- Organizations must tighten up security controls to prevent adversaries from gaining initial access to poorly protected IT systems, according to a joint advisory issued by federal authorities and cybersecurity partners from the Five Eyes countries.
- The National Security Agency, FBI and Cybersecurity and Infrastructure Security Agency said malicious threat actors commonly take advantage of incorrect access privileges, unenforced multi-factor authentication (MFA) or unpatched software during the initial phase of an attack.
- “No need for fancy [zero]-days when these weak controls and misconfigurations allow [adversaries] access,” Rob Joyce, director of cybersecurity at the NSA, said on Twitter earlier this week.
The joint advisory with the U.K., Canada, Australia and New Zealand serves as a reminder for international companies to strengthen their usual cybersecurity practices at a time when nation-state and criminal actors are actively looking for private sector and government targets.
Officials declined to comment on the timing of the advisory, but threat actors sympathetic to Russia and sophisticated state-linked actors have targeted U.S. and NATO allies since the beginning of the Ukraine war. The threat actors target key industrial sectors as well as government agencies and nonprofit groups doing humanitarian work.
Researchers from Mandiant said the advisory is not just related to concerns about industrial control systems; industrial attacks usually begin against corporate IT systems and cross over into operational technology (OT). The 2021 ransomware attack against Colonial Pipeline began as an attack on the company’s IT system, but the company shut down its OT system as a precaution.
Gartner Research VP Peter Firstbrook estimates that about 40% of breaches are caused by “well known misconfiguration of common control,” he said in an email to Cybersecurity Dive.
“Both advanced persistent threats (APTs) and common off-the-shelf malware exploit these configuration mistakes to compromise their victims,” Firstbrook said.
Malicious actors are exploiting weak security practices and protocols to get into IT systems, according to the advisory. In many cases, companies are leaving their computer systems exposed to the internet. Others fail to enforce MFA, leave vendor-supplied default settings in place or continue to run outdated software.
Many companies are still operating with large percentages of remote workers, and threat actors are taking advantage of poorly secured remote access software or virtual private networks that are vulnerable to sophisticated attacks.