Croatian Agency Discovers Managed Services Are More Secure
This week, the Croatian Financial Services Supervisory Agency (HANFA) was hit by an unspecified cyber attack that knocked out its web and email services.
So what's happening?
Although details are scant, open-source intelligence from Shodan and other public sources shows the following being done to restore services:
The email server for hanfa.hr appears to have been moved quickly from an on-premise system to the Microsoft 365 cloud SaaS service. The old on-premise email servers (an open-source, Linux-based solution) are offline as of this writing, but it is unclear whether this is deliberate or whether the servers were lost, perhaps to ransomware.
The web server for hanfa.hr is also apparently being moved away from a self-hosted Windows IIS-based service (apparently poorly maintained, as Shodan reports a vulnerability from 2014 there - https://lnkd.in/gTKfUTcX). The new server is now hosted at another hosting provider (also a Windows server-based IIS service), hopefully a managed one.
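The mail-hosting observation above rests on a public DNS check: a domain's MX records say whether inbound mail is handled by a managed provider or by a server inside the organisation's own domain. The following is an added illustration of that check, not code from the original post. The provider hostname suffixes are well-known public values; the domain name and the `dig`-style MX output below are constructed samples, and it can be run offline on them.

```python
"""Classify where a domain's inbound mail is hosted from its MX records.

Added example (not from the original post). The provider MX suffixes are
well-known public values; example.com and the sample records are constructed.
"""
from typing import Dict, List, Tuple

# Public MX hostname suffixes used by large managed mail providers.
PROVIDER_SUFFIXES: Dict[str, Tuple[str, ...]] = {
    "Microsoft 365": (".mail.protection.outlook.com",),
    "Google Workspace": (".google.com", ".googlemail.com"),
    "Proofpoint": (".pphosted.com",),
    "Mimecast": (".mimecast.com", ".mimecast.co.za"),
}


def _normalize(host: str) -> str:
    """Lower-case a hostname and strip whitespace and the trailing root dot."""
    return host.strip().rstrip(".").lower()


def parse_dig_mx(output: str) -> List[Tuple[int, str]]:
    """Parse lines in the shape of `dig +short MX <domain>` ("10 mx.example.net.")
    into (priority, host) tuples. Malformed lines are skipped."""
    records: List[Tuple[int, str]] = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        records.append((int(parts[0]), _normalize(parts[1])))
    return records


def classify_mx_host(domain: str, host: str) -> str:
    """Label one MX host: a known managed provider, 'self-hosted' when the MX
    lives inside the organisation's own domain, or 'other'."""
    h, d = _normalize(host), _normalize(domain)
    for provider, suffixes in PROVIDER_SUFFIXES.items():
        if any(h.endswith(s) for s in suffixes):
            return provider
    if h == d or h.endswith("." + d):
        return "self-hosted"
    return "other"


def mail_posture(domain: str, mx_records: List[Tuple[int, str]]) -> Dict[str, object]:
    """Summarise the mail-hosting posture of a domain from its MX records.

    'primary' is the label of the lowest-priority (preferred) MX; 'self_hosted'
    is True if any MX, including a backup, still points into the domain itself,
    which is the on-premise exposure the post is talking about."""
    if not mx_records:
        return {"primary": None, "self_hosted": False, "labels": []}
    ordered = sorted(mx_records, key=lambda r: r[0])
    labels = [classify_mx_host(domain, host) for _, host in ordered]
    return {
        "primary": labels[0],
        "self_hosted": "self-hosted" in labels,
        "labels": labels,
    }


if __name__ == "__main__":
    # Constructed sample: mail moved to Microsoft 365 but an old on-premise
    # backup MX was left behind, so the domain still exposes its own server.
    SAMPLE_DIG_OUTPUT = (
        "10 example-com.mail.protection.outlook.com.\n"
        "20 mail.example.com.\n"
    )
    records = parse_dig_mx(SAMPLE_DIG_OUTPUT)
    print(mail_posture("example.com", records))
```

Feed the script real `dig +short MX <domain>` output for your own domains; a `self_hosted` result with a managed `primary` is the typical leftover after a migration, and that backup MX is still an internet-facing mail port that needs patching and monitoring.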
External-facing services such as e-mail, web and VPN access points are under constant probing from various threat actors, especially ransomware-as-a-service operators (see here).
The attackers know these systems cannot get the constant attention now required to keep them secure and patched. Self-hosted systems also rarely feature strong multifactor authentication (MFA), an essential prerequisite for avoiding successful ransomware attacks.
The public-facing services are now automatically scanned for published and unpublished vulnerabilities, often before any patches are provided, let alone implemented (see here).
Therefore, publishing internet-facing ports on a do-it-yourself basis is slowly becoming untenable and should be viewed as an unacceptable risk.
In this case, HANFA has apparently learned the lesson, as it appears to be finally moving its services to managed SaaS or IaaS providers.
Finally, it is worth quoting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) from its cyber security guidance for SMBs:
One major improvement you can make is to eliminate all services that are hosted in your offices. We call these services “on premises” or “on-prem” services. Examples of on-prem services are mail and file storage in your office space. These systems require a great deal of skill to secure. They also require time to patch, to monitor, and to respond to potential security events. Few small businesses have the time and expertise to keep them secure.