Ukraine, here is the cyber alert in Italy

Start Magazine

The text of the latest bulletins issued by Csirt Italia, the response team in case of cyber incidents set up at the National Cybersecurity Agency

Maximum alert for cyber attacks in Italy. In relation to the evolution of the conflict in Ukraine and the resulting geopolitical situation, the National Cybersecurity Agency again recommends that all national digital infrastructure operators adopt "a posture of maximum cyber defense". The invitation is to launch "all the most urgent prevention and control measures": reduction of attack surfaces, verification that access control to systems is implemented correctly, raising the monitoring levels of IT infrastructures, adoption of plans for the preparation and management of cyber crisis situations, and information exchange with the relevant cyber-security bodies, the Agency first and foremost. "The intensification of malicious activities in cyber space - reports the Csirt Italia (Computer Security Incident Response Team) - increases the possibility that they can generate 'spillover' phenomena outside the assets directly targeted by the campaigns". Here is the full content of the recent bulletin and the latest alert issued by CSIRT Italy.

Raising the defensive posture in relation to the Ukrainian situation (BL01 / 220228 / CSIRT-ITA)
BULLETIN 02/28/2022 16:50

Description and potential impacts

The worsening of malicious activities in cyber space increases the possibility that they can generate spillover phenomena outside the assets directly targeted by the campaigns. The main vectors for conducting such malicious activities from outside the perimeter of corporate networks are:
• use of public communication platforms for the release of malicious code;
• sending phishing emails containing malicious attachments or links in the body of the emails;
• malicious files distributed via peer-to-peer sharing platforms;
• exploitation of known vulnerabilities in internet-facing systems;
• malware released through specially created or compromised websites, for example in watering hole campaigns;
• use of systems that can be abused to amplify the effect of volumetric DDoS attacks (e.g. incorrectly configured LDAP and DNS).

As regards the exploitation of assets inside the network, particular attention must be paid to the rapid detection of anomalies in management and networking systems (as, if compromised, they can facilitate adversary activities), such as:
• patch management systems;
• asset management systems;
• remote management systems;
• security systems (antivirus, firewall, etc.);
• systems assigned to administrators;
• centralized systems for logging, backup, file sharing and storage;
• systems for managing a domain (e.g. Active Directory, LDAP, etc.);
• network devices (routers, switches).

Mitigation actions

With the increase in the risks associated with the malicious activities in progress in the Ukrainian cyberspace, it is necessary to adopt, if not already done, priority protection measures covering the following areas:
• reduction of the external attack surface;
• reduction of the internal attack surface;
• stringent control of access to systems / services;
• monitoring of logs, network traffic and activities performed by administration accounts;
• internal organization for the preparation and management of cyber crises;
• planning of the revision of IT infrastructures with a view to Zero Trust;
• support for internal and external info sharing.

Here are the detailed recommendations.

Reduction of the external attack surface
• perform in-depth asset management of all systems directly or indirectly exposed on the Internet, checking their operating system and installed software (and related patch level), running services, scheduled tasks, firewall rules that allow them to be exposed, protection systems (AV, EDR, WAF, HIPS, NIPS, firewall, CDN, etc.) with their update level and correct configuration, and the availability of everything necessary for the complete reinstallation of the system (golden image, source code, database structure, etc.);
• ensure that the most restrictive security best practices are implemented on all components of these systems, also disabling all unnecessary features / packages;
• remove all DNS records no longer in use;
• implement the following measures on your own authoritative DNS: disabling recursion, limiting recursion to only the necessary clients, and implementing response rate limiting;
• verify the actual need for exposure of the identified systems and, if not necessary, remove them from the Internet;
• patch all the components identified, paying particular attention to using only verified sources for obtaining the update software;
• if patching is not possible due to application limitations, evaluate the possibility of disconnecting the service / asset, implement virtual patching, segregate non-upgradeable components in a dedicated DMZ allowing them only the communications strictly necessary for the operation of the hosted service, and raise the logging and monitoring of these systems to the maximum level;
• check the communication flows available to the exposed assets, reducing them to essential communications only and raising the level of logging and monitoring of these flows;
• if not strictly necessary, block the outgoing traffic of the assets exposed on the Internet.
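The three authoritative-DNS measures listed above (disable recursion, restrict it to the necessary clients, enable response rate limiting) can be checked mechanically. The following is an added example, not code from the bulletin or from CSIRT Italia: a small audit of a BIND `options` block that reports which of the three measures are missing. Both sample configurations are constructed for the example; the ACL addresses and rate-limit values are illustrative, and real configurations with nested braces or `include` statements would need a proper parser rather than these regular expressions.

```python
import re

# Constructed sample: an authoritative BIND "options" block showing the weak
# settings the bulletin warns about (recursion open to any client, no RRL).
WEAK_OPTIONS = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
};
"""

# Constructed sample: the same block with the bulletin's three measures
# applied (recursion disabled, recursion ACL restricted, response rate limiting).
HARDENED_OPTIONS = """
options {
    directory "/var/named";
    recursion no;
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };
    allow-query { any; };
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};
"""


def recursion_enabled(config: str) -> bool:
    """True if 'recursion yes;' is set or the statement is absent (BIND's default)."""
    m = re.search(r"\brecursion\s+(yes|no)\s*;", config)
    return m is None or m.group(1) == "yes"


def allow_recursion_acl(config: str):
    """Return the allow-recursion ACL entries, or None if the statement is absent."""
    m = re.search(r"\ballow-recursion\s*\{([^}]*)\}", config)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def rate_limiting_configured(config: str) -> bool:
    """True if a rate-limit block with a responses-per-second value is present."""
    return re.search(r"\brate-limit\s*\{[^}]*\bresponses-per-second\s+\d+", config) is not None


def audit_named_options(config: str) -> list:
    """Return the findings for one options block as (code, message) tuples."""
    findings = []
    if recursion_enabled(config):
        acl = allow_recursion_acl(config)
        if acl is None or "any" in acl:
            findings.append(("OPEN_RECURSION",
                             "recursion is enabled for any client: set 'recursion no;' "
                             "on an authoritative server or restrict allow-recursion"))
        else:
            findings.append(("RECURSION_ENABLED",
                             "recursion is enabled but limited to an ACL: disable it "
                             "if the server is purely authoritative"))
    if not rate_limiting_configured(config):
        findings.append(("NO_RRL",
                         "response rate limiting is not configured: add a rate-limit block"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(name, audit_named_options(cfg) or "no findings")
```

Run against the weak block the audit reports an open resolver and missing rate limiting; the hardened block produces no findings. A server that keeps recursion on but limits it to an internal ACL is reported separately, because the bulletin accepts that configuration where recursion is genuinely needed.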
Reduction of the internal attack surface
• verify / implement network segmentation, making sure that the client-to-server and server-to-server traffic rules only allow the traffic strictly necessary for the correct functioning of the applications, and that such flows are defined, documented, approved and monitored;
• verify / implement a segregated network for all management of network equipment, storage and virtualization infrastructures;
• verify all access to the Internet, removing, where possible, access that is not strictly necessary, and making sure that the remaining access points offer logging capabilities and the ability to set traffic-blocking rules;
• verify that all the components of the network are correctly registered and managed;
• strengthen the checks carried out by anti-spam systems to reduce the delivery of possible phishing emails;
• carry out internal training sessions for staff, in particular highlighting the risks associated with opening files and links received via e-mail, text messages and instant messaging.

Access control
• implement multi-factor authentication for external and internal services;
• verify / implement the password policy (min. 12 alphanumeric characters, uppercase and lowercase, special characters) and the account lockout policy, also verifying that the passwords entered are not contained in public data breaches (e.g. using the HIBP service) and evaluating whether to force an overall password reset for all users;
• remove the permissions linked to generic groups (e.g. Everyone, Domain Users, Authenticated Users), making sure that each user belongs to the correct authorization group;
• ensure that a dedicated service account is used for each different service and that these are properly documented;
• reduce the permissions granted to service accounts to the minimum level necessary for the proper functioning of the applications, removing where possible the permissions for local and interactive logon, access to network shares, or unnecessary critical data;
• periodically test that backups work (in particular with regard to their retention depth).

Monitoring
• raise the monitoring levels, in particular for accounts with administrative privileges and for service accounts, carefully checking the logs relating to successful / unsuccessful logins, access to network shares, and interactive and network logons performed via remote session;
• monitor network flows, identifying connections made to ports not provided for by the applications;
• monitor events that may represent scanning or enumeration activities;
• ensure that the logging and log collection systems remain adequate in the event of architectural changes and that they cover all the systems present on the network;
• identify and raise the monitoring level of the network / service components that can represent pivot points for the passage between different segments;
• monitor your networks using all available indicators of compromise.
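The password-policy item under Access control combines two checks: composition (at least 12 characters, mixed case, digits, special characters) and a lookup against public breach data via HIBP. The HIBP "Pwned Passwords" range API works on k-anonymity: the client sends only the first five hex characters of the SHA-1 of the password to https://api.pwnedpasswords.com/range/<prefix> and compares the returned suffixes locally, so the password never leaves the organisation. The example below is added here and is not code from the bulletin or from HIBP; to run offline it replaces the HTTP call with a constructed range response (the `lookup_range` function and its fake data are stand-ins, and the filler suffixes are made up).

```python
import hashlib
import string

MIN_LENGTH = 12  # from the bulletin's policy


def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for one HIBP range response. A real response lists
# "SUFFIX:COUNT" lines for every leaked hash sharing the 5-char prefix; here
# the response is built around a known-weak sample password so the example
# runs without network access. The two filler suffixes are made up.
LEAKED_SAMPLE = "Password123!"
_LEAKED_HASH = _sha1_upper(LEAKED_SAMPLE)
FAKE_RANGE_RESPONSES = {
    _LEAKED_HASH[:5]: "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        f"{_LEAKED_HASH[5:]}:12345",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
    ])
}


def lookup_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix> (offline)."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def policy_violations(password: str) -> list:
    """Return the composition rules the password fails; empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in string.punctuation for c in password):
        violations.append("no special character")
    return violations


def breach_count(password: str, lookup=lookup_range) -> int:
    """k-anonymity check: send only the 5-char SHA-1 prefix, match the suffix locally."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(password: str, lookup=lookup_range) -> dict:
    """Combine the composition policy and the breach lookup into one verdict."""
    violations = policy_violations(password)
    count = breach_count(password, lookup)
    return {
        "policy_violations": violations,
        "breach_count": count,
        "acceptable": not violations and count == 0,
    }


if __name__ == "__main__":
    for pw in (LEAKED_SAMPLE, "correct horse"):
        print(repr(pw), check_password(pw))
```

The sample password satisfies every composition rule yet is rejected because it appears in the (constructed) breach data, which is exactly why the bulletin pairs the two checks. In production, `lookup_range` would perform the HTTPS request and the result should be cached per prefix to avoid leaking timing information about which prefixes are being checked.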
Organization

Individuals and organizations are invited to analyze their organizational structure in order to verify that it is adequate for the preparation and management of a high-impact IT incident on their operations, from all points of view, both technological and business.

Planning

In addition to the review of internal plans relating to the management of IT incidents (e.g. incident response plan) and business continuity (e.g. disaster recovery plan, business continuity plan), it is recommended, where not already in place, to start a review of IT infrastructures leading to the adoption of Zero Trust paradigms capable of significantly raising their resilience.

Info sharing

The sharing of information represents an important multiplier in terms of protection of cyber space, and therefore all subjects are invited to monitor the institutional channels of CSIRT Italy and to share with it, through the reporting forms and the email info@csirt.gov.it, any information deemed of interest.
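The Monitoring section of the bulletin above asks for three concrete detections: failed and successful logons of administrative and service accounts, interactive or remote logons by service accounts (which the Access control section says should have that right removed), and network flows to ports the applications do not use. The following is an added example, not part of the bulletin and not CSIRT Italia's tooling: it runs those three rules over a handful of constructed log lines. The account-name prefixes (`adm_`, `svc_`), host names, addresses and the per-server port allow-list are hypothetical conventions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs):
# timestamp, account, result, logon type, target host.
AUTH_EVENTS = """\
2022-02-28T16:50:01 adm_rossi   FAILURE network     srv-file01
2022-02-28T16:50:07 adm_rossi   FAILURE network     srv-file01
2022-02-28T16:50:12 adm_rossi   FAILURE network     srv-file01
2022-02-28T16:50:20 adm_rossi   SUCCESS network     srv-file01
2022-02-28T16:55:00 svc_backup  SUCCESS interactive srv-db01
2022-02-28T17:10:00 m.bianchi   FAILURE network     srv-file01
2022-02-28T17:30:00 svc_backup  SUCCESS network     srv-file01
""".strip().splitlines()

# Constructed sample network flows: timestamp, source, destination host, destination port.
FLOWS = """\
2022-02-28T16:51:00 10.1.20.15 srv-web01  443
2022-02-28T16:51:05 10.1.20.15 srv-db01   1433
2022-02-28T16:51:09 10.1.20.15 srv-db01   3389
2022-02-28T16:52:00 10.1.30.7  srv-file01 445
""".strip().splitlines()

# Hypothetical naming convention and per-server port allow-list.
ADMIN_PREFIX = "adm_"
SERVICE_PREFIX = "svc_"
ALLOWED_PORTS = {"srv-web01": {80, 443}, "srv-db01": {1433}, "srv-file01": {445}}


def parse_auth(line: str) -> dict:
    ts, account, result, logon_type, host = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "result": result, "logon_type": logon_type, "host": host}


def detect_auth_anomalies(lines, window=timedelta(minutes=5), threshold=3) -> list:
    """Flag failure bursts on privileged accounts and interactive/remote service logons."""
    alerts = []
    recent_failures = defaultdict(list)  # account -> timestamps inside the window
    for ev in map(parse_auth, lines):
        acct = ev["account"]
        privileged = acct.startswith((ADMIN_PREFIX, SERVICE_PREFIX))
        if ev["result"] == "FAILURE" and privileged:
            hits = [t for t in recent_failures[acct] if ev["ts"] - t <= window]
            hits.append(ev["ts"])
            if len(hits) >= threshold:
                alerts.append(("PRIVILEGED_FAILED_BURST", acct, ev["host"]))
                hits = []  # reset so one burst raises one alert
            recent_failures[acct] = hits
        if (ev["result"] == "SUCCESS" and acct.startswith(SERVICE_PREFIX)
                and ev["logon_type"] in {"interactive", "remote"}):
            alerts.append(("SERVICE_INTERACTIVE_LOGON", acct, ev["host"]))
    return alerts


def detect_unexpected_ports(lines, allowed=ALLOWED_PORTS) -> list:
    """Flag flows to a server port that its application profile does not provide for."""
    alerts = []
    for line in lines:
        _, src, dst, port = line.split()
        if int(port) not in allowed.get(dst, set()):
            alerts.append(("UNEXPECTED_PORT", src, dst, int(port)))
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_anomalies(AUTH_EVENTS) + detect_unexpected_ports(FLOWS):
        print(alert)
```

On the sample data the rules raise three alerts: a burst of failed logons on an administrative account followed by a success, an interactive logon by a service account, and a connection to port 3389 on a database server whose profile only provides for 1433. The same logic maps directly onto a SIEM correlation rule; the window and threshold are the two parameters to tune against the organisation's own baseline.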

Description and potential impacts

Security researchers have highlighted new malicious activities perpetrated through the well-known instant messaging platforms Discord and Trello, used to distribute links to resources containing malicious files.

Mitigation actions

In light of the above, if these platforms are not strictly necessary for the purposes of your organization, it is advisable to carefully evaluate access to them in order to raise the general security posture.