The Cybersecurity and Infrastructure Security Agency and the FBI issued a joint alert Saturday warning that the two wiper strains that attacked Ukrainian enterprises in the run-up to Russia’s invasion of the country could affect United States businesses. The agencies urged preparedness.
“Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event,” the alert says.
Ukraine has been hit by two strains of wiper malware in distinct attacks since the beginning of the year. In January, Microsoft reported WhisperGate. On Wednesday, in the hours before the invasion, ESET reported HermeticWiper. The wipers were not the only form of cyberattacks seen in Ukraine since the beginning of the year; attackers launched two rounds of coordinated DDoS and SMS spam against the country as well.
The United States has not formally attributed the wiper attacks to Russia, though the CISA and FBI alert connects the attacks to the “unprovoked [kinetic] attack against Ukraine.” That is not an attribution, as actors inspired but not directed by Russia could hypothetically be behind the attacks.
According to reports from Broadcom’s Symantec division, the CISA and FBI fears that wiper attacks might reach beyond Ukraine, either intentionally or accidentally, are founded. Though ESET’s telemetry found “hundreds” of victims in Ukraine, Symantec found a limited number of instances in enterprises hit in Latvia and Lithuania.
The CISA and FBI report contains hashes for both strains of wiper, links to the reports from ESET, Symantec and SentinelLabs detailing the malware, including its internals, and advice about how to prepare for potential wiper attacks.
The alert warns that, given the wiper’s ability to spread, “it is important for organizations to assess their environment for atypical channels for malware delivery and/or propagation throughout their systems,” namely third-party risk — including the risk from antivirus software itself.
It advises that wipers may disable critical components of a network intended to mitigate their wiping, including network storage devices. The alert further urges “targeted assessment and enforcement of best practices,” including a secure network topology, identity management, staggering antivirus update times across the network to limit the risk of a malicious update, as well as general hardening of networks and disaster preparation.
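The alert's advice to assess the environment, together with the file hashes it distributes, amounts to a routine IoC sweep: hash every file under the paths a wiper would likely land in and compare against the published list. The following is an added example written for this page, not code from CISA, the FBI or any of the cited vendors; the "known-bad" sample bytes and the directory layout are constructed for the demo, and the real hashes would be loaded from the alert's IoC list rather than the placeholder set used here.

```python
"""IoC hash sweep: hash every regular file under a directory and flag matches.

Added example, not from the CISA/FBI alert. The alert distributes SHA-256
values for the wipers; the hash used below is derived from CONSTRUCTED
sample bytes and is not a real indicator.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large binaries


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, ioc_hashes):
    """Walk `root` and return [(path, sha256)] for files whose digest is in ioc_hashes.

    Symlinks are not followed (a planted link could point the sweep at
    /dev/zero or out of scope); unreadable files are skipped rather than
    aborting the whole sweep. Hash comparison is case-insensitive because
    IoC lists are published in mixed case.
    """
    wanted = {h.lower() for h in ioc_hashes}
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # locked or permission-denied file; log it in a real sweep
            if digest in wanted:
                matches.append((str(p), digest))
    return matches


def demo():
    """Build a throwaway tree with one constructed 'known-bad' file and sweep it."""
    bad_sample = b"CONSTRUCTED sample bytes standing in for a wiper binary\n"
    bad_hash = hashlib.sha256(bad_sample).hexdigest().upper()  # mixed case on purpose
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "sub" / "dropper.exe").write_bytes(bad_sample)
        (root / "notes.txt").write_text("benign content\n")
        hits = scan_directory(root, {bad_hash})
        return sorted(Path(p).name for p, _ in hits)


if __name__ == "__main__":
    print(demo())
```

In production the hash set comes from the alert's IoC list and the sweep runs from a scheduled job with its output shipped to the SIEM, so a hit can be triaged before the dropper executes.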
“Organizations are encouraged to report incidents to the FBI and CISA…and to preserve forensic data for use in internal investigation of the incident or for possible law enforcement purposes,” the alert says; it includes a contact form for submitting information.
In a statement to the press about the alert FBI Cyber Division Assistant Director Bryan Vorndran said the FBI needed the cooperation of enterprises to maximize security.
“We are striving to disrupt and diminish these threats, however we cannot do this alone, we continue to share information with our public and private sector partners and encourage them to report any suspicious activity. We ask that organizations continue to shore up their systems to prevent any increased impediment in the event of an incident,” he said.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week published an industrial control system (ICS) advisory related to multiple vulnerabilities impacting Schneider Electric’s Easergy medium voltage protection relays.
“Successful exploitation of these vulnerabilities may disclose device credentials, cause a denial-of-service condition, device reboot, or allow an attacker to gain full control of the relay,” the agency said in a bulletin on February 24, 2022. “This could result in loss of protection to your electrical network.”
The two high-severity weaknesses impact Easergy P3 versions prior to v30.205 and Easergy P5 versions before v01.401.101. Details of the flaws are as follows –
CVE-2022-22722 (CVSS score: 7.5) – Use of hardcoded credentials that could be abused to observe and manipulate traffic associated with the device.
CVE-2022-22723 and CVE-2022-22725 (CVSS score: 8.8) – A buffer overflow vulnerability that could result in program crashes and execution of arbitrary code by sending specially crafted packets to the relay over the network.
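The buffer-overflow class described above arises when a network parser trusts a length field in the packet and copies that many bytes into a fixed receive buffer. The decisive fix is to validate the declared length against both the buffer's size and the bytes actually received before any copy. The example below is added for this page; it is not Schneider Electric code and the frame layout (1-byte type, 2-byte big-endian length, payload) and the 256-byte buffer size are constructed, not the Easergy protocol.

```python
"""Length-validated frame parser.

Added example, not Schneider Electric code and not the Easergy protocol.
The frame format (type, big-endian u16 length, payload) and MAX_PAYLOAD
are CONSTRUCTED to show the bounds checks a device-side network parser
needs before copying a packet into a fixed buffer.
"""
import struct

HEADER = struct.Struct(">BH")   # frame type, declared payload length
MAX_PAYLOAD = 256               # size of the fixed receive buffer (assumed)


class FrameError(ValueError):
    """Raised for any frame the parser refuses; the caller drops the packet."""


def parse_frame(buf: bytes):
    """Return (frame_type, payload, bytes_consumed) or raise FrameError.

    Both checks matter: the declared length is sender-controlled, so it is
    checked against the fixed buffer size (an over-long copy is the overflow)
    and against the bytes actually received (reading past the packet end).
    """
    if len(buf) < HEADER.size:
        raise FrameError("truncated header")
    frame_type, length = HEADER.unpack_from(buf, 0)
    if length > MAX_PAYLOAD:
        raise FrameError(f"declared length {length} exceeds buffer {MAX_PAYLOAD}")
    end = HEADER.size + length
    if end > len(buf):
        raise FrameError(
            f"declared length {length} exceeds received {len(buf) - HEADER.size}")
    return frame_type, bytes(buf[HEADER.size:end]), end


def parse_stream(buf: bytes):
    """Split a receive buffer into frames; stop at the first malformed one.

    Returns (frames, error) so the caller can log why the remainder was
    dropped instead of silently processing a partial frame.
    """
    frames, offset, error = [], 0, None
    while offset < len(buf):
        try:
            frame_type, payload, used = parse_frame(buf[offset:])
        except FrameError as exc:
            error = str(exc)
            break
        frames.append((frame_type, payload))
        offset += used
    return frames, error


def build_frame(frame_type: int, payload: bytes) -> bytes:
    """Encode a well-formed frame (used to construct the demo input)."""
    return HEADER.pack(frame_type, len(payload)) + payload


def demo():
    """Constructed inputs: two valid frames, an oversized claim, a short read."""
    good = build_frame(0x01, b"status?") + build_frame(0x02, b"\x00" * 16)
    oversized = HEADER.pack(0x03, 0xFFFF) + b"\x00" * 8   # claims 65535 bytes follow
    short = HEADER.pack(0x04, 10) + b"\x00" * 4            # claims 10, only 4 arrived
    return {
        "good": parse_stream(good),
        "oversized": parse_stream(oversized),
        "short": parse_stream(good + short),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The same two comparisons apply in C firmware, where the parser would additionally cap the copy at `sizeof(buffer)` and never rely on the declared length alone; rejecting the frame and logging the rejection also gives operators a signal that someone is sending malformed traffic to the relay.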
The flaws, which were discovered and reported by researchers Timothée Chauvin, Paul Noalhyt, Yuanshe Wu at Red Balloon Security, were addressed by Schneider Electric as part of updates pushed on January 11, 2022.
The advisory comes less than 10 days after CISA issued another alert warning of multiple critical vulnerabilities in Schneider Electric’s Interactive Graphical SCADA System (IGSS) that, if successfully exploited, could result in “disclosure of data and loss of control of the SCADA system with IGSS running in production mode.”
In related news, the U.S. federal agency also sounded the alarm about General Electric’s Proficy CIMPLICITY SCADA software, warning of two security vulnerabilities that could be abused to reveal sensitive information, achieve code execution, and escalate local privileges.
The advisories follow a Year In Review report from industrial cybersecurity company Dragos, which found that 24% of the total 1,703 ICS/OT vulnerabilities reported in 2021 had no patches available, out of which 19% had no mitigation, preventing operators from taking any steps to safeguard their systems from potential threats.
Furthermore, Dragos identified malicious activity from three new groups that were found targeting ICS systems last year, including from that of actors it tracks as Kostovite, Erythrite, and Petrovite, each of which targeted the OT environments of renewable energy, electrical utility, and mining and energy firms located in Canada, Kazakhstan, and the U.S.
Russia is not likely to take President Biden’s new sanctions sitting down and has proven to be highly adept at cyber warfare, which has become part and parcel of active “kinetic” wars in the 21st century.
“I remain particularly concerned about the reports of cyber attacks…There’s historical precedent to suggest these could be devastating for individuals, businesses, and entire countries,” Warner said in another tweet.
Ukrainian troops inspect a site following a Russian airstrike in Kyiv, Ukraine, Saturday, Feb. 26, 2022. (AP Photo/Vadim Ghirda)
Russia has already launched what appears to be a series of cyberattacks on targets in Ukraine. This past week, cyberattacks impacted the websites of several Ukrainian government agencies, including the Ministry of Defense, according to Ukrainian officials. This follows cyberattacks on Ukrainian government sites and banks that have been attributed to the Russian military spy agency GRU.
How to defend yourself from Russian cyber warfare ‘spillover’
As Sen. Warner suggested, cyberattacks don’t have borders. As a result, cyber spillover campaigns could reach the U.S.
“With the Ukraine conflict now front and center and poised to widen, we expect a surge of cybersecurity attacks from Russia state-sponsored organizations,” Dan Ives of Wedbush Securities, told Fox News in a written statement.
Here’s what to watch out for and how to defend yourself, according to cybersecurity experts that Fox News spoke with.
—Ransomware: The bane of InfoSec professionals, ransomware attacks lock out companies and individuals from critical data. Attackers then demand hefty payments. “Businesses across the U.S. should be bracing for a variety of cybersecurity attacks, including ransomware,” said John Dickson, vice president at Coalfire, a Westminster, Colorado-based provider of cybersecurity advisory services.
“Make sure that all critical and all internet-facing systems are fully patched to mitigate ransomware and data destruction,” Lou Steinberg, cyber expert and founder of CTM Insights, told Fox News. “Use multi-factor authentication to log in to critical systems … and to prevent unauthorized changes (like turning off power or opening a valve on a dam),” Steinberg said.
—Denial of service attacks: Denial of Service, which renders critical computer services unavailable, and ransomware attacks are often “outsourced,” according to Steinberg. “Rather than the government directly performing them, they tend to be done by groups who believe they are being patriots by defending Russia’s interests. It’s in [that] government’s interest to enable this as it gives them deniability. You can’t trace an attack back to the Kremlin,” Steinberg explained.
These outsourced actors “may be less capable” so companies can protect themselves if they take prudent cybersecurity measures, according to Steinberg.
Ukrainian soldiers take positions outside a military facility as two cars burn in a street in Kyiv, Ukraine, Saturday, Feb. 26, 2022. (AP Photo/Emilio Morenatti)
—Social engineering campaigns: These attacks manipulate human behavior and “piggyback off of the news cycle,” said Hank Schless, senior manager, security solutions, at Lookout, a San Francisco, Calif.-based endpoint-to-cloud security company.
“Be especially vigilant about where you’re sharing data, who has access to it and the identity of anyone with whom you have interactions online,” Schless said.
—Passwords: Consumers should always use multi-factor authentication and avoid reusing the same password across accounts/services, Alex Ondrick, director of security operations at BreachQuest, an Augusta, Georgia-based incident response company, told Fox News.
Ondrick said consumers can use sites like haveibeenpwned to see if they’ve been impacted by a security breach. “Regularly rotate passwords, especially on email/social media accounts, and for Wi-Fi and home router(s),” Ondrick said.
—Banking apps: “Consumers should be on the lookout for phishing and malware attacks, especially when accessing banking apps,” Dan Ives of Wedbush Securities said. Consumers should use antivirus products as well as software that protects their identities, Ives added.
—Software updates: For individuals, it is important to follow cybersecurity best practices. That includes “installing recommended software and app updates, backing up their data and exercising caution when clicking links in emails, social media posts and online articles,” Jonathan K. Osborne, a business litigation attorney at the Florida-based Gunster law firm, told Fox News.
—FBI: The FBI has a Cyber Threat website with tips and preventative measures on everything from email compromise to phishing and ransomware.
There are two methods of data collection and information gathering used in military observation. Covert gathering refers to the use of clandestine, or secret, data sources; because it is performed secretively, it is often illegal. Overt data collection refers to methods used openly or in plain sight; it does not involve secretive methods and is generally not illegal. But what is Open Source Intelligence?
Open Source Intelligence is an overt method of data collection. Furthermore, publicly available resources are what distinguish OSINT from other forms of intelligence gathering.
How is Open Source Intelligence performed?
Open source intelligence involves gathering information from publicly available resources. There are six main categories to OSINT.
The first is the use of public media sources. This category includes news reports, printed magazines, and newspapers.
The internet is the second category and can include everything from online databases and social media to search engine manipulation. It also includes online publications such as blogs and discussion groups.
Category three involves the use of public government data. These sources include public hearings, budgets, directories, and publicly available government reports. Although included in public records, the data comes from official sources.
Professional and academic publications is the fourth category. These sources include academic papers such as theses, dissertations, and journals.
The fifth category is the use of commercial data such as corporate databases, financial assessments, and industrial assessments.
The final category is the use of grey data. Grey data, or “hard to find” data includes business documents, unpublished works, technical reports, as well as patents.
What are the risks involved with Open Source Intelligence?
There are a number of tools available for performing Open Source Intelligence. Search techniques such as Google Dorks exist for mining public records and search engines. Open-source software to streamline and automate this process is widely available online. Tools such as Shodan and theHarvester come pre-packaged in Kali Linux. Websites exist for the sole purpose of exploiting databases and searches.
The main risk involved with practicing OSINT is data overload. The rapid increase in collected data, called “information explosion,” can cause an overload of information, and interpretation can stall if there is too much to sort through. In addition, corporate or industrial espionage can result from certain forms of OSINT. Espionage is illegal and can result in fines, imprisonment, or both. In extreme cases, acts of treason can occur through the use of OSINT.
Implications to cybersecurity
Open Source Intelligence has many practical applications. However, social engineering attackers employ OSINT to research their target prior to an attack. Pretexting requires extensive research before the attack is set up, and a pretexter will use OSINT to gather extensive information about the target. Impersonation is another form of pretexting that requires extensive research. Cyberstalkers and bullies use OSINT to monitor, track, and exploit their victims.
Doxing is the practice of researching, gathering, and publishing information via the internet. It is used to expose victims as a means of humiliation. Open Source Intelligence can result in a data breach or the exposure of personally identifiable information on the internet. This can leave the victim wide open to cyber-attacks. Additionally, identity theft can result from such exposure.
There really is no way of fully protecting yourself from Open Source Intelligence. It is not in itself a form of hacking; rather, hackers use OSINT as a tool for reconnaissance. Public records are the number one source for OSINT, so the data will always be freely available. The best advice one can give is to be proactive about what information is shared online, and to perform regular searches to see what information about you is available.