Advice following malicious activity in Ukraine

—– 24/03/22, 09:30 update —–

Further to our update 2 days ago, the White House has doubled down on their warnings, confirming some ‘preparatory activity’ that could indicate a potential attack on Critical National Infrastructure (CNI) organisations. This activity includes vulnerability scanning and website probing and the White House has shared classified information relating to this with organisations they believe may be a target.

They are quick to comment that this does not mean there is certainty in future cyber-attacks, but simply reshare their advice on being prepared. Whilst this is obviously US related and no evidence has yet been surfaced of attacks on the UK, there is a reasonable likelihood that if the US is attacked, the UK may also be. In addition, depending on the targets of any attacks on the US, UK organisations may be impacted.

Our advice remains the same as it has throughout these updates, in ensuring organisations practice good incident response, from bare-metal backups with ‘break-glass accounts’ and getting 24/7 monitoring as soon as possible.

—– 22/03/22, 17:30 update —–

The National Cyber Security Centre (NCSC) has supported the White House’s call for increased cyber security precautions in response to the invasion of Ukraine and response to the sanctions imposed on Russia by world leaders, as we shared in our last update.

—– 17/03/22, 14:00 update —–

As we start to get more of a picture of the cyber threats as a result of the Ukraine invasion, we’ve provided another short update. There has been a lot of cyber activity reported, with a number of localised attacks, mostly using Wiper Malware and DDoS attacks, on both Ukraine and Russia.

We have yet to see any uptake in significant attacks on organisations outside of Russia and Ukraine, both the US and Australian Cyber Security Agencies have issued alerts encouraging organisations to take action to mitigate the threat from destructive malware targeting organisations within Ukraine.

Our advice remains the same as it has throughout this blog, in practicing good backup restoration, from ‘bare metal’ backups and ‘break-glass accounts’.

It’s also important to remain vigilant for ‘traditional’ ransomware attacks (i.e. not designed to be destructive), especially as the sanctions placed on Russia continue to have a significant economic impact, both locally and across the world. Naturally, ransomware will be a way to make financial gain as a result of the economic challenges.

This update serves as a reminder of best practice, which our customers will have through our SOC services. Vigilence against ransomware and good incident response practice are as important as ever.

—– 07/03/22, 13:30 update —–

Trend Micro have released a new resource, detailing the Indicators of Compromise (IOC) used in cyber attacks related to the Russia-Ukraine conflict. It looks at threat actors (Conti) and specific malware and hashes related to them. You can view this resource here.

—– 24/02/22, 12:00 update —–

The NCSC has reiterated their guidance in urging UK organisations to act in relation to the ongoing situation in Ukraine.

With the latest reports of Russian military action in Ukraine, we have also seen evidence of Distributed Denial of Service (DDoS) attacks: taking down websites by overloading target IP addresses with traffic for sustained periods of time.

Cloudflare reports (via zdnet) that the DDoS attacks seen so far have been ‘relatively modest’ compared to attacks they’ve seen previously. Interestingly, Cloudflare also state that there has been more DDoS activity this week compared to the previous week, but less than a month ago. The targets so far have focused on Ukraine’s government and banking institutions.

In addition, ESET Research has discovered the use of ‘wiper malware’, named Hermetic Wiper. The objective here is as discussed in our original blog below – a destructive attack with no concern for stealing data or money, simple destroying machines and preventing organisations from working.

What next?

As the NCSC advises, initially, there are unlikely to be any (more than normal) overt Russian cyber-attacks on other countries, including the United Kingdom. However, as was the case with NotPetya (as detailed below), there is a higher chance of UK organisations being ‘collateral damage’ in a wider supply chain attack as malware is injected into commonly used software and/or organisations.

Clearly, we don’t know what may happen beyond this and anything suggested would be nothing more than speculation. Whatever happens next will strongly depend on how those opposed to Russia respond and the reciprocal response from Russia. However, we can expect further destructive attacks, both in the form of a ‘traditional’ DDoS attack and through tools similar to the wiper malware towards Ukrainian organisations, which can have a knock-on effect on UK organisations.

It’s worth noting that DDoS attacks are unlikely to be used more widely, but there is a risk that disruptive attacks against Ukraine’s Internet (such as DDoS or BGP related attacks) could have wider knock-on effects.

Could escalations such as sanctions increase the likelihood of wider attacks on the UK?

Yes, it’s possible that a wider campaign could result from sanctions – i.e., an increase in cyber-attacks because of increased sanctions. These could target any organisation but may be focused on where the largest impact would be – financial, political or utilities for example. Any organisation connected to Ukraine may be more at risk.

What about Australia?

Most of the UK news has been focused on the US and Europe, but there was similar advice from ACSC on yesterday (23rd Feb 2022) as it encouraged Australian organisations to ‘urgently adopt an enhanced cyber security posture’ in light of the heightened threat environment.

Our advice here remains relevant for our colleagues and customers in Australia.

What can organisations do to protect themselves?

Keep up to date with the latest guidance from experts such as the NCSC, CISA, ACSC, and any trusted advisors you work with.

Our guidance remains the same as below, organisations should practice incident response plans, with a particular focus on destructive attacks, making offline backups even more critical than normal.

To support with incident response, especially when it comes to being able to rapidly isolate files and machines, deploying an Endpoint Detection and Response tool to all end user devices and servers will go a long way to help, both with incident response as well as giving a quick view of the network. Clearly, this is not the same as asset management and other tools, but in the absence of proper process, will give you a good starting point in understanding your software, processes running, patch status, privilege status and more.

Naturally, ensuring you have 24/7 cyber security monitoring in place will be critical to detect and respond to attacks, to be able to then respond appropriately. You should be reviewing the data available to defensive cyber security operations, whether that be in-house or outsourced. Where possible go beyond log sources into network traffic as well.

The fact remains that good cyber security awareness, hygiene and processes will put organisations in a good position to protect themselves, especially given the rapidly changing landscape.

What if nothing happens?

Obviously, that would be excellent news. But, as with our original blog, it’s well worth taking note of the guidance as it will only set up your organisation to be more secure in the future – all of this guidance is general best practice, albeit at a slightly different level of priority than may normally be needed.

If you would like to talk through your incident response plans, or just have a chat on best practice, please don’t hesitate to get in touch via https://www.e2e-assure.com/contact.

—– 03/02/22, 10:00 update —–

We have published a blog with more detail on the importance of proper incident response planning, with particular focus on restoring from backups when your whole network could be taken out.

—– 28/01/22, 14:00 update —–

We will be updating this blog with more advice as the situation develops – this will, by nature, be generic advice, please continue to contact the SOC or your Account Manager for more specific advice relating to your organisation. For non-customers, please contact us to discuss your requirements.

Urgent advice following malicious activity in Ukraine

Today (28th of January 2022), the UK National Cyber Security Centre (NCSC) encouraged all organisations to take action and bolster their cyber security resilience in response to a string of malicious cyber incidents in and around Ukraine.

What’s happening?

In short, recent cyber incidents in and around Ukraine fit patterns previously observed with the extremely destructive NotPetya attack and the current cyber threat level should be treated as the same.

The difference between NotPetya and other ‘ransomware’ attacks is the intended outcome. The objective is not to ransom organisations, but to destroy their networks and stop businesses and CNI from operating. Even if organisations may not think they are of interest, due to the nature of a potential nation state supply-chain attack, many will be collateral damage to a broader set of targets.

Nation State attackers will know the most common software used by their targets and likely seek to infect that with malware, pushing it out in future software updates, infecting thousands of organisations.

The biggest concern with this type of attack is that it falls firmly in the unknown threat space – nobody yet knows what software may be targeted or the attack surfaces and vectors used, meaning BAU cyber security operations may not be enough.

Our advice

Underpinning any good security operation is decent security monitoring, best practice security design, implementation and preparedness. Currently, the biggest concern is the ability to react quickly to the unknown. There could be a never-seen-before attack, or a re-use of a well-known existing vulnerability, even log4j – the problem is that security teams can’t be sure what to look for at this stage. Some organisations may feel that there is little that can be done to prevent a Nation State attack, whilst it is more challenging than most ‘regular’ attacks and attackers, there are steps all organisations can take to reduce their risk.

At this point in time, the priority should be on simple, meaningful advice – there are a host of things organisations can do to improve their cyber security, but given the likely nature of a potential attack, the priorities should be:

  • Deploy Endpoint Detection and Response (EDR) as widely as possible - deploy EDR to all end user devices and servers, if necessary, running it alongside existing Anti-Virus (AV), and give e2e access to this. EDR gives you a quick view of software and patch status, processes running, privilege status, files, registry and more. We recommend that all organisations without EDR purchase and deploy it rapidly, giving e2e access. We don’t sell EDR tools so have no financial benefit to recommending this, it’s simply the quickest and easiest way to integrate with our SOC, increasing your protection level rapidly. Isolating files and machines needs to be at the top of your agenda, and EDR massively helps with this as well as giving us the ability to determine if you have impacted software and hunt for indicators of both attack and compromise.

  • Test your incident response plans - as the nature of attack may well be to destroy (if similar to NotPetya then this will be the sole purpose), test your incident response plans to ensure that you can isolate areas of your network rapidly and minimise potential damage. We’re not just talking about end user devices here – how quickly can you disconnect your internet; WAN links, WiFi or other networks and whilst you manage the impact of an incident? Nation state activity like this typically isn’t known to (AV) until after they’ve achieved their goals, be that destruction, espionage, or simple using organisations as a route into another target. e2e will be working with all customers to test incident response plans.

  • Ensure your service is 24x7 - at least while tensions in the region remain high, ensure your security operations runs 24x7. SOC teams should always be mindful of the wider geopolitical situation and current threat landscape, and this is no different. However, there is a greater need for vigilance and preparedness, which the advice above will support. If your service is not currently operating 24x7, get in touch with your provider immediately to get this set up and increase your collective ability to react.

  • Keep your information up to date - we will help all organisations with this and provide news and updated guidance based on what comes out in the next few weeks and months. Ensure you are also keeping up to date on the NCSC guidance and e2e’s blogs and threat briefs within Cumulo. For the NCSC to be talking about this, it means that the threat should be treated seriously.

None of this is a replacement for the advice in the NCSC guidance, but simply serves as a way of prioritising the most beneficial actions. Of course, continuing to patch, checking backups and implementing MFA are good practice.

Summary

It’s easy to say that threats like this are too difficult to prepare against, due to the unknown nature of Nation State attacks, but that’s simply not true. Good security principles, monitoring and (well-rehearsed) incident response plans, with 24x7 support from a trusted expert, will put you in a better position. There are also benefits in that these steps will put you in a better position for any future cyber-attacks from any skill level of attacker, including cyber criminals.

There are a range of other things that can be done, but the four points above will put organisations in the best position, in the shortest time. We will be sharing further guidance as time goes on and working with customers to improve other areas, such as securing key assets, updating detections, rules, use cases and playbooks, but for now prioritisation is key.

Written on January 28, 2022