Severity
High
Analysis Summary
Cybercrime poses a significant threat throughout the year, and its impact is particularly heightened during the holiday season. As the long Eid Holidays are approaching, there is a growing concern about the rise in significant cyber-attacks, such as ransomware and DDoS attacks, during holiday periods when many offices are closed. It has been observed that cybercriminals take advantage of these times to carry out their malicious activities. In light of this, it is strongly advised for everyone to assess their current cybersecurity measures and take necessary actions to enhance their defenses against all types of cyber threats.
The recommended approach is to thoroughly examine your cybersecurity posture and ensure that you have implemented the best practices and mitigations suggested by experts. This includes measures to protect against ransomware, DDoS attacks, and other forms of cyber-attacks. By proactively strengthening your defenses and following industry-standard security protocols, you can effectively manage the risks posed by cyber threats and minimize the potential impact on your systems and data.
- During holidays like Eid ul Azha, individuals and organizations face various cyber threats. Phishing is a common tactic used by attackers to deceive people into revealing sensitive information or performing harmful actions. Attackers impersonate trustworthy entities, sending emails or messages with malicious links or attachments that can lead to malware installation or data disclosure.
- Another threat during Eid ul Azha is Distributed Denial of Service (DDoS) attacks, which aim to disrupt online services by overwhelming networks with malicious traffic. Reduced staffing levels and limited IT resources during holidays make organizations more vulnerable to such attacks.
- Ransomware attacks and data breaches are also a significant concern during holidays when businesses may have limited IT support. Ransomware encrypts files until a ransom is paid, while data breaches involve unauthorized access to sensitive information. Attackers exploit the holiday period to target vulnerabilities and compromise data security.
Recommendations
Here are some of the recommendations shared by the regulator to raise awareness and promote diligence in network defense practices leading up to holidays and weekends.
– Offline Backup
- Assign IT security employees for weekends and holidays to be available in case of incidents or ransomware attacks.
- Create and maintain encrypted offline backups of data, regularly testing their effectiveness. Conduct backups on a regular basis and ensure they are stored offline to protect against ransomware variants that target accessible backups.
- Review backup schedules to account for the risk of disruptions during weekends or holidays.
– Secure and monitor Remote Desktop Protocol (RDP) and other risky services
- Limit internal network access, especially by restricting RDP and using virtual desktop infrastructure. If external RDP access is necessary, require it to go through a VPN rather than exposing RDP directly to the internet.
- Monitor remote access/RDP logs, enforce account lockouts after a specified number of failed attempts, log all RDP login attempts, and disable unused remote access/RDP ports.
- Ensure devices are correctly configured and that their built-in security features are enabled rather than left at insecure defaults.
- Disable ports and protocols that are not needed for business purposes; RDP (TCP port 3389) is the usual example.
- Block outbound Server Message Block (SMB, TCP port 445) traffic at the network perimeter and remove or disable outdated versions such as SMBv1, as threat actors use SMB for lateral movement and malware propagation.
- Assess the security posture of third-party vendors and interconnected systems, monitoring and reviewing all connections for suspicious activity.
- Implement application allowlisting and remote access policies so that only known and permitted programs can execute under the established security policy.
- Open document readers in protected viewing modes to prevent the execution of active content.
– Maintain a high alert and increased monitoring during long holidays and weekends
- Utilize endpoint detection and response tools (EDR, XDR) for enhanced real-time threat detection, monitoring, and security of individual endpoints such as desktops, laptops, servers, and mobile devices.
– Update your operating system (OS) and software; scan for vulnerabilities
- Upgrade software and operating systems that are no longer supported by their vendors to currently supported versions.
- Regularly patch and update software to the latest versions available.
- Prioritize timely patching of internet-facing servers and software processing internet data (e.g., web browsers, plugins, document readers) for known vulnerabilities.
- Consider implementing a centralized patch management system.
- Automatically update antivirus and anti-malware solutions, and conduct regular virus and malware scans.
- Perform regular vulnerability scanning to identify and address vulnerabilities, particularly on internet-facing devices.
– Use strong passwords and multi-factor authentication (MFA)
- Ensure the use of strong passwords and challenge responses.
- Avoid password reuse across multiple accounts and storing passwords on systems accessible by adversaries.
- Require MFA for all services, particularly for remote access, virtual private networks, and critical system accounts.
– Secure your networks and user accounts
- Implement network segmentation with multiple secure layers, prioritizing critical communications in the most reliable layer.
- Filter network traffic to block communication with known malicious IP addresses and prevent user access to malicious websites through URL blocklists or allowlists.
- Scan networks for open and listening ports, closing unnecessary ports.
- Regularly audit administrative user accounts and configure access controls based on least privilege and separation of duties principles.
- Conduct regular log audits to ensure the legitimacy of new user accounts.
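The RDP monitoring points above (watch remote access logs, lock out after repeated failures, disable unused RDP) and the log-audit point on new user accounts can both be exercised offline with a small triage script over exported Windows Security events. The following is an added example, not code from the Rewterz advisory or from any regulator; its event records are constructed to resemble events 4624/4625 (logon success/failure) and 4720/4732 (account created, member added to a local group), and the Eid holiday window is an assumed value.

```python
"""Holiday-window triage of Windows Security events (added example).

Two checks from the advisory: RDP brute force / password spraying seen in
remote access logs (4625 failed and 4624 successful logons with LogonType
10 = RemoteInteractive, i.e. RDP), and account creations or group-membership
changes (4720, 4728, 4732) that land inside a holiday window.

SAMPLE_EVENTS is CONSTRUCTED data shaped like the fields you get from
`Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4720,4732}`
exported to JSON; it is not real log data. The holiday window is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # LogonType 10 = RemoteInteractive (RDP); 3 = network, 2 = local
ACCOUNT_CHANGE_EVENTS = {
    4720: "user account created",
    4728: "member added to global security group",
    4732: "member added to local security group",
}
# Assumed Eid ul Azha 2023 window for this example (start inclusive, end exclusive).
HOLIDAY_START = datetime(2023, 6, 28)
HOLIDAY_END = datetime(2023, 7, 2)

SAMPLE_EVENTS = [
    # Constructed spray from 203.0.113.7: five failures across four accounts in 22 s, then a success.
    {"time": "2023-06-28T02:10:05", "event_id": 4625, "logon_type": 10, "account": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2023-06-28T02:10:09", "event_id": 4625, "logon_type": 10, "account": "admin", "src_ip": "203.0.113.7"},
    {"time": "2023-06-28T02:10:14", "event_id": 4625, "logon_type": 10, "account": "backup", "src_ip": "203.0.113.7"},
    {"time": "2023-06-28T02:10:20", "event_id": 4625, "logon_type": 10, "account": "it.support", "src_ip": "203.0.113.7"},
    {"time": "2023-06-28T02:10:27", "event_id": 4625, "logon_type": 10, "account": "it.support", "src_ip": "203.0.113.7"},
    {"time": "2023-06-28T02:11:02", "event_id": 4624, "logon_type": 10, "account": "it.support", "src_ip": "203.0.113.7"},
    # Network (type 3) failure from the same IP: SMB/file-share noise, must not count as RDP.
    {"time": "2023-06-28T02:10:30", "event_id": 4625, "logon_type": 3, "account": "scanner", "src_ip": "203.0.113.7"},
    # Account created and added to Administrators during the holiday by the compromised account.
    {"time": "2023-06-28T02:15:40", "event_id": 4720, "logon_type": None, "account": "svc_update", "src_ip": None, "subject": "it.support"},
    {"time": "2023-06-28T02:16:01", "event_id": 4732, "logon_type": None, "account": "svc_update", "src_ip": None, "subject": "it.support", "group": "Administrators"},
    # Benign: a user mistypes twice over the VPN, then logs in; routine onboarding before the holiday.
    {"time": "2023-06-27T09:00:00", "event_id": 4625, "logon_type": 10, "account": "alice", "src_ip": "10.20.0.15"},
    {"time": "2023-06-27T09:00:30", "event_id": 4625, "logon_type": 10, "account": "alice", "src_ip": "10.20.0.15"},
    {"time": "2023-06-27T09:01:00", "event_id": 4624, "logon_type": 10, "account": "alice", "src_ip": "10.20.0.15"},
    {"time": "2023-06-26T11:30:00", "event_id": 4720, "logon_type": None, "account": "new.hire", "src_ip": None, "subject": "hr.admin"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """One alert per source IP with >= `threshold` failed RDP logons inside `window`.

    Grouping by source IP, not by account, is deliberate: a spray that spreads
    guesses over many accounts stays under a per-account lockout threshold, so
    only the per-IP view reveals it. `success_after` flags a 4624 from the same
    IP during or shortly after the burst, which is the case to escalate first.
    """
    rdp_events = sorted((e for e in events if e.get("logon_type") == RDP_LOGON_TYPE), key=_ts)
    by_ip = defaultdict(list)
    for e in rdp_events:
        by_ip[e["src_ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["event_id"] == 4625]
        for i in range(len(failures) - threshold + 1):
            first, last = failures[i], failures[i + threshold - 1]
            if _ts(last) - _ts(first) > window:
                continue  # this run of failures is too spread out; slide the window
            success_after = any(
                e["event_id"] == 4624 and _ts(first) <= _ts(e) <= _ts(last) + window
                for e in evs
            )
            alerts.append({
                "src_ip": ip,
                "failures": len(failures),
                "accounts": sorted({e["account"] for e in failures}),
                "first_seen": first["time"],
                "success_after": success_after,
            })
            break  # one alert per IP is enough for triage
    return alerts


def detect_holiday_account_changes(events, start=HOLIDAY_START, end=HOLIDAY_END):
    """Return account-creation / group-membership events with timestamps in [start, end)."""
    return [
        {**e, "description": ACCOUNT_CHANGE_EVENTS[e["event_id"]]}
        for e in events
        if e["event_id"] in ACCOUNT_CHANGE_EVENTS and start <= _ts(e) < end
    ]


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"[RDP] {a['src_ip']}: {a['failures']} failures vs {a['accounts']} "
              f"from {a['first_seen']}; success afterwards: {a['success_after']}")
    for c in detect_holiday_account_changes(SAMPLE_EVENTS):
        print(f"[ACCT] {c['time']} {c['event_id']} {c['description']}: {c['account']} by {c.get('subject')}")
```

On the constructed data the script raises one RDP alert for 203.0.113.7 (five failures against four accounts in 22 seconds, followed by a successful logon) and lists the account creation and Administrators-group addition made inside the holiday window, while ignoring alice's two typos and the pre-holiday onboarding. Note that a per-account lockout of five attempts would not have fired here, since no single account saw more than two failures; that is why the per-source view and the holiday-window audit are worth running alongside the lockout policy.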
– Have an incident response plan
- Develop, maintain, and exercise a basic cyber incident response plan that includes procedures for response and notification in a ransomware incident and plans for the possibility of critical system unavailability for a period of time.
Rewterz Threat Advisories keep you up to date on the newest cybersecurity threats, cyber attacks, cyber events, and reported vulnerabilities that may have an impact on your organization. By acting on these notifications, organizations can keep their staff and customers informed and take the necessary precautions to mitigate the risk of cyber attacks.
Rewterz offers a variety of data protection and recovery solutions that ensure your organization’s data recovery from destructive cyberattacks.