Summary
The US CISA, FBI, the Australian Cyber Security Centre (ACSC), the National Security Agency (NSA), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) recently released joint Security Alert AA22-040A after observing a global increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations during 2021.
While incidents were observed on a global scale, incidents in the US were observed targeting 14 of the 16 US critical infrastructure sectors, including the Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, and Information Technology Sectors.
The Alert details observed behaviors and trends as well as mitigation recommendations to help network defenders reduce their risk of compromise by ransomware.
An increase in the following behaviors and trends were observed in the previous year, to include:
- Gaining access to networks via phishing, stolen Remote Desktop Protocols (RDP) credentials or brute force, and exploiting vulnerabilities
- Using cybercriminal services-for-hire
- Sharing victim information
- Shifting away from “big-game” hunting in the United States
- Diversifying approaches to extort money
- Targeting the cloud
- Targeting managed service providers
- Attacking industrial processes
- Attacking the software supply chain
- Targeting organizations on holidays and weekends
Analysis
Potential Impact
A successful ransomware attack can cause considerable system downtime and widespread damage across an organization. An attack could lead to encryption of a significant number of devices across the domain and lead to loss of availability for these devices and operational or sensitive data, further leading to potential regulatory fines and costs associated with loss of availability and repairs.
In addition, elevation of privileges and lateral movement through a targeted network could allow attackers further access to sensitive or proprietary data for further exploitation.
And, as we have seen in the past, successful attacks targeting critical infrastructure organizations – for example, the Colonial Pipeline and Saudi Aramco – could have a significant impact on the organization itself, as well as various ripple effects on local or global economies and supply chains.
Recommendations
The FBI, CISA, ACSC, NSA, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of the Alert to mitigate the risk of compromise from ransomware attackers.
The alert provides detailed mitigation recommendations which include:
- Patch and Update Systems,
- Implement end-to-end encryption
- Implement and Enforce Backup and Restoration Policies and Procedures
- Implement Network Segmentation
- Enforce principle of least privilege through authorization policies
- Maintain offline (i.e., physically disconnected) backups of data, and regularly test backup and restoration
- Use Multi-factor authentication and use strong passwords to secure user accounts
Please refer to the alert for detailed mitigation strategies.
In addition, the FBI, CISA, ACSC, NSA, and NCSC recommend reporting suspected ransomware incidents, as well as following the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide .
Recommenda clients review the mitigation references available in the alert and apply any necessary software updates as soon as possible after appropriate evaluation and testing have been completed.
For more information and resources on protecting against and responding to ransomware, refer to StopRansomware.gov , a centralized, U.S. whole-of-government webpage providing ransomware resources and alerts.
References
https://www.cisa.gov/uscert/ncas/alerts/aa22-040ahttps://cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf
https://www.cisa.gov/stopransomware/
https://cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%2520Guide_S508C_.pdf
No comments:
Post a Comment