Trouble In The Water – 8 ways to reinforce security
As the Western world steps forward to impose sanctions on Russia following the outbreak of war in Ukraine, retaliatory measures in cyberspace from both Russian government-affiliated groups and other malicious actors targeting Western countries are to be expected, including cyberattacks against Switzerland, as highlighted by the Swiss National Cyber Security Centre (NCSC).
Expected scenarios include, among others, increased sabotage attempts against critical infrastructure, targeted cyber espionage operations and ransomware attacks against private and public sector actors. Besides the intended targets, any organization, whatever its size, can be used as a stepping stone to reach a specific victim, or can simply suffer collateral damage.
Even though, to date, there has been no notable increase in cyberattacks against Western countries from Russian government-affiliated groups, the invasion of Ukraine has added a few tangible threats to an already chaotic cyber threat environment, such as:
HermeticWiper (malware): recent attacks against Ukrainian targets included HermeticWiper, a purely destructive malware, which according to the reports at the time hit Ukrainian organizations including the banking sector (PrivatBank, the country’s largest state-owned bank, and Sberbank were named). The name comes from the code-signing certificate issued to “Hermetica Digital Ltd” with which the binary was signed. HermeticWiper abuses a legitimately signed partition-management driver to corrupt the Master Boot Record and partition tables and to overwrite files, then forces a reboot so that the machine can never boot again, leaving it totally unusable. So far, HermeticWiper has only been observed in attacks tied to Ukraine.
DDoS attacks: According to the State Special Communications Service of Ukraine, more than 3,000 DDoS attacks have already taken place since the wave began on February 15. The attacks targeted the Ministry of Defense, Ukraine’s Armed Forces, the Ministry of Foreign Affairs, Ukrainian Radio, PrivatBank and Oschadbank.
Phishing attacks by Ghostwriter (aka UNC1151): Another cluster of threat activity concerns webmail users of ukr.net, yandex.ru, wp.pl, rambler.ru, meta.ua and i.ua, who have been on the receiving end of credential phishing by a Belarusian threat actor tracked as Ghostwriter (aka UNC1151). Over the past week the group has also run credential phishing campaigns against Polish and Ukrainian government and military organizations.
China-based threat actors: It is not only Russia and Belarus that have set their sights on Ukraine and Europe. A China-based threat actor known as Mustang Panda (aka TA416 or RedDelta) has attempted to plant malware in targeted European entities using lures related to the invasion of Ukraine. Another Chinese-speaking threat actor, Scarab, has been linked to a custom backdoor dubbed HeaderTip used in a campaign targeting Ukraine. Cyberattacks against NATO countries originating from Chinese IP addresses have increased by 116% since Russia invaded Ukraine on February 24.
Website Defacement: A second round of website defacements targeting Ukrainian public institutions began shortly after February 23, following a first round that started around January 13, in which some 15 Ukrainian government websites were defaced, including those of the Ministry of Foreign Affairs, the Cabinet of Ministers and the Treasury. Ukraine’s CERT said the attackers got in by exploiting a months-old vulnerability in OctoberCMS, the Laravel-based content management system behind the sites (CVE-2021-32648, an authentication bypass through the password-reset function that had been patched in 2021). Unpatched web content management systems remain one of the easiest ways into a public-facing site.
In light of these recent events, and as requested by several of our clients, we have put together a series of practical recommendations based on the advice of various government agencies and private companies (CISA, ANSSI, SANS, NCSC UK, etc.) on the steps to take to adopt a proactive posture and protect your organization under a heightened cyber threat level.
Here are 8 ways to reinforce your security!
Check your system patching, especially against the known exploited vulnerabilities identified by CISA.
Ensure your users’ desktops, laptops, mobile devices and internet-facing services are all patched against the vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, including third-party software such as browsers and office productivity suites. Treat the catalog’s “due date” as the latest acceptable remediation date. If possible, turn on automatic updates.
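As an added illustration of this check (example code written for this article, not a CISA tool or the page’s own script), the following script matches an asset inventory against the KEV catalog and lists the entries that are not yet remediated, overdue ones first. The catalog sample and the inventory are constructed: the sample keeps the field names of the real feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction) and uses genuine KEV CVE identifiers, but its dates and descriptions are illustrative, and the inventory format is an assumption about what a CMDB or patch-management export might look like. The feed URL is CISA’s, but the script runs offline on the sample unless you call fetch_catalog() yourself.

```python
import json
import urllib.request
from datetime import date

# Location of the real catalog. Not fetched here: the example runs offline
# on SAMPLE_CATALOG, a constructed document in the same shape.
KEV_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
           "known_exploited_vulnerabilities.json")

# Constructed sample. CVE IDs are genuine KEV entries; dates/text are
# illustrative and not copied from the live feed.
SAMPLE_CATALOG = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft", "product": "Exchange Server",
         "vulnerabilityName": "Microsoft Exchange Server Remote Code Execution Vulnerability",
         "dateAdded": "2021-11-03", "dueDate": "2021-04-16",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2019-11510", "vendorProject": "Pulse Secure", "product": "Pulse Connect Secure",
         "vulnerabilityName": "Pulse Connect Secure Arbitrary File Read Vulnerability",
         "dateAdded": "2021-11-03", "dueDate": "2022-04-15",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed asset inventory (assumed CMDB / patch-management export);
# 'remediated' holds the CVEs the patch tooling reports as fixed on that host.
SAMPLE_INVENTORY = [
    {"host": "mx01", "vendor": "Microsoft", "product": "Exchange Server",
     "remediated": {"CVE-2021-26855"}},
    {"host": "vpn-gw", "vendor": "Pulse Secure", "product": "pulse connect secure",
     "remediated": set()},
    {"host": "app01", "vendor": "apache", "product": "Log4j2", "remediated": set()},
    {"host": "ws-042", "vendor": "Mozilla", "product": "Firefox", "remediated": set()},
]


def fetch_catalog(url=KEV_URL, timeout=30):
    """Download the live catalog (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["vulnerabilities"]


def load_catalog(raw_json):
    """Parse a catalog document (JSON string) into its list of entries."""
    return json.loads(raw_json)["vulnerabilities"]


def _norm(name):
    # Case- and whitespace-insensitive comparison of vendor/product names.
    return " ".join(name.lower().split())


def kev_exposure(catalog, inventory, today_iso):
    """Inventory/KEV pairs not yet remediated, overdue ones first.

    Matching is on normalised vendor and product names. KEV carries no
    affected-version data, so the inventory's remediation status decides."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for entry in catalog:
            if _norm(entry["vendorProject"]) != _norm(asset["vendor"]):
                continue
            if _norm(entry["product"]) != _norm(asset["product"]):
                continue
            if entry["cveID"] in asset["remediated"]:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"], "cve": entry["cveID"],
                "name": entry["vulnerabilityName"], "dueDate": entry["dueDate"],
                "overdue": today > due, "action": entry["requiredAction"],
            })
    # ISO dates sort chronologically as strings.
    findings.sort(key=lambda f: (not f["overdue"], f["dueDate"]))
    return findings


if __name__ == "__main__":
    for f in kev_exposure(load_catalog(SAMPLE_CATALOG), SAMPLE_INVENTORY, "2022-03-01"):
        flag = "OVERDUE" if f["overdue"] else "due"
        print(f'{f["host"]:8} {f["cve"]:16} {flag:8} {f["dueDate"]}  {f["name"]}')
```

The name matching is deliberately exact after normalisation: KEV product names are free text rather than CPE identifiers, so expect to maintain a small mapping from your inventory’s naming to the catalog’s, and confirm each hit against the vendor advisory before closing it.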
Verify access controls
Ensure multi-factor authentication (MFA) is enabled on systems and user accounts according to your policies, preferring phishing-resistant methods such as FIDO2 security keys, in particular for administrative accounts and remote access.
Increase your overall level of vigilance and alertness
Increase your overall vigilance and alertness towards security event correlation, and make sure all critical logs, such as those from VPN entry points, Remote Desktop connections, domain controllers and hypervisors, are actually reviewed.
Implement outbound traffic control, including geo-blocking, to detect and block connections towards malicious IPs or untrusted domains.
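To make the two points above concrete, here is an added example (written for this article, not code from the original page or from any vendor) of the kind of detection logic a log review should run: a brute-force attempt followed by a successful VPN logon, a successful logon from an unexpected country, and allowed outbound connections to blocklisted or geo-blocked destinations. The log lines, the CIDR-to-country table and the indicator list are constructed for the example; the key=value log format is an assumption, not any specific vendor’s, and the addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an assumed key=value syslog style.
SAMPLE_LOGS = """\
2022-03-01T08:02:11Z vpn-gw auth user=alice src=203.0.113.45 result=SUCCESS
2022-03-01T08:10:01Z vpn-gw auth user=bob src=192.0.2.77 result=FAIL
2022-03-01T08:10:04Z vpn-gw auth user=bob src=192.0.2.77 result=FAIL
2022-03-01T08:10:07Z vpn-gw auth user=bob src=192.0.2.77 result=FAIL
2022-03-01T08:10:10Z vpn-gw auth user=bob src=192.0.2.77 result=FAIL
2022-03-01T08:10:13Z vpn-gw auth user=bob src=192.0.2.77 result=FAIL
2022-03-01T08:10:20Z vpn-gw auth user=bob src=192.0.2.77 result=SUCCESS
2022-03-01T08:30:00Z vpn-gw auth user=carol src=198.51.100.9 result=SUCCESS
2022-03-01T09:15:02Z fw01 conn action=allow src=10.0.5.12 dst=203.0.113.200 dport=443
2022-03-01T09:15:09Z fw01 conn action=allow src=10.0.5.12 dst=192.0.2.140 dport=443
2022-03-01T09:16:30Z fw01 conn action=allow src=10.0.7.3 dst=198.51.100.250 dport=8443
"""

# Constructed CIDR-to-country table standing in for a real GeoIP database.
GEO_TABLE = {"203.0.113.0/24": "CH", "198.51.100.0/24": "DE", "192.0.2.0/24": "ZZ"}
ALLOWED_COUNTRIES = {"CH", "DE"}
# Constructed indicator list standing in for a threat-intelligence feed.
BLOCKLIST = {"198.51.100.250"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) (?P<kv>.*)$")


def parse(line):
    """One log line -> dict, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
           "host": m["host"], "event": m["event"]}
    for field in m["kv"].split():
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def records(lines):
    return [r for r in map(parse, lines.splitlines()) if r is not None]


def country(ip):
    addr = ipaddress.ip_address(ip)
    for cidr, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return "??"


def auth_anomalies(lines, fail_threshold=5, window=timedelta(minutes=10)):
    """Flag a success preceded by >= fail_threshold failures from the same
    source within `window`, and any success from a non-allowed country."""
    fails = defaultdict(list)  # src -> timestamps of failed logons
    alerts = []
    for rec in records(lines):
        if rec["event"] != "auth":
            continue
        src = rec["src"]
        if rec["result"] == "FAIL":
            fails[src].append(rec["ts"])
            continue
        recent = [t for t in fails[src] if rec["ts"] - t <= window]
        if len(recent) >= fail_threshold:
            alerts.append(("brute-force-success", rec["user"], src, len(recent)))
        cc = country(src)
        if cc not in ALLOWED_COUNTRIES:
            alerts.append(("logon-from-unexpected-country", rec["user"], src, cc))
    return alerts


def outbound_violations(lines):
    """Allowed outbound connections that the egress policy should have stopped."""
    hits = []
    for rec in records(lines):
        if rec["event"] != "conn" or rec.get("action") != "allow":
            continue
        dst = rec["dst"]
        if dst in BLOCKLIST:
            hits.append(("blocklisted-destination", rec["src"], dst))
        elif (cc := country(dst)) not in ALLOWED_COUNTRIES:
            hits.append(("geo-blocked-destination", rec["src"], dst, cc))
    return hits


if __name__ == "__main__":
    for alert in auth_anomalies(SAMPLE_LOGS) + outbound_violations(SAMPLE_LOGS):
        print(alert)
```

Two things worth noticing in the output: bob’s logon is flagged twice (the failure burst and the source country), which is the correlation the text asks for, and the egress check reports connections the firewall *allowed*, so it is a review of the policy as much as of the traffic.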
Test your backups
Perform test restorations from your backups to ensure that the restoration process is documented, understood and rehearsed, and that restored data is complete and intact.
Ensure that there is an offline (or otherwise immutable) copy of your backups that an attacker with access to your network cannot reach, encrypt or delete.
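A test restoration is only meaningful if the restored data is compared with what was backed up. The following added example (written for this article, not the page’s or any backup vendor’s tooling) shows the minimal form of that check: a SHA-256 manifest is written at backup time, the archive is restored into a scratch directory, and every file is compared against the manifest. The demo() function builds a small constructed file tree in a temporary directory, verifies a clean restore, then verifies a second archive in which one file was altered and another removed after the manifest was taken; file names and contents are made up for the example.

```python
import hashlib
import json
import os
import pathlib
import tarfile
import tempfile


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src_dir, archive_path, manifest_path):
    """Write a gzip tar of src_dir plus a JSON manifest of file hashes."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(os.path.join(src_dir, rel), arcname=rel)
    pathlib.Path(manifest_path).write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_and_verify(archive_path, manifest_path, scratch_dir):
    """Restore into scratch_dir and compare with the manifest.
    Returns a list of problems; an empty list means the restore is good."""
    expected = json.loads(pathlib.Path(manifest_path).read_text())
    os.makedirs(scratch_dir, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        # The 'data' filter (Python 3.12, backported to 3.8.17+) rejects
        # absolute paths and '..' members, so a tampered archive cannot
        # write outside scratch_dir during the test restore.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(scratch_dir, filter="data")
        else:
            tar.extractall(scratch_dir)
    restored = build_manifest(scratch_dir)
    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    problems += [f"unexpected: {rel}" for rel in sorted(restored.keys() - expected.keys())]
    return problems


def demo():
    """Constructed end-to-end run; returns (clean_problems, tampered_problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = pathlib.Path(tmp)
        src = tmp / "src"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "policy.txt").write_text("incident response policy v3\n")
        (src / "config.ini").write_text("[db]\nhost=db01\n")

        good, manifest = tmp / "good.tgz", tmp / "manifest.json"
        create_backup(src, good, manifest)
        clean = restore_and_verify(good, manifest, tmp / "restore1")

        # Simulate silent corruption after the manifest was taken: one file
        # modified, one missing, then a new archive checked against the
        # original manifest.
        (src / "docs" / "policy.txt").write_text("incident response policy v3 (altered)\n")
        (src / "config.ini").unlink()
        bad = tmp / "bad.tgz"
        create_backup(src, bad, tmp / "ignored.json")
        tampered = restore_and_verify(bad, manifest, tmp / "restore2")
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore:", clean or "OK")
    print("tampered restore:", tampered)
```

In a real environment the manifest must be stored separately from the archive (ideally with the offline copy) so that whoever corrupts or encrypts the backup cannot also rewrite the hashes; the restore itself should be rehearsed on a system that is not the production host.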
Focus on building lasting cyber resilience
Plan for the Worst
Establish a crisis management framework, including call trees of all relevant actors for a cyberattack scenario. Keep a paper copy on hand, since the systems holding the contact list may themselves be unavailable during an incident.
Establish an up-to-date Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).
Test your incident response plans (tabletop, simulation, operational, full scale).
Tests of response plans should involve not only your security and IT teams but also senior business leadership and Board members, so that they are familiar with how the organization will manage a major cyber incident. Use the exercises to identify points of improvement and to confirm that incident response escalation routes and contact details are all up to date.
Obtain assurance regarding the information security management practices your teams follow by implementing recognized standards such as NIST SP 800-53 (with the assessment procedures of SP 800-53A), ISO/IEC 27001 and ISO 22301, and have audits performed on a regular basis.
Implement a Zero Trust architecture throughout your organization: authenticate and authorize every access request explicitly, rather than trusting a device because of where it sits on the network.
Third-party access
Verify that your critical suppliers follow sound information security practices by conducting third-party security assessments, using a trustworthy automated platform such as Supplier Shield together with the advice of expert auditors.
Check your cyber insurance coverage
Cyber-insurance policies typically contain “war exclusion” or “hostile act exclusion” clauses, under which the insurer does not cover losses arising from acts of war, a category that insurers may argue includes state-sponsored cyberattacks. Following Russia’s invasion of Ukraine and the anticipated cyber fallout, security professionals should review their cyber-insurance coverage with their insurer and legal counsel, with an eye towards coverage gaps: in particular, how the policy defines a hostile act and how attribution of an attack is handled.
Phishing and social engineering response
Ensure that staff know how to report phishing emails, and that you have a process in place to deal with every reported email.
Think before you click: more than 90% of successful cyber-attacks start with a phishing email.
Look twice before you click, and beware of homograph attacks, in which look-alike characters (for instance a Cyrillic “а” in place of a Latin “a”) make a malicious domain appear identical to a legitimate one. Things are not always what they seem!
Cybersecurity and social engineering awareness training is among the most beneficial measures for any organization. Users are often seen as the weakest link, but with the right knowledge they can be the deciding factor in whether your organization’s information systems are breached.
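Because a homograph domain is, by construction, hard for a human to spot, it is worth checking reported phishing links automatically. The following added example (written for this article, not code from the original page or from Abilene Advisors) decodes punycode (xn--) labels, flags labels that mix scripts, and compares a visual “skeleton” of the hostname with a list of protected domains. The protected domains, the confusable-character table (a small hand-picked subset; the full table is Unicode TR39) and the test hostnames are constructed for the example. It also covers the case a mixed-script check alone misses: a domain written entirely in Cyrillic look-alike letters.

```python
import unicodedata

# Domains the organisation wants to protect (constructed examples).
PROTECTED = {"example-bank.ch", "epay.example"}

# Constructed subset of look-alike letters: non-Latin letter -> the Latin
# letter it imitates. Unicode TR39 carries the complete confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
    "\u0501": "d", "\u051b": "q", "\u051d": "w", "\u03bf": "o", "\u03b1": "a",
    "\u03bd": "v",
}
# ASCII-only tricks that survive any script check.
ASCII_TRICKS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def to_unicode(host):
    """Decode punycode labels so the text a user actually sees is inspected."""
    host = host.rstrip(".")
    if host.isascii():
        try:
            return host.encode("ascii").decode("idna").lower()
        except UnicodeError:  # malformed xn-- label: inspect it as-is
            return host.lower()
    return host.lower()


def to_ascii(host):
    """Encode a Unicode hostname into its punycode wire form."""
    return host.encode("idna").decode("ascii")


def skeleton(host):
    """Collapse a hostname to what it looks like to a human reader."""
    text = unicodedata.normalize("NFKC", host).casefold()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for trick, looks_like in ASCII_TRICKS:
        text = text.replace(trick, looks_like)
    return text


def scripts_in(label):
    """Unicode scripts of the letters in one DNS label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def check_domain(host, protected=PROTECTED):
    """Findings for one hostname; an empty list means nothing suspicious."""
    findings = []
    if any(label.lower().startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")
    shown = to_unicode(host)
    if any(len(scripts_in(label)) > 1 for label in shown.split(".")):
        findings.append("mixed-script")
    skel = skeleton(shown)
    for target in sorted(protected):
        if shown != target and skel == skeleton(target):
            findings.append(f"lookalike:{target}")
    return findings


if __name__ == "__main__":
    # Constructed test hostnames; \u0435 is Cyrillic 'е', \u0440\u0430\u0443 are
    # Cyrillic 'р', 'а', 'у'.
    samples = [
        "example-bank.ch",
        "\u0435xample-bank.ch",                 # Cyrillic е + Latin: mixed script
        to_ascii("\u0435xample-bank.ch"),       # the same, as it appears in a URL
        "\u0435\u0440\u0430\u0443.example",     # all-Cyrillic 'epay': single script
        "exarnple-bank.ch",                     # 'rn' for 'm'
        "examp1e-bank.ch",                      # '1' for 'l'
    ]
    for host in samples:
        print(f"{host:40} {check_domain(host)}")
```

The skeleton comparison will produce some false positives on legitimate names (any “rn” becomes “m”), which is acceptable for triaging reported phishing links; what matters is that the all-Cyrillic case is caught by the skeleton even though it passes the mixed-script test, so neither check should be used alone.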
Keep in mind that zero risk does not exist in cybersecurity. As the Abilene Advisors Cybersecurity Report 2021 shows, working in the cybersecurity and information security sector nowadays often means being the bearer of bad news. Still, practical measures can be taken to raise your security level in the face of the ever-growing cyber risk that exists today.
Cyber resilience, like Rome, is not built in a day. But it is worth it!
How many of the recommendations above are already in place in your organization?