We want to provide organizations with recommendations to prepare for potential cyberattacks as a direct or indirect result of the current geopolitical crisis.
As of the date of writing this security advisory, security incidents have been more subdued than initially feared. Reported security incidents are mostly distributed denial of service (DDoS) attacks. So far, we have not seen any verified reports of industrial control systems (ICS) breaches like the paralyzing power supply attacks in Ukraine in 2015 and 2016.
This situation is still developing and it is important to stay informed and vigilant. We expect to provide updates to this post over time.
These are uncertain and difficult times. Although it may seem difficult to prepare for such a wide-ranging risk, you can take specific actions to proactively prepare your organization. Now is the time to review your current cybersecurity strategy, test your incident response plans and ensure you have your cybersecurity solutions configured to maximize prevention, detection and response.
Not everyone is facing the same risks, and we have organized our advisory into three different tiers of business and organizations depending on their relationship with Ukraine. However, all the recommendations below can and should be leveraged across all three tiers of business and organizations at this time.
Despite the current elevated risk, the best protection for all organizations is still provided by a defense-in-depth security strategy, combining high-quality prevention security control, enhanced with detection and response capabilities.
- Focus on patching vulnerabilities that are known to be exploited by state-sponsored APTs. These include:
- CVE-2019-2725 - Oracle WebLogic Server
- CVE-2019-7609 - Kibana
- CVE-2019-9670 - Zimbra software
- CVE-2019-10149 - Exim Simple Mail Transfer Protocol
- CVE-2019-11510 - Pulse Secure
- CVE-2019-19781 - Citrix
- CVE-2020-0688 - Microsoft Exchange
- CVE-2020-4006 - VMware
- CVE-2020-5902 - F5 Big-IP
- CVE-2020-14882 - Oracle WebLogic
- Test your backups are safe and your recovery procedures are reliable in case you are impacted by wiper malware. If you are at an elevated risk (see our recommended risk categories below), we recommend you shut down any computers and servers that are not critical to minimize the potential impact of a security breach.
- Actively monitor your infrastructure, network, and environment for any potential exploitation attempts and have your response plan ready.
- Stay current on new developments - Bitdefender Labs and the MDR team are continuously updating our threat intelligence database and actively monitoring the situation.
- Continue to monitor for phishing campaigns and ensure employees are alerted to the heightened risk.
Who’s at risk and what are the threat levels?
Note: This security advisory is focused on risks and threats posed to businesses. Curated Intelligence (an international project dedicated to bringing together a unique community of intelligence analysts and incident responders) is working with analysts from around the world and is a good resource for organizations looking for additional free threat intelligence. For more information for consumers and the general population, the U.S State Department and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released resources detailing risks and potential impact on general populations.
Tier 1 – Businesses and organizations located in Ukraine
Based on the past actions and capabilities of known threat actors, businesses and government organizations located in Ukraine should expect and prepare for attacks focused on disruption and interference with the availability of services and IT systems including data wiping and DDoS attacks. Additionally, network availability may be at risk as this crisis has also opened up an opportunity for initial access brokers to sell network access to the highest bidder.
The likely offensive weapons are those designed to cause irreversible damage — such as CrashOverride or NotPetya malware. Additionally, we have detected a new data wiping malware named HermeticWiper in the wild, which is related to the malware family KillDisk.
HermeticWiper can cause irreversible damage. These attacks can be precisely targeted or may be used in a “spray and pray” attack on IP ranges to cause as much widespread damage as possible.
Below are detection names used by Bitdefender for the new HermeticWiper malware:
There are several APT cybercrime groups that could carry out these types of attacks. Below is a list of Advanced Persistent Threat (APT) groups to pay attention to: Gamaredon, UNC1151 (Ghostwriter), APT29, APT28, Sandworm, Turla
Additionally some groups have publicly stated their intention to target organizations supporting Ukraine; for example,TheRedBanditsRU, the Ransomware-as-a-Service group also known as Conti stated that they will “strike back if the well-being and safety of peaceful citizens will be at stake due to American cyber aggression”.
Attacks from these groups can be opportunistic or they may choose targets based on geolocation instead of strategic importance.
On the other side, we have seen groups, such as Anonymous or GhostSec, officially announce support for Ukraine. Be aware that the involvement of these vigilante hackers will only continue to add to risk and confusion.
Tier 2 – Businesses and organizations connected to Ukraine
While the cyber-attacks we have observed, so far, have been restricted to Ukraine, we expect there will be impact on businesses in neighboring countries and organizations connected to Ukraine. Businesses with B2B VPN connections to companies in Tier 1, those who use Ukranian contractors or vendors, and companies at risk of being impacted by Ukrainian supply-chain attacks should have their security teams on standby and be ready to respond to any security incident. Follow the recommendations above and ensure you are monitoring for any change in security posture.
The targets for cyberattacks can widen significantly, increasing the risk to companies peripherally related or connected to Ukraine. Organizations should understand how they may be connected and the risk that is inherent due to those connections.
Tier 3 – Businesses and organizations in countries supporting Ukraine
For businesses and organizations in countries that have publicly proclaimed support for Ukraine, including also all NATO and EU countries, there is the possibility of retaliatory attack from both nation-state actors and vigilante groups. It is highly possible that destructive attacks using similar malware to the wiper malware discussed above may be deployed in countries supporting Ukraine. At this time, we have not seen any proof of this in the wild, however.
We recommend reviewing the Shields Up guidance issued by CISA. While there is no credible information regarding specific threats, at this time, the situation is developing and it is imperative to review and test your cyber resilience and response plan immediately as a proactive measure.
The security community working with government
Remaining vigilant today is more important than ever. We believe it is important for governments and the security community to come together to put our collective best foot forward. Romania’s National Cyber Security Directorate (DNSC), in partnership with Bitdefender, announced on February 27th that it will provide technical consulting, threat intelligence and, free of charge, cybersecurity technology to any business, government institution or private citizen of Ukraine for as long as it is necessary.
We have also announced our support for assisting businesses and public entities in NATO and EU countries who seek to replace cybersecurity solutions due to trust concerns from a technical or geopolitical perspective. You can learn more about this offer to ensure you are protected and remain cyber resilient in these uncertain times.