Weekly CyberTip: The Importance of Crisis Communications
Controlled communications are a critical, yet often under-emphasized part of an effective incident response plan. Making decisions and laying out templates during comparative calm will allow you to focus on the exceptional circumstances of a cyber incident. If you don’t know what to say or do if you encounter a cyber incident today, here are five actions that you should consider before an incident emerges.
- Formalize the incident declaration process: Who declares that an incident has occurred, or a crisis is unfolding? Where do you meet physically/virtually? Who makes the decisions? This should all be part of the internal communications plan.
- Designate a communications coordinator: It is crucial to inform staff that they should not speak to the media or discuss the incident on social channels. It’s essential for a single voice to shape the message to reassure key stakeholders without divulging too much information that might compromise the incident investigation. Also, decide in advance whether you will engage with customers on social media, and how often.
- Create criteria in advance for involving legal counsel, law enforcement, and your cyber insurer, and for considering a ransom payment. Ensure that contact information (on both sides) is up to date.
- Develop communication templates for outreach: you need templated materials ready for customers, staff, shareholders, regulators, key business partners, etc. Templates for mail, web, and social media channels should be prepared in advance so they can be modified and deployed quickly when needed.
- Test! You should test your communications plan regularly, through tabletop exercises or planned scenarios. Build that muscle memory so you can respond gracefully in case of an incident.
Indigo Books & Music still recovering from “cyber incident”
On the evening of February 8, Canada’s largest book chain, Indigo, posted “an update from us” on its website, announcing that it had experienced a “cybersecurity incident” and that the website would remain unavailable until its systems were back online. By February 13, the posting was still on the website, and very few additional details had been made available. The incident has affected Indigo’s website and mobile app; is preventing the company from processing electronic payments, accepting gift cards or returns; and has caused disruptions to the company’s internal operations.
In a conference call with analysts on February 10, Indigo’s Chief Financial Officer Craig Loudon said the company’s main priorities are to protect customer data, limit the operational and financial effects of the incident and safely resume full operations as quickly as possible.
ISA Cybersecurity’s Executive Vice-President Enza Alexander was approached by the CBC to comment on the incident. While Indigo has not disclosed any details about the incident, Alexander confirmed that cyber attacks on the retail sector are on the increase as a result of the rise of online shopping in recent years.
Report: Rise in malware delivery through OneNote documents
In a February 1 blog post from Proofpoint, security researchers reveal a dramatic uptick in the number of campaigns leveraging OneNote attachments to deliver malware in recent months. In December 2022, six campaigns were identified; in January 2023, that number had risen to over 50.
“Based upon our observed characteristics of past threat campaigns, it is believed that threat actors have increasingly adopted OneNote as a result of their experimentation with different attachment types to bypass threat detection. Since Microsoft began blocking macros by default in 2022, threat actors have experimented with many new tactics, techniques, and procedures (TTPs), including use of previously infrequently observed filetypes such as virtual hard disk (VHD), compiled HTML (CHM), and now OneNote (.one),” according to the Proofpoint analysis.
The post provides examples of some of the campaigns, along with a detailed set of IOCs. While endpoint protection software should capture the malware, the post notes that “an attack is only successful if the recipient engages with the attachment, specifically by clicking on the embedded file and ignoring the warning message displayed by OneNote. Organizations should educate end users about this technique and encourage users to report suspicious emails and attachments.”
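The campaigns described above work because a .one file can carry arbitrary embedded files that OneNote will launch when the user clicks them. A mail-gateway or SOC triage step can therefore carve those embedded objects out of an attachment and flag anything executable or script-like before a user ever sees it. The following script is an added example written for this newsletter; it is not Proofpoint's or ISA Cybersecurity's code. It relies on the GUID markers and the FileDataStoreObject layout (16-byte header GUID, 8-byte little-endian length, 12 bytes unused/reserved, payload, 16-byte footer GUID) documented in Microsoft's MS-ONESTORE specification, and it deliberately ignores the rest of the OneNote object structure, simply carving every embedded object it finds. The payload labels, the script-marker list, the "review"/"clean" verdict rule and the sample .one-shaped blob are all constructed for illustration.

```python
import struct

# GUIDs defined in Microsoft's MS-ONESTORE file format specification, written
# in their on-disk little-endian byte order.
ONE_FILE_HEADER = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")   # .one file magic
FILE_DATA_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")  # FileDataStoreObject start
FILE_DATA_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")  # FileDataStoreObject end

# FileDataStoreObject layout: guidHeader (16) + cbLength (8, little-endian) +
# unused (4) + reserved (8) = 36 bytes, then cbLength bytes of FileData, then guidFooter.
_FDO_HEADER_LEN = 36

# Leading-byte signatures used to label an embedded payload (illustrative set).
_MAGIC = [
    (b"MZ", "PE executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound document"),
    (b"PK\x03\x04", "ZIP/OOXML archive"),
    (b"%PDF", "PDF"),
    (b"\x89PNG", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
]
# Text markers that make a payload look like HTML/HTA/script content (illustrative set).
_SCRIPT_MARKERS = (b"<script", b"<html", b"wscript", b"powershell", b"cmd.exe")
# Payload types that should send the attachment to a human or sandbox for review.
_HIGH_RISK = {"PE executable", "OLE compound document", "script/HTML text", "unknown binary"}


def extract_embedded_files(blob: bytes) -> list:
    """Return [(offset, length, data)] for each FileDataStoreObject carved from the blob."""
    found = []
    pos = 0
    while True:
        i = blob.find(FILE_DATA_HEADER, pos)
        if i < 0 or i + _FDO_HEADER_LEN > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, i + 16)
        start = i + _FDO_HEADER_LEN
        end = start + length
        if end > len(blob):          # truncated or corrupt object: do not trust cbLength
            break
        found.append((i, length, blob[start:end]))
        pos = end
    return found


def classify_payload(data: bytes) -> str:
    """Label an embedded payload by its leading bytes, then by script markers, then by charset."""
    if not data:
        return "empty"
    for magic, label in _MAGIC:
        if data.startswith(magic):
            return label
    head = data[:512].lower()
    if any(marker in head for marker in _SCRIPT_MARKERS):
        return "script/HTML text"
    if all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "plain text"
    return "unknown binary"


def triage(blob: bytes) -> dict:
    """Summarise an attachment: is it a .one file, what is embedded, and does it need review."""
    embedded = [
        {"offset": off, "length": ln, "type": classify_payload(data)}
        for off, ln, data in extract_embedded_files(blob)
    ]
    return {
        "is_onenote": blob.startswith(ONE_FILE_HEADER),
        "embedded": embedded,
        "verdict": "review" if any(e["type"] in _HIGH_RISK for e in embedded) else "clean",
    }


def _file_data_object(payload: bytes) -> bytes:
    """Wrap a payload in a FileDataStoreObject (helper for the constructed sample only)."""
    return (FILE_DATA_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12
            + payload + FILE_DATA_FOOTER)


# Constructed sample: a minimal .one-shaped blob (real files carry far more structure)
# holding one harmless text note and one HTML/script object.
SAMPLE_ONE = (
    ONE_FILE_HEADER + b"\0" * 64
    + _file_data_object(b"Meeting notes: review Q3 numbers.\r\n")
    + b"\0" * 16
    + _file_data_object(b'<html><script language="vbscript">MsgBox "constructed sample"</script></html>')
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ONE), indent=2))
```

Carving by GUID rather than walking the full object tree keeps the check cheap enough to run on every attachment at the gateway, and the length field is validated against the file size so a malformed object cannot make the scanner read past the end of the data. A "review" verdict is a routing decision (quarantine, sandbox, or analyst queue), not proof of malice: plenty of legitimate notebooks embed PDFs or images, which is why those land in the low-risk set.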
Cat and mouse game continues with VMware ESX malware attacks
After the February 8 release of a recovery script by the FBI and CISA for organizations affected by a massive ransomware campaign targeting VMware ESXi servers worldwide, reports by Bleeping Computer indicate that a new variant of the malware has emerged that makes the recovery script ineffective.
The initial malware campaign was disclosed by researchers at the French Computer Emergency Response Team (CERT-FR) on February 3. At the time, the researchers had discovered that an old vulnerability, CVE-2021-21974, for which a patch has been available for almost a year, was at the centre of the widespread attack. The ransomware encrypts configuration files on vulnerable virtual machines, potentially making them unusable. One ransom note issued to an affected company asked for about $23,000 (all figures USD) in Bitcoin. Some 3,800 servers have reportedly been affected by the vulnerability in ESXi’s OpenSLP service.
The French researchers confirmed the new malware detected by Bleeping Computer, updating their original post on February 10 to say: “A new wave of attack started on February 8 changes the encryption method to encrypt a larger volume of data in large files making data restoration more difficult or impossible.”
Whether or not the script in the FBI/CISA advisory is usable in a given situation, the authorities urge all affected organizations to patch their virtual machines to the latest version, shut down the SLP service, and restrict access to the servers from the public Internet. The advisory presents additional attack mitigation strategies as well.
The incident is a reminder of the importance of keeping current with system security updates and patches.