It is 26 November 2020. We’re doing work for a medium-sized global enterprise that’s been hit by ransomware. I’m sipping coffee while on a call with the IT director, discussing how to get users back up and running after they’ve restored their systems from backups (the company’s IT team had the foresight to run regular backups and keep them air-gapped from its network – I wish more companies would do this).
I ask him if he’s considered deploying multifactor authentication (MFA) for the company’s users, as it helps prevent malicious login attempts if credentials are stolen. He sighs. “No, I’d love to, but I’d get too much pushback from the board and users because of the extra sign-in step.” “Have you tried telling the board that if MFA was used, the attack might not have impacted the company at all, and you wouldn’t have had to and a half to reinstall all the endpoints?” I ask. He snorts. “My job seems to be keeping everyone happy, and security comes second.”
I hear this a lot, so I suggest that all his IT administrators use MFA, which stops attackers from using stolen credentials or credential stuffing to get into privileged accounts where they can cause maximum damage. He agrees. “Anyway, we need to get our remote contractors working again, so we’ll have to open RDP [remote desktop protocol] back up,” he adds. “They all use their own PCs, so we won’t be able to put anti-malware or our new EDR [endpoint detection and response] software on them, though.”
I nearly choke on my coffee, and I’m lost for words for a few moments. When I’ve cleared my throat, I point out that the Dharma attack most likely originated from the attacker using phished credentials and then planting the ransomware on the network. I suggest that, as a minimum, the company imposes endpoint requirements on contractors’ machines before they are allowed to connect remotely.
After finishing the call with the IT director, I’m asked to update the company’s management on how the work is progressing. “How many machines have you scanned for infections?” they ask. About half of your total number of PCs, I reply. I haven’t been able to reach some, and some I can’t scan because they are developers’ machines and the developers don’t like administrators watching them. I wait, but my point seems to go unnoticed. “How many of those are infected with the ransomware?” 80% of the machines I’ve scanned, I tell them. “So what can we do with the infected machines?” they ask.
I tell them the machines need to be removed from the network, thoroughly disinfected, and only then reinstalled; otherwise, there’s a risk of missing something, or of an unknown infection being left behind that could re-infect the network. “That’s too big a job,” they say. “We have antivirus; can’t we just get going with them, and the software will pick up any infections?” I point out that the antivirus software was disabled just before the ransomware attack by the hackers behind it, using administrator-level credentials probably harvested during an earlier phishing exploit targeting one of its IT teams. There’s a silence, and then someone asks: “Okay, we see what you mean. How do we stop this from happening again?” Now we’re starting to get somewhere.
Just as we’re discussing how we would recommend using MFA to help prevent these attacks in the future, I get a message on the internal team WhatsApp group. “Online retailer . Can I join a call shortly?” Here we go again…

A specialist in incident response (IR) is at the front line of the battle against malicious cybercriminals, ransomware, and other threats. The Secret IR Insider works at cyber security services and solutions supplier Check Point.