The US authorities have used the week before Labor Day to warn organizations about the risk of cyber-threats timed to coincide with holidays and weekends.
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) alert noted that ransomware attacks in particular are more likely to hit home on these days, when offices are closed and IT incident responders will not be at their desks.
Most recently, the major Kaseya supply chain attack on MSPs and their downstream customers occurred over the July 4 weekend in the US. On Memorial Day weekend, there was an attack on meat processing giant JBS USA, while the infamous Colonial Pipeline outage began on the Mother’s Day weekend in the US.
Although the agencies don’t have any intelligence suggesting a similar attack this coming weekend, they urged public and private sector organizations to stay alert in the days preceding it.
They flagged the following as among the main tactics used by ransomware threat actors: phishing; brute-forcing unsecured Remote Desktop Protocol (RDP) endpoints; deploying dropper malware for reconnaissance and other tasks; exploiting software vulnerabilities and managed service providers (MSPs); and using credentials purchased on the dark web.
The alert suggests a number of mitigations for organizations, including offline backups, securing RDP, vulnerability scans and patching, multi-factor authentication, network segmentation, and user training on phishing awareness.
It also suggested organizations engage in “pre-emptive” threat-hunting on their networks to spot the signs of suspicious activity and mitigate attacks before they cause any damage.
“Threat actors can be present on a victim network long before they lock down a system, alerting the victim to the ransomware attack,” it said. “Threat actors often search through a network to find and compromise the most critical or lucrative targets. Many will exfiltrate large amounts of data.”
Jake Williams, co-founder and CTO at incident response specialist BreachQuest, argued that most ransomware attacks could be thwarted by following CISA’s advice.
“This is especially true for reviewing logs. Threat actors could certainly perform lateral movement while staying out of logs, but with the plethora of potential victims with horrible cyber-hygiene there’s currently no need to do so,” he added.
“Extremely basic levels of cybersecurity hygiene and monitoring are enough to achieve early detection of today’s ransomware adversaries.”
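The log review that the alert's "pre-emptive" threat-hunting advice and Williams' comments both point to can be shown concretely. The following is an added example, not code from the article, the FBI/CISA alert, or BreachQuest: it scans constructed, simplified Windows Security log records for the RDP brute-force pattern the alert names (a burst of failed RemoteInteractive logons from one source), and notes whether a successful logon from that same source followed, which is the early-detection signal an analyst would escalate. The record format, the five-failure threshold and the ten-minute window are assumptions chosen for the illustration; real event logs carry the same event IDs (4625 failed logon, 4624 successful logon, logon type 10 for RDP) but in a much richer structure.

```python
"""
Added example: flag RDP brute-force patterns in a constructed, simplified
log extract. Not from the FBI/CISA alert, the article, or BreachQuest.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a simplified
# "timestamp event_id logon_type account src_ip" form (assumed format).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_LOG = """\
2021-09-04T02:00:01 4625 10 administrator 203.0.113.7
2021-09-04T02:00:03 4625 10 admin 203.0.113.7
2021-09-04T02:00:04 4624 2 jsmith 10.0.0.15
2021-09-04T02:00:06 4625 10 backup 203.0.113.7
2021-09-04T02:00:08 4625 10 sqlsvc 203.0.113.7
2021-09-04T02:00:11 4625 10 helpdesk 203.0.113.7
2021-09-04T02:00:15 4625 10 it-admin 203.0.113.7
2021-09-04T02:00:40 4624 10 it-admin 203.0.113.7
2021-09-04T02:05:00 4625 10 jsmith 10.0.0.15
2021-09-04T02:05:30 4624 10 jsmith 10.0.0.15
"""

THRESHOLD = 5                   # assumed tuning value: failures before flagging
WINDOW = timedelta(minutes=10)  # assumed sliding window for counting failures
RDP_LOGON_TYPE = 10


def parse_line(line):
    """Parse one constructed record; return None for malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, event_id, logon_type, account, src_ip = parts
    try:
        return {
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src_ip": src_ip,
        }
    except ValueError:
        return None


def detect_rdp_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return one finding per source IP whose RDP failures exceed the
    threshold inside the sliding window; records are assumed chronological."""
    recent_failures = defaultdict(deque)  # src_ip -> timestamps of recent 4625s
    findings = {}                         # src_ip -> finding, in flag order
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RDP logons are in scope for this check
        ip = ev["src_ip"]
        q = recent_failures[ip]
        # Drop failures that have fallen out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["event_id"] == 4625:
            q.append(ev["ts"])
            if ip in findings:
                findings[ip]["failed_count"] += 1
            elif len(q) >= threshold:
                findings[ip] = {
                    "src_ip": ip,
                    "failed_count": len(q),
                    "first_failure": q[0],
                    "flagged_at": ev["ts"],
                    "success_after": None,  # filled if a 4624 follows
                }
        elif ev["event_id"] == 4624 and ip in findings \
                and findings[ip]["success_after"] is None:
            # A success from an already-flagged source is the signal to escalate.
            findings[ip]["success_after"] = {"account": ev["account"], "ts": ev["ts"]}
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(SAMPLE_LOG):
        status = "SUCCESS FOLLOWED" if f["success_after"] else "failures only"
        print(f"{f['src_ip']}: {f['failed_count']} failed RDP logons "
              f"since {f['first_failure']} ({status})")
```

The sample deliberately includes a single failed logon followed by a success from an internal address, which stays below the threshold and is not reported; a lone mistyped password should not page anyone. Feeding the check a real export means replacing `parse_line` with a parser for the actual log format and keeping the sliding-window logic unchanged.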