As the Russian cyberattacks on Ukraine show, some attackers seek to destroy systems rather than steal data or extort money, and a different approach is needed to protect against this.
Russian cyberattacks against Ukrainian companies are a reminder that the attacker is not always looking to steal data or extort money. Sometimes the goal is simply to cause as much damage as possible. Microsoft and Mandiant recently released information about these destructive attacks and how best to protect against them. No matter where the business is located, there are always lessons to be learned about the modus operandi of these attacks and how to mitigate them. The attacks in question against Ukraine have been very destructive. As Microsoft states in its blog, “the malware overwrites the MBR (Master Boot Record) without a recovery mechanism.” The overwrite prevents the system from booting and cannot be repaired other than by a full reinstallation or recovery from a system backup. The first lesson to be learned is therefore to ensure that the company has the tools and resources necessary to completely redeploy the images of its workstations or recover its platforms. Mandiant’s document includes operational guidance on best practices to protect against damage and destruction resulting from similar attacks and to assess the safeguards in place.
Protect external devices and systems with multi-factor authentication
Mandiant recommends starting with external devices. For a long time, apart from strong perimeter protection, the internal network was quite weakly protected and monitored. Once the attacker succeeded in penetrating this perimeter, it was quite easy to launch lateral attacks inside the network resources. Therefore, the first thing to do is to verify that external devices and everything that allows remote access is protected by multi-factor authentication. No one and no device should be allowed to log in with just a username and password. Ensure that each edge device supports a native authentication application and does not accept a simple password login. The network doesn’t have to be 100% secure, but it should be just a little more secure than the network next to yours.
Identify high value targets
Identifying high-value targets on a network that could be subject to destructive attacks is also a good practice. The key solution, which has been around for years, isn’t revolutionary: backup. Backups should be rotated regularly to ensure that the company has off-site and off-domain backup media. If all backup storage locations are linked to a domain and the attacker manages to access them, then the attack may affect the backups themselves. Access to the virtualization infrastructure must therefore be restricted to a few accounts designed and protected accordingly. Again, when it comes to protecting Hyper-V and other virtualization platforms, one must think about implementing two-factor authentication and other privileged access processes.
Protect your network against lateral movements
A review of the lateral movement guards is also necessary. For example, deploying Local Administrator Password Solution (LAPS) can prevent lateral movement when the same local administrator password is shared across machines. Another point to check is the usage of typical firewall ports that attackers target for lateral access, and more specifically ports 445, 135 and 139. It is important to know which workstations and servers are listening on these ports and to take steps to isolate and limit firewall ports in the network.
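One way to build that inventory on a Windows host, as an added example that is not from the article or from Mandiant’s document: list which processes listen on 445, 135 and 139 and which enabled inbound firewall rules admit those ports, and from where. It assumes an elevated PowerShell session with the NetSecurity module (Windows 8/Server 2012 and later); port ranges in rules are reported but not expanded.

```powershell
# Added example (not from the article or Mandiant): inventory local listeners on the
# lateral-movement ports named above and the inbound firewall rules that admit them.
# Run in an elevated PowerShell on each host, or remotely via Invoke-Command.
$LateralPorts = 445, 135, 139   # SMB, RPC endpoint mapper, NetBIOS session

function Get-LateralMovementExposure {
    param([int[]]$Ports = $LateralPorts)

    # Which processes hold a listening socket on these ports?
    $listeners = Get-NetTCPConnection -State Listen |
        Where-Object { $Ports -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Host         = $env:COMPUTERNAME
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        }

    # Which enabled inbound allow rules cover these ports, and from which remote addresses?
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $rule = $_
            $pf = $rule | Get-NetFirewallPortFilter
            $af = $rule | Get-NetFirewallAddressFilter
            # LocalPort may be 'Any', a single port, a range such as '135-139', or an array
            $rulePorts = @($pf.LocalPort)
            $match = ($rulePorts -contains 'Any') -or
                     [bool]($Ports | Where-Object { $rulePorts -contains "$_" })
            if ($match) {
                [pscustomobject]@{
                    Host       = $env:COMPUTERNAME
                    Rule       = $rule.DisplayName
                    Profile    = $rule.Profile
                    LocalPort  = ($rulePorts -join ',')
                    RemoteAddr = (@($af.RemoteAddress) -join ',')   # 'Any' = reachable from the whole network
                }
            }
        }

    [pscustomobject]@{ Listeners = $listeners; AllowRules = $rules }
}

$report = Get-LateralMovementExposure
$report.Listeners | Format-Table -AutoSize
# Rules whose RemoteAddr is 'Any' are the candidates to scope to a management subnet or disable.
$report.AllowRules | Where-Object { $_.RemoteAddr -eq 'Any' } | Format-Table -AutoSize
```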
Examine usage and exposure of remote protocols
First of all, it must be ensured that the Remote Desktop Protocol (RDP) is not exposed to the outside. Where it is, limit RDP to only the devices that need it. As Mandiant recommends, on sensitive devices it is important to block the following remote protocols: File and Print Sharing, Remote Desktop, Windows Management Instrumentation (WMI), and Windows Remote Management. This involves reviewing how IT staff manage and maintain systems. The old method of logging into servers and workstations remotely is no longer secure. From now on, it must be ensured that the company’s own management processes do not introduce insecurity into the process.
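The blocking step above, as an added example that is not from the article or from Mandiant: disable the built-in inbound Windows Defender Firewall rule groups for the four protocols on a sensitive server, then re-admit RDP only from a management subnet. The subnet 10.0.50.0/24 and the rule name are assumptions; run it from the console or an out-of-band channel, since it will drop an existing RDP session.

```powershell
# Added example (not from the article or Mandiant): on a server that must not accept
# these remote protocols, disable the built-in inbound rule groups, then re-admit RDP
# only from an assumed management subnet. Adjust the subnet before use.
$ManagementSubnet = '10.0.50.0/24'   # assumption: where the admin jump hosts live

# Built-in Windows Defender Firewall rule groups, matched to the protocols Mandiant lists
$RemoteProtocolGroups = @(
    'File and Printer Sharing',                  # SMB/NetBIOS, ports 445/139
    'Remote Desktop',                            # RDP, port 3389
    'Windows Management Instrumentation (WMI)',  # DCOM/RPC, port 135 plus dynamic ports
    'Windows Remote Management'                  # WinRM, ports 5985/5986
)

function Disable-RemoteProtocolInbound {
    param([string[]]$Groups = $RemoteProtocolGroups)
    foreach ($g in $Groups) {
        $rules = Get-NetFirewallRule -DisplayGroup $g -Direction Inbound -ErrorAction SilentlyContinue
        if (-not $rules) { Write-Warning "No inbound rules found for group '$g'"; continue }
        $rules | Disable-NetFirewallRule
        Write-Output "Disabled $(@($rules).Count) inbound rule(s): $g"
    }
}

function Set-RdpManagementOnlyRule {
    param([string]$Subnet = $ManagementSubnet)
    $name = 'Hardening - RDP from management subnet only'   # assumed rule name
    # Idempotent: replace any earlier copy of this rule before creating it
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $Subnet -Profile Domain | Out-Null
    Write-Output "RDP now admitted only from $Subnet"
}

function Test-RemoteProtocolInboundDisabled {
    # Returns $true when no enabled inbound rule remains in the listed groups
    $stillOn = foreach ($g in $RemoteProtocolGroups) {
        Get-NetFirewallRule -DisplayGroup $g -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    }
    return (-not $stillOn)
}

Disable-RemoteProtocolInbound
Set-RdpManagementOnlyRule
Test-RemoteProtocolInboundDisabled   # expected: True once the groups are off
```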
Check exposed or inherited passwords
Usernames and passwords are a key access point and therefore a key point of attack. Reusing passwords is common practice. Additionally, applications often store credentials on systems and thus introduce weaknesses. Mandiant reminds us that networks hold passwords in places we are not always aware of. Many people use Active Directory (AD) networks that have been upgraded over time from older, less secure AD infrastructure. However, it is possible that old parameters have been retained on the network. This is the case, for example, with the WDigest parameter. Even though WDigest authentication is now disabled by default in Windows 8.1 and Windows Server 2012 R2 and later versions, it may happen that clear-text passwords are still stored in LSASS memory to support authentication. Mandiant recommends deleting the registry key below to block saving passwords:
REG_DWORD = “0”
Additionally, older systems may retain the WDigest password, making it easy for attackers to harvest this information.
Implement Windows Defender Credential Guard
As Steve Syfuhs points out on his Steve on Security blog, Windows’ Credential Guard service “prevents credential theft from a machine.” Credential Guard “protects the secrets used by Windows for single sign-on (SSO) against theft and their use on other machines”. Certain documented Windows APIs allow software to access the credentials and secrets held in memory. Microsoft cannot disable these APIs because a lot of professional software depends on them. Implementing Credential Guard makes access to this information more complicated for attackers. Most of Mandiant’s recommendations are applicable on current networks. You don’t need to deploy a new Windows 11 server or desktop system to implement most of these recommendations. You just have to do some testing and spend a little time making the necessary adjustments. There is no need to wait to make a network more difficult to attack. Better to push attackers toward a less secure network than to let them attack the main corporate network.
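An audit of both credential protections discussed in the two sections above (the WDigest setting and Credential Guard) on the local host, as an added example that is not from the article, Mandiant or Microsoft. It assumes an elevated PowerShell session; the WDigest value path and the Device Guard WMI class are standard Windows locations, and the enforcement function is only invoked when you uncomment it.

```powershell
# Added example (not from the article, Mandiant or Microsoft): audit the WDigest
# UseLogonCredential value and the Credential Guard state on this host.
$WDigestKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$WDigestValue = 'UseLogonCredential'   # 1 = keep clear-text passwords in LSASS, 0 = do not

function Get-WDigestStatus {
    $v = Get-ItemProperty -Path $WDigestKey -Name $WDigestValue -ErrorAction SilentlyContinue
    if ($null -eq $v) {
        # Value absent: Windows 8.1 / Server 2012 R2 and later default to disabled, but
        # older systems that honour the value default to enabled, so absence is not safe everywhere
        $state = 'NotSet (relies on OS default)'
    } elseif ($v.$WDigestValue -eq 0) {
        $state = 'Disabled'
    } else {
        $state = 'ENABLED - clear-text passwords kept in LSASS'
    }
    [pscustomobject]@{ Check = 'WDigest UseLogonCredential'; State = $state }
}

function Set-WDigestDisabled {
    # Explicitly set the value to 0 so the result no longer depends on the OS default
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    New-ItemProperty -Path $WDigestKey -Name $WDigestValue -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-CredentialGuardStatus {
    # The Device Guard WMI class lists VBS services; service code 1 = Credential Guard
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($null -eq $dg) { $state = 'Unknown (class not available; pre-Windows 10 host?)' }
    elseif ($dg.SecurityServicesRunning -contains 1) { $state = 'Running' }
    elseif ($dg.SecurityServicesConfigured -contains 1) { $state = 'Configured but not running (reboot or VBS prerequisites missing)' }
    else { $state = 'NOT configured' }
    [pscustomobject]@{ Check = 'Credential Guard'; State = $state }
}

Get-WDigestStatus
Get-CredentialGuardStatus
# To enforce the WDigest recommendation from an elevated prompt, uncomment:
# Set-WDigestDisabled
```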