CISA Urges Critical Infrastructure Organizations to Read Microsoft Blog

Jan. 20, 2022
On Jan. 18, the AHA posted a news release about the recent CISA advisory to read a Microsoft blog on malware identified in Ukraine; organizations should take action to strengthen their networks against cyber threats.

On Jan. 18, the American Hospital Association (AHA) posted a news release saying that the Cybersecurity & Infrastructure Security Agency (CISA) recently advised U.S. critical infrastructure organizations to review a Microsoft blog on malware identified in Ukraine and take action to strengthen their networks against potential cyber threats.

The release states that “The Microsoft Threat Intelligence Center (MSTIC) Saturday reported evidence of destructive malware in systems belonging to several Ukrainian government agencies and organizations that work closely with the Ukrainian government. The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable.”

The blog from Microsoft explains that on Jan. 13 it identified intrusion activity originating from Ukraine that appeared to be possible Master Boot Record (MBR) wiper activity. During the investigation, Microsoft found a unique malware capability being used in intrusion attacks against several victim organizations in Ukraine.

The blog describes the malware in two stages: Stage 1 overwrites the MBR so that the machine displays a fake ransom note at boot, and Stage 2 is file-corrupter malware. Because the files are corrupted rather than encrypted, the ransom note is a decoy and paying offers no recovery path.

The blog states that “The techniques used by the actor and described in this post can be mitigated by adopting the security considerations provided below:

  • Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
  • Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.
  • Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. NOTE: Microsoft strongly encourages all customers to download and use password-less solutions like Microsoft Authenticator to secure accounts.
  • Enable Controlled folder access (CFA) in Microsoft Defender for Endpoint to prevent MBR/VBR modification.”

John Riggi, AHA’s national advisor for cybersecurity and risk, was quoted in the news release from AHA saying that, “As we have seen in the past, destructive malware targeting the Ukraine can spread rapidly across the globe. It is again strongly recommended to assess any direct, third-party business associate connections and email contacts in the Ukraine and that region of the world. Consider blocking such connections. Although geo-fencing for all inbound and outbound traffic related to Ukraine and that region may help mitigate direct cyber risk presented by this threat, it will have limited impact in reducing indirect risk, in which the malware transits through other nations, proxies and third parties. Thus, increased monitoring of networks and incident-response preparedness is also strongly recommended.”
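The authentication-review bullet in the Microsoft list and John Riggi's suggestion of blocking traffic from the region both come down to a log review a defender can script. Below is an added example, not code from Microsoft, CISA or the AHA, that runs three checks over a remote-access authentication log: successful logons that did not use MFA, successful logons from a hypothetical blocked prefix standing in for a geo-fence, and accounts that succeeded shortly after a burst of failures. The log format, the field names, the sample lines and the blocked range are all constructed for illustration and are not from the original page.

```python
"""Review remote-access authentication activity for single-factor logons,
logons from blocked source networks, and failure bursts that end in success.

Added example, not the original page's or Microsoft's code. The log layout,
sample lines, thresholds and blocked prefix are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data). One line per authentication attempt:
# <timestamp> <service> <user> <source_ip> <result> mfa=<yes|no>
SAMPLE_LOG = """\
2022-01-14T02:11:07Z vpn alice 203.0.113.7 success mfa=yes
2022-01-14T02:12:30Z vpn bob 198.51.100.23 failure mfa=no
2022-01-14T02:12:41Z vpn bob 198.51.100.23 failure mfa=no
2022-01-14T02:12:52Z vpn bob 198.51.100.23 failure mfa=no
2022-01-14T02:13:05Z vpn bob 198.51.100.23 success mfa=no
2022-01-14T03:40:19Z rdp svc-backup 192.0.2.44 success mfa=no
2022-01-14T08:02:55Z vpn carol 203.0.113.9 success mfa=yes
"""

# Hypothetical geo-fence: prefixes the organisation has decided to block for
# remote access. A documentation range stands in here; a real deployment would
# derive the list from its own policy and a geo-IP source.
BLOCKED_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

FAILURE_THRESHOLD = 3                 # failures in the window before a success
FAILURE_WINDOW = timedelta(minutes=10)


@dataclass
class Attempt:
    when: datetime
    service: str
    user: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    success: bool
    mfa: bool


def parse_log(text: str) -> list[Attempt]:
    """Parse the constructed whitespace-separated format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, service, user, src, result, mfa = line.split()
        attempts.append(Attempt(
            when=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            service=service,
            user=user,
            src=ipaddress.ip_address(src),
            success=(result == "success"),
            mfa=(mfa == "mfa=yes"),
        ))
    return attempts


def review(attempts: list[Attempt]) -> list[tuple[str, str, str, str]]:
    """Return (finding, user, source_ip, service) tuples for successful logons
    that warrant an analyst's attention. Failures are only recorded so that a
    later success by the same account can be judged against them."""
    findings = []
    recent_failures: dict[str, list[datetime]] = defaultdict(list)
    for a in sorted(attempts, key=lambda x: x.when):
        if not a.success:
            recent_failures[a.user].append(a.when)
            continue
        if not a.mfa:
            findings.append(("single_factor_success", a.user, str(a.src), a.service))
        if any(a.src in net for net in BLOCKED_PREFIXES):
            findings.append(("blocked_source", a.user, str(a.src), a.service))
        window_start = a.when - FAILURE_WINDOW
        fails = [t for t in recent_failures[a.user] if t >= window_start]
        if len(fails) >= FAILURE_THRESHOLD:
            findings.append(("failures_then_success", a.user, str(a.src), a.service))
        recent_failures[a.user].clear()   # a success resets the account's burst
    return findings


def review_text(text: str) -> list[tuple[str, str, str, str]]:
    return review(parse_log(text))


if __name__ == "__main__":
    for finding in review_text(SAMPLE_LOG):
        print(*finding)
```

On the sample, `alice` and `carol` produce nothing, `bob` is flagged twice (single-factor success, and a success right after three failures), and the `svc-backup` RDP logon is flagged both for lacking MFA and for coming from the blocked prefix. Service accounts that cannot use MFA are exactly the ones this review should surface so they can be restricted to known sources. The last bullet in the Microsoft list is a configuration change rather than a review: on a managed Windows host the corresponding cmdlet is `Set-MpPreference -EnableControlledFolderAccess Enabled` (confirm with `Get-MpPreference`), and it is a mitigation for the Stage 1 boot-sector write, not a detection.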
