The past few months have been quite challenging in terms of ransomware. The United States had a pipeline completely shut down for several days, an attack on an international meat distributor caused beef and chicken prices to skyrocket, and most recently Kaseya, which provides IT management software to Managed Service Providers (MSPs), was hit.
When we think of ransomware, there is a presumption that it occurs because somebody was hoodwinked on their corporate email. The compromised mailbox becomes the entry point: the adversary uses it to obtain credentials or, if the email server sits in the same environment as mission-critical services, hops over to take remote command and control and then encrypts every file of value to the victim.
Unfortunately, even if backups are maintained elsewhere, some system administrators use the same credentials for the production environment as for the backups. This creates a pivot point that lets the adversary cripple the victim in very little time.
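The shared-credential pivot described above is easy to audit for before an intruder finds it. The following Python script is an added example, not code from the original post or from SoundWay: it takes a constructed service-account inventory (environment, account name, secret), fingerprints each secret, and reports any credential that appears in more than one environment, with a dedicated check that the backup tier shares nothing with production or email. The plaintext secrets are made up purely so the example runs offline; in a real audit you would feed it credential hashes exported from a vault or directory instead.

```python
import hashlib
from collections import defaultdict

# Constructed inventory for illustration only; none of these are real accounts or secrets.
# Each record is (environment, account, secret).
SAMPLE_INVENTORY = [
    ("production", "svc_db", "Winter2021!"),
    ("production", "svc_backup_agent", "Backup#Agent9"),
    ("backup", "svc_backup_agent", "Backup#Agent9"),   # same account and secret on both tiers
    ("backup", "backup_admin", "Winter2021!"),         # different account, same secret as svc_db
    ("email", "mail_admin", "MailAdmin2021"),
    ("backup", "vault_ro", "UniqueVaultSecret!7"),
]


def fingerprint(secret: str) -> str:
    """Hash the secret so the audit report never carries plaintext."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def find_cross_environment_reuse(inventory):
    """Return one finding per secret that is used in two or more environments.

    A finding lists the (environment, account) pairs sharing that secret, so the
    reviewer can see exactly which credential would let an intruder who owns
    one tier walk into another.
    """
    by_fp = defaultdict(set)
    for env, account, secret in inventory:
        by_fp[fingerprint(secret)].add((env, account))

    findings = []
    for fp, users in by_fp.items():
        envs = {env for env, _ in users}
        if len(envs) > 1:
            findings.append({
                "fingerprint": fp[:12],          # truncated hash, enough to correlate
                "environments": sorted(envs),
                "accounts": sorted(users),
            })
    return sorted(findings, key=lambda f: f["fingerprint"])


def backup_isolated(inventory) -> bool:
    """True when no backup-tier credential is shared with any other environment."""
    return not any(
        "backup" in f["environments"] for f in find_cross_environment_reuse(inventory)
    )


if __name__ == "__main__":
    for finding in find_cross_environment_reuse(SAMPLE_INVENTORY):
        print(f"secret {finding['fingerprint']} reused across {finding['environments']}:")
        for env, account in finding["accounts"]:
            print(f"    {env:<11} {account}")
    print("backup tier isolated:", backup_isolated(SAMPLE_INVENTORY))
```

Run against the constructed inventory, the script reports two reused secrets, both bridging production and backup, and `backup_isolated` returns False; an inventory where every backup account has its own credential returns True.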
SAME STORY SAME RESULTS
What is surprising to me is how many people I communicate with who are oblivious to the targeting activities on non-corporate email accounts. When we see something like “LinkedIn has 700 million accounts impacted”, how many people are actually changing their logon credentials? Not as many as there should be.
A note for companies that are now C3PAO candidates: a former Department of Defense head (who will remain nameless given current public relations challenges) advised that more direct targeting campaigns will be aimed at those in the CMMC ecosystem.
BEWARE OF SPEAR-PHISHING TACTICS: CASE IN POINT
Since SoundWay Consulting became a C3PAO candidate, the number of hits on our corporate site from China and Russia has increased dramatically. Coincidence? Possibly, but as a former criminal investigator, I do not believe in coincidences where crime is concerned. I am now also experiencing an unusually high number of LinkedIn requests that are clearly bogus. Both of these are old news to those of us in this industry.
What is new to me is the number of unsolicited text messages, now arriving at a rate of almost one a day. Most recently, my family was in Florida while I worked in the D.C. area (not complaining, just for context). I have a niece who always goes, and her name is Courtney. She posts on Facebook regularly. I received a text message advising, “Courtney asked me to share these pictures with you of us in Florida. Click this link ……….”
The short answer is “no”, I did not click it. However, this is the first time I have seen such a specific and detail-oriented campaign that was clearly using near real-time data to try and get to me.
REPORTING A CYBER INCIDENT
While many firms have incident response procedures (and if you are in the CMMC ecosystem you had better shore that up quickly if you do not), do your policies and procedures extend beyond the corporate environment? Do your employees understand that they may be targeted on their personal accounts as an attempt to pivot into the corporate environment?
Every company should at least consider revising its incident response plans to account for these attack vectors.
To learn more about how to revise your incident response plans and policies, contact SoundWay for a free consultation at CMMC@soundwayconsulting.com or call us at (571) 210-0624.