Shields Up: What You Can Do Following New Reports of Destructive Malware in Ukraine, Latvia, and Lithuania

The situation in Ukraine unfortunately continues to escalate, and our hearts are with those who’ve been displaced and/or affected by the conflict. We want our customers to know we are here for you, and we will continue to update and inform you on all cybersecurity reports that impact your ability to protect your businesses and people. 

That being said, here is what we know as of February 25th:

Newly reported destructive malware has been identified impacting computer systems in Ukraine, Latvia, and Lithuania targeting financial institutions and government contractors. The new data wiper malware is believed to be linked to Russia and in support of the on-going invasion happening in Ukraine. We are also hearing reports of network attacks — Distributed Denial of Services (DDoS) — against Ukrainian government agencies and state-owned banks, including ATMs. 

For now, it appears that these cyberattacks are highly targeted and focused on Ukraine and members of the Ukrainian government and contractors. There have not been reports of similar cyberattacks waged against neighboring countries or any NATO allies at this time. 

Exabeam will continue to monitor the situation in real time, and provide information and guidance to our customers on how to strengthen their defenses and identify known threats and attacks related to the ongoing conflict. 

Recommended Actions

Exabeam recommends having on monitor (watchlist) your high privilege accounts and service accounts since these types of attacks rely on users to look to move laterally or escalate privilege.  This makes it imperative to understand abnormal behavior on your user accounts.

In previous attacks from similar attacker groups (exa Sandworm Team and APT29) they rely heavily on privileged accounts to damage disk partitions or impact the functionality of the operating system.

https://attack.mitre.org/groups/G0016/

https://attack.mitre.org/groups/G0034/

Based on current information, the following activities could prove useful on detection of these types of malware threats:

• Have a watchlist with an updated list of:
  • Privileged users
  • Service accounts
• Have a constant threat hunt operation for the following types of behaviors, adding as scope user label privilege accounts and service accounts.
  • Query registry
  • System information discovery
  • Lateral movement
  • Privilege escalation

Exabeam will continue to monitor this threat and provide more guidance as data becomes available.

The best indicator to detect this ever-evolving type of threat is knowing and understanding user behavior, since mostly every threat actor requires an account to propagate inside your network.

For customers using Exabeam Fusion SIEM and Fusion XDR products, please see our instructions below to create watchlists and more easily add rule tags to threat hunter searches. 

How to add/modify context tables

How to create custom Context Tables

1. On the Advanced Analytics Admin page, click on “Context Tables”

2. Search for “priviliged_users”

3. There are two options to add accounts to the context table.
   1. You can upload a CSV of all your privileged users
   2. You can add in a single privileged user

4. On the Advanced Analytics homepage, click on the new watchlist and select “Add User Watchlist”

5. Set the following attributes
   1. Title
   2. User Labels
   3. Privileged Users
   4. Then “save”

How to add Rule Tags to a Threat Hunter Search

How to perform Threat Hunter searches

1. Go to Threat Hunter
2. Add the following to “Rule Tags”
   1. Query Registry
   2. System Information Discovery
   3. Lateral Movement
   4. Privilege Escalation

How to add a correlation rule

How to create blacklist rules

Create a Correlation Rule with the following attributes

1. Rule Type: Blacklist
2. Search Query – exa_category:”Network”
3. Trigger if the value of “SRC_IP” is in the list of “RUSSIAUKRAINE_MALICIOUS_ACTIVITY”

How to perform historical searches using context tables

1. Create a search query using “exa_cateagory:”Network”

2. Click on the “Context Table” button.
3. Select
   1. Field: “src_ip”
   2. In Context Table: Name of context table created earlier

To get a complete list of all IP addresses related to this attack to date, go here. Thank you to Greynoise.io for sharing this information with the public. 

If you have any questions, please open a support ticket or reach out to your Customer Success Manager.