Ukraine Cyber Attack – Best Practice Risk Mitigation & IOC

Best Practice Risk Mitigation and Indicators of Compromise (IOC)

A massive cyberattack has been reported to hit the Ukrainian government websites and several organizational departments. U.S. organizations such as Cybersecurity and Infrastructure Agency (CISA), National Security Agency (NSA), and Ukrainian security services are conducting their investigation to analyze and understand more thoroughly the threats behind the cyber attack and build a robust cyber defense against further attacks. Currently, the temporarily shut down sites have now been restored.

Correlated to the attack, Microsoft has identified a new wiper malware that targetted Ukrainian organizations, which was designed to be perceived as ransomware, but was actually designed to destroy and render targeted devices to make them inoperable. The Microsoft Threat Intelligence Center (MSTIC) reports that the malware was programmed to be executed when the targeted devices were in shut down mode. From there, the malware could overwrite the master boot record (MBR), placing a ransom note, followed by a second download of a .exe file where it would overwrite a list of files, deleting all the data and information contained within them.

Here at Fudo, we advise our readers to begin securing their critical infrastructures with best-practice risk mitigation and prevention. We recommend organizations to use MITRE ATT&CK Framework to fight ransomware attacks with tactics, techniques, and procedures (TTP) and Advance Persistent Threat (ATPs) security strategies. However, several indicators of compromise (IOC) have been triggered despite the attack.


IOC and Detection During Execution Stage

Some of the IOC can be spotted during the Execution stage of an attack. We can note that a cmd.exe command-line interpreter can be used to execute remote commands within PowerShell. This is notable as the user who creates the cmd.exe will have its actions logged, while the system would not create such shells by default. Furthermore, in many cases, event logs can be attained to provide command-line arguments within new processes created. Administrators can monitor cmd.exe executions within the /c directives. Microsoft logs these events as ID 4688 where you can search for event ID, for example, within the event XML log. System Administrators can then gain insight into malicious or suspicious activity. The Event ID 4688 also provides the user name and the parent process, which can be used to find entry points via users or parent processes.

Persistence – Maintaining the foothold

To maintain the foothold within the system, attackers begin to find access points to stay within the system without interruptions. System restarts changed credentials, or network interruptions can cut off the attackers’ access, losing their foothold within the targeted system. In many cases, Brute Force Attacks on passwords are used to find vulnerable accounts with valid access and obtain their credentials. IOC of brute force attacks can be the extensive logon failure from a single user or several users within a short time. It is advised to create alert detection steps such as with event log ID 4625, where it is generated on the domain controllers, member servers, and workstations showing the computer where the logon was attempted.

Another attempt for an attacker to sustain itself within the target is to kerberoast an independent user. This is done by extracting service account credentials from Active Directory. An attacker can request tickets to verify the Identity. By requesting a Service-Ticket, a Ticket-Granting Ticket is used to generate the Service-Ticket, which provides access to application services. A good IOC is to watch out for encryption downgrades, i.e. AES to RC4, as the attackers still need to brute force the password to plaintext. Windows Event ID 4769 broadcasts whether a Kerberos service ticket was requested. Monitoring the encryption type within the event ID can help establish downgrade identification. Another viable option is to track event ID 4769 within users, as it’s uncommon for users to proceed with several authentication service tickets.

Additionally, OS credential dumping can be used to obtain account logins and passwords. Attackers can export copies from the Active Directory database. The ntds.dit is a database that stores Active Directory data; this includes user objects, groups, and group memberships. The best practice IOC is to monitor access to the ntds.dit database for any access that is outside of regular hours or irregular user/machine. This can be achieved by monitoring the access via event ID 4663 within Windows. The event indicates specific operations were conducted on an object (file, kernel, or registry).

Access to Credentials

After execution and perstiance, attackers often look for further vulnerabilities to exploit credentials. Within environments that use Active Directory Federation Services (ADFS) feature on Windows and contain SAML certificates for signing, attacks aim to obtain encryptions to private keys from ADFS to decrypt SAML signing certificates, performing a Golden SAML attack, granting them SAML token which can be used to gain access to anything that trusts these tokens. The best practice IOC is to observe and regulate access to encryption keys with unusual file access. Spectating Event ID 4633 can help validate access to these private key files, where administrators can set different types of access to these files, such as READ.

Another exploitation that can be used to obtain credentials is the CVE-2020-1472 vulnerability known as NetLogon. The exploit allows for an elevation of privileged vulnerability. Attacks can establish a vulnerable Netlogon secure channel connection to a domain controller. Granting the ability to change the password for domain controllers. These can be indicated by logon events by anonymous access, with the addition of windows event ID 4742 & 5805, indicating whether a computer account was changed and if NetLogon was attempted.

Recommended Risk Mitigation

Cyber threats change dynamically as more refined attacks are conducted on organizations. Such a dynamic field relies on improved and evolving security procedures and policies. As Identity is becoming, more clearly, a parameter of entry, organizations need to secure their credentials and weak access points to keep their resources safe. Though many organizations follow fundamental security processes such as Multi-factor authentications, Virtual Private Networks, patch upgrades/installations, and strong password policies, it is essential to follow a thorough, in-depth defense strategy.

Dynamic Controls – Prohibit arbitrary code execution enable a security policy to limit legitimate executables within privileged users.
Enforce A Limit To Admin Accounts – maintain consistent control over privileged accounts within your organizations, disabling ghost accounts or limiting access to critical high-value targets. Provide proactive monitoring and access management system to mitigate credential theft and elevation of privileges.
Maintain Secured Backups – create strategies to contain domain controller backups and secure them with limited or physical access. Be ready for credential theft within Active Directory database NTDS file and adapt security tools that can prevent NTDS file access.
Contain Security Measures For Credential Certificates – Protect any additional attempts and vulnerabilities within your identification/authentication methods.

Get in touch with Fudo and learn the latest best practice solutions to mitigate cyber threats risks and insider threats caused by the dynamic cyber security field!

Written by: Damian Borkowski – Technical Marketing Specialist