FBI Alert: Users of Gmail, Outlook, and VPNs Must Take Immediate Action

The FBI has recently warned about a deadly ransomware campaign by the so-called Ghost attackers, about some of the most advanced attacks ever experienced by Gmail users, and about strange ransomware threats sent through the USPS. Now, with the Medusa ransomware gang's attacks continuing, a newly released FBI industry alert repeats a mitigation the bureau has urged before: use two-factor authentication. The FBI advises turning on 2FA for VPNs and for webmail services such as Gmail and Outlook, and doing it right now. This is what you should know.

Medusa Ransomware Industry Joint Alert Issued by the FBI and CISA

Since the campaign was first observed in June 2021, Medusa, a highly dangerous ransomware-as-a-service operation, has affected at least 300 victims in the critical infrastructure sector. During attacks, Medusa is known to use both social engineering and exploitation of unpatched software vulnerabilities. Thanks to FBI investigations conducted as recently as February, intelligence agencies have been able to compile a dossier of the threat actors' tactics, techniques, and procedures, along with indicators of compromise and detection measures.

In response to the Medusa ransomware group's attacks, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency jointly released a cybersecurity advisory on March 12. The complete advisory, AA25-071A, covers the specifics of the Medusa operation in great detail, and every cyber-defender should read it in full. For the purposes of this piece, however, I will concentrate on the FBI's recommendations for mitigating the attacks.

Expert Views After FBI Alert Regarding Medusa Ransomware Campaigns

Ransomware as a service is still very much in use today. That is the lesson to be learned from the FBI's warning. "Medusa is a fitting moniker for this assault, given its complex and extensive effects on multiple sectors," stated Tim Morris, Tanium's top security advisor. Because the group is skilled at exploitation, persistence, lateral movement, and concealment, Morris went on to say, it is "critical for businesses to manage their estates correctly, know where their assets are, and ensure they have solid defense-in-depth systems in place."

According to Jon Miller, CEO and co-founder of Halcyon, "critical infrastructure institutions are excellent targets due to their heightened drive to maintain uninterrupted services." Ransomware operators like Medusa concentrate on obtaining leverage to extort organizations. According to Miller, these groups take advantage of security flaws to move laterally, escalate privileges, exfiltrate private information, and eventually launch their payloads. Miller went on to say, "Medusa uses advanced tactics to maximize influence once inside a network." To evade detection, the gang specifically uses PowerShell to run base64-encoded commands and Mimikatz to retrieve credentials from memory, which enables further intrusion into the network. Miller cautioned, "They also use technologies like PsExec and RDP, as well as genuine remote access software like AnyDesk and ConnectWise, to spread throughout the network." Miller concluded that Medusa can stop more than 200 Windows services and processes, including ones related to security software, and is designed to cause the greatest possible operational disruption.
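The tradecraft Miller describes (encoded PowerShell, Mimikatz, PsExec, abused remote-access tools, mass service stopping) leaves traces in process-creation telemetry, which is where a defender would look for it. The script below is an added example, not code from the advisory or from Halcyon or Tanium: it runs simple detection rules over a few constructed process-creation events and, for encoded PowerShell, decodes the payload so an analyst can see what was actually run. The log format, rule names, tool-name lists, and the service-stop threshold are assumptions made for illustration.

```python
"""Flag Medusa-style post-compromise activity in process-creation logs.

Added example, not code from the FBI/CISA advisory or the article. The log
format is a constructed, simplified rendering of Windows process-creation
events (Sysmon Event ID 1 / Security 4688 style):
    <timestamp>|<host>|<user>|<parent image>|<command line>
Rule names, tool-name lists and the service-stop threshold are assumptions.
"""
import base64
import re
from collections import Counter

# PowerShell accepts a base64 (UTF-16LE) payload via -e, -ec, -enc or -EncodedCommand.
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
CRED_TOOLS = ("mimikatz",)                                   # credential theft from memory
LATERAL_TOOLS = ("psexec", "paexec")                         # remote execution / lateral movement
REMOTE_ACCESS = ("anydesk", "connectwise", "screenconnect")  # legitimate tools abused for persistence
SERVICE_STOP = re.compile(r"\b(?:net\s+stop|sc(?:\.exe)?\s+stop|taskkill)\b", re.IGNORECASE)
SERVICE_STOP_THRESHOLD = 5  # assumption: this many stop commands on one host is a burst worth alerting on

# Constructed sample: one benign event followed by a Medusa-style chain.
ENC = base64.b64encode('Write-Host "hello"'.encode("utf-16le")).decode()
SAMPLE_LOG = "\n".join([
    '2025-03-12T09:00:01|WS01|alice|explorer.exe|"C:\\Office\\WINWORD.EXE" report.docx',
    f"2025-03-12T09:01:10|WS01|alice|WINWORD.EXE|powershell.exe -NoP -W Hidden -enc {ENC}",
    "2025-03-12T09:02:15|WS01|alice|powershell.exe|C:\\Tools\\mimikatz.exe",
    "2025-03-12T09:03:00|WS01|alice|cmd.exe|PsExec.exe \\\\SRV02 -s cmd.exe",
    "2025-03-12T09:03:30|SRV02|SYSTEM|services.exe|C:\\Users\\Public\\AnyDesk.exe --service",
    '2025-03-12T09:04:00|SRV02|SYSTEM|cmd.exe|net stop "BackupAgent"',
    '2025-03-12T09:04:01|SRV02|SYSTEM|cmd.exe|net stop "SQLWriter"',
    "2025-03-12T09:04:02|SRV02|SYSTEM|cmd.exe|sc stop EndpointProtection",
    '2025-03-12T09:04:03|SRV02|SYSTEM|cmd.exe|net stop "VSS"',
    "2025-03-12T09:04:04|SRV02|SYSTEM|cmd.exe|taskkill /IM backup.exe /F",
])


def parse(log_text):
    """Split each pipe-delimited line into an event dict (the command line may itself contain '|')."""
    events = []
    for line in log_text.strip().splitlines():
        ts, host, user, parent, cmd = line.split("|", 4)
        events.append({"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd})
    return events


def decode_powershell(payload):
    """Decode a -EncodedCommand payload (base64 of UTF-16LE); None if it is not one."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(log_text):
    """Return a list of findings; each is a (host, rule, evidence) tuple."""
    findings = []
    stops = Counter()  # service-stop commands per host, for the burst rule
    for ev in parse(log_text):
        host, cmd = ev["host"], ev["cmd"]
        low = cmd.lower()
        m = ENCODED_PS.search(cmd)
        if m:
            findings.append((host, "encoded_powershell", decode_powershell(m.group(1)) or m.group(1)))
        if any(t in low for t in CRED_TOOLS):
            findings.append((host, "credential_dumping_tool", cmd))
        if any(t in low for t in LATERAL_TOOLS):
            findings.append((host, "lateral_movement_tool", cmd))
        if any(t in low for t in REMOTE_ACCESS):
            findings.append((host, "remote_access_tool", cmd))
        if SERVICE_STOP.search(cmd):
            stops[host] += 1
    for host, n in stops.items():
        if n >= SERVICE_STOP_THRESHOLD:
            findings.append((host, "mass_service_stop", f"{n} service-stop commands"))
    return findings


if __name__ == "__main__":
    for host, rule, evidence in detect(SAMPLE_LOG):
        print(f"{host:6} {rule:24} {evidence}")
```

The single-event rules are plain string matches and will fire on the tool names wherever they appear; the service-stop rule instead aggregates per host, because one `net stop` is routine administration while a burst of them, as Miller describes, is not. In production the counter would be bucketed by a time window rather than over the whole log, and the decoded PowerShell string would be fed to further rules rather than only shown to the analyst.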

To mitigate Medusa, the FBI advises turning on 2FA for webmail and VPNs immediately.

The FBI has suggested the following measures that all enterprises should take immediately to lessen the impact of the Medusa ransomware attack campaigns:

  • If at all possible, require two-factor authentication for all services, but especially for webmail (such as Gmail, Outlook, and others), virtual private networks, and accounts that have access to vital systems.
  • All password-protected accounts should have long passwords, and frequent password changes should be discouraged as they can weaken security.
  • Multiple copies of confidential or proprietary information and servers should be kept in a physically separate, segmented, and secure location.
  • Update all firmware, software, and operating systems. Give first priority to patching known exploited vulnerabilities in systems that are accessible over the internet.
  • Use a network monitoring tool to find, identify, and investigate unusual activity and possible ransomware traversal.
  • Keep an eye out for attempts at unauthorized scanning and access.
  • Filter network traffic by blocking access to remote services on internal systems from unidentified or untrusted sources.
  • Configure access controls based on the least privilege principle and audit user accounts with administrative privileges.
  • Turn off scripting and command-line activities and permissions.
  • Turn off any unused ports.

The hackers must be laughing in spite of the advice from the FBI and CISA.

The FBI and CISA's guidance regarding the Medusa ransomware group threat has not been well received by everyone. It follows a long pattern of "warning people about ransomware that spreads using social engineering, that then does not advise security awareness training as a main approach to counter it," according to Roger Grimes, a data-driven defense evangelist at KnowBe4. According to Grimes, social engineering accounts for 70% to 90% of all successful hacking assaults in KnowBe4's experience. However, the 15 suggested mitigations make no mention of awareness, even though the official advisory notes that social engineering is one of the main ways that ransomware threats are distributed. Grimes compared it to discovering that burglars frequently break in via your windows and then suggesting that you install additional locks on your doors. Grimes came to the conclusion that "the hackers must be laughing" because of the persistent discrepancy between how threat actors and their malware programs typically attack us and how we are instructed to protect ourselves.
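Whatever one makes of Grimes's objection, most of the items on the FBI's mitigation list above can be checked mechanically against an asset inventory, which is how a defender would turn them into a work queue. The following is an added example, not code from the advisory or the article: a small Python triage script that scores a constructed inventory against several of the listed mitigations (MFA on webmail and VPNs, patching known exploited vulnerabilities on internet-facing systems first, restricting remote services to trusted sources, closing unused ports, and auditing administrative accounts). The inventory schema, the priority numbers, the port-to-service table, and the sample hosts are assumptions.

```python
"""Triage a constructed asset inventory against the FBI/CISA mitigation list.

Added example, not from the advisory or the article. The inventory schema,
the priority numbers, the port-to-service table and the sample assets are
assumptions made for illustration.
"""
REMOTE_SERVICE_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm"}
MFA_REQUIRED_ROLES = {"webmail", "vpn", "critical"}  # the roles the FBI singles out for 2FA

# Constructed sample inventory: one field per mitigation the script checks.
INVENTORY = [
    {"host": "mail-gw", "role": "webmail", "internet_facing": True, "mfa": False,
     "open_ports": {25, 443, 8080}, "used_ports": {25, 443}, "kev_unpatched": False,
     "remote_access_sources": set(), "admin_accounts": ["itadmin"]},
    {"host": "vpn-1", "role": "vpn", "internet_facing": True, "mfa": True,
     "open_ports": {443}, "used_ports": {443}, "kev_unpatched": True,
     "remote_access_sources": set(), "admin_accounts": ["itadmin"]},
    {"host": "files-1", "role": "file-server", "internet_facing": False, "mfa": True,
     "open_ports": {445, 3389, 8443}, "used_ports": {445}, "kev_unpatched": True,
     "remote_access_sources": {"any"},  # "any" = remote services reachable from untrusted sources
     "admin_accounts": ["itadmin", "bob", "svc-backup", "old-contractor"]},
]


def triage(inventory, max_admins=2):
    """Return (priority, host, action) tuples sorted so that priority 1 (do now) comes first."""
    findings = []
    for a in inventory:
        host = a["host"]
        # 2FA on webmail, VPNs and accounts that reach critical systems.
        if a["role"] in MFA_REQUIRED_ROLES and not a["mfa"]:
            findings.append((1, host, f"enforce MFA on {a['role']}"))
        # Patch known exploited vulnerabilities, internet-facing systems first.
        if a["kev_unpatched"]:
            findings.append((1 if a["internet_facing"] else 2, host,
                             "patch known exploited vulnerability"))
        # Remote services on internal systems reachable from untrusted sources.
        exposed = sorted(REMOTE_SERVICE_PORTS[p] for p in a["open_ports"] if p in REMOTE_SERVICE_PORTS)
        if exposed and "any" in a["remote_access_sources"]:
            findings.append((2, host, f"restrict {', '.join(exposed)} to trusted sources"))
        # Open ports that nothing uses.
        unused = sorted(a["open_ports"] - a["used_ports"])
        if unused:
            findings.append((3, host, f"close unused ports {unused}"))
        # Least privilege: more administrative accounts than the policy allows.
        if len(a["admin_accounts"]) > max_admins:
            findings.append((3, host, f"audit {len(a['admin_accounts'])} admin accounts"))
    return sorted(findings)


if __name__ == "__main__":
    for prio, host, action in triage(INVENTORY):
        print(f"P{prio} {host:8} {action}")
```

The ordering encodes the advisory's own emphasis: missing 2FA on webmail or a VPN and an unpatched known exploited vulnerability on an internet-facing host rank above everything else, while unused ports and surplus administrators are cleanup items. The script says nothing about awareness training, which is exactly the gap Grimes points to; an inventory check cannot cover a mitigation the list does not contain.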
