Prepare your Organization for Potential Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure

This UDTSecure Cyber Alert recommends what to look for and shares intelligence sources for more detailed information

UDT remains vigilant of the escalating hostilities between Russia and Ukraine and of the growing concern over cyber-attacks attempting to disrupt critical infrastructure services in the United States. At this point we strongly recommend that our clients take immediate precautionary measures: confirm that security controls are working as designed, and hunt for the indicators of compromise that have historically been tied to these nation-state actors.

We remain on a high state of vigilance given the current environment and will continue to issue important alerts as we identify them.

If you believe you are seeing the indicators of compromise (IOCs) mentioned in this alert, or suspicious activity in general, do not hesitate to contact us directly at 1800-882-9919.


INITIAL REVIEWS

  • Review your incident response plan and confirm all team members have access to the latest approved copy of the plan. We recommend performing an incident response tabletop exercise that plays out a ransomware and DDoS attack scenario; this will identify weaknesses in the plan itself.
  • Validate your cybersecurity liability insurance, not just to make sure it is active but to ensure it covers losses caused by a ransomware attack. Now is the time to understand the type of coverage and policy your organization has and what triggers a claim.
  • Review the listing of mission-critical systems with their respective system and business owners, then perform the following review on those assets:
    1. Prioritize the systems by referencing the latest version of the Business Impact Analysis.
    2. Review which users have access to those systems, especially those with admin privileges. Remove those that have not logged on for more than 60 days.
    3. All users with access to these systems should have MFA-enabled accounts and be subject to a complex password policy.
    4. Validate that these systems have logging enabled and the latest AV/anti-malware versions installed.
    5. Monitor these systems and ensure detection policies cover any changes to files or user account privileges. Alerts should also trigger on command-line or PowerShell script executions.
  • Disable storage of clear-text passwords in LSASS memory.
  • Conduct a user access review of all AD users. Remove those with no need to access the system.
  • Apply strong and complex password policies to all service accounts.
  • Consider disabling LLMNR/NetBIOS name services on the network. They are heavily used in LLMNR poisoning techniques for brute force and password harvesting. Test first on a small sample set of systems before rolling out to the enterprise.
  • Disable Microsoft’s Online Web Access (OWA), which allows users to access their email. All users should be logging on to O365 applications directly with MFA. OWA has no authentication techniques available and is heavily leveraged by attackers once they have stolen credentials.
  • Verify the latest versions of backups. Spot those jobs which have a pattern of failing and verify what data they contain. More importantly, validate that failed jobs are rerun and completed successfully.
    1. Ensure you maintain three separate copies of backups and that at least one is maintained securely offline.
    2. Confirm that configuration settings for mission-critical systems and network devices are included in the backups.
  • Confirm that firewall inbound and outbound traffic rules are updated by referencing the OFAC country lists. The same should be applied to Microsoft geo-detection rules for email traffic.
  • Consider removing local domain admin privileges from users that have no need for them.
  • Notify employees and staff to remain vigilant of suspicious emails given the heightened state we are currently in. We recommend you do this sooner rather than later.
  • Perform external vulnerability scans to identify Critical or High vulnerabilities on internet-facing systems. Perform recommended mitigations or apply patches accordingly. Critical vulnerabilities should be remediated within 15 days and High vulnerabilities within 30 days. Prioritize mitigation activities on mission-critical systems first.
  • Once the external vulnerability scans have been completed, perform the internal network vulnerability scans.
  • Filter emails containing executable files to prevent them from reaching end users.
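The 60-day stale-access check (step 2 of the mission-critical system review above) and the wider AD user access review, as an added example in Python; this is not code from UDT or from the original alert. It assumes a CSV export of AD users with the columns SamAccountName, Enabled, LastLogonDate and MemberOf, of the kind Get-ADUser piped to Export-Csv can produce; the sample rows, the privileged-group list and the column names are constructed assumptions.

```python
"""Stale-access review: flag enabled accounts with no logon in more than 60 days,
privileged accounts first. Added example, not part of the original alert."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not real accounts). Group memberships are ';'-separated.
SAMPLE_EXPORT = """\
SamAccountName,Enabled,LastLogonDate,MemberOf
jsmith,True,2022-02-20,Domain Users
adm.jsmith,True,2021-11-15,Domain Admins;Domain Users
adm.rlee,True,2022-02-22,Domain Admins;Domain Users
svc_sql,True,,Domain Users;SQL-Admins
old.contractor,True,2021-06-01,Domain Users
adm.disabled,False,2021-01-10,Domain Admins
"""

# Assumption: which groups count as privileged in this environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "SQL-Admins"}
STALE_AFTER = timedelta(days=60)  # threshold taken from the alert


def parse_export(text):
    """Turn the CSV export into dicts; an empty LastLogonDate means 'never logged on'."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        last = datetime.strptime(r["LastLogonDate"], "%Y-%m-%d") if r["LastLogonDate"] else None
        groups = set(filter(None, r["MemberOf"].split(";")))
        rows.append({"user": r["SamAccountName"], "enabled": r["Enabled"] == "True",
                     "last_logon": last, "groups": groups})
    return rows


def stale_accounts(rows, as_of, stale_after=STALE_AFTER):
    """Return enabled accounts that have not logged on within stale_after, privileged first."""
    findings = []
    for r in rows:
        if not r["enabled"]:
            continue  # already disabled; nothing to remove
        days = (as_of - r["last_logon"]).days if r["last_logon"] else None
        if days is None or days > stale_after.days:
            privileged = bool(r["groups"] & PRIVILEGED_GROUPS)
            findings.append({"user": r["user"], "days_since_logon": days,
                             "privileged": privileged,
                             "action": "remove admin access" if privileged else "review/remove"})
    findings.sort(key=lambda f: (not f["privileged"], f["user"]))
    return findings


def run_review(export_text=SAMPLE_EXPORT, as_of="2022-02-24"):
    """Convenience entry point: review the export as of the given date (YYYY-MM-DD)."""
    return stale_accounts(parse_export(export_text), datetime.strptime(as_of, "%Y-%m-%d"))


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['user']:16} privileged={f['privileged']!s:5} "
              f"days_since_logon={f['days_since_logon']}  -> {f['action']}")
```

One caveat when using a real export: LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which by default is only updated when it is more than 14 days old, so it can lag true activity by up to two weeks. A 60-day threshold tolerates that lag; shorter thresholds would need the non-replicated lastLogon attribute from every domain controller.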


3rd Party Vendor Vigilance

Russian state-sponsored actors have compromised third-party infrastructure and third-party software, and have developed and deployed custom malware. The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments, including cloud environments, by using legitimate credentials.

We recommend that you request a copy of your 3rd party vendor’s SSAE-16/18 SOX Attestation Report immediately, to verify which compensating controls the 3rd party provider recommends you deploy in your environment to secure access between both parties.


TECHNICAL DETAILS

Historically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics including spear phishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security to gain initial access to target networks.

Top vulnerabilities known to be exploited by Russian state-sponsored APT actors for initial access include:

  • CVE-2018-13379 FortiGate VPNs
  • CVE-2019-1653 Cisco router
  • CVE-2019-2725 Oracle WebLogic Server
  • CVE-2019-7609 Kibana
  • CVE-2019-9670 Zimbra software
  • CVE-2019-10149 Exim Simple Mail Transfer Protocol
  • CVE-2019-11510 Pulse Secure
  • CVE-2019-19781 Citrix
  • CVE-2020-0688 Microsoft Exchange
  • CVE-2020-4006 VMware (note: this was a zero-day at the time)
  • CVE-2020-5902 F5 Big-IP
  • CVE-2020-14882 Oracle WebLogic
  • CVE-2021-26855 Microsoft Exchange (Note: this vulnerability is frequently observed used in conjunction with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)


DETECTION

To detect password spray activity, review authentication logs for system and application login failures of valid accounts. Look for multiple, failed authentication attempts across multiple accounts.

To detect use of compromised credentials in combination with a VPS, look for the following indicators:

  • “Impossible logins”: a single user authenticating from two IPs that originate from geographic locations significantly distant from each other.
  • Review detection and alerting for command-line program execution indicating credential dumping, especially attempts to access or copy the ntds.dit file from a domain controller.
  • Alerting on suspicious privileged account use after passwords have been reset.
  • Identify service accounts with privileged access that they should not have, especially service accounts accessing multiple applications or services.
  • Alert on unusual activities originating from dormant accounts.
  • Detection of a single IP address used for multiple accounts.
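The password-spray, impossible-login, shared-source-IP and dormant-account indicators above, implemented as detection heuristics in Python and run over constructed sample authentication log lines. This is an added example, not code from UDT or from the original alert; the log format, the geo coordinates (which in practice would come from a GeoIP lookup on the source address), the account activity table and the thresholds are all assumptions.

```python
"""Detection heuristics for the indicators in the DETECTION section.
Added example, not part of the original alert."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample authentication log (not real data). geo=lat,lon stands in for a GeoIP lookup.
SAMPLE_LOG = """\
2022-02-24T08:00:00Z user=alice src=198.51.100.7 geo=40.71,-74.01 result=SUCCESS
2022-02-24T08:05:00Z user=bob src=203.0.113.9 geo=52.52,13.40 result=FAIL
2022-02-24T08:05:01Z user=carol src=203.0.113.9 geo=52.52,13.40 result=FAIL
2022-02-24T08:05:02Z user=dave src=203.0.113.9 geo=52.52,13.40 result=FAIL
2022-02-24T08:05:03Z user=erin src=203.0.113.9 geo=52.52,13.40 result=FAIL
2022-02-24T08:05:04Z user=frank src=203.0.113.9 geo=52.52,13.40 result=FAIL
2022-02-24T08:05:05Z user=grace src=203.0.113.9 geo=52.52,13.40 result=SUCCESS
2022-02-24T09:00:00Z user=alice src=203.0.113.9 geo=52.52,13.40 result=SUCCESS
2022-02-24T09:30:00Z user=svc_backup src=198.51.100.23 geo=40.71,-74.01 result=SUCCESS
"""

# Constructed: last known activity per account before this log window (from an IdP or AD export).
LAST_ACTIVITY = {"alice": datetime(2022, 2, 23), "grace": datetime(2022, 2, 23),
                 "svc_backup": datetime(2021, 11, 1)}


def parse_log(text):
    """Parse 'ts key=value ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        lat, lon = map(float, kv["geo"].split(","))
        events.append({"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), "user": kv["user"],
                       "src": kv["src"], "lat": lat, "lon": lon, "ok": kv["result"] == "SUCCESS"})
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """One source failing against many distinct accounts inside a sliding time window."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["src"]].append(e)
    alerts = []
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        counts, left, best = defaultdict(int), 0, 0
        for e in evs:  # sliding window over failures, counting distinct users inside it
            counts[e["user"]] += 1
            while e["ts"] - evs[left]["ts"] > window:
                counts[evs[left]["user"]] -= 1
                if counts[evs[left]["user"]] == 0:
                    del counts[evs[left]["user"]]
                left += 1
            best = max(best, len(counts))
        if best >= min_accounts:
            alerts.append((src, best))
    return alerts


def detect_shared_source(events, min_accounts=2):
    """A single IP address with successful logins for multiple accounts."""
    users = defaultdict(set)
    for e in events:
        if e["ok"]:
            users[e["src"]].add(e["user"])
    return {src: sorted(u) for src, u in users.items() if len(u) >= min_accounts}


def haversine_km(lat1, lon1, lat2, lon2):
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def detect_impossible_logins(events, max_kmh=900):
    """Consecutive successful logins for one user that would require travelling faster than max_kmh."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                alerts.append({"user": user, "km": round(km), "hours": hours,
                               "from": prev["src"], "to": cur["src"]})
    return alerts


def detect_dormant_account_use(events, last_activity, dormant_days=60):
    """Successful login by an account with no recorded activity in the last dormant_days."""
    return [(e["user"], (e["ts"] - last_activity[e["user"]]).days) for e in events
            if e["ok"] and e["user"] in last_activity
            and (e["ts"] - last_activity[e["user"]]).days > dormant_days]


def run_all(text=SAMPLE_LOG):
    ev = parse_log(text)
    return {"password_spray": detect_password_spray(ev),
            "shared_source": detect_shared_source(ev),
            "impossible_logins": detect_impossible_logins(ev),
            "dormant_account_use": detect_dormant_account_use(ev, LAST_ACTIVITY)}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

The thresholds are starting points, not tuned values: a shared corporate egress or VPN address will trip the shared-source rule, and a business that legitimately uses cloud-hosted workstations can produce impossible-login hits, so each rule should be baselined against known egress addresses and known service accounts before it pages anyone.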


INCIDENT RESPONSE

If you suspect potential APT activity in your IT networks, take the following steps:

  1. Immediately identify the perceived source of the attack and isolate affected systems.
  2. Scan backup data with an AV program to ensure it is free of malware. Try to restore the backups in a test environment first.
  3. Contact a 3rd party incident response company with significant experience conducting incident response investigations.
  4. Collect and store relevant logs, data and artifacts. Do not perform analysis on affected systems without first creating an image of them. Analysis must be done on the copy and not on the affected system itself.
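Step 4 above depends on being able to show later that the artifacts analysed are the ones collected. The following added example (Python; not code from UDT or the original alert) hashes each collected artifact into a manifest and re-verifies it, so any analysis performed on an original rather than a copy shows up as a hash mismatch. The manifest layout, the case identifier placeholder and the temporary sample files are constructed assumptions.

```python
"""Evidence manifest: record SHA-256 of every collected artifact, then verify later.
Added example, not part of the original alert."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file in 1 MiB chunks so large images and log archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collector, case_id):
    """Manifest layout is an assumption; any format that records path, size and hash works."""
    return {"case_id": case_id, "collector": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "artifacts": [{"path": os.path.abspath(p), "size": os.path.getsize(p),
                           "sha256": sha256_file(p)} for p in sorted(paths)]}


def verify_manifest(manifest):
    """Return (path, status) pairs; status is 'ok', 'modified' or 'missing'."""
    results = []
    for a in manifest["artifacts"]:
        if not os.path.exists(a["path"]):
            results.append((a["path"], "missing"))
        elif sha256_file(a["path"]) != a["sha256"]:
            results.append((a["path"], "modified"))
        else:
            results.append((a["path"], "ok"))
    return results


def demo():
    """Constructed artifacts in a temp dir: build and save the manifest, then simulate
    someone touching an original instead of a copy, and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "security-events.txt")
        cfg = os.path.join(d, "firewall-config.txt")
        with open(log, "w") as f:
            f.write("constructed sample log export\n")
        with open(cfg, "w") as f:
            f.write("constructed sample firewall config\n")
        manifest = build_manifest([log, cfg], collector="analyst-1", case_id="CASE-PLACEHOLDER")
        manifest_path = os.path.join(d, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(manifest, f, indent=2)
        with open(manifest_path) as f:
            loaded = json.load(f)
        before = [status for _, status in verify_manifest(loaded)]
        with open(cfg, "a") as f:  # the mistake step 4 warns about: editing the original
            f.write("changed during analysis\n")
        after = [status for _, status in verify_manifest(loaded)]
        return before, after


if __name__ == "__main__":
    print(demo())
```

In practice the manifest itself should be stored somewhere the affected systems cannot reach (the same offline location as the backups in the reviews above), and the hashes should be recorded by the person collecting the evidence before any copy is handed to an analyst or a 3rd party responder.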


Experiencing a security breach?

Get immediate assistance from our security operations center! Take the following recommended actions NOW while we get on the case:

RECOMMENDED IMMEDIATE NEXT ACTIONS

  1. Determine which systems were impacted and immediately isolate them. Take the network offline at the switch level or physically unplug the systems from the wired or wireless network.
  2. Immediately take backups offline to preserve them. Scan backups with anti-virus and anti-malware tools to ensure they’re not infected.
  3. Initiate an immediate password reset on affected user accounts with new passwords that are no less than 14 characters in length. Do this for Senior Management accounts as well.
