February '22 Corvus Policyholder Update

The cyber impact of the Russian invasion of Ukraine.

The outbreak of war in Europe has turned what was a relatively quiet period for cyber threat activity into one where the cybersecurity world's eyes are trained on Russia — its state-backed hacking capabilities and the ransomware groups it harbors. So far cyberattacks haven’t become the lead story of the Russian invasion, but security experts have nonetheless been monitoring several strands of activity and we’re including some of those key stories in this month’s Bird’s Eye. 


CISO Corner

Noteworthy trends in cybersecurity from Chief Information Security Officer Jason Rebholz


Russia's invasion of Ukraine included a hybrid warfare model that involved a variety of cyberattacks against public and private sector organizations in Ukraine. Here’s an overview of some cyber events so far: 

January 13th: Microsoft investigation teams identified destructive wiper malware, known as WhisperGate, that targeted Ukrainian systems. This included government, non-profit, and information technology organizations. The wiper malware’s primary objective is to make the impacted systems inoperable with no path to recovering data. This is reminiscent of the NotPetya malware of 2017.

February 15th: A distributed denial-of-service (DDoS) attack — where large amounts of traffic are sent to a specified target to disrupt normal system operations — hit military and financial institutions in Ukraine, making it the largest DDoS attack in the country’s history. Additionally, Russia conducted disinformation campaigns against Ukrainians. Users of Privatbank received fake text messages alerting them that the bank’s ATMs were no longer working.

February 23rd: Additional DDoS attacks targeted Ukrainian government bodies and a new strain of destructive malware known as HermeticWiper targeted additional organizations.

Ongoing: There are reports of ongoing cyberattacks against Ukraine that include disinformation, DDoS, and continued use of wiper malware.

What this means for you: For most organizations, there’s no cause for urgent concern. The United States has stated that there are currently no credible threats to businesses in the United States, but that organizations should still be mindful of potential attacks, especially ransomware. In many cases, the companies that could be targeted would be strategically important to national security or have “national significance,” as New Zealand’s Cyber Security agency highlighted.

For organizations that have business operations or third-party vendors that touch Ukraine, additional precautions should be taken. We recommend that you read our article and confirm the following:

  • If you have overseas operations, ensure that Ukrainian systems are segmented from the rest of your environment.
  • If you have contractors based in Ukraine, ensure their endpoints are secured and limit their access into your critical systems.
  • Work with your key third-party providers to ensure they do not have dependent systems or services hosted in Ukraine.

For all companies, this is the time to reaffirm your security foundations. Check out the next section for tips on how to do so.

Risk + Response Tips

Security tips and service updates from VP of Risk + Response Lauren Winchester


This month we’re highlighting how to boost your organization’s security posture using free and discounted resources. Below are some noteworthy resources from the U.S. Cybersecurity and Infrastructure Security Agency (CISA):

  • Shields Up. CISA recommends that all organizations put their cyber Shields Up, so to speak. Reduce the likelihood of an attack, detect malicious activity, respond effectively, and maximize resilience. CISA has laid out dozens of free tools and services to help your organization do all of the above, whether it be personnel training for phishing attacks or tools to detect suspicious activity. You can find the full list of free services in Shields Up, or directly linked here.
  • The Known Exploited Vulnerabilities Catalog. Find any software used by your organization and ensure that it is updated to its latest version to fix any known security flaws.
  • Get Your Stuff Off Search. A free how-to guide on reducing exposures that are visible to anyone on web-based search platforms (which makes your organization an easy target). 

We recommend the following steps to check the foundations of your security program:

  • Train users on phishing awareness and on avoiding suspicious links or attachments.
  • Ensure Endpoint Detection and Response (EDR) technology is deployed throughout your organization, especially on critical systems. If you have not yet invested in an EDR solution, we have free trials and discounts with two industry-leading solutions, SentinelOne and CrowdStrike. Both partners have top-notch threat intelligence feeding into their products and have already updated their solutions to identify recent Russian destructive malware.
  • Confirm your backups have been recently tested, are working as expected, and are protected.
  • Ensure systems are being monitored for any suspicious activity.

For more on how small businesses can navigate implementing security measures on a budget, you can read our blog post.

Monthly Alerts


Threat Report

What to watch for this month. 


The Corvus Scan is a powerful asset that enables us to identify which policyholders are at risk for new vulnerabilities. You’ve probably already heard from us about the following if your organization is at risk, but we’ve gathered the monthly round-up of alerts and updates below:

WatchGuard Firewall Vulnerability Advisory 

Recently, U.S. and U.K. authorities informed the network security vendor WatchGuard of sophisticated state-sponsored malware impacting WatchGuard firewall appliances. WatchGuard firewall appliances configured to allow unrestricted management access from the Internet are vulnerable. Learn more about the impact of this vulnerability here.

Samba Vulnerability Advisory 

On January 31, 2022, Samba security released a patch for a critical vulnerability, CVE-2021-44142. This vulnerability is found in all versions of Samba prior to 4.13.17 using the VFS (Virtual File System) module "vfs_fruit", which provides additional support for Mac OS X devices. Learn more about the impact of this vulnerability here.
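A first-pass triage of the two conditions in this advisory (a Samba version below 4.13.17 and the fruit module loaded in smb.conf), as an added example that is not Corvus or Samba code. The function names and the sample configuration are constructed for illustration; the only threshold used is the one stated above.

```python
import re

# Threshold from the advisory text above: Samba versions prior to 4.13.17.
FIXED_VERSION = (4, 13, 17)

def parse_version(banner):
    """Pull (major, minor, patch) out of `smbd --version` style output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version number in {banner!r}")
    return tuple(int(part) for part in m.groups())

def sections_loading_fruit(conf_text):
    """Return smb.conf sections whose effective 'vfs objects' value lists fruit."""
    vfs_by_section = {}
    section = "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        # Parameter names ignore case and whitespace; a later setting in the
        # same section replaces the earlier one.
        if sep and re.sub(r"\s+", "", key).lower() in ("vfsobjects", "vfsobject"):
            vfs_by_section[section] = re.split(r"[\s,]+", value.strip().lower())
    return sorted(s for s, mods in vfs_by_section.items() if "fruit" in mods)

def triage(banner, conf_text):
    """Version check is a first pass: distro packages may backport the fix."""
    below_fix = parse_version(banner) < FIXED_VERSION
    fruit = sections_loading_fruit(conf_text)
    return {"below_fix": below_fix, "fruit_sections": fruit,
            "needs_patch": below_fix and bool(fruit)}

# Constructed sample input, not taken from a real host.
SAMPLE_CONF = """
[global]
   workgroup = EXAMPLE
   ; vfs objects = fruit
[TimeMachine]
   VFS Objects = catia fruit streams_xattr
[public]
   vfs objects = acl_xattr
"""

if __name__ == "__main__":
    print(triage("Version 4.13.5-Debian", SAMPLE_CONF))
```

A share inherits the `[global]` setting unless it sets its own `vfs objects`, so a hit on `global` applies to every share that does not override it.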

Malicious Cyber Incidents in Ukraine 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) strongly urges organizations with any Ukrainian subsidiaries or entities to be on alert for malicious cyber activity due to escalating geopolitical activity. You can find our guidance on the situation here.