Be prepared for aggressive ransomware
What a couple of weeks of astonishing news we have had. Storms Dudley, Eunice and Franklin struck the UK with some considerable force, causing serious travel, power and associated infrastructure issues – four days of power outages for many people in the sticks, draining even a new Apple Mac Powerbook’s (£3k to you Ma’am) battery and prompting a rush to buy small petrol generators (who knew how small they could be?).
Of course, all the while a much bigger storm was gathering as Russia massed troops on the Ukrainian border whilst blatantly lying about the deployment and its intent, culminating in an invasion in the early hours of the 24th of February 2022.
Although the military activity is reminiscent of WWII, looking very old school and no doubt terrifying to the innocent population of Ukraine, it has been backed up by an enormous number of aggressive cyber attacks directed at Ukraine, together with the infrastructure and systems of other nation states and businesses not supporting Russia – i.e. just about everyone except China, Iran, Donald Trump and even, to a certain extent, Nigel Garage (this is true).
All of us who remember the fallout from the system failures caused by the WannaCry ransomware in 2017 (for instance at the NHS, which was not a direct target but was running old versions of Microsoft Windows) or by the NotPetya global ransomware (also 2017), which floored many large manufacturing facilities (no pun intended), must be sounding alarm bells to our customers, colleagues, family and friends, informing them to be very concerned.
Over this weekend the (always misspelt) massively successful ransomware / organised crime / possibly government-associated hacking outfit Conti announced the following in a blog post:
Threats are commonplace in the world of cyber and often amount to nothing; however, we at Tiberium think that this one deserves to be taken very seriously. It is even written in the style of the Supreme Leader himself.
Our Chief, Drew Perry, posted the following important advice on LinkedIn at the weekend, which we would like to take a few minutes to explain.
Scan your perimeter for open RDP or management ports and close them
Other than phishing attacks, access to networks via misconfigured, old, unknown, possibly undocumented and unpatched systems accessible from the Internet is a major vector used by criminals to get into your network.
Typically these are old remote access (RDP) servers which may have been used for administrative access by third parties supporting printing systems or business applications.
Web, Mail, DNS servers together with unpatched routers are also targets of choice.
The bad guys test for these systems automatically – at the speed of script – so expect attacks in droves against any you have in the coming days, weeks and months. If you are interested in Internet-wide scanning, this article is eye opening.
If you do not already have a scanning solution or service, many are available. If you don’t know where to begin, please see ‘Ask For Help’ below.
Try and patch
If you identify Internet facing systems, you must patch them. If, for whatever reason, you cannot patch them, we would urge you to turn them off until you can.
Brute force and password spray attacks on Internet-facing system accounts are very common and mostly go undetected, especially if local credentials are used. Multi-factor authentication is a must on these systems.
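The two patterns above leave different fingerprints in failed-logon telemetry: brute force is many failures against one account from one source, a password spray is one or two failures against many accounts from one source, which per-account lockout thresholds never trip. The following detector is an added example, not code from the original post or from Tiberium; the log format, thresholds and the sample lines are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon lines in a generic format (not taken from any real system or the post).
SAMPLE_LOG = """\
2022-02-27T01:00:05Z AUTH_FAIL src=203.0.113.7 user=alice
2022-02-27T01:00:09Z AUTH_FAIL src=203.0.113.7 user=bob
2022-02-27T01:00:14Z AUTH_FAIL src=203.0.113.7 user=carol
2022-02-27T01:00:20Z AUTH_FAIL src=203.0.113.7 user=dave
2022-02-27T01:00:25Z AUTH_FAIL src=203.0.113.7 user=erin
2022-02-27T01:02:00Z AUTH_FAIL src=198.51.100.9 user=admin
2022-02-27T01:02:01Z AUTH_FAIL src=198.51.100.9 user=admin
2022-02-27T01:02:02Z AUTH_FAIL src=198.51.100.9 user=admin
2022-02-27T01:02:03Z AUTH_FAIL src=198.51.100.9 user=admin
2022-02-27T01:02:04Z AUTH_FAIL src=198.51.100.9 user=admin
2022-02-27T01:02:05Z AUTH_FAIL src=198.51.100.9 user=admin
2022-02-27T03:15:00Z AUTH_FAIL src=192.0.2.44 user=grace
2022-02-27T09:40:00Z AUTH_FAIL src=192.0.2.44 user=grace
"""
LINE_RE = re.compile(r"^(\S+) AUTH_FAIL src=(\S+) user=(\S+)$")

def parse_failures(text):
    """Return (timestamp, source, account) tuples in time order; unmatched lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3)))
    return sorted(rows)

def classify_sources(failures, window=timedelta(minutes=10), spray_accounts=5, brute_attempts=6):
    """Label each source IP: 'brute' (many failures on one account), 'spray' (few failures
    across many accounts) or None. A sliding window keeps slow, spread-out failures quiet."""
    by_src = defaultdict(list)
    for ts, src, user in failures:
        by_src[src].append((ts, user))
    verdicts = {}
    for src, events in by_src.items():
        verdict, start = None, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # drop events older than the window
                start += 1
            per_account = Counter(user for _, user in events[start:end + 1])
            if max(per_account.values()) >= brute_attempts:
                verdict = "brute"
            elif verdict is None and len(per_account) >= spray_accounts:
                verdict = "spray"
        verdicts[src] = verdict
    return verdicts
```

Run `classify_sources(parse_failures(SAMPLE_LOG))` to get a verdict per source; tune the window and thresholds to your own baseline before alerting on them.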
Implement best practice Office 365 phishing protection, enable conditional access
If you are an Office 365 customer, the platform has built-in features which can be enabled to provide a high degree of security and protection against phishing and other attacks.
Implement ASR rules on endpoints
If you are a Microsoft Defender for Endpoint or Microsoft 365 Defender customer, implement Attack Surface Reduction (ASR) rules.
You cannot protect against adversaries and attacks that you cannot see, track or measure. Monitoring of both external and internal systems, together with appropriate protection and remediation (automated where possible), is an absolute imperative to defend your organisation effectively.
Ask For Help when needed
If you do not have the resources, internal systems, experience or skills available to implement the above, we recommend that you ask for the help of your security, managed service or specialist partners promptly.
If you are not a Tiberium customer, we would be happy to provide you with straightforward advice about any of these issues and whilst we obviously like to bring you on board, our advice does come with strings attached.
Tiberium provides managed security services built on and supported by Microsoft technology. Our FROST and MYTHIC services provide visibility, alerting, communications and highly automated remediation of security incidents underpinned by our expert team of engineers and threat hunters.
If you are a Tiberium customer, our systems and best practice configurations are already protecting you; however, we welcome any opportunity to discuss any issues you may have.
Feel free to contact us.
Games Without Frontiers is a song released by Peter Gabriel in 1980. Unfortunately there is no such thing as a ‘War without tears’.
Wishing everyone affected by the Ukrainian conflict the best.
In very recent news, Alon Gal, the CTO of Hudson Rock, posted the following on LinkedIn: