{"id":7437,"date":"2022-03-04T17:29:03","date_gmt":"2022-03-05T00:29:03","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7437"},"modified":"2023-04-20T02:07:27","modified_gmt":"2023-04-20T09:07:27","slug":"cyberwar-bulletin-1-russia-ukraine","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/cyberwar-bulletin-1-russia-ukraine\/","title":{"rendered":"Cyberwar Bulletin 1: Russia & Ukraine"},"content":{"rendered":"

For as long as there have been organizational assets exposed to the Internet, companies have absorbed varying levels of risk. The difference between managing your attack surface in a continuous, proactive way – and being the target of cyberwar tactics – is sometimes hard to delineate.<\/p>\n

 <\/p>\n

However, one distinction can be made: are you being targeted at random, or purposefully, as part of something bigger? Only intelligence and validated insights can tell you that.<\/strong><\/p>\n

 <\/p>\n

The Russia-Ukraine conflict has brought a new level of fear to most organizations in North America from a cybersecurity standpoint. Intelligence confirms that organizations must be more aware of, and certainly more vigilant against, potential attacks on their systems now that the political climate has been dramatically altered over the past two weeks.<\/p>\n

 <\/p>\n

Typically, government entities, public sector companies, critical infrastructure, healthcare, and financial institutions are all targeted repeatedly in many different ways by groups emanating from a multitude of geolocations and nation-state affiliations.<\/p>\n

In this bulletin, CSW has performed real-time research on behalf of its customers, partners and followers to uncover data that can provide insights into new tools, techniques and signals around potential Russia-based attacks, which could ultimately serve as indicators worthy of assessment and analysis. We took a deep dive into our data to look at Russian threat actors\u2019 cyber activities: their arsenal, their techniques, and the methods they use as they up-level their targeting of Western companies.<\/b><\/p>\n

Note: This is a developing story. CSW experts will continue their research and publish their analysis as and when new threat groups emerge.<\/em><\/p>\n

Our research shows that, cumulatively, the four groups profiled below have been known to exploit unpatched instances of 35 unique vulnerabilities.<\/p>\n

\"\"<\/p>\n

\n

CSW has warned about 29 of the 35 APT vulnerabilities in its blogs, reports and PatchWatch sections.<\/p>\n

30 of these vulnerabilities are listed in CISA\u2019s Known Exploited Vulnerabilities<\/a> catalog, released as part of the Binding Operational Directive for federal agencies and public sector organizations.<\/p>\n<\/blockquote>\n

Gamaredon<\/h2>\n

Gamaredon is an Advanced Persistent Threat (APT) group that has been in existence since 2013. Also going by the names Primitive Bear, Armageddon, and seven other aliases, the threat group with origins in Russia is known to target defense, law enforcement agencies, non-governmental organizations, power plants, water facilities, and government agencies, primarily in Ukraine.<\/p>\n

 <\/p>\n

The Gamaredon group has been observed deploying RMS (Remote Manipulator System), UltraVNC, Pterodo\/Pteranodon, PowerShell, FileStealer and USBstealers as part of its gamut of tools to compromise networks. In November 2021, the Security Service of Ukraine (SSU) established conclusive links<\/a> between Gamaredon and five individuals operating under the guidance of the Federal Security Service (FSB) in Moscow.<\/p>\n

 <\/p>\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n
\n

\u00a0Gamaredon<\/p>\n<\/th>\n<\/tr>\n<\/thead>\n

\n

\u00a0Vulnerabilities Associated<\/p>\n<\/td>\n

\n

\u00a04<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0Vendors Affected<\/p>\n<\/td>\n

\n

\u00a02<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0CVSS Severity<\/p>\n<\/td>\n

\n

\u00a0Critical – 0<\/p>\n

\u00a0High – 3<\/p>\n

\u00a0Medium – 1<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0Public Exploits Available<\/p>\n<\/td>\n

\n

\u00a0CVE-2017-11882, CVE-2018-20250, CVE-2017-0199<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

\"\"<\/p>\n

 <\/p>\n

Nobelium<\/h2>\n

Nobelium is the infamous mastermind behind 2020\u2019s SolarWinds<\/a> attack that affected over 18,000 customers, including government and private agencies. Since the supply chain scare, the threat group has resurfaced in multiple campaigns, as called out by CSW<\/a>. Operational since 2008, the group is referred to by 16 other names, including APT29 and Cozy Bear.<\/p>\n

 <\/p>\n

The Nobelium group is also known to continually expand their attack arsenal, most recently adding two new backdoors – Tomiris<\/a> and FoggyWeb<\/a>, and two sophisticated malware families – GoldMax, a Linux variant, and TrailBlazer, a new implant.<\/p>\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n
\n

\u00a0Nobelium<\/p>\n<\/th>\n<\/tr>\n<\/thead>\n

\n

\u00a0Vulnerabilities Associated<\/p>\n<\/td>\n

\n

\u00a023<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0Vendors Affected<\/p>\n<\/td>\n

\n

\u00a013<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0CVSS Severity<\/p>\n<\/td>\n

\n

\u00a0Critical – 13<\/p>\n

\u00a0High – 9<\/p>\n

\u00a0Medium – 1<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0Public Exploits Available<\/p>\n<\/td>\n

\n

\u00a0CVE-2009-3129, CVE-2010-0232, CVE-2013-0640,<\/p>\n

\u00a0CVE-2013-0641, CVE-2014-1761, CVE-2018-13379,<\/p>\n

\u00a0CVE-2019-11510, CVE-2019-1653, CVE-2019-17026,<\/p>\n

\u00a0CVE-2019-19781, CVE-2019-2725, CVE-2019-7609,<\/p>\n

\u00a0CVE-2019-9670, CVE-2020-0674, CVE-2020-14882,<\/p>\n

\u00a0CVE-2020-5902, CVE-2021-1879, CVE-2021-21972,<\/p>\n

\u00a0CVE-2021-26855, CVE-2015-1641, CVE-2016-7255<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

\"\"<\/p>\n

 <\/p>\n

Wizard Spider<\/h2>\n

Wizard Spider is a Russia-based threat actor that began its operations in 2014. It also goes by the names Grim Spider and Gold Blackburn, among others, and is known as the operator behind two prominent and highly notorious ransomware groups of recent times – Ryuk<\/a> and Conti<\/a>.<\/p>\n

 <\/p>\n

The Wizard Spider group prominently deploys malware tools such as TrickBot and BazarLoader in its attacks, with its primary targets being the defense, financial, government, healthcare and telecommunications sectors all over the world. Recently, the developers behind the TrickBot trojan moved<\/a> to the Conti group to aid with further improvements in BazarLoader.<\/p>\n

 <\/p>\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n
\n

\u00a0Wizard Spider<\/p>\n<\/th>\n<\/tr>\n<\/thead>\n

\n

\u00a0Vulnerabilities Associated<\/p>\n<\/td>\n

\n

\u00a07<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0Vendors Affected<\/p>\n<\/td>\n

\n

\u00a01<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0CVSS Severity<\/p>\n<\/td>\n

\n

\u00a0Critical – 1<\/p>\n

\u00a0High – 5<\/p>\n

\u00a0Medium – 1<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0Public Exploits Available<\/p>\n<\/td>\n

\n

\u00a0CVE-2017-0144, CVE-2020-1472, CVE-2017-0143,<\/p>\n

\u00a0CVE-2017-0148, CVE-2017-0145, CVE-2017-0146,<\/p>\n

\u00a0CVE-2017-0147<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

\"\"<\/h2>\n

 <\/p>\n

UNC1151 (GhostWriter)<\/h2>\n

The latest threat actor to join the fray is UNC1151, an uncategorized group also believed to be behind the GhostWriter campaign. The group has been associated with several information operations since March 2017, aligned with Russian security interests.<\/p>\n

The group is known to be deploying a backdoor as part of its campaign, the code for which is publicly available on GitHub. The backdoor is a variant of Micro backdoor, a C2 tool built to target Windows machines. UNC1151 is an evolving group that is well-positioned for more sophisticated and far-reaching campaigns with malicious intent, researchers warn.<\/p>\n\n\n\n\n\n\n\n\n
\n

\u00a0UNC1151\/GhostWriter<\/p>\n<\/th>\n<\/tr>\n<\/thead>\n

\n

\u00a0Vulnerabilities Associated<\/p>\n<\/td>\n

\n

\u00a01<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0Vendors Affected<\/p>\n<\/td>\n

\n

\u00a01<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0CVSS Severity<\/p>\n<\/td>\n

\n

\u00a0Critical – 0<\/p>\n

\u00a0High – 1<\/p>\n

\u00a0Medium – 0<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0Public Exploits Available<\/p>\n<\/td>\n

\n

\u00a0NA<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

\"\"<\/p>\n

Vulnerabilities associated with the Russian Threats<\/h2>\n