CISA Urges Critical Infrastructure Organizations to Read Microsoft Blog
On Jan. 18, the American Hospital Association (AHA) posted a news release saying that the Cybersecurity & Infrastructure Security Agency (CISA) recently advised U.S. critical infrastructure organizations to review a Microsoft blog on malware identified in Ukraine and take action to strengthen their networks against potential cyber threats.
The release states that “The Microsoft Threat Intelligence Center (MSTIC) Saturday reported evidence of destructive malware in systems belonging to several Ukrainian government agencies and organizations that work closely with the Ukrainian government. The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable.”
The blog from Microsoft explains that on Jan. 13, it identified intrusion activity originating from Ukraine that appeared to be possible Master Boot Record (MBR) wiper activity. During the investigation, Microsoft found a unique malware capability being used in intrusions against several victim organizations in Ukraine.
The blog describes Stage 1 as overwriting the MBR to display a fake ransom note, and Stage 2 as file-corrupter malware.
The blog states that “The techniques used by the actor and described in this post can be mitigated by adopting the security considerations provided below:
- Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
- Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.
- Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. NOTE: Microsoft strongly encourages all customers to download and use password-less solutions like Microsoft Authenticator to secure accounts.
- Enable Controlled folder Access (CFA) in Microsoft Defender for Endpoint to prevent MBR/VBR modification.”
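Two of the four considerations above translate directly into something an administrator can run: enabling Controlled folder access in block mode, and sweeping file systems for the published indicators of compromise. The script below is an added example written for this article, not code from the Microsoft blog or the AHA release. It uses the real Microsoft Defender Antivirus cmdlets Set-MpPreference and Get-MpPreference and the built-in Get-FileHash; the function names Enable-CfaBlockMode and Find-IocHashes are chosen here, and the SHA-256 values in $iocSha256 are placeholders that must be replaced with the hashes published in the Microsoft blog.

```powershell
# Added example (not from the Microsoft blog or the AHA release): enable
# Controlled folder access and check directories against a list of known-bad
# file hashes. Run in an elevated PowerShell session on a Windows host with
# Microsoft Defender. The hash values below are PLACEHOLDERS; replace them
# with the indicators of compromise published in the Microsoft blog.

#Requires -RunAsAdministrator

# --- Mitigation: Controlled folder access -------------------------------------
# Controlled folder access stops untrusted processes from writing to protected
# folders and to the boot sectors (MBR/VBR). EnableControlledFolderAccess
# values: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
function Enable-CfaBlockMode {
    $before = (Get-MpPreference).EnableControlledFolderAccess
    if ($before -ne 1) {
        Set-MpPreference -EnableControlledFolderAccess Enabled
    }
    $after = (Get-MpPreference).EnableControlledFolderAccess
    # Return the state change so it can be logged by whatever called this.
    [pscustomobject]@{ Before = $before; After = $after }
}

# --- Investigation: sweep directories for IoC hashes ---------------------------
function Find-IocHashes {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [Parameter(Mandatory)] [string[]] $KnownBadSha256
    )
    # Get-FileHash returns upper-case hex; normalise the IoC list to match.
    $bad = $KnownBadSha256 | ForEach-Object { $_.ToUpperInvariant() }

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h -and ($h.Hash -in $bad)) {
                # Emit one record per match; callers decide how to escalate.
                [pscustomobject]@{
                    Path     = $_.FullName
                    Sha256   = $h.Hash
                    Size     = $_.Length
                    Modified = $_.LastWriteTimeUtc
                }
            }
        }
}

# Placeholder IoC list (constructed): replace with the SHA-256 values from the
# Microsoft blog before running.
$iocSha256 = @(
    'REPLACE_WITH_IOC_SHA256_FROM_MICROSOFT_BLOG_1',
    'REPLACE_WITH_IOC_SHA256_FROM_MICROSOFT_BLOG_2'
)

Enable-CfaBlockMode | Format-Table -AutoSize

$scanPaths = @("$env:SystemDrive\Users", "$env:SystemDrive\ProgramData")
$hits = Find-IocHashes -Path $scanPaths -KnownBadSha256 $iocSha256
if ($hits) {
    $hits | Format-Table -AutoSize
    # A match means the host should be isolated and preserved for forensics
    # before any cleanup, per the "assess for potential intrusion" guidance.
} else {
    Write-Host "No files matching the IoC hash list were found in: $($scanPaths -join ', ')"
}
```

Hashing every file under the user and ProgramData trees can take a while on a busy server; in practice the sweep is scheduled or pushed through endpoint management rather than run interactively, and the hash list is refreshed as the vendor updates its indicators. The CFA change takes effect immediately and persists across reboots.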
John Riggi, AHA’s national advisor for cybersecurity and risk, was quoted in the news release from AHA saying that, “As we have seen in the past, destructive malware targeting the Ukraine can spread rapidly across the globe. It is again strongly recommended to assess any direct, 3rd party business associate connections and email contacts in the Ukraine and that region of the world. Consider blocking such connections. Although geo-fencing for all inbound and outbound traffic related to Ukraine and that region may help mitigate direct cyber risk presented by this threat, it will have limited impact in reducing indirect risk, in which the malware transits through other nations, proxies and third parties. Thus, increased monitoring of networks and incident-response preparedness is also strongly recommended.”