In many ways the global marketplace has once again become akin to the Wild West. And the bad guys seem to have the advantage.
Manufacturing is under attack. Health providers are under attack. Now, global supply chains are under attack. Specifically, the French maritime transport and logistics giant CMA CGM recently disclosed a malware attack affecting servers on the edge of its network. The attack forced CMA CGM’s IT teams to cut Internet access to some applications to block the malware from spreading to other network devices.
According to Andrea Carcano, co-founder of IT/OT security provider Nozomi Networks, transportation organizations are rapidly evolving to improve their service levels and efficiency. At the same time, safety has never been more important, as risks from cyber threats increase. “Indeed, the World Economic Forum cites cyberattacks on critical infrastructure, including transportation, as the world’s fifth highest risk in 2020. The maritime industry in particular transports 90% of the world’s trade, and like other industries, is becoming increasingly connected, automated and remotely monitored,” says Carcano. “The level of system visibility and cybersecurity maturity in this sector is relatively low. Many ships contain devices and systems that their operators aren’t even aware of. Crews are not typically trained to identify phishing emails or manage network access control. While dramatic situations like a vessel being capsized via hacking are not out of the realm of possibility, they are still unlikely. Crew constantly observe ship behavior and have the ability to employ manual or safety systems to correct performance that is out of normal range. Driven by the need to reduce risk, comply with international shipping standards, and meet insurer requirements, shipping companies are investing in cyber resiliency.”
An important capability lies in identifying maritime assets and their communications, explains Carcano. “Networks should be monitored for vulnerabilities, threats, and unusual behavior that could indicate a cyberattack. Just as water always flows downhill, cybercriminals will always attack at the weakest part of a system,” he says. “The best defense has multiple reinforcing layers. The people using the system are oftentimes the weakest element, opting to click a link in an email that says URGENT or voluntarily giving up their credentials when somebody named IT Support asks nicely. Make people aware of the threat of phishing attacks by training them to recognize suspicious messages. Implement two-factor authentication whenever possible to minimize the risk of stolen credentials. Finally, be sure to have a robust response plan in place to contain and sanitize incidents as soon as possible should they happen.”
Armis CISO Curtis Simpson tells IndustryWeek, “What makes Ragnar Locker ransomware stand out is that it is purpose-built to first find and exfiltrate data accessible by the attackers, followed by encrypting and demanding a ransom for the stolen and encrypted data.”
“Victims are notified that failure to pay ransoms will result in data being leaked online and, to show that the threat is real, a subset of stolen information is typically posted online as proof. A recent example of such an attack is the CWT ransomware event from earlier this year, which also involved the Ragnar Locker ransomware. Due to the widespread impact and potential for stolen information being leaked if ransoms were not paid, CWT paid $4.5 million in ransom to recover their data and prevent the leak,” says Simpson. “Exfiltrating data and/or compromising devices such as those in our OT/ICS networks as part of a ransomware attack are modern techniques used by attackers to increase the likelihood of their ransom being paid, at least in part.”
Simpson provided the following advice on preventing ransomware attacks that exploit Windows-based devices: “As I consider the worst-case scenario based on the specifics of this situation, the following comes to mind: a PC is compromised by a bad actor through a phishing attack. By exploiting the recently disclosed Zerologon vulnerability, the bad actor compromises an enterprise’s entire Windows domain. Once the domain is owned by the bad actor, the pervasive access is used to distribute the Ragnar Locker ransomware to every system on the domain,” he says.
Simpson further recommends the following best practices:
- Deploy a modern cybersecurity asset management solution to ensure that you have true visibility into your Windows ecosystem and the state of protection measures.
- Protect Windows laptops and PCs using a leading next-gen AV capability that can detect and prevent attacks in real time.
- Develop the capability to rapidly test and deploy security patches to user PCs (days vs. weeks).
- Similarly, processes and technical capabilities should be established and/or tested to ensure that high-risk Windows infrastructure can be safely tested and updated shortly after critical Windows server patches are released.
- Monitor critical assets and their connected devices and systems for anomalous or malicious activity. This includes IoT devices, since many of them run on older versions of Windows and are just as susceptible to ransomware attacks but cannot be protected with endpoint management or receive security patches. The goal is to alert on early indicators of a potential attack, regardless of the types of devices already being targeted or affected.
- Establish and test your cross-team technical and procedural ability to contain and respond to an attack.
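One way to act on the advice to alert on early indicators, written here as an added example that is not from the article or from Armis: a small Python scanner over constructed Windows event log lines that flags the Netlogon event IDs 5827 to 5831, which Microsoft's domain controller update logs for vulnerable Netlogon secure channel connections, and a change to a domain controller's own computer account (event 4742), both of which are relevant to the Zerologon scenario Simpson describes. The line format, host names and the `find_indicators` helper are assumptions made for the example.

```python
import re

# Constructed sample log lines for the example (not from the article):
# "<log> <event id> <Key=Value ...>", one event per line.
SAMPLE_LOGS = """\
Security 4624 Computer=DC01 Account=alice LogonType=3
System 5829 Computer=DC01 Machine=WORKSTATION7$ Note=vulnerable Netlogon channel allowed
System 5827 Computer=DC01 Machine=WORKSTATION7$ Note=vulnerable Netlogon channel denied
Security 4742 Computer=DC01 Account=DC01$ Note=computer account changed
Security 4742 Computer=DC01 Account=LAPTOP12$ Note=computer account changed
"""

# Netlogon events added by Microsoft's August 2020 domain controller update.
# "Allowed" events mean a vulnerable connection actually went through, so they
# rank higher than "denied" events, which show the hardening is doing its job.
NETLOGON_EVENTS = {
    "5827": ("medium", "denied vulnerable Netlogon connection (machine account)"),
    "5828": ("medium", "denied vulnerable Netlogon connection (trust account)"),
    "5829": ("high", "allowed vulnerable Netlogon connection (deployment phase)"),
    "5830": ("high", "allowed vulnerable Netlogon connection (machine account, by policy)"),
    "5831": ("high", "allowed vulnerable Netlogon connection (trust account, by policy)"),
}

LINE_RE = re.compile(r"^(?P<log>\S+)\s+(?P<event_id>\d+)\s+(?P<rest>.*)$")


def parse_line(line):
    """Parse one constructed log line into (event_id, {field: value}) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return m.group("event_id"), fields


def find_indicators(log_text, domain_controllers):
    """Return (severity, event_id, detail) tuples for early Zerologon-style indicators.

    domain_controllers: set of DC host names (without the trailing '$')."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        event_id, fields = parsed
        if event_id in NETLOGON_EVENTS:
            severity, text = NETLOGON_EVENTS[event_id]
            alerts.append((severity, event_id, f"{fields.get('Machine', '?')}: {text}"))
        # A DC's own computer account being changed is unexpected in normal operation.
        elif event_id == "4742" and fields.get("Account", "").rstrip("$") in domain_controllers:
            alerts.append(("high", event_id, f"computer account of DC {fields['Account']} changed"))
    return alerts
```

Run against the sample, it yields three alerts: the allowed and the denied Netlogon connection from WORKSTATION7$, and the change to the DC01$ account; the ordinary workstation account change is not flagged.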