FBI Warns: Use 2FA As Time Traveling Hackers Strike

The Federal Bureau of Investigation (FBI) has issued a critical security advisory in response to the recent Medusa ransomware attacks that have affected at least 300 critical infrastructure targets. The FBI warning comes as time-traveling hackers, who have been creatively abusing system misconfigurations, strike again.

A Recap of the Medusa Ransomware Attacks

Medusa, a notorious ransomware strain, has been making headlines with an aggressive campaign that combines social engineering with the exploitation of unpatched software vulnerabilities. The FBI outlined the tactics, techniques, and procedures (TTPs) associated with the Medusa attacks in its cybersecurity advisory AA25-071A. Since then, numerous technical details about the Medusa malware have come to light, including the methods it uses to disable anti-malware protections.

A Twist: Time Travel

However, what gives the story its unexpected twist is the emergence of a time-traveling hacking technique used by the Medusa attackers. According to Boris Cipot, a senior security engineer at Black Duck, the issue lies with system misconfigurations that allow attackers to bypass security controls. In essence, the attackers are exploiting expired security certificates signed in 2012, which were once valid.

Cipot explained how this works: "The malware is effectively changing the system date to a time when the certificate" (the one that signed a certain driver) "was still valid." Because the clock now sits inside the certificate's validity window, the driver whose signature has in reality expired is treated as perfectly valid, accepted as such, and loaded like any other. The result? A security breach achieved with nothing more than a little creativity on the attackers' part.

Mitigation Advice

To mitigate this kind of time travel hackery, Cipot emphasized the importance of a combination of best-in-class endpoint protection, strict policy enforcement, and proactive monitoring. Detecting system configuration changes is also crucial, since it was the system time changes that proved central to the failure of security protections in the Medusa attacks.

Windows should be configured to enforce strict revocation checks for signed drivers and to block expired certificates. Furthermore, many of Microsoft's out-of-the-box security features are not active simply because they have been switched off, often for convenience or to allow older software and drivers to run without complaint.
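The detection Cipot recommends can be illustrated with a small script. This is an added example, not code from the article, the FBI advisory or Black Duck: it scans Windows Security event 4616 ("The system time was changed") records for backward clock jumps larger than a normal NTP correction and checks whether the new clock value would bring a constructed, already-expired driver-signing certificate back into its validity window. The event lines, the certificate dates and the pipe-separated format are constructed for the example; real 4616 events carry the same PreviousTime and NewTime values inside the event XML.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events: "EventID|PreviousTime|NewTime".
# Line 2 rewinds the clock to mid-2012; lines 1 and 3 are a small
# correction and the restore of the real time after the driver loaded.
SAMPLE_EVENTS = """\
4616|2025-03-14T10:00:03Z|2025-03-14T10:00:05Z
4616|2025-03-14T10:02:11Z|2012-06-01T08:00:00Z
4616|2012-06-01T08:00:04Z|2025-03-14T10:05:00Z
"""

# Constructed validity window of an expired driver-signing certificate.
CERT_NOT_BEFORE = datetime(2011, 1, 1, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2013, 12, 31, 23, 59, 59, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the UTC timestamp format used in the sample lines."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cert_valid_at(when, not_before=CERT_NOT_BEFORE, not_after=CERT_NOT_AFTER):
    """The naive time-only check the attack relies on: is `when` inside the window?"""
    return not_before <= when <= not_after


def find_backdating(events, threshold=timedelta(days=1)):
    """Return one alert per 4616 event that moved the clock backward by more
    than `threshold`. Small backward steps are normal NTP slew; a jump of
    years is not, so the threshold separates the two."""
    alerts = []
    for line in events.strip().splitlines():
        event_id, previous_raw, new_raw = line.split("|")
        if event_id != "4616":
            continue
        previous, new = parse_ts(previous_raw), parse_ts(new_raw)
        rewind = previous - new
        if rewind > threshold:
            alerts.append({
                "previous": previous,
                "new": new,
                "rewound_days": rewind.days,
                # True when the rewind alone turns an expired cert "valid" again.
                "revives_expired_cert": cert_valid_at(new) and not cert_valid_at(previous),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_backdating(SAMPLE_EVENTS):
        print(f"clock rewound {alert['rewound_days']} days to {alert['new']:%Y-%m-%d}; "
              f"revives expired cert: {alert['revives_expired_cert']}")
```

On a real host the same logic applies to the PreviousTime and NewTime fields of event 4616; correlating such an alert with a driver load shortly afterwards is the signal worth acting on.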

FBI Recommendations

The FBI has also issued several recommendations to help prevent Medusa-style attacks:

* Enable 2FA where possible, but particularly for webmail services such as Gmail, Outlook, and others, as well as virtual private networks (VPNs) that can access critical systems.
* Use long passwords on all accounts that require them.
* Avoid imposing a requirement for frequent password changes, as these can do more harm than good.
* Ensure all operating systems are kept up to date alongside software and firmware updates.
* Prioritize patching when it comes to those internet-facing systems where a known vulnerability is concerned.

Take Action Now

"My advice?" says Cipot. "Listen to both the FBI and me, as we know what we are talking about. And don't wait for Medusa to strike – act today, or your systems could get attacked by hackers from 2012."