The Cybersecurity and Infrastructure Security Agency (CISA) and FBI Cyber Division have released a joint Cybersecurity Advisory (CSA) warning organisations that Russian state-sponsored cyber actors have gained network access through the exploitation of default multi-factor authentication (MFA) protocols and a known vulnerability.
As early as May 2021, Russian state-sponsored cyber actors gained access to a non-governmental organisation by exploiting default MFA protocols to control its network. Organisations that implement MFA have been told to review their default configurations and modify them as necessary in order to reduce the likelihood that attacks can circumvent this control in the future.
With this in mind, Julia O’Toole, Founder and CEO of MyCena Security Solutions, has said that solely relying on multi-factor authentication to protect network access from this new wave of cyber actors and ransomware gangs is not enough.
“It is important for companies to understand that they must play a more active role in their own cyber-defence. With this MFA vulnerability, it proves even the most secure-seeming security methods will not stop attackers, especially those sponsored by the Russian state.”
“Within the Russia-Ukraine conflict, we’ve seen ransomware gangs like Conti pledging support for Russia. Their attacks are classified as acts of war, which has seen changes in insurance exemptions to reflect an increase in damages caused to enterprises related to state-sponsored cyber-attacks.”
“About 75% of ransom payments come from insurance, but with more developments from ransomware groups in recent years, it is becoming too expensive to insure damages for every cyber-attack. After insurance companies put out war exclusions, more gangs are announcing that they are acting independently of the Russian Federation or Ukraine, in the hope insurance companies will keep funding the ransoms.”
“Rather than spending hundreds of thousands on insurance, companies are better off investing in improving cyber-defences themselves to prevent attacks in the first place.”
“Additionally, we have even seen independent ransomware gangs getting more brazen in their attempts to breach. New arrivals on the scene like Lapsus$ have actively used social media to advertise their access to victims via phishing attacks, broadcasting their victims’ identities through Telegram for anyone to see.”
“With groups such as Lapsus$ acting not for financial or political motives but instead for clout and infamy, it makes them far more dangerous to businesses. Lapsus$ breaching Nvidia in mid-February and stealing 1 terabyte of data, including the usernames and passwords of more than 71,000 Nvidia employees, makes the idea of unique user control redundant and exposes the limitations of centralised access once the system gets compromised.”
“Most recently, Lapsus$ has even advertised breaching access to Okta – an authentication company used worldwide. Any hack of this kind can have ramifications for all organisations relying on Okta to authenticate access, with Lapsus$ themselves threatening to focus on Okta customers.”
“Simply relying on MFA methods will not prepare organisations for this rising tide of new-age cybercriminals. In fact, Lapsus$ does not want to kill the golden goose and said they were not interested in Okta itself but in its customers. Instead, regaining and re-establishing command and control on the business side, managing access through segmentation and encrypted password distribution is a more effective solution in removing the potential for human fault entirely from the equation.”
“A simple focus in security structure like this makes all the difference in protecting your network from exploited access, and therefore hefty ransom payments.”