The Cybersecurity and Infrastructure Security Agency (CISA) warns US organizations to strengthen their cyber security posture in relation to potential data wiping attacks, which have recently been observed targeting Ukrainian government agencies and businesses.
Late last week, Ukrainian government agencies and corporate groups contended with coordinated cyber attacks involving website defacement and data-wiping malware. As a result, certain Windows devices became inoperable.
Sources informed cyber security journalists that attackers may have leveraged the CVE-2021-32648 vulnerability in conducting their virtual raids. The Ukraine Cyber Police are working on a new investigation into the use of Log4j vulnerabilities and stolen credentials as a secondary avenue of network and server access.
Initially, the website defacements and data-wiping malware incidents appeared as separate attacks. However, Ukraine has since issued a press release stating that entities were hit by both threats simultaneously, strongly suggesting attack coordination.
Some security experts attribute the attacks to Ghostwriter, a state-sponsored cyber criminal group with links to Belarus.
How US organizations can prepare
CISA advocates for business leaders and US-based organizations to proactively take the following steps in order to reduce the probability of similar attacks hitting networks.
- Ensure that all remote access to your organization’s network and privileged or administrative access require multi-factor authentication.
- Prioritize updates that address known exploited vulnerabilities.
- Disable ports and protocols that are not critical for business functionality.
- For organizations that rely on cloud services, ensure that IT personnel have reviewed and implemented strong controls.
- Register for CISA’s freely available cyber hygiene services, which includes vulnerability scanning, and can help minimize exposure to threats.
Top ways to detect intruders
- Inform IT personnel and security staff that they should focus on identifying and assessing unexpected or unusual network behavior, and request for staff to enable logging, which can allow easier event investigation.
- Check to make sure that your entire network is protected by cyber security software and that signatures within relevant tools are appropriately updated.
- US-based organizations that partner with Ukrainian organizations may wish to take extra care in monitoring, inspecting and isolating traffic from these groups. Plan on a close review of access controls for related traffic.
- Develop a crisis-response team with clearly delineated roles and points of contact.
- Ensure the availability of key personnel who can potentially provide critical support in the event of a cyber incident.
- Launch a tabletop exercise to ensure that all staff are ready to contend with a cyber attack.
Additional resilience measures
CISA also suggests that organizations review and test backup procedures pertaining to the storage and restoration of critical data. Data backups should be isolated from network connections.
In addition, if reliant on industrial control systems or operational technology, organizations may wish to conduct a test of manual controls. This will help ensure that critical systems remain operable in the event of a network disruption.