Last week, at least fifteen Ukrainian public institutions’ and government agencies’ websites were hacked and defaced, and the attacks were accompanied by a new malware family that Microsoft calls ‘WhisperGate’.
Microsoft warns of a new malware family, disguised as ransomware, that is being used in attacks against multiple organizations in Ukraine. Since January 13th, Microsoft has detected a destructive two-stage attack designed to intentionally destroy victims’ data. Because the malware does not offer a means to recover the maliciously encrypted data, Microsoft did not classify this as ransomware (an attack aimed at collecting a ransom payment), but rather as a deliberately destructive attack. With geopolitical tensions recently escalating between Russia and Ukraine, it is believed that the malware attacks are designed as an intimidation campaign to propagate chaos in Ukraine.
Due to the coordinated cyberattacks against Ukraine last week, the Cybersecurity and Infrastructure Security Agency (CISA) urges U.S. organizations to strengthen their cybersecurity defenses against data-wiping attacks.
“This CISA Insights is intended to ensure that senior leaders at every organization in the United States are aware of critical cyber risks and take urgent, near-term steps to reduce the likelihood and impact of a potentially damaging compromise,” warns a new CISA Insights bulletin. “All organizations, regardless of sector or size, should immediately implement the steps outlined below.”
While CISA’s recommendations are a direct response to the recent cyberattacks on Ukraine, the recommended steps are also excellent advice for any business looking to prevent a network intrusion or ransomware attack.
Reduce the likelihood of a damaging cyber intrusion:
- Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
- Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
- Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
- If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA’s guidance.
- Sign up for CISA’s free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.
Take steps to quickly detect a potential intrusion:
- Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.
- Confirm that the organization’s entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
- If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.
- Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.
- Assure availability of key personnel; identify means to provide surge support for responding to an incident.
- Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.
Maximize the organization’s resilience to a destructive cyber incident:
- Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
- If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.
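The backup-testing step above is the one most organizations skip until a wiper has already run. The following script is an added example, not code from CISA or from the article, showing one way to make that test repeatable: record a SHA-256 manifest of the critical data at backup time, restore the backup into a scratch directory, and compare the restored tree against the manifest. Any missing, extra or altered file fails the check, which is exactly the outcome a destructive attack produces if the backup was reachable from the network. The directory layout, file names and contents in `demo()` are constructed for illustration.

```python
"""Backup restore verification (added example; assumes a plain directory-tree backup)."""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    manifest: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest recorded when the backup was taken.

    Returns three sorted lists: files absent from the restore, files present only in
    the restore, and files whose contents no longer match the recorded hash.
    """
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "extra": sorted(set(actual) - set(manifest)),
        "altered": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
    }


def restore_is_clean(report: dict[str, list[str]]) -> bool:
    """A restore passes only when every category in the report is empty."""
    return not any(report.values())


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: one good restore and one where the data was damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "critical"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,alice\n")  # constructed sample data
        (src / "config.ini").write_text("[app]\nmode=prod\n")  # constructed sample data
        manifest = build_manifest(src)  # recorded at backup time

        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)

        # Restore 1: intact copy of the backup.
        good = Path(tmp) / "restore_good"
        shutil.copytree(backup, good)
        good_report = verify_restore(manifest, good)

        # Restore 2: simulate a backup that was reachable and damaged:
        # one file overwritten with zeros, one file deleted.
        bad = Path(tmp) / "restore_bad"
        shutil.copytree(backup, bad)
        (bad / "db" / "customers.csv").write_bytes(b"\x00" * 16)
        (bad / "config.ini").unlink()
        bad_report = verify_restore(manifest, bad)

    return good_report, bad_report


if __name__ == "__main__":
    good, bad = demo()
    print("intact restore clean:", restore_is_clean(good))
    print("damaged restore report:", bad)
```

In practice the manifest should be written alongside the backup and then copied to storage the backup host cannot modify (offline media or a write-once bucket), so that an attacker who reaches the backup cannot also rewrite the hashes it will be checked against; the restore test itself should run on a schedule, not only after an incident.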
Bleeping Computer January 14th Article
Bleeping Computer January 16th Article
Bleeping Computer January 19th Article