Priority: High
Executive Summary:
In a series of coordinated cyber attacks beginning on the 14th January 2022, orchestrated by Russian state-sponsored actors, more than 70 Ukrainian government websites have been defaced or rendered inaccessible. Russian threat actors have used spear-phishing, brute-force and exploited known vulnerabilities to gain access to target networks by compromising third-party infrastructure/software or deploying custom malware. The actors have also demonstrated the ability to maintain persistence undetected long-term access in compromised environments by using legitimate credentials. Microsoft outlined a new destructive malware family attributed to a threat actor DEV-0586, called WhisperGate that disables Windows Defender Threat Protection and was discovered to have targeted multiple organisations in Ukraine. As a result, American Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) have released a joint advisory on how to detect, respond to, and mitigate cyber attacks orchestrated by Russian state-sponsored actors.
The list of vulnerabilities exploited by Russian hacking groups to gain an initial foothold which are “common but effective,” are below:
| CVE-2018-13379 | FortiGate VPNs |
| CVE-2019-1653 | Cisco router |
| CVE-2019-2725 | Oracle WebLogic Server |
| CVE-2019-7609 | Kibana |
| CVE-2019-9670 | Zimbra software |
| CVE-2019-10149 | Exim Simple Mail Transfer Protocol |
| CVE-2019-11510 | Pulse Secure |
| CVE-2019-19781 | Citrix |
| CVE-2020-0688 | Microsoft Exchange |
| CVE-2020-4006 | VMWare (Note: this was a zero-day at the time) |
| CVE-2020-5902 | F5 Big-IP |
| CVE-2020-14882 | Oracle WebLogic |
| CVE-2021-26855 | Microsoft Exchange (Note: Frequently observed used in conjunction with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) |
Affected Products:
Multiple third-party vendor software, highlighted in the section above.
Recommendations and Best Practices:
To increase cyber resilience against this threat, ITC recommends installing the latest patches, mandating multi-factor authentication for all users, looking out for signs of abnormal activity implying lateral movement, enforcing network segmentation, and keeping operating systems, applications, and firmware up to date.
Other recommended best practices are as follows:
- Implement robust log collection and retention
- Require accounts to have strong passwords
- Enable strong spam filters to prevent phishing emails from reaching end-users
- Implement rigorous configuration management programs
- Disable all unnecessary ports and protocols
- Ensure OT hardware is in read-only mode
Organisations should act quickly to apply these measures, which are outlined in the following section and available in the URLs cited in this bulletin’s sources and detailed in the advisory here.
React:
Since these common vulnerabilities were released in the past, between 2018-2021, they are part of the Qualys detection logic used to identify vulnerable devices and the current exposure. ITC’s managed Vulnerability Intelligence customers will have already had these identified using Qualys.
ITC’s Sentinel SIEM managed service actively monitors for indications of attackers who may leverage vulnerabilities such as these to gain access to customer networks, and our analysts conduct proactive threat hunting to search for related indicators of compromise.
Sources:
- https://www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42
- https://thecyberwire.com/newsletters/daily-briefing/11/11
- https://thehackernews.com/2022/01/fbi-nsa-and-cisa-warns-of-russian.html
- https://unit42.paloaltonetworks.com/ukraine-cyber-conflict
- https://www.cisa.gov/uscert/ncas/current-activity/2022/01/11
- https://www.cisa.gov/uscert/ncas/alerts/aa22-011a
