Concerned About Russia/Ukraine Spillover, CISA Urges Businesses to Take Precautions

In our previous post, we shared the joint advisory issued from the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Today we’re delving into the key sections of the advisory that CISA outlines specifically to mitigate cybersecurity threats from WhisperGate and HermeticWiper caused by spillover. Here are a few items from the list that require special attention.

Distribution Vectors

Destructive malware may use popular communication tools to spread, including worms sent through email and instant messages, Trojan horses dropped from websites, and virus-infected files downloaded from peer-to-peer connections. Malware seeks to exploit existing vulnerabilities on systems for quiet and easy access.

The malware has the capability to target a large scope of systems and can execute across multiple systems throughout a network. As a result, it is important for organizations to assess their environment for atypical channels for malware delivery and/or propagation throughout their systems. Systems to assess include:

  • Enterprise applications – particularly those that have the capability to directly interface with and impact multiple hosts and endpoints. Common examples include:
    • Patch management systems
    • Asset management systems
    • Remote assistance software (typically used by the corporate help desk)
    • Antivirus (AV) software
    • Systems assigned to system and network administrative personnel
    • Centralized backup servers
    • Centralized file shares

Although this risk is not limited to malware, threat actors could also compromise additional resources to impact the availability of critical data and applications. Common examples include:

  • Centralized storage devices
    • Potential risk – direct access to partitions and data warehouses
  • Network devices
    • Potential risk – capability to inject false routes into the routing table, delete specific routes from the routing table, remove or modify configuration attributes, or destroy firmware or system binaries, any of which could isolate or degrade the availability of critical network resources

Best Practices and Planning Strategies

It’s important to note that this list does not contain the full set of recommendations outlined by CISA. We’ve highlighted some of the more general practices all businesses should be adhering to, dealing exclusively with access control and monitoring.

Access Control

  • For enterprise systems that can directly interface with multiple endpoints:
    • Require multi-factor authentication for interactive logons.
    • Ensure authorized users are mapped to a specific subset of enterprise personnel.
      • If possible, the “Everyone,” “Domain Users,” or the “Authenticated Users” groups should not be permitted the capability to directly access or authenticate to these systems.
    • Ensure unique domain accounts are used and documented for each enterprise application service.
      • Context of permissions assigned to these accounts should be fully documented and configured based upon the concept of least privilege.
      • This provides an enterprise with the capability to track and monitor specific actions correlating to an application’s assigned service account.
    • If possible, do not grant a service account local or interactive logon permissions.
      • Service accounts should be explicitly denied permissions to access network shares and critical data locations.
    • Accounts that are used to authenticate to centralized enterprise application servers or devices should not contain elevated permissions on downstream systems and resources throughout the enterprise.
  • Continuously review centralized file share ACLs and assigned permissions.
    • Restrict Write/Modify/Full Control permissions when possible.

Monitoring

  • Audit and review security logs for anomalous references to enterprise-level administrative (privileged) and service accounts.
    • Failed logon attempts
    • File share access
    • Interactive logons via a remote session
  • Review network flow data for signs of anomalous activity, including:
    • Connections using ports that do not correlate to the standard communications flow associated with an application
    • Activity correlating to port scanning or enumeration
    • Repeated connections using ports that can be used for command and control purposes
  • Ensure network devices log and audit all configuration changes.
    • Continually review network device configurations and rule sets to ensure communication flows are restricted to the authorized subset of rules.
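The service-account restrictions above (no interactive logons, no network share access) and the log-review items in this section can be checked together. The following is an added example, not part of the CISA advisory or V2 Systems tooling: it runs three simple rules over constructed Windows Security events (4624 successful logon, 4625 failed logon, 5140 network share accessed). The `svc_` and `adm_` naming prefixes and the failure threshold are assumptions for the example.

```python
from collections import Counter

# Constructed sample Windows Security events (not real logs), already parsed
# into dicts: id = Event ID, lt = logon type, share = share name for 5140.
SAMPLE_EVENTS = [
    {"id": 4624, "account": "svc_backup", "lt": 5, "src": "10.0.5.17"},    # type 5 = Service: expected
    {"id": 4624, "account": "svc_backup", "lt": 10, "src": "10.0.9.42"},   # type 10 = RemoteInteractive: not expected
    {"id": 5140, "account": "svc_patchmgr", "share": "\\\\FS01\\Finance", "src": "10.0.9.42"},
    {"id": 4625, "account": "adm_jdoe", "lt": 3, "src": "10.0.9.42"},
    {"id": 4625, "account": "adm_jdoe", "lt": 3, "src": "10.0.9.42"},
    {"id": 4625, "account": "adm_jdoe", "lt": 3, "src": "10.0.9.42"},
    {"id": 4624, "account": "jsmith", "lt": 2, "src": "10.0.3.8"},         # ordinary user: out of scope
    {"id": 4625, "account": "jsmith", "lt": 2, "src": "10.0.3.8"},         # ordinary user: out of scope
]

# Logon types that imply a console or remote desktop session rather than a service start.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # Interactive, RemoteInteractive, CachedInteractive
FAILED_LOGON_THRESHOLD = 3              # assumed threshold for the example

def is_service(account):     # assumed naming convention for service accounts
    return account.startswith("svc_")

def is_privileged(account):  # assumed naming convention for admin accounts
    return account.startswith("adm_")

def audit_events(events, threshold=FAILED_LOGON_THRESHOLD):
    """Return (rule, account, detail) findings for privileged and service accounts."""
    findings = []
    failures = Counter()
    for ev in events:
        acct = ev["account"]
        if ev["id"] == 4624 and is_service(acct) and ev["lt"] in INTERACTIVE_LOGON_TYPES:
            findings.append(("service-interactive-logon", acct, f"type {ev['lt']} from {ev['src']}"))
        elif ev["id"] == 5140 and is_service(acct):
            findings.append(("service-share-access", acct, f"{ev['share']} from {ev['src']}"))
        elif ev["id"] == 4625 and (is_service(acct) or is_privileged(acct)):
            failures[acct] += 1
    # Repeated failures against an administrative or service account are reported once, with the count.
    for acct, count in failures.items():
        if count >= threshold:
            findings.append(("failed-logons", acct, f"{count} failures"))
    return findings

if __name__ == "__main__":
    for rule, acct, detail in audit_events(SAMPLE_EVENTS):
        print(f"{rule:26} {acct:14} {detail}")
```

In practice the event dicts would be built from exported Security log records, and the threshold and naming rules replaced with the organization's own account inventory.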

For assistance in implementing these strategies, contact us today. Our team of experts will monitor your systems 24/7.

Since 1995, Manassas Park, VA-based V2 Systems has employed local systems administrators, network engineers, security consultants, help desk technicians and partnering companies to meet a wide range of clients’ IT needs, from research, to implementation, to maintenance. Concentrate on your VISION…We’ll handle the TECHNOLOGY!