Dunno about you, but we're seeing an 800% increase in cyberattacks, says one MSP

Revenge and inflation are key drivers behind an 800 percent increase in cyberattacks seen by a managed services provider since the days before the onset of Russia's invasion of Ukraine last month, according to the company's top executive. The attacks are coming not only from groups inside of Russia but also from within the …

  1. msobkow Silver badge

    The internet crosses all borders, and much like people choose sides in "discussions" on forums and social media, so too do the underground actors of all kinds. They are, after all, human beings, even if they don't have "traditional ethics", they do all have some kind of personal ethic.

  2. Version 1.0 Silver badge

    I'm seeing an increase in Malware email deliveries - I'm not surprised and we're ready for it - fingers crossed, touch wood.

  3. PriorKnowledge

    Never been a better time to lock down

    For businesses: If you use Windows then deploy WDAC using a strict whitelist and start restricting outbound communications per-app using Windows Firewall (in addition to only allowing required inbound on workstations). If you use macOS, turn on the firewall and then consider deploying Santa, while Linux desktop users should get fapolicyd in place. TLS versions older than 1.2 should be blocked (IISCrypto can help with this on Windows) and a solution like chocolatey (Windows) or homebrew (macOS) should be adopted at a minimum to run on a schedule to auto-patch any non-store apps. Start using GPOs or MDM to block macros and remote links in any documents which aren’t in trusted locations. Possibly consider adopting a service to rewrite all Internet URLs in inbound emails to point to a service which checks against phishing databases while implementing strict attachment policies to block abused file types completely.

    Home users should: Switch off UPnP on their routers. Get Windows Defender set up with Cloud Extended Protection set to Zero Tolerance; macOS users can grab Sophos for free to supplement the built-in XProtect. Also, adopt OpenDNS FamilyShield, Cloudflare filtered DNS (e.g. 1.1.1.3) or Quad9 to block known malicious domains. Install uBlock Origin and NoScript to help protect web browsers from zero days. If using Chrome with a Google Account, then turn on Enhanced Protection. If using Edge, make sure SmartScreen is enabled. Enforce that all websites be accessed via HTTPS. Disable macros outright in office products. Most importantly, avoid pirating things if you can afford to, as untrusted video, music and image files can and will be weaponised. If you must, use Windows Sandbox or a free version of VMware to run a disposable virtual machine to download and fully transcode pirated content beforehand to clean it prior to use.

    1. Clausewitz 4.0 Bronze badge

      Re: Never been a better time to lock down

      Whitelist does not work well if the attacker uses legitimate Windows binaries to sideload DLLs, or PowerShell. A popular brand of ATM uses whitelisting, but attacks using DLLs are still possible.

      Firewalls are useless with GitHub, YouTube, Google Drive used as C2. CANVAS from ImmunityInc uses these also.

      Finally, zero days.

      1. man_iii

        Re: Never been a better time to lock down

        I don't let anyone run windblows on my home network. It's all Linux or Android devices or nothing.

        More people should do the same where possible. Replace Windows with Linux and Android at least.

        1. Potemkine! Silver badge

          Re: Never been a better time to lock down

          If you think Linux (and worse, Android) is safe, you're wrong.

      2. PriorKnowledge

        WDAC covers DLLs and drivers by default

        …and PowerShell can be blocked for end-users via GPO. WDAC will also prevent a custom compiled version which ignores the GPO from running, thanks to policy being applied via digital signatures. You can also block cmd.exe, WSH and all other common avenues of automation for regular user accounts this way, while WDAC prevents an attacker from using custom binaries to bypass group policy.

        Give it a go and you will find sideloading DLLs which aren’t whitelisted won’t help, the app will just fail to execute. Even setting up a “debugger” via the registry will fall over. If you choose to enforce it for MSIL (not the default), even locally-created DLLs made by ngen.exe will be blocked!
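A worked version of the Windows hardening that PriorKnowledge describes in the two comments above (per-app outbound firewall rules, a WDAC policy built from a reference machine, macro blocking, retiring pre-1.2 TLS, and the non-default WDAC option that extends enforcement to .NET/MSIL code). This is an added illustration, not code from the commenter or from The Register; the application path and the policy output folder are placeholders, and the policy is generated in audit mode first so the CodeIntegrity event log can be reviewed before anything is enforced.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on a
# reference workstation. Paths marked "placeholder" are assumptions.

# --- 1. Windows Firewall: default-deny in both directions, then allow per app ---
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Placeholder: an application that genuinely needs outbound Internet access.
$allowedApp = 'C:\Program Files\ExampleVendor\ExampleApp.exe'
New-NetFirewallRule -DisplayName 'Allow ExampleApp outbound' -Direction Outbound `
    -Program $allowedApp -Action Allow -Profile Any

# --- 2. WDAC: audit-mode allow-list from what is installed on this machine ---
$policyDir = 'C:\WDAC'                          # placeholder output folder
$policyXml = Join-Path $policyDir 'AuditPolicy.xml'
New-Item -ItemType Directory -Path $policyDir -Force | Out-Null

# Publisher-level rules survive vendor updates; hash fallback covers unsigned files.
# -UserPEs makes the policy cover user-mode binaries (EXEs and DLLs alike).
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $policyXml -UserPEs -ScanPath 'C:\'

# Option 19 ("Dynamic Code Security") is the non-default switch that applies the
# policy to .NET/MSIL code and dynamically loaded assemblies as the second comment notes.
Set-RuleOption -FilePath $policyXml -Option 19

# Option 3 is audit mode. Leave it on until the event log below is clean, then
# remove it (Set-RuleOption -FilePath $policyXml -Option 3 -Delete) and redeploy.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath (Join-Path $policyDir 'SIPolicy.p7b')
# Deploy by copying SIPolicy.p7b to C:\Windows\System32\CodeIntegrity\ and rebooting.

# Review what audit mode would have blocked: event 3076 = audit-mode "would block",
# 3077 = enforced block. Anything legitimate here needs a rule before enforcing.
function Get-WdacAuditHits {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076, 3077
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}
Get-WdacAuditHits | Format-Table -AutoSize

# --- 3. Office: block macros in documents that came from the Internet (Office 2016+) ---
$officeKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
New-Item -Path $officeKey -Force | Out-Null
Set-ItemProperty -Path $officeKey -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord

# --- 4. SCHANNEL: disable TLS 1.0 and 1.1 server- and client-side (what IISCrypto does) ---
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Server', 'Client') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\$side"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'Enabled' -Value 0 -Type DWord
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -Type DWord
    }
}
# SCHANNEL settings take effect after a reboot.
```

The order matters: the firewall default-deny is reversible immediately, but a WDAC policy that is enforced before the audit log has been reviewed will block unlisted line-of-business software on the next reboot, which is why the block leaves option 3 in place and surfaces the 3076 events for review first.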


Biting the hand that feeds IT © 1998–2022