By Taylor Mullins · May 6, 2022
Evolving intelligence continues to indicate that the Russian government is exploring options to launch cyberattacks in retaliation against governments that have assisted Ukraine or levied sanctions against Russia. In addition, threat groups that have sworn loyalty to Russia are continually seeking opportunities to attack large organizations and critical infrastructure. Due to the continued risk, an advisory from the Five Eyes Intelligence Oversight and Review Council (FIORC), which includes the intelligence alliances comprising the United States, Australia, Canada, New Zealand, and the United Kingdom, has been released outlining the threat groups at play and the mitigations that proactively protect against becoming a victim.
CISA Alert: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
Trellix is continuing to monitor the threat activity impacting the Ukrainian region and adding protections to our products for newly discovered malware variants and APT activities. Trellix recommends that organizations continue to adopt a heightened security posture to protect against current and future threats that could target their environment. Government agencies such as CISA are providing guidance as part of Shields Up to help organizations assess their infrastructure.
<https://www.cisa.gov/shields-up>
Along with adopting the guidance from the CISA and Five Eyes alliance, Trellix would like to provide additional information and resources that could assist organizations with being prepared should they be targeted.
Trellix recommends reviewing the information provided by the CISA along with the items noted below to proactively prevent Initial Access in your environment.
Organizations often grant credentials with elevated rights in their environment to contractors, temporary employees, or outside vendors for projects or engagements, and those credentials frequently remain active for months or even years after the engagement ends. Performing an assessment of your Active Directory accounts and permissions is one proactive measure to prevent adversarial activity using stale credentials.
The same can be done for external network connections. Large organizations will often allow third-party customers, vendors, partners, or suppliers to have remote access into their environment to perform specific tasks. As was seen in the Lapsus$ breaches, if an attacker cannot find entry into their desired target, they will at times look at which entities have access into the company and attempt to compromise the third party to gain access via its allowed connection. Auditing who has remote access into your environment, and the cybersecurity posture, frameworks, and controls of third-party solution providers, is highly recommended.
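The account review described above, as an added example that is not part of the original post: the records below are a constructed stand-in for an Active Directory export (the field names and the privileged-group list are assumptions), and the check flags enabled accounts that are external or privileged and have either passed their engagement end date or gone stale.

```python
from datetime import date

# Audit reference date (the post's publication date) and staleness threshold.
TODAY = date(2022, 5, 6)
# Assumed set of groups treated as privileged for this audit.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Backup Operators"}

# Constructed account records in the shape of a hypothetical AD export.
ACCOUNTS = [
    {"sam": "vendor-svc", "enabled": True, "groups": ["Domain Admins"],
     "last_logon": date(2021, 9, 1), "engagement_end": date(2021, 12, 31), "external": True},
    {"sam": "contractor1", "enabled": True, "groups": ["Remote Desktop Users"],
     "last_logon": date(2022, 5, 4), "engagement_end": date(2022, 8, 31), "external": True},
    {"sam": "itadmin", "enabled": True, "groups": ["Domain Admins"],
     "last_logon": date(2022, 5, 5), "engagement_end": None, "external": False},
    {"sam": "oldtemp", "enabled": False, "groups": ["Domain Admins"],
     "last_logon": date(2020, 1, 1), "engagement_end": date(2020, 2, 1), "external": True},
    {"sam": "partner-api", "enabled": True, "groups": ["Backup Operators"],
     "last_logon": None, "engagement_end": None, "external": True},
]


def audit(accounts, today=TODAY, stale_days=90):
    """Return findings for enabled external or privileged accounts that are stale or past their engagement."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used for initial access; out of scope
        privileged = PRIVILEGED_GROUPS.intersection(acct["groups"])
        reasons = []
        end = acct["engagement_end"]
        if end is not None and end < today:
            reasons.append("engagement ended %s but account still enabled" % end)
        last = acct["last_logon"]
        if last is None:
            reasons.append("never logged on")
        elif (today - last).days > stale_days:
            reasons.append("no logon for %d days" % (today - last).days)
        # Only external or privileged accounts are in scope for this review.
        if reasons and (privileged or acct["external"]):
            findings.append({"account": acct["sam"], "privileged": sorted(privileged), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(ACCOUNTS):
        print(f["account"], f["privileged"], "; ".join(f["reasons"]))
```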
Figure 1. MITRE Framework for tactics and techniques specific to well-known Russian APT groups.
Vishwas Manral, Chief Architect from the Skyhigh Security Cloud team and founder of NanoSec, has created the above MITRE Framework based on tactics and techniques well known to APT groups out of Russia, as well as techniques associated with the software they use. Vishwas has made this MITRE Framework available in both JSON and XLSX format on the following GitHub site.
GitHub: MITRE ATT&CK MATRIX for Russian APT Groups.
The Trellix Advanced Threat Research Team has created a GitHub repository of aggregated Yara rules from various public sources, including our own, and makes it available to organizations and individuals alike to help combat these emerging threats.
<https://github.com/advanced-threat-research/Russian_CyberThreats_Yara>
The Trellix AC3 maintains a Threat Sightings site that notes which tools are being used in attacks; this information is meant to help Blue Teamers generate actionable countermeasures. Among the information a threat sighting may include are full command lines, API calls, file system activity, and network activity.
The SANS Resource Center has outlined specific action items for consideration in relation to the Russia/Ukraine activity. This site from SANS can be used as a framework for security operations and provides guidance for CISOs on reporting to executives and board members.
SANS: Ukraine-Russia Conflict – Cyber Resource Center
Trellix is currently monitoring threats detected and reported across the threat landscape; this is a fluid situation that is ever changing. Trellix will continue to add protections to all our products and alert customers as these threats are discovered. Below is an overview of how to utilize threat intelligence to know who may be targeting your sector and which tools specific APT and threat groups use, to assist with early detection of malicious activity.
Figure 2. Russo-Ukrainian Crisis Threat Campaign Detections for the past 30 days. Source: Trellix APG Team
One key area that can assist with proactive detection and protection is correlating threat intelligence and Indicators of Compromise (IOCs) from MVISION Insights against event data within your organization. Customers of MVISION Insights can utilize the published APIs in MVISION API to pull down Campaigns, Indicators of Compromise (IOCs), and Tactics, Techniques, and Procedures (TTPs) into their environment to further correlate data and proactively detect threats. MVISION Insights is regularly updated with campaigns and IOCs related to the conflict in the Ukrainian region and to the threat actors that are targeting outside entities in retaliation.
Figure 3. MVISION Insights APIs to access Campaigns, IOCs, and TTPs for added threat intelligence and correlation
Part of the challenge of defending against the growing threats is knowing who might be targeting your sector and the techniques used to gain initial access and the techniques utilized by the adversary should they gain entry. The joint advisory noted above from the CISA provides an overview of the active threat groups and the sectors they are known to target.
In addition to the joint government advisory, MVISION Insights has added the “Russo-Ukrainian Crisis” label to all campaigns and threat profiles in MVISION Insights related to the conflict, to help identify those specific threats, and using the Campaign Connections feature can help customers filter to the threats being seen in a specific sector.
Figure 4. Filtering campaigns to those involved with the Russo-Ukrainian Crisis in MVISION Insights
Figure 5. Graphical view of Russo-Ukrainian campaigns targeting specific sectors in MVISION Insights
Ransomware gangs and APT groups often have a specific toolset that they utilize across their attacks; these tools can consist of open-source software and living-off-the-land techniques. Being aware of these toolsets and monitoring for their usage in your environment can be an early indicator of adversarial activity when the tools are not known to be used for business purposes.
Below is an overview of common tools utilized by APT groups and ransomware gangs that have targeted entities across the globe. Hunting for non-business usage of these tools can help with identifying emerging threats in your environment.
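The two hunts described above, correlating pulled-down campaign IOCs against event data and flagging tool usage that has no business justification, as one added example that is not part of the original post and not MVISION Insights code. The intel bundle, the events and the business allowlist are all constructed; the bundle's shape (campaign name, label, IOC types, tools) is an assumption, not the Insights API format, and the two tool names are well-known dual-use utilities used only as illustration.

```python
import os
from collections import defaultdict

# Constructed intel bundle (assumed shape, not the real export format).
INTEL = {"campaigns": [
    {"name": "Campaign A (constructed)", "label": "Russo-Ukrainian Crisis",
     "iocs": {"sha256": ["aa" * 32], "domain": ["update-check.example"]}, "tools": ["PsExec.exe"]},
    {"name": "Campaign B (constructed)", "label": "Other",
     "iocs": {"ip": ["203.0.113.10"]}, "tools": ["certutil.exe"]},
]}

# Constructed endpoint events: process creations, a DNS query and a network flow.
EVENTS = [
    {"host": "WS01", "user": "jdoe", "image": r"C:\Tools\psexec.exe", "sha256": "bb" * 32},
    {"host": "ADMIN01", "user": "itops", "image": r"C:\Tools\psexec.exe", "sha256": "bb" * 32},
    {"host": "WS01", "query": "Update-Check.example."},
    {"host": "WS02", "user": "asmith", "image": r"C:\Users\asmith\setup.exe", "sha256": "aa" * 32},
    {"host": "WS03", "dst_ip": "203.0.113.10"},
]

# Hypothetical allowlist of (host, tool) pairs approved for business use.
ALLOWLIST = {("ADMIN01", "psexec.exe")}

# Which event field carries which indicator kind.
FIELDS = [("sha256", "sha256"), ("query", "domain"), ("dst_ip", "ip"), ("image", "tool")]


def normalize(kind, value):
    """Canonicalise feed and log spellings so they compare equal."""
    value = value.strip().lower()
    if kind == "domain":
        return value.rstrip(".")          # drop trailing dot from DNS logs
    if kind == "tool":
        return os.path.basename(value.replace("\\", "/"))  # keep only the image name
    return value


def build_index(intel):
    """Map (kind, value) -> set of campaign names for constant-time lookup."""
    index = defaultdict(set)
    for camp in intel["campaigns"]:
        for kind, values in camp["iocs"].items():
            for v in values:
                index[(kind, normalize(kind, v))].add(camp["name"])
        for tool in camp.get("tools", []):
            index[("tool", normalize("tool", tool))].add(camp["name"])
    return index


def correlate(events, intel, allowlist):
    """Return one finding per event field that matches intel, skipping allowlisted tool use."""
    index, findings = build_index(intel), []
    for ev in events:
        for field, kind in FIELDS:
            if field not in ev:
                continue
            value = normalize(kind, ev[field])
            hits = index.get((kind, value))
            if not hits or (kind == "tool" and (ev["host"], value) in allowlist):
                continue
            findings.append({"host": ev["host"], "kind": kind, "value": value, "campaigns": sorted(hits)})
    return findings
```

Swapping the constructed `INTEL` for the campaigns and IOCs pulled through the MVISION API, and `EVENTS` for your SIEM export, turns this into the correlation the post describes.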
Alert (AA22-057A) - Destructive Malware Targeting Organizations in Ukraine
Trellix Advanced Threat Research Team: Looking over the nation-state actors’ shoulders: Even they have a difficult day sometimes
Trellix Global Defenders: Cyberattacks Targeting Ukraine and HermeticWiper Protections
Trellix Advanced Threat Research Team: Return of Pseudo Ransomware
Conti Leaks: Examining the Panama Papers of Ransomware
Conti Group Targets ESXi Hypervisors With its Linux Variant
Ukrainian Companies Targeted by Wipers - Impact & Prevention