SANS Russian Cyber Attack Escalation in Ukraine Webcast and Resource Center; Russian Uses of Malware as Part of Invading Ukraine Will Spillover, Check and Upgrade Defenses; Coalition Will Act as a Force Multiplier for Nonprofit Security Organizations; Irish Ransomware Incident Costs Exceed €100m, Much More Than Cost to Avoid

Currently, these attacks appear to be targeting systems in the Ukraine. But don't feel too safe if you are not connected to the Ukraine. As NotPetya and other events have shown, malware like this easily spills over.

Johannes Ullrich

It is not a huge surprise that both kinetic and cyber-attacks are being leveraged against the Ukraine. The wiper has been dubbed “HermeticWiper” because the certificate which signs it was issued to “Hermetica Digital Ltd.” Note that it has also been found in Lithuania and Latvia, seemingly targeting financial institutions and government contractors. The ransomware feint is reminiscent of the WhisperGate wiper previously targeting the Ukraine. Even so, user awareness, content filtering, and other ransomware defenses are still relevant to reducing the likelihood of a successful compromise.

Lee Neely

SANS gave one the founders of one of the organizations, #ShareTheMicInCyber, a SANS Difference Makers award in 2021 and has long been a supporter of the Center for Internet Security. There is a lot of good and meaningful progress in cybersecurity being driven by non-profits, this coalition can act as a force multiplier for future efforts.

John Pescatore

This is an incredible gathering of expertise and resources. This is a collection of free services you can leverage, and augments resources provided by others such as the CISA. The initial focus is on raising awareness of the services offered and how you can leverage them. If you’re curious about the composition of the coalition, the last three pages of the press release below describe each of the members and what they bring to the table.

Lee Neely

It should be very clear by now that the cost of a ransomware attack is not limited to the ransom payment itself (if you decide to pay in the first place). The response and recovery from a ransomware attack includes many other variables that will increase the cost exponentially. I hope that by now all the NewsBites readers have bought in to investing in testing, measuring, and improving their security controls (people, process, and technology) before the inevitable breach. We call this culture “operating under assumed breach.”

Jorge Orchilles

Read that number and remember it doesn’t include security improvements or other costs to patients, including any loss of life which resulted from the downtime. Now make sure your recovery plans include obtaining funding for security improvements, as well as lack of, or reduction to, customer business during the recovery.

Lee Neely

Folks, remember HSE never paid a ransom; they obtained the decryption key for free. The biggest costs to ransomware is not the ransom, but costs to no longer be able to function, costs to reputation, costs to recover, legal fees, etc. Anytime someone is paying a ransom, you can exponentially increase that number to determine the real costs. And those costs are just financial. What about costs to people’s health, jobs, family life, and emotional state?

Lance Spitzner

People keep asking, “What can I do?” While there is little you can do to help people in Ukraine right now, you should be able to find the time today to double check your router/firewall (not just Watchguard). Make sure it is up to date, uses strong authentication and that its admin interface is not exposed to the public. Compromised routers are a valuable commodity even for state actors not just to launch DoS attacks, but also to use as proxies for targeted attacks.

Johannes Ullrich

Yes, this the same Sandworm group that released the NotPetya malware. Cyclops Blink leverages a firmware update weakness which allows it to persist across firmware updates on WatchGuard devices. WatchGuard has published updates to Fireware that address the vulnerability. It is expected that other manufacturer devices will also be targeted. The best mitigation is to disable remote management of your router/firewall and keep the firmware updated.

Lee Neely

Expect threat actors to target health and government systems for members of the NATO alliance in response to the sanctions issued. Heightened awareness is called for, panic is not. Make sure that you are taking steps to ensure your cyber posture is strengthened. Leverage active monitoring, immutable backups, strong authentication and DDOS protections. Update and verify contact information for responders and key management staff. Finish up those BC/DR plans you’ve been updating to include new services or functions implemented in the last two years.

Lee Neely

The threat intelligence feeds consumed by the Firepower platform depend on the SSL certificate. The certificate authority is being decommissioned March 6th, so postponing can make Monday March 7th a really bad day. The Firepower Management Center is what needs the update, not the Firepower Threat Defense device. Note that the fix may require updates to a newer supported software version, so you want to leverage between now and March 5th for regression testing.

Lee Neely

If you’re running Cisco Nexus or UCS series switches/appliances or virtual edge services, check the advisories for applicability. The fixes include addressing CVE-2022-20650, which can be remotely exploited and allow command injection. The flaw identified by the NSA is CVE-2022-20624, resulting from insufficient validation of network packets, allowing specially crafted packets to exploit it. While some of the flaws are mitigated by not enabling vulnerable features, such as CFSoIP, it’s best to apply the update to protect future possibilities of you enabling those functions.

Lee Neely

Volume C: How-to Guides make this publication much more useful than the typical NIST Special Publication. Working with private industry, a reference architecture was used to build out real world systems using real world products to develop and implement a candidate security solution. Other volumes provide the usual high level security guidance, and the how-to volume is not a “just build this” solution but definitely brings everything closer to reality.

John Pescatore

With the pandemic, HIPAA restrictions relating to telehealth were loosened. It’s time to make sure that systems implemented to provide remote services to patients are properly secured, with validation. These guides are intended to help with that process. Check services you may have exposed to ease access are only allowing the access intended, monitored, patched/updated and themselves are not pivot points into your other IT systems. Make sure that you have an appropriate agreement with the services, such as a BAA, for protecting that information.

Lee Neely

While becoming more mainstream, crypto is still less regulated with fewer consumer protections than traditional currency. Keep track of your crypto, including the details, reporting losses if stolen. Funds can only be returned if sufficient details are available; in this case the wallet address, savings and trading services it was invested in as well as the law enforcement agency the loss was reported to must match.

Lee Neely

For whatever reason, the IRS initially tried the “let’s throw the frog into a pot of boiling water” approach to moving away from reusable passwords – and the frog leapt out. Login.gov supports 2FA and strong identity proofing at enrollment – the identity frog is in the pot and the temperature can gradually be increased.

John Pescatore

Throwing a frog into a boiling pot, as John says, is too rapid of a change and never effective, particularly with a large user group. In short, look before you leap. Login.gov is engineered for providing accounts for the public to authenticate to US Government systems which include both strong authentication and identity verification. This move should help smooth any rough edges in the current Login.gov account activation process.

Lee Neely

It is, and probably ought to be, difficult to enroll in login.gov or ID.me. I have so far been unsuccessful. The IRS has committed to both facial recognition and an interview as options for people like me.

William Hugh Murray