The Russia-Ukraine War: Malware Risks and Mitigations

The Russia-Ukraine War’s impact includes a range of cybersecurity concerns, especially with regards to the malware being deployed in this conflict. On March 21, President Biden issued a statement warning that Russia is exploring cyberattack options and that organizations should take steps now to verify and harden their stance. 

Our analysts have been monitoring the situation and have put together the following resource for you. In this two-part series, we will discuss what we know of the current threats and, in part two, what steps you should focus on in the short and long term to strengthen your security. 

Here is what we currently know about the malware being deployed in Ukraine–and a reminder of what steps you can take to protect against malware infections in general.

Malware targeting Ukraine: What we know

While Russia is deploying wipers instead of ransomware, the remainder of the tactics, techniques, and procedures (TTP) are the same–which means many of the same risk mitigation techniques still apply despite the gravity of what’s happening. 

A long dwell time

The malware appears to have had a significant amount of dwell time, meaning most of the systems were compromised for a significant amount of time before the wipers deployed–this also means that a lot of the detection opportunities occurred a while ago.

Crimes of opportunity vs. active attacks

In the past, Russia-based cybercrime groups have pursued targets in crimes of opportunity–so the big change for organizations with direct ties to Ukraine is they are now being actively attacked rather than facing opportunistic attacks.

These attacks are focusing on critical infrastructure–the wipers are deleting a few bites of the master boot record and then shutting the computer down. Then, when the computer gets turned back on, it can’t boot without that data. This attack technique is both fast and effective–there are ways to repair it, but in time sensitive situations these wipers are creating potentially critical situations.

Default MFA protocol exploitation

CISA recently released an advisory regarding the exploitation of misconfigured MFA protocols. Their mitigation recommendations include:

  • Enforcing MFA and reviewing configuration policies to protect against “fail open” and re-enrollment scenarios.
  • Ensuring inactive accounts are disabled uniformly across the Active Directory and MFA systems. 
  • Patching all systems. Prioritize patching for known exploited vulnerabilities.

More information on this vulnerability can be found here

Mitigating malware best practices

Backup your data

Having your data regularly backed up is always a best practice. In the event that your system does become compromised, it allows you to perform a complete wipe of the system without losing all of that data. 

Update, update, update

Make sure your OS and software are up-to-date so that any known vulnerabilities are fixed, making your system more secure. 

Phishing awareness and user education 

Requiring regular cybersecurity training for your employees helps prevent phishing and social engineering attempts from being successful.

Practice makes perfect

Running tabletop exercises helps make sure everyone knows what they need to do–and how to do it–when a situation arises. Be sure to review your strengths and weaknesses after the exercise!

Want to learn more about malware analysis?

For more information on malware analysis, check out our malware series:

And, as always, if you’re in need of more assistance, contact us. We’re happy to discuss how we can help. 

Conclusion

Hopefully these resources prove useful for you! We will continue to monitor the situation as the Russia-Ukraine War develops. Stay safe!

About Hurricane Labs

Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.

For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.