Escalating Cyber Threats Associated With the Russia/Ukraine Confrontation
As tensions between Russia and Ukraine escalate, a corresponding rise in cyber-attacks against domestic organizations has been observed. The US-CERT recently issued an alert describing the tactics and techniques commonly used by these known foreign adversaries; the details are reproduced below.
HAWK's automated threat intelligence platform ensures the latest known threats can be detected. HAWK's existing analytic rules cover all of the threats currently outlined in US-CERT Alert AA22-011A (see below).
HAWK continues to monitor the ongoing threats against our customers and has not yet seen a significant increase in cyber-attacks; however, that may change over the coming weeks.
The US-CERT recommends the following detection mechanisms, each of which is a standard feature of HAWK's service offering:
Password spray activity - HAWK provides automated detection for brute-force attacks, whether many passwords against a single account or a few passwords tried across many accounts (password spraying). Authentication from outside the customer network is also assigned a higher risk score.
Impossible travel - HAWK provides automated detection for accounts authenticating from more than one geographic location outside the customer network within a time span too short for the user to have travelled between them. Additional risk is applied when those authentications overlap in time.
Living-off-the-land credential dumping - HAWK's analytic rules detect the known forms of credential dumping, including dumping of LSASS process memory and of the ntds.dit Active Directory database from domain controllers.
Unusual activity in typically dormant accounts - HAWK's user behavior anomaly detection baselines low-traffic accounts and flags a sudden increase in their activity, raising the risk score of that behavior.
Unusual User-Agent - HAWK not only detects abnormal User-Agent strings but also performs real-time beacon detection using network analysis and statistical anomaly detection.
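The three log-based checks above (password spray, impossible travel, dormant-account reactivation), as an added example that is not HAWK's code: detection logic in Python run over a constructed authentication log. The record layout, the IP-to-location table, the 10.0.0.0/8 "internal network" assumption and every threshold are assumptions chosen for the illustration.

```python
"""Added example (not HAWK's code): password-spray, impossible-travel and
dormant-account checks over a constructed auth log.  Record layout, IP
geolocations, network boundary and thresholds are all assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed geolocation lookup (latitude, longitude) for the sample IPs.
GEO = {
    "10.0.0.20": (48.86, 2.35),       # corporate LAN, Paris office
    "203.0.113.10": (48.86, 2.35),    # external address, Paris
    "198.51.100.7": (40.71, -74.01),  # external address, New York
    "192.0.2.55": (52.52, 13.41),     # external address, Berlin
}
INTERNAL_PREFIX = "10."  # assumption: the customer network is 10.0.0.0/8

# Constructed authentication events: (ISO timestamp, account, source IP, outcome).
LOG = [
    ("2021-10-15T03:00:00", "svc_backup", "10.0.0.20", "success"),
    ("2022-02-01T08:00:00", "alice", "10.0.0.20", "success"),
    ("2022-02-01T08:01:00", "bob", "10.0.0.20", "success"),
    # one external source, a single failed guess against each of six accounts
    ("2022-02-01T09:00:01", "alice", "203.0.113.10", "failure"),
    ("2022-02-01T09:00:02", "bob", "203.0.113.10", "failure"),
    ("2022-02-01T09:00:03", "carol", "203.0.113.10", "failure"),
    ("2022-02-01T09:00:04", "dave", "203.0.113.10", "failure"),
    ("2022-02-01T09:00:05", "erin", "203.0.113.10", "failure"),
    ("2022-02-01T09:00:06", "frank", "203.0.113.10", "failure"),
    # alice succeeds from Paris, then from New York thirty minutes later
    ("2022-02-01T10:00:00", "alice", "203.0.113.10", "success"),
    ("2022-02-01T10:30:00", "alice", "198.51.100.7", "success"),
    # svc_backup, silent for months, suddenly logs in three times from Berlin
    ("2022-02-01T11:00:00", "svc_backup", "192.0.2.55", "success"),
    ("2022-02-01T11:02:00", "svc_backup", "192.0.2.55", "success"),
    ("2022-02-01T11:04:00", "svc_backup", "192.0.2.55", "success"),
]


def password_spray(log, window=timedelta(minutes=10), min_accounts=5):
    """Source IPs whose failed logins inside any `window` hit at least
    `min_accounts` distinct accounts (few guesses per account, many accounts).
    Returns {ip: (distinct_accounts, is_external)}; external sources add risk."""
    failures = defaultdict(list)
    for ts, user, ip, outcome in log:
        if outcome == "failure":
            failures[ip].append((datetime.fromisoformat(ts), user))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window from each failure
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_accounts and len(users) > hits.get(ip, (0,))[0]:
                hits[ip] = (len(users), not ip.startswith(INTERNAL_PREFIX))
    return hits


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(log, max_kmh=900.0):
    """Consecutive successful logins by one account whose locations would
    require travelling faster than `max_kmh` (roughly airliner speed).
    Returns [(account, from_ip, to_ip, implied_kmh)]."""
    by_user = defaultdict(list)
    for ts, user, ip, outcome in log:
        if outcome == "success" and ip in GEO:
            by_user[user].append((datetime.fromisoformat(ts), ip))
    alerts = []
    for user, events in by_user.items():
        events.sort()
        for (t0, ip0), (t1, ip1) in zip(events, events[1:]):
            km = haversine_km(GEO[ip0], GEO[ip1])
            hours = max((t1 - t0).total_seconds() / 3600.0, 1.0 / 3600.0)  # floor at 1 s
            if km / hours > max_kmh:
                alerts.append((user, ip0, ip1, round(km / hours)))
    return alerts


def dormant_reactivated(log, dormant_days=90, burst=timedelta(hours=1)):
    """Accounts silent for at least `dormant_days` that then become active;
    the burst count shows how busy the first hour after waking was.
    Returns [(account, days_silent, events_in_first_hour)]."""
    by_user = defaultdict(list)
    for ts, user, _ip, _outcome in log:
        by_user[user].append(datetime.fromisoformat(ts))
    alerts = []
    for user, times in by_user.items():
        times.sort()
        for prev, cur in zip(times, times[1:]):
            if cur - prev >= timedelta(days=dormant_days):
                count = sum(1 for t in times if cur <= t < cur + burst)
                alerts.append((user, (cur - prev).days, count))
    return alerts


if __name__ == "__main__":
    print("password spray:", password_spray(LOG))
    print("impossible travel:", impossible_travel(LOG))
    print("dormant reactivated:", dormant_reactivated(LOG))
```

On the sample log the spray check reports the single external source that touched six accounts, the travel check reports alice's Paris-to-New-York pair (an implied speed above 11,000 km/h) while ignoring her two Paris logins, and the dormancy check reports svc_backup waking after 109 days with three logins in its first hour. In production the geolocation table would come from a GeoIP database and the dormancy baseline from a longer history than the few records embedded here.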
For more information regarding this US-CERT announcement, please visit https://www.cisa.gov/uscert/ncas/alerts/aa22-011a
Common Tactics and Techniques Employed by Russian State-Sponsored APT Actors
Tactic | Technique | Procedure |
---|---|---|
Reconnaissance | Active Scanning: Vulnerability Scanning | Russian state-sponsored APT actors have performed large-scale scans in an attempt to find vulnerable servers. |
Reconnaissance | Phishing for Information | Russian state-sponsored APT actors have conducted spearphishing campaigns to gain credentials of target networks. |
Resource Development | Develop Capabilities: Malware | Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware. |
Initial Access | Exploit Public Facing Applications | Russian state-sponsored APT actors use publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks. |
Initial Access | Supply Chain Compromise: Compromise Software Supply Chain | Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion. |
Execution | Command and Scripting Interpreter: PowerShell and Windows Command Shell | Russian state-sponsored APT actors have used cmd.exe to execute commands on remote machines. They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands. |
Persistence | Valid Accounts | Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks. |
Credential Access | Brute Force: Password Guessing and Password Spraying | Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns. |
Credential Access | OS Credential Dumping: NTDS | Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database ntds.dit. |
Credential Access | Steal or Forge Kerberos Tickets: Kerberoasting | Russian state-sponsored APT actors have performed "Kerberoasting," whereby they obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names (SPNs) for offline cracking. |
Credential Access | Credentials from Password Stores | Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords. |
Credential Access | Exploitation for Credential Access | Russian state-sponsored APT actors have exploited Windows Netlogon vulnerability CVE-2020-1472 to obtain access to Windows Active Directory servers. |
Credential Access | Unsecured Credentials: Private Keys | Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates. |
Command and Control | Proxy: Multi-hop Proxy | Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic. |
Source: US CISA Alert (AA22-011A)
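The Kerberoasting row of the table describes requesting TGS tickets for SPN accounts so that the service account's password hash can be cracked offline. As an added example that is not part of the CISA alert or of HAWK's rules, the following Python flags that pattern in Windows Security event 4769 ("A Kerberos service ticket was requested") records. The field names follow the 4769 event (TargetUserName is the requesting account, ServiceName the SPN owner, TicketEncryptionType the etype, IpAddress the client, Status the result code); the records, the five-minute window and the three-service threshold are constructed for the illustration.

```python
"""Added example (not CISA's or HAWK's code): flag likely Kerberoasting from
constructed Windows Security event 4769 records.  Field names follow the 4769
event; the records, window and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # etype attackers request because RC4 tickets crack fastest

# Constructed 4769 records:
# (TimeCreated, TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status)
EVENTS = [
    ("2022-02-01T12:00:00", "alice", "svc_web", "0x12", "10.0.0.20", "0x0"),       # normal AES ticket
    ("2022-02-01T12:00:05", "app_legacy", "svc_sql", "0x17", "10.0.0.30", "0x0"),  # one legacy RC4 ticket
    ("2022-02-01T12:01:00", "jdoe", "DC01$", "0x12", "10.0.0.77", "0x0"),          # computer account, ignored
    ("2022-02-01T12:01:01", "jdoe", "svc_sql", "0x17", "10.0.0.77", "0x0"),
    ("2022-02-01T12:01:01", "jdoe", "svc_web", "0x17", "10.0.0.77", "0x0"),
    ("2022-02-01T12:01:02", "jdoe", "svc_backup", "0x17", "10.0.0.77", "0x0"),
    ("2022-02-01T12:01:02", "jdoe", "svc_ftp", "0x17", "10.0.0.77", "0x0"),
    ("2022-02-01T12:01:03", "jdoe", "krbtgt", "0x17", "10.0.0.77", "0x1f"),        # failed, ignored
]


def kerberoast_candidates(events, window=timedelta(minutes=5), min_services=3):
    """Requesters that obtained RC4 service tickets for at least `min_services`
    distinct user-account SPNs inside any `window`.  Computer accounts (names
    ending in '$'), krbtgt and failed requests (Status != 0x0) are excluded.
    Returns {requester: (client_ip, sorted service names)}."""
    by_requester = defaultdict(list)
    for ts, requester, service, etype, ip, status in events:
        if status != "0x0" or etype != RC4_HMAC:
            continue
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        by_requester[requester].append((datetime.fromisoformat(ts), service, ip))
    alerts = {}
    for requester, reqs in by_requester.items():
        reqs.sort()
        for i, (t0, _, ip) in enumerate(reqs):  # sliding window from each request
            services = {s for t, s, _ in reqs[i:] if t - t0 <= window}
            best = alerts.get(requester, (None, []))[1]
            if len(services) >= min_services and len(services) > len(best):
                alerts[requester] = (ip, sorted(services))
    return alerts


if __name__ == "__main__":
    for requester, (ip, services) in kerberoast_candidates(EVENTS).items():
        print(f"possible Kerberoasting by {requester} from {ip}: {services}")
```

On the sample records only jdoe is reported: four RC4 tickets for four distinct service accounts within two seconds, while the single RC4 ticket taken by the legacy application stays below the threshold. Event 4769 is only written when the "Audit Kerberos Service Ticket Operations" subcategory is enabled on the domain controllers, and in a domain where service accounts are configured for AES, a lower-noise variant is to alert on any RC4 ticket issued for a user-account SPN at all.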