Updated as of 22 April 2022 1800hrs
This advisory is an update to the threat advisory on The Cyber Implication of the Ukraine Crisis, which was supplemented with the Executive Brief on The Cyber Impact of Russia-Ukraine Conflict.
As the Russia-Ukraine conflict continues to escalate, the resulting geopolitical instability has exposed organisations both within and beyond the region to increased cyber threat activity.
A joint cybersecurity advisory was released on 20 April by the cybersecurity agencies of the United States, Britain, Australia, Canada, and New Zealand, which together form the Five Eyes intelligence-sharing alliance (https://www.cisa.gov/uscert/ncas/alerts/aa22-110a). The advisory calls for critical infrastructure network defenders to prepare for potential cyber threats, including destructive (wiper) malware, ransomware, DDoS attacks, and cyber espionage.
Considering the heightened cyber threat activity, it is important that organisations prioritise reviewing and strengthening their cybersecurity postures and defences. We have collated a list of notable cyber threat incidents, and our recommendations to help organisations prepare for potential cyber threats.
(For IOCs refer to: https://cert-gov-ua.translate.goog/article/39518)
Phishing and Scam - Opportunistic threat actors continue to take advantage of the conflict with conflict-themed lure emails calling for urgent humanitarian assistance and fundraising. Phishing emails delivered Remcos RAT (Remote Access Trojan) to the victim's device via an attached Excel file with a malicious macro. A custom backdoor, originally known as Scieron, was deployed via lure documents, reportedly by a suspected Chinese threat actor, Scarab.
Credential phishing and malware campaigns targeted several US-based non-governmental organisations (NGOs) and Ukrainian users. Phishing emails were sent from many compromised accounts and included links to attacker-controlled domains.
Mars Stealer malware has been observed in campaigns linked to a Russian threat actor. The campaigns took advantage of cracked versions of the info-stealer malware, exfiltrating data stored in web browsers and cryptocurrency wallets (such as MetaMask, Coinbase Wallet and Binance).
Russia/Ukraine-themed war documents have become the lure of choice for cyber espionage threat actors seeking to steal sensitive information from governments, banks, and energy companies, according to Check Point Research. Attackers used decoys ranging from official-looking documents to news articles and job postings in their spear-phishing campaigns. The malware deployed was capable of keylogging, credential collection, file collection, screenshotting, clipboard data collection, and command execution.
For IOCs, refer to:
https://cert-gov-ua.translate.goog/article/39708
https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/
https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing
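The Remcos RAT delivery above relies on an Excel attachment carrying a VBA macro. The following is an added example, not code from the advisory or from any vendor it cites, of a mail-gateway style triage check for such attachments. It assumes Office Open XML workbooks (.xlsx/.xlsm), which are ZIP containers that store a VBA project as the part xl/vbaProject.bin and declare it in [Content_Types].xml; the sample workbooks it builds in memory are constructed test data, not real samples. It also flags the common evasion of hiding macro-bearing content behind a non-macro extension, and routes legacy binary (.xls) files to deeper analysis rather than guessing.

```python
"""Triage Excel attachments for embedded VBA macros.

Added example, not from the advisory. Assumes Office Open XML workbooks
(.xlsx/.xlsm), which are ZIP containers that store a VBA project as the
part 'xl/vbaProject.bin' and declare it in '[Content_Types].xml'.
"""
import io
import os
import zipfile

VBA_PART = "xl/vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = {".xlsm", ".xltm", ".xlam"}   # extensions that may legitimately carry VBA
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (.xls/.doc) signature
ZIP_MAGIC = b"PK\x03\x04"


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Return a triage record for one attachment.

    action is one of: allow, quarantine (macro present in an OOXML file, or an
    unreadable container), sandbox (legacy OLE2 file, needs stream-level analysis).
    """
    ext = os.path.splitext(filename.lower())[1]
    record = {"filename": filename, "format": "unknown", "has_vba": False,
              "extension_mismatch": False, "action": "allow"}

    if data.startswith(OLE_MAGIC):
        # Legacy .xls: macros live in OLE streams, not in a single ZIP part.
        record["format"] = "ole2"
        record["action"] = "sandbox"
        return record

    if not data.startswith(ZIP_MAGIC):
        return record  # not an Office container at all; out of scope here

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = set(archive.namelist())
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = archive.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        record["format"] = "corrupt-zip"
        record["action"] = "quarantine"   # malformed containers are a classic evasion
        return record

    record["format"] = "ooxml"
    # Either signal is enough: the VBA part itself, or a content-type entry for it.
    record["has_vba"] = VBA_PART in names or VBA_CONTENT_TYPE in content_types
    if record["has_vba"]:
        record["extension_mismatch"] = ext not in MACRO_EXTENSIONS
        record["action"] = "quarantine"
    return record


def build_sample_workbook(with_macro: bool) -> bytes:
    """Construct a minimal OOXML workbook in memory (constructed test data)."""
    overrides = ('<Override PartName="/xl/workbook.xml" ContentType='
                 '"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>')
    if with_macro:
        overrides += f'<Override PartName="/{VBA_PART}" ContentType="{VBA_CONTENT_TYPE}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml",
                         f'<?xml version="1.0"?><Types>{overrides}</Types>')
        archive.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            archive.writestr(VBA_PART, OLE_MAGIC + b"constructed-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("situation-report.xlsx", build_sample_workbook(with_macro=False)),
        ("donation-form.xlsm", build_sample_workbook(with_macro=True)),
        ("donation-form.xlsx", build_sample_workbook(with_macro=True)),  # macro behind .xlsx
        ("archive.xls", OLE_MAGIC + b"\x00" * 504),
    ]
    for name, blob in samples:
        print(inspect_attachment(name, blob))
```

The check is deliberately conservative: it does not try to parse the VBA itself, only to decide whether a human or a sandbox needs to look, which is the decision a gateway has to make quickly and cheaply.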
Destructive Malware – Another wiper malware has surfaced: AcidRain (as named by SentinelOne). The destructive executable ran on modems, routers, and IoT devices and shows technical similarities to VPNFilter. Earlier wiper malware campaigns included WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper and DoubleZero.
Ransomware – The source code of the Conti (Ransomware-as-a-Service) ransomware was leaked. Other threat actors can easily reuse the leaked Visual Studio source with their own public keys, add new functionality, and launch their own ransomware operations.
The proliferation of initial access broker (IAB) activity reduces the time and effort needed to deploy ransomware. At least five known Russian-speaking ransomware operators, including Conti, LockBit, Avaddon, DarkSide and BlackByte, were reportedly using IABs. Using the Conti ransomware source code leaked in late March, a pro-Ukrainian hacktivist group, NB65, has reportedly claimed to have breached Russian entities.
BotNets - A new variant of Cyclops Blink has been identified that targets ASUS routers. See the ASUS security bulletin and Trend Micro's analysis for more information and mitigation measures: (https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html)
For IOCs related to Cyclops Blink malware targeting ASUS Routers: (https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyclops-blink-sets-sights-on-asus-routers/Appendix_Cyclops%20Blink%20Sets%20Sights%20on%20ASUS%20Routers.pdf)
Supply Chain Compromise - An open-source software supply chain abuse in the code of the NPM library ‘node-ipc’ affected the popular JavaScript front-end framework ‘Vue.js’. Selected NPM versions of the ‘node-ipc’ library (tracked under CVE-2022-23812) were seen launching a destructive payload that deleted all data by overwriting the files of users (believed to be located in Russia or Belarus) who installed the packages. In what has been dubbed protestware, maintainers of open-source packages add broken code, protest messages or undesired damaging functionality to the latest versions of their project without documenting it beforehand. A recent NPM protestware, the ‘event-source-polyfill’ package (v1.0.26), was modified to show anti-war messages to Russia-based users.
Exploitation of Default Multifactor Authentication (MFA) Protocols and the “PrintNightmare” Vulnerability – Russian state-sponsored actors gained access to a victim's network by exploiting default MFA protocols and enrolling a new device for MFA. The attackers then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527), to run arbitrary code with system privileges. TTPs and IOCs are available in the CISA Advisory AA22-074A.
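The protestware cases above turn on a single question for a defender: does any lockfile in the estate, including transitive dependencies several levels deep, resolve to a version that is known to be bad? The following is an added example, not code from the advisory or from the node-ipc, Vue.js or event-source-polyfill projects, that audits an npm package-lock.json against a block list of exact versions. It handles both lockfile layouts (lockfileVersion 1 with a nested dependency tree, and lockfileVersion 2/3 with a flat map keyed by install path). The event-source-polyfill 1.0.26 entry is the version named above; the node-ipc versions in the block list are illustrative placeholders for the constructed sample data and must be replaced with the list from the CVE-2022-23812 record before real use. The sample lockfiles are constructed, not taken from any real project.

```python
"""Audit an npm lockfile for known-bad package versions, transitive ones included.

Added example, not from the advisory or from any project it names. Supports
lockfileVersion 1 (nested "dependencies" tree) and 2/3 (flat "packages" map
keyed by install path), so a bad version pulled in three levels deep is still found.
"""
import json

# Package -> exact versions to refuse. event-source-polyfill 1.0.26 is the
# version named in the advisory; the node-ipc versions are ILLUSTRATIVE
# placeholders for the constructed test data below: take the authoritative list
# from the CVE-2022-23812 record before running this against a real lockfile.
BLOCKLIST = {
    "event-source-polyfill": {"1.0.26"},
    "node-ipc": {"10.1.1", "10.1.2"},
}


def iter_locked_packages(lock: dict):
    """Yield (install_path, name, version) for every package in the lockfile."""
    if lock.get("lockfileVersion", 1) >= 2 and "packages" in lock:
        for path, meta in lock["packages"].items():
            if path == "":            # the root project entry, not a dependency
                continue
            # "node_modules/@vue/cli/node_modules/node-ipc" -> "node-ipc";
            # scoped names keep their "@scope/" prefix.
            name = path.split("node_modules/")[-1]
            yield path, name, meta.get("version", "")
        return

    def walk(deps: dict, prefix: str):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_blocked(lock: dict, blocklist: dict = BLOCKLIST) -> list:
    """Return sorted (install_path, name, version) tuples that hit the block list."""
    return sorted(
        (path, name, version)
        for path, name, version in iter_locked_packages(lock)
        if version in blocklist.get(name, ())
    )


def audit_lockfile(path: str, blocklist: dict = BLOCKLIST) -> list:
    """Load a package-lock.json from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return find_blocked(json.load(fh), blocklist)


# Constructed sample lockfiles (not real projects).
SAMPLE_LOCK_V2 = {
    "name": "demo-app", "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"vue": "^3.2.0"}},
        "node_modules/vue": {"version": "3.2.31"},
        "node_modules/@vue/cli": {"version": "5.0.1"},
        "node_modules/@vue/cli/node_modules/node-ipc": {"version": "10.1.1"},
        "node_modules/node-ipc": {"version": "9.2.1"},
    },
}

SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-widget": {
            "version": "2.0.0",
            "dependencies": {"event-source-polyfill": {"version": "1.0.26"}},
        },
        "event-source-polyfill": {"version": "1.0.25"},
    },
}

if __name__ == "__main__":
    for label, lock in (("v2", SAMPLE_LOCK_V2), ("v1", SAMPLE_LOCK_V1)):
        hits = find_blocked(lock)
        print(f"[{'FAIL' if hits else 'ok'}] {label}: {hits}")
```

Run it as a CI gate so that a lockfile change which pulls in a blocked version fails the build before anything is installed; installing only from a committed lockfile (npm ci) keeps the audited versions and the installed versions the same.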
Ensign Posture & Monitoring
In addition to the 24/7 coverage of stepped-up monitoring operations, Ensign is keeping pace with updates on the current geopolitical situation, particularly in the cyber realm. Ensign stands ready to help organisations prepare for, respond to, and mitigate the impact of cyber incidents.
Our Recommendations
Here are cyber hygiene and broad protection pointers, in addition to the recommendations made in the threat advisory on The Cyber Implications of the Ukraine Crisis and the Executive Brief on The Cyber Impact of Russia-Ukraine Conflict.
We will continually provide updates on this situation, and keep you informed of any additional recommendations and IOCs. If you require further assistance, get in touch with marketing@ensigninfosecurity.com.