The ransomware attack on Australia's MediBank is still relatively recent and it will be some time before all the details are known, but some are now becoming public. From what is known so far, the attack shows many of the classic elements common across ransomware attacks.
The MediBank attack appears to include compromised credentials for VPN access and Amazon data warehousing. It also seems to have followed some standard attack patterns: access was on sale on the dark web, external and temporary staff credentials weren't disabled, internal systems that might not be considered traditional IT services (in this case Confluence, the wiki tool that had access to source code repositories) were breached, data was stolen for sale, and demands escalated to heap increased pressure on the victim, ...
Understanding how attacks start and then migrate and grow is crucial to knowing how to defeat attacks. It would be dangerous to claim that all attacks could be prevented, but there are actions that can be taken to reduce the chances and impacts of attack.
Although there's no guaranteed way to prevent an attack, there are some basic protections that every IT organisation should have. Here are the top three:
The MediBank attacker claims to have gained access to the data warehouse via a "jump server". It's not clear what was involved here but this is a typical use case for Privileged Access Management (PAM): only allow access to backend databases via PAM. The user will connect to the PAM server, prove their identity and PAM will determine which systems that user can access depending on corporate policies. The connection to the system or database will be made securely by PAM and the credentials used will never be exposed to the user. Security can be further extended by requiring approval for the user to make the connection and ensuring the connection can only be used for a specified time period - what's known as "Just in Time (JIT)" and "Principle of Least Privilege (POLP)".
Some of the most vital systems to protect are those that will be used to recover the IT estate after an attack, including backups. Smart attacks will infect data and wait until full backup cycles are completed so even offline are infected and will be encrypted when brought online. The attack may even delete backup files if administrator credentials are compromised. Again, PAM can be used as a protective layer to protect backup systems and the National Cyber Security Centre (NCSC) highlight this in their recommendations for how to mitigate ransomware attacks.
From the DataBreachToday article, it seems access to MediBank systems was readily available on dark web markets, and credentials from temporary staff were available. Every organisation depends on temporary staff and remote access by suppliers. The University of Reading treated security of external access as a priority when they adopted Osirium Privileged Access Management (PAM).
There are many benefits from Privileged Access Management for Remote Access:
There's never going to be 100% defence against ransomware attacks, but taking basic precautions makes attacks harder and recovery easier. As with any crime, it's generally true that the attackers will look for the easiest targets - don't let your organisation be that easy target. Every day's delay in adding ransomware protection increases the chances of an attack, so get started now!