CISA Advisory Cautions MSPs: Beware More Ransomware Attacks
Nearly every sector of U.S. critical infrastructure was hit by a ransomware attack in 2021, including the defense industrial base, emergency services, food and agriculture, government agencies and information technology organizations. In total, 14 of the 16 sectors absorbed cyber hijacking incidents last year.
“Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally,” a recently released alert issued by the Cybersecurity and Infrastructure Security Agency (CISA) said.
U.S. law enforcement and cybersecurity agencies, namely the Federal Bureau of Investigation (FBI), CISA and the National Security Agency (NSA), have had enough of it. In a collective effort with the Australian Cyber Security Centre and the U.K.’s National Cyber Security Centre, the three nations have issued a lengthy cybersecurity advisory entitled 2021 Trends Show Increased Globalized Threat of Ransomware. The U.S., Australia and the U.K. are part of the Five Eyes, an intelligence sharing alliance that dates to 1941 and also includes Canada and New Zealand.
Ransomware Attacks Continue to Target MSPs
The authors specifically cautioned organizations to beware of ransomware threat actors targeting managed service providers (MSPs). By exploiting the trusted access MSPs have into client organizations, a ransomware threat actor could hijack multiple victims through one initial takeover. The most telling example is the SolarWinds cyber attack that hit in December 2020 and reverberated well into 2021. Expect more ransomware incidents where threat actors target MSPs to reach their clients, the advisory said.
Of additional note, cybersecurity officials in the U.S., Australia, and the U.K. are particularly worried that if the services-for-hire ransomware business model (ransomware-as-a-service) continues to yield financial returns for threat actors, cyber extortions will increase noticeably.
The advisory itself includes a trend analysis, hackers’ favored exploits and timing, suggested mitigation and recommendations. In sum, the security arms of all three countries have compiled a list of 28 analyses and interventions to slow down a ransomware assault. Here’s what’s in their briefcase:
- Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize exposure.
- Limit access to resources over internal networks, especially by restricting remote desktop protocol (RDP) and using virtual desktop infrastructure.
- Implement a user training program and phishing exercises to raise awareness about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments.
- Require MFA for as many services as possible, particularly for web mail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
- Require all accounts with password logins to have strong, unique passwords.
- If using Linux, use a Linux security module, such as SELinux, AppArmor, or SecComp, for defense in depth.
- Protect cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud. If using cloud-based key management for encryption, ensure that storage and key administration roles are separated.
- Segment networks. Network segmentation can help prevent ransomware spread by controlling traffic flows between and access to various sub-networks and by restricting lateral movement.
- Implement end-to-end encryption. Deploying mutual Transport Layer Security can prevent eavesdropping on communications.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network-monitoring tool.
- Document external remote connections. Organizations should document approved solutions for remote management and maintenance.
- Implement time-based access for privileged accounts. A just-in-time access method provisions privileged access when needed.
- Enforce the principle of least privilege through authorization policies. Minimize unnecessary privileges for identities.
- Reduce credential exposure. Accounts and their credentials present on hosts can enable further compromise of a network.
- Disable unneeded command-line utilities.
- Maintain offline backups of data, and regularly test backup and restoration.
- Ensure all backup data is encrypted, cannot be altered or deleted and covers the organization’s entire data infrastructure.
- Collect telemetry from cloud environments. Ensure that telemetry from cloud environments, including network telemetry, identity telemetry and application telemetry, is retained.