The operators of the DopplePaymer ransomware have congratulated SpaceX and NASA for their first human-operated rocket launch and then immediately announced that they infected the network of one of NASA’s IT contractors. In a blog post published today, the DopplePaymer ransomware gang said it successfully breached the network of Digital Management Inc. (DMI), a Maryland-based company that provides managed IT and cyber-security services on demand. According to the company’s press releases, DMI’s customer list includes several Fortune 100 companies and many government agencies, among them NASA. It is unclear how deep inside DMI’s network the DopplePaymer gang made it during their breach, and how many customer networks they managed to breach.
This breach highlights the role of the supply chain in high-profile cyber breaches. In 2018, just over half of organisational breaches were caused by third-party vendors. These smaller businesses, often without adequate security controls of their own, serve as open doors to the sensitive data of their customers. As supply chains become increasingly integrated and complex, it’s important that businesses require their contractors to meet security standards. For example, over 80% of cyber breaches can be prevented by following the security controls covered in the UK’s Cyber Essentials standards.
In data breaches of this type, the first impulse of any company would be to pay the ransom. However, there is no guarantee that paying a ransom will result in the recovery of data or, in cases like this one, that the stolen data won’t be sold or passed to other hackers for use at a later time.
Companies must learn to harden their defences, even going so far as to limit direct access to internal data from the web. While restricting employees’ internet access to data could be inconvenient, there are more secure ways to reach that data over the net, including the use of a properly secured corporate VPN.
The theft and ransom of NASA data from a third-party contractor could be dangerous in the wrong hands. This is data that’s valuable not just to financially motivated criminals, but also to nation-state actors who want to spy on NASA and its employees. Employee records, for example, could be used to vet and recruit individuals working for NASA to spy and steal on behalf of foreign governments.
There is currently a high level of uncertainty regarding what data has been breached, but based on what has been published to support DopplePaymer’s claims, it would seem that many governmental organisations and Fortune 100 companies could be affected.
I am sure that DMI is doing all they can to check the verity of these claims and, in the case that they are found to be true, find the cause of the breach. I would recommend that all organisations, whether customers or partners of DMI, do the same. Check your systems and networks for any irregularities and watch out for possible attacks in the form of phishing emails. Be wary of emails or messages that have attachments or links, and avoid opening them if possible. With access to personal user information as well as that of companies, phishing attacks can appear much more credible than generic ones. Specifically, look out for social engineering attacks, or calls and emails from ‘contractors’. The rule to follow is ‘Check before you Act’.
Remote Desktop Services (RDS) provide IT departments with an effective and efficient method by which they are able to configure, maintain and manage remote corporate IT assets, so much so that RDS is often seen as a core element of the IT management strategy.
The RDS solutions in use today have been developed over many years and with the experience gained from an embarrassing number of security issues and breaches. For the most part, vendors have been quick to act and RDS, if configured correctly, can be considered low risk. However, nothing is perfect and we should expect to see new vulnerabilities exposed with RDS that criminal elements will attempt to exploit in an effort to gain access to such assets.
There are a number of key practices that organisations can implement to help reduce their exposure to RDS exploits:
a. Configuration of RDS should follow best practice, be well documented, and be closely monitored for unauthorised change.
b. Software updates and patches should be tested and implemented in a timely fashion.
c. RDS should only be enabled on those devices that require remote management; on all other devices it should be disabled.
d. Network Level Authentication should be enabled.
e. Connections should only be allowed from specific sources.
f. Configuration management and monitoring should be used to prevent unauthorised changes to “a” through “e”.
g. Employ a robust backup strategy.
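Items c, d and e above can be audited on a Windows host with the PowerShell below, an added example that is not part of the article. It assumes it runs elevated on Windows 10 / Server 2016 or later, and that the operator sets $RequiresRemoteManagement from their own asset inventory; the registry values and firewall cmdlets used are the standard Windows ones.

```powershell
# Added audit script (not from the article). Checks a host against items c, d and e of the
# RDS practices above: RDP enabled only where needed, Network Level Authentication required,
# and inbound RDP firewall rules scoped to specific source addresses.
# Assumption: run elevated on Windows 10 / Server 2016+ with the NetSecurity module present.
param(
    # Assumption: the operator sets this to $true only for hosts that must be managed remotely.
    [bool]$RequiresRemoteManagement = $false
)

$findings = @()

# Item c: fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)
if ($rdpEnabled -and -not $RequiresRemoteManagement) {
    $findings += 'c: RDP is enabled on a host not flagged as requiring remote management'
}

if ($rdpEnabled) {
    # Item d: UserAuthentication = 1 requires Network Level Authentication before a session is created.
    $rdpTcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($rdpTcp.UserAuthentication -ne 1) {
        $findings += 'd: Network Level Authentication is not required (UserAuthentication != 1)'
    }

    # Item e: every enabled inbound rule in the Remote Desktop group should carry a RemoteAddress
    # other than 'Any'; 'Any' means RDP connections are accepted from every source.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($addr -contains 'Any') {
            $findings += "e: firewall rule '$($rule.DisplayName)' accepts RDP from any source address"
        }
    }
}

# Emit a record that a configuration-monitoring job (item f) can diff against a baseline.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    RdpEnabled   = $rdpEnabled
    Findings     = $findings
    Compliant    = ($findings.Count -eq 0)
} | ConvertTo-Json -Depth 3
```

Run it across the estate from a management host and alert on any record where Compliant is false, which turns items c to e into something monitoring can enforce rather than a one-off checklist.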