Leading up to the holiday weekend, federal agencies warn of cyberattacks

Ahead of Labor Day, federal agencies are warning local governments about an increased risk of cyberattacks. Historically, holiday weekends pose an opportunity for cybercriminals because many people aren’t working and networks are vulnerable. 

An advisory published Tuesday by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) notes that municipalities should take preemptive defense measures. In general, administrators should be “especially diligent in your network defense practices in the run up to holidays and weekends, based on recent actor tactics, techniques, and procedures and cyberattacks over holidays and weekends during the past few months.”

Specifically, the advisory notes a ransomware attack that crippled the Colonial Pipeline’s digital infrastructure just before Mother’s Day, halting much of the United States’ oil supply chain for about a week. A short while later, a Memorial Day attack on JBS SA, the world’s largest meat company, forced a shutdown of all U.S. beef plants—impacting almost a quarter of America’s beef supply.

During the Independence Day weekend, the Miami-based IT and software security company Kayesa was targeted by a sweeping ransomware attack impacting between 800 and 1,500 small- to medium-sized businesses. It was one of the largest cyberattacks ever recorded.

In light of the increased risk, CISA and the FBI recommend “threat hunting” measures, or searching for signs of criminal activity to prevent an attack before it materializes—and to minimize damage if it does.

“Threat actors can be present on a victim network long before they lock down a system, alerting the victim to the ransomware attack,” the advisory says. Before revealing themselves on the server, perpetrators will “often search through a network to find and compromise the most critical or lucrative targets. Many will exfiltrate large amounts of data.”

To that end, establishing a baseline of a server’s normal activity can help administrators identify future anomalies and suspicious traffic patterns. Additionally, reviewing historic data logs can reveal clues like “numerous failed file modifications, increased CPU and disk activity, inability to access certain files and unusual network communications,” the advisory says.

Other indicators to watch out for include: Unusual inbound and outbound network traffic; compromise of administrator privileges or escalation of the permissions on an account; theft of login and password credentials; a substantial increase in database read volume; geographical irregularities in access and login patterns; attempted user activity during anomalous logon times; attempts to access folders on a server that are not linked to the HTML within the pages of the web server; and baseline deviations in the type of outbound encrypted traffic since advanced persistent threat actors frequently encrypt exfiltration.

“Ransomware continues to be a national security threat and a critical challenge, but it is not insurmountable,” said Eric Goldstein, CISA’s executive assistant director for cybersecurity in a statement. “All organizations must continue to be vigilant against this ongoing threat.” 

In recent years, the frequency of cyberattacks targeting government organizations has increased. Last Wednesday, ransomware temporarily crippled the Boston Public Library’s servers. In a statement, officials noted that while there’s “no evidence that sensitive employee or patron data has been disclosed,” the attack took down “public computer and public printing services, as well as some online resources. Affected systems were taken offline immediately, and proactive steps were taken to isolate the problem and shutdown network communication.”

As of Tuesday, the library said it’s “continuing to rebuild and securely restore our systems, assisted by an expert team of consultants.” 

Notably, CISA and the FBI recommend that victims shouldn’t pay ransoms. There’s no guarantee that payment will prompt the perpetrators to release the information, and “Payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of malware, and/or fund illicit activities,” the advisory says. 

Other mitigation measures that can be taken include backing up data to an offline server; limiting access to resources over internal networks; monitoring remote access logs; and making sure software is properly configured and updated. strongly discourage paying a ransom to criminal actors. Payment does not guarantee files will be recovered, nor does it ensure protection from future breaches.