Brief Update on our Perspective: 9 March, 2022
As we move into a new phase of the invasion of Ukraine, and the subsequent cyber operations we have seen, what do you need to know?
At the top level, the most important answer to that question is that Vectra Security Research and Threat Intel are working hard to ensure we deliver the best coverage for detecting threats, when they happen, at any level in your network, and that we provide the means to react quickly and effectively and cut off attacks before they become the next incident response case study.
On the ground and in the media, the war has moved from an aggressive, rapid expansion into new territory to a more pitched battle of words. World leaders are moving to impose further sanctions and tighten their grip on Russian billionaires and assets, there is growing social pressure on corporations to pull their products from Russia, and the war now occupies a smaller place in people's minds. In terms of the cyber espionage and the battles being fought over computer networks, the tactics have also shifted. When the ground war began, there was a push to disrupt communications and the computer networks of the forces moving to defend positions. The world saw the deployment of three discrete types of attack: first, Ukrainian systems were subjected to a mass DDoS attack; this was followed by the well-known HermeticWiper malware, used to destroy systems; and Microsoft also saw the deployment of a new Trojan, FoxBlade.
Finally, we must remember not to dedicate all our focus to attacks overseas. Mandiant recently produced a report detailing an ongoing attack by APT41 against US Government targets. This Chinese state actor was documented using multiple methods to compromise its targets, ranging from its own zero-day in a web-facing application to the widely distributed Log4j vulnerabilities, to achieve actions on objectives. In these cases the threat actor deployed its own sophisticated malware using traditional C2-style behaviour, and also established persistence through the use of “dead drop” techniques to update C2 IP addresses.
Once again, we are asked: if this is business as usual, what should we be doing?
First and foremost, we must remain vigilant. While the headline-grabbing activities will pull our focus overseas, we must also keep an eye on what we know to be true: criminals will jump at the opportunity to use a global event to spread their own malware; sophisticated APT actors will attempt to use the smokescreen created by destructive malware to infiltrate targets of interest in a ground war; and, just because this is happening overseas, we must not lose focus on our own networks and security.
Prior Content: 2 March, 2022
A week ago, we wrote about how the state level actors in Russia and other associated groups operate during a cyber security attack, or during an ongoing ground conflict. Looking back over the last seven days, we’d like to offer an updated perspective with a fresh look at what we know about how threat actors from Russia operate.
Additionally, we’d like to call attention to the fact that Microsoft has also identified a new Trojan capable of being used as part of a DDoS attack, known as FoxBlade.A!dha, and its dropper parent, FoxBlade.B!dha. These were identified just before the first movements of the Russian military to seize territory in Ukraine, showing how joined up Russian military and cyber operations truly are.
As with any conflict there are always volunteers, and this hybrid ground / cyber war is no different. One of the first groups to swear allegiance to Russia was the Conti / TrickBot group, although they have since softened this stance. This gang is responsible for some of the largest and most successful ransomware campaigns of the last 5 years. TrickBot, and its role in deploying IcedID, Cobalt Strike and numerous ransomware campaigns, is a name most blue team operators know well. It was reported in late February that the TrickBot project was shut down, dealing a huge blow to the gang. Conti, however, prevails, having recently taken control of the BazarBackdoor malware.
Vectra customers should look for Vectra Threat Intel Match detections with the threat actor listed as WIZARD SPIDER or WIZARDSPIDER; this is the internal name for the group. BazarBackdoor, which is dropped by the BazarLoader malware, communicates over HTTP and DNS to [.]bazar domains, so customers should look for Hidden HTTP Tunnel, Hidden HTTPS Tunnel and Hidden DNS Tunnel detections, as these are the primary communication methods for the backdoor. These will help correlate potential infections.
The backdoor also has several modular components that can execute PowerShell commands on the infected host, so other detections to look out for include Suspicious Remote Execution using WMI methods to execute commands on other hosts. This threat group is also known to use Task Scheduler and SMB to spread laterally, so look for schtask as an operation in Suspicious Remote Execution detections.
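As an added illustration of correlating the two behaviours above (not Vectra's code or detection logic), here is a small Python triage routine run over constructed log lines; the log format, host names and the .bazar domains are all assumed.

```python
import re
from dataclasses import dataclass
# Constructed sample lines (DNS query, HTTP proxy, and remote-execution audit records).
SAMPLE_LOGS = [
    "dns host=ws01 qname=forest.bazar qtype=A",
    "dns host=ws01 qname=update.example.com qtype=A",
    "http host=ws02 method=GET url=http://tree.bazar/api/v1",
    "http host=ws02 method=GET url=https://www.example.org/index.html",
    "exec src=ws01 dst=fs01 method=WMI cmd=powershell -enc AAAA",
    "exec src=ws01 dst=fs02 method=SMB cmd=schtasks /create /s fs02 /tn upd /tr c:\\temp\\a.exe",
    "exec src=admin01 dst=fs03 method=SMB cmd=schtasks /query",
]
# .bazar is an EmerCoin blockchain TLD, not served by ordinary DNS, so any query or URL for it stands out.
BAZAR_RE = re.compile(r"(?:qname=|url=https?://)([a-z0-9.-]+\.bazar)\b", re.I)
REMOTE_EXEC_RE = re.compile(r"^exec src=(\S+) dst=(\S+) method=(WMI|SMB) cmd=(.+)$")

@dataclass(frozen=True)
class Finding:
    host: str       # the host that initiated the activity
    category: str   # "bazar_domain" or "remote_exec"
    detail: str

def triage(lines):
    """Return one Finding per line that shows a behaviour described in the post."""
    findings = []
    for line in lines:
        m = BAZAR_RE.search(line)
        if m:
            host = re.search(r"host=(\S+)", line).group(1)
            findings.append(Finding(host, "bazar_domain", m.group(1).lower()))
            continue
        m = REMOTE_EXEC_RE.match(line)
        if not m:
            continue
        src, dst, method, cmd = m.groups()
        cmd = cmd.lower()
        # WMI-driven PowerShell, or a scheduled task created/run on another host, as the post describes.
        if method == "WMI" and "powershell" in cmd:
            findings.append(Finding(src, "remote_exec", f"wmi powershell -> {dst}"))
        elif "schtasks" in cmd and ("/create" in cmd or "/run" in cmd):
            findings.append(Finding(src, "remote_exec", f"schtasks -> {dst}"))
    return findings

def hosts_to_escalate(findings):
    """Hosts that both contacted a .bazar domain and executed remotely: escalate these first."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.category)
    return sorted(h for h, cats in by_host.items() if {"bazar_domain", "remote_exec"} <= cats)
```

A real deployment would feed the Hidden Tunnel and Suspicious Remote Execution detections into the same correlation rather than raw log lines.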
Early in the ground campaign, two new malware families emerged in the information security conflict, notably WhisperGate and HermeticWiper. Both are destructive / ransomware-lite types of malware, which destroy systems and sometimes ask for payment but do not provide a recovery option. At the moment, there are no network IOCs to look for, but Vectra is still able to find ransomware attacks as they happen and let responders react quickly. An example of this is seen here in a post-incident review where a customer did just that using Cognito Detect. Vectra’s CTO also produced a blog post discussing this current wave of ransomware.
The Vectra threat intelligence and services teams are also collating hundreds of indicators and reports to best serve our customers. To this end, we have so far published three new saved searches in Recall:
Currently, Vectra is working hard to ensure all customers are protected. If you are a Sidekick customer, the analyst team is providing hands-on coverage and is working with Vectra threat intelligence directly to provide the best priority and service possible. For the wider customer base, Vectra threat intelligence is collating thousands of indicators and independent reports to ensure the best coverage for everyone. We also continue to work on confirming the behaviours of known and engaged malware operators and threat actors, to ensure that detections line up with known malware and threat actor behaviour.
Notable detections to always look out for will be:
There haven’t been wide reports of cloud-based attacks yet, but whilst these destructive and noisy attacks are happening, quiet attacks focused on the cloud are likely also under way. Russian state actors are moving to the cloud for their attacks. CISA put out a report in February 2022 stating that Russian state-sponsored attackers breached defence contractors’ cloud infrastructure. Based on research from previous compromises and known threat actor behaviour, Detect for Azure AD and Office 365 environments would expect to see the following types of detections.
Lastly, these TTPs, as outlined by MITRE ATT&CK, have historically been associated with Russian state actors and have been updated to include the most recent destructive wiper attacks: