In recent months, cyberattacks have crossed through the digital ether with very real implications in our physical reality, as online criminals send shockwaves through critical aspects of U.S. infrastructure ranging from domestic petroleum and meat production to local water treatment facilities. On Tuesday, the FBI and CISA released an advisory, warning organizations to “remain vigilant” to cybersecurity threats heading toward the holiday weekend. Based on recent security trends, the Labor Day holiday could be prime time for more than just barbecues and closing the pool for the summer.
“Ransomware continues to be a national security threat and a critical challenge, but it is not insurmountable,” said Eric Goldstein, executive assistant director for cybersecurity at CISA in the advisory. “With our FBI partners, we continue to collaborate daily to ensure we provide timely, useful and actionable advisories that help industry and government partners of all sizes adopt defensible network strategies and strengthen their resilience.”
SEE: Security incident response policy (TechRepublic Premium)
Timing is everything: Holidays and cybercrime trends
The federal advisory makes note of “recent holiday targeting,” stating that “cyber actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends.” Neither FBI nor CISA has information about a cyberattack “coinciding with upcoming holidays and weekends,” per the advisory, but the document says cybercriminals may see holidays and weekends as “as attractive timeframes” to “target potential victims.”
“In some cases, this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time,” the advisory said.
The advisory goes on to list a number of recent cyberattacks coinciding with U.S. holidays. This includes a pair of attacks in May: One that occurred ahead of the Mother’s Day weekend involving DarkSide ransomware and another during the Memorial Day weekend involving Sodinokibi/REvil ransomware attack directed at a “critical infrastructure entity” at the FDA. On the Fourth of July weekend, a Sodinokibi/REvil ransomware targeted a “U.S.-based critical infrastructure entity in the IT Sector,” per the advisory.
In 2020, the number of total complaints reported to the FBI’s Internet Crime Complaint Center (IC3) increased 69% compared to 2019, according to the advisory; between January and July 31 of this year, the number of ransomware complaints increased 62% compared to this time period last year. In the last month, Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin, Crysis/Dharma/Phobos are listed as the most common ransomware variants reported, according to the advisory.
“Cyber criminals have increasingly targeted large, lucrative organizations and providers of critical services with the expectation of higher value ransoms and increased likelihood of payments,” the advisory said. “Cyber criminals have also increasingly coupled initial encryption of data with a secondary form of extortion, in which they threaten to publicly name affected victims and release sensitive or proprietary data exfiltrated before encryption, to further encourage payment of ransom.”
SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)
Cybersecurity best practices
The advisory includes an extensive list of best practices to mitigate the risk of a cyberattack this weekend. This includes proactively threat hunting across the organizations’ networks, reviewing data logs, employing “intrusion prevention systems and automated security alerting systems,” deploying honeytokens and more.
“It’s not surprising to see this warning. One of the biggest trends we’ve seen this year is the significant uptick in ransomware attacks,” said Jake Olcott, vice president, BitSight.
Citing company analysis, Olcott said, “organizations with poor patching performance are nearly seven times more likely” to suffer a successful ransomware incident, adding that a focus on patch management could “measurably reduce risk and deserves prioritization and appropriate budget spend.”
Other executives we spoke with reiterated a similar lack of surprise with the advisory; some provided security tips for companies to bear in mind leading up to the extended holiday weekend.
“Cybercriminals have a long history of launching cyberattacks over long weekends, holidays and events like the Super Bowl. They are well aware of skeleton crews that are tasked to defend during these periods and how response times will be extended,” said Tom Kellermann, head of cybersecurity strategy, VMware.
Kellermann listed a few ways CISOs could protect their systems during the holiday weekend. This includes elevating “control to high enforcement,” segmenting backups from the larger company network, and activating “daily threat hunting on all critical systems and backups to help detect behavioral anomalies.” Additionally, he said, “enacting just in time administration on all devices will be paramount.”
“Cyberattacks today don’t have a beginning or end. If an organization is hit by a ransomware attack, they should assume the attacker has deployed a root kit inside their infrastructure, which makes Monday evening threat hunts an imperative,” Kellermann said.
The FBI and CISA, were “wise to issue this advisory,” said Tom Bossert, president, Trinity Cyber, noting the holiday timing of “serious” ransomware attacks on U.S. organizations. As for the “best practical advice” heading into the weekend, he suggested ensuring in-house employees and vendors support key functions and that employee vacation time is staggered.
Many companies use employee outreach programs to teach workforces the latest best practices; especially as these strategies relate to phishing and spearphishing campaigns in-house. Days away from the holiday weekend, it may be too late for companies to make any large overhauls to their defense strategy.
“Year-round vigilance saves us the hassle of scrambling to schedule specific security training modules for our employees. We need only to remind them to stay vigilant,” said Cobalt Chief Strategy Officer Caroline Wong.
Additionally, she said companies that have the cybersecurity basics down and proactively implementing these strategies each day are going to be better positioned “when the holidays come around.”