In April, we alerted customers that hackers were planning to use zero-day exploits to take over unpatched Windows XP machines and enlist them in botnets for coordinated DDoS attacks. This alert covers a new threat that also stems from Windows XP vulnerabilities.
According to our sources, government agencies believe the current risk of foreign cyber attacks is at an all-time high. Groups from China, Russia, and the Middle East are suspected of planning cyber attacks against US organizations. Intentions vary by group and are driven by both political and criminal motives; tension over Ukraine, for example, is thought to be behind possible Russian attacks.
The threat most frequently discussed is a massive DDoS attack intended to distract organizations while attackers install malware. That malware installation is the real threat, and the likely targets are the large numbers of Windows XP machines that no longer receive security patches. Many organizations run large fleets of medical devices, ATMs, and control systems on Windows XP.
- Scan regularly. Patch or add compensating controls where and when possible.
- Use Vulnerability Management tools to tag assets that cannot be patched.
- Maintain updated signatures on Intrusion Prevention Systems (IPS).
- Use a SIEM system or service to model unpatched assets and monitor for indicators of compromise (IoCs) and command-and-control (C2) traffic by correlating logs and network traffic with threat intelligence and IP reputation data.
- Automate blocking of suspicious traffic to and from known-malicious IPs.
- Use cloud-based traffic redirection (scrubbing) services to mitigate DDoS attacks. Understand how much bandwidth these services can absorb, so that your vendor is not itself overwhelmed by a large-scale global attack.
- If practical, group vulnerable Windows XP machines in dedicated subnets so they can be isolated or taken offline during a DDoS attack.
- Develop contingency plans for this threat, including manual workarounds for when Windows XP devices are unavailable.
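As an added example that is not part of the original alert, the following Python sketch shows the kind of correlation the list above asks a SIEM to perform: it takes an asset inventory, tags the Windows XP machines that cannot be patched, checks their outbound connections against a threat-intelligence IP list, looks for regular-interval beaconing that suggests C2 check-ins to hosts the feed does not know yet, and produces a block list for the perimeter. The inventory, log format, intel feed, thresholds (four connections, five seconds of jitter) and all IP addresses are constructed assumptions for illustration, not data from any real product or incident.

```python
"""Toy SIEM correlation for the recommendations above: tag Windows XP assets
that cannot be patched, then check their outbound traffic against a
threat-intelligence IP list and look for C2-style beaconing. Every inventory
entry, log line and intel record here is constructed sample data."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed asset inventory, as a vulnerability-management export might look.
ASSETS = {
    "10.20.5.11": {"name": "atm-0041", "os": "Windows XP SP3", "patchable": False},
    "10.20.5.12": {"name": "infusion-pump-07", "os": "Windows XP Embedded", "patchable": False},
    "10.30.1.50": {"name": "ws-finance-22", "os": "Windows 7", "patchable": True},
}

# Constructed threat-intelligence feed: reputation-listed IPs and their tag.
THREAT_INTEL = {"203.0.113.45": "known-c2", "198.51.100.7": "malware-distribution"}

# The organisation's own address space (RFC 1918 here); anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed perimeter firewall log, one accepted outbound connection per line.
SAMPLE_LOGS = """\
2014-05-02T10:00:00 fw01 ACCEPT src=10.20.5.11 dst=203.0.113.45 dport=443
2014-05-02T10:00:02 fw01 ACCEPT src=10.30.1.50 dst=93.184.216.34 dport=80
2014-05-02T10:05:00 fw01 ACCEPT src=10.20.5.11 dst=203.0.113.45 dport=443
2014-05-02T10:10:00 fw01 ACCEPT src=10.20.5.11 dst=203.0.113.45 dport=443
2014-05-02T10:12:31 fw01 ACCEPT src=10.20.5.12 dst=192.0.2.77 dport=8080
2014-05-02T10:17:31 fw01 ACCEPT src=10.20.5.12 dst=192.0.2.77 dport=8080
2014-05-02T10:22:31 fw01 ACCEPT src=10.20.5.12 dst=192.0.2.77 dport=8080
2014-05-02T10:27:31 fw01 ACCEPT src=10.20.5.12 dst=192.0.2.77 dport=8080
2014-05-02T10:30:00 fw01 ACCEPT src=10.30.1.50 dst=198.51.100.7 dport=80
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def tag_unpatchable_assets(assets):
    """Watch list: IPs of Windows XP machines the inventory says cannot be patched."""
    return {ip for ip, a in assets.items()
            if a["os"].startswith("Windows XP") and not a["patchable"]}


def parse_logs(text):
    """Parse the constructed log format; unparseable lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate(events, watch_list, intel, min_beacons=4, jitter_s=5):
    """Two detection rules over accepted outbound traffic:
    1. reputation-hit: destination is on the intel list (critical if the source is
       an unpatchable XP asset, high otherwise); one alert per src/dst pair.
    2. beaconing: an unpatchable XP asset reaches the same external dst:port at
       least min_beacons times at near-constant intervals (within jitter_s seconds),
       which catches C2 check-ins to hosts the intel feed does not list yet."""
    alerts, seen_pairs = [], set()
    by_pair = defaultdict(list)
    for e in events:
        if e["action"] != "ACCEPT" or is_internal(e["dst"]):
            continue
        if e["dst"] in intel and (e["src"], e["dst"]) not in seen_pairs:
            seen_pairs.add((e["src"], e["dst"]))
            alerts.append({"rule": "reputation-hit",
                           "severity": "critical" if e["src"] in watch_list else "high",
                           "src": e["src"], "dst": e["dst"], "intel": intel[e["dst"]]})
        if e["src"] in watch_list:
            by_pair[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    for (src, dst, dport), times in by_pair.items():
        if len(times) < min_beacons:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            alerts.append({"rule": "beaconing", "severity": "high", "src": src, "dst": dst,
                           "dport": dport, "interval_s": round(sum(gaps) / len(gaps))})
    return alerts


def block_list(alerts):
    """External IPs to push to the perimeter as an automated block."""
    return sorted({a["dst"] for a in alerts})


if __name__ == "__main__":
    found = correlate(parse_logs(SAMPLE_LOGS), tag_unpatchable_assets(ASSETS), THREAT_INTEL)
    for a in found:
        print(a)
    print("block:", block_list(found))
```

On the sample data this raises a critical reputation hit for the ATM talking to a listed C2 address, a high-severity hit for the patchable workstation, and a beaconing alert for the infusion pump calling an unlisted host every 300 seconds. The beaconing rule is deliberately restricted to the watch list: applied to every host it would drown in legitimate polling, which is exactly why the list above says to tag unpatched assets first.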
Our intelligence indicates that these attacks could be very large in scale, and we recommend taking proactive action to protect your organization.