Los Angeles Times, Chicago Tribune, Wall Street Journal, San Diego Union-Tribune and New York Times among titles affected by virus causing printing and distribution. Reportedly, the virus affected back-end production systems.
Was this a targeted attack? If so, what was the goal? Could an attacker alter and print content?
We have very little detail on the attack, but most likely this was a targeted attack and probably the initial infection was due to a user clicking on a phishing link in an email. Let's consider what controls could possibly prevent the attack in this scenario.
- User security awareness training may have prevented the user from clicking on the link in the first place.
- An email scanning service may have blocked the email or rendered the phishing link harmless.
- A firewall with up to date threat analysis may have blocked the domain the phishing link directs to. Or subsequent C2 traffic would have made the malware impotent.
- Similar for a secure web proxy.
- A malware analysis engine may have blocked the malware from being downloaded, for example malware analysis in a secure web proxy, firewall or standalone engine.
- Endpoint protection, either standard anti-virus or next gen endpoint protection.
- DNS filtering may have blocked a malicious domain, such as Cisco Umbrella or Akamai Threat Prevention. It may have defeated the initial download or blocked subsequent C2 traffic.
- Better detection, such as SIEM with threat intelligence.
- Improved response.
- Network segmentation to prevent lateral movement within the network.
- Privilege access management.
Actually, the more I think about this, and without knowing the specifics, there's a whole raft of controls that could conceivably have prevented this attack.