Escalating tensions from war create an opportunity for a cyclone of cyber attacks and security issues.
Ukraine Crisis Cyber-Readiness Checklist
With Russian military operations currently underway in Ukraine, the question of whether cyber warfare will also be employed remains unanswered. While we have seen cases of destructive cyber actions focused on Ukraine, at this point attribution is not possible.
As a result of these actions, there is a heightened sense of concern being felt by many organizations. Our focus here is to protect organizations by helping them prepare for potential cyberattacks. For that, we have put together this cyber readiness checklist. While many of these suggestions are standard cyber hygiene protocols and best practices, being reminded of doing the basics never hurts, especially when there are so many other concerns. In the same way that hand washing helps in our fight against COVID-19, simple actions can also go a long way towards fighting against cyberthreats.
- Patching: Ensure that all systems are fully patched and updated
- Protection Databases: Make sure your security tools have the latest databases
- Backup: Create or update offline backups for all critical systems
- Phishing: Conduct phishing awareness training and drills
- Hunt: Proactively hunt for attackers in your network using the known TTPs of Russian threat actors
- Emulate: Test your defenses to ensure they can detect the known TTPs of Russian threat actors
- Response: Test your incident response against fictitious, real-world scenarios
- Stay up to Date: Subscribe to threat intelligence feeds like Fortinet Threat Signals
- Patching: Threat actors often target unpatched vulnerabilities in a victim’s network. As a result, the first line of defense should always be patch management and running fully patched systems. For organizations interested in focusing on specific vulnerabilities, CISA maintains a list of specific CVEs used in the past by Russian threat actors. But the better approach is to simply focus on being up to date all the time. This is also true for air-gapped environments, and now is a good time to ensure that these systems have been patched as well. And remember, patching is important not only for workstations and servers but also for security and networking products.
- Leverage Protection Databases: FortiGuard Labs continuously creates new detection rules, signatures, and behavioral models for threats that are discovered in our extensive threat intelligence framework. These are quickly propagated to all Fortinet products. Make sure that all protection databases are updated regularly.
- Backup Critical Systems: Many attacks come in the form of ransomware or wiper malware. The best defense against the destruction of data by such malware is to keep up-to-date backups. It is equally important that these backups are kept offline since malware often tries to find backup servers to destroy backups as well. The current crisis is a good opportunity to check whether backups really exist (not just on paper) and run recovery exercises with the IT team.
- Phishing: Phishing attacks are still the most common entry points for attackers. Now is a good time to run a phishing awareness campaign to heighten the awareness of everybody at your organization and to ensure they know how to recognize and report malicious emails.
- Hunt: The sad truth is that if your organization plays any sort of role in this conflict, then adversaries may already be in your network. Running threat hunting engagements can be vital in detecting adversaries before they install spyware or cause serious destruction. For threat hunting, you can use the known Tactics, Techniques, and Procedures (TTPs) below.
- Emulate: The TTPs listed below can be also used to evaluate whether your security infrastructure is able to detect them. Running emulation exercises can uncover configuration problems and blind spots that attackers might leverage to move around in your network undetected.
- Response: A quick and organized incident response will be crucial when a compromise is discovered. Now is a good opportunity to review procedures for responding to an incident, including disaster recovery and business continuity strategies. If you have your own incident response team, you can run tabletop exercises or fictitious scenarios to ensure everything will run smoothly should a compromise occur.
- Stay up to Date: it is crucial that the actions listed here are not performed just once. Staying up to date and patched, monitoring vulnerabilities, and maintaining threat awareness are actions that must be performed continuously.
The Art of War (and Patch Management)
With escalating tensions in Ukraine and threats of nation-state attacks, it is worth noting that modern warfare is no longer only based on the traditional ground, air, or sea assaults, but it has progressed to the point where cyber attacks are a common part of the offensive arsenal. They are commonly made on the financial, government, and communications of target countries in order to destabilize the country’s critical infrastructure and delay any required response to an attack.
Even if you are not directly in the line of fire, it is a timely reminder during these concerning times that we all need to be taking our cybersecurity more seriously. This is a sentiment echoed by Department of Justice (DoJ) official Deputy Attorney General Lisa Monaco in remarks at the Munich Cybersecurity Conference.
“Given the very high tensions that we are experiencing, companies of any size and of all sizes would be foolish not to be preparing right now as we speak — to increase their defenses, to do things like patching, to heighten their alert systems, to be monitoring in real-time their cybersecurity. They need to be as we say, ‘shields up’ and to be really on the most heightened level of alert that they can be and taking all necessary precautions.”
Why do we even need to say this?
Anyone who has been keeping up with Fortinet blogs is aware that we have been saying this for some time, Prioritizing Patching is Essential for Network Integrity. We are dealing from the fallout of some customers not patching. It has caused an ongoing news cycle related to an SSL-VPN issue resolved back in 2019, which remains unpatched for some customers. If you take nothing else away from this blog, check that you have taken action to remediate this issue.
Given that some organizations are not always taking action to patch, how can we better understand the reasons why so that we can help to change this behavior? Human psychology gives us some useful clues as to why this is the case.
Hyperbolic discounting is a cognitive bias that refers to the inclination to choose immediate rewards over rewards that come later in the future, even when these immediate rewards are smaller. This is most clearly demonstrated by the phrase: “A bird in the hand is worth two in the bush.”
In cybersecurity terms: I will continue working on a time-sensitive project that my boss is chasing rather than patching systems against a cybersecurity issue that might never happen, thinking “maybe we’ll get lucky and nobody will attack us.”
The situation in Ukraine and the warning from DoJ Official Lisa Monaco demonstrates we should not be taking this lightly but we need to change human nature if we want to succeed in prioritizing patch management. To do this, we need to give people instant payback.
New Wiper Malware Discovered Targeting Ukrainian Interests
FortiGuard Labs is aware of new wiper malware observed in the wild attacking Ukrainian interests. The wiper was found by security researchers today at ESET. Various estimates from both outfits reveal that the malware wiper has been installed on several hundreds of machines within the Ukraine.
Cursory analysis reveals that wiper malware contains a valid signed certificate that belongs to an entity called “Hermetica Digital” based in Cyprus. This is a breaking news event. More information will be added when relevant updates are available.
It has been reported that ransomware was deployed at the same time as the wiper in some cases.
For further reference about Ukrainian wiper attacks please reference our Threat Signal from January. Also, please refer to our most recent blog that encompasses the recent escalation in Ukraine, along with salient advice about patch management and why it is important, especially in today’s political climate.
Is this the Work of Nobelium/APT29?
At this time, there is not enough information to correlate this to Nobelium/APT29 or nation state activity.
Are there Other Samples Observed Using the Same Certificate?
No. Cursory analysis at this time highlights that the Hermetica Digital certificate used by this malware sample is the only one that we are aware of at this time.
Was the Certificate Stolen?
Unknown at this time. As this is a breaking news event, information is sparse.
Why is the Malware Signed?
Malware is often signed by threat actors as a pretence to evade AV or any other security software. Signed malware allows for threat actors to evade and effectively bypass detection and guaranteeing a higher success rate.
What is the Status of Coverage?
FortiGuard Labs has AV coverage in place for publicly available Wiper samples as:
FortiGuard Labs has the following AV coverage in place for the ransomware used in the attack:
Are you ready for application spring cleaning?
We help our clients rationalize and modernize their application stack with our consultative approach. We leverage industry-leading tools for discovery, application groupings and dependency mapping, network throughput and sizing, risk mitigation, health checks by application and modernization strategy moving forward.
Speak with a cloud consultant today.
eCloud dramatically simplifies backup and recovery by consolidating multiple point products on a single software-defined platform that spans from on-premises, enterprise edge, and to the public cloud. Architected on web-scale principles, eCloud can natively run in the public cloud and offers comprehensive protection against ransomware. We future-proof our backup and recovery strategy whether you’re on-premise, hybrid, or fully in the public cloud.
Typically, eCloud helps customers reduce their TCO by 50 to 70% with our proven solutions.
Have time to do what needs to be done to grow your organization.
Become more efficient and reduce TCO with an optimized environment.
Know that your technology foundation is solid with a certified partner.