The Cybersecurity and Infrastructure Security Agency and the White House have released warnings to companies and organizations across the country, urging them to be on alert for cyberattacks ahead of the Christmas holiday.
CISA has released “CISA Insights: Preparing For and Mitigating Potential Cyber Threats” to provide critical infrastructure leaders with steps to proactively strengthen their organization’s operational resiliency against sophisticated threat actors.
In a letter sent out on Thursday, White House Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger and National Cyber Director Chris Inglis said there are typically breaches around national holidays because cybercriminals know that security operations centers are often short-staffed.
“Beyond the holidays, though, we’ve experienced numerous recent events that highlight the strategic risks we all face because of the fragility of digital infrastructure and the ever-present threat of those who would use it for malicious purposes,” Neuberger and Inglis said.
“There are specific steps that you, as leaders, can initiate now to reduce the risk of your organizations during this time of heightened risk and into the New Year. In many cases, criminals plan and actually begin an intrusion before the holiday itself — they infiltrate a network and lie in wait for the optimal time to launch an attack. It is therefore essential that you convene your leadership team now to make your organization a harder target for criminals.”
The two urged organizations to make sure all patches are up-to-date, enable logs, back up data, investigate incidents quickly, change passwords, mandate multi-factor authentication, manage IT security schedules and make employees aware of phishing.
CISA’s warning focused on critical infrastructure owners and operators, telling them that security personnel coverage needs to be sketched out now in light of the coming Christmas holiday, and incident response plans need to be updated.
Organizations should also make sure all the cybersecurity best practices are being followed and that the current cybersecurity threats and malicious techniques are being monitored.
CISA even said the threshold for information sharing should be lowered, and any cybersecurity incidents and anomalous activity should be reported to CISA or the FBI immediately.
The FBI sent out its own notice on Wednesday notifying potential victims of the Log4j vulnerability that they “may be unable to respond to each victim individually, but all information we receive will be useful in countering this threat.”
While some cybersecurity experts have said cybercriminal interest in Log4j is waning, Microsoft said nation states and other groups are exploiting the bug, including Chinese government-linked group Hafnium as well as groups from North Korea, Turkey and Iran.
VMware head of cybersecurity strategy Tom Kellermann told ZDNet that he was very concerned about the organizations that haven’t followed the “very specific and holistic advice” given by CISA and the Joint Cyber Defense Collaborative (JCDC).
As a member of the JCDC, VMware has worked alongside Google, Microsoft and Verizon to help address the threat posed by Log4j.
“Ever since the first proof of concept exploit was made available, attackers around the world — from cybercrime cartels to rogue nation states — have been actively exploiting the vulnerability, and that’s been going on for days. Everyone uses Apache in some form and it’s really a question of them updating immediately,” Kellermann said.
“But in addition to that, I think people should apply outbound micro-segmentation rules to prohibit new connections from being established from workloads. They should be scanning their environment and code bases for vulnerable systems employing Log4j. They should be monitoring their workloads for abnormal traffic flow, and they should be reviewing their log files to look for unauthorized configuration changes.”
Kellermann added that if an organization doesn’t know where Apache ends and begins in their environment, they need to “dramatically expand their threat hunt game” because, more than likely, they’ve already been compromised given the level of scanning and exploitation occurring.
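One way to carry out the inventory step Kellermann describes, scanning a file tree for archives that bundle log4j-core and reporting whether each one still ships the JndiLookup class. This is an added example, not code from the article, CISA or VMware; the sample archives and the version string it builds are constructed, and the class and pom.properties paths are the standard ones inside a log4j-core jar.

```python
import io
import os
import tempfile
import zipfile

# Marker class of a Log4j 2 core jar that still carries the JNDI lookup plugin
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def inspect_archive(zf, label):
    """Return [(label, version, has_jndi_lookup)] for zf and every archive nested inside it."""
    names = zf.namelist()
    # Maven metadata records the bundled log4j-core version, when present
    props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    version = next((l.split("=", 1)[1].strip() for l in props.splitlines() if l.startswith("version=")), None)
    findings = []
    if JNDI_LOOKUP in names or version is not None:
        findings.append((label, version, JNDI_LOOKUP in names))
    for name in names:  # fat jars, wars and ears bundle log4j-core one level down
        if name.lower().endswith(ARCHIVES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    findings.extend(inspect_archive(inner, label + "!" + name))
            except zipfile.BadZipFile:
                pass
    return findings

def scan_tree(root):
    """Walk a directory tree and inventory every archive that ships log4j-core."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVES):
                try:
                    with zipfile.ZipFile(os.path.join(dirpath, name)) as zf:
                        findings.extend(inspect_archive(zf, os.path.join(dirpath, name)))
                except zipfile.BadZipFile:
                    pass
    return findings

def demo():
    """Constructed sample tree: a war bundling log4j-core (made-up version) plus an unrelated jar."""
    root = tempfile.mkdtemp()
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        zf.writestr(POM_PROPS, "version=2.14.1\n")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core.jar", core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as zf:
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
    return [(os.path.relpath(p, root), v, j) for p, v, j in scan_tree(root)]
```

Point scan_tree at an application or container root to get one finding per log4j-core copy, including copies nested one level down inside wars and fat jars.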