To reduce the impact of a successful compromise, should one occur, you are strongly advised to review your authoritative DNS setup ASAP:

• If using off site secondary nameservers, ensure that those secondaries have an up-to-date copy of your zone/s; and SOA expire times are set to at least 14 days.
• If you are currently running DNS onsite, you should consider how you will access your zone files should your DNS servers be compromised. The use of off-site secondary nameservers increases your DNS resilience. Consider using a Secondary Nameserver Service or partnering with another organisation.

Microsoft Exchange Server

Microsoft released out of band security patches for Critical remote code execution vulnerabilities in Exchange on 2^nd March, these vulnerabilities are being actively exploited to compromise tens of thousands of organisations worldwide. See: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/.

Action

• Urgently install the latest Cumulative Update and the patches from  https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/ on ALL Exchange servers (internet facing and internal). This cannot wait until scheduled maintenance periods – it must be done immediately.
• Follow Microsoft’s guidance to confirm whether a compromise has occurred.
• Utilise Microsoft’s patch confirmation script: https://github.com/microsoft/CSS-Exchange/tree/main/Security.

Remote Desktop Protocol

The Remote Desktop Protocol is not sufficiently secure for remote access over the internet, and has been targeted in numerous compromises, including the Ransomware incidents which hit the sector last year; despite this many RDP servers remain internet accessible on Janet.

Action

• Ensure account lockout timers are configured for ALL accounts and set to trigger early enough to hinder attacks and remain tripped long enough for you to detect and respond to attacks.
• Urgently replace RDP based remote access solutions with well configured Virtual Private Networks.
• Deploy multi-factor authentication to all remote users, at the minimum for the VPN.

Remote Desktop Gateway

Remote Desktop Gateway adds a layer of separation to RDP, however, if not configured correctly this is still just as susceptible to purchased or brute forced credentials, once access is gained the same level of access is available as with RDP.

Actions

• Ensure account lockout timers are configured for ALL accounts and set to trigger early enough to hinder attacks and remain tripped long enough for you to detect and respond to attacks.
• Ensure that all user accounts capable of accessing the RD Gateway have multi-factor authentication enabled.
• Ensure that RD Gateway logs are monitored closely for indicators of attack.
• Replace RD Gateway based remote access solutions with well configured Virtual Private Networks.
• Deploy multi-factor authentication to all remote users, at the minimum for the VPN.

Citrix

Citrix Application Delivery Controller (AKA NetScaler and Citrix Gateway) were affected by a critical unauthenticated remote code execution vulnerability in Q4 2019, and Citrix products remain a popular target for attackers.

Actions

• Ensure that all Citrix products within your environment are on a supported version with the latest Security Updates applied.

Any Other External Services

Any system can be vulnerable, and if remotely exposed could be used to gain an initial foothold in your network.

Action

• Ensure that only expected services on expected systems are exposed to the internet.
• Ensure that all systems that are facing the internet are running on supported Operating Systems and Applications, with all applicable security updates applied.
• Ensure logs for exposed systems are closely monitored for indicators of attack.
• Deploy suitable security tooling, such as Web Application Firewalls, in front of exposed systems.