Cybercriminals have been using COVID-19 as an opportunity to activate attacks and prey on the urgency of the current situation – while using the information and access gained to plan and gain leverage for future attacks.
In the first two weeks of April 2020 alone, multiple groups have been activating dozens of ransomware deployments, having accumulated access, and maintained persistence on target networks for several months. These attacks can even be fatal, given their impact on aid organizations, medical billing companies, manufacturing, transport, government institutions and educational software providers.
- Vulnerable systems are targeted far in advance of actual attacks: Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft’s Detection and Response Team (DART) has shown that compromises which enabled these attacks occurred months earlier where attackers had infiltrated target networks and then waited silently to monetize their attacks by deploying ransomware.
- Weak systems are targeted more: To gain access to target networks, recent ransomware campaigns exploited internet-facing systems that had weaknesses such as a lack of multi-factor authentication (MFA). Hackers also went for older Windows platforms which were not updated and had weak passwords, or looked for misconfigured web servers and systems with specific existing vulnerabilities.
- Similar technique as human-operated campaigns: The attacks used the same techniques observed in human-operated ransomware campaigns: initial access, credential theft, lateral movement and persistence- culminating in the deployment of a ransomware payload. These recent attacks spread quickly throughout the network environment, affecting email identities, endpoints, inboxes, applications and more.
- Ransomware attackers don’t take days off: Attackers pay no attention to the real-world consequences of disruption in services that their attacks cause and therefore, organizations should not expect them to be concerned about anything other than disruption and potential financial reward. Human-operated ransomware attacks have shown how attackers can skillfully maneuver blocks and find other ways to move forward with their attack, and there are complex, far-reaching, and unique.
Because it can be challenging even for experts to ensure the complete removal of attackers from a fully compromised network, it’s critical that vulnerable internet-facing systems are proactively patched and that mitigations are put in place to reduce the risk of these kinds of attacks.
Respond immediately once attacked, plan prevention of further attacks
In case of an attack, organizations should immediately check network-wide if they have any alerts related to these ransomware attacks and prioritize investigation and remediation.
When an organization’s network is affected, we recommend performing the following scoping and investigation activities immediately to better understand the impact of the breach and to respond accordingly:
- Investigate affected endpoints and credentials:Identify all the credentials present at affected endpoints (points of access by end-user devices like desktops, laptops and mobile). Given the breach, assume that these credentials were available to attackers and that all associated accounts are compromised. Across software, check the event log for post-compromise logons, namely those that occur after or during the earliest suspected breach activity.
- Isolate compromised endpoints:For endpoints that have command-and-control beacons or have been lateral movement targets, these should be located and isolated. They can be located using advanced hunting queries or other methods of directly searching for related Indicators of Compromise (IOCs). Defender sources like Microsoft Defender ATP or NetFlow can then isolate identified endpoints.
- Address internet-facing weaknesses: Identify perimeter systems that attackers might have utilized to access your network. A public scanning interface such as iocan then be used to augment your own data. Systems that are known to be at-risk and endpoints without MFA should receive particular attention.
- Inspect and rebuild devices with related malware infections: Many ransomware operators enter target networks through existing malware infections. Investigate and remediate any known infections immediately and consider them as possible vectors for sophisticated human adversaries. Do check for exposed credentials, additional payloads and lateral movement before you rebuild affected endpoints or reset passwords.
Build proactive security hygiene to defend networks
As ransomware operators continue to compromise new targets, taking the proactive step to assess risk using all available tools is the best prevention strategy. Organizations should continue to enforce proven solutions such as credential hygiene, minimal privileges and host firewalls to stymie these attacks.
These are some measures that should be implemented to make networks more resilient against new breaches, reactivation of dormant implants, or lateral movement:
- Randomize your local administrator passwords using a tool such as the Local Administrator Password Solution (LAPS).
- Apply an Account Lockout Policy so that someone who attempts to use more than a few unsuccessful passwords logging onto the system will be blocked.
- Ensure good perimeter security by patching exposed systems and applying mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.
- Utilize host firewalls to limit lateral movement and prevent endpoints from communicating on TCP port 445 for SMBs. This can significantly disrupt malicious activities.
- Turn on cloud-delivered protection for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
- Follow standard security baselinesguidance for all your software. A tool like Microsoft Secure Score can also assist in measuring your security posture and recommending actions for improvement , guidance and control.
- Turn on tamper protection features to prevent attackers from stopping security services.
- Turn on attack surface reduction rules, including rules that can block ransomware activity.
With the region’s rapid digital transformation fuelled by COVID-19, organizations must be aware and prepared to reduce the risk of impending attacks. Staying vigilant with the latest preventive actions and tools and knowing how to react in case of an attack, will go a long way in safeguarding an organization’s present and future.