CYE News

Russian Cyber Attacks: Analysis and Recommendations [Updated 22.5]

March 30, 2022


22.05 Update

Background

The following document is the sixth CYE has published regarding the cyber aspects of the Russian-Ukrainian war, which started on February 24th, 2022.

The purpose of this document is to present CYE’s analysis of the geo-cyber situation, provide you with IOCs we found relevant to implement in your systems, and offer recommendations for strengthening your networks according to the attackers’ TTPs.

CYE continues to monitor and analyze Russian cyber activities in the war with Ukraine. It is our understanding that the war will not end soon. Our findings and analysis are that Russia continues its cyberattacks on Ukrainian targets even more strongly than in the first two months of the war. At this point, it appears that the main Russian cyber effort is focused on supporting the war in Ukraine, after what seems to be a miscalculation of the losses it would sustain. At the same time, it is crucial to note that the West, led by the US authorities, continues to alert and prepare the business sector (mainly critical infrastructure and finance) for possible Russian aggression in the cyber domain. There is no evidence that attacks of this nature happened in the last three months.

At this point, there is not much room for escalation in terms of sanctions against Russia. The U.S. and European countries appear to have decided on a shift in strategy in responding to Russia: instead of threats of war, the West is constantly providing Ukraine with the means to fight Russia in both the kinetic and cyber domains, through intelligence and cyber support, so that Russia loses as many assets in the field as possible. That being said, the Russians are enacting sanctions of their own by cutting relations and stopping the supply of gas to certain countries in Europe.

This, along with significant preparation in the West, might be the reason why we have not seen attacks aimed at critical infrastructure and financial entities. In addition, the coming year will be full of talks about increased military expenditure and more European countries pressing to join NATO. The latter will surely trigger responses from Russia in the form of cyber-attacks.

Strategic Geo-Cyber situation

[Figure: timeline of the Russian cyber threat as the war in Ukraine advances]

Tension between the US and Russia has been high since the beginning of the war and continues to rise as more sanctions are imposed. We have assessed that the tension and sanctions will continue to grow to a point where Russia decides to retaliate through significant cyber-attacks against American and western targets. This has not happened so far, at least not in the form of aggressive CNA or CNI attacks.

During the last month and a half, the US and western authorities published several alerts regarding possible Russian cyberattacks on western critical infrastructure companies, mainly from the energy and financial sectors. These alerts, as we reported in earlier posts, concerned different Russian capabilities, mainly ransomware attacks. However, it is important to note that the US also published general alerts aimed at those sectors, not only ransomware alerts.

One of the highest risks comes from the RaaS (Ransomware-as-a-Service) groups, which might attack on behalf of Russia in order to give the Russians more deniability options. Several RaaS groups are important to note: Conti, LockBit, AvosLocker, REvil, and BlackBasta.

Another important risk to take into consideration is the Russian threat against executives from western countries and companies. We have already seen the Russian government threatening to take measures against companies and their executives. This is an evolving threat that we assess is one of Putin’s easiest retaliation steps to take in the near future (we refer you to an article written by our Head of Projects and Executive Solutions at https://www.ibtimes.com/when-it-comes-executive-security-cyber-physical-realms-must-merge-3449234).

Recommendations

In line with our assessments, we remind you of our latest recommendations:

General recommendations:

  • Put your SOC on high alert.
  • Prepare your IR teams for fast response in case of an incident.

Vulnerabilities and IOCs:

  • Make sure multi-factor authentication (MFA) is enabled on the remote access interfaces and administration interfaces.
  • Review all authentication activity for remote access infrastructure. Identify and disable accounts with single-factor authentication.
  • Review your IDP (identity provider) for dormant accounts and disable them. Should your external interfaces use a separate IDP (such as local users on a VPN interface), make sure to review them as well.
  • Monitor your incoming connections for suspicious activity, e.g., accounts authenticating without an MFA requirement, password brute-force attacks, or unusual IP locations.
  • Run a vulnerability scan on your internet-facing devices and critical infrastructure. Identify vulnerable entities and take action to patch them ASAP.
  • Verify your critical systems are backed up. Make sure your backups are detached from your networks or are saved in an offline manner. If possible, perform a restore operation to verify the backup system is in order.
  • Use the attached indicators of compromise (IOC) to investigate whether they exist in your environment. If found, address it immediately.
  • Verify that your email protection features are enabled, and policies are in “block” mode.
  • Verify your EDR / XDR solution is deployed throughout the network, specifically on your internet-facing entities and critical servers. Make sure it is updated with the latest Yara rules and signatures.
  • On a Windows environment, enable the Controlled Folder Access (CFA) feature in Microsoft Defender for Endpoint to prevent MBR/VBR modification.
  • Confirm your monitoring capabilities are operational. Verify critical assets are monitored and privileged users receive specific monitoring rules.

Websites:

  1. Make sure your sites’ infrastructure is up to date with the latest patches. If you’re using WordPress, make sure plugins and themes are updated as well.
  2. After you’re done updating, scan your site for vulnerabilities to verify nothing was missed.
  3. Make sure your WAF service/appliance is updated with the latest signatures. If possible, enable geo-location and restrict traffic to valid locations.
  4. Verify your sites’ backup. If need be, back up your site ASAP and keep it in a secure location.
  5. Verify your anti-DDoS configuration. Make sure your site is under protection.
  6. Monitor your sites for suspicious behavior. Instruct your analysts to be on high alert.
  7. We recommend conducting proactive threat hunting activities to find malicious activity on the website/web servers.


30.03 Update

Background

The following document is the fifth to be published by CYE regarding the cyber aspects of the Russian-Ukrainian war which started on February 24th.

The purpose of this document is to present CYE’s analysis of the geo-cyber situation, provide you with IOCs we found relevant to implement in your systems, and offer recommendations for strengthening your networks according to the attackers’ TTPs.

CYE’s team continues to monitor and analyze Russian cyber activities in the war with Ukraine. Our understanding and findings at this point are that Russia continues its cyberattacks on Ukrainian targets. At the same time, it seems that Russia is preparing to execute more significant cyberattacks on the US and the west.

In addition to what we have seen and published up until today, in the last few days we noticed that many in the US cyber community, including the Biden administration, are focused on sending high-priority alerts to US critical infrastructure companies about possible Russian cyberattacks which might occur soon. In addition, there is a specific alert on a ransomware group called “AvosLocker”.

Strategic Geo-Cyber situation

[Figure: timeline of the Russian cyber threat as the war in Ukraine advances]

The tension between the US and Russia has been on the rise since the beginning of the war. We have assessed that as the tension continues to grow, Russia’s retaliation mechanism would be in the form of significant cyber-attacks against American and western targets. In a dangerous turn of events, this might even lead to the activation of “red buttons” in critical infrastructure that Russia put in place years prior (see “U.S. Accuses 4 Russians of Hacking Infrastructure, Including Nuclear Plant,” The New York Times).

Also, Russia might decide to follow through and act against the executives of companies upholding international sanctions or commencing boycotts. CYE’s Head of Projects and Executive Solutions explained the motives and potential threats thoroughly in a briefing on the matter (“When It Comes To Executive Security, The Cyber And Physical Realms Must Merge,” IBTimes).

During the last week, the US authorities published several alerts regarding possible Russian cyberattacks on American critical national infrastructure companies, mainly from the energy and financial sectors. One of the alerts even mentioned that Russian hackers conducted a reconnaissance operation against a few companies in the US, using scanning tools against the companies’ websites. This activity might be a preparatory step toward attacking these companies (the names of the companies were not published).

In addition, the FBI published an alert regarding a Ransomware-as-a-Service group called AvosLocker. This is an independent group with no attribution. However, as seen before (and published by CYE on March 9th), independent groups might join forces with Russia to execute attacks against the west. Besides extending Russia’s capabilities, this gives Russia a large degree of deniability if such attacks happen.

Known Russian IOCs relevant to AvosLocker

(See the full FBI alert for further details.)

The following IOCs are in addition to the IOCs sent on February 26th, March 9th, March 14th, and March 21st.

Encryption and the ransom demand

AvosLocker ransomware creates a mutex object for use as an infection marker to avoid infecting a system twice. Before encryption, the ransomware maps accessible drives and enumerates files in directories. It then encrypts files while creating a ransom note named “GET_YOUR_FILES_BACK.txt” in every directory. Some of the encrypted files might have the file extension “.avos”, “.avos2”, or “AvosLinux”. The “GET_YOUR_FILES_BACK.txt” file directs victims to an onion site accessible via the Tor Browser, where the victim is prompted to enter an ID provided in the ransom note.

Note: It is essential to look for the ransom note and the listed file extensions (“.avos”, “.avos2”, or “AvosLinux”) as an indication that a server was encrypted, and to monitor for the appearance of these files as an early sign that you might be under a ransomware attack.

Affiliation

Persistence mechanisms on the victim’s infected computer/server include the modification of Windows Registry ‘Run’ keys and the use of scheduled tasks.

Additional tools associated with AvosLocker ransomware attacks:

  • Cobalt Strike
  • Encoded PowerShell scripts
  • PuTTY Secure Copy client tool “pscp.exe”
  • Rclone
  • AnyDesk
  • Scanner
  • Advanced IP Scanner
  • WinLister

Vulnerabilities

Microsoft Exchange Server vulnerabilities might be one of the likely intrusion vectors. There were some reports regarding the use of specific vulnerabilities, such as CVE-2021-31207 (Microsoft Exchange Server Security Feature Bypass Vulnerability), CVE-2021-34523 (Microsoft Exchange Server Elevation of Privilege Vulnerability), CVE-2021-34473 (Microsoft Exchange Server Remote Code Execution Vulnerability), and CVE-2021-26855 (Microsoft Exchange Server Remote Code Execution Vulnerability).

Recommendations

In line with our assessments, we remind you of our latest recommendations:

General recommendations:

  • Put your SOC on high alert.
  • Prepare your IR teams for fast response in case of an incident.

Vulnerabilities and IOCs:

  • Make sure multi-factor authentication (MFA) is enabled on the remote access interfaces and administration interfaces.
  • Review all authentication activity for remote access infrastructure. Identify and disable accounts with single-factor authentication.
  • Review your IdP (identity provider) for dormant accounts and disable them. Should your external interfaces use a separate IdP (such as local users on a VPN interface), make sure to review them as well.
  • Consider changing your privileged users’ passwords. Review your IdP for recently added privileged users and verify they are legitimate.
  • Monitor your incoming connections for suspicious activity, e.g., accounts authenticating without an MFA requirement, password brute-force attacks, or unusual IP locations.
  • Run a vulnerability scan on your internet-facing devices and critical infrastructure. Identify vulnerable entities and take action to patch them ASAP.
  • Verify your critical systems & data are backed up. Make sure your backups are detached from your networks (i.e., storage device, cloud location) or are saved in an offline manner. If possible, perform a restore operation to verify the backup system is in order.
  • Use the attached indicators of compromise (IOC) to investigate whether they exist in your environment. If found, address it immediately.
  • Verify your email protection features are enabled, and policies are in “block” mode.
  • Verify your EDR / XDR solution and AV are deployed throughout the network, specifically on your internet-facing entities and critical servers. Make sure they are updated with the latest Yara rules and signatures.
  • On a Windows environment, enable the Controlled Folder Access (CFA) feature in Microsoft Defender for Endpoint to prevent MBR/VBR modification.
  • Confirm your monitoring capabilities are operational. Verify critical assets are monitored and privileged users receive specific monitoring rules.

Websites:

  1. Make sure your sites’ infrastructure is up to date with the latest patches. If you’re using WordPress, make sure plugins and themes are updated as well.
  2. After you’re done updating, scan your site for vulnerabilities to verify nothing was missed.
  3. Make sure your WAF service/appliance is updated with the latest signatures. If possible, enable geo-location and restrict traffic to valid locations.
  4. Verify your sites’ backup. If need be, back up your site ASAP and keep it in a secure location.
  5. Verify your anti-DDoS configuration. Make sure your site is under protection.
  6. Monitor your sites for suspicious behavior. Instruct your analysts to be on high alert.
  7. We recommend conducting proactive threat hunting activities to find malicious activity on the website/web servers.


21.03 Update

Background

The following document is the fourth to be published by CYE regarding the cyber aspects of the Russian-Ukrainian war which started on February 24th.

The purpose of this document is to present CYE’s analysis of the geo-cyber situation and provide you with IOCs we found to be relevant to implement in your systems as well as provide you with recommendations for strengthening your networks according to the TTPs of the attackers.

CYE’s teams continue to monitor and analyze Russian cyber activities in the war with Ukraine. Our understanding and findings at this point are that Russia is applying some of its cyberattack capabilities against Ukrainian targets.

In addition to what we have seen and published up till today, in the last few days, we noticed that the Russian attacks are focused on the following vector:

  • The exploitation of default MFA protocols and a known vulnerability called “PrintNightmare” (CVE-2021-34527)

Strategic Geo-Cyber situation

[Figure: timeline of the Russian cyber threat as the war in Ukraine advances]

At the beginning of the war, we assessed that Russia might conduct CNI attacks against western targets, mainly in the form of website defacements. Our understanding at this stage is that Russia has conducted and still conducts CNI attacks against western targets using ransomware. However, we have not seen full-capability cyber-attacks by Russia at this point. We assess that most of Russia’s offensive cyber capabilities are focused on supporting the kinetic war, hence attacking Ukrainian targets to gain military achievements.

Still, due to the rising tensions between the West, mainly the US, and Russia, our assessment is that as the war continues, these tensions will be translated into Russian cyber-attacks against western targets with CNA purposes, based on possible “red buttons” that Russian hackers have around the world.

Currently, we see Russian APTs exploiting a Windows vulnerability even though it was published and patched last July:

  • Russian APTs have gained access to different networks by exploiting default MFA protocols and the PrintNightmare vulnerability. These attacks started in May 2021, targeting mainly NGOs around the world. The vulnerability is a critical Windows Print Spooler vulnerability (CVE-2021-34527) that allows running arbitrary code with system privileges. In one case, the Russian attack targeted an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration. (Please see CISA’s full warning.)

Known Russian IOCs relevant to these attacks

The following IOCs are in addition to the IOCs sent on February 26th, March 9th, and March 14th.

Processes

  • Ping[.]exe – frequently used by actors for network discovery.
  • Regedit[.]exe – A standard Windows executable file that opens the built-in registry editor.
  • Rar[.]exe – A data compression, encryption, and archiving tool.
  • Ntdsutil[.]exe – It is possible this tool was used to enumerate Active Directory user accounts.
  • In addition, actors modified the c:\windows\system32\drivers\etc\hosts file to prevent communication with the Duo MFA server: 0.0.1 api-<redacted>.duosecurity.com
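The hosts-file tampering above is easy to check for on a host. The script below is an added example written for this page, not CYE’s or CISA’s material; it only knows the duosecurity.com domain named on the page, and the Duo hostname in the sample hosts file is constructed.

```python
"""Check a Windows hosts file for entries that override an MFA provider's API host.

The 21.03 update notes that actors edited c:\\windows\\system32\\drivers\\etc\\hosts
so the Duo API hostname no longer reached Duo. Any hosts entry for an MFA domain is
worth an alert; one pointing at loopback or 0.0.0.0 is the pattern described above.
"""
import ipaddress

# MFA provider domains to watch. duosecurity.com is the one named on the page;
# extend this tuple for other providers used in your environment.
MFA_DOMAINS = ("duosecurity.com",)

# Constructed sample hosts file; the Duo hostname is made up for this example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
192.168.10.5        fileserver.corp.example
127.0.0.1           api-aaaa1111.duosecurity.com   # constructed override entry
"""


def parse_hosts(text):
    """Yield (address, [hostnames]) for each active (non-comment) hosts line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments and blanks
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], parts[1:]


def is_blackholed(address):
    """True if the address sends traffic nowhere useful (loopback or unspecified)."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False  # malformed address; the caller still reports the entry
    return addr.is_loopback or addr.is_unspecified


def matches_mfa_domain(hostname, domains=MFA_DOMAINS):
    """True if hostname is one of the MFA domains or a subdomain of one."""
    name = hostname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def find_mfa_overrides(text, domains=MFA_DOMAINS):
    """Return every hosts entry that pins an MFA hostname to a fixed address."""
    findings = []
    for address, names in parse_hosts(text):
        for name in names:
            if matches_mfa_domain(name, domains):
                findings.append({
                    "host": name,
                    "address": address,
                    "blackholed": is_blackholed(address),
                })
    return findings


def check_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Read a real hosts file and return its MFA override findings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_mfa_overrides(fh.read())


if __name__ == "__main__":
    for f in find_mfa_overrides(SAMPLE_HOSTS):
        severity = "HIGH" if f["blackholed"] else "REVIEW"
        print(f"[{severity}] {f['host']} -> {f['address']}")
```

Run `check_hosts_file()` on an endpoint to inspect the live file; any finding at all deserves a look, since nothing legitimate should pin an MFA provider in the hosts file.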

IPs

  • 45.32.137[.]94
  • 191.96.121[.]162
  • 173.239.198[.]46
  • 157.230.81[.]39

Recommendations

In line with our assessments, we remind you of our latest recommendations:

General recommendations:

  • Put your SOC on high alert.
  • Prepare your IR teams for fast response in case of an incident.

Vulnerabilities and IOCs:

  • Make sure multi-factor authentication (MFA) is enabled on the remote access interfaces and administration interfaces.
  • Review all authentication activity for remote access infrastructure. Identify and disable accounts with single-factor authentication.
  • Review your IDP (identity provider) for dormant accounts and disable them. Should your external interfaces use a separate IDP (such as local users on a VPN interface), make sure to review them as well.
  • Monitor your incoming connections for suspicious activity, e.g., accounts authenticating without an MFA requirement, password brute-force attacks, or unusual IP locations.
  • Run a vulnerability scan on your internet-facing devices and critical infrastructure. Identify vulnerable entities and take action to patch them ASAP.
  • Verify your critical systems are backed up. Make sure your backups are detached from your networks or are saved in an offline manner. If possible, perform a restore operation to verify the backup system is in order.
  • Use the attached indicators of compromise (IOC) to investigate whether they exist in your environment. If found, address it immediately.
  • Verify your email protection features are enabled, and policies are in “block” mode.
  • Verify your EDR / XDR solution is deployed throughout the network specifically on your internet-facing entities and critical servers. Make sure it is updated with the latest Yara rules and signatures.
  • On a Windows environment, enable the Controlled Folder Access (CFA) feature in Microsoft Defender for Endpoint to prevent MBR/VBR modification.
  • Confirm your monitoring capabilities are operational. Verify critical assets are monitored and privileged users receive specific monitoring rules.

Websites:

  1. Make sure your sites’ infrastructure is up to date with the latest patches. If you’re using WordPress, make sure plugins and themes are updated as well.
  2. After you’re done updating, scan your site for vulnerabilities to verify nothing was missed.
  3. Make sure your WAF service/appliance is updated with the latest signatures. If possible, enable geo-location and restrict traffic to valid locations.
  4. Verify your sites’ backup. If need be, back up your site ASAP and keep it in a secure location.
  5. Verify your anti-DDoS configuration. Make sure your site is under protection.
  6. Monitor your sites for suspicious behavior. Instruct your analysts to be on high alert.
  7. We recommend conducting proactive threat hunting activities to find malicious activity on the website/web servers.


16.03 Update

Background

The following is the third document published by CYE’s team regarding the cybersecurity state of affairs relating to the Russian-Ukrainian war which started on February 24th.

The purpose of this document is to present CYE’s analysis of the geo-cyber situation, provide you with IOCs we found relevant to implement in your systems, and offer recommendations for strengthening your networks according to the attackers’ TTPs.

CYE’s teams continue to monitor and analyze Russian cyber activities in the war with Ukraine. Our understanding and findings at this point are that Russia is applying some of its cyberattack capabilities against Ukrainian targets.

In addition to what we have seen and published up till today, in the last few days, we noticed that the Russian attacks are focused on two main vectors:

  • Phishing emails against Ukrainian targets
  • RagnarLocker Ransomware against western targets

We also assess that in the near future we might see cyber campaigns against the executives of companies that either complied with international sanctions or have taken a stand of their own against Russia. This has implications for the threat assessment and preparation that organizations should undertake.

Strategic Geo-Cyber situation

As the Russia – Ukraine war continues, Russian cyber warfare is still keeping a “low profile” outside Ukraine. Lately, however, we have seen the first indications of Russian cyber activity against the west in the form of a ransomware called “RagnarLocker.” At the same time, we expect Russian cyberattacks against western targets to increase. Since Russia is not interested in war with the west, we assess that cyber-attacks against western entities will be Russia’s strategy to retaliate against sanctions, support for Ukraine, and other anti-Russia activities.

Currently, we are seeing Russian cyber activities in two additional vectors:

  • Phishing emails against Ukrainian targets
  • RagnarLocker Ransomware against western targets – The FBI first became aware of RagnarLocker in April 2020. As of the last few weeks, the FBI has identified (since January 2022) around 50 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors. RagnarLocker is identified by the extension “.RGNR_” followed by a hash of the computer’s NETBIOS name. The actors, identifying themselves as “RAGNAR_LOCKER,” leave a .txt ransom note with instructions on how to pay the ransom and decrypt the data. RagnarLocker uses VMProtect, UPX, and custom packing algorithms and deploys within an attacker’s custom Windows XP virtual machine on a target’s site. RagnarLocker uses the Windows API GetLocaleInfoW to identify the location of the infected machine. (See the full FBI report regarding this ransomware for details.)
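The file-name artifacts are the quickest on-disk sign of both families discussed on this page: the AvosLocker note and extensions from the 30.03 update, and the RagnarLocker “.RGNR_” suffix above. The scanner below is an added example written for this page, not CYE’s or the FBI’s code; it assumes “AvosLinux” appears as a file suffix and accepts any hex run after “RGNR_” since the hash length is not stated, and the sample paths are constructed.

```python
"""Flag on-disk ransomware artifacts described on this page.

AvosLocker drops GET_YOUR_FILES_BACK.txt in every directory it touches and renames
encrypted files with .avos, .avos2 or AvosLinux; RagnarLocker appends .RGNR_<hash>.
"""
import os
import re
from collections import Counter

AVOS_NOTE = "get_your_files_back.txt"
# The page lists "AvosLinux" without a leading dot; assumed here to appear as a suffix.
AVOS_EXTENSIONS = (".avos", ".avos2", ".avoslinux")
# The hash length is not stated on the page, so any hex run after RGNR_ is accepted (assumption).
RGNR_RE = re.compile(r"\.RGNR_[0-9A-Fa-f]+$")

# Constructed sample listing mixing Windows and POSIX paths.
SAMPLE_PATHS = [
    r"D:\finance\Q1\report.xlsx.avos2",
    r"D:\finance\Q1\GET_YOUR_FILES_BACK.txt",
    r"D:\finance\Q1\budget.docx",
    "/srv/share/backup.tar.avoslinux",
    r"D:\hr\payroll.pdf.RGNR_9A3F2B1C",
    r"D:\hr\notes.txt",
]


def split_path(path):
    """Split on either separator so Windows paths parse on any platform."""
    name = re.split(r"[\\/]", path)[-1]
    return path[: len(path) - len(name)].rstrip("\\/"), name


def classify(path):
    """Return (family, kind) when a path matches one of the indicators, else None."""
    _, name = split_path(path)
    lower = name.lower()
    if lower == AVOS_NOTE:
        return ("AvosLocker", "ransom_note")
    if lower.endswith(AVOS_EXTENSIONS):
        return ("AvosLocker", "encrypted_file")
    if RGNR_RE.search(name):
        return ("RagnarLocker", "encrypted_file")
    return None


def summarize(paths):
    """Count hits per (family, kind) and collect directories holding an AvosLocker note."""
    counts = Counter()
    note_dirs = set()
    for path in paths:
        hit = classify(path)
        if hit is None:
            continue
        counts[hit] += 1
        if hit[1] == "ransom_note":
            note_dirs.add(split_path(path)[0])
    return counts, sorted(note_dirs)


def scan_tree(root):
    """Walk a directory tree and summarize the artifacts found beneath it."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return summarize(paths)


if __name__ == "__main__":
    counts, dirs = summarize(SAMPLE_PATHS)
    for (family, kind), n in sorted(counts.items()):
        print(f"{family:12s} {kind:15s} {n}")
    print("directories with a ransom note:", dirs)
```

Point `scan_tree()` at a file share or a mounted disk image to get the same summary for real data; a rising count of encrypted-file hits over successive runs is the “appearance of these files” signal the 30.03 note asks you to watch for.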

Since the US and UK imposed sanctions on the Russian oil and gas market, we assess that companies relevant to these domains might be potential targets of Russian hackers.

Known Russian IOCs

The following IOCs are related to tools and attacks conducted by Russian cyber attackers and are in addition to the IOCs sent on February 26th and March 9th.

RagnarLocker

IPs


Phishing emails

Domain names


MD5

  • 7b2f41b57b9ab4151eb37ed69db9fdf8

SHA-256

  • 8a7fbafe9f3395272548e5aadeb1af07baeb65d7859e7a1560f580455d7b1fac

SHA-1

  • 2f46a7ed5d7a303c0f25d5e4a18bcbf01ce9af26

Recommendations

In line with our assessments, we remind you of our latest recommendations. We are available for any type of consultation our customers need. Please let us know if you have further questions.

General recommendations:

  • Raise employee awareness of phishing campaigns and possible attack surfaces.
  • Put your SOC on high alert and reevaluate the defense perimeter.
  • Prepare your IR teams for fast response in case of an incident.
  • Map out the members of the executive team who might be high-value targets for CNA, CNE and CNI attacks.
  • Analyze and assess the high value assets of the organization and reassess the cyber defense put in place for them including digital services such as email, social networking, cell phone, and pc.

Vulnerabilities and IOCs:

  • Run a vulnerability scan on your internet-facing devices and critical infrastructure. Identify vulnerable entities and take action to patch them ASAP.
  • Verify your critical systems are backed up. Make sure your backups are detached from your networks or are saved in an offline manner. If possible, perform a restore operation in order to verify the backup system is in order.
  • Use the attached indicators of compromise (IOC) to investigate whether they exist in your environment. If found, address it immediately.
  • Review all authentication activity for remote access infrastructure and look for suspicious abnormalities. Identify and disable accounts with single-factor authentication.
  • Make sure multi-factor authentication (MFA) is enabled on the remote access interfaces and administrative interfaces.
  • Verify that your email protection features are enabled, and policies are in “block” mode.
  • Verify your EDR / XDR solution is deployed throughout the network, especially on your internet-facing entities and critical servers. Make sure it is updated with the latest Yara rules and signatures.
  • On a Windows environment, enable the Controlled Folder Access (CFA) feature in Microsoft Defender for Endpoint to prevent MBR/VBR modification.
  • Confirm your monitoring capabilities are operational. Verify critical assets are monitored and privileged users receive specific monitoring rules.
  • Make your employees aware of the current risks and phishing attempts.

Websites:

  1. Make sure your sites’ infrastructure is up to date with the latest patches. If you’re using WordPress, make sure plugins and themes are updated as well.
  2. After you’re done updating, scan your site for vulnerabilities to verify nothing was missed.
  3. Make sure your WAF service/appliance is updated with the latest signatures. If possible, enable geo-location and restrict traffic to valid locations.
  4. Verify your sites’ backup. If need be, back up your site ASAP and keep it in a secure location.
  5. Verify your anti-DDoS configuration. Make sure your site is under protection.
  6. Monitor your sites for suspicious behavior. Instruct your analysts to be on high alert.
  7. We recommend conducting proactive threat hunting activities in order to find malicious activity on the website/web servers.


09.03 Update

Background

The purpose of this document is to present CYE’s analysis of the geo-cyber situation and provide you with relevant IOCs to implement in your systems. This document also serves to provide you with recommendations for strengthening your networks according to the TTPs of the attackers.

We will continue to update this document as new developments that are relevant to your cyber security are exposed.

CYE’s teams continue to monitor and analyze Russian cyber activities in the war with Ukraine. Our understanding and findings at this point are that Russia is applying some of its cyberattack capabilities against Ukrainian targets.

Thus far, the Russian cyberattacks have focused on several tactics:

  • Wiper malware – In addition to “WhisperGate” and “HermeticWiper”, we have also seen a new malware called Cyclops Blink with which the attacks have been conducted. According to the US and UK authorities, this new malware is attributed to the Sandworm threat actor [which is linked to Russia’s Main Intelligence Directorate (GRU)].
  • DDoS attacks on Ukrainian websites.
  • Ukrainian website cloning to spread the malware.
  • The ransomware-as-a-service group CONTI is acting pro-Russia.

Strategic Geo-Cyber situation

As Russia continues its military campaign against Ukraine, cyber warfare against targets outside of Ukraine is expected to grow. Our assessment is that since Russia is not interested in war with the West, cyber-attacks against Western entities will be its way to retaliate for sanctions, support for Ukraine, and more anti-Russia activities.

We are currently seeing Russian cyber activities in the following areas:

  • Wiper malware – As mentioned above, we have seen the use of “WhisperGate”, “HermeticWiper”, and Cyclops Blink. This malware is sophisticated and modular with basic core functionality. It ultimately enables the device to beacon information back to a server, allowing the attacker to download and execute files as desired. In doing this it also extends the attackers’ freedom of movement, as they are able to attack the software while the malware is running. This allows Sandworm to implement additional capability as required. (Please see the US CISA alert on this issue for more information – https://www.cisa.gov/uscert/ncas/alerts/aa22-054a.)
  • A large number of DDoS attacks against numerous Ukrainian websites, including military, government, and banking sites.
  • Website cloning to spread the malware. This is a very effective tool used by Russian attackers.
  • The RaaS group CONTI is pro-Russia. This well-known and notorious group appears to be a replacement for the Ryuk group. The group works for financial gain and provides services to anyone who pays. In the last few days, we saw that the group is acting for Russian purposes (a full explanation regarding this group can be found in TrendMicro’s document).

Following all of the preceding factors, we assess that Russian hackers might execute attacks against Western companies, with a specific focus on those related to governments that have imposed or will impose sanctions on Russia. At this stage, these attacks will probably focus on the defacement of websites, phishing campaigns, and possibly targeted attacks on executives. We do not assess that CNA (computer network attack) operations will be conducted against Western companies at this point; however, as the war situation progresses, we note that more aggressive attacks against the West, including attacks on infrastructures such as gas, energy, and oil, may occur.

Known Russian IOCs

The following IOCs are related to tools and attacks conducted by Russian cyber attackers and are in addition to the IOCs sent on February 26th.

Conti SHA-256


Conti Hashes


Decoy ransomware Hash

f32d791ec9e6385a91b45942c230f52aff1626df

C&C servers of the malware

Payload URL –

  • hxxp://<IP address of deep.deserts.coagula[.]online>/barefooted.cfg<Current Time + 1 second> (e.g. hxxp://10.172.0[.]3/barefooted.cfg2022/02/03%2020:49:31)

Recommendations

In line with our assessments, we recommend you take the following actions:

General recommendations:

  • Employee awareness for phishing campaigns and possible attack surfaces.
  • High alert of the SOC.
  • Preparation of IR teams for fast response in case of an incident.

Vulnerabilities and IOCs:

  • Run a vulnerability scan on your internet-facing devices and critical infrastructure. Identify vulnerable entities and take action to patch them ASAP.
  • Verify that your critical systems are backed up. Ensure that your backups are detached from your networks or are saved offline. (If possible, perform a restore operation in order to verify that the backup system is in order.)
  • Use the attached indicators of compromise (IOC) to investigate whether they exist in your environment. If found, address it immediately.
  • Review all authentication activity for remote access infrastructure and look for suspicious abnormalities. Identify and disable accounts with single-factor authentication.
  • Make sure multi-factor authentication (MFA) is enabled on the remote access interfaces and administration interfaces.
  • Verify your email protection features are enabled, and policies are in “block” mode.
  • Verify your EDR / XDR solution is deployed throughout the network specifically on your internet-facing entities and critical servers. Make sure it is updated with the latest Yara rules and signatures.
  • On a Windows environment, enable the Controlled Folder Access (CFA) feature in Microsoft Defender for Endpoint to prevent MBR/VBR modification.
  • Confirm your monitoring capabilities are operational. Verify critical assets are monitored and privileged users receive specific monitoring rules.
  • Make your employees aware of the current risks and phishing attempts.
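The IOC sweep recommended above, as an added example that is not CYE's own tooling: it hashes every file once with the three algorithms this advisory's lists mix (MD5, SHA-1, SHA-256), normalises a pasted bullet list regardless of case, and reports which file matched which indicator. The sample files and the first listed hash are constructed; the last hash is the Katana SHA-1 published in this advisory.

```python
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")

def hash_file(path):
    """MD5, SHA-1 and SHA-256 of one file in a single read (advisories mix all three)."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def load_iocs(lines):
    """Normalise a pasted hash list: drop bullets and whitespace, lower-case,
    and keep only hex tokens of MD5/SHA-1/SHA-256 length."""
    iocs = set()
    for line in lines:
        token = line.strip().lstrip("•-* ").strip().lower()
        if len(token) in (32, 40, 64) and set(token) <= HEX:
            iocs.add(token)
    return iocs

def sweep(root, iocs):
    """Walk root; return {path: (algorithm, digest)} for each file matching an IOC."""
    matches = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            for algo, digest in hash_file(path).items():
                if digest in iocs:
                    matches[path] = (algo, digest)
                    break
    return matches

def demo():
    """Constructed sample: a 'bad' file whose SHA-1 is put on the list upper-cased
    (as the advisory prints the HermeticWiper hashes), a clean file, and one
    real Katana SHA-1 from the advisory that matches nothing on disk."""
    root = tempfile.mkdtemp()
    bad = os.path.join(root, "stage1.exe")
    with open(bad, "wb") as fh:
        fh.write(b"constructed sample content, not real malware")
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"clean file")
    listing = ["  • " + hash_file(bad)["sha1"].upper(), "  • not-a-hash",
               "  • 7504ac78e531762756e8ca8e94adc71fa2179104"]
    return sweep(root, load_iocs(listing)), bad
```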

Websites:

  1. Make sure your sites’ infrastructure is up to date with the latest patches. If you’re using WordPress, make sure plugins and themes are updated as well.
  2. After you’re done updating, scan your site for vulnerabilities to verify nothing was missed.
  3. Make sure your WAF service/appliance is updated with the latest signatures. If possible, enable geo-location and restrict traffic to valid locations.
  4. Verify your sites’ backup. If need be, backup your site ASAP and keep it in a secure location.
  5. Verify your Anti-DDOS configuration. Make sure your site is under protection.
  6. Monitor your sites for suspicious behavior. Instruct your analysts to be on high alert.
  7. We recommend conducting proactive threat hunting activities in order to find malicious activity on the website/web servers.

 

25.02 Update

Background

CYE’s teams have been monitoring and analyzing Russian cyber activities in the war with Ukraine for three weeks. As part of it, we understand that there is a possibility that companies outside of the direct conflict will suffer from Russian cyberattacks, for different reasons.

As part of our readiness process, we would like to provide you with some updated IOCs of known Russian tools. We highly recommend that you implement active monitoring of these IOCs in your networks.

Known Russian IOCs

The following IOCs are related to tools and attacks conducted by the Russian APTs during the last two weeks.

Files used after the DDOS attack “Katana” on a Windows file system

  • 978672b911f0b1e529c9cf0bca824d3d3908606d0545a5ebbeb6c4726489a2ed (SHA-256)
  • 82c426d9b8843f279ab9d5d2613ae874d0c359c483658d01e92cc5ac68f6ebcf (SHA-256)
  • 7504ac78e531762756e8ca8e94adc71fa2179104 (SHA-1)
  • db8cc8adc726c3567b639c84ecf41aa5 (MD5)

Master Boot Record (MBR) wiper, destructive malware for Windows systems

(See Microsoft Warns of Destructive Malware Targeting Ukrainian Organizations | CISA for more details)

  • a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 (SHA-256)
  • dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 (SHA-256)
  • cmd.exe /Q /c start c:\stage1.exe 1> \\127.0.0.1\ADMIN$\__[TIMESTAMP] 2>&1 (Command-line)
  • http://5[.]182[.]211.5/rip[.]sh (URL)
  • 5.182[.]211.5 (IP)
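An added example, not CYE's own tooling, that runs a subset of this advisory's indicators over log lines: the barefooted.cfg payload URL from the 22.05 IOCs, the stage1.exe launch command line listed above, and C2 IPs and the C2 domain refanged from their published hxxp/[.] form. The log lines are constructed; the indicator subset is taken from this advisory.

```python
import re

# Constructed subset of the indicators published in this advisory, kept defanged.
DEFANGED_IOCS = {
    "domains": ["deep.deserts.coagula[.]online"],
    "ips": ["5.182[.]211.5", "100.43[.]220.234", "96.80[.]68.193"],
}

def refang(value):
    """Turn a defanged indicator back into its real form for matching."""
    return value.replace("hxxp", "http").replace("[.]", ".")

C2_DOMAINS = {refang(d) for d in DEFANGED_IOCS["domains"]}
C2_IPS = {refang(ip) for ip in DEFANGED_IOCS["ips"]}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Payload URL: any host (the advisory says it is the domain's resolved IP), then barefooted.cfg plus a URL-encoded timestamp.
PAYLOAD_RE = re.compile(
    r"https?://[^/\s]+/barefooted\.cfg\d{4}/\d{2}/\d{2}%20\d{2}:\d{2}:\d{2}")
# CISA-reported launcher: stage1.exe with stdout/stderr redirected into the loopback ADMIN$ share under a timestamped name.
STAGE1_RE = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+start\s+c:\\stage1\.exe\s+1>\s*"
    r"\\\\127\.0\.0\.1\\ADMIN\$\\__\S+\s+2>&1", re.IGNORECASE)

def classify(line):
    """Return the indicator types that fire on a single log line."""
    hits = []
    if STAGE1_RE.search(line):
        hits.append("stage1_launcher")
    if PAYLOAD_RE.search(line):
        hits.append("payload_url")
    if C2_IPS & set(IP_RE.findall(line)):
        hits.append("c2_ip")
    if any(d in line for d in C2_DOMAINS):
        hits.append("c2_domain")
    return hits

def scan(lines):
    """Map the index of each matching line to its hits; clean lines are omitted."""
    return {i: h for i, line in enumerate(lines) if (h := classify(line))}

# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "proxy GET http://10.172.0.3/barefooted.cfg2022/02/03%2020:49:31 200",
    "sysmon CommandLine: cmd.exe /Q /c start c:\\stage1.exe 1> "
    "\\\\127.0.0.1\\ADMIN$\\__1645696803.12 2>&1",
    "fw outbound 192.168.1.20 -> 100.43.220.234:443 allowed",
    "fw outbound 192.168.1.20 -> 1.1.1.1:53 allowed",
    "dns query deep.deserts.coagula.online A from 192.168.1.20",
]
```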

IOCs of Cyclops Blink, part of the VPNFilter malware

(See the full malware report Cyclops-Blink-Malware-Analysis-Report.pdf (ncsc.gov.uk), including IOCs and Yara signatures.)

IOCs

Path:

  • /usr/bin/cpd
    Path location of Cyclops Blink executable
  • /pending/bin/install_upgrade
    Path location to backed-up legitimate install_upgrade executable
  • /var/tmp/a.tmp
    Default path location for downloaded files

Filename:

  • rootfs_cfg
    Name of file used to persist C2 server IP addresses on the device filesystem

C2 server IP addresses:


The Following IOCs relate to HermeticWiper

See detailed report: HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine – SentinelOne

  • 912342F1C840A42F6B74132F8A7C4FFE7D40FB77
  • 61B25D11392172E587D8DA3045812A66C3385451
  • Win32/KillDisk[.NCV] trojan

By CYE Critical Cyber Operations Group