| Version |
|---|
| 2022-03-02 |
| Authors |
|---|
| Cédric BLANDAMOUR |
| Capucine DE NOMAZY |
| Jérémy ROLLAND |
- Reduce the risk of account takeover by strengthening authentication, as a priority, on VPN access and other Internet-exposed services, and on administrator accounts that have access to all critical IS resources.
  - Implement strong authentication (with at least two authentication factors) on all remote access to the organisation's network and on all privileged or administrative access.
  - Ensure that the password policy enforces password complexity, brute-force lockout, periodic account review and the disabling of unused accounts.
  - Enable email security solutions to prevent phishing emails from reaching end users.
- Enhance security monitoring of logged events.
  - At a minimum, confirm that logs are generated at the relevant points and centralise the logs produced by the most sensitive assets: VPN entry points, administration bastions, domain controllers, hypervisors.
  - Investigate anomalies that would normally be ignored. In particular, in an Active Directory environment, abnormal connections to domain controllers should be inspected, as should alerts in the antivirus and EDR consoles.
  - If possible, deploy monitoring tools (Sysmon, EDR, XDR).
  - If you have business relationships with organisations operating in conflict areas, monitor and inspect all traffic to and from them, and carefully review the access controls applied to this traffic.
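The "abnormal connections on domain controllers" check above, as an added example that is not part of the advisory: it assumes Security event IDs 4624/4625 have already been centralised and parsed into dicts with the standard fields (Computer, TargetUserName, LogonType, IpAddress); the DC inventory, bastion addresses, admin account names and events are all constructed.

```python
"""Flag abnormal logons on domain controllers (added example, not from the
advisory). Assumes 4624/4625 Security events have been centralised and parsed
into dicts with the standard fields; all host lists and events are constructed."""
from collections import defaultdict

DOMAIN_CONTROLLERS = {"DC01", "DC02"}              # constructed inventory
ADMIN_BASTIONS = {"10.0.0.5", "10.0.0.6"}          # only hosts allowed to RDP to a DC
TIER0_ADMINS = {"adm.alice", "adm.bob"}            # constructed tier-0 admin accounts
INTERACTIVE = {"2", "10"}                          # 2 = console, 10 = RemoteInteractive


def abnormal_dc_logons(events, fail_threshold=3):
    """Return (reason, event) pairs for logons that break the tier-0 rules."""
    findings, failures = [], defaultdict(int)
    for ev in events:
        if ev["Computer"] not in DOMAIN_CONTROLLERS:
            continue                                   # only DC logs are in scope
        user, src = ev["TargetUserName"], ev.get("IpAddress", "-")
        if user.endswith("$"):
            continue                                   # machine accounts: normal traffic
        if ev["EventID"] == "4625":                    # failed logon: count per source/user
            failures[(src, user)] += 1
            if failures[(src, user)] == fail_threshold:
                findings.append(("repeated logon failures on DC", ev))
        elif ev["LogonType"] in INTERACTIVE:
            if src not in ADMIN_BASTIONS:
                findings.append(("interactive logon from non-bastion host", ev))
            elif user not in TIER0_ADMINS:
                findings.append(("non-tier-0 account logged on interactively", ev))
    return findings


SAMPLE_EVENTS = [  # constructed telemetry, not real events
    {"EventID": "4624", "Computer": "DC01", "TargetUserName": "adm.alice", "LogonType": "10", "IpAddress": "10.0.0.5"},
    {"EventID": "4624", "Computer": "DC01", "TargetUserName": "WS042$", "LogonType": "3", "IpAddress": "10.1.4.42"},
    {"EventID": "4624", "Computer": "DC02", "TargetUserName": "adm.alice", "LogonType": "10", "IpAddress": "10.1.4.42"},
    {"EventID": "4624", "Computer": "DC02", "TargetUserName": "j.smith", "LogonType": "2", "IpAddress": "10.0.0.6"},
    {"EventID": "4624", "Computer": "FS01", "TargetUserName": "j.smith", "LogonType": "10", "IpAddress": "10.1.4.42"},
] + [{"EventID": "4625", "Computer": "DC01", "TargetUserName": "administrator", "LogonType": "3", "IpAddress": "198.51.100.7"}] * 3

if __name__ == "__main__":
    for reason, ev in abnormal_dc_logons(SAMPLE_EVENTS):
        print(f"{reason}: {ev['TargetUserName']} from {ev['IpAddress']} on {ev['Computer']}")
```

The first sample event (RDP to a DC from a bastion by a tier-0 account) and the machine-account logon are expected and produce no finding; the remaining DC events are reported.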
- Keep off-line backups of critical data and applications.
  - Perform regular backups of the company's critical assets (file servers, infrastructure and business applications, etc.). The backup frequency should be adapted to the entity and to the criticality of the data being backed up.
  - Keep at least one level of backups disconnected from the IS, including the index of backup images.
  - Test the backup procedures for critical data to ensure that it can be restored quickly and reliably.
- Safeguard the entity's critical activities and services.
  - Maintain an inventory of the digital services associated with business activities, ranked by sensitivity.
  - Identify dependencies on service providers.
  - Ensure that software is up to date and, where possible, accelerate the deployment of patches or the correction of identified vulnerabilities.
- Ensure that a crisis management system is in place to deal with a cyber-attack.
  - Designate a crisis response team and ensure that each of its roles and responsibilities within the organisation is clearly assigned, particularly for technology, communication, legal matters and business continuity.
  - Have a business continuity plan and a downtime plan in case systems, business applications and support functions become unavailable (including communication means such as telephony or messaging).
  - Define emergency contact points, including at digital service providers.
  - Ensure that all useful information is available in hard copy or accessible off-line.
- Prepare a "Red Button" procedure.
  - Prepare emergency procedures to isolate the sections of the information system that would be at risk (network segments containing equipment or offices located in areas affected by the conflict, i.e. currently Ukraine or Russia).
- Follow security alerts and advisories issued by trusted publishers.
  - See the list of sources to follow at the end of this document.
- Assess the use of Russian or Ukrainian products, from a cyber-risk perspective but also with regard to potential sanctions, which may make it difficult to use the products or to pay for their licences.
  (More details in the ANSSI report, the CISA report and the NCSC press release.)
Specific recommendations for malware identified in the context of international tensions February-March 2022
Attached you will find a document listing the known indicators of compromise related to this context. Please check that none of these indicators are present on your network. Specific recommendations for the identified malware and vulnerabilities follow.
Destructive Malware:
- WhisperGate: On 15 January 2022, the Microsoft Threat Intelligence Center (MSTIC) revealed that this malware was used to target organisations in Ukraine. According to Microsoft, WhisperGate is intended to be destructive and is designed to render targeted devices inoperable.
- HermeticWiper: On 23 February 2022, several cybersecurity researchers revealed that malware known as HermeticWiper was being used against organisations in Ukraine. According to SentinelLabs, the malware targets Windows devices and manipulates the master boot record, resulting in a subsequent boot failure and the complete loss of infected systems as well as the data stored on them.
- IsaacWiper: On 24 February 2022, researchers revealed that malware known as IsaacWiper was being used against organisations in Ukraine. According to ESET Research, it has no code similarity with HermeticWiper; it enumerates physical and logical drives and wipes them.
Botnet:
- Cyclops Blink: a sophisticated state-sponsored botnet that may have infected a limited number of WatchGuard firewall appliances. It is believed to be linked to the Sandworm Team APT, as indicated in the NCSC malware analysis report.
  - Remediation: Follow WatchGuard's detailed 4-step plan: https://detection.watchguard.com/.
  - Remediation: Block the IPs and domain names listed in the attached Indicator of Compromise document.
- Katana: a botnet used to carry out DDoS attacks.
  - Remediation: Establish an operational plan against DDoS attacks. A guidance document was published by ANSSI in 2015.
  - Remediation: Block the IPs and domain names listed in the attached Indicator of Compromise document.
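Checking centralised logs against the attached indicator document (the request in the introduction above) and confirming that the IPs and domains to be blocked do not already appear in your traffic, as an added example that is not part of the advisory or its attachment. The indicator list and log lines are constructed placeholders (TEST-NET address, .invalid domain, a fake hash); the "type,value" CSV layout is an assumption, not the format of the real attachment.

```python
"""Check log lines against an indicator list (added example, not the advisory's
attached IoC document). Indicators and log lines below are constructed
placeholders: a TEST-NET address, a .invalid domain and a fake SHA-256."""
import csv
import io
import re

# Constructed stand-in for the attached IoC document; "type,value" is assumed.
IOC_CSV = """type,value
ip,203.0.113.10
domain,c2.example.invalid
sha256,0000000000000000000000000000000000000000000000000000000000000001
"""
# Whole-token patterns: 10.0.0.1 must not match inside 10.0.0.10, etc.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
SHA256 = re.compile(r"(?<![0-9a-f])([0-9a-f]{64})(?![0-9a-f])", re.I)
HOSTNAME = re.compile(r"(?<![\w.-])([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?![\w.-])", re.I)
EXACT = {"ip": IPV4, "sha256": SHA256}   # matched as exact tokens


def load_iocs(text):
    """Parse the CSV into a dict of sets keyed by indicator type, normalised."""
    iocs = {"ip": set(), "domain": set(), "sha256": set()}
    for row in csv.DictReader(io.StringIO(text)):
        iocs[row["type"]].add(row["value"].strip().lower().rstrip("."))
    return iocs


def match_line(line, iocs):
    """Return (type, indicator) hits for one log line."""
    hits = []
    for kind, rx in EXACT.items():
        hits += [(kind, t.lower()) for t in rx.findall(line) if t.lower() in iocs[kind]]
    for host in HOSTNAME.findall(line):
        host = host.lower()
        # a subdomain of an indicator counts; "notc2.example.invalid" must not
        hits += [("domain", d) for d in iocs["domain"] if host == d or host.endswith("." + d)]
    return hits


SAMPLE_LOGS = [  # constructed lines in DNS, firewall and EDR styles
    "dns client=10.1.4.42 query=beacon.c2.example.invalid type=A",
    "dns client=10.1.4.43 query=notc2.example.invalid type=A",
    "fw allow src=10.1.4.42 dst=203.0.113.100 dport=443",
    "fw allow src=10.1.4.42 dst=203.0.113.10 dport=443",
    "edr file=C:\\Users\\x\\a.exe sha256=0000000000000000000000000000000000000000000000000000000000000001",
]

if __name__ == "__main__":
    iocs = load_iocs(IOC_CSV)
    for line in SAMPLE_LOGS:
        for kind, value in match_line(line, iocs):
            print(f"[{kind}] {value} <- {line}")
```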
Ransomware
- HermeticRansom: ransomware deployed at the same time as HermeticWiper.
Worm
- HermeticWizard: a worm that spreads across local networks via SMB and WMI to drop a HermeticWiper sample.
Exploited vulnerabilities
- CVE-2021-32648 is a vulnerability affecting the OctoberCMS content management system (CMS) platform, which is believed to have been used during the attacks on Ukrainian government websites. It allows an attacker to access any account through a specially crafted account password reset request.
  - Organisations using OctoberCMS versions prior to 472 or 1.1.5 are encouraged to upgrade to the latest version.
- Microsoft SQL Server vulnerability (CVE-2021-1636): attackers appear to have exploited a known vulnerability in Microsoft SQL Server to compromise at least one of the targeted organisations, using the "whoami" command.
  - Organisations are encouraged to follow the Microsoft release notes and update to the latest version.
- https://www.ncsc.gov.uk/news/uk-organisations-encouraged-to-take-action-around-ukraine-situation
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf
- https://www.ssi.gouv.fr/uploads/2022/02/20220226_mesures-cyber-preventives-prioritaires.pdf
- https://www.watchguard.com/fr/wgrd-news/blog/mesures-de-remediation-et-de-detection-du-botnet-cyclops-blink-parraine-par-des
- https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/
- https://otx.alienvault.com/
- https://www.threatminer.org/
- https://www.virustotal.com/gui/home/upload
- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
- https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
- https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/#indicators-of-compromise
- https://twitter.com/ESETresearch/status/1496581916367151115?s
- https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
- https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
- https://www.cadosecurity.com/technical-analysis-of-the-ddos-attacks-against-ukrainian-websites/
- https://www.reddit.com/r/crowdstrike/comments/t0vhe6/20220225_cool_query_friday_situational_awareness/?utm_source=share&utm_medium=ios_app&utm_name=iossmf
- https://www.nioguard.com/2022/01/analysis-of-whispergate.html
- https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/#IoCs-of-HermeticWiper
- https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/