CERT NZ urges businesses to disable Remote Desktop Protocol due to cyber risks
CERT NZ says New Zealand businesses should 'urgently' review their remote access systems and remote working technologies to prevent ransomware attacks.
According to CERT NZ, most ransomware attacks can be traced back, in part, to poorly configured remote access systems such as Remote Desktop Protocol (RDP). Attackers use vulnerabilities within RDP to conduct their attacks via the internet.
BlueKeep is an example of a vulnerability in Microsoft Remote Desktop Services which, if left unpatched, could enable attackers to gain access to affected systems to install a cryptocurrency miner.
CERT NZ threats and vulnerabilities principal advisor Michael Shearer says organisations should 'urgently review' their remote access systems and secure them.
CERT NZ states that attackers can use several methods to gain access to systems, but they can conduct more damaging attacks once they have accessed RDP.
"Regardless of what technology organisations use to enable remote working, it's important to keep your system up to date and enable two-factor authentication for logins," says Shearer.
In many cases, organisations do not need to enable RDP because there are other solutions such as virtual private networks (VPNs) and virtual desktop products.
VPNs should be supported by multi-factor authentication and should keep activity logs. Organisations must also patch VPN endpoints and put network controls in place.
"Recent events have brought to light the devastating effects a ransomware attack can have on an organisation. There's been an increasing trend of these types of attacks globally over the past 18 months, and they're only going to continue," says Shearer.
CERT NZ's latest quarterly report showed that between April and June 2021, CERT received 30 reports of ransomware attacks - the highest number ever reported within a single quarter.
"These figures do not paint a complete picture of the extent of ransom attacks in New Zealand. These numbers only reflect what has been reported to us; however, conversations with our industry partners indicate there are a lot more attacks happening."
Organisations that need to use RDP internally or externally need to harden their server and service, in addition to client-side hardening.
CERT NZ encourages organisations affected by a ransomware attack to report it using CERT NZ's online reporting tool at www.cert.govt.nz/report, or by calling the CERT NZ contact centre on 0800 CERT NZ.
CERT NZ says it is working with internet service providers to contact organisations that use internet-exposed RDP to provide advice on how they can make remote working more secure.