
Increased Cybersecurity Risks from Russian Cyber Attacks Resulting From the Russia Ukraine Conflict

A barrage of sanctions from the U.S. and E.U. continues to rain down on Russia following Vladimir Putin’s decision to invade Ukraine. The damage inflicted by these sanctions poses concerns about possible retaliation measures against Western nations.

Given Russia’s significant capabilities and history of cybercrime, it appears likely that Russian cyber attacks, particularly against critical public sector infrastructure, may be on the agenda. These attacks have already begun against Ukraine and very likely will turn to the Western nations next.

Let’s take a look at some plausible risks, scenarios, and targets if Russia decides to turn to cyber attacks against Western nations during the ongoing conflict, so you can stay protected.

Russian Cyber Attacks Preceding the Physical Invasion of Ukraine

Before the Russian military stepped over the physical borders of Ukraine, there was an escalation in cyber attacks carried out by the country’s extensive cyber units, as Ukrainian banks and government websites were targeted with data-wiping malware and DDoS attacks. These actions confirmed that cyber operations are a central component of modern hybrid warfare.

According to the United States Congressional Research Service, Russia has a history of deploying cyber operations during wartime. During its 2008 war with Georgia, a large-scale DDoS attack crippled electronic communications at several government and financial institutions.

The escalation in cyber warfare is a continuation of attacks on Ukraine stretching back to Russia’s annexation of Crimea in 2014. A quick recap of some of these incidents serves as a reminder of what type of attacks Russia’s cyber units engage in during war times and the damage they can cause:

  • In December 2015, a complex, multi-phase attack took down Ukraine’s power grid leaving over 230,000 consumers without power.
  • A year later in December 2016, websites and payment systems belonging to the Ukrainian Ministry of Finance and State Treasury were taken offline by Russian malware.
  • In June 2017, Russia targeted Ukraine with a variant of the Petya ransomware (NotPetya), which hit Ukrainian ministries and banks, and even took down a radiation monitoring system at the Chernobyl nuclear plant.

Russian Cyber Attacks on Western Nations

While the attacks against Ukraine are proof of Russia’s cyber power, what conclusions can we draw about Russian cyber attacks on Western nations? Pertinent examples from recent years help us to predict who Russia might target in the West, the tactics they may use, and what the consequences could be.

  • Russian cyber unit Fancy Bear was implicated in the July 2016 hacking of the Democratic National Committee. Using tactics such as spear-phishing emails, keylogging software, and privilege escalation, the hack resulted in an email leak that stoked divisions in the Democratic party. The attack was seen as a Russian effort to weaponize information and interfere in the US Presidential election.
  • The NotPetya malware that hit Ukraine in 2017 spread to organizations in several Western nations, including Great Britain, France, Germany, and the United States. Maersk, the world’s largest container ship operator, suffered $300 million in damages from NotPetya. FedEx suffered similar costs to Maersk as a result of its subsidiary TNT Express being impacted by the ransomware strain.
  • The SolarWinds data breach is the most infamous recent example of Russian cybercrime against a Western nation. In this supply chain attack, Russian threat actors managed to modify software updates for Orion, a SolarWinds network monitoring software used by the U.S. federal government. Malicious Orion updates installed on federal IT systems gave Russian threat actors undetected access to those systems for up to nine months.

Federal Government Warnings and Advisories

The recent history of Russian cyber warfare clearly paints a worrying picture for Western nations. A diverse range of past attacks impacted critical public services and infrastructure, and as new sanctions get imposed daily, Russian cybercriminals could easily look for new targets. The possibilities include:

  • Russian threat actors deploying similar attacks on Western nations to those that hit Ukrainian banks and government websites.
  • Cyber incidents spreading from Ukrainian businesses to organizations in other countries due to globally interconnected networks.
  • Standalone attacks carried out as a direct response to ongoing Western sanctions damaging the Russian economy.

The highest levels of Western government assess the cyber risk landscape as an increasingly dangerous one if recent advisories and publications are anything to go by. The UK’s National Cyber Security Centre called on organizations to bolster their cybersecurity defenses in light of heightened cyber threats following Russia’s invasion of Ukraine. Recommended actions include patching systems, verifying access controls, and ensuring proper incident detection and response.

In the US, CISA director Jen Easterly indicated the agency was, “working with our federal partners, our state and local partners, and our industry partners to make sure that they’re aware of the potential threats of a potential cybersecurity crisis.” The FBI Cyber Division’s David Ring reportedly echoed similar sentiments during a call when he asked state and local leaders and business executives to think about how the provision of critical services could be disrupted by ransomware.

Meanwhile, in an address to the nation on February 24, 2022, President Joe Biden claimed that “If Russia pursues cyberattacks against our companies, our critical infrastructure, we’re prepared to respond.”

These warnings, comments, and advisories show that there is a clear perception of increased cyber risk. The public sector and operators of critical infrastructure appear to be particularly vulnerable targets, so those operating in these sectors should continue to be on high alert.

Potential Upcoming Russian Cyber Attack Campaigns

It’s unclear how likely a Russian cyber attack on a Western nation is right now. The past actions of Russian cyber units indicate anything is possible. What is clear is that countries such as the United States and the United Kingdom are taking steps to prepare. Here are some potential upcoming Russian cybercrime campaigns to watch out for:

  • Targeting critical infrastructure: Statements from government officials in recent weeks have persistently referred to critical infrastructure. Cyber attacks on industrial control systems or even healthcare organizations pose threats to health and safety in addition to the monetary costs involved.
  • Data leaks: Russia has shown its willingness in the past to use information as a weapon. Threat actors lurking undetected in federal or other public sector networks may decide to leak confidential information in an attempt to sow discord. Spear phishing campaigns on public sector employees may provide new entry points into public sector IT networks.
  • Supply chain attacks: Russian cyber units may use existing footholds in software supply chains to initiate an attack that mimics SolarWinds and leads to widespread data breaches of government data.

While the risk of attack in the current environment may be high, there are steps you can take to be better prepared and stay protected against potential threats. We recommend you prioritize the following (in this order):

  • Patch or remediate any critical internet-facing vulnerabilities that could be leveraged by an attacker to gain a foothold within the environment.
  • Make sure that all endpoints have up-to-date endpoint protection, preferably an up-to-date EDR agent installed on all systems.
  • Patch internal vulnerabilities that are commonly used by attackers to compromise an endpoint.
  • Geo-block Russian IP address ranges on the NGFW if you do not do business with this region.

Closing Thoughts

If and when Russia decides to strike back against the West using its cyber attack arsenal, public and private sector organizations face the challenge of detecting potential cyber attacks quickly and responding before they spread and do serious damage. While proper cyber hygiene is a great start, you need around-the-clock monitoring to ensure you’re catching attacks before they cause damage.

Proficio’s managed detection and response service provides 24/7 investigation and incident remediation capabilities to help organizations manage threats and reduce business risk in this potentially dangerous new cybersecurity landscape. To better protect our clients in these uncertain times, Proficio is deploying additional, targeted monitoring solutions to detect and respond to these attacks. To learn more about how Proficio can help keep your organization secure, contact us.

Key Takeaways from the SolarWinds Compromise

FireEye has recently released a detailed report on a global supply chain cyber-espionage campaign that utilizes compromised SolarWinds Orion software updates to distribute a backdoor codenamed “SUNBURST” by FireEye.

This particular campaign was announced by FireEye to be associated with a breach reported earlier, on the 8th of December 2020, where it was revealed that attackers had gained access to FireEye’s environment, attempted to obtain information relating to certain US government customers, and stole some of their Red Team tools.

FireEye isn’t the only organization using SolarWinds Orion software: the malicious updates were pushed to 18,000 other customers of the SolarWinds Orion platform, including Microsoft, the US Treasury and Commerce Departments, the Department of Energy and the National Nuclear Security Administration. Of course, not all organizations affected were actively targeted and breached by the threat group. The majority of the targets were located in the United States and the rest in seven other countries: Canada, Mexico, Belgium, Spain, the United Kingdom, Israel and the UAE.

At this time, it is too early to say that we have a full understanding of the scope of the SolarWinds compromise. The number of organizations impacted is based on very limited visibility with an expectation that we understand all the compromise routes and adversary command and control capabilities. We do not know that to be true and more time is needed before we can say that we have a complete idea of the scale and scope of the compromise. Everything we know at this time relates to cyber-espionage and US national security institutions and there are no indications that most customers of SolarWinds Orion are actively breached by the threat group.

There are also no indications that the SolarWinds compromise was the only way in which the adversary could have gotten to their targets. The Cybersecurity and Infrastructure Security Agency has evidence that there are initial access vectors other than the SolarWinds Orion platform. As mentioned previously, we recommend following the remediation measures recommended by CISA (https://us-cert.cisa.gov/ncas/alerts/aa20-352a). Even if your organization isn’t an active target of this threat group, there is no reason to leave a backdoor into your network lying around if you are using the affected versions of SolarWinds Orion.

Some Interesting Details

Proficio has issued several advisories regarding the SolarWinds compromise and will be issuing more advisories as we learn more about the compromise. We are also in the midst of conducting an ongoing threat hunting campaign. Here are some of the interesting details that will shed light on the lessons we can draw from this campaign thus far.

  1. The SolarWinds hackers did a test run of the spy operation in October 2019, when malicious SolarWinds files were first downloaded by customers. That version did not contain a backdoor, but it indicates that the hackers were dwelling in SolarWinds’ network in 2019, if not earlier.
  2. FireEye first discovered the breach when hackers utilized stolen employee credentials to register their own device to FireEye’s MFA system so as to receive the employee’s unique access codes. FireEye’s security system sent an alert to the employee and to the company’s security team saying a new device had just been registered to the company’s MFA system as if it belonged to the employee, prompting FireEye to investigate. FireEye uncovered the SolarWinds breach into their network while trying to determine how the hackers obtained the employee’s credentials to register their device.
  3. The SUNBURST backdoor is only an initial persistent entry point used to deploy other tools to take root and subtly compromise the network configuration to allow future access. Remediating the SolarWinds breach is only the first step to be taken. The SUNBURST backdoor is known to distinguish between malleable detectors (services modified and tracked in the config file) and dealbreakers (running processes that will make SUNBURST abort immediately). Malleable detectors include several AV/EDR agents, while dealbreakers include several generic and specialized forensic tools, one of those being Sysmon. The distinction between the buckets of target system processes/drivers for evasion purposes is pretty important. Upon encountering one of the 8 malleable detection product families, SUNBURST takes a backup of the SCM ACL for the service, modifies the ACL to take ownership and disables the service. Before going dormant, SUNBURST restores the original ACL and settings. This means that:
    1. Installed dealbreaker drivers prevent execution of SUNBURST completely.
    2. Dealbreaker processes running at the time prevent job execution at that time.
    3. The 8 AV/EDR products would not have been very effective at preventing actions taken by SUNBURST unless anti-tampering settings are cranked up.

Lessons to Take Away

The SolarWinds compromise is a good case study of the impact, scale and scope of a supply chain compromise by a serious and capable adversary. It is important for us to draw the right lessons rather than chasing buzzwords and whatever is popular and trendy.

  1. Most organizations should not shift all their focus to supply chain attacks. Most organizations do not have sufficient visibility, network segmentation, administrative tiering, insider threat programs, sufficient detection and response, backups and asset management capabilities and those pose far more risks in terms of actual impact on most organizations. Supply chain compromises are incredibly serious, but they are far from being the only way organizations get hit by serious cyber-attacks.
  2. Prevention is increasingly a no-win game. Well-orchestrated supply chain compromises are almost impossible to prevent. However, where prevention can fail, detection and response can succeed, and did succeed in this case. FireEye was able to detect and respond correctly to the actions of a capable nation-state adversary. Organizations should look to beef up their detection and response capabilities, either internally or with a managed detection and response partner like Proficio.
  3. The success of detection and response actions depends significantly on basic visibility and monitoring. DNS logs play a key role in identifying if a breach has taken place, and other activity indicators include file-write events to the ‘SolarWinds Orion DLL config file’, as well as changes to services in the registry while using any one of the 8 AV/EDR families tracked by the SUNBURST backdoor.
    1. In fact, the adversary does not even attempt to infect your network if it looks like you are watching the machine with something as simple and as effective as Sysmon. This means that the adversary knows that such dealbreakers work very effectively against them.
    2. That is not to say that FireEye and other organizations do not have monitoring in place, but the tools in place may simply not have been on the list of SUNBURST dealbreakers.
  4. Make use of defence-in-depth principles when crafting a detection strategy, covering visibility, logging, and detection and response capabilities. EDR and NDR solutions provide the ability to detect and rapidly contain threats, and should be complemented with solutions focusing on complete visibility and logging like Zeek and Sysmon. Reach out to Proficio to find out more about how we can help you create a more complete detection strategy.
  5. Make use of multi-factor authentication where possible and ensure that you have a robust asset management program. FireEye first discovered the breach when hackers utilized stolen employee credentials to register their own device to FireEye’s MFA system, and catching that requires both robust asset management and the use of multi-factor authentication.
  6. Enhance actual detection and response bandwidth and capability by reducing noise and excessive alerting. Reach out to Proficio to understand how we can help you enhance your existing capabilities by helping you to focus on what matters most.
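The service-tampering behaviour described in the SUNBURST detail above (taking over a security service’s SCM ACL, disabling it, then restoring the settings before going dormant) and the service-change indicators listed under lesson 3 can be turned into a simple log check. The following is an added example, not code from the original post or from FireEye; the Service Control Manager log lines are constructed and the watched service names are an assumed watchlist to be filled from your own AV/EDR inventory.

```python
"""Flag Service Control Manager events matching the SUNBURST tampering pattern:
a watched security service's start type changed to disabled, the service
stopping, and the start type later being restored (cleanup before dormancy)."""
import re
from collections import defaultdict

# Assumption: replace with the service names of the AV/EDR products you run.
WATCHED_SERVICES = {"WinDefend", "Sense", "ExampleEDRAgent"}

# Constructed sample of Windows System log records: (host, event id, message).
SAMPLE_EVENTS = [
    ("srv01", 7040, "The start type of the WinDefend service was changed from auto start to disabled."),
    ("srv01", 7036, "The WinDefend service entered the stopped state."),
    ("srv02", 7036, "The Spooler service entered the running state."),
    ("srv03", 7040, "The start type of the ExampleEDRAgent service was changed from auto start to disabled."),
    ("srv03", 7040, "The start type of the ExampleEDRAgent service was changed from disabled to auto start."),
]

# Message formats of SCM event 7040 (start type changed) and 7036 (state changed).
START_TYPE_RE = re.compile(r"start type of the (?P<svc>\S+) service was changed from (?P<old>.+?) to (?P<new>.+?)\.")
STATE_RE = re.compile(r"The (?P<svc>\S+) service entered the (?P<state>\w+) state\.")

def parse_event(event_id, message):
    """Return (service, action) for a 7040/7036 record, or None if it does not parse."""
    if event_id == 7040:
        m = START_TYPE_RE.search(message)
        if m:
            return m.group("svc"), ("disabled" if m.group("new") == "disabled" else "restored")
    elif event_id == 7036:
        m = STATE_RE.search(message)
        if m:
            return m.group("svc"), m.group("state")
    return None

def find_tampering(events, watched=WATCHED_SERVICES):
    """Return {host: [alert, ...]} for watched services that were disabled, stopped,
    or had their start type restored. A restore is alerted rather than treated as
    benign because SUNBURST restores the original settings before going dormant."""
    alerts = defaultdict(list)
    for host, event_id, message in events:
        parsed = parse_event(event_id, message)
        if not parsed or parsed[0] not in watched:
            continue
        svc, action = parsed
        if action == "disabled":
            alerts[host].append(f"{svc}: start type set to disabled")
        elif action == "stopped":
            alerts[host].append(f"{svc}: service stopped")
        elif action == "restored":
            alerts[host].append(f"{svc}: start type restored (possible cleanup)")
    return dict(alerts)

if __name__ == "__main__":
    for host, items in find_tampering(SAMPLE_EVENTS).items():
        print(host, items)
```

A disable followed by a stop on the same host within a short window is the strongest signal; a lone restore on a host with no matching disable in the retained logs is worth pulling the full System log for.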

Attacker: Grizzly Steppe

Russian state-sponsored cyber actors appear to be performing worldwide cyber exploitation of enterprise-class and SOHO/residential network infrastructure devices (e.g., router, switch, firewall and Network-based Intrusion Detection System (NIDS) devices). This campaign, particularly the choice of protocols and devices, appears to have some overlap with earlier reports detailing the vulnerability CVE-2018-0171, as well as reports detailing cyber-attacks on network infrastructure utilizing vulnerabilities in Smart Install (SMI).

This attack was an attempt to exploit vulnerabilities in routers and switches which was intended to advance spying, intellectual property theft and other malicious activity. It is feared that the exploited routers could be used to launch future offensive cyber operations.

Do note that Russian cyber actors do not actually need to leverage zero-day vulnerabilities or install malware to exploit the devices. They are taking advantage of the following older, existing vulnerabilities:

  • Devices with legacy unencrypted protocols or unauthenticated services
  • Devices that are insufficiently hardened before installation
  • Devices that are no longer supported with security patches by manufacturers or vendors, such as end-of-life devices

Affected Systems:

  • Generic Routing Encapsulation Enabled Devices
  • CISCO Smart Install Enabled Devices
  • Simple Network Management Protocol Enabled Devices

Proficio Threat Intelligence Recommendations:

  • Regularly inspect firewall policies that have Cisco Smart Install (TCP port 4786) open to the internet and make sure they are set to only allow the IP ranges that are required for the connection
  • Regularly inspect firewall policies that have telnet open to the internet and close the connection
  • Mitigate the risks of compromised credentials by utilizing multi-factor authentication and strong password policies for all accounts, with special emphasis on any external-facing interfaces and high-risk environments
  • Restrict internet access to the management interface of any network device
  • Configure network devices before installing onto a network exposed to the internet. If SMI must be used during installation, disable SMI with the “no vstack” command before placing the device into operation
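The recommendations above can be checked against a device’s running configuration before it goes into service. The following is an added example, not from the original advisory or from Cisco: it audits a Cisco IOS-style configuration for Smart Install left enabled (no “no vstack”), telnet accepted on vty lines, and SNMP communities that are default strings or read-write. The configuration excerpt is constructed and the default-community list is an assumption.

```python
"""Audit a Cisco IOS-style running config for the exposures named in the advisory."""
import re

# Constructed running-config excerpt for an edge switch (not a real device).
SAMPLE_CONFIG = """\
hostname edge-sw1
!
snmp-server community public RO
snmp-server community netops-rw RW
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
end
"""

# Assumption: well-known default community strings worth flagging.
DEFAULT_COMMUNITIES = {"public", "private"}

def audit_config(text):
    """Return a list of (severity, finding) tuples for the given config text."""
    findings = []
    lines = [l.rstrip() for l in text.splitlines()]

    # Smart Install: the advisory says to disable it with 'no vstack'.
    if "no vstack" not in lines:
        findings.append(("high", "Smart Install not disabled: add 'no vstack'"))

    # Telnet on vty lines: walk each 'line vty' block and its indented sub-commands.
    current = None
    for l in lines:
        m = re.match(r"line vty (\d+) (\d+)", l)
        if m:
            current = f"vty {m.group(1)}-{m.group(2)}"
            continue
        if current and l.startswith(" transport input") and "telnet" in l.split():
            findings.append(("high", f"{current}: telnet accepted, use 'transport input ssh'"))
        if l and not l.startswith(" "):
            current = None  # an unindented line ends the vty block

    # SNMP: default community strings and read-write access.
    for l in lines:
        m = re.match(r"snmp-server community (\S+)\s+(RO|RW)", l)
        if not m:
            continue
        name, mode = m.groups()
        if name in DEFAULT_COMMUNITIES:
            findings.append(("high", f"SNMP community '{name}' is a default string"))
        if mode == "RW":
            findings.append(("medium", f"SNMP community '{name}' grants read-write access"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit_config(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```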
