[SANS ISC] A Review of Year 2021, (Sat, Dec 4th)

We are well on our way to closing 2021 and, looking back at this year, it is easy to see that 2021 has been dominated by phishing and ransomware. With zero-day exploits in their possession, threat actors have been looking for new ways to target the supply chain, source code, firmware and industrial control systems (ICS).

For nearly two years now, COVID has accelerated the move to the cloud, which opens the door to attacks, widens the attack surface and brings new challenges for protecting data. In the first few months of this year, there were several Microsoft Exchange zero-day vulnerabilities affecting several thousand organizations, which was soon followed by SolarWinds, which led to compromises on-premises and in the cloud.

Ransomware targeted and affected a wide range of organizations, stealing their data, encrypting it and then threatening to leak it unless a ransom was paid. The actor(s) then look for embarrassing or sensitive material that could be used to threaten a leak or be sold to others. In some cases, they might research whether a potential victim's insurance covers ransom payments. Some of the most publicized ransomware attacks were on the US Colonial Pipeline[1], Newfoundland health services in Canada[2] and the supply chain attack against Kaseya[3], to name a few.

What could be done to help defend against phishing? Phishing and the compromise of exposed Remote Desktop Protocol (RDP) services have been a main vector for ransomware (see the RDP activity diary[4]), so protect and monitor TCP/3389 for suspicious activity. Something else that can help is to set up a DMARC record in your DNS to protect against domain spoofing[5]. Patch and audit software to ensure the latest patches have been applied, or that risks which cannot be remediated are known, accepted and monitored for suspicious activity. Finally, make sure good backups have been checked, tested and verified so that they can be used to restore data.
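The DMARC advice above is easy to get wrong: a record that exists but says `p=none` only reports spoofing and never blocks it. The following is an added example, not code from the diary, that parses a DMARC TXT record (the `tag=value; tag=value` format published at `_dmarc.<domain>`) and lists the reasons it falls short of a blocking policy; the two sample records are constructed.

```python
"""Parse a DMARC TXT record and explain why it would not block domain spoofing.
Added example; the sample records below are constructed, not real lookups."""

# Constructed samples: a report-only record and a hardened one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; "
    "rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com"
)

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict of lowercase tags.
    Raises ValueError when the mandatory v=DMARC1 or p= tags are missing."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("record needs p=none, p=quarantine or p=reject")
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings describing why the record is weaker than p=reject
    applied to 100% of mail for the domain and its subdomains."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is delivered to spam, not rejected")
    # sp= defaults to the value of p= when absent.
    if tags.get("sp", policy).lower() != "reject":
        findings.append("subdomain policy (sp) is weaker than reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    return findings
```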

What other tricks could help fight phishing and ransomware? Share them via our comment section.

[1] https://www.cnn.com/2021/08/16/tech/colonial-pipeline-ransomware/index.html
[2] https://www.cbc.ca/news/canada/newfoundland-labrador/nl-cyber-attack-worst-canada-1.6236210
[3] https://www.zdnet.com/article/kaseya-ransomware-attack-1500-companies-affected-company-confirms/
[4] https://isc.sans.edu/forums/diary/Remote+Desktop+Protocol+RDP+Discovery/27984
[5] https://mxtoolbox.com/dmarc/details/how-to-setup-dmarc

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
