Ransomware Threats Affecting the Public Sector

By and on Nov 18, 2021

In the October 2021 Threat Report, McAfee Enterprise ATR provides a global view of the top threats, especially those ransomware attacks that affected most countries and sectors in Q2 2021, especially in the Public Sector (Government).


In June 2021 the G7 economies urged countries that may harbor criminal ransomware groups to take accountability for tracking them down and disrupting their operations. Let’s review the high severity campaigns and threat profiles added to MVISION Insights recently.

Threat Profile Conti Ransomware & BazarLoader to Conti Ransomware in 32hrs

Conti has been one of the top Ransomware groups in 2021, including a new campaign reported in September 2021. As mentioned earlier in this report, the public sector seems to be the sector most affected by Ransomware attacks. McAfee Enterprise provides regular publications on the strategies to defend against ransomware, such as this blog.

Other Recent Threats Affecting the Public Sector

CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability

This is a serious Microsoft Office vulnerability reported in September 2021 by Microsoft, McAfee Enterprise and other sources. The MVISION Insights heat map shows the prevalence of the Indicators of Compromise (IOCs) associated with this threat in the first half of October 2021.

Although Microsoft has provided guidance on a workaround, it can be challenging for many public sector organizations to deploy these patches quickly. To help you be more agile, McAfee Enterprise has released its own guidance leveraging ENS, EDR and NSP.

Microsoft Office vulnerabilities are commonly exploited in the early phases of the attack lifecycle. BazarLoader, mentioned earlier with the Conti Ransomware, has also been used with Word and Excel documents. In the MITRE Enterprise ATT&CK framework this technique is known as T1203, which we can find in 177 campaigns and threat profiles in MVISION Insights.

Threat Profile APT41 & APT41 Malware Identified Doing the ChaCha at SAS21

APT41 is a state sponsored threat group linked to China and associated with multiple campaigns, including a new campaign reported in September 2021. Although Ransomware is currently the main cyber threat type which hits the news, state sponsored threat groups are equally concerning, especially in the public sector for organizations with sensitive government and citizen data, which could be potentially exploited by a foreign nation like China.

In the second part of this report, we highlight how you can leverage the data from MVISION Insights to find traces of these attacks to enhance your level of protection.

Cloud Threats Affecting the Public Sector

In the October 2021 Threat Report, McAfee Enterprise ATR also assessed the prevalence of Cloud Threats, identifying the US Government sector as one of the top 10 verticals affected.

Many governments are moving quickly to adopt cloud technologies to bring services for their citizens, for collaboration and cost savings.

Inadequate readiness to address cloud security has been the primary contributor of these threats. Several cloud-native controls exist to protect sensitive data from loss or theft in real time, such as:

Operationalize Threat Intelligence

In the second part of this report, we want to give you some guidance on how you can operationalize this threat intelligence data to better protect your networks. MVISION Insights can help operationalize McAfee Enterprise Threat Intelligence data by providing risk assessment against threats affecting you, protective guidance and integrating with other tools to share threat data.

Let’s take the previous example of the Conti Ransomware Threat Profile. Below you can see how MVISION Insights provides:

1. A short description with the list of CVEs linked to this threat profile, the minimum version of McAfee Enterprise ENS AMcore content to be correctly protected against this threat, detections in your environment and on which device.

2. The list of related campaigns, the devices with unresolved detections related to these campaigns or those with insufficient protections.

3. The list of MITRE techniques and tools, which provide a universal and agnostic overlay of the threats, as well as details on the observables specific to this threat profile for each MITRE technique.

4. The list of IOCs with filters, IOC attributes, and IOC export features which you can use to share them with your other solutions, such as your SIEM, and which you can also share with other public sector entities. We also provide a direct integration with MVISION EDR. Alternatively, you can leverage the APIs to automate the exchange of IOCs.

If you find devices with these IOCs in MVISION EDR you can take immediate remote actions such as quarantine the device, kill the process, remove the files, or run custom scripts.

You can also use MVISION EDR for more advanced threat hunting such as searching for specific MITRE techniques in all MVISION EDR alerts …

… or in the MVISION EDR monitoring view which automatically groups the alerts.

5. MVISION Insights also provides hunting rules created by McAfee Enterprise Threat Intelligence experts using Yara, Sigma and McAfee Enterprise ENS expert rules.

6. A proactive assessment of your Endpoint and Cloud security posture score with guidance on the configuration changes which you should follow to ensure that your McAfee Enterprise Endpoint and Cloud solutions are protecting you with their full capabilities.

7. And all this, with more than 1,200 threat campaigns and threat profiles

MVISION APIs give you the ability to integrate and to exchange this extensive Threat Intelligence data with your SOC tools, including Threat Intelligence Platforms (TIPs) and Security Orchestration Automation and Response (SOAR).

These integrations can be used both in Internet-facing and closed networks. For advanced Threat Intelligence teams, our Advanced Program Group (APG) provides “Threat Intelligence as a Service” (INTAAS) including:

  • Access to the unaggregated raw data behind MVISION Insights
  • Access to McAfee Private Global Threat Intelligence (GTI)
  • Threat Assessments
  • Adversary Monitoring and Attribution
  • IOC enrichment
  • Reverse Engineering

Summary

To conclude, here is a summary of the use cases you can achieve with MVISION Insights in the public sector:

  1. Start your threat intelligence program despite a lack of time and expertise
  2. Improve your existing Threat Intelligence program
  3. Check whether you have been breached by leveraging McAfee Enterprise ENS and NPS
  4. Predict threats, including ransomwares, that are most likely going to hit you
  5. Prioritize threat hunting using the most relevant indicators
  6. Enrich investigations with MVISION EDR/XDR
  7. Integrate with your other SOC solutions
  8. Deliver on-premise Threat Intelligence for restricted networks
  9. Proactively assess your protection status with McAfee Enterprise ENS and MVISION Cloud
  10. Improve Zero Trust with Threat Intelligence

If you want to learn more on our Threat Intelligence capabilities and participate in Architecture or Incident Response Workshops, contact your local McAfee Enterprise representative.

About the Author

Nicolas Stricher

Nicolas Stricher is a McAfee Advanced Technology Specialist for EMEA. Nicolas has over 20 years’ experience in the Cyber Security Industry. As part of his current role he helps McAfee Sales Engineers position and design McAfee threat intelligence and security operation solutions. He is also a regular presenter at the McAfee Enterprise Briefing Center (EBC).

Read more posts from Nicolas Stricher

Mo Cashman

Mo Cashman is one of the company’s passionate leaders in cyber security. As an Enterprise Security Architect and Principal Engineer at McAfee, Mo advises our largest global customers and partners on their cyber threat management and data protection strategies for the digital enterprise. Mo’s passion is to inspire our next generation security professionals as well ...

Read more posts from Mo Cashman

Categories: McAfee Enterprise

Subscribe to McAfee Securing Tomorrow Blogs