Is ASEAN Ready for Serious Cybersecurity?

Barry Greene
3 min read · Aug 6, 2024


No, most ASEAN countries are not ready for “serious cybersecurity.” Cybersecurity requires a persistent and consistent rhythm of action that fixes known security risks. Public nonprofit cyber civil defense organizations like the Shadowserver Foundation, CyberGreen, and others deliver actionable cyber-risk reporting as a public benefit. Yes, these reports are free to any organization seeking to reduce its cyber-risk. Yet these free reports are ignored. It is no surprise when organizations and governments get hacked.

How bad is it?

Poor cybersecurity hygiene, a lack of daily cyber health actions, and ignoring best common practices make accessing networks throughout ASEAN easy for any threat actor. This includes many government and critical infrastructure organizations that have dedicated teams working to protect them.

The best way to see this risk is by exploring the Shadowserver Foundation’s Dashboard. The figure (taken from that Dashboard) lists all the devices communicating with one of the Shadowserver Foundation’s Sinkholes. Sinkholes are a “malware takedown” technique that captures the Command & Control (C&C) infrastructure used by the malware. The C&C controls the malware, and the malware regularly reaches out to the C&C.

Sinkhole operations are a collective action to replace the C&C. Because every infected device keeps “calling home,” all of the malware becomes easy to see. The Shadowserver Foundation is one organization that hosts Sinkhole services, helps other organizations conduct Sinkhole Operations, and works with peers in the community on their Sinkhole operations.

The Shadowserver Foundation then sends daily alerts to organizations whose networks contain malware talking to the Sinkholed C&C. These daily alerts are detailed enough for an organization to work with its firewall/NAT logging and find the specific device. That organization can then open an incident and take action.
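As an added example (not from the post, and not the Shadowserver Foundation’s own code or report schema), here is the kind of correlation such a daily alert makes possible: a sinkhole report row names the public IP and source port that talked to the sinkhole at a given time, and the NAT translation log maps that back to the inside host that actually made the connection. Both inputs are constructed samples; the CSV column names and the NAT log line format are assumptions for illustration, not Shadowserver’s schema or any vendor’s log format.

```python
"""Map sinkhole victim-notification rows back to inside hosts via NAT logs.

Added illustration; the report columns and NAT log format below are assumed.
"""
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed sinkhole report (simplified). Column names are an assumption.
SINKHOLE_REPORT = """timestamp,src_ip,src_port,dst_ip,dst_port,protocol,infection
2024-08-05 06:12:41,203.0.113.10,51234,192.0.2.50,80,tcp,torpig
2024-08-05 06:12:55,203.0.113.10,51877,192.0.2.50,80,tcp,torpig
2024-08-05 07:03:12,203.0.113.11,40001,192.0.2.51,443,tcp,avalanche-generic
"""

# Constructed NAT translation log; the line layout is an assumed format.
NAT_LOG = """2024-08-05T06:12:40Z NAT build tcp 10.10.4.23:49152 -> 203.0.113.10:51234 dst 192.0.2.50:80
2024-08-05T06:12:54Z NAT build tcp 10.10.4.23:49153 -> 203.0.113.10:51877 dst 192.0.2.50:80
2024-08-05T07:03:11Z NAT build tcp 10.10.7.9:33001 -> 203.0.113.11:40001 dst 192.0.2.51:443
2024-08-05T07:03:11Z NAT build tcp 10.10.7.12:33002 -> 203.0.113.11:40002 dst 198.51.100.7:443
"""

NAT_LINE = re.compile(
    r"^(?P<ts>\S+) NAT build (?P<proto>\w+) "
    r"(?P<in_ip>[\d.]+):(?P<in_port>\d+) -> "
    r"(?P<out_ip>[\d.]+):(?P<out_port>\d+) dst "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)


def parse_report(text):
    """Parse report rows; timestamps are treated as UTC."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
            .replace(tzinfo=timezone.utc),
            "proto": row["protocol"].lower(),
            "src": (row["src_ip"], int(row["src_port"])),
            "dst": (row["dst_ip"], int(row["dst_port"])),
            "infection": row["infection"],
        })
    return rows


def parse_nat_log(text):
    """Parse NAT 'build' lines; lines in an unexpected format are skipped."""
    entries = []
    for line in text.splitlines():
        m = NAT_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            .replace(tzinfo=timezone.utc),
            "proto": m["proto"].lower(),
            "inside": (m["in_ip"], int(m["in_port"])),
            "outside": (m["out_ip"], int(m["out_port"])),
            "dst": (m["dst_ip"], int(m["dst_port"])),
        })
    return entries


def correlate(report_text, nat_text, window=timedelta(seconds=120)):
    """Match each report row to NAT entries with the same translated
    source, same destination and protocol, within a small clock-skew window."""
    nat = parse_nat_log(nat_text)
    hits = []
    for r in parse_report(report_text):
        for n in nat:
            if n["outside"] != r["src"] or n["dst"] != r["dst"]:
                continue
            if n["proto"] != r["proto"] or abs(n["ts"] - r["ts"]) > window:
                continue
            hits.append({
                "inside_ip": n["inside"][0],
                "infection": r["infection"],
                "seen": r["ts"],
            })
    return hits


def hosts_by_infection(hits):
    """Summarise matched hits as inside IP -> sorted infection names."""
    summary = {}
    for h in hits:
        summary.setdefault(h["inside_ip"], set()).add(h["infection"])
    return {ip: sorted(names) for ip, names in summary.items()}


if __name__ == "__main__":
    for ip, names in hosts_by_infection(correlate(SINKHOLE_REPORT, NAT_LOG)).items():
        print(f"{ip}: {', '.join(names)}")
```

The fourth NAT line shares a public IP with an infected host but uses a different translated port and destination, so it is correctly left out; requiring port, destination, protocol and a tight time window is what keeps a busy NAT from producing false matches. The time window covers clock skew between the sinkhole and the firewall, and should be narrowed if the two are known to be in sync.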

Is minimizing cyber-risk hard?

One story I always share so people understand how easy this is goes back to my Juniper Networks days. In those days, the Shadowserver reports were emails every day. One day, back when I was Juniper Networks’ SIRT Director, I got a new report on the Torpig botnet (also called Sinowal or Mebroot). It is now part of the “victim notification” of a malware takedown. 19 computers were listed as “infected” and talking to the Torpig/Mebroot Sinkhole.

My first thought was, “Why are there 19 computers infected with MBROOT?” This was the sign of a bigger problem!

First things first… I called the team inside Juniper, activated our “we have malware inside our network” response, and together we quarantined those 19 computers, with people working on the risk and threat analysis. We got lucky that day. The MBROOT infections had happened the day before. The threat actors did not get a foothold, and the malware was communicating with a Sinkhole.

We found that up-to-date operating systems, malware protection, firewalls, layers of security, and compartmentalization were bypassed. The threat actors used a Firefox zero-day inside an advertisement on Microsoft’s new service (i.e., a malvertisement).

That incident was not hard to resolve. It started with a morning “healthy cybersecurity habit” of reviewing the Shadowserver Foundation’s free reporting. Today, organizations do not need to look at emails; they can use DevOps/SecOps to get the free data via APIs. Shadowserver’s Network Report prevented potential damage to Juniper Networks. The infection vector was identified, and extra network protections were implemented to protect the organization. All from a public benefit report!

Healthy Cybersecurity Habits are NOT HARD! Why are so many organizations aware they are at risk but do nothing to minimize that risk?

  • Subscribe to the Senki Community Mailing List. Stay connected to practical cybersecurity advice and critical “do this now” operational security recommendations by email.
  • Subscribe to Senki’s YouTube Channel for videos on this and other security topics.
  • Ask questions to Barry Greene — bgreene@senki.org

Originally published at https://www.senki.org on August 6, 2024.
