The invasion of Ukraine is a harrowing ordeal for anyone impacted by the conflict. While we hope the situation can be resolved without further harm to the impacted population, it is a time of heightened risk and uncertainty, with implications that are rippling across the world.
One area of increasing concern is the elevated risk of cyberattacks. As part of the greater cybersecurity community, we aim to share information that is helpful to those who are dealing with, or having to respond to, questions about increased cyberthreats.
The Fast-Evolving Threat Landscape – Nation-State Attacks & Opportunistic Threat Actors
Over the course of at least several months, cyber strikes on Ukraine have escalated. Attacks in recent days have knocked government and corporate systems and websites offline and defaced Ukrainian websites. A new data-wiping malware, dubbed HermeticWiper (AKA KillDisk.NCV), has also been leveraged to infect hundreds of machines across Ukraine, Latvia, and Lithuania. Security researchers have reported that HermeticWiper corrupts the Master Boot Record (MBR), resulting in failure to boot. This new malware family comes close on the heels of the discovery of WhisperGate malware, which was used to attack Ukrainian systems in early January. As with NotPetya, these new malware families seem intended to incapacitate the assets they infect rather than to extort or steal from their owners. The rapid emergence of these debilitating, novel malware families also reinforces the need for proactive, preventative security that goes beyond signature-based recognition.
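Because the MBR is a fixed 512-byte structure, its integrity is cheap to baseline and re-check, which is one way defenders triage suspected wiper activity of the kind described above. The following is an added example, not code from the original post or from BeyondTrust: it parses a raw boot sector, flags the signs of corruption (missing 0x55AA signature, empty or malformed partition table, bootstrap code that no longer matches a recorded hash), and uses a constructed sample MBR as input.

```python
import hashlib
import struct
from typing import Optional

MBR_SIZE = 512
SIGNATURE = b"\x55\xaa"          # boot signature at bytes 510-511
PARTITION_TABLE_OFFSET = 446     # four 16-byte entries follow the bootstrap code


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR into a bootstrap hash, partition entries and signature status."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, 3 CHS bytes skipped, type, 3 CHS bytes skipped, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:512] == SIGNATURE,
    }


def mbr_problems(sector: bytes, baseline_bootstrap_sha256: Optional[str] = None) -> list:
    """Return a list of findings; an empty list means the MBR looks intact."""
    info = parse_mbr(sector)
    problems = []
    if not info["signature_ok"]:
        problems.append("boot signature 0x55AA missing")
    if not any(p["type"] != 0 for p in info["partitions"]):
        problems.append("partition table empty")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):   # only inactive/active are valid status bytes
            problems.append("invalid status byte 0x%02x" % p["status"])
    if sum(1 for p in info["partitions"] if p["status"] == 0x80) > 1:
        problems.append("more than one active partition")
    if baseline_bootstrap_sha256 and info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        problems.append("bootstrap code differs from baseline")
    return problems


def build_sample_mbr() -> bytes:
    """Constructed sample: a short bootstrap stub, one active NTFS-type partition, valid signature."""
    bootstrap = b"\xfa\x33\xc0\x8e\xd0".ljust(PARTITION_TABLE_OFFSET, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return bootstrap + entry + b"\x00" * 48 + SIGNATURE
```

On a live system the 512 bytes would come from the raw disk device read by a privileged backup or EDR agent; the baseline hash should be stored off-host so that a wiper cannot alter both the sector and the record it is compared against.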
However, the cybersecurity fallout of the geopolitical conflict extends far beyond Ukraine’s borders. Cyber threat activity is picking up around the world. A joint advisory by CISA, the FBI, and the National Security Agency (NSA) outlined activities and tactics used by state-sponsored cybercriminals. These activities include brute-forcing, spear-phishing emails with malicious links, using harvested credentials to gain access, and maintaining persistent access. CISA also issued a “SHIELDS UP” advisory. In the advisory, “CISA recommends all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.” The advisory also provides steps organizations should take to help prevent or mitigate a cyber intrusion.
While nation-state threat actors may be increasing activity to disrupt the operations and supply chains of adversaries, and to increase their spheres of power, the usual cast of non-affiliated, opportunistic threat actors, such as ransomware operators and phishing scammers, could also be looking to cash in on global instability, like they did during the early stages of the coronavirus pandemic. Over the past couple of years, we’ve gotten some ugly glimpses (e.g. Colonial Pipeline attack, Oldsmar Water Treatment attack, etc.) of how the lives or livelihoods of innocent people can be jeopardized as part of cyberattacks, whether those attacks were motivated by financial or other objectives.
Blended, Preventative Protection against the Top Threats
Over the last year, nations across the world, including the U.S. with its issuance of Executive Order (EO) 14028 on “Improving the Nation's Cybersecurity”, have made strides in ramping up their cyber defenses and in fostering better cross-country collaboration. Recent geopolitical events underscore the importance of maturing zero trust security controls across all organizations—from small businesses to critical infrastructure and operational technology (OT).
Right now, it is important for everyone to reassess their cyber risk and look closely at where they can mature their security controls. The specific security priorities—whether it be accelerating the patching of vulnerabilities, vaulting and automating management of credentials, applying least privilege, or better securing remote access pathways—should be directed by the findings of their assessment.
As you reassess your security posture, consider the following security strategies and capabilities that can help you better withstand increasing cyber threats in this environment:
- Identify and prioritize the patching and remediation of vulnerabilities. While the current geopolitical strife may give rise to an increase in zero-day threats, addressing known vulnerabilities is a best practice that contributes to strong baseline security and a reduction of the threat surface.
- Maintain updates – ensure endpoints and software are updated and, if not operating on the latest version, are at least operating on a version that is still supported. End-of-life software with vulnerabilities and security weaknesses can be an easy target for attackers to gain a foothold within your environment.
- Harden your IT systems by removing unnecessary software, applications, and privileges, and by closing unneeded ports.
- Remove admin rights and apply least privilege across all access. Limit all access to the minimum necessary amount and duration to minimize the threat surface and protect against lateral movement and privilege escalation attacks.
- Use password managers to ensure credential security best practices are consistently enforced. In particular, privileged credentials and secrets for humans, machines, employees, and vendors are of the utmost importance to manage and protect. Rotation of privileged credentials, and creation of unique and complex passwords provide effective defense against brute-forcing, credential re-use attacks, and more.
- Ensure all access is ephemeral and authentication happens continuously, and that access is only granted when the proper context is met.
- Lock down remote connections through a single access pathway and ensure all access adheres to the principle of least privilege. It’s important to reduce port exposure to protect against entry points exploited by the top vectors for ransomware and other threats.
- Apply advanced application control and protection techniques to defend against the fileless and living-off-the-land threats that are often used in multi-step attack chains, including APTs and nation-state attacks.
- Implement segmentation and microsegmentation to isolate systems, resources, and users, providing further resistance against lateral movement.
- Monitor, manage, and audit every privileged session that touches the enterprise whether by human, machine, employee or vendor. The ability to instantly zero in on and stop suspicious session activities is particularly important.
- Verify that your incident response plans and critical contact information for employees and law enforcement are up to date.
In addition to helping our customers protect their environments, BeyondTrust remains diligent in monitoring for activity against our own environment. Our organization complies with applicable U.S. sanctions programs and trade regulations in the sale and delivery of our products, as well as other regions where we operate. As developments arise, we will react quickly in accordance with any newly imposed sanctions to ensure we maintain compliance with such programs. We stand ready to support our customers, partners, and those new to BeyondTrust.
Please contact us to get in touch.
Morey J. Haber, Chief Security Advisor
Morey J. Haber is the Chief Security Advisor at BeyondTrust. As the Chief Security Advisor, Morey is the lead identity and technical evangelist at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. Morey has previously served as BeyondTrust’s Chief Security Officer, Chief Technology Officer, and Vice President of Product Management during his nearly 12-year tenure. In 2020, Morey was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board, assisting the corporate community with identity security best practices. He originally joined BeyondTrust in 2012 as part of the acquisition of eEye Digital Security, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. Morey earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.