After its successful initial attack on Microsoft, the group has ramped up its password spray attacks tenfold between January and February in an attempt to probe for new weaknesses, CISA said.
Actions required
The April 2 Directive is fairly general in its recommendations but still manages to hand security teams inside agencies a pile of homework. This begins with working out which credentials might have been compromised by checking activity logs for large numbers of accounts, a huge job guaranteed to lead to hefty overtime. The timescale for this is ambitious:
- By April 30, refresh all authentication credentials such as passwords, tokens and API keys suspected of being compromised.
- “Reset credentials in associated applications and deactivate associated applications that are no longer of use to the agency.” It’s not clear exactly what this refers to, but it will relate to any secondary applications that have access to email streams or data, for example older backup systems.
But that is perhaps the easier part of the job. Having identified compromised accounts, agencies then have to carry out what’s called an impact analysis: in other words, work out which documents sent via email might have fallen into the attackers’ hands. Finally, they must relay any bad news on this to CISA itself.
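The log review the Directive asks for, as an added example that is not part of the article or the Directive: it assumes a simple whitespace-separated sign-in log (timestamp, user, source IP, result) with constructed sample lines, flags sources that failed against many distinct accounts (the spray pattern, as opposed to repeated failures on one account), and lists accounts that later signed in successfully from such a source as the first candidates for a credential reset.

```python
from collections import defaultdict

# Constructed sample sign-in log (timestamp user source_ip result): one source
# tries five accounts once each (a spray) and then succeeds against one; a
# second source hammers a single account (brute force, not a spray).
SAMPLE_LOG = """\
2024-02-10T08:00:01Z alice 203.0.113.7 FAIL
2024-02-10T08:00:03Z bob 203.0.113.7 FAIL
2024-02-10T08:00:05Z carol 203.0.113.7 FAIL
2024-02-10T08:00:07Z dave 203.0.113.7 FAIL
2024-02-10T08:00:09Z erin 203.0.113.7 FAIL
2024-02-10T08:00:11Z dave 203.0.113.7 SUCCESS
2024-02-10T08:15:00Z alice 198.51.100.4 FAIL
2024-02-10T08:15:20Z alice 198.51.100.4 FAIL
2024-02-10T08:15:40Z alice 198.51.100.4 SUCCESS
2024-02-10T09:00:00Z frank 192.0.2.9 SUCCESS
"""

def parse_log(text):
    """Return (timestamp, user, source_ip, result) tuples, skipping blank lines."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def find_spray_sources(records, min_accounts=5):
    """Sources that failed against at least min_accounts distinct users.
    A spray touches many accounts a few times each, so key on distinct users
    per source rather than failures per user (the lockout-style signal)."""
    failed_users = defaultdict(set)
    for _ts, user, ip, result in records:
        if result == "FAIL":
            failed_users[ip].add(user)
    return {ip for ip, users in failed_users.items() if len(users) >= min_accounts}

def suspected_compromised(records, spray_sources):
    """Accounts that later signed in successfully from a spray source: the
    credentials to reset first under the Directive's April 30 deadline."""
    return sorted({user for _ts, user, ip, result in records
                   if result == "SUCCESS" and ip in spray_sources})

def triage(text):
    """Run both checks over a log; returns (spray_sources, accounts_to_reset)."""
    records = parse_log(text)
    sources = find_spray_sources(records)
    return sources, suspected_compromised(records, sources)

if __name__ == "__main__":
    sources, accounts = triage(SAMPLE_LOG)
    print("spray sources:", sorted(sources))  # ['203.0.113.7']
    print("reset first:", accounts)           # ['dave']
```

The threshold of five distinct accounts is a constructed value for the sample; on real tenant logs it should be tuned against normal failure rates, and the same keying works on any export that carries user, source and result fields.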