Prepare your Organization for Potential Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure

This UDTSecure Cyber Alert recommends what to look for and shares intelligence sources for more detailed information

UDT remains vigilant of the escalating hostilities between Russia and Ukraine and the growing concern of cyber-attacks attempting to disrupt critical infrastructure services in the United States. At this point, we highly recommend our clients take immediate and precautionary measures to ensure security controls are working as designed and indicators of compromise identified which historically have been tied to these nation state actors. This UDTSecure Cyber Alert recommends what to look for and shares intelligence sources for more detailed information.

We remain on a high state of vigilance given the current environment and will continue to issue important alerts as we identify them.

If you believe you are seeing indicators of compromise (IOC) mentioned in this alert or suspicious activities in general, do not hesitate to contact us directly at 1800-882-9919

INITIAL REVIEWS

Review your incident response plan and confirm all team members have access to the latest and approved copy of the plan. We recommend performing an incident response tabletop exercise that plays out a scenario based on a ransomware and DDoS attack. This will identify weaknesses in the plan itself.
Validate your Cybersecurity Liability Insurance not just to make sure its active but to ensure it covers losses caused by a ransomware attack. Now is the time to understand the type of coverage and policy your organization has and what triggers a claim.
Review listing of Mission Critical Systems with respective system and business owners. Then perform the following review on those assets:
1. Prioritize the systems by referencing the latest version of the Business Impact Analysis
2. Review which users have access to those systems especially those with admin privileges. Remove those which have not logged on for more than 60 days.
3. All users having access to these systems should have MFA enabled accounts along with the use of Complex Password Policies.
4. Validate these systems have logging enabled and the latest AV/Malware versions installed
5. Monitor these systems and ensure detection policies for any changes to files or user account privileges. Alerts should also trigger command line or PowerShell scripting executions
Disable storage of clear text passwords in LSASS memory
Conduct a user access review of all AD users. Remove those with no need to access the system.
Apply strong and complex password policies to all Service Accounts
Consider disabling LLMNR/NTBIOS services from the network. This is highly used to conduct LLMNR poisoning techniques in Brute Force and Password Harvesting. Test first by using a small sample set of systems before rolling out to the enterprise
Disable Microsoft’s Online Web Access (OWA) which allows users to access their emails. All users should be logging on to O365 applications directly with MFA. OWA has no authentication techniques available and is highly leveraged by attackers once they have stolen credentials
Verify the latest versions of backups. Spot those jobs which have a pattern of failing and verify what data is contained. More importantly, validate failed jobs are redone and completed successfully.
1. Ensure you maintain three separate copies of backups and that at least one is maintained securely offline
2. Confirm configuration settings for mission critical systems and network devices are included in the backups
Confirm firewall Inbound and Outbound traffic are updated by referencing OFAC Country Lists. The same should be applied for Microsoft Geo Detection Rules for email traffic
Consider removing Local Domain Admin Privileges from users that have no need for this.
Notify employees and staff to remain vigilant of suspicious emails due to the heighten state we’re currently in. We recommend you do this sooner rather than later.
Perform External Vulnerability Scans to identify Critical or High vulnerabilities on internet facing systems. Perform recommended mitigations or apply patches accordingly. Critical vulnerabilities should be remediated within 15 days and Highs within 30-day period. Prioritize mitigation activities to mission critical systems first.
Once the External Vulnerabilities have been completed, perform the Internal network vulnerability scans.
Filter emails containing executable files to prevent them from reaching end users

3^rd Party Vendor Vigilance

Russian state-sponsored actors have compromised third-party infrastructure, third-party software, or developing and deploying custom malware. The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments including cloud environments by using legitimate credentials.

We recommend that you request a copy of your 3^rd Party Vendor’s SSAE-16/18 SOX Attestation Report immediately to verify what compensating controls the 3^rd party provider recommends you deploy in your environment to secure access between both parties.

TECHNICAL DETAILS

Historically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics including spear phishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security to gain initial access to target networks.

Top vulnerabilities known to be exploited by Russian state-sponsored APT actors for initial access include:

CVE-2018-13379 FortiGate VPNs
CVE-2019-1653 Cisco router
CVE-2019-2725 Oracle WebLogic Server
CVE-2019-7609 Kibana
CVE-2019-9670 Zimbra software
CVE-2019-10149 Exim Simple Mail Transfer Protocol
CVE-2019-11510 Pulse Secure
CVE-2019-19781 Citrix
CVE-2020-0688 Microsoft Exchange
CVE-2020-4006 VMWare (note: this was a zero-day at time.)
CVE-2020-5902 F5 Big-IP
CVE-2020-14882 Oracle WebLogic
CVE-2021-26855 Microsoft Exchange (Note: this vulnerability is frequently observed used in conjunction with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)

DETECTION

To detect password spray activity, review authentication logs for system and application login failures of valid accounts. Look for multiple, failed authentication attempts across multiple accounts.

To detect use of compromised credentials in combination with a VPS, follow the below steps:

“Impossible Logins” from users utilizing two IPs which originate from geographic locations that are significantly distant.
Review detection and alerting for program execution command line indicating credential dumping, especially attempts to access or copy the ntds.dit files from a domain controller
Alerting on suspicious privileged account use after resetting passwords
Identify Service Accounts with privilege access which they should not have. Especially those service accounts accessing multiple applications or services.
Alert on unusual activities originating from dormant accounts
Detection of a single IP used for multiple accounts

INCIDENT RESPONSE

If you suspect potential APT activity in your IT networks, take the following steps:

Immediately understand the perceived source of the attack. Isolate affected systems.
Scan backup data with AV program to ensure its free of malware. Try and restore the backups in a test environment first
Contact a 3^rd party Incident Response Company with significant experience conducting incident response investigations
Collect and store relevant logs, data and artifacts. Do not perform analysis on affected systems without first creating an image of the affected systems. Analysis must be done on the copy and not the affected system itself.

Accomplish More With UDT

Get your custom solution in cybersecurity, lifecycle management, digital transformation and managed IT services. Connect with our team today.

More to explore

2024 Will Test Cybersecurity Leaders: Is Your Company Ready?

Experts say new AI-driven threats and an election year will spell trouble for companies.

K12 Budgeting: Planning Your 1:1 Device Refresh Program Cost

As K12 education evolves, managing 1:1 device programs effectively is crucial. These programs, providing each student with a personal computing device, play a pivotal role in modern education. Success demands strategic planning, communication, foresight, and a holistic approach to device management. With digital learning on the rise, these devices are more than just tools for accessing information; they are platforms for interactive, core learning experiences. However, funding remains a significant hurdle, making effective budgeting for your device refresh program essential for optimizing ROI and device longevity.

Crafting a Futureproof 1:1 Device Strategy for School Districts

In the evolving landscape of Education Technology, crafting a futureproof 1:1 device strategy is crucial. This strategy should link every student, teacher, and administrator experience with specific device specifications. The integration of educational apps into the curriculum can significantly enhance the learning environment. These apps, tailored to the needs of students, can provide interactive content, fostering a dynamic learning experience.

Optimizing Your K12 Tech Investments: Funding 1:1 Device Programs

This blog will guide school districts grappling with the financial and resource demands of implementing a successful 1:1 device program amid ongoing challenges of budget constraints and competing priorities. Our guided workbook, created in partnership with Intel, provides further support with personalized roadmap on “Pathways to Innovation: Building a Sustainable Digital Learning Environment”.

K12 Cybersecurity: How to Secure 1:1 Devices in Your School District

This blog post delves into the importance of security, cybersecurity, and data privacy in school districts implementing 1:1 device initiatives. It offers basic steps for evaluating, planning, and executing a security strategy. Our guided workbook, created in partnership with Intel, provides a personalized roadmap on “Pathways to Innovation: Building a Sustainable Digital Learning Environment”.

Lost & Stolen Devices are a Serious Data Security Threat—Here’s Why

Since the pandemic, remote and hybrid work has become the norm. While mobile devices and remote workstations have empowered great flexibility, it has also led to an increase in data security problems due to lost, misplaced, or stolen devices. Find out how remote and hybrid setups are contributing to this problem and how to protect yourself and your organization.