UDT remains vigilant of the escalating hostilities between Russia and Ukraine and the growing concern over cyber-attacks attempting to disrupt critical infrastructure services in the United States. We highly recommend our clients take immediate precautionary measures to ensure security controls are working as designed and to look for the indicators of compromise (IOCs) that have historically been tied to these nation-state actors. This UDTSecure Cyber Alert recommends what to look for and shares intelligence sources for more detailed information.
We remain on a high state of vigilance given the current environment and will continue to issue important alerts as we identify them.
If you believe you are seeing indicators of compromise (IOCs) mentioned in this alert, or suspicious activity in general, do not hesitate to contact us directly at 1800-882-9919.
INITIAL REVIEWS
- Review your incident response plan and confirm all team members have access to the latest and approved copy of the plan. We recommend performing an incident response tabletop exercise that plays out a scenario based on a ransomware and DDoS attack. This will identify weaknesses in the plan itself.
- Validate your cyber liability insurance, not just to make sure it is active but to ensure it covers losses caused by a ransomware attack. Now is the time to understand the type of coverage and policy your organization has and what triggers a claim.
- Review the list of mission critical systems with their respective system and business owners. Then perform the following review on those assets:
  - Prioritize the systems by referencing the latest version of the Business Impact Analysis
  - Review which users have access to those systems, especially those with admin privileges. Remove access for accounts that have not logged on in more than 60 days.
  - All users with access to these systems should have MFA-enabled accounts and be subject to a complex password policy.
  - Validate that these systems have logging enabled and the latest AV/anti-malware versions installed
  - Monitor these systems and ensure detection policies alert on any changes to files or user account privileges. Alerts should also trigger on command-line or PowerShell script execution
- Disable storage of clear-text passwords in LSASS memory (the WDigest UseLogonCredential setting)
- Conduct a user access review of all AD users. Remove accounts that have no business need for access.
- Apply strong and complex password policies to all Service Accounts
- Consider disabling LLMNR and NetBIOS Name Service (NBT-NS) on the network. LLMNR/NBT-NS poisoning is widely used to capture NTLM authentication hashes for relay or offline cracking during credential harvesting. Test first on a small sample of systems before rolling out to the enterprise
- Disable Outlook Web Access (OWA) on on-premises Exchange where possible. All users should be logging on to O365 applications directly with MFA. Internet-exposed OWA is commonly protected by username and password alone, with no MFA, and is heavily leveraged by attackers once they have stolen credentials
- Verify that the latest backup jobs completed. Identify jobs that have a pattern of failing and verify what data they contain. More importantly, validate that failed jobs are rerun and complete successfully.
- Ensure you maintain three separate copies of backups and that at least one is maintained securely offline
- Confirm configuration settings for mission critical systems and network devices are included in the backups
- Confirm firewall inbound and outbound geo-blocking rules are updated against the OFAC sanctioned-country lists. Apply the same to the Microsoft 365 geo-detection rules for email traffic
- Consider removing local administrator and Domain Admin privileges from users who have no need for them.
- Notify employees and staff to remain vigilant of suspicious emails given the heightened threat level we are currently in. We recommend you do this sooner rather than later.
- Perform external vulnerability scans to identify Critical or High vulnerabilities on internet-facing systems. Perform the recommended mitigations or apply patches accordingly. Critical vulnerabilities should be remediated within 15 days and Highs within 30 days. Prioritize mitigation of mission critical systems first.
- Once the External Vulnerabilities have been completed, perform the Internal network vulnerability scans.
- Filter emails containing executable files to prevent them from reaching end users
3RD PARTY VENDOR VIGILANCE
Russian state-sponsored actors have compromised third-party infrastructure and third-party software, and have developed and deployed custom malware. The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments, including cloud environments, by using legitimate credentials.
We recommend that you immediately request a copy of your 3rd party vendor's SSAE 18 SOC report (SOC 1 or SOC 2) to review the complementary user entity controls the provider expects you to implement in your environment to secure access between both parties.
TECHNICAL DETAILS
Historically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics including spear phishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security to gain initial access to target networks.
Top vulnerabilities known to be exploited by Russian state-sponsored APT actors for initial access include:
- CVE-2018-13379 FortiGate VPNs
- CVE-2019-1653 Cisco router
- CVE-2019-2725 Oracle WebLogic Server
- CVE-2019-7609 Kibana
- CVE-2019-9670 Zimbra software
- CVE-2019-10149 Exim Simple Mail Transfer Protocol
- CVE-2019-11510 Pulse Secure
- CVE-2019-19781 Citrix
- CVE-2020-0688 Microsoft Exchange
- CVE-2020-4006 VMware (note: this was a zero-day at the time)
- CVE-2020-5902 F5 Big-IP
- CVE-2020-14882 Oracle WebLogic
- CVE-2021-26855 Microsoft Exchange (Note: this vulnerability is frequently observed used in conjunction with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)
DETECTION
To detect password spray activity, review authentication logs for system and application login failures of valid accounts. Look for multiple, failed authentication attempts across multiple accounts.
To detect use of compromised credentials, including logins routed through a virtual private server (VPS), look for the following:
- "Impossible logins": one user authenticating from two IPs whose geographic locations are too far apart for the time between the logins
- Command-line execution indicating credential dumping, especially attempts to access or copy ntds.dit from a domain controller; review detection and alerting for this
- Suspicious privileged account use after password resets
- Service accounts with privileged access they should not have, especially service accounts accessing multiple applications or services
- Unusual activity originating from dormant accounts
- A single IP used for multiple accounts
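The password-spray, shared-source-IP and impossible-login checks above, as an added Python example (this is not code from the original alert or from any CISA product): it runs the three heuristics over a constructed authentication log. The log lines, the IP-to-location table that stands in for a GeoIP lookup, and the thresholds (five accounts in ten minutes for a spray, 900 km/h for travel) are assumptions chosen for illustration.

```python
"""Detection heuristics over constructed authentication log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample log (not from a real environment): timestamp user source_ip result
SAMPLE_LOG = """\
2022-02-24T07:00:00Z alice 198.51.100.8 SUCCESS
2022-02-24T08:00:01Z alice 203.0.113.10 FAIL
2022-02-24T08:00:03Z bob 203.0.113.10 FAIL
2022-02-24T08:00:05Z carol 203.0.113.11 FAIL
2022-02-24T08:00:07Z dave 203.0.113.11 FAIL
2022-02-24T08:00:09Z erin 203.0.113.10 FAIL
2022-02-24T08:00:40Z erin 203.0.113.10 SUCCESS
2022-02-24T08:30:00Z bob 192.0.2.55 SUCCESS
2022-02-24T08:45:00Z carol 192.0.2.55 SUCCESS
2022-02-24T09:00:00Z alice 198.51.100.7 SUCCESS
2022-02-24T10:00:00Z alice 192.0.2.200 SUCCESS
2022-02-24T12:00:00Z frank 198.51.100.7 FAIL
"""

# Constructed IP -> (lat, lon) table standing in for a GeoIP lookup (assumption).
GEO = {
    "198.51.100.7": (38.90, -77.04),  # Washington, DC area
    "198.51.100.8": (38.91, -77.03),  # Washington, DC area
    "192.0.2.55": (38.90, -77.04),    # Washington, DC area (rented VPS)
    "192.0.2.200": (1.35, 103.82),    # Singapore
    "203.0.113.10": (52.52, 13.40),   # Berlin
}


def parse_log(text):
    """Parse 'timestamp user ip result' lines into (datetime, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def detect_password_spray(events, min_accounts=5, window_minutes=10):
    """Time windows in which failed logons hit at least min_accounts distinct accounts.
    Grouping by time rather than by source IP also catches sprays that rotate through VPS/proxy IPs."""
    fails = sorted((ts, user, ip) for ts, user, ip, result in events if result == "FAIL")
    window = timedelta(minutes=window_minutes)
    hits, i = [], 0
    while i < len(fails):
        start = fails[i][0]
        chunk = [f for f in fails[i:] if f[0] - start <= window]
        accounts = {user for _, user, _ in chunk}
        if len(accounts) >= min_accounts:
            hits.append({"start": start, "accounts": sorted(accounts),
                         "sources": sorted({ip for _, _, ip in chunk})})
            i += len(chunk)  # skip past the window already reported
        else:
            i += 1
    return hits


def detect_shared_source(events, min_accounts=2):
    """Source IPs that successfully authenticated as min_accounts or more distinct accounts."""
    users_by_ip = defaultdict(set)
    for _, user, ip, result in events:
        if result == "SUCCESS":
            users_by_ip[ip].add(user)
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_accounts}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_impossible_travel(events, geo=GEO, max_kmh=900.0):
    """Consecutive successful logins by one user that would require more than max_kmh.
    IPs missing from the geo table are skipped rather than guessed."""
    logins = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "SUCCESS" and ip in geo:
            logins[user].append((ts, ip))
    hits = []
    for user, seq in logins.items():
        seq.sort()
        for (t1, ip1), (t2, ip2) in zip(seq, seq[1:]):
            if ip1 == ip2:
                continue
            km = haversine_km(geo[ip1], geo[ip2])
            hours = (t2 - t1).total_seconds() / 3600
            # Two different locations in the same second: treat as infinite speed (flag it).
            if hours <= 0 or km / hours > max_kmh:
                hits.append({"user": user, "from": ip1, "to": ip2, "km": round(km),
                             "kmh": None if hours <= 0 else round(km / hours)})
    return hits


def run(text=SAMPLE_LOG):
    events = parse_log(text)
    return {"password_spray": detect_password_spray(events),
            "shared_source": detect_shared_source(events),
            "impossible_travel": detect_impossible_travel(events)}


if __name__ == "__main__":
    for name, findings in run().items():
        print(f"{name}: {findings}")
```

On the sample data the spray check reports one window covering five accounts from two source IPs, the shared-source check reports the VPS address used by two accounts, and the travel check flags alice's DC-to-Singapore login one hour apart while ignoring her two nearby DC logins. To use it on real data, export failed and successful logon events (Windows event IDs 4625/4624, VPN or cloud sign-in logs) into the same four-field format and replace the constructed geo table with a real GeoIP lookup; shared corporate egress IPs and legitimate VPN endpoints will need an allow-list for the shared-source check.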
INCIDENT RESPONSE
If you suspect potential APT activity in your IT networks, take the following steps:
- Immediately determine the suspected source of the attack and isolate affected systems.
- Scan backup data with an AV program to ensure it is free of malware. Restore the backups in a test environment first.
- Contact a 3rd party incident response company with significant experience conducting incident response investigations
- Collect and store relevant logs, data and artifacts. Do not perform analysis on affected systems without first creating an image of them. Analysis must be done on the copy, not on the affected system itself.