By now, affected organizations would have already mitigated the effects, but here are more tips for avoiding similar future scenarios.
During the week of December 13th, US government offices disclosed that they had been targeted by a series of large-scale cyberattacks, allegedly linked to state-sponsored threat organizations.
Hackers, by leveraging the common IT practice of keeping software constantly updated, used a backdoor to compromise networks with unprecedented ease.
Researchers, who have named the hack Sunburst, say it could take years to fully comprehend the severity of this large-scale cyberattack. It could take months for security professionals in the affected organizations to discover which emails were read, what documents were stolen and which passwords are compromised because of the hack.
Five steps to future Gen V vigilance
As a first step, affected organizations should have already reset the passwords of local SolarWinds users and followed all post-disclosure updates released from SolarWinds.
Tip #1: One last check, just in case
Relevant Snort/YARA rules have been published for the attack. According to cybersecurity firm Check Point, to check whether a SolarWinds server has been compromised, follow these steps.
- Download the yara binary file “yara-v4.0.2-1347-win64.zip” from here: https://github.com/virustotal/yara/releases/tag/v4.0.2
- Compile the all-yara.yar rule file from here: https://raw.githubusercontent.com/fireeye/sunburst_countermeasures/main/all-yara.yar
- Then, on the SolarWinds server, run the yara binary (e.g., yara64.exe) with the compiled rule file against the SolarWinds.Orion.Core.BusinessLayer.dll file under the SolarWinds install directory, using the following syntax:
yara64.exe -C [/path_to_yara_rule/SW_yara.yar] [path_to_SW_DLL/SolarWinds.Orion.Core.BusinessLayer.dll]
- If no matches or errors are returned, the server is clean.
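To run the Tip #1 check unattended on a Windows host, here is an added PowerShell script (not from the article or from Check Point). It assumes yara64.exe and yarac64.exe from the v4.0.2 win64 zip were extracted to C:\Tools\yara, that all-yara.yar was saved beside them, and that Orion is in its default install path; all three locations are parameters.

```powershell
# Added example, not part of the article: automates the Tip #1 YARA scan.
# Assumptions: yara64.exe/yarac64.exe in $YaraDir, all-yara.yar at $RuleSource,
# SolarWinds Orion installed under $OrionDir. Adjust for your host.
param(
    [string]$YaraDir    = 'C:\Tools\yara',
    [string]$RuleSource = 'C:\Tools\yara\all-yara.yar',
    [string]$OrionDir   = 'C:\Program Files (x86)\SolarWinds\Orion'
)

$yara          = Join-Path $YaraDir 'yara64.exe'
$yarac         = Join-Path $YaraDir 'yarac64.exe'
$compiledRules = Join-Path $YaraDir 'SW_yara.yar'   # compiled rule set, read back with -C

foreach ($prereq in @($yara, $yarac, $RuleSource)) {
    if (-not (Test-Path $prereq)) { throw "Missing prerequisite: $prereq" }
}

# Step 2 of the article: compile the FireEye rule set once with yarac.
& $yarac $RuleSource $compiledRules
if ($LASTEXITCODE -ne 0) { throw "yarac failed to compile $RuleSource" }

# Step 3: locate every copy of the DLL under the install directory.
$dlls = Get-ChildItem -Path $OrionDir -Recurse -Filter 'SolarWinds.Orion.Core.BusinessLayer.dll' -ErrorAction SilentlyContinue
if (-not $dlls) { throw "SolarWinds.Orion.Core.BusinessLayer.dll not found under $OrionDir" }

$compromised = $false
foreach ($dll in $dlls) {
    # yara64 prints one "<rule name> <file>" line per match and nothing when clean.
    # A non-zero exit code means the scan itself failed; that is not a clean result.
    $scanOutput = & $yara -C $compiledRules $dll.FullName 2>$null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Scan failed for $($dll.FullName) (exit code $LASTEXITCODE)"
        continue
    }
    if ($scanOutput) {
        $compromised = $true
        Write-Host "MATCH  $($dll.FullName)"
        $scanOutput | ForEach-Object { Write-Host "       rule: $($_.ToString().Split(' ')[0])" }
    } else {
        Write-Host "clean  $($dll.FullName)"
    }
}

# A clean result covers only this DLL, so keep following the post-disclosure steps.
if ($compromised) { exit 1 } else { exit 0 }
```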
Tip #2: Stay protected with a free security check up
Check Point is offering a free, extensive security checkup for corporations. Their experts will analyze the network and collect comprehensive data on active threats across the complete environment, including networks, endpoints and mobile devices. Specifically, they will determine whether your organization was infected by the Sunburst attack, and will create a plan to ensure you are protected from any future Gen V cyberattack.
Tip #3: The ‘new normal’ now means Gen V Cyberattacks
Threat actors have become highly sophisticated. The latest generation of cyberattacks is a completely different ball game, as sophisticated cyberattacks are surging not only in volume but also in impact, complexity and speed. Hackers are constantly evolving their technology and techniques to creatively deliver malware. The pandemic will disappear, but its cyberattack fallout will not. This has now become a reality.
Tip #4: Ransomware spikes to be wary of
Organizations worldwide are experiencing a massive spike in ransomware attacks. In Q3 2020, Check Point detected a 50% increase in the daily average of ransomware attacks, compared to the first half of the year.
While some reported attacks were carried out by known ransomware strains such as REvil and Ryuk, several large corporations experienced full-blown attacks using a previously unknown variant, Pay2Key.
Pay2Key spreads rapidly across victims’ networks, leaving significant parts of the network encrypted with a ransom note that threatens to leak stolen corporate data unless the ransom is paid.
Ryuk, the infamous ransomware, also targeted hospitals in what was seen as a wave of targeted attacks against the healthcare industry. CISA, the FBI, and HHS issued a warning about ransomware attacks on US hospitals, stating that they had credible information about an increased and imminent cybercrime threat. October saw a 71% increase in ransomware attacks against the healthcare sector in the US. Ransomware attacks also increased by 33% in APAC and 36% in EMEA.
Tip #5: Prevent the next cyber-pandemic with these measures
- Real-time prevention: Vaccination is far better than cure. The same applies to your cybersecurity. Real-time prevention places your organization in a better position to defend against the next cyber-pandemic. Organizations that stress the prevention of unknown, zero-day threats can win the cybersecurity battle.
- Secure your everything: Every part in the chain matters. This requires that you revisit and check the security level and relevance of your network’s infrastructure, processes, compliance of connected mobile and endpoint devices, and IoT infrastructure. The increased use of cloud computing requires an increased level of security, especially in technologies that secure workloads, containers, and serverless applications on multi- and hybrid-cloud environments.
- Consolidation and visibility: The highest level of visibility, reached through consolidation, will give you the security effectiveness needed to prevent sophisticated cyberattacks. Unified management and risk visibility round out your security architecture. This can be achieved by reducing your point-product solutions and vendors, which also lowers your overall costs.
- Keep your threat intelligence up to date: Threat intelligence combines information from multiple sources, providing a more effective protection screen for your network. To maintain business operations, you need comprehensive intelligence to proactively stop threats, managed security services to monitor your network, and incident response to quickly respond to and resolve attacks.