Largest advertising company in the world still wincing after NotPetya punch

Lack of patches and enabling local admin rights blamed


The huge cyber attack that swept from Ukraine last week is still affecting companies, and several have been hit pretty hard, including the world's largest advertising business, UK-based WPP.

The malware attack, dubbed NotPetya because it masquerades as the Petya ransomware, affected several multinationals running Microsoft Windows. Most, if not all, confirmed cases stemmed from a malicious update to MeDoc, Ukraine's most popular accounting software.

One week after the attack, a number of WPP's agencies are still locked out of their network, with some staff able to access only webmail. WPP is not alone: Maersk (AP Moller-Maersk), Reckitt Benckiser and FedEx are also struggling to get back on their feet, which has prompted analysts to ask why some organisations were more susceptible than others.

WPP said it is "making steady progress towards resuming normal operations in parts of the Group that continue to experience some disruption". It said systems have been brought back online "in a measured and prudent way, again in line with good practice".

Outsourced support

The advertising and PR group has hundreds of small agencies grouped into six larger companies. The business signed an £800m cloud deal with IBM at the end of 2014, which led to its in-house IT team being transferred to IBM. Once the TUPE period ended, hundreds of staff were made redundant or left, according to multiple sources.

One insider claimed the lack of technical support remaining at WPP may have exposed the company to the attack.

He said IBM had not yet implemented a central patch management system, meaning one of WPP's agencies had gone six months without a Windows patch. Users were also given local admin rights, which let the malware spread like wildfire across the network.

He claimed the agencies not affected had taken a more proactive approach to maintaining systems because they either had a few IT support staff left, or had legacy policies in place that meant they were up to date. Others were unaffected because they mostly used MacBooks.

The insider said: "The lack of technical experts on the ground certainly exacerbated the problem."

IBM declined to comment.

WPP said it "had broadly patched as a response to WannaCry". However, external and internal analysis showed that the malware could use multiple vectors to spread, and the Microsoft patch from March 2017 (MS17-010, which closes the SMBv1 flaw exploited by EternalBlue) mitigates only one of them; the malware also harvested credentials from memory on an infected host and reused them to execute itself on other machines, which MS17-010 does nothing to stop.

"Upon becoming aware of the attack, WPP immediately shut down certain systems to implement all precautionary measures to protect business and client systems and data," the company said. "It also deployed new antivirus updates, designed specifically for this malware, as soon as our global antivirus partner, Sophos, made them available.

"IBM has been working alongside our staff and IBMers have been invaluable in working tirelessly to help WPP resolve this issue."

Mysterious malware

Andy Patel, security expert at F-Secure, said that if a machine was infected by the malware but the user did not have admin rights and the other machines on the network were patched, the network would generally be safe.

He noted that the most modern versions of Windows contain a feature that prevents passwords from being held in memory in plain text (only the hashes are kept), which means the malware would not have been able to steal working credentials and use them to move laterally.
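The three host-level conditions the article ties to NotPetya's spread (local admin rights, an unpatched SMBv1 stack, and plaintext credentials cached in memory) can each be checked from a single Windows machine. The script below is an added example, not code from the article or from WPP, IBM or F-Secure; it is a read-only audit meant for an elevated PowerShell 5.1 session on Windows 10 / Server 2016 or later. The KB numbers are those listed in Microsoft's MS17-010 bulletin and the build revisions are the March 2017 cumulative updates that carried the fix; later cumulative updates supersede both, so treat a missing KB as a prompt to verify the build level rather than as proof of exposure. Network segmentation, the third factor Honan names later, cannot be judged from one host and is out of scope here.

```powershell
# Added example (not from the article): audit one Windows host for the NotPetya
# spreading conditions discussed in the text. Read-only; run elevated.

function Test-NotPetyaExposure {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Local admin rights. Report the current user and the whole group so an
    #    admin can see which accounts (or nested domain groups) grant admin.
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $admins = Get-LocalGroupMember -Group 'Administrators' |
              Select-Object -ExpandProperty Name
    if ($admins -contains $me) {
        $findings.Add("Current user $me is a direct member of local Administrators")
    }
    $findings.Add("Local Administrators members: $($admins -join ', ')")

    # 2. SMBv1 exposure and MS17-010. The KB list is from the MS17-010 bulletin;
    #    on Windows 10 these were cumulative updates and are replaced by newer
    #    ones, so also compare the build revision (UBR) against the March 2017
    #    release for that branch: 1507=10240.17319, 1511=10586.839, 1607=14393.953.
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        $findings.Add('SMBv1 server protocol is enabled (EternalBlue vector open if unpatched)')
    }
    $ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
                    'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')
    $hasKb = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR
    $minUbr = @{ 10240 = 17319; 10586 = 839; 14393 = 953 }
    $buildPatched = $false
    if ($minUbr.ContainsKey($build)) {
        $buildPatched = ($ubr -ge $minUbr[$build])
    } elseif ($build -gt 14393) {
        $buildPatched = $true   # branches released after March 2017 ship with the fix
    }
    if (-not $hasKb -and -not $buildPatched) {
        $findings.Add("No MS17-010 KB found and build $build.$ubr predates the fix: patch immediately")
    } elseif (-not $hasKb) {
        $findings.Add("No MS17-010 KB listed, but build $build.$ubr is at or above the March 2017 level")
    }

    # 3. Plaintext credential caching. On Windows 8.1/Server 2012 R2 and later
    #    a missing UseLogonCredential value means WDigest caching is already off;
    #    a value of 1 re-enables it. Credential Guard (SecurityServicesRunning
    #    contains 1) additionally isolates hashes from LSASS.
    $wd = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
                           -Name UseLogonCredential -ErrorAction SilentlyContinue
    if ($wd -and $wd.UseLogonCredential -eq 1) {
        $findings.Add('WDigest UseLogonCredential=1: plaintext passwords are cached in LSASS')
    }
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not ($dg -and $dg.SecurityServicesRunning -contains 1)) {
        $findings.Add('Credential Guard is not running: stolen NTLM hashes remain usable for lateral movement')
    }

    return $findings
}

Test-NotPetyaExposure | ForEach-Object { Write-Output "[audit] $_" }
```

Run it across a fleet with Invoke-Command and the findings become the raw material for the review Honan calls for: hosts where the current user is a direct administrator, SMBv1 is still on, or WDigest caching has been re-enabled are the ones on which a single infected machine can become a network-wide outbreak.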

Some companies, such as Maersk, did direct business with Ukraine, which would explain how the malware got onto their systems, Patel added. "However, one victim we spoke to had no ties to the Ukraine at all, so it is a mystery as to how they got infected. Its spread via VPN is one possibility."

Patel also blamed a lack of resourcing as one factor in leaving some organisations more exposed. "So many companies under-resource cyber security and IT, or they outsource it. In my earlier career every company had their own IT department, now we are seeing companies forgoing that. But if you have your IT guys, it is their job to make sure things don't go wrong."

Brian Honan, independent security consultant and founder of Ireland's Computer Security Incident Response Team, agreed that enabling local admin rights, a lack of network segmentation and inadequate patching are emerging as the reasons why some organisations were more exposed than others.

Wake-up call

However, he cautioned against blaming outsourcing, adding that it's possible for a company with a large in-house IT team to be vulnerable too. "Organisations should never outsource responsibility for security," he said.

He added that although patching systems and removing local admin rights were simple steps to prevent exposure, in many enterprises it might not be as easy as it sounds. "For example, they may have legacy in-house applications that run on certain versions. And then if you patch a system, it may stop applications from running. So there is an inherent cost.

"Likewise, with local admin access there are many accounting applications that require local admin for applications to run. Also, from an IT support point of view it can be easier to allow local access rather than incur the cost of centralising it.

"Companies have to sit down and review the environments. I hate to use the phrase 'a wake-up call' as there have been so many, but hopefully after Petya and WannaCry people realise there are pretty basic things they can do to increase security and make themselves resilient against attacks." ®
