SANS NewsBites

Remote Access Malware Used to Attack Aviation Industry; Detailed CISA Guidance on Cleaning Up After SolarWinds; “Zero Trust” Requires Mature Processes and Skills Be In Place First

May 18, 2021  |  Volume XXIII - Issue #39

Top of the News


2021-05-14

RAT Campaign Targeting Aviation and Travel Organizations

A malware campaign is targeting aviation and travel companies and infecting IT systems with remote access trojans (RATs). The campaign is using spear-phishing emails to gain an initial foothold in the systems. The malware harvests screenshots, keystrokes, browser data, and other information.

Editor's Note

As things start to open up, and users are starting to plan travel and vacations, we need to double down on both awareness training and implementation of technical controls. Beyond reminding users to be careful with unknown attachments and links, think twice about unusual requests received via email. Also, make sure that your anti-phishing tools are enabled and working, and add tools to check attachments and URLs before they get to the end-user. If you don’t have these tools, make sure that you don’t have existing options which can be enabled/licensed before looking to external sources.

Lee Neely

I feel like it is time for two high level reminders: (1) damaging malware attacks that steal information without trying for a ransom payment are still active, even though the press coverage focuses largely on the “exciting” ransomware attacks; and (2) the front end of both “OG” malware and ransomware attacks use the same initial phishing to exploit reusable credentials, similar malware insertion, etc. steps and require the same essential security controls to reduce risk. Use the hype to get backing to make changes that protect information overall.

John Pescatore

If an enterprise is a "target of choice," strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) may not be sufficient protection but it may well be enough to remove the enterprise from the "target of opportunity" population. While it cannot prevent users from clicking on bait, it does resist reuse of passwords. The almost universal use of mobiles has reduced both its cost and its inconvenience. It is effective, efficient, and broadly applicable.

William Hugh Murray

2021-05-17

CISA SolarWinds Eviction Guidance

The US Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has published Eviction Guidance for Networks Affected by SolarWinds and AD/M365 Compromise. The guidance provides step-by-step instructions for removing the “adversary from compromised on-premises and cloud environments.”

Editor's Note

This is a comprehensive approach to resolving and removing the adversary from systems impacted by the SolarWinds compromise. This is also a resource-intensive and prescriptive process; read the whole thing before starting to implement it. If you have Orion, walk through the guidance to make sure you have your bases covered. Verify you have adequate protections and assurances that you’re not currently compromised and can detect/respond to future actions.

Lee Neely

2021-05-17

DISA’s Zero Trust Reference Architecture

The US Defense Information Systems Agency (DISA) has released version 1.0 of the Department of Defense’s (DoD’s) Zero Trust Reference Architecture. The document is designed to ensure that DoD will have a common guide to “a more secure, coordinated, seamless, transparent, and cost-effective IT architecture that transforms data into actionable information and ensures dependable mission execution in the face of a persistent cyber threat.”

Editor's Note

Jump to page 17 and look at the DISA Zero Trust Maturity model. The Preparation and Baseline Phases basically require that you have implemented all of the Center for Internet Security Critical Security Controls – including multi-factor authentication and sensitive data encryption. To achieve “zero trust” you have to first have a trustable infrastructure as the foundation; it cannot be sprayed onto systems/processes that don’t have the basic controls and skills in place.

John Pescatore

This architecture builds on the existing DOD ICAM reference architecture which is key to implementation. It also includes a maturity model you can leverage when planning your Zero Trust architecture and implementation. Be sure to understand the concepts, tenets, and required capabilities before attempting to implement.

Lee Neely

The Rest of the Week's News


2021-05-17

Ireland’s Health Services Executive and Department of Health Hit with Ransomware Attacks

Ireland’s Health Services Executive (HSE) suffered a ransomware attack on May 13. HSE shut down most major IT systems after discovering the attack; healthcare providers have been unable to access patients’ electronic health records. HSE is beginning to restore its IT systems. Ireland’s Department of Health has been hit with a similar attack, but managed to avoid having files encrypted.

Editor's Note

The HSE has been hit by the Conti ransomware, and the Wizard Spider cybercrime gang is most likely behind this attack. This is a double extortion attack whereby there is a ransom demand to decrypt the data but also a demand to prevent the stolen data from being released onto the web. The Irish government has stated they will not pay the ransom, which in my opinion is the right approach. This is a despicable attack impacting on the provision of health services to patients. Paying ransoms is not going to rid us of the scourge of ransomware attacks. We now need governments worldwide to wake up to the threat these criminals pose to organizations, to our societies, our economies, and the lives of innocent people and to work together to rid us of this threat.

Brian Honan

Read more in

HSE: HSE Cyber Security Incident

NCSC: Ransomware Attack on Health Sector - UPDATE (PDF)

Silicon Republic: What’s going on with the HSE cyberattack?

Irish Central: Irish Health Department victim of fresh cyberattack

Irish Times: Department of Health hit by cyberattack similar to that on HSE

Bleeping Computer: Conti ransomware also targeted Ireland's Department of Health

ZDNet: Ransomware: 'We won't pay ransom,' says Ireland after attack on health service

The Register: Hospitals cancel outpatient appointments as Irish health service struck by ransomware

Ars Technica: Ireland’s health care system taken down after ransomware attack

Bleeping Computer: Irish healthcare shuts down IT systems after Conti ransomware attack

Cyberscoop: Irish Prime Minister says government won't pay ransom after hack forces hospitals to alter services


2021-05-17

AXA Asian Operations Hit with Ransomware Attack

AXA, the French insurance company that recently said it would no longer write policies to cover ransomware payments, says that its Asia Assistance division was hit with a ransomware attack. The incident affects operations in Thailand, Malaysia, Hong Kong, and the Philippines.

Editor's Note

While the trend for cyber insurance carriers like AXA to not cover ransomware/extortion is focused in France, this attack is not necessarily connected to that. Ransomware payouts have advanced to the point where cyber insurers are actually losing money, so expect them to continue to manage that liability by not issuing new policies and likely changing the terms for existing policies upon renewal. The extortion threat includes a promise not only to leak the pilfered data but also to execute a DDoS attack against AXA. The question is, will threats of increased attacks coupled with data release reverse trends to stop payments? Keep an eye on this to gauge your response if you wind up in the victim’s shoes.

Lee Neely

This comes at the time when AXA announced that it will no longer pay for ransom as part of its cyber insurance policies. These insurance payments have fueled the rise of ransomware and just maybe, this attack was retribution for the announcement.

Johannes Ullrich

Several layers of irony here, as Reuters has reported that Colonial Pipeline had cyberinsurance policies in place and one of the insurance carriers was AXA.

John Pescatore

The insurance industry has a responsibility to ensure that their products do not create a "moral hazard." AXA has rightly concluded that covering ransomware has the potential to create such a risk.

William Hugh Murray

2021-05-17

Toshiba Tec Group Subsidiaries Hit with Ransomware Attack

European subsidiaries of Toshiba Tec Group were reportedly hit with ransomware. As a precaution, Toshiba Tec Corp severed network connections between Japan and Europe. The company manufactures barcode scanners, point-of-sale systems, and other equipment.


2021-05-17

DarkSide Disappears

The DarkSide group, which is believed to be responsible for the ransomware attack that caused the Colonial Pipeline shutdown, says it is ceasing operations. DarkSide claims to have lost access to its servers and that its cryptocurrency funds had been seized.

Editor's Note

One should not take announcements like this too seriously. They may come back in a couple of months under a different name. Until the pipeline breach, DarkSide had been pretty good about staying out of the news. They are likely trying to move back out of the limelight to the "dark side."

Johannes Ullrich

The BitMix cryptocurrency mixing service used by the Avaddon, DarkSide, and REvil ransomware operators to “wash” their funds has also allegedly ceased operation. The leaders of the DarkSide group are closely tied to the REvil gang, which just announced they were putting restrictions on what kinds of organizations their affiliates could hold for ransom, prohibiting “social sector” (healthcare and educational institutions) and “gov-sector” of any country as well as requiring affiliates to get approval before infecting victims. While well intended, the affiliates, including DarkSide, will more likely switch to a different platform with fewer restrictions.

Lee Neely

Don’t get too excited; they are not shutting down and leaving cybercrime, they are simply transitioning to a new identity that will be harder for law enforcement to track. I also thought it was interesting to see DarkSide’s statement that they would not target specific industries (healthcare, education, etc.). In some ways that is good business as it can help keep them under the radar. However, even if they followed such ethical guidelines (which I doubt), others will not. In addition, cyber criminals are human and make mistakes; they can and will accidentally infect unintended targets.

Lance Spitzner

2021-05-17

UK Government Seeks Input on Digital Supply Chain Security

The UK government’s Department for Digital, Culture, Media and Sport (DCMS) is seeking input regarding measures to improve cybersecurity for digital supply chains and IT managed service providers. DCMS has opened a survey and will be accepting responses through July 11, 2021.

Editor's Note

Hold suppliers accountable for what they distribute.

William Hugh Murray

2021-05-17

TSA Role in Pipeline Security is Scrutinized

The Colonial Pipeline ransomware attack has prompted lawmakers and government officials to revisit the Transportation Security Agency’s (TSA) role in regulating natural gas pipeline cybersecurity. While TSA has oversight of pipeline security, the agency’s pipeline security office is meagerly staffed and has established only voluntary assessments. In contrast, the electricity sector is subject to mandatory audits and fines for not meeting standards. Legislators have introduced a bill that aims to strengthen pipeline security. (Please note that the WSJ story is behind a paywall.)


2021-05-17

Eufy Security Camera Bug Exposed Users’ Video Streams

Some users of Eufy security cameras have reported that when they signed into their accounts, they were able to access other users’ accounts, allowing them to view both live and recorded video. Users also reported being able to control others’ cameras. Eufy says the bug has been fixed, and that users need to unplug and reconnect their devices and log out of the Eufy security app and log in again.

Editor's Note

Good lesson for anybody who blindly trusts access controls that you don't have any insight into or that you are not able to review (for example, cloud providers). Assume they will break eventually. For security cameras specifically: they should not be placed in personal spaces or rooms where confidential information is discussed. (For home security, it is best to keep them outside.)

Johannes Ullrich

2021-05-17

Bizarro Banking Trojan

A banking trojan is being used to harvest online banking credentials for dozens of financial institutions in South America and Europe. Known as Bizarro, the malware targets Android mobile devices. It kills browser processes and disables autocomplete, forcing users to log in to accounts so it can harvest credentials. Bizarro also has the capacity to hijack bitcoin wallets.

Editor's Note

Beware of over-permissioned applications. Beyond only installing applications from the vendor (Google/Apple) or enterprise app store, review your devices regularly and remove unused applications. Keep the remaining apps and OS updated. Replace devices before the vendor stops providing regular OS and Security updates.

Lee Neely

2021-05-17

Volue’s Exemplary Transparency in Face of Ransomware Attack

Norwegian technology company Volue has been praised for its transparency regarding a ransomware attack that infected its systems earlier this month. Volue has posted daily updates about the attack and the company’s recovery process. The company has also provided email addresses and phone numbers for its CEO and CFO so customers can contact them directly with questions.

Editor's Note

Here is a model of external communication during an incident which you should compare with your current communication model and adjust where necessary. Take hints from Volue’s web site below – frequency of update, contact information and communication in the relevant languages of their customers.

Lee Neely

Internet Storm Center Tech Corner

"Open" Access to Industrial Systems Interfaces is Also Far From Zero

https://isc.sans.edu/forums/diary/Open+Access+to+Industrial+Systems+Interface+is+Also+Far+From+Zero/27418/


Ransomware Defenses

https://isc.sans.edu/forums/diary/Ransomware+Defenses/27420/


Newly Observed PHP-based skimmer shows ongoing Magecart Group 12 activity

https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/


Google/Mozilla collaborating on HTML Sanitizer API

https://wicg.github.io/sanitizer-api/#sanitizer-api


Malicious Rust Macro for VSCode

https://github.com/lucky/bad_actor_poc


Exim PoC Released

https://adepts.of0x.cc/exim-cve-2020-28018/


AXA Stops Ransomware Payments

https://www.insurancejournal.com/news/international/2021/05/09/613255.htm


http.sys Proof of Concept

https://github.com/0vercl0k/CVE-2021-31166


SANS Technology Institute Research Journal

https://www.sans.edu/cyber-research