Shields Up: What You Can Do Following New Reports of Destructive Malware in Ukraine, Latvia, and Lithuania - Exabeam

Shields Up: What You Can Do Following New Reports of Destructive Malware in Ukraine, Latvia, and Lithuania

Published
February 26, 2022

Author

Reading time
4 mins

The situation in Ukraine unfortunately continues to escalate, and our hearts are with those who’ve been displaced and/or affected by the conflict. We want our customers to know we are here for you, and we will continue to update and inform you on all cybersecurity reports that impact your ability to protect your businesses and people. 

That being said, here is what we know as of February 25th:

Newly reported destructive malware has been identified impacting computer systems in Ukraine, Latvia, and Lithuania targeting financial institutions and government contractors. The new data wiper malware is believed to be linked to Russia and in support of the on-going invasion happening in Ukraine. We are also hearing reports of network attacks — Distributed Denial of Services (DDoS) — against Ukrainian government agencies and state-owned banks, including ATMs. 

For now, it appears that these cyberattacks are highly targeted and focused on Ukraine and members of the Ukrainian government and contractors. There have not been reports of similar cyberattacks waged against neighboring countries or any NATO allies at this time. 

Exabeam will continue to monitor the situation in real time, and provide information and guidance to our customers on how to strengthen their defenses and identify known threats and attacks related to the ongoing conflict. 

Recommended Actions

IOCThreat 
912342F1C840A42F6B74132F8A7C4FFE7D40FB77
61B25D11392172E587D8DA3045812A66C3385451
MD5: 3f4a16b29f2f0532b7ce3e7656799125SHA: 
1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
Win32/KillDisk.NCV trojan 6/n 

Exabeam recommends having on monitor (watchlist) your high privilege accounts and service accounts since these types of attacks rely on users to look to move laterally or escalate privilege.  This makes it imperative to understand abnormal behavior on your user accounts.

In previous attacks from similar attacker groups (exa Sandworm Team and APT29) they rely heavily on privileged accounts to damage disk partitions or impact the functionality of the operating system.

https://attack.mitre.org/groups/G0016/

https://attack.mitre.org/groups/G0034/

Based on current information, the following activities could prove useful on detection of these types of malware threats:

  • Have a watchlist with an updated list of:
    • Privileged users
    • Service accounts
  • Have a constant threat hunt operation for the following types of behaviors, adding as scope user label privilege accounts and service accounts.
    • Query registry
    • System information discovery
    • Lateral movement
    • Privilege escalation

Exabeam will continue to monitor this threat and provide more guidance as data becomes available.

The best indicator to detect this ever-evolving type of threat is knowing and understanding user behavior, since mostly every threat actor requires an account to propagate inside your network.

For customers using Exabeam Fusion SIEM and Fusion XDR products, please see our instructions below to create watchlists and more easily add rule tags to threat hunter searches. 

How to add/modify context tables

How to create custom Context Tables

  1. On the Advanced Analytics Admin page, click on “Context Tables”
Shields Up: What You Can Do Following New Reports
  1. Search for “priviliged_users”
Shields Up: What You Can Do Following New Reports
  1. There are two options to add accounts to the context table.
    1. You can upload a CSV of all your privileged users
    2. You can add in a single privileged user
  1. On the Advanced Analytics homepage, click on the new watchlist and select “Add User Watchlist”
Shields Up: What You Can Do Following New Reports
  1. Set the following attributes
    1. Title
    2. User Labels
    3. Privileged Users
    4. Then “save”
Shields Up: What You Can Do Following New Reports

How to add Rule Tags to a Threat Hunter Search

How to perform Threat Hunter searches

  1. Go to Threat Hunter
  2. Add the following to “Rule Tags”
    1. Query Registry
    2. System Information Discovery
    3. Lateral Movement
    4. Privilege Escalation
Shields Up: What You Can Do Following New Reports

How to add a correlation rule

How to create blacklist rules

Create a Correlation Rule with the following attributes

  1. Rule Type: Blacklist
  2. Search Query – exa_category:”Network”
  3. Trigger if the value of “SRC_IP” is in the list of “RUSSIAUKRAINE_MALICIOUS_ACTIVITY”
Shields Up: What You Can Do Following New Reports

How to perform historical searches using context tables

  1. Create a search query using “exa_cateagory:”Network”
Shields Up: What You Can Do Following New Reports
  1. Click on the “Context Table” button.
  2. Select
    1. Field: “src_ip”
    2. In Context Table: Name of context table created earlier
Shields Up: What You Can Do Following New Reports

To get a complete list of all IP addresses related to this attack to date, go here. Thank you to Greynoise.io for sharing this information with the public. 

If you have any questions, please open a support ticket or reach out to your Customer Success Manager.

Similar Posts

Exabeam News Wrap-up – Week of September 12, 2022

Exabeam News Wrap-up – Week of September 5, 2022

12 InfoSec Resources You Might Have Missed in August




Recent Posts

Exabeam News Wrap-up – Week of September 12, 2022

The 4 Steps to a Phishing Investigation

Exabeam News Wrap-up – Week of September 5, 2022

See a world-class SIEM solution in action

Most reported breaches involved lost or stolen credentials. How can you keep pace?

Exabeam delivers SOC teams industry-leading analytics, patented anomaly detection, and Smart Timelines to help teams pinpoint the actions that lead to exploits.

Whether you need a SIEM replacement, a legacy SIEM modernization with XDR, Exabeam offers advanced, modular, and cloud-delivered TDIR.

Get a demo today!