July 6, 2022
In the wake of the Russian attack on Ukraine, there are now highly destructive malware strains out in the world that threaten U.S. organizations.
In light of this, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently issued a joint Cybersecurity Advisory, providing an overview of the malware strains in question, as well as guidance on how organizations can detect and protect their networks.
Protect yourself from destructive malware.
Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. Organizations should increase vigilance and evaluate their capabilities, encompassing planning, preparation, detection, and response, for such an event. CISA recommends some immediate actions that businesses can take right now to strengthen their cyber posture.
- Enable multi-factor authentication (MFA).
- Set antivirus and antimalware programs to conduct regular scans.
- Enable strong spam filters to prevent phishing emails from reaching end users.
- Update software.
- Filter network traffic.
What should you do if you’ve been attacked?
CISA recommends that victims of destructive malware attacks immediately focus on containment to reduce the scope of affected systems. Strategies for containment include:
- Determining a vector common to all systems experiencing anomalous behavior (or having been rendered unavailable) — from which a malicious payload could have been delivered:
  - Centralized enterprise application,
  - Centralized file share (for which the identified systems were mapped or had access),
  - Privileged user account common to the identified systems,
  - Network segment or boundary, and
  - Common Domain Name System (DNS) server for name resolution.
- Based upon the determination of a likely distribution vector, additional mitigation controls can be enforced to further minimize impact:
  - Implement network-based ACLs to deny the identified application(s) the capability to directly communicate with additional systems,
    - Provides an immediate capability to isolate and sandbox specific systems or resources.
  - Implement null network routes for specific IP addresses (or IP ranges) from which the payload may be distributed,
    - An organization’s internal DNS can also be leveraged for this task, as a null pointer record could be added within a DNS zone for an identified server or application.
  - Readily disable access for suspected user or service account(s),
  - For suspect file shares (which may be hosting the infection vector), remove access or disable the share path from being accessed by additional systems, and
  - Be prepared to, if necessary, reset all passwords and tickets within directories (e.g., changing golden/silver tickets).
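The two containment steps above (find the vector common to every affected system, then map it to a control) are easy to describe and easy to get wrong under pressure, so here is an added example of how a responder might script the triage. This is illustrative code written for this post, not CISA's or Rimstorm's tooling: the inventory, share paths, account names and addresses are constructed, the attribute names (`apps`, `shares`, `accounts`, `segment`, `dns`) are assumptions, and the output is a review list of (control, target) pairs rather than commands run against live systems. It goes one step beyond the advisory by also dropping candidates that unaffected hosts share, since a DNS server used by every machine in the estate cannot explain why only three hosts were hit.

```python
"""Containment triage helper (added example, not CISA's or Rimstorm's code).

Given the hosts showing anomalous behaviour and an inventory of what each host
touches, find the attributes shared by every affected host (the candidate
distribution vectors) and translate them into the containment controls listed
in the advisory. All hosts, shares, accounts and addresses are constructed.
"""

# Constructed inventory: host -> what it uses. Attribute names are assumptions.
INVENTORY = {
    "ws-01": {"apps": {"erp-portal", "mail"}, "shares": {r"\\fs1\public", r"\\fs1\hr"},
              "accounts": {"svc-deploy", "admin-jane"}, "segment": "10.1.0.0/24", "dns": "10.0.0.53"},
    "ws-03": {"apps": {"erp-portal"}, "shares": {r"\\fs1\public"},
              "accounts": {"svc-deploy"}, "segment": "10.1.0.0/24", "dns": "10.0.0.53"},
    "ws-07": {"apps": {"erp-portal", "crm"}, "shares": {r"\\fs1\public", r"\\fs2\eng"},
              "accounts": {"svc-deploy", "admin-bob"}, "segment": "10.2.0.0/24", "dns": "10.0.0.53"},
    "ws-09": {"apps": {"crm"}, "shares": {r"\\fs2\eng"},
              "accounts": {"admin-bob"}, "segment": "10.2.0.0/24", "dns": "10.0.0.53"},
}

# Constructed mapping from application name to the server address(es) behind it.
APP_SERVERS = {"erp-portal": ["10.0.5.10"], "crm": ["10.0.5.20"], "mail": ["10.0.5.30"]}

SET_ATTRS = ("apps", "shares", "accounts")   # a host can use several of each
SCALAR_ATTRS = ("segment", "dns")            # exactly one value per host


def common_vectors(inventory, affected):
    """Attributes shared by every affected host, one sorted list per class."""
    common = {}
    for cls in SET_ATTRS:
        sets = [set(inventory[h][cls]) for h in affected]
        common[cls] = sorted(set.intersection(*sets))
    for cls in SCALAR_ATTRS:
        values = {inventory[h][cls] for h in affected}
        common[cls] = sorted(values) if len(values) == 1 else []
    return common


def distinguishing_vectors(inventory, affected):
    """Drop candidates that unaffected hosts also use: something the whole
    estate shares (here the DNS server) does not explain why only these hosts
    were hit, so it should not be the first thing you cut."""
    seen_elsewhere = {cls: set() for cls in SET_ATTRS + SCALAR_ATTRS}
    for h in inventory:
        if h in affected:
            continue
        for cls in SET_ATTRS:
            seen_elsewhere[cls] |= set(inventory[h][cls])
        for cls in SCALAR_ATTRS:
            seen_elsewhere[cls].add(inventory[h][cls])
    return {cls: [v for v in vals if v not in seen_elsewhere[cls]]
            for cls, vals in common_vectors(inventory, affected).items()}


def containment_plan(vectors, app_servers):
    """Map each identified vector to the controls the advisory lists.
    Returns (control, target) pairs for a human to review; nothing here
    touches a live system."""
    plan = []
    for app in vectors["apps"]:
        for ip in app_servers.get(app, []):
            plan.append(("acl-deny", ip))        # network ACL: app server may not reach other systems
            plan.append(("null-route", ip))      # drop traffic to the distribution point
        plan.append(("dns-null-record", app))    # null pointer record for the app in internal DNS
    for share in vectors["shares"]:
        plan.append(("disable-share", share))    # stop further hosts reaching the suspect share
    for account in vectors["accounts"]:
        plan.append(("disable-account", account))
    for segment in vectors["segment"]:
        plan.append(("isolate-segment", segment))
    for dns in vectors["dns"]:
        plan.append(("review-dns-server", dns))
    # The advisory's last item: be ready to reset directory passwords and tickets.
    plan.append(("prepare-credential-reset", "directory passwords and Kerberos tickets"))
    return plan


if __name__ == "__main__":
    affected = ["ws-01", "ws-03", "ws-07"]
    for control, target in containment_plan(distinguishing_vectors(INVENTORY, affected), APP_SERVERS):
        print(f"{control:25} {target}")
```

With the constructed data, `erp-portal`, the `\\fs1\public` share and the `svc-deploy` account survive as distinguishing vectors, the DNS server is filtered out because `ws-09` uses it too, and the network segment is discarded because the affected hosts sit in two different ones. The plan is deliberately a review list: the order in which you apply ACL denies, null routes and account disables depends on what each control will break, which is a judgement call the script should not make for you.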
As related to incident response and incident handling, organizations are encouraged to report incidents to the FBI and CISA and to preserve forensic data for use in internal investigation of the incident or for possible law enforcement purposes. See Technical Approaches to Uncovering and Remediating Malicious Activity for more information.
Additional Resources from CISA
CISA has updated the Shields Up webpage to include new services and resources, recommendations for corporate leaders and chief executive officers, and actions to protect critical assets. Additionally, CISA has created a new Shields Up Technical Guidance webpage that details other malicious cyber activity affecting Ukraine. The webpage includes technical resources from partners to assist organizations against these threats. We recommend you give them a read, and if you have questions, please contact us. Our team of certified professionals can give you a free consultation and a complete cybersecurity audit.
Recent events have shown that organizations continue to face an ever-growing landscape of security threats that are becoming more targeted and malicious in nature. It is important for any organization to have visibility into how their systems are being used and by whom. Granular visibility of network activity is essential to protect against a catastrophic event such as a security breach, system outage, high-risk event, or compliance violation that results from unintentional or unauthorized changes to these systems.
Unfortunately, most organizations don’t have the tools, time, or staff expertise to deal with the evolving threat landscape and increased sophistication of attack techniques. By partnering with Rimstorm, organizations can leverage best practices to improve their network security while reducing staffing requirements and ultimately lowering costs.