NEW ATTACK – REvil Ransomware
As you may know, this weekend an important Argentinean corporation was hit by a ransomware attack that disrupted its administrative operations for several hours.
With the attack details now public, we would like to share some thoughts with you.
The attack was carried out with REvil ransomware (a.k.a. Sodinokibi), which took advantage of several weaknesses, including an unpatched, internet-exposed RDP service and a privilege-escalation flaw. The malware exploits CVE-2018-8453, a vulnerability that should have been patched almost two years ago (https://support.microsoft.com/en-us/help/4471320). Beyond obtaining administrative access to Active Directory, the attack encrypted server and user files, including those stored in OneDrive. As it turned out, that last detail was more a part of the solution than a problem.
Based on this summary, we would like to offer (or, rather, remind you of) some general advice to minimize the impact of this kind of attack.
- Patch. New vulnerabilities are discovered continuously, but only a tiny fraction of attacks happen in the “zero-day” window, before vendors have released a fix.
- Backup. The only way to recover information after being hit by ransomware is to restore from backups. We are not going to discuss paying the ransom, for several reasons. An important detail about this weekend's attack is that most of the affected files were stored in OneDrive and were encrypted from users' computers or notebooks. Fortunately, data held in this kind of service can be recovered quickly.
- Patch. Yes, again. And patch on time. Schedule a monthly maintenance window for critical systems. If a system really must run non-stop, strict isolation measures should be taken instead. Nobody connects to an outdated SCADA system from the internet, DO YOU?
- Lower the attack surface. From not exposing unnecessary services (who needs RDP from the internet?) to avoiding unnecessary software. An exposed RDP service can be compromised (by exploiting a vulnerability, by brute-force or dictionary attacks, through phishing, etc.), and then avoidable software can provide the path to privilege escalation. Taking control of a system can be this simple.
- Patch on time and back up. Just in case we didn't insist enough.
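As a practical complement to the points above, here is a small host audit that checks the three things this post keeps coming back to: whether RDP is enabled at all, whether it requires Network Level Authentication, whether an inbound firewall rule opens the RDP port to any remote address, and whether a given update is installed. This is an added example, not code from the original post or from the affected organisation; it assumes PowerShell 5.1 or later with the NetSecurity module (Windows 8 / Server 2012 and newer), local administrator rights, and the standard Terminal Server registry locations. The KB number is a placeholder taken from the support link above: substitute the update that carries the CVE-2018-8453 fix for your Windows build.

```powershell
# Added example (not from the original post): RDP exposure and patch-state audit.
# Assumes PowerShell 5.1+, the NetSecurity module and local admin rights.
# $kbToCheck is a placeholder; use the KB that fixes CVE-2018-8453 on your build.
$kbToCheck = 'KB4471320'

# 1. Is RDP enabled? fDenyTSConnections = 1 means Remote Desktop is disabled.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -ErrorAction SilentlyContinue
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# 2. Is Network Level Authentication required? UserAuthentication = 1 means yes.
$nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -ErrorAction SilentlyContinue
$nlaRequired = ($nla.UserAuthentication -eq 1)

# 3. Which enabled inbound allow rules open TCP 3389 to *any* remote address?
$openRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow `
                -ErrorAction SilentlyContinue |
    Where-Object {
        (($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389') -and
        (($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any')
    }

# 4. Is the chosen update installed? Get-HotFix returns nothing when it is absent.
$patchPresent = [bool](Get-HotFix -Id $kbToCheck -ErrorAction SilentlyContinue)

# Summary object: anything that reads RdpEnabled=True + RdpOpenToAny=True,
# NlaRequired=False or PatchPresent=False deserves attention.
[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    RdpEnabled    = $rdpEnabled
    NlaRequired   = $nlaRequired
    RdpOpenToAny  = (@($openRules).Count -gt 0)
    OpenRuleNames = @($openRules | Select-Object -ExpandProperty DisplayName)
    PatchPresent  = $patchPresent
}
```

Run it from an elevated PowerShell prompt on each server you suspect is reachable from the internet. A host that reports RDP enabled and open to any address, with NLA not required, is exactly the starting point described in this post; the fix is to close or restrict the firewall rule (or disable RDP where nobody needs it), require NLA, and schedule the missing update in the next maintenance window.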
Only after covering (not necessarily solving, but certainly engaging with) these points can we start talking about further measures like malware protection, IPS, WAF, reverse proxies, latch authentication, device management, and so on. Each of these measures adds a security layer, contributing in the framework of the “Swiss cheese” model (https://en.wikipedia.org/wiki/Swiss_cheese_model).
If you have any questions, please contact us: firstname.lastname@example.org