At midnight on July 13th, one of the largest clinical labs in the Unites States, LabCorp, fell victim to a Samsam ransomware attack conducted via brute force RDP attack. Thanks to LabCorp’s Security Operations Center (SOC), a data breach was prevented, and the ransomware was contained within 50 minutes. LabCorp’s SOC immediately intervened, alerting Incident Response teams and cutting connections & access to internal file shares. Within that time, however, 7,000 systems and 1,900 servers were affected by the attack.
This event highlights three critical factors important to companies’ security:
- Have a proper Incident Response Plan that is tested regularly.
- Supplement that plan with technical controls to detect and alert upon detection of malicious actions.
- Implement multi-factor authentication wherever possible.
LabCorp’s SOC and IR teams were able to quickly contain the infection and prevent a data breach and immediately rolled into recovery mode once the threat had been contained. But how could this threat have been prevented?
The Samsam ransomware has been known to use an exploit tool for public-facing RDP instances, using brute force tactics to gain access to authorized RDP user accounts. Multi-Factor authentication, or two-factor authentication it’s also known, is a proven method of preventing these attacks.
Multi-factor authentication is an authentication method that requires knowledge of a user’s password and at least one other authentication method such as a hardware token, fingerprint detector, or retina scanner.
Implementing multi-factor authentication creates a layered defense and makes it more difficult for a malicious attacker to access a target remotely. If an attacker breaks through the first layer of defense (the user’s password), the second authentication factor must also be overcome by the malicious attacker to successfully infiltrate the target organization. This is nearly impossible in most cases.
So, if you’re not doing MFA today, please consider it. There are many options such as Duo, RSA, and Yubikey.