FBI Warning: Enable 2FA for Gmail, Outlook, and VPNs Now
The Federal Bureau of Investigation (FBI) has issued a warning about the growing threat of Medusa ransomware attacks, which have already impacted at least 300 victims in the critical infrastructure sector since June 2021. The FBI's latest industry alert emphasizes the importance of taking immediate action to mitigate these threats, and the solution lies in enabling two-factor authentication (2FA) for webmail services such as Gmail and Outlook, as well as VPNs.
In partnership with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI issued a joint cybersecurity advisory on March 12 to warn organizations about the Medusa ransomware group's tactics, techniques, and procedures. The full alert provides detailed technical information on the Medusa operation, but for this article, we will focus on the attack mitigation advice offered by the FBI.
According to the FBI, the immediate actions that all organizations should take to mitigate the Medusa ransomware attack campaigns are:
- Enable 2FA for webmail services such as Gmail and Outlook
- Enable 2FA for VPNs
The FBI's advice is clear: enable 2FA now to protect against these sophisticated threats. However, not everyone is happy with this advice. Roger Grimes, a data-driven defence evangelist at KnowBe4, has expressed concerns that the warning continues a long tradition of "warning people about ransomware that spreads using social engineering, but then does not suggest security awareness training as a primary way to defeat it."
"It's like learning that criminals are breaking into your house all the time through the windows and then recommending more locks for the doors," Grimes said. "Social engineering is involved in 70% - 90% of all successful hacking attacks, yet awareness isn't mentioned in the 15 recommended mitigations." He warned that such a continued misalignment between the ways we are most often attacked by threat actors and how we are told to defend ourselves enables hackers to continue to be successful.
"The hackers must be laughing," Grimes concluded. "Enabling 2FA is an easy solution, but it's not a silver bullet. We need to focus on security awareness training as well."
It's essential to take the FBI's advice seriously and enable 2FA for your webmail services and VPNs immediately. Remember, prevention is key in the face of such sophisticated threats. Stay vigilant and stay safe online.