Tag Archives: Russia-Ukraine Conflict

The Digital Citizen’s Guide to Navigating Cyber Conflict

Post Syndicated from Jen Ellis original https://blog.rapid7.com/2022/03/25/the-digital-citizens-guide-to-navigating-cyber-conflict/

The Digital Citizen’s Guide to Navigating Cyber Conflict

As security professionals, we are currently being bombarded with warnings and alerts of a heightened threat level due to the possibility that Russia will start to more aggressively leverage cyberattacks as part of their offensive. If you are feeling the pressure of getting everything done, check out this post that identifies the 8 most important emergency conflict actions for your security program.

This post is meant as a companion piece that gives advice for non-security-pro digital citizens to protect themselves and, by extension, help protect their organizations.

As security pros, we do not live in a perfect technical vacuum where we make system-wide Decisions That Will Be Obeyed by Everyone in Our Domain. Rather, we must acknowledge that our users are part of the equation. They can be tricked and manipulated. They lose devices or leave them unlocked in public. They may not follow policy, connecting to unsecured networks, using personal devices for work, or buying unvetted apps.

In other words, they make your life more complicated. But they are likely also watching the same news reports you are and may be wondering what they can do to help protect against the prospect of Russian aggression. This is your opportunity to harness that desire to help, and educate your non-security friends, family, and end users on making it through a cyber conflict. This could be a step toward inspiring them to think more about security in the long term.

1. Control who can access your accounts, apps, or devices

Password hygiene and password managers

These days, most technical devices or apps will give you the option to set up a password, PIN, or pattern. It’s highly recommended that you do so in addition to avoiding reusing passwords and changing them often.

If you follow that advice, you’ll end up with a lot of information to remember. This is where a password manager comes in. They automatically store and fill passwords as needed. They’ll also help you generate passwords if you want them to, ensuring each one is unique and adheres to the requirements of the site, app, or device. Some also offer other benefits, such as working across multiple devices so your passwords can sync across your laptop, tablet, and mobile. Another cool feature is the ability to share selected passwords with designees — for example, if you want to give a family member access to your Netflix account. There are plenty of decent and inexpensive password managers out there. Examples include LastPass, Bitwarden, 1Password, and Dashlane.

Turn on a second layer of protection for your accounts (2FA/MFA)

Having unique and hard-to-guess passwords is important, but it’s not a magical fix that will make you invulnerable to hacking. Cyberattackers will try to trick you into giving them your password, or they may try to guess or crack it. If you are reusing passwords (which is a bad bet), they may already have your password from a previous successful hack.

In situations such as these, having a second way to prove who you are when accessing your accounts is critical to help you protect your private data and accounts. This is referred to as two-step verification, two-factor authentication (2FA), or multi-factor authentication (MFA). The second step or factor might be a code sent to a trusted device, a physical token (such as a scannable key tab or a yubikey), or a biometric (such as your fingerprint or a facial scan). You don’t have to set up 2FA on everything (though it definitely doesn’t hurt to do so), but we strongly recommend you add it to anything holding very sensitive information, such as your online or mobile banking apps, your mobile phone, or other devices.

2. Pay attention to experts

Listen to your employer or other affiliated organization

Pay attention to all internal communications from your work/school/organization, as they likely have situation-specific guidance pertaining to any malicious activity against that organization. Be sure to follow any guidance or policies they issue.

Look out for alerts from apps and services

The vendors and other organizations you do business with should notify you if they are victims of a cyberattack. Look out for communications from them, but be cautious of anything asking you for info or to take an action, as these could be fraudulent. If you receive a communication asking you to take an action, instead of clicking on links within the email, we recommend going directly to the company website or using a search engine to find the information. You should find information to indicate whether it’s legitimate or a scam.

Relevant regional information

Ensure you know where to find information on local services and infrastructure — for example, your local government’s website, social media feeds, or other forms of local media, such as TV, radio and print.

Credit reports

One way that Russia may try to gain footholds on organizations is through identity theft of individuals. Signing up to credit reports — and actually paying attention to them — is one way to catch and respond to this activity early on. Many credit card companies offer this service for free.

3. Hope for the best, but prepare for the worst

Attacks against critical infrastructure

There is a lot of speculation that Russia will target cyberattacks at critical infrastructure. A great deal of effort is going into building resilience into these organizations and systems, and we hope that widespread outages will not occur. However, the Colonial Pipeline, JBS, and HSE attacks in 2021 highlighted the scale of disruption that can be caused by cyberattacks against critical infrastructure. In the same way you would plan for warnings of incoming hurricane activity, we recommend you consider what you might need to weather outages of power, water, or other critical services.

Backup your data offline

The major technology companies typically invest a great deal in cybersecurity to ensure your data is protected; however, they also may make for attractive targets of Russian hacking. They will also be just as affected as everyone else is in the case of power outages. If you are worried about being able to access information in these events, you may want to create an offline backup of your most essential data.

The guidance above focuses on the most critical actions to help individuals navigate the current threats of cyber conflict related to the Russian invasion of Ukraine. For more general advice to individuals for protecting your digital identity, check out this guide, which was created in a collaboration with the UK government’s Cyber Aware campaign.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

8 Tips for Securing Networks When Time Is Scarce

Post Syndicated from Erick Galinkin original https://blog.rapid7.com/2022/03/22/8-tips-for-securing-networks-when-time-is-scarce/

8 Tips for Securing Networks When Time Is Scarce

“At this particular mobile army hospital, we’re not concerned with the ultimate reconstruction of the patient. We only care about getting the kid out of here alive enough for someone else to put on the fine touches. We work fast and we’re not dainty, because a lot of these kids who can stand 2 hours on the table just can’t stand one second more. We try to play par surgery on this course. Par is a live patient.” – Hawkeye, M*A*S*H

Recently, CISA released their Shields Up guidance around reducing the likelihood and impact of a cyber intrusion in response to increased risk around the Russia-Ukraine conflict. This week, the White House echoed those sentiments and released a statement about potential impact to Western companies from Russian threat actors. The White House guidance also included a fact sheet identifying urgent steps to take.

Given the urgency of these warnings, many information security teams find themselves scrambling to prioritize mitigation actions and protect their networks. We may not have time to make our networks less flat, patch all the vulnerabilities, set up a backup plan, encrypt all the data at rest, and practice our incident response scenarios before disaster strikes. To that end, we’ve put together 8 tips for “emergency field security” that defenders can take right now to protect themselves.

1. Familiarize yourself with CISA’s KEV, and prioritize those patches

CISA’s Known Exploited Vulnerabilities (KEV) catalog enumerates vulnerabilities that are, as the name implies, known to be exploited in the wild. This should be your first stop for patch remediation.

These vulns are known to be weaponized and effective — thus, they’re likely to be exploited if your organization is targeted and attackers expose one of them in your environment. CISA regularly updates this catalog, so it’s important to subscribe to their update notices and prioritize patching vulnerabilities included in future releases.

2. Keep an eye on egress

Systems, especially those that serve customers or live in a DMZ, are going to see tons of inbound requests – probably too many to keep track of. On the other hand, those systems are going to initiate very few outbound requests, and those are the ones that are far more likely to be command and control.

If you’re conducting hunting, look for signs that the calls may be coming from inside your network. Start keeping track of the outbound requests, and implement a default deny-all outbound rule with exceptions for the known-good domains. This is especially important for cloud environments, as they tend to be dynamic and suffer from “policy drift” far more than internal environments.

3. Review your active directory groups

Now is the perfect time to review active directory group memberships and permissions. Making sure that users are granted access to the minimum set of assets required to do their jobs is critical to making life hard for attackers.

Ideally, even your most privileged users should have regular accounts that they use for the majority of their job, logging into administrator accounts only when it’s absolutely necessary to complete a task. This way, it’s much easier to track privileged users and spot anomalous behavior for global or domain administrators. Consider using tools such as Bloodhound to get a handle on existing group membership and permissions structure.

4. Don’t laugh off LOL

Living off the land (LOL) is a technique in which threat actors use legitimate system tools in attacks. These tools are frequently installed by default and used by systems administrators to do their jobs. That means they’re often ignored or even explicitly allowed by antivirus and endpoint protection software.

You can help protect systems against LOL attacks by configuring logging for Powershell and adding recommended block rules for these binaries unless they are necessary. Refer to the regularly updated (but not comprehensive, as this is a constantly evolving space) list of these at LOLBAS.

5. Don’t push it

If your organization hasn’t mandated multi-factor authentication (MFA) yet, now would be a very good time to require it. Even if you already require MFA, you may need to let users know to immediately report any notifications they did not initiate.

Nobelium, a likely Russian-state sponsored threat actor, has been observed repeatedly sending MFA push notifications to users’ smartphones. Though push notifications are considered more secure than email or SMS notifications due to the need for physical access, it turns out that sending enough requests means many users eventually – either due to annoyance or accident – approve the request, effectively defeating the two-factor authentication.

When you do enable MFA, be sure to regularly review the authentication logs, keeping an eye out for accounts being placed in “recovery” mode, especially for extended periods of time or repeatedly. Also consider using tools or services that monitor the MFA configuration status of your environment to ensure configuration drift (or attackers) have not disabled MFA.

6. Stick to the script

Often, your enterprise’s first line of defense is the help desk. Over the next few days, it’s important that these people feel empowered to enforce your security policies.

Sometimes, people lose their phone and can’t perform their MFA. Other times, their company laptop just up and dies, and they can’t get at their presentation materials on the shared drive. Or maybe they’re sure what their password should be, but today, it just isn’t. It happens. Any number of regular disasters can befall your users, and they’ll turn to your help desk to get them back up and running. Most of the time, these aren’t devious social engineering attacks. They just need help.

Of course, the point of a help desk is to help people. Sometimes, however, the “users” are attackers in disguise, looking for a quick path around your security controls. It can be hard to tell when someone calling in to the help desk is a legitimate user who is pressed for time or an attacker trying to scale the walls. Your help desk folks should be extra wary of these requests — and, more importantly, know they won’t be fired, reprimanded, or retaliated against for following the standard, agreed-upon procedures. It might be a key executive or customer who’s having trouble, and it might not be.

You already have a procedure for resets and re-enrollments, and exceptions to that procedure need to be accompanied by exceptional evidence.

(Hat tip to Bob Lord for bringing this mentality up on a recent Security Nation episode.)

7. Call for backup

Now is the time to make sure you have solid offline backups of:

  • Business-critical data
  • Active Directory (or your equivalent identity store)
  • All network configurations (down to the device level)
  • All cloud service configurations

Continue to refresh these backups moving forward. In addition, make sure your backups are integrity-tested and that you can (quickly) recover them, especially for the duration of this conflict.

8. Practice good posture

While humans will be targeted with phishing attacks, your internet-facing components will also be in the sights of attackers. There are numerous attack surface profiling tools and services out there that help provide an attacker’s-eye view of what you’re exposing and identify any problematic services and configurations — we have one that is free to all Rapid7 customers, and CISA provides a free service to any US organization that signs up. You should review your attack surface regularly to ensure there are no unseen gaps.

While security is a daunting task, especially when faced with guidance from the highest levels of the US government, we don’t necessarily need to check all the boxes today. These 8 steps are a good start on “field security” to help your organization stabilize and prepare ahead of any impending attack.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

New US Law to Require Cyber Incident Reports

Post Syndicated from Harley Geiger original https://blog.rapid7.com/2022/03/10/new-us-laws-to-require-cyber-incident-reports/

New US Law to Require Cyber Incident Reports

On March 9, 2022, the US Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Once signed by the President, it will become law. The law will require critical infrastructure owners and operators to report cyber incidents and ransomware payments. The legislation was developed in the wake of the SolarWinds supply chain attack and recently gained additional momentum from the Russia-Ukraine conflict. This post will walk through highlights from the law.

Rapid7 supports efforts to increase transparency and information sharing in order to strengthen awareness of the cybersecurity threat landscape and prepare for cyberattacks. We applaud passage of the Cyber Incident Reporting for Critical Infrastructure Act.

What’s this law about?

The Cyber Incident Reporting for Critical Infrastructure Act will require critical infrastructure owners and operators — such as water and energy utilities, health care organizations, some IT providers, etc. — to submit reports to the Cybersecurity and Infrastructure Security Agency (CISA) for cybersecurity incidents and ransomware payments. The law will provide liability protections for submitting reports to encourage compliance, but noncompliance can result in a civil lawsuit. The law will also require the government to analyze, anonymize, and share information from the reports to provide agencies, Congress, companies, and the public with a better view of the cyber threat landscape.

An important note about the timeline: The requirements do not take effect until CISA issues a clarifying regulation. The law will require CISA to issue this regulation within 42 months (though CISA may take less time), so the requirements may not be imminent. In the meantime, the Cyber Incident Reporting for Critical Infrastructure Act provides information on what CISA’s future rule must address.

We detail these items from the law below.

Requiring reporting of cyber incidents and ransom payments

  • Report requirement. Critical infrastructure owners and operators must report substantial cybersecurity incidents to CISA, as well as any ransom payments. (However, as described below, this requirement does not come into effect until CISA issues a regulation.)
  • Type of incident. The types of cyber incidents that must be reported shall include actual breaches of sensitive information and attacks that disrupt business or operations. Mere threats or failed attacks do not need to be reported.
  • Report timeline. For a cyber incident, the report must be submitted within 72 hours after the affected organization determines the incident is substantial enough that it must be reported. For ransom payments, the report must be submitted within 24 hours after the payment is made.
  • Report contents. The reports must include a list of information, including attacker tactics and techniques. Information related to the incident must be preserved until the incident is fully resolved.
  • Enforcement. If an entity does not comply with reporting requirements, CISA may issue a subpoena to compel entities to produce the required information. The Justice Department may initiate a civil lawsuit to enforce the subpoena. Entities that do not comply with the subpoena may be found in contempt of court.

CISA rule to fill in details

  • Rule requirement. CISA is required to issue a regulation that will establish details on the reporting requirements. The reporting requirements do not take effect until this regulation is final.
  • Rule timeline. CISA has up to 42 months to finalize the rule (but the agency can choose to take less time).
  • Rule contents. The rule will establish the types of cyber incidents that must be reported, the types of critical infrastructure entities that must report, the content to be included in the reports, the mechanism for submitting the reports, and the details for preserving data related to the reports.

Protections for submitting reports

  • Not used for regulation. Reports submitted to CISA cannot be used to regulate the activities of the entity that submitted the report.
  • Privileges preserved. The covered entity may designate the reports as commercial and proprietary information. Submission of a report shall not be considered a waiver of any privilege or legal protection.
  • No liability for submitting. No court may maintain a cause of action against any person or entity on the sole basis of submitting a report in compliance with this law.
  • Cannot be used as evidence. Reports, and material used to prepare the reports, cannot be received as evidence or used in discovery proceedings in any federal or state court or regulatory body.

What the government will do with the report information

  • Authorized purposes. The federal government may use the information in the reports cybersecurity purposes, responding to safety or serious economic threats, and preventing child exploitation.
  • Rapid response. For reports on ongoing threats, CISA must rapidly disseminate cyber threat indicators and defensive measures with stakeholders.
  • Information sharing. CISA must analyze reports and share information with other federal agencies, Congress, private sector stakeholders, and the public. CISA’s information sharing must include assessment of the effectiveness of security controls, adversary tactics and techniques, and the national cyber threat landscape.

What’s Rapid7’s view of the law?

Rapid7 views the Cyber Incident Reporting for Critical Infrastructure Act as a positive step. Cybersecurity is essential to ensure critical infrastructure is safe, and this law would give federal agencies more insight into attack trends, and would potentially help provide early warnings of major vulnerabilities or attacks in progress before they spread. The law carefully avoids requiring reports too early in the incident response process and provides protections to encourage companies to be open and transparent in their reports.

Still, the Cyber Incident Reporting for Critical Infrastructure Act does little to ensure critical infrastructure has safeguards that prevent cyber incidents from occurring in the first place. This law is unlikely to change the fact that many critical infrastructure entities are under-resourced and, in some cases, have security maturity that is not commensurate with the risks they face. The law’s enforcement mechanism (a potential contempt of court penalty) is not especially strong, and the final reporting rules may not be implemented for another 3.5 years. Ultimately, the law’s effect may be similar to state breach notification laws, which raised awareness but did not prompt widespread adoption of security safeguards for personal information until states implemented data security laws.

So, the Cyber Incident Reporting for Critical Infrastructure Act is a needed and helpful improvement — but, as always, there is more to be done.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Graph Analysis of the Conti Ransomware Group Internal Chats

Post Syndicated from Kwan Lin original https://blog.rapid7.com/2022/03/04/graph-analysis-of-the-conti-ransomware-group-internal-chats/

Graph Analysis of the Conti Ransomware Group Internal Chats

We were presented with a remarkably rich source of intelligence with the leaked communications from the Conti ransomware group.

It’s a compelling and insightful read. The leaked information contains details on messages, including information on timestamps, sender, receiver, and the actual body of the message itself.

While the messages themselves are revealing, the messaging patterns provide another dimension of insight into the Conti organization.

Analyzing the Conti Ransomware messages

Graph analysis as an analytical method enables us to extract information about the structure and behaviors of the organization.

When we say “graph analysis” in this case, we’re not referring to just looking at interesting pictures of data (though interesting pictures are certainly a possible output); we are referring to a body of mathematical study that focuses on distinct entities and their interconnections.

The distinct entities in this case are the unique communicators represented in the Conti leaks. The interconnections are the messaging paths between those communicators.

Graph Analysis of the Conti Ransomware Group Internal Chats

Without labels, this visual in of itself seems obscure, but this represents the communication network of the Conti ransomware group. The little dots – the nodes – forming an ellipse represent individual communicators. The lines – the edges – connecting those nodes represent shared messages. The darkness of the edges represents a degree measure, or the frequency of communication in this case.

What they might tell us

There are a lot of calculations happening behind the scenes, and the visual conveys a sense that communication within Conti doesn’t happen uniformly, which quite frankly is probably representative of most organizations.

We see here that there are certain nodes that are very frequently communicated with. Why might that be the case? Hard to say without going into further analysis, but it’s likely due to those nodes being very loquacious and gregarious, or perhaps the nodes represent key figures in the organization that are frequently being consulted and are issuing guidance and directives.

We can restructure this graph into an arc diagram and cut down on the noise with some admittedly arbitrary filters to get a cleaner view of the overall picture. In this case, we’re looking only at the communications from 2022, and we further limited the set of nodes that appear to those with a high frequency of communication measure.

Graph Analysis of the Conti Ransomware Group Internal Chats

From this approach, we can get a sense of the set of recently most active communicators within Conti. Whether these prominent individuals are just chatty or leaders is unclear, but whatever the case, a lot of communications — and presumably intelligence – is going to and from them. If they are relays, then a lot of information is going through them.

If we’re talking about relays, then what we’re really looking for is a measure of betweenness centrality, which typically represents the amount of influence specific nodes have on the flow within a graph structure.

In other applications, such as for corporate entities or criminal organizations, the individuals that are characterized by high betweenness centrality are oftentimes key linchpins of the organization. Their removal from the organization often manifests as severe disruptions to the organization.

Graph Analysis of the Conti Ransomware Group Internal Chats

Upon deeper review of the text, it appears one communicator in particular, “buza”, is highly referenced by other communicators in decision-making contexts, though “buza” themselves is not an active communicator, relatively speaking. From this, we might surmise that “buza” is a leading figure within the organization.

If we focus only on adjacent nodes, the nodes that are directly connected to “buza”, we arrive at a view that could include “buza” at the center and the lieutenants of the organization surrounding it in a fairly classic spoke and wheel pattern. The size of the different contacts reflect how frequently they communicate with “buza,” which might in turn suggest their significance within the organization.

Graph Analysis of the Conti Ransomware Group Internal Chats

This graph analysis approach so far is really just scratching the surface of what’s possible. With further analysis, possibly combined with more in-depth text analysis methods, we can extract even more revelations about the Conti group, their areas of focus, and from there we can perhaps derive effective intelligence that can better enable defenders to secure their own organizations from similar threats.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Russia-Ukraine Cybersecurity Updates

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/03/04/russia-ukraine-cybersecurity-updates/

Russia-Ukraine Cybersecurity Updates

Cyberattacks are a distinct concern in the Russia-Ukraine conflict, with the potential to impact individuals and organizations far beyond the physical frontlines. With events unfolding rapidly, we want to provide a single channel by which we can communicate to the security community the major cyber-related developments from the conflict each day.

Each business day, we will update this blog at 5 pm EST with what we believe are the need-to-know updates in cybersecurity and threat intelligence relating to the Russia-Ukraine war. We hope this blog will make it easier for you to stay current with these events during an uncertain and quickly changing time.

March 3, 2022

Additional sanctions: The US Treasury Dept. announced another round of sanctions on Russian elites, as well as many organizations it characterized as outlets of disinformation and propaganda.

Public policy: The Russia-Ukraine conflict is adding momentum to cybersecurity regulatory actions. Most recently, that includes

  • Incident reporting law: Citing the need to defend against potential retaliatory attacks from Russia, the US Senate passed a bill to require critical infrastructure owners and operators to report significant cybersecurity incidents to CISA, as well as ransomware payments. The US House is now considering fast-tracking this bill, which means it may become law quite soon.
  • FCC inquiry on BGP security: “[E]specially in light of Russia’s escalating actions inside of Ukraine,” FCC seeks comment on vulnerabilities threatening the Border Gateway Protocol (BGP) that is central to the Internet’s global routing system.

CISA threat advisory: CISA recently reiterated that it has no specific, credible threat against the U.S. at this time. It continues to point to its Shields Up advisory for resources and updates related to the Russia-Ukraine conflict.

Threat Intelligence Update

  • An Anonymous-affiliated hacking group claims to have hacked a branch Russian Military and Rosatom, the Russian State Atomic Energy Corporation.

The hacktivist group Anonymous and its affiliate have hacked and leaked access to the phone directory of the military prosecutor’s office of the southern military district of Russia, as well as documents from the Rosatom State Atomic Energy Corporation.

Available in Threat Library as: OpRussia 2022 (for Threat Command customers who want to learn more)

  • A threat actor supporting Russia claims to have hacked and leaked sensitive information related to the Ukrainian military.

The threat actor “Lenovo” claims to have hacked a branch of the Ukrainian military and leaked confidential information related to its soldiers. The information was published on an underground Russian hacking forum.

Source: XSS forum (discovered by our threat hunters on the dark web)

  • An Anonymous hacktivist associated group took down the popular Russian news website lenta.ru

As part of the OpRussia cyber-attack campaign, an Anonymous hacktivist group known as “El_patron_real” took down one of the most popular Russian news websites, lenta.ru. As of Thursday afternoon, March 3, the website is still down.

Available in Threat Library as: El_patron_real (for Threat Command customers who want to learn more)

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

The Top 5 Russian Cyber Threat Actors to Watch

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/03/03/the-top-5-russian-cyber-threat-actors-to-watch/

The Top 5 Russian Cyber Threat Actors to Watch

As we continue to monitor the situation between Russia and Ukraine – and the potential for global cybersecurity impacts – we realize that our customers and other business and industry stakeholders may be interested in additional information and context to help them understand the landscape. An important part of the equation we are studying is the activity of cyber threat actors.

In an effort to help our clients know what to look for in their environments and anticipate potential attacks, this post provides guidance on the top 5 Russian threat actors and their known tactics and techniques, based on information from the Threat Library within Threat Command.

The following threat actors are identified by our Threat Intelligence Research team as the most likely (i.e., highest risk) to carry out cyberattacks against European and US companies.

1. The UAC-0056 threat group (AKA TA471, SaintBear, and Lorec53)

The UAC-0056 threat group has been active since at least March 2021. The group was observed attacking government and critical infrastructure organizations in Georgia and Ukraine. UAC-0056’s targets are aligned with the interests of the Russian government, although it is unknown whether it is state-sponsored.

The threat actors gain initial access via the sending of spear phishing email messages that contain either Word documents (with malicious macro or JavaScript codes) or PDF files (with links leading to the download of ZIP archives embedded with malicious LNK files). These are used to install and execute first-stage malware loaders that fetch other malicious payloads, such as the OutSteel document stealer and the SaintBot loader. The latter is used to download even more payloads by injecting them into spawned processes or loading them into memory.

UAC-0056 hosts its malicious payloads on Discord’s content delivery network (CDN). They are often obfuscated and have anti-analysis mechanisms.

In February 2022, amidst the geopolitical tension between Russia and Ukraine, the Computer Emergency Response Team of Ukraine (CERT-UA) attributed UAC-0056 with an attack against a Ukrainian energy organization. The threat actors used spear phishing email messages, allegedly on behalf of the National Police of Ukraine, suggesting that a certain individual (Belous Alexei Sergeevich) had committed a crime. This attack was associated with a larger campaign that was initiated by the group against Ukrainian entities from the beginning of 2021

UAC-0056 is actively targeting Ukraine. Their previous cyberattacks demonstrated the use of a spoofing phishing technique to reach their targets. This technique could be used to target various companies in Europe or the United States.

Targeted industries/sectors

  • Government
  • Energy

2. Sandworm Team

Sandworm Team, also called Black Energy, BlackEnergy , ELECTRUM, Iron Viking, Quedagh

Sandworm, TeleBots, TEMP.Noble, or VOODOO BEAR, is a group of Russian hackers that have been behind the major cyber campaign targeting foreign-government leaders and institutions, especially Ukrainian ones, since 2009. They may also have been involved in the cyberattacks launched against Georgia during the 2008 Russo-Georgian confrontation.

Sandworm Team is known to have a strong interest in US and European critical systems. In one campaign, Sandworm Team used a zero-day exploit, CVE-2014-4114. In that campaign, they targeted Ukrainian government officials, members of the EU, and NATO.

Sandworm Team’s previous activity in Europe and the United States exposed their interest in targeting critical systems and indicated preparation for cyber attacks.

In February 2022, the United States’ and United Kingdom’s cybersecurity and law enforcement agencies uncovered a novel botnet that has been used by Sandworm since June 2019. The malware, dubbed Cyclops Blink, targets WatchGuard Firebox and other Small Office/Home Office (SOHO) network devices, and grants the threat actors remote access to networks. Cyclops Blink leverages the legitimate firmware update process and maintains system access and persistence by injecting malicious code and installing repacked firmware images. In addition, the malware is deployed along with modules that are developed to download and execute additional files from a remote command and control (C2) server, collect and send general system information, and update the malware. Cyclops Blink is estimated to affect approximately 1% of all active Watchguard firewall appliances in the world.

Targeted industries/sectors

  • Government
  • Critical systems (energy, transportation, healthcare)

3. Gamaredon Group

Active since at least 2013, Gamaredon Group is a Russian state-sponsored APT group. In 2016, the Gamaredon Group was responsible for a cyber espionage campaign, tracked as Operation Armageddon (an operation that has been active since at least mid-2013), targeting the Ukrainian government, military, and law enforcement officials. The Security Service of Ukraine (SSU) blamed Russia’s Federal Security Service (FSB) for the cyberattacks. Furthermore, evidence found by researchers suggested that the malware used by the threat actor had been built on a Russian operating system. The Gamaredon group leveraged spear-phishing emails to deliver common remote access tools (RATs), such as UltraVNC and Remote Manipulator System (RMS).

Gamaredon Group is known to use strikingly off-the-shelf tools in their hacking activities. At the beginning of 2017, the Gamaredon Group made a shift to custom-developed malware instead of common RATs, showing that the group has improved its technical capabilities.

For their custom-built malware distribution, Gamaredon Group primarily makes use of compromised domains, dynamic DNS providers, Russian and Ukrainian country code top-level domains (ccTLDs), and Russian hosting providers. The new malware is very sophisticated, and it is able to avoid the detection of security solutions.

While Gamaredon has started using new malware, it also relies on self-extracting archives (SFX) and much of the same infrastructure as when its activities were first analyzed.

In January 2022, Symantec researchers reported that Gamaredon initiated a campaign between July and August 2021, targeting Ukrainian organizations. The campaign included the sending of spear phishing email messages embedded with malicious macro codes. Once the macro was enabled, it executed a VBS file that dropped the group’s custom backdoor, Pteranodon. In addition, Gamaredon used 8 other malicious payloads that were dropped from 7-zip SFX self-extracting binaries. These payloads had different functionalities, such as creating scheduled tasks, connecting to a C2 server, and downloading additional files.

In February 2022, cybersecurity researchers reported that on January 19, 2022, Gamaredon attempted to compromise an undisclosed Western government entity operating in Ukraine. This was done as part of a phishing campaign, in which the threat actors leveraged a Ukrainian job search and employment platform to upload a malware downloader masquerading as a resume for a job ad that was posted by the targeted organization.

In addition, the researchers discovered another Gamaredon campaign that took place in December 2021 and targeted the State Migration Service (SMS) of Ukraine. The threat actors used weaponized Word documents that deployed an open-source UltraVNC virtual network computing (VNC) software for maintaining remote access to the compromised systems. Gamaredon was observed to use an infrastructure of more than 700 malicious domains, 215 IP addresses, and over 100 samples of malware. The group was also found to recycle its used domains by consistently rotating them across new infrastructure, which is unique among threat actors.

Targeted Industry / Sector

  • Government
  • TechnologyStay vigilant

4. APT29 (AKA Dukes or Cozy Bear)

APT29 is a well-resourced, highly dedicated, and organized cyberespionage group. Security researchers suspect that the group is a part of the Russian intelligence services. The group has been active since at least 2008, and its main purpose is to collect intelligence in support of foreign and security policy decision-making.

APT29 primarily targets Western governments and related organizations, such as government ministries and agencies, political think tanks, governmental subcontractors, diplomatic, healthcare organizations, and energy targets.

APT29 engages in targeted campaigns, utilizing different toolsets. The targets and timing of these campaigns appear to align with the known foreign and security policy interests of the Russian Federation at those times.

The group frequently uses publicly available exploits to conduct widespread scanning and exploitation against vulnerable systems, likely in an effort to obtain authentication credentials to allow further access. This broad targeting gives the group potential access to a large number of systems globally, many of which are unlikely to be of immediate intelligence value. The group may maintain a store of stolen credentials in order to access these systems in the event that they become more relevant in the future.

In addition to targeted attacks, APT29 has engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns involve a fast but noisy break-in followed by a rapid collection and exfiltration of as much data as possible. If the compromised target is discovered to be of value, APT29 switches the toolset used and moves to using stealthier tactics focused on persistent compromise and long-term intelligence gathering.

Throughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States, and the United Kingdom, most likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.

Targeted industries/sectors

  • Telecom
  • Technology
  • Pharmaceutical

5. APT28 (AKA Fancy Bear)

APT 28, also called Group 74, Pawn Storm, SNAKEMACKEREL, STRONTIUM, Sednit, Sofacy, Swallowtail, TG-4127, Threat Group-4127, or Tsar Team, is a state-sponsored hacking group associated with the Russian military intelligence agency GRU. The group has been active since 2007 and usually targets privileged information related to government, military, and security organizations. Among the Russian APT groups, Fancy Bear dominated in 2017, especially at the end of that year.

Between February 10 and 14, 2015, during the ceasefire in Donbass (East Ukraine), APT 28 scanned 8,536,272 Ukrainian IP addresses for possible vulnerabilities. After February 14, 2015, APT28 shifted its attention to the west. They have also scanned for vulnerabilities in Spain, the UK, Portugal, USA, and Mexico.

According to the UK foreign secretary, Dominic Raab, APT28 was responsible for the 2015 cyber attacks on Germany’s Parliament. The official also said, “The UK stands shoulder to shoulder with Germany and our European partners to hold Russia to account for cyberattacks designed to undermine Western democracies. This criminal behavior brings the Russian Government into further disrepute.”

In August 2020, a joint report of the NSA and the FBI was released, in which they attributed a new malware to APT28 named Drovorub. Drovorub is a Linux malware consisting of an implant coupled with a kernel module rootkit, a file transfer, and port forwarding tool, and a command and control (C2) server.

When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with the actor-controlled C2 infrastructure, file download and upload capabilities, execution of arbitrary commands as “root,” and port forwarding of network traffic to other hosts on the network.

On August 9, 2020, the QuoIntelligence team disseminated a warning to its government customers in Europe about a new APT28 campaign. This campaign targets government bodies of NATO members (or countries cooperating with NATO). The researchers discovered a malicious file uploaded to VirusTotal, which ultimately drops a Zebrocy malware and communicates with a C2 in France.

In September 2020, Microsoft researchers reported that state-sponsored Russian hacking group APT28 was observed targeting organizations and individuals involved in the US presidential election. According to the researchers, the group’s efforts are focused on stealing the targets’ credentials and compromising their accounts to potentially disrupt the elections and to harvest intelligence to be used as part of future attacks.

Targeted industries/sectors

  • Military
  • Security
  • Government
  • Press

Notable cyber adversaries

Based on their previous cyber operations against Western countries and due to their direct or indirect implication in the current Russian/Ukrainian cyber conflict, we’ve identified these APT groups as potential cyber threats. The sophistication of their attacks and the fact that they often target European countries and the US make them a higher risk. We, along with the rest of the cybersecurity community, will continue to monitor the activities of these threat actors, and we recommend security teams worldwide do the same.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Conti Ransomware Group Internal Chats Leaked Over Russia-Ukraine Conflict

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/

Conti Ransomware Group Internal Chats Leaked Over Russia-Ukraine Conflict

On February 27, Twitter user @ContiLeaks released a trove of chat logs from the ransomware group, Conti – a sophisticated ransomware group whose manual was publicly leaked last year. Ahead of the chat log disclosures, Conti pledged their support for the Russian Government following the Russian invasion of Ukraine. However, a number of members sided with Ukraine, causing strife within the organization. Two days later, Conti posted a second message revising their statement to condemn the war and to strike back only if Russian critical infrastructure is targeted.

Conti Ransomware Group Internal Chats Leaked Over Russia-Ukraine Conflict
Conti announcement of support for Russian government

Conti Ransomware Group Internal Chats Leaked Over Russia-Ukraine Conflict
Conti walk-back of their support for Russia

Conti Ransomware Group Internal Chats Leaked Over Russia-Ukraine Conflict
@ContiLeaks announcement of the release

At the time of the leak, a file titled `1.tgz` was released on the “AnonFiles” website, containing 14 megabytes of chat logs across 393 JSON files. However, some of the messages were encrypted and could not be read, so the information provided is necessarily incomplete. The remaining files contained internal Conti communications, screenshots of tools, and discussions of their exploits and design processes.

On February 28 and March 1, a bevy of additional files were posted, along with a number of pro-Ukraine tweets. Among both sets of leaked messages, there were a number of usernames and passwords for a variety of accounts. Additionally, user @ContiLeaks shared access details for a number of alleged Conti command and control servers, plus storage servers for stolen files. However, we have not accessed any of the data necessitating access to remote servers or the use of usernames and passwords, and we strongly recommend against doing so.

@ContiLeaks also shared a file that they purport to be the source code for the Conti ransomware but declined to share the password except with “trusted parties.” @ContiLeaks did, however, name one alleged Conti developer, providing their email address and Github. The scale of the leaked information suggests that the leaker is likely either a very senior member of the group or a coalition of disgruntled Conti affiliates.

Conti is a business – and a well-funded one

Much of the discussion within the chat logs concerns fairly mundane things – interviewing potential operators of the group, payment for services, out-of-office messages, gossip, and discussions of products. Based on the leaked chats, the Conti interview process actually looks a lot like a standard technical interview, with coding exercises to be performed hosted on public code repositories, salary negotiations, and the status of ongoing products.

In addition to other financial information related to specific actors, the leaked chats have revealed Conti’s primary Bitcoin address, which contains over two billion USD as of February 28, 2022. Moreover, a conversation on April 9, 2021 between “mango” and “johnyboy77” indicates Russian FSB involvement in some portion of their funding and that the FSB were interested in files from the media outlet Bellingcat on “Navalny” – an apparent reference to Alexei Navalny, the currently imprisoned opposition leader in Russia.

Conti development

Conti seems to operate much like a software company – the chat logs disclose concerns with the development of specific features for targets and a particular difficulty in encrypting very large files. The Conti team also attempted to get demos of popular endpoint detection software with the intent to develop their malware to avoid detection.

Two of the actors, “lemur” and “terry” shared phishing templates (included verbatim in Appendix B at the end of this post) to be used against potential targets. Conti gains initial access in many ways, with phishing a popular line of attack due in part to its relatively high efficacy and low cost. Conti often uses phishing emails to establish a presence on targeted networks.

A screenshot of the Conti control panel was also leaked, showing a number of compromised hosts and a breakdown of the operating systems, antiviruses, user rights, and detailed information about the infected assets.

Conti Ransomware Group Internal Chats Leaked Over Russia-Ukraine Conflict
Conti control panel

Further discussions detailed the use of infrastructure against targets, disclosing a number of both known and unknown Conti command and control domains. At the time of this post, only a small number of the previously unknown command and control domains appear to be active. Conversations between two operators, “Stern” and “Bentley” discuss the use of third parties for malicious documents, favoring certain providers over others. They also discuss logistics for how to deliver ransomware without being detected by dynamic analysis. In a conversation between the two back in June of 2021, Stern discloses that Conti wants to start their own cryptocurrency but does not know who to work with. There is no evidence that anything came of this desire, and Conti continues to use Bitcoin for their ransoms.

Other groups assert they are strictly business

In stark contrast to Conti, other groups have made it clear to the public that despite their “business model,” they take no public stance on this crisis. LockBit is remaining aloof from the conflict and made it clear that they intend to operate as usual. Although it is believed that LockBit is a Russian organization, they assert that “we are all simple and peaceful people, we are all Earthlings,” and “for us it is just business and we are all apolitical.” Another ransomware group, ALPHV, claims to be “extremely saddened” by Conti’s pledge of support and condemns Conti. Their message concludes, “The Internet, and even more so its dark side, is not the place for politics.”

Rumors of Conti’s demise have been greatly exaggerated

Conti’s payment and “support” portal is still live, even following the infighting and leaks. Conti has repeatedly proven to be one of the most capable ransomware actors and these chats indicate that the group is well-organized and still very well-funded despite the schism. Any suggestion that these leaks spell the end for Conti is overstated, and we expect that Conti will continue to be a powerful player in the ransomware space.

What you can do

We are keeping an eye on dark web activity related to Conti and other ransomware groups and want to reiterate the following steps for protecting yourself from ransomware:

  • User education, especially related to well-crafted phishing campaigns
  • Asset and vulnerability management, including reducing your external attack surface
  • Multi-factor authentication

Additionally, it is worth ensuring that you are well-guarded against the exploits and malware commonly used by Conti (vulnerabilities provided in Appendix A at the end of this post). Furthermore, security teams should also take some time to review CISA’s recent report on the group. For further discussion on how to protect yourself from ransomware, see our ransomware playbook.

Appendix A – Conti known exploited vulnerabilities

CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146 (MS17-010; EternalBlue/EternalSynergy/EternalChampion)

CVE-2020-1472 (ZeroLogon)

CVE-2021-34527 (PrintNightmare)

CVE-2021-44228 (Log4Shell)

CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 (ProxyShell/ProxyLogon)

Appendix B – Phishing templates

{Greetings|Hello|Good afternoon|Hi|Good day|Greeting|Good morning|Good evening}!
{Here|Right here|In this letter|With this letter} we {send|direct} you {all the|all the necessary|the most important} {documentation|papers|documents|records} {regarding|concerning|relating to} your {payment|deposit payment|last payment} {#|№|No. }НОМЕР ПЛАТЕЖА, right {as we|as we have} {discussed|revealed} {not so long ago|not too long ago|recently|just recently|not long ago}. Please {review the|check the|take a look at} аll {necessary|required|important} {information|data} in the {file attached|attached file}.
Т: {Payment|Deposit payment} {invoice|receipt} {#|№|No. }НОМЕР ИНВОЙСА {prepared|formed}
D: {payment|deposit|dep|paym}_{info|information|data}

{Hello|Greetings|Greetings to you|Good evening|Good morning|Good day|Good afternoon}{!|,|.|}
Your {order|purchase order|online order} was {successfully|correctly|timely} {paid|compensated|covered} by you {yesterday|today|recently}. Your {documentation|docs|papers} and {bank check|receipt|paycheck} {can be found|are listed} in the {attached file|file attached}.
T: {Invoice|Given invoice|Bill} {we|we have|we’ve} {sent|mailed|delivered} to you {is paid|is covered|is processed}.
D: {Purchase order|Order} {verification|approval}

{Hello|Greetings|Greetings to you|Good evening|Good morning|Good day|Good afternoon}{!|,|.|}
{We are contacting you to|This is to|This mail is to} {notify|remind} you {about|regarding} your {debt|unprocessed payment} for {our last|the recent|our recent} {contract|agreement}. All {compensation|payment} {data|information}, {agreement|contract} and prepared legal {documents|documentation} {can be found|are located} in the {file attached|attached file}.
T: {Missing|Additional} payment {information|details|info} reminder
D: {Contract|Agreement} 2815/2 {case|claim}

{Hello|Greetings|Greetings to you|Good evening|Good morning|Good day|Good afternoon}{!|,|.|}
{Your payment|Your advance payment|Your obligatory payment|Payment you sent|Payment you made} was {successfully|correctly|timely|properly} {achieved|accomplished|approved|affirmed|received|obtained|collected|processed}. All {required documentation|necessary documents|important documentation|documents you need|details that can be important|essential documents} {can be found|you can find} in the {attached file|file attached}.
T: {Invoicing|Invoice|Agreement|Contract|Payment} {info|data|information|details}
D: {Receipt|Bill} {id|ID|Number|number|No.|No.|No|#|##} 3212-inv8

{Greetings|Hello|Good day|Good afternoon}{!|,|}
{Thank you for|We are thankful for|We are grateful for|Many thanks for} {your|your recent} {on-line order|purchase order|order}. {We|Our financiers have|Our team has|We have|Our shop has} {received|collected|processed|checked} your {payment|advance payment|money transfer|funds transfer} НОМЕР ПЕРЕВОДА. Now we {are and ready to|begin to} {pack|prepare|compose} your {shipment|order|box}. Your {parcel|packet|shipment|box} {will|is going to|would} {arrive|be delivered} to {you|your residence} within {4|5|6|four|five|six} {days|business days}.
{Total|Full|Whole} {order|purchase|payment} sum: СУММА
You {can find|will find} {all|full} {relative information|order info|order and payment details} and your {receipt|check} НОМЕР ЧЕКА {in|in the} {attached file|file attached}.
{Thank you!|Have a nice day!}
ТЕМЫ: Your {order|purchase|on-line order|last order} НОМЕР ЗАКАЗА payment {processed|obtained|received}
АТТАЧИ:
ord_conf
full.details
compl_ord_7847
buyer_auth_doc
info_summr
customer_docs
spec-ed_info

Additional reading

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.