Making it to the May holidays: what to do so that the "long" weekend is not overshadowed by cyberattacks
Holidays, public holidays, any "extra" days off are an opportunity for attackers. Their calculation is simple: the fewer defenders are at their workplaces, the higher the chances of breaching the perimeter, gaining a foothold and causing damage. It was the same last year: at the beginning of May 2024 we were asked to help investigate two serious cybersecurity incidents that occurred during the May holidays. The attackers targeted and destroyed the virtual infrastructure of large organizations and temporarily paralyzed their business operations. The weekend was ruined not only for our on-duty experts but also for representatives of the affected organizations, who had to trade nature and barbecue for servers and logs.
Unfortunately, we have no reason to believe that the situation with attacks during the holidays will change this year, as the number of incidents keeps growing. From the beginning of the year through mid-April we have already investigated almost thirty incidents; a year ago, by the same time, there had been just over twenty. That is why, ahead of the long weekend, we want to remind you of the rules and measures that can significantly reduce the risk of a serious cyberattack on your perimeter, even if they cannot eliminate it entirely.
Take Inventory
1. Make sure you have detailed knowledge of all corporate network segments and the assets within them. This may seem obvious, but we still encounter cases where an organization's IT staff had poor awareness of parts of the infrastructure they managed, including the areas where attackers gained a foothold. Also make sure that security event monitoring covers every part of the infrastructure: in a recent investigation of Erudite Mogwai attacks, the group established itself in a part of the infrastructure that was outside SOC monitoring and so remained undetected for a long time.
2. Scan your company's pool of public addresses; services such as Censys, Shodan and FOFA are well suited to this. More experienced specialists can use other scanners, including the ones security assessment teams, and the attackers themselves, commonly use. The scan shows which applications, services and ports are reachable from the Internet, some of which may be vulnerable, and helps identify the systems that must be patched first.
Some of these applications and services can be taken offline for the holidays if nobody needs them during that period.
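The scan is only useful if someone compares its result with what is supposed to be exposed. The script below is an added example (not the article's or Solar 4RAYS's own tooling) that parses nmap "grepable" output for the public address pool and reports every open port that is not on an approved exposure list; those are the candidates for patching first or for taking offline over the holidays. The addresses (TEST-NET-3), hostnames, product versions and the allowlist are constructed illustrative data.

```python
"""Compare a scan of the public address pool with the approved exposure list.

Added example, not the article's or Solar 4RAYS's own tooling: parses nmap
"grepable" (-oG) output and lists every open port that is not on the list of
services meant to be reachable from the Internet. The addresses (TEST-NET-3),
hostnames, versions and the allowlist below are constructed illustrative data.
"""
from __future__ import annotations

# Constructed sample in nmap -oG format, as if produced by:
#   nmap -sV -oG holiday-scan.gnmap 203.0.113.0/28
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Sat Apr 26 09:00:00 2025 as: nmap -sV -oG holiday-scan.gnmap 203.0.113.0/28
Host: 203.0.113.10 (www.example.com)\tStatus: Up
Host: 203.0.113.10 (www.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (998)
Host: 203.0.113.11 (vpn.example.com)\tStatus: Up
Host: 203.0.113.11 (vpn.example.com)\tPorts: 443/open/tcp//https//OpenVPN/, 8443/open/tcp//https-alt//Apache Tomcat/\tIgnored State: filtered (998)
Host: 203.0.113.12 (old-portal.example.com)\tStatus: Up
Host: 203.0.113.12 (old-portal.example.com)\tPorts: 80/open/tcp//http//Apache httpd 2.4.29/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (998)
# Nmap done at Sat Apr 26 09:07:12 2025 -- 16 IP addresses (3 hosts up) scanned in 432.10 seconds
"""

# Approved exposure (assumed): address -> {(port, protocol)} that is meant to be public.
ALLOWED: dict[str, set[tuple[int, str]]] = {
    "203.0.113.10": {(443, "tcp")},
    "203.0.113.11": {(443, "tcp")},
}


def parse_gnmap(text: str) -> dict[str, list[tuple[int, str, str, str]]]:
    """Return {address: [(port, proto, service, version), ...]} for open ports only."""
    hosts: dict[str, list[tuple[int, str, str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        addr = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:          # "Status: Up" lines carry no ports
            continue
        for entry in ports_field[len("Ports:"):].split(","):
            # gnmap port entry: port/state/proto/owner/service/rpcinfo/version/
            parts = entry.strip().split("/")
            if len(parts) < 7 or parts[1] != "open":
                continue
            hosts.setdefault(addr, []).append((int(parts[0]), parts[2], parts[4], parts[6]))
    return hosts


def unexpected_exposures(hosts, allowed=ALLOWED):
    """Open ports that are not in the approved exposure list, sorted by address."""
    findings = []
    for addr, ports in sorted(hosts.items()):
        permitted = allowed.get(addr, set())   # unknown host: nothing is permitted
        for port, proto, service, version in ports:
            if (port, proto) not in permitted:
                findings.append((addr, port, proto, service, version))
    return findings


if __name__ == "__main__":
    for addr, port, proto, service, version in unexpected_exposures(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{addr}:{port}/{proto} {service} ({version}) is exposed but not approved")
```

On the constructed scan the script flags SSH on the web server, the management port 8443 on the VPN gateway and both ports of the forgotten old portal; a host that is missing from the allowlist entirely has every open port reported, which is the right default for an address nobody claims.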
Make Backups
Regular backups of critical systems are always a good idea. Backup copies must be stored so that they cannot be deleted during an attack on the company's infrastructure (the deletion of backups is one of the most common things we see in practice).
It is best to create backups according to the 3-2-1 rule: at least three copies of each file, on two different types of media, with one copy stored off-site. Ideally, that copy has no network connectivity to the infrastructure being backed up.
We also recommend not using domain authentication on backup servers; use separate accounts with the minimum privileges needed to access them instead. If the backup server is a virtual machine, it should not run on the same virtualization platform as the systems it backs up, and access to the hypervisor should be under special control.
Ideally, all of these backups are stored without permanent connectivity to the main network. Then, even if the attackers succeed, the company's most critical servers and services can be restored relatively quickly from the surviving backups.
Last year we often saw attackers, having gained access to the virtual infrastructure, destroy it completely and thereby halt the organization's operations. For attackers this is relatively easy prey: modern companies often host important business applications on virtualization platforms but rarely take care of their resilience against such attacks.
Install patches
If the organization has no established patch management process, patches should at least be installed for all critical applications, especially those reachable from outside. Do this in advance rather than on the last day before the holidays, so that any problems with applications after patching can be dealt with.
We recently published a review of the vulnerabilities found in the first quarter in applications widely used in corporate networks. We analyzed more than 100 vulnerability reports: almost 80% of them have a network attack vector, and 72% have High or Critical severity. Before leaving for the weekend, make sure that at least these vulnerabilities do not apply to your infrastructure.
Remember that patches are needed not only to protect the external perimeter but also to complicate or stop the development of an attack once attackers are already inside it. A classic example is the compromise of a forgotten old corporate portal or a test installation, which then gives access to new segments of the infrastructure.
Passwords and Accounts
Compromised logins and passwords are a common way for attackers to get into the corporate network. Therefore:
● Audit the accounts used in the various services (RDP, VPN and others) and delete unused and unnecessary ones;
● Make sure administrator passwords are complex enough; change them if they are not or if they have been in use for too long, and enable multi-factor authentication;
● Audit the password policies: check the complexity requirements, make it impossible to set a new password identical to the old one, and review expiration periods. Minimum complexity requirements: randomly generated passwords of at least 12 characters, containing lowercase and uppercase Latin letters, digits and special characters. All of this significantly complicates attackers' efforts to obtain credentials in the infrastructure;
● Inventory the accounts created for contractors. If the contractors do not plan to work during the holidays, their accounts can be temporarily disabled, which protects against attacks through trust relationships. And do not forget to delete these accounts once the contractor has completed the work;
● If your infrastructure has network connectivity with a contractor's infrastructure (for example, because the technological process requires it), it can be disabled for the holidays;
● Make sure that no credentials, especially for critical systems (SAN, virtualization, backup, etc.), are stored in plain-text files or saved in browsers. Attackers often compromise the workstations of privileged users and then easily reach critical systems because the credentials were saved in the browser. Use password managers, updated to their latest versions, instead;
● Terminate all active remote access sessions over the various protocols (RDP connections, web applications and so on) where active work with the systems has stopped. Computers of employees who will not be working during the holiday period should be switched off to reduce the attack surface.
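The minimum password requirements above are easy to state and easy to get wrong in a hurry, so here is an added example (not the article's or Solar 4RAYS's own code) that implements them: a generator that guarantees every required character class, a validator that returns every reason for rejection, a reuse check that compares against salted hashes rather than stored plain-text passwords, and an expiry check. The 90-day maximum age, the PBKDF2 iteration count and the sample history are assumptions for illustration.

```python
"""Password policy helpers for the minimum requirements stated above.

Added example, not Solar 4RAYS code. Policy: at least 12 characters with
lowercase and uppercase Latin letters, digits and special characters; a new
password must not repeat a previous one; passwords expire after a maximum
age (90 days here, an assumption). Old passwords are kept only as salted
PBKDF2 digests so the history itself is not a credential store.
"""
from __future__ import annotations

import hashlib
import secrets
import string
from datetime import date, timedelta

MIN_LENGTH = 12
SPECIALS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "special": SPECIALS,
}
PBKDF2_ITERATIONS = 100_000   # assumption; raise for production use


def hash_for_history(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest stored in the history instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def is_reused(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the password matches any (salt, digest) pair in the history."""
    return any(
        secrets.compare_digest(hash_for_history(password, salt), digest)
        for salt, digest in history
    )


def check_new_password(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Every reason the proposed password must be rejected (empty list = accept)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(ch in chars for ch in password):
            reasons.append(f"no {name} character")
    if is_reused(password, history):
        reasons.append("identical to a previous password")
    return reasons


def meets_policy(password: str) -> bool:
    """Complexity check only, with no history."""
    return check_new_password(password, []) == []


def generate_password(length: int = 16) -> str:
    """Random password with at least one character from every required class."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES.values())
    # One character per class guarantees coverage; the rest is drawn from the
    # whole alphabet, then shuffled so the class positions are not predictable.
    chars = [secrets.choice(chars) for chars in CLASSES.values()]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def is_expired(set_on: str, today: str, max_age_days: int = 90) -> bool:
    """True if a password set on ISO date `set_on` is older than the maximum age."""
    return date.fromisoformat(today) - date.fromisoformat(set_on) > timedelta(days=max_age_days)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    old = generate_password()
    history = [(salt, hash_for_history(old, salt))]
    print("reusing the old password:", check_new_password(old, history))
    print("new password accepted:", check_new_password(generate_password(), history) == [])
    print("set on 2025-01-01, expired by 2025-04-25:", is_expired("2025-01-01", "2025-04-25"))
```

Each entry in the history carries its own salt, so identical passwords in different accounts do not produce identical digests, and `compare_digest` keeps the comparison constant-time. The validator returns all violations at once rather than the first one, which is what a helpdesk or a self-service portal needs to show the user.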
Compromise Assessment
There will of course be no time for a full compromise assessment of the infrastructure before the holidays, but a basic set of checks can be done:
● Alerts from the existing security tools. Unfortunately, there are cases when security tools report malicious activity but IT and security specialists ignore the notifications;
● Critical systems, for suspicious files, newly created system services, scheduled tasks, new users and new software installations (on both Linux and Windows);
● Logins to critical systems, where anomalies may also be detected;
● Lists of running processes and active network connections, for anomalies;
● System logs, for suspicious authentications on critical systems;
● Statistics from network equipment (where possible): anomalous spikes in traffic volume and connections to suspicious domains or IP addresses may show up here.
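For the login and authentication checks in the list, the following added example (not the article's or Solar 4RAYS's own tooling) shows what a first pass over a Linux host's sshd log can look like: it flags successful logins from a source address never seen before for that user, logins outside working hours, and a success that follows a burst of failures from the same address, which is how a password-guessing attack that eventually worked shows up. The log lines, the list of known sources, the working-hours window and the thresholds are constructed assumptions.

```python
"""Quick pre-holiday login review from sshd log lines.

Added example, not Solar 4RAYS code. Three checks over sshd entries from
/var/log/auth.log or `journalctl -u ssh`: success from a source the user has
never used before, success outside working hours, and success preceded by a
burst of failures from the same address. All input data is constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd log lines (syslog format, no year in the timestamp).
SAMPLE_LOG = """\
Apr 25 09:12:01 srv1 sshd[2201]: Accepted publickey for admin from 10.0.5.21 port 50210 ssh2
Apr 25 23:41:07 srv1 sshd[2388]: Accepted password for backup from 10.0.5.40 port 50412 ssh2
Apr 26 02:13:30 srv1 sshd[2410]: Failed password for root from 198.51.100.7 port 51230 ssh2
Apr 26 02:13:33 srv1 sshd[2410]: Failed password for root from 198.51.100.7 port 51230 ssh2
Apr 26 02:13:36 srv1 sshd[2410]: Failed password for root from 198.51.100.7 port 51230 ssh2
Apr 26 02:13:40 srv1 sshd[2412]: Failed password for invalid user oracle from 198.51.100.7 port 51232 ssh2
Apr 26 02:13:44 srv1 sshd[2414]: Accepted password for root from 198.51.100.7 port 51234 ssh2
Apr 26 10:05:12 srv1 sshd[2500]: Accepted publickey for admin from 10.0.5.21 port 50300 ssh2
"""

# Assumptions for the review: where each user normally logs in from, the working
# hours window, and what counts as a suspicious failure burst.
KNOWN_SOURCES = {"admin": {"10.0.5.21"}, "backup": {"10.0.5.40"}}
WORK_HOURS = range(8, 20)      # 08:00 to 19:59
FAILURE_THRESHOLD = 3          # failures from one address before a success...
FAILURE_WINDOW_S = 300         # ...within this many seconds
LOG_YEAR = 2025                # syslog timestamps carry no year

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(lines):
    """Return [(timestamp, success, user, source)] for every sshd auth line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"] == "Accepted", m["user"], m["src"]))
    return events


def review_logins(events, known=KNOWN_SOURCES):
    """Findings as (kind, timestamp, user, source), in log order."""
    findings = []
    recent_failures = defaultdict(list)   # source -> timestamps of failed attempts
    for ts, success, user, src in sorted(events):
        if not success:
            recent_failures[src].append(ts)
            continue
        if src not in known.get(user, set()):     # unknown user: every source is new
            findings.append(("new-source", ts, user, src))
        if ts.hour not in WORK_HOURS:
            findings.append(("off-hours", ts, user, src))
        window = [t for t in recent_failures[src] if (ts - t).total_seconds() <= FAILURE_WINDOW_S]
        if len(window) >= FAILURE_THRESHOLD:
            findings.append(("success-after-failures", ts, user, src))
    return findings


if __name__ == "__main__":
    for kind, ts, user, src in review_logins(parse(SAMPLE_LOG.splitlines())):
        print(f"{ts:%b %d %H:%M:%S} {kind:24} user={user} from={src}")
```

On the sample, the backup account's late-evening login is reported once for review, while the root login from 198.51.100.7 triggers all three checks at once; that combination is what should be treated as a probable compromise rather than noise. On a real host, replace `SAMPLE_LOG` with the output of `journalctl -u ssh --since "7 days ago"` and build `KNOWN_SOURCES` from a longer baseline period.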
Assign Responsible Persons
The company must have people responsible for incident response, and they must understand their roles and objectives. It is best to have an interaction matrix and a description of the steps to be taken immediately in the event of an incident. The responsible people must also be reachable 24/7 and ready to respond, even on weekends.
Call External MDR Specialists
If the company lacks the resources for full monitoring and incident response, it can consider a Managed Detection and Response (MDR) service provider. Implementing this a week or two before the May holidays is of course difficult, but if you plan ahead, this class of services provides 24/7 monitoring of the infrastructure and helps avoid irreversible losses in the event of an attack.
Have a great holiday!
Solar 4RAYS Cyber Threat Research Center Team