Threat actors have adapted their attack approaches during the ongoing COVID-19 outbreak, and several new cybersecurity scams and ransomware campaigns have emerged during the pandemic. According to the Microsoft Threat Protection Intelligence Team, cybercriminals are using the current situation to gather information from organizations and plan future attacks. The team reported observing multiple hacking groups activating dozens of ransomware deployments in the first two weeks of April 2020.
“These attacks can even be fatal, given their impact on aid organizations, medical billing companies, manufacturing, transport, government institutions and educational software providers. However, despite this global crisis, ransomware groups seem to give little regard to the critical services they impact,” Microsoft said in a post.
Vulnerable Systems Are First Targets
Microsoft’s Security Intelligence and Detection and Response team stated that attackers first infiltrate target networks and then wait before monetizing the intrusion by deploying ransomware. To gain initial access, threat actors exploited internet-facing systems with weaknesses such as a lack of multi-factor authentication (MFA), unpatched older Windows platforms, weak passwords, or specific known vulnerabilities. Microsoft observed that the human-operated ransomware campaigns relied on overlapping techniques across the whole intrusion chain: initial access, credential theft, lateral movement, and persistence.
Microsoft recommends that organizations hit by such an attack prioritize the following investigation steps:
- Investigate affected endpoints and credentials
- Isolate compromised endpoints
- Address internet-facing weaknesses
- Inspect and rebuild devices with related malware infections
Building Proactive Security Hygiene
As cybercriminals continue to reinvent their attack approaches to compromise new targets, organizations are taking proactive measures to manage the risk. Microsoft suggested the following measures to make networks more resilient against evolving threats:
- Apply an account lockout policy so that an account is locked after a small number of failed logon attempts, which blunts password-guessing attacks against exposed services.
- Ensure good perimeter security by patching exposed systems and applying mitigating controls, such as MFA or vendor-supplied mitigation guidance, for known vulnerabilities.
- Use host firewalls to limit lateral movement, for example by preventing endpoints from accepting connections on TCP port 445 (SMB). This can significantly disrupt malicious activity.
- Turn on cloud-delivered protection in your antivirus product to keep up with rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the large majority of new and unknown variants.
- Follow standard security baseline guidance for all your software. A tool like Microsoft Secure Score can also help measure your security posture and recommend actions, guidance, and controls for improvement.
- Turn on tamper protection features to prevent attackers from stopping security services.
- Turn on attack surface reduction rules, including rules that can block ransomware activity.
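The host-level items in the list above (account lockout, blocking inbound SMB, cloud-delivered protection, tamper protection, and ASR rules) can be audited and applied from an elevated PowerShell session on a Windows 10 or Windows Server host. The script below is an added example written for this page; it is not code from Microsoft's post. It assumes Microsoft Defender Antivirus is the active antivirus (ASR rules and cloud protection are Defender features), and the lockout threshold and window values are illustrative choices rather than figures from the post. The ASR rule GUIDs are Microsoft's published identifiers for the named rules.

```powershell
# Added example (not from the Microsoft post): audit the hardening items from the
# list above on the local host and, with -Fix, apply the ones PowerShell can set.
# Assumes an elevated shell and Microsoft Defender Antivirus as the active AV.
param([switch]$Fix)

# Published ASR rule GUIDs; the first is the rule the post refers to as blocking ransomware.
$AsrRules = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
}

function Test-AccountLockout {
    # 'net accounts' prints "Lockout threshold: Never" when no lockout policy is set.
    $line = (net accounts) | Select-String 'Lockout threshold'
    if ($line -match 'Lockout threshold:\s+(\S+)') {
        # Illustrative threshold: a policy of 10 or fewer failed attempts counts as OK.
        return ($Matches[1] -ne 'Never' -and [int]$Matches[1] -le 10)
    }
    return $false
}

function Test-SmbInboundBlocked {
    # Look for an enabled inbound firewall rule that blocks TCP/445 (SMB).
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' }
    return [bool]$rules
}

function Test-CloudProtection {
    # MAPSReporting: 0 = off, 1 = basic, 2 = advanced (cloud-delivered protection on).
    return ((Get-MpPreference).MAPSReporting -eq 2)
}

function Get-MissingAsrRules {
    # Return the rule IDs from $AsrRules that are not configured in Block mode.
    $pref = Get-MpPreference
    $ids = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $missing = @()
    foreach ($id in $AsrRules.Keys) {
        $idx = [array]::IndexOf($ids, $id.ToLower())
        # Actions: 0 = Disabled, 1 = Block, 2 = Audit. Only Block satisfies the check.
        if ($idx -lt 0 -or $pref.AttackSurfaceReductionRules_Actions[$idx] -ne 1) { $missing += $id }
    }
    return $missing
}

function Invoke-Hardening {
    # Lock out after 10 failed attempts, 15-minute window and duration (illustrative values).
    net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15 | Out-Null
    if (-not (Test-SmbInboundBlocked)) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
    # Cloud-delivered protection needs MAPS reporting plus sample submission.
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
    foreach ($id in Get-MissingAsrRules) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
    # Tamper protection cannot be switched on from Set-MpPreference; it is enabled in the
    # Windows Security app or centrally via Intune, so it is only reported here, not fixed.
}

$status = Get-MpComputerStatus
$report = [ordered]@{
    'Account lockout policy set'     = Test-AccountLockout
    'Inbound TCP/445 blocked'        = Test-SmbInboundBlocked
    'Cloud-delivered protection on'  = Test-CloudProtection
    'Tamper protection on'           = [bool]$status.IsTamperProtected
    'Listed ASR rules in Block mode' = ((Get-MissingAsrRules).Count -eq 0)
}
$report.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'WEAK' })
}
if ($Fix) { Invoke-Hardening; 'Remediation applied; re-run without -Fix to verify.' }
```

Run it once without `-Fix` to see which items report WEAK, then with `-Fix` to apply them. The SMB block is meant for workstations and other endpoints that do not need to serve files; do not apply it to file servers or domain controllers, which must accept TCP/445 from their clients. ASR rules can be set to Audit (action 2) first to review what they would block before switching to Block.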
“What we’ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services that their attacks cause, even in this time of global crisis. Organizations shouldn’t expect hackers to be concerned about anything other than disruption and potential financial reward, regardless of the impact on people or society as a whole,” Microsoft added.
Organizations must be prepared with the latest preventive actions to protect themselves from evolving threats and safeguard their valuable information.