The CISA and FBI have put out an advisory on Zeppelin ransomware that is very much reading. The advisory goes into great detail about how the ransomware works and includes some threat mitigation strategies.
Dr Darren Williams, CEO and Founder of BlackFog has this comment to share:
“Zeppelin ransomware, a fairly well-known malware strain has been in known use since 2019, often to target a wide range of businesses and critical infrastructure organizations. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.
Zeppelin’s unique attack path is such that the FBI have observed the attackers executing the malware multiple times in the network, leaving a great big sting on the victim, who needs multiple unique decryption keys to combat the attack.
Attacks on hybrid working companies are nothing new, however it is crucial that employees remember they play a part in protecting themselves and the employer, too.
Attacks from vectors such as Zeppelin often start with a simple phishing email – employers must ensure they educate and remind their employees on cyber security best practices, to minimize attack risk. Standard, good cyber hygiene practice is essential here: remembering to regularly change passwords and use MFA as a basic practice. That said, if a threat actor wants to find their way in, they will! What matters is the data they were able to obtain and leave with…
Most cybercriminal gangs aim for extortion – organizations should also consider anti-data exfiltration to block the attacker and prevent data from being exfiltrated.”
I strongly suggest that you read this advisory because if the FBI and the CSI put out an advisory on this, you need to take it seriously.
CISA to begin scanning for vulnerabilities
Posted in Commentary with tags CISA on March 17, 2023 by itnerdOn Monday, CISA announced that under its new Ransomware Vulnerability Warning Pilot (RVWP) program it has started scanning critical infrastructure entities’ networks for vulnerabilities to warn and help entities fix the flaws ahead of the bad actors.
As part of RVWP, CISA leverages existing authorities and technology to proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks. Once CISA identifies these affected systems, our regional cybersecurity personnel notify system owners of their security vulnerabilities, thus enabling timely mitigation before damaging intrusions occur.
CISA accomplishes this work by leveraging its existing services, data sources, technologies, and authorities, including CISA’s Cyber Hygiene Vulnerability Scanning service and the Administrative Subpoena Authority granted to CISA under Section 2209 of the Homeland Security Act of 2002.
Naveen Sunkavalley, Chief Architect at Horizon3.ai had this to say:
“CISA’s new program is a necessary and definite step in the right direction to protect critical infrastructure. Many N-day vulnerabilities are now being exploited by threat actors within days of being disclosed. Time is of the essence. The faster organizations are notified of critical vulnerabilities, the faster they can react to avoid compromise.
“CISA’s program is not a panacea though. Many vulnerabilities are exploited as zero days, and there is often a delay of at least a few days between the time a new vulnerability is disclosed and when CISA adds that vulnerability to its Known Exploited Vulnerabilities catalog. Understanding which vulnerabilities are likely to be exploited and notifying prior to any known exploitation would be valuable.
“Moreover, exploiting vulnerabilities isn’t the only method ransomware actors have at their disposal. Phishing attacks and leaked credentials are used just as often (for instance with the Colonial Pipeline attack). Organizations need to operate under the mindset that a breach will eventually happen, and critically evaluate their attack surface, both external and internal, against a wide spectrum of possible attacks.”
Dave Ratner, CEO of HYAS follows up with this:
“We continue to see increasing attacks on all aspects of critical infrastructure and believe that increased visibility and observability into what is happening in real-time inside the environment is critical to rapid identification of these attacks and shutting them down before they expand into major incidents.
“Attackers continue to find new and innovative ways to circumvent the perimeter and breach both IT and OT networks; however, given that the malware then needs to beacon out for instructions, visibility into outgoing communication – which domains and what infrastructure is being communicated with and how often — can identify anomalous and nefarious activity inside the network and provide a key layer of protection, if not the “last line of defense”, for all aspects of critical infrastructure.”
This is a good step in terms of fighting threat actors. But it is only a step. This has to be combined with the hard work of those responsible for defending networks against threat actors along with spending money on the tools to effectively fight threat actors. Otherwise the CISA’s work will mean nothing.
Leave a comment »