of this data encryption malware left many businesses and organizations "struggling" when they quickly spread to more than 300,000 computers in nearly 100 countries and territories around the world, including Vietnam.

In recent years, businesses have always been concerned about ransomware attacks. Last year, Vietnam's cyberspace recorded many ransomware attacks with serious consequences; in particular, there were cases where hackers not only encrypted data for ransom but also sold the data to third parties to maximize the proceeds. According to NCS statistics, in 2023 up to 83,000 computers and servers in Vietnam were recorded as attacked by ransomware.

Common 'paths' into the system

VNDIRECT's technology team is working with information security experts to deploy solutions to completely restore and ensure system safety. The cause of the incident and the 'path' the hacker used to penetrate the system are still being investigated.

According to Mr. Ngo Tuan Anh, CEO of SCS Smart Network Security Company, in a data encryption attack hackers usually choose to penetrate the server containing important data and encrypt that data. There are two ways hackers often penetrate an organization's systems: directly, through vulnerabilities and weaknesses of the server system; or by "going around" through the administrator's computer and taking control of the system from there.

Password discovery and zero-day vulnerability exploitation are two "paths" hackers often use to penetrate the system, thereby encrypting data for blackmail. Illustration photo: zephyr_p/Fotolia

Speaking with VietNamNet, Mr. Vu The Hai, Head of the Information Security Supervision Department at VSEC Company, also pointed out a number of ways hackers can penetrate a system and install malicious code: exploiting existing vulnerabilities in the system to take control and install malicious code; sending emails with attached files containing malicious code to trick users into opening them and activating the malicious code; and logging in to the system with a leaked or weak password of a system user.

Expert Vu Ngoc Son analyzed that, in ransomware attacks, hackers often enter the system in a number of ways, such as password discovery and exploiting system vulnerabilities, mainly zero-day vulnerabilities (vulnerabilities for which the manufacturer has not yet released a patch – reporter's note).

“Financial companies will often have to meet regulatory standards, so the ability to detect passwords is almost impossible. The highest possibility is to attack through a zero-day vulnerability. Accordingly, hackers remotely send pieces of data causing errors, causing the software to fall into an uncontrolled state when processing.

“Next, the hacker runs remotely executed code and takes control of the service server. From this server, hackers continue to collect information, use the obtained administrative accounts to attack other servers in the network, and finally run data encryption tools to extort money,” expert Vu Ngoc Son analyzed.

A new survey conducted by security firm Fortinet with businesses in the Asia-Pacific region, including Vietnam, shows that ransomware is still a major concern. Extortion through ransomware attacks is the top cybersecurity concern for manufacturers, with 36% of organizations surveyed reporting that they experienced a ransomware attack in the past year, up 23% from Fortinet's similar 2020 survey.

Lesson 2 – Experts show how to respond to ransomware data encryption attacks 

Evaluate the safety of the system for online stock trading before April 15

April 15 is the deadline for securities companies to complete the review and assessment of information security and implement measures to overcome risks and weaknesses of systems, including online securities transaction service systems.