BACKGROUND:

Sinclair TV just confirmed a widespread data breach of their networks that took down many of their TV channels on Sunday and still continues as of 12pm EST. At first calling it a “technical issue”, stations across their networks resorted to posting news on Facebook, telling viewers they had lost access to their normal news services. Security experts have commented below.

9 Expert Comments
Sam Curry, Chief Security Officer
InfoSec Expert
October 19, 2021 1:06 pm

The reports of a ransomware attack on Sinclair broadcasting are a reminder of the resilience and diligence needed by all companies to turn the tables on ransomware attackers. While it is far too early to know the severity of the damage caused by this attack, I guarantee that if broadcasting networks are taken offline, the U.S. government would likely respond against the attackers if their identities are learned. After all, we witnessed a swift and decisive response earlier this year after the Colonial Pipeline and JBS Foods ransomware attacks caused disruptions to gasoline deliveries on the East Coast and nationwide food disruptions.

Also, if we have learned anything from the deluge of ransomware attacks in 2021, the public and private sector need to invest now to ratchet up prevention and detection and improve resilience. We can meet fire with fire. Sure, the threat actors might get in, but so what. We can make that mean nothing. We can slow them down. We can limit what they see. We can ensure fast detection and ejection. We can—in short—make material breaches a thing of the past. So, what if they get a toehold on the ramparts. We can keep them out of the castle by planning and being smart ahead of time and setting up the right defences.

Cybereason recommends not paying ransoms as it doesn’t pay-to-pay unless a matter of life and death or national emergency. In fact, Cybereason’s ransomware study of more than 1,200 global organizations shows that 80 percent of companies that paid a ransom were hit a second time, often by the same attackers. And in instances where the attackers handed over decryption keys to the victims after a ransom was paid, nearly 50 percent of the time the company’s data was corrupted, slowing down the recovery phase even further.

Last edited 1 year ago by Sam Curry
Jonathan Knudsen, Senior Security Strategist
InfoSec Expert
October 19, 2021 1:05 pm

As details about the Sinclair Broadcast Group ransomware attack continue to emerge, questions will be asked. Will the ransom be paid? Can organisations recover their data? What kind of damage will this cause? The only question that matters is: how can a problem like this be prevented? The reason ransomware is so successful is that so few organisations are properly prepared. Organisations often focus solely on functionality when selecting, deploying, and operating software. They work hard to make software do what they want it to do, but security and robustness are often neglected or ignored. To prevent accidental or malicious disruptions, organisations must adopt a proactive, security-first approach to software. Where is your data? How is it protected? If something bad happens, like a ransomware attack or a tsunami, how will you recover? Software is a powerful tool for organisations of all kinds, but it must be selected, deployed, operated, and maintained inside a framework of security and resilience.

Last edited 1 year ago by Jonathan Knudsen
Tim Erlin, VP of Product Management and Strategy
InfoSec Expert
October 19, 2021 1:04 pm

No one wants to be the victim of a ransomware attack. Being prepared involves more than having backups.

A ransomware incident tests multiple facets of a cybersecurity program. Investigation into how the ransomware infiltrated and moved within the organization identifies preventive controls that were insufficient. The operational impact highlights how data and assets are critical to the business. The response fully tests the incident response and communications process. Learning from other organizations can help reduce the probability and impact of a ransomware incident in your business.

Last edited 1 year ago by Tim Erlin
Tony Cole, CTO
InfoSec Expert
October 19, 2021 1:03 pm

Ransomware is a fast and lucrative method of attack. It’s not that difficult for cybercriminals to masquerade as a legitimate user using the credentials they stole from the initial incursion. With that user’s credentials, they conduct queries to find targets in the enterprise Active Directory system, steal more credentials with elevated privileges, and rinse and repeat until they have gained access to their target. Then, in the case of Sinclair Broadcast Group, they can steal corporate data, encrypt systems, gain control over security settings, and begin the hostage process for a ransom.

To counter these challenges, organizations must understand that they can’t prevent all attacks. They must put in place systems that detect in-network lateral movement and credential misuse, look for privilege escalation, and protect identity management systems such as Active Directory. Without this visibility, we will continue to read about these large successful ransomware attacks for the foreseeable future.

Last edited 1 year ago by Tony Cole
Garret F. Grajek
InfoSec Expert
October 19, 2021 1:00 pm

Penetration of all our key systems, water, energy, transportation and media is a grave concern for western countries. The fact that a major media outlet like Sinclair was affected shows how vulnerable even those with security resources are to cyber-attacks. Sinclair revealed that they conducted an enterprise-wide password reset – which implies they may feel it was a compromised credential that begat the attack.

Enterprises need to go beyond just password resets and even 2FA and start understanding the scope and capabilities of all the identities in their enterprises. This means practicing the principle of least privilege to ensure that all accounts, especially when they are compromised, do not have access to resources they do not need access to but could inflict damage if the account falls under the control of a malicious party. User accounts are easily stolen and guessed by the hackers, who then conduct lateral movement across the enterprise and privilege escalation to obtain access to valued resources. Enterprises must be aware of the rights granted and triggered when privileges are modified.

Last edited 1 year ago by Garret F. Grajek
Information Security Buzz