How to Protect Your Organization’s Network from 3rd Party Breach
Computers in nearly 400 dental offices across the U.S. were infected with ransomware after DDS Safe, a cloud management software that backs up client data for the affected dental offices, was compromised by a still-unidentified attacker or attackers. This incident shows the need to protect your organization’s network from 3rd party breach.
On August 26th, the Wisconsin Dental Association, through its Executive Director Mark Paget, announced that nearly 400 dental offices across the U.S., a small percentage of them based in Wisconsin, had been unable to access their client data as a result of the compromise at DDS Safe, a service from The Digital Dental Record, a subsidiary of the Wisconsin Dental Association.
In the days following the ransomware attack, PerCSoft, the IT vendor for DDS Safe, has been giving out decryption keys to the affected dental offices via its Facebook page. In a ransomware attack, attackers lock users out of their data by encrypting it and demand a ransom from victims in exchange for the decryption key or keys, which, in theory, unlock the encrypted data.
It isn’t clear how PerCSoft obtained these decryption keys or whether a ransom was paid to the attacker or attackers. Some affected dental offices have reported that the decryption key they were given unlocked only a portion of their client files.
In a recent update, Paget said that the investigation shows that the version of ransomware suspected in the DDS Safe attack has been used against other service providers in separate incidents that didn’t involve The Digital Dental Record or its partners.
Different sources found that the ransomware strain used in the DDS Safe attack was Sodinokibi, also known as REvil or Sodin. Researchers at Cisco Talos first spotted the Sodinokibi ransomware in April this year. Once inside the victim’s computer, Sodinokibi attempts to encrypt data in the user’s directory.
Researchers at Cisco Talos found that the Sodinokibi ransomware was installed on the victim’s computer by actively exploiting a zero-day vulnerability in Oracle WebLogic, causing the affected server to download a copy of the ransomware. A zero-day vulnerability is a security vulnerability that’s unknown or unaddressed by the software vendor.
Oracle patched this security vulnerability, officially designated CVE-2019-2725, on April 26th. “This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack,” Cisco Talos researchers said. This means that vulnerable systems could be infected with this ransomware even without user or victim interaction.
In July this year, Kaspersky Lab reported that Sodinokibi was also observed being delivered by exploiting a security vulnerability in Windows operating systems, CVE-2018-8453, also known as the Win32k Elevation of Privilege Vulnerability. According to Microsoft, an attacker who exploits this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, however, the attacker would first have to log on to the system.
The coordinated ransomware attack on 22 local governments in Texas was also attributed to Sodinokibi. Gary Heinrich, the mayor of the City of Keene, one of the affected local governments, told NPR that the coordinated attack was the result of a compromise of information technology software managed by a third party and used by the affected local governments.
Fidelis Security ranked Sodinokibi as one of the most active and widespread ransomware strains this year, with a market share of 12.5%, behind Ryuk ransomware (23.9% market share), Phobos ransomware (17.0%) and Dharma ransomware (13.6%).
Preventive and Mitigating Measures
Here are some cybersecurity measures to prevent or mitigate the effects of a 3rd party breach:
- Back up Critical Data Offline
As the discovery of the Sodinokibi ransomware by the researchers at Cisco Talos shows, even fully patched systems are vulnerable to attacks, as exemplified by the zero-day vulnerability in Oracle WebLogic. It’s, therefore, important to back up your organization’s critical data.
Storing your organization’s critical data in the cloud, however, isn’t enough and presents a new set of vulnerabilities, as shown by the compromise of DDS Safe, a cloud management software developed specifically to back up client data of dental offices. In addition to a cloud backup, it’s important to keep another copy of your organization’s critical data offline.
Ransomware, in particular, is only effective when its victim fails to back up critical data effectively. With the right backup system, the ransom demand can simply be ignored.
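As an added example that is not part of the original article, the following Python script builds a SHA-256 manifest of a critical-data directory and checks an offline backup copy against it, so that a backup that has itself been encrypted, truncated or renamed is noticed in a routine restore drill rather than during an incident. The function names, the directory layout and the file contents are constructed for the demonstration.

```python
"""Added example (not from the original article): record a hash manifest of
critical data when the offline backup is made, then verify the copy later."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_backup(manifest: dict[str, str], backup_root: Path) -> dict[str, list[str]]:
    """Compare the backup copy with the manifest recorded when it was taken.
    Returns files that are missing, whose content changed (an encrypted file
    hashes differently), and files present that were never backed up."""
    current = build_manifest(backup_root)
    missing = sorted(p for p in manifest if p not in current)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    unexpected = sorted(p for p in current if p not in manifest)
    return {"missing": missing, "modified": modified, "unexpected": unexpected}


def restore_drill() -> dict[str, list[str]]:
    """Constructed scenario: take a backup, then damage the copy the way a
    ransomware infection of the backup store would, and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "offline"
        (live / "patients").mkdir(parents=True)
        (live / "patients" / "a.txt").write_text("record A")
        (live / "patients" / "b.txt").write_text("record B")
        (live / "schedule.csv").write_text("date,patient\n")
        manifest = build_manifest(live)  # recorded at backup time
        shutil.copytree(live, backup)
        # Damage the backup copy: one file overwritten with unreadable bytes,
        # one renamed with an extra extension, as encrypted files often are.
        (backup / "patients" / "a.txt").write_bytes(b"\x00\xffgarbage")
        (backup / "schedule.csv").rename(backup / "schedule.csv.locked")
        return verify_backup(manifest, backup)


if __name__ == "__main__":
    print(restore_drill())
```

A clean backup returns three empty lists; anything else means the offline copy cannot be relied on and should be re-taken from a known-good source.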
- Keep All Software Up to Date
Traditionally, ransomware’s main pathway to victims’ computers is through phishing emails in which victims are tricked into clicking a malicious link or opening a malicious attachment. Once clicked, the malicious link or attachment leads to the installation of malicious software (malware).
The availability of Sodinokibi in the wild means that attackers are exploiting known vulnerabilities that require minimal or no interaction from the victim, such as clicking a link or opening an attachment. Attackers are, instead, exploiting vulnerabilities like Microsoft’s Win32k Elevation of Privilege Vulnerability. Microsoft patched the Win32k Elevation of Privilege Vulnerability in October 2018. It’s, therefore, important to keep all your organization’s software up to date.
- Practice Network Segmentation
Network segmentation is the practice of dividing a computer network into subnetworks. This practice ensures that if one subnetwork is infected, for example through compromised 3rd party software, the other subnetworks won’t be affected.
At GenX Solutions, we love helping businesses protect important information. Our IT security experts have years of hands-on experience and can help your organization deliver more value. Call us today at (416) 920-3000 or email firstname.lastname@example.org