Rewterz Threat Alert – Hive Ransomware – Active IOCs
September 14, 2022Rewterz Threat Alert – DanaBot Trojan – Active IOCs
September 15, 2022Rewterz Threat Alert – Hive Ransomware – Active IOCs
September 14, 2022Rewterz Threat Alert – DanaBot Trojan – Active IOCs
September 15, 2022Severity
High
Analysis Summary
A massive cyber attack attacked Montenegro, which officials suspect was orchestrated by pro-Russian hackers and Moscow’s security agencies. The attack compelled the government to disconnect its computers from the Internet.
The coordinated attack, which began around August 20, disrupted the government’s online information systems and put Montenegro’s vital infrastructure, such as its banking, water, and electricity systems, in grave danger. According to the National Security Agency, Montenegro is under a hybrid war at the moment.
Russia has a compelling reason to carry out such an attack since Montenegro, which it long considered a close ally, joined NATO in 2017 over Kremlin opposition.
It has also joined Western sanctions on Moscow in response to the Ukraine invasion, prompting Moscow to label Montenegro a “enemy state,” along with many other countries that have joined the embargo.
The cyber attack was carried out by “coordinated Russian services,” according to the ANB or Agency for National Security. “This type of attack was carried out for the first time in Montenegro, and it had been planned for quite some time.”
On the other hand, a cybercriminal extortion gang has taken credit for at least some part of the attack; a Cuba ransomware variant compromised the systems at a parliamentary office.
“For nearly 20 days, we have been faced with major issues relating to the cyber attack, and the whole state system, the system of state administration, and the system of citizen services have been operating at a rather restrictive level,” Konjevic told The Associated Press.
He said that specialists from many nations are working to restore the computer system used by the Montenegrin government and identify the perpetrators of the attack.
Montenegro split away from larger Serbia in 2006 and is currently governed by an interim government that has lost parliamentary support as a result of Prime Minister Dritan Abazovic’s shady deals with the powerful Serbian Orthodox Church without the consent of the entire coalition that supported the government.
Impact
- Systems & Service Disruptions
Remediation
- Maintain cyber hygiene by updating your anti-virus software and implement patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open ” links and attachments received from unknown sources/senders.
- Block all threat indicators at your respective controls.
- Search for Indicator of compromise (IOCs) in your environment utilizing your respective security controls
- Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
- Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
- WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
- Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
- 2FA – Enable two-factor authentication.
- Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using a multi-layered protection is necessary to secure vulnerable assets