At the tail end of last week, the Australian Cyber Security Centre (ACSC) published a notification that "Australian organisations are encouraged to urgently adopt an enhanced cyber security position." The Advisory can be found here.
At the time, the Advisory was quite a frustrating one as it stated that "The ACSC is not aware of any current or specific threats to Australian organisations, adopting an enhanced cyber security posture and increased monitoring for threats will help to reduce the impacts to Australian organisations." So, why publish the advisory? Why now? What has changed to make the ACSC publish this notice?
We, as cyber professionals, have been telling organisations for years that they need to up their game. We have been continually repeating the message that it is not a matter of if, but when. Thankfully, the ACSC quickly updated the Advisory to add further details: this is in response to the ransomware being seen deployed on Ukrainian organisations. This is all well and good, but again, it is not something new. The ACSC released their half-yearly report that showed ransomware attacks on Australian organisations were up ~30%.
As we begin to dig deeper, the reason behind the Advisory becomes apparent. One of the more prevalent Ransomware as a Service (RaaS) gangs we see operating in Australia, Conti (a Russian-speaking group responsible for ransomware attacks at CS Energy, Finite Recruitment and many more that have not been disclosed), has warned it will retaliate should the West launch cyber attacks on Russia. This really comes off the back of the Ukrainian Government asking for volunteers from the "hacker community" to help protect critical infrastructure and conduct cyber spying missions against Russian troops.
Furthermore, there has been infighting within Conti, with what seem to be Ukrainian-based members compromising the internal chat system (Jabber/XMPP) and leaking internal logs. The leak contains 339 files, each consisting of a full day's messages, and can be read here (noting it is in Russian), thanks to IntelligenceX.
So, now we have context. We are seeing a RaaS group that operates heavily in Australia threatening to use all its might on the West should there be offensive efforts, and a number of its members are annoyed their internal chats were published online. Great, but what do Australian organisations need to do? The ACSC Notification outlines the Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IOCs) known to be used by Conti. This is all well and good, but what actionable things do you need to do? It is quite simple really, and remains the same message as always:
- Enable Multifactor Authentication (MFA) on all externally facing systems including email, VPN, Remote Access and anything else that gives access. There is no reason MFA should not be enabled on externally facing systems.
- Deploy an Endpoint Detection and Response (EDR) solution such as Crowdstrike or Carbon Black. Traditional antivirus products like McAfee, Symantec, Trend Worry Free Business, Avast, etc. will simply not stand up to ransomware. If you have not tested this, you should. The results will be surprising.
- Undertake internal and external vulnerability scanning and prioritise patching based on your vulnerability management programme. Ensure commonly targeted vulnerabilities are patched, especially things like ProxyShell. Almost every ransomware incident response engagement Triskele Labs undertakes stems from missing patches.
- Deploy a Log Management Platform (such as a SIEM) that captures all logs and seeks out possible threats in the network. This gives insight into exactly what is happening in your network and allows for response as needed.
- Finally - and most importantly - ensure your systems are being monitored around the clock. It is fine to have EDR and SIEM in place, but if nobody is watching them 24x7x365 - they are useless. Do not rely on a member of the IT team waking up at 2am on a Tuesday to respond - engage a Managed Security Services Provider (MSSP) to do this for you - and to take action.
While there are many other solutions and mitigations such as a secure email gateway, user awareness training, network security monitoring and plenty more, these five simple items will provide the visibility needed to monitor for the known TTPs and IOCs and allow for rapid response.
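To show what "monitoring for the known IOCs" looks like once the logs are in one place, here is an added Python example (not part of the original post, and not Triskele Labs or ACSC code): a minimal IOC sweep that takes an indicator list of the kind published in the ACSC notification and checks it against log lines the way a SIEM correlation rule would. The IOC values and log lines are constructed placeholders (documentation IP ranges, `.invalid`/`example.net` domains, a dummy hash), not Conti indicators.

```python
import re

# Constructed IOC list in the shape of an advisory's indicator set (placeholders only).
IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},          # RFC 5737 documentation addresses
    "domain": {"bad-example.invalid", "c2.example.net"},
    "sha256": {"a" * 64},                            # dummy hash placeholder
}

# Constructed log lines mixing firewall, web proxy and EDR events as a SIEM would see them.
SAMPLE_LOGS = [
    "2022-02-28T01:12:03Z fw src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow",
    "2022-02-28T01:12:09Z proxy user=jsmith host=Update.C2.Example.NET path=/a.php",
    "2022-02-28T01:13:44Z edr host=WS-017 proc=rundll32.exe sha256=" + "A" * 64,
    "2022-02-28T01:14:00Z fw src=10.0.0.9 dst=192.0.2.10 dport=80 action=allow",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:host|dst_host|domain)=([A-Za-z0-9.-]+)")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def domain_matches(host, domain_iocs):
    """Return the matching IOC domain for a hostname, covering subdomains and mixed case."""
    host = host.lower().rstrip(".")
    for d in domain_iocs:
        if host == d or host.endswith("." + d):
            return d
    return None


def sweep(lines, iocs=IOCS):
    """Scan log lines for IOC matches; returns (line_number, ioc_type, matched_value) tuples."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append((n, "ip", ip))
        for host in HOST_RE.findall(line):
            matched = domain_matches(host, iocs["domain"])
            if matched:
                hits.append((n, "domain", matched))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in iocs["sha256"]:       # hashes are compared case-insensitively
                hits.append((n, "sha256", digest.lower()))
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print("IOC hit on line %d: %s %s" % hit)
```

The same loop scales to a feed of advisory indicators; the point is that without centralised logs there is nothing for it to run against.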