Cybercriminals have been using COVID-19 as an opportunity to activate attacks and prey on the urgency of the current situation – while using the information and access gained to plan and gain leverage for future attacks.
According to Microsoft’s threat protection intelligence team, in the first two weeks of April 2020 alone, multiple groups have been activating dozens of ransomware deployments, having accumulated access, and maintained persistence on target networks for several months. These attacks can even be fatal, given their impact on aid organizations, medical billing companies, manufacturing, transport, government institutions and educational software providers.
Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft’s Detection and Response Team (DART) has shown that compromises which enabled these attacks occurred months earlier where attackers had infiltrated target networks and then waited silently to monetize their attacks by deploying ransomware.
Internet-facing systems that had weak multi-factor authentication were targeted, along with Windows platforms which were not updated and had weak passwords or looked for misconfigured web servers and systems with specific existing vulnerabilities.
Because it can be challenging even for experts to ensure the complete removal of attackers from a fully compromised network, it’s critical that vulnerable internet-facing systems are proactively patched and that mitigations are put in place to reduce the risk of these kinds of attacks.
In case of an attack, Microsoft has recommend performing the following scoping and investigation activities immediately to better understand the impact of the breach and to respond accordingly:
Investigate affected endpoints and credentials
Identify all the credentials present at affected endpoints (points of access by end-user devices like desktops, laptops and mobile). Given the breach, assume that these credentials were available to attackers and that all associated accounts are compromised. Across software, check the event log for post-compromise logons, namely those that occur after or during the earliest suspected breach activity.
Isolate compromised endpoints
For endpoints that have command-and-control beacons or have been lateral movement targets, these should be located and isolated. They can be located using advanced hunting queries or other methods of directly searching for related Indicators of Compromise (IOCs). Defender sources like Microsoft Defender ATP or NetFlow can then isolate identified endpoints.
Address internet-facing weaknesses
Identify perimeter systems that attackers might have utilized to access your network. A public scanning interface such as io can then be used to augment your own data. Systems that are known to be at-risk and endpoints without MFA should receive particular attention.
Inspect and rebuild devices with related malware infections
Many ransomware operators enter target networks through existing malware infections. Investigate and remediate any known infections immediately and consider them as possible vectors for sophisticated human adversaries. Do check for exposed credentials, additional payloads and lateral movement before you rebuild affected endpoints or reset passwords.
Build proactive security hygiene to defend networks
As ransomware operators continue to compromise new targets, taking the proactive step to assess risk using all available tools is the best prevention strategy. Organizations should continue to enforce proven solutions such as credential hygiene, minimal privileges and host firewalls to stymie these attacks.
There are also some measures that should be implemented to make networks more resilient against new breaches, reactivation of dormant implants, or lateral movement:
>Randomize your local administrator passwords
> Apply an Account Lockout Policy so that someone who attempts to use more than a few unsuccessful passwords logging onto the system will be blocked.
> Ensure good perimeter security by patching exposed systems and applying mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.
> Utilize host firewalls to limit lateral movement and prevent endpoints from communicating on TCP port 445 for SMBs. This can significantly disrupt malicious activities.
>Turn on cloud-delivered protection for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
> Follow standard security baselines guidance for all your software.
>Turn on tamper protection features to prevent attackers from stopping security services.
>Turn on attack surface reduction rules, including rules that can block ransomware activity.