In a recent Securities and Exchange Commission filing, Lumen Technologies, Inc. reported it was the victim of two cyber attacks.
On March 27, Lumen announced two cybersecurity incidents. Earlier this month the company discovered that a malicious intruder had inserted criminal ransomware into a limited number of the company’s servers that support a segmented hosting service, which was degrading the operations of a small number of Lumen’s enterprise customers.
The filing reported that the company’s recent implementation of enhanced security software led to the discovery that a separate sophisticated intruder had accessed a limited number of Lumen’s internal information technology systems, including conducting reconnaissance of these systems, installing malware and extracting a relatively limited amount of data.
According to Lumen, ongoing investigations revealed the incidents will not have a material adverse impact on the company’s ability to serve customers or on its business, operations or financial results.
Once the incidents were discovered, Lumen followed its long-standing cybersecurity protocols, which included working with outside forensic firms to contain the incidents and implementing business continuity plans to restore functionality to its customers’ operational and business systems. In addition, Lumen notified law enforcement, regulatory authorities and impacted customers, launched investigations and took additional steps to safeguard systems.
Following the attacks, Lumen is continuing to assess the potential impact of both events, including whether any personally identifiable or other sensitive information has been exfiltrated. Lumen continues to work with several external advisors, impacted customers and relevant authorities to assess and mitigate the impacts from these incidents.
Cybersecurity leaders weigh in
“Successful ransomware attacks can begin long before victims receive demands from the cybercriminals. These types of attacks start with an initial breach where the threat actor's goal is to establish a foothold in the environment and then do further reconnaissance to locate the victim's critical data,” said Dave Martin, Vice President of MDR at Ontinue. “It’s during this initial breach phase that companies have the best chance to stop the attack before it takes hold — possibly limiting it to just a single compromised device or even containing the attack before the threat actor achieves their ultimate objective. However, businesses need to know as soon as possible that a breach has occurred in order to contain it as early in the cyber kill chain as possible. Unfortunately, it’s extremely difficult for businesses — most of which are not cybersecurity experts — to continually monitor for breaches, particularly given the global shortage of cybersecurity talent. Organizations that need assistance addressing ransomware and other cyber threats can get the expertise and responsiveness they need by partnering with a managed detection and response provider. An experienced MDR provider can efficiently and effectively identify and contain cyber threats on the enterprise’s behalf based on a pre-authorized playbook.”
“The first takeaway should be the importance of network segmentation,” said Darren Guccione, CEO and co-founder at Keeper Security. “Network segmentation prevents threat actors from moving laterally within a system should a breach occur, which likely prevented this breach from being as pervasive as it could have been. Network segmentation is a best practice of identity and privileged access management, and is part of the solution that makes it harder for external threat actors to compromise privileged credentials or internal threat actors to misuse them.”
“A major takeaway anytime a ransomware or other cyberattack is reported should be that any enterprise can be targeted,” Guccione continues. “The 2022 U.S. Cybersecurity Census found that IT and security executives expect the number of cyberattacks to continue growing each year. Given the nature of crime, we can expect these threat actors to take the path of least resistance. This means that if the threat actor is able to gain access to a network, the security measures and roadblocks they encounter will play a large factor in whether they continue probing or move on to an easier target.”
Guccione said once a network is connected to the internet, there is no way to outright prevent external attacks from happening. He offered some advice on what enterprises can do to help prevent similar attacks.
“In fact, even preventing system access can be a Herculean task with more than 80 percent of breaches happening from weak or stolen passwords, credentials and secrets, which is why it’s crucial to have the proper cybersecurity protections in place,” Guccione said. “A zero trust security model in conjunction with least-privilege access, role-based access controls (RBAC), a single sign-on (SSO) solution and appropriate password security can greatly decrease the likelihood of a successful attack and stymie the threat actor’s access. By adopting a zero trust framework within their infrastructure, enterprise leaders will be in a stronger position to not only identify and react to attacks on their organization but also mitigate any potential damage.”
Guccione said ransomware attacks are often the result of phishing, so he recommends using a password manager and strong password policies, along with employee training, to stop attacks on the front line.
“Phishing attacks to steal passwords and credentials or introduce malware are still prevalent and the more sophisticated attempts can be difficult to spot,” Guccione said. “A password manager can help with identifying malicious URLs if an employee were to click on one of these links. A password manager can also be used to create and store strong, unique passwords for each account, which helps to mitigate password reuse and the accompanying risks.”
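The URL-matching behaviour Guccione refers to is, at its core, an origin check: a password manager only offers a saved credential when the page's origin exactly matches the origin the credential was saved on, so a lookalike phishing domain gets nothing to fill. The following is an added illustration written for this article, not code from Keeper Security or any other product; the vault contents, hostnames and the strict exact-origin policy are constructed assumptions (real products vary in how loosely they match).

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample vault: credentials keyed by the exact https origin they were saved on.
VAULT = {
    "https://portal.example.com": {"username": "jdoe", "password": "constructed-secret"},
}


def origin_of(url: str) -> Optional[str]:
    """Normalise a URL to its https origin (scheme + host + non-default port).

    Returns None for anything that is not a well-formed https URL, so plain-http
    pages and malformed links never get a credential.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port and port != 443:
        return f"https://{host}:{port}"
    return f"https://{host}"


def autofill_decision(url: str) -> Tuple[str, str]:
    """Decide whether the manager would fill a credential on this URL.

    Returns ("fill", origin) only on an exact origin match; otherwise ("refuse", reason).
    The hostname comes from the parser, so 'user@host' tricks and subdomain
    lookalikes resolve to the attacker's real host and fail the lookup.
    """
    origin = origin_of(url)
    if origin is None:
        return ("refuse", "not a well-formed https origin")
    if origin not in VAULT:
        return ("refuse", f"no saved credential for {origin}; possible lookalike domain")
    return ("fill", origin)


if __name__ == "__main__":
    # Constructed test links: one genuine login page and several phishing-style lookalikes.
    for link in [
        "https://portal.example.com/login",
        "https://portal-example.com/login",
        "https://portal.example.com.evil.example/login",
        "https://portal.example.com@evil.example/login",
        "http://portal.example.com/login",
    ]:
        print(link, "->", autofill_decision(link))
```

Only the first link produces a fill; the hyphenated lookalike, the nested-subdomain lookalike, the `user@host` form and the plain-http link are all refused, which is the signal a user would notice when the manager declines to autofill on a page that looks familiar.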