Multiple Campaigns on the Rise – Destructive Threats
Threat Level Description
Threat Level: Critical – An attack is expected imminently. Maximum protective security measures to meet specific threats and to minimize vulnerability and risk. Critical may also be used if a terrorist attack is expected seeking to destroy, incapacitate, or exploit critical infrastructures in order to threaten national security, cause mass casualties, weaken the economy, and damage public morale and confidence.
We have observed multiple active campaigns targeting organizations in Ukraine, Asia, Africa, Europe and North America with the aim of deploying destructive and/or espionage-related malware. Alongside malware delivery, Denial of Service attacks are also on the rise.
Organizations should have an Incident Response Preparedness Plan and shift to a Cyber-Resilience position, to anticipate, adapt and quickly recover from disruptive threats.
We have observed a rise in active campaigns, APT groups and other threat actors entering the cyber warfare arena and impacting organizations across the globe.
In recent weeks there has been a significant escalation in the number of reported cyberattacks against Ukrainian institutions, organizations and the wider population, using malware such as IsaacWiper and HermeticWizard. That these campaigns target critical infrastructure raises particular concern.
Attacks on infrastructures such as energy, water, healthcare, financial institutions, transport and communication services can have devastating consequences on the civilian population.
Moreover, these cyberattacks sow distrust and limit access to accurate information or spread false information. They can also be highly disruptive and create a sense of fear and uncertainty and even lead to the eventual displacement of people.
Furthermore, there is an increase in Chinese and Iranian government-sponsored threat actors conducting cyber operations against foreign governments and private and commercial networks. Daxin, a highly sophisticated piece of malware used by China-linked threat actors, exhibits a level of technical complexity previously unseen from such actors. It appears to be used in a long-running espionage campaign against selected governments and other critical infrastructure targets, and appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target's network and exfiltrate data without raising suspicion.
Additionally, Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater, are conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations, including telecommunications, defence, local government, oil and natural gas, in Asia, Africa, Europe, and North America.
Destructive malware, ongoing campaigns and APT groups present a direct threat to an organization's daily operations, impacting the availability of critical assets and disrupting business operations. All organizations are strongly advised to be prepared to anticipate, adapt to and quickly recover from disruptive threats, shifting from a purely Cyber-Defensive posture to a Cyber-Resilience position.
Executives and leaders are encouraged to review the advisory, assess their environment for atypical channels for malware delivery and/or propagation through their systems, implement strategies, and ensure appropriate contingency planning and preparation in the event of a cyberattack.
Organizations should have an Incident Response Preparedness Plan and anticipate, adapt and quickly recover from disruptive threats.
The guidelines below will help protect against ransomware and the related destructive threats described above:
* Ensure all systems are patched and upgraded with the latest system versions and security patches in place.
* Back up your data. The single biggest thing that will defeat ransomware and wiper malware is a regularly updated backup that is kept offline or otherwise out of reach of a compromised host, together with a restore procedure that has actually been tested.
* Show file extensions. Disable the Windows “Hide extensions for known file types” option. Ransomware such as CryptoLocker frequently arrives as a file named with a double extension such as “.PDF.EXE”, counting on Windows' default behaviour of hiding known file extensions so that the file appears to be a PDF.
* Filter executable files in email. If your email gateway can filter attachments by extension, deny messages carrying “.exe”, “.scr” or “.bat” files, and deny attachments that have two file extensions where the last one is executable.
* Disable files running from the AppData/LocalAppData folders. Create rules within Windows (for example AppLocker or Software Restriction Policies) or with Host Intrusion Prevention software to disallow a notable behaviour used by ransomware: running its executable from the AppData or LocalAppData folders. Test such rules in audit mode first, since some legitimate software installs into these folders.
* Disable macros in Microsoft Office files. Most people are not aware that Office files are effectively a file system within a file, and that they can carry a powerful scripting language (VBA) able to automate almost any action a full executable could perform. Disabling macros in Office files deactivates this scripting language.
* Do not open email from unknown sources. Be suspicious of emails purporting to be from a financial institution, government department or other agency requesting account information, account verification or banking access credentials such as usernames, passwords, PIN codes and similar information. Opening file attachments or clicking web links in suspicious emails could expose your system to malicious code that could hijack your computer.
* Never respond to a suspicious email or click on any hyperlink embedded in a suspicious email. Call the purported source if you are unsure who sent an email.
* If an email claiming to be from your financial organization seems suspicious, verify it with the organization through a contact channel you already know, not through details given in the email.
* Keep your antivirus up to date and use real time protection.
* It is also recommended to implement a Security Awareness program, addressed to all your management and staff, designed to increase the level of understanding regarding Social Engineering and security threats in general.
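The Windows-side items above (showing file extensions, blocking execution from AppData, disabling Office macros) and the double-extension attachment rule can be applied with the following PowerShell script. It is an added example and not part of the original advisory: the registry paths are the documented Explorer and Office policy locations, the AppLocker rule is merged in audit mode first and ships with the default allow rules so that an enforced collection does not block everything else, and the function names, the Office version 16.0 and the executable-extension list are this example's own assumptions.

```powershell
<#
  Added example, not part of the original advisory.
  Applies the Windows items from the list above on a single host and
  implements the double-extension attachment check as a reusable function.
  Assumptions: Windows 10/11, run from an elevated PowerShell session;
  AppLocker enforcement needs the Application Identity service (AppIDSvc)
  and an Enterprise/Education edition. Function names, the Office version
  and the extension list are this example's own choices.
#>

# 1. Show extensions for known file types, so "invoice.pdf.exe" is visible as such.
function Set-ShowFileExtensions {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    if ($PSCmdlet.ShouldProcess($key, 'Set HideFileExt = 0')) {
        Set-ItemProperty -Path $key -Name 'HideFileExt' -Value 0 -Type DWord
    }
}

# 2. Disable macros without notification and block macros in files marked as
#    downloaded from the internet. HKCU\Software\Policies applies to the
#    current user; use HKLM or a GPO for a machine-wide setting.
function Disable-OfficeMacros {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$OfficeVersion = '16.0')   # 16.0 = Office 2016/2019/2021/365 (assumed)
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if ($PSCmdlet.ShouldProcess($key, 'VBAWarnings=4, BlockContentExecutionFromInternet=1')) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord   # 4 = disable all, no prompt
            Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
        }
    }
}

# 3. AppLocker: deny executables under any user's AppData while keeping the
#    default allow rules (Program Files, Windows, Administrators); deny rules
#    take precedence over allow rules. Start in AuditOnly and review the
#    "AppLocker/EXE and DLL" event log for legitimate software that lives in
#    AppData (Teams, OneDrive, updaters) before switching to Enabled.
function Set-AppDataExecutionBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly')
    $id = 1..4 | ForEach-Object { [guid]::NewGuid().ToString() }
    $policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
    <FilePathRule Id="$($id[0])" Name="Deny EXE from user AppData" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($id[1])" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($id[2])" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($id[3])" Name="Allow Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
    $xmlPath = Join-Path $env:TEMP 'appdata-deny.xml'
    Set-Content -Path $xmlPath -Value $policy -Encoding UTF8
    if ($PSCmdlet.ShouldProcess('local AppLocker policy', "merge AppData deny rule ($Mode)")) {
        sc.exe config appidsvc start= auto | Out-Null   # Set-Service is refused for this protected service
        Start-Service -Name AppIDSvc
        Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
    }
}

# 4. Mail-gateway style check: an inner extension followed by an executable one.
function Test-DoubleExtension {
    param([Parameter(Mandatory)][string]$FileName)
    $exec = 'exe|scr|bat|cmd|com|pif|js|jse|vbs|vbe|wsf|hta|ps1|lnk'
    return [bool]($FileName -match "\.[A-Za-z0-9]{1,5}\.($exec)$")
}

Set-ShowFileExtensions
Disable-OfficeMacros
Set-AppDataExecutionBlock -Mode AuditOnly
# Constructed sample attachment names: only the first and third should be flagged.
foreach ($name in 'invoice.pdf.exe', 'quarterly.xlsx', 'photo.jpg.scr', 'setup.exe') {
    '{0,-20} double-extension={1}' -f $name, (Test-DoubleExtension $name)
}
```

Run the script once with `-WhatIf` on each function (for example `Set-AppDataExecutionBlock -WhatIf`) to see the registry keys and policy it would change, leave the AppLocker collection in audit mode until the audit events show no legitimate software being caught, and then rerun `Set-AppDataExecutionBlock -Mode Enabled`. The deny rule alone is deliberately not shipped without the allow rules: an enforced AppLocker collection blocks anything that is not explicitly allowed.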
Finally, if a system is compromised it should be isolated from the network immediately. Where possible, isolate it rather than powering it off, so that volatile evidence (memory, running processes, active network connections) can still be captured for the incident response investigation.