Our New Zealand newswires have been busy of late with the rise of cyber attacks that have been hitting prominent New Zealand entities. Here at InPhySec, we have been directly involved with the response to many of these incidents and we would like to share some insight into the attacks along with some practical advice for you. We urge you to understand that for every newsworthy story you see regarding an attack, there are multiple other attacks happening concurrently against smaller, less visible organisations. We work with both large government agencies and corporates as well as much smaller organisations, so we are privy to the full spectrum of attacks, and each and every one has the same motivation – to disrupt for financial gain.
If the recent attacks are raising doubts or concerns about your organisation's current security posture, we suggest you start with an initial security baseline review. This will give you an understanding of your current security posture from both a management and a technical perspective, tested against key security standards. A key deliverable from this review is a security roadmap with an informed set of recommendations as to how the company can progress from its current to its desired security state.
Overview of the recent cyber-attack methods
The recent attacks have taken the form of two common methods - Ransomware and DDoS. Both are very common cyber-attack methods and vary in their levels of sophistication and success.
Ransomware
Over recent years there has been an alarming evolution in the ransomware scene. eCrime gangs have moved from targeting single endpoints to compromising entire corporate networks before deploying increasingly sophisticated ransomware variants. Globally, there has been a tenfold increase in the average ransomware payments in less than two years. A reason for this increase is a change in strategy, coined the ‘double-tap’. Attackers will first steal sensitive data before encrypting the network. They will prove ownership of this data and use it as leverage to coerce the victim into paying the ransom.
Every industry is now a target. Threat actors do not care whether your business supports essential services like finance, critical infrastructure, or health care. Nor do they care if you operate in the retail, logistics, or manufacturing sector.
How the attackers get in and our advice:
- Over 50% of ransomware attacks come via exposed Remote Desktop services. Especially in the age of remote working, organisations need to ensure they have secure remote access solutions in place, such as a VPN together with two-factor authentication.
- The second most common breach factor is email phishing. Having a secure email gateway that scans email attachments on their way through will help to mitigate this threat, along with security awareness and training for staff. Staff should be advised to ensure their personal and corporate passwords are very different. They should also be reminded to always think twice before entering a password: unless they have requested a password reset or are setting up a new account, a legitimate request to enter a password never arrives by email.
- The third is through software vulnerabilities. Our advice is simple - patch, patch, patch.
DDoS (Distributed Denial of Service)
The most recent DDoS attacks in New Zealand have been on such a scale that the Government has issued a general warning. A DDoS attack has the same goal as a traditional Denial of Service (DoS) attack, which is to disrupt the availability of a computer system by overloading it with garbage messages, after which the attacker issues a ransom request. What distinguishes a Distributed Denial of Service attack is that the attacking power is distributed across multiple attacking systems. For example, a threat actor (attacker) may direct the efforts of thousands of different computers at a company's website or online ordering system in an effort to overload it. If this succeeds, the website will stop working, hence "denial of service".
Our advice:
- If you already have DDoS protection enabled, please check the configuration and capacity with your DDoS service provider, particularly against reflective or amplification attacks across a range of protocols including DNS and NTP. Be prepared for volumes in the 50-200 Gbit per second range.
- If you do not have DDoS protection and DDoS is a risk to your business, then please implement it as soon as possible. All of the big ISPs and service providers offer DDoS protection solutions, and there are also specialist companies such as RedShield.
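As an added illustration of the reflective/amplification check above (this is not InPhySec's code, and it runs on constructed flow records rather than real traffic), the following Python flags hosts that are receiving DNS or NTP reflector traffic from many distinct sources at a high aggregate rate; the record format, the source and rate thresholds, and the 10-second window are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# UDP services commonly abused as reflectors, keyed by the source port seen on the victim side
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}

def summarise_udp_responses(flows):
    """Aggregate inbound UDP flows whose source port is a known reflector service.

    flows: iterable of dicts with keys src, sport, dst, dport, proto, bytes (assumed format).
    Returns {dst_ip: {"bytes": int, "sources": set, "services": set}}.
    """
    per_target = defaultdict(lambda: {"bytes": 0, "sources": set(), "services": set()})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue
        rec = per_target[f["dst"]]
        rec["bytes"] += f["bytes"]
        rec["sources"].add(f["src"])
        rec["services"].add(REFLECTOR_PORTS[f["sport"]])
    return per_target

def find_reflection_targets(flows, window_seconds, min_sources=100, min_gbps=1.0):
    """Flag destinations receiving reflector-service traffic from at least min_sources
    distinct hosts at a rate of at least min_gbps. Returns [(dst, gbps, n_sources, services)]."""
    findings = []
    for dst, rec in summarise_udp_responses(flows).items():
        gbps = rec["bytes"] * 8 / window_seconds / 1e9
        if len(rec["sources"]) >= min_sources and gbps >= min_gbps:
            findings.append((dst, round(gbps, 3), len(rec["sources"]), sorted(rec["services"])))
    return sorted(findings, key=lambda x: x[1], reverse=True)

def constructed_flows():
    """Constructed sample: 500 DNS/NTP reflectors sending to one host over a 10 s window,
    plus a handful of ordinary DNS replies to another host (documentation/test address ranges)."""
    flows = []
    for i in range(500):
        # synthetic reflector addresses taken from the 198.18.0.0/15 benchmarking range
        src = str(ip_address("198.18.0.0") + i)
        flows.append({"src": src, "sport": 53 if i % 2 else 123, "dst": "203.0.113.10",
                      "dport": 80, "proto": "udp", "bytes": 5_000_000})
    for _ in range(3):
        flows.append({"src": "192.0.2.53", "sport": 53, "dst": "198.51.100.5",
                      "dport": 40123, "proto": "udp", "bytes": 500})
    return flows

if __name__ == "__main__":
    for dst, gbps, n, svcs in find_reflection_targets(constructed_flows(), window_seconds=10):
        print(f"{dst}: {gbps} Gbit/s from {n} reflectors via {', '.join(svcs)}")
```

On the constructed sample this reports the single victim host at 2.0 Gbit/s from 500 reflectors via DNS and NTP, while the ordinary DNS replies from one resolver are not flagged.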