

Severity
High
Analysis Summary
The most recent report from the Regulatory Authority addresses cyberattacks targeting financial institutions and underscores the critical importance of prioritizing cybersecurity preparedness. It emphasizes the need to secure networks against adversaries and highlights prevention as the most effective defense against ransomware and other cyber threats.
It has been actively sharing information about the tactics, techniques, and procedures used by threat actors in these attacks, along with indicators of compromise (IOCs). To respond effectively to this threat landscape, it advises organizations to take the following steps:
- Elevate Cybersecurity Alertness: It recommends putting cybersecurity teams on high alert, particularly during holidays and weekends when offices are typically closed. This heightened state of vigilance is essential to detect and respond to highly impactful cyberattacks, including ransomware and Distributed Denial of Service (DDoS) attacks.
- Assess Current Cybersecurity Posture: All organizations are encouraged to assess their existing cybersecurity posture. This involves a comprehensive evaluation of current security measures, identification of vulnerabilities, and the implementation of recommended best practices and mitigations. The goal is to effectively manage the risks posed by a wide range of cyber threats, including ransomware and DDoS attacks.
The advisory further provides a list of indicators of suspicious activities that Security Operations Center (SOC) monitoring teams should closely monitor:
- Unusual Network Traffic: Any abnormal patterns of inbound and outbound network traffic.
- Privilege Compromise: The compromise of administrator privileges or unauthorized escalation of permissions on user accounts.
- Credential Theft: Incidents involving the theft of login and password credentials.
- Database Volume Increase: A substantial and unexplained increase in database read volume.
- Geographical Irregularities: Anomalies in access and login patterns that may indicate unauthorized access from unusual geographic locations.
- Anomalous Logon Times: Attempts by users to log in during times that deviate from normal usage patterns.
- Unauthorized Server Access: Attempts to access folders on a web server that are not referenced by any of the site's HTML pages.
- Baseline Deviations in Encrypted Traffic: Detection of variations in the type of outbound encrypted traffic, which is a common tactic used by advanced persistent threat actors for data exfiltration.
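As an added example that is not part of the advisory, the following Python check implements three of the indicators above over a learning window of known-good logons: anomalous logon hours, weekend logons, and logons from a country not previously seen for that user. The users, timestamps and countries are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon events: (user, ISO-8601 timestamp, source country).
BASELINE_EVENTS = [            # learning window of known-good activity
    ("alice", "2023-09-04T09:12:00", "PK"),
    ("alice", "2023-09-05T08:55:00", "PK"),
    ("alice", "2023-09-06T10:03:00", "PK"),
    ("alice", "2023-09-07T17:40:00", "PK"),
    ("bob", "2023-09-04T22:10:00", "PK"),
    ("bob", "2023-09-05T23:05:00", "PK"),
    ("bob", "2023-09-06T21:48:00", "AE"),
]
REVIEW_EVENTS = [              # events under review
    ("alice", "2023-09-30T03:14:00", "PK"),  # Saturday, 03:14: off-hours
    ("alice", "2023-09-28T09:30:00", "NL"),  # usual hour, unseen country
    ("bob", "2023-09-28T22:30:00", "PK"),    # consistent with bob's baseline
]

def build_baseline(events):
    """Per user: the logon hours and source countries seen in the learning window."""
    hours, countries = defaultdict(set), defaultdict(set)
    for user, ts, country in events:
        dt = datetime.fromisoformat(ts)
        hours[user].add(dt.hour)
        countries[user].add(country)
    return hours, countries

def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock, so 23:xx and 00:xx are 1 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def flag_logons(review, baseline_events, tolerance=1):
    """Return (user, timestamp, reasons) for each logon that deviates from the baseline.
    A user never seen in the learning window is flagged on every criterion."""
    hours, countries = build_baseline(baseline_events)
    findings = []
    for user, ts, country in review:
        dt = datetime.fromisoformat(ts)
        reasons = []
        if not any(hour_distance(dt.hour, h) <= tolerance for h in hours[user]):
            reasons.append("anomalous logon time")
        if dt.weekday() >= 5:  # Saturday/Sunday; extend with a holiday calendar as needed
            reasons.append("weekend logon")
        if country not in countries[user]:
            reasons.append(f"new source country {country}")
        if reasons:
            findings.append((user, ts, reasons))
    return findings
```

In practice the learning window would be several weeks of authentication logs per user, and the findings would be routed to the SOC queue rather than returned as a list.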
This advisory highlights the need for organizations to remain vigilant, enhance their cybersecurity measures, and closely monitor for potential threats, especially during non-business hours. By following these recommendations and being aware of the specified indicators, organizations can better protect themselves against cyberattacks and mitigate potential risks.
Here’s a summary of the provided recommendations in the report:
Offline Backup
- Ensure data security by designating IT security personnel available during weekends and holidays, creating and maintaining encrypted offline backups, and reviewing backup schedules to mitigate potential disruptions during these periods, all as part of a comprehensive data backup strategy.
Remote Desktop Protocol (RDP) & Potentially Risky Services
- To secure and monitor Remote Desktop Protocol (RDP) and other potentially risky services, the advice is to limit internal network access, use virtual desktop infrastructure, and externally authenticate RDP via VPN if necessary. Monitor RDP activities, enforce account lockouts, log login attempts, ensure proper device configuration, and disable unused ports and protocols to enhance security and reduce vulnerabilities.
- Disable outbound SMB protocol and eliminate outdated versions to prevent malware propagation.
- Conduct security assessments of third-party vendors and monitor their connections for suspicious activity.
- Enforce strict application and remote access policies to only allow trusted programs.
- Enhance document security by using protected viewing modes in document readers.
- Deploy endpoint detection and response (EDR) and extended detection and response (XDR) tools for real-time threat detection and protection of various endpoints, including desktops, laptops, servers, and mobile devices.
OS & Software
- Keep your operating system and software up-to-date by upgrading to currently supported versions, especially if the vendor no longer supports older versions.
- Regularly apply patches and updates to ensure you have the latest security fixes.
- Prioritize patching for internet-facing servers, web browsers, browser plugins, and document readers to address known vulnerabilities. Consider using a centralized patch management system for efficient updates. Additionally, automate updates for antivirus and anti-malware solutions, and conduct routine scans for viruses and malware. Perform regular vulnerability scanning, with particular attention to internet-facing devices, to identify and address potential security weaknesses.
Strong Passwords
- Utilize strong passwords and multi-factor authentication (MFA), avoiding password reuse and requiring MFA, especially for remote access, VPNs, and critical system accounts.
Networks & User Accounts
- Implement network segmentation with multiple layers, prioritizing the most critical communications in the most secure layer.
- Filter network traffic to block communication with known malicious IP addresses and prevent access to malicious websites using URL blocklists or allowlists.
- Conduct regular scans to identify and close unnecessary open and listening ports, and audit administrative user accounts while configuring access controls based on the principles of least privilege and separation of duties. Additionally, regularly review logs to verify the legitimacy of new user accounts.
Incident Response Plan
- Establish and maintain a comprehensive cyber incident response plan that covers procedures for responding to ransomware incidents and addresses the potential unavailability of critical systems for a period.
General Recommendations
Apart from the suggestions mentioned earlier, to safeguard your organization from ransomware threats, consider implementing the following general recommendations:
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
- Create automated and regular backups of critical data, both onsite and offsite.
- Educate employees on how to recognize phishing emails and suspicious attachments.
- Keep all operating systems, software, and applications up-to-date with the latest security patches.
- Isolate critical systems and networks from less critical ones to limit the spread of ransomware.
- Implement the principle of least privilege, ensuring employees only have access to the resources necessary for their roles.
- Use email filtering solutions to detect and block phishing attempts and malicious attachments.
- Employ advanced endpoint protection software to detect and prevent malware infections.
- Use firewalls and IDS to monitor network traffic for suspicious activity.
- Enable MFA wherever possible to enhance account security.
- Develop a robust incident response plan that outlines the steps to take in the event of a ransomware attack.
- Perform security audits and penetration testing to identify vulnerabilities and weaknesses.
- Utilize anti-virus, anti-malware, and anti-ransomware tools and keep them updated.
- Educate employees about ransomware threats, and establish clear reporting procedures if an incident occurs.
- Continuously monitor the activities of privileged accounts in real-time.
- Look for suspicious or unauthorized access, especially to critical systems and sensitive data.
- Utilize behavioral analytics to establish a baseline of normal behavior for privileged accounts.
- Regularly review and recertify privileged access rights to ensure that users have the appropriate level of access.
- Implement strong credential management practices, including the regular rotation of passwords and the use of strong, unique passwords for privileged accounts.
Note:
- The report’s indicators of compromise are sourced from a regulatory authority.
- Please liaise with your IT teams and inquire whether some of the mentioned IPs, which likely belong to GOOGLE-CLOUD-PLATFORM, are affiliated with your services.
- Additional Indicator Of Compromise:
SHA-1: 6BC09224B90925E09B9F04198EFA089C5160DD80
Indicators of Compromise
IP
MD5
- e9dc058440d321aa17d0600b3ca0ab04
SHA-256
- e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173
SHA-1
- 539c228b6b332f5aa523e5ce358c16647d8bbe57