BACKGROUND:
News broke last night that engineering company, The Weir Group, was hit by a “sophisticated attempted ransomware attack” in mid-September. Whilst no sensitive data has been released, IT systems were shut down which is expected to have a considerable impact on operations and revenue into Q4.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
<p dir=\"ltr\">No company should consider itself safe from a potential ransomware attack. Cyber-attacks that are designed to disrupt critical services and business productivity represent a major shift from wide-scale APT attacks that have traditionally been focused on data theft and cyber-espionage. Organisations need to take immediate action to assess their risk level and harden their systems from potential attacks. </p>
<p dir=\"ltr\">Unfortunately, we see far too often that there are methods and tools being employed that don’t meet the security and control needs of an organisation. Security is more than a checklist. The best solutions fit in a broader sense of governance but still make it easy to share files with anyone, without compromising security and control. Combating attacks on critical infrastructure must be a C-level priority for all organisations in the public and private sectors.</p>
<p dir=\"ltr\">Ransomware is incredibly dangerous as it not only encrypts sensitive data, rendering it inaccessible, but it can also disrupt critical applications and systems, causing major outages and stoppages in operations. We can expect cybercriminals to continue to exploit common vulnerabilities in these types of opportunistic ransomware campaigns – and we strongly encourage companies to patch vulnerabilities as quickly as they can while ensuring all systems and programs are up to date.</p>
<p dir=\"ltr\">Key lessons for organisations moving forward include visibility across all endpoints, both existing and newly installed, to ensure a cyberattack can be prevented — or at least detected — as soon as possible. If a remote desktop server is required to be internet-facing, additional measures should be taken to harden the device such as enforcing complex passwords, enabling two-factor authentication, and changing the default listening port 3389.</p>
<p dir=\"ltr\">In this ransomware attack, the engineering company were forced to isolate and shut down their IT systems. Though there is no evidence that any personal or other sensitive data has been exfiltrated or encrypted, ransomware recovery and system restoration can be a difficult, laborious process in itself.</p>
<p dir=\"ltr\">To prevent future ransomware attacks and safeguard highly sensitive information, organisations must have full visibility and control over their data.</p>
<p dir=\"ltr\">In order to mitigate the impact and disruption of a ransomware attack, companies should consider investing in and implementing a Zero Trust framework, which ensures that only authorised users can access their network. Additionally, a secure access service edge (SASE) can give full visibility and control across the entire IT ecosystem, while providing advanced threat protection. With a vigorous cybersecurity posture, organisations can drastically decrease the chance of compromised IT and security systems. What\’s more, companies need to ensure adequate employee security training to identify phishing attempts and illegitimate emails as phishing is the primary vector for ransomware attacks.</p>
<p dir=\"ltr\">As we will continue to see cybercriminals refining their attack methods in 2022, companies must be prepared.</p>
<p dir=\"ltr\">The Weir Group responded quickly to the attack in its systems, and this robust action was crucial once the threat was identified. This reactive approach to cybersecurity is good, but it will always be better if a proactive approach is taken to prevent the penetration of systems in the first place – once hackers have access to systems, there is little else that can be done. </p>
<p dir=\"ltr\">While it is unclear at this stage how the attack was attempted, one step that critical infrastructure organisations such as this should take is to adopt robust processes for onboarding and offboarding employees and affiliates that may receive access to key information systems. It\’s vital to control privileged access and to monitor those that enjoy that administrator privilege. Ensuring that multi-factor authentication is enforced wherever possible, is a vital defence where user credentials find their way into the hands of adversaries. This will help to limit the blast radius, and in most cases, defeat the data breach.</p>
<p dir=\"ltr\">Even if all procedures and policies are well-executed, then there\’s no escaping the fact that adversaries are constantly looking to probe vulnerabilities and to insert malware into the environment to enable surveillance, often using everyday business documents which we all use. It\’s vital that businesses like this, and all organisations, invest in cyber protection services that stay ahead of attackers by eliminating the threats while still allowing employees to do their vital work and the business to function.</p>
<p dir=\"ltr\">Attacks like these demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers it is crucial to strengthen all processes relating to access verification. Without a zero trust approach organisations run the risk of attackers having a free reign across a network once they are inside.</p>