What can we learn?
Cyber warfare is nothing new for Russia. In fact, it is an extension of the country's long-standing use of information warfare.
For more than a century, Russia has relied on disinformation and propaganda – and more recently, cyber warfare – to achieve its political and military objectives. Over the past decade, the Russian government has mounted more than a dozen significant cyberattacks against other countries, including the US. Such attacks include campaigns against US critical infrastructure (Colonial Pipeline), supply chains (Solar Winds), and disinformation campaigns (US Elections, DNC hack). It is unlikely that they will specifically target the US government during operations against Ukraine, however they will likely target US companies, organizations, and think tanks that are interested in Ukraine. With Russia’s current display of cyber warfare capabilities, security researchers and cyber professionals can learn about attack vectors, capabilities, and malware.
Fast-forward to 2022, and Russia has ramped up cyberattacks against Ukraine to destabilize the government and economy. Through GRU and FSB, Russia’s military intelligence services, Russia has artfully employed cyber operations to project national power. Moreover, Russia sees warfare as a continuum, and cyberspace is a key domain of its persistent conflict with Ukraine and Western influence. Recently, Microsoft detected Russian-backed cyber espionage groups targeting multiple Ukrainian organizations. Most notably, Microsoft identified a data-wiping malware disguised as ransomware in Ukrainian government computer systems. Additionally, Microsoft has observed a repeated set of tactics, techniques, and procedures (TTPs) carried out by Russian threat groups during their operations against Ukraine.
Russian Advanced Persistent Threat (APT) groups, similar to cyber-criminal groups, have a standard set of TTPs to gain access, escalate privileges, and maintain access to their victims networks. Network defenders can learn valuable information from these Russian TTPs and develop countermeasures to secure their networks. However, it is essential to understand that cyber threat groups evolve tactics as the landscape changes.
Russian threat groups continue to exploit the weakest link in any cybersecurity element: the human element. Russian threat groups are masters of social engineering, and they couple these skills with realistic emails to exploit the victim's network through phishing. Phishing is a tried-and-true method to gain initial access to networks. Russian APTs target Ukraine through spear-phishing emails with malicious macro attachments that employ remote template injection. This allows the threat actor to evade static detection by simple email/system scans. Remote template injection is generally triggered by opening the document and enables the attacker to control when and how the malicious package is delivered. Russian APT groups like cyber threat actors impersonate and masquerade as legitimate organizations and establish trust and familiarity with the victim. Trust becomes the underlying exploitable factor and allows the threat actor to send a malicious payload in a follow-up email resulting in a foothold on the organization.
Microsoft is supporting cyber defenders worldwide with their recent decision to disable Visual Basic macros running on five Office applications. Disabling macros is a step in the right direction; however, this is only a bump in the road as threat actors have used smuggling tactics to bypass email security and anti-virus tools. Smuggling tactics, or "containerized malware," allow threat actors to package malware in various containers (7zip, zip, ISO, IMG, PDF, VHD, VHDX, etc.). Ultimately, utilizing an email security tool with static and dynamic engines identifies and prevents malicious files from reaching the end-user. Training users not to open emails and performing phishing exercises will teach employees to avoid suspicious emails, also strengthening the organization's security posture.
Russian APT groups and cyber threat actors use similar methods to escalate privilege like DLL Hijacking, Service Permissions, Password Exploit, and known CVEs (Common Vulnerabilities and Exposures). An example of an escalation path via service permissions is "Unquoted Service Paths." Unquoted Service Paths are Windows services with an executable path containing spaces and not enclosed within quotes. These lead to a vulnerability that allows an attacker to elevate privileges to gain system-level access (if the service is running with system privilege and if the threat actor has the ability to restart the service).
Vulnerable Service Path
Path: C:\ Progarm Files (x86)\Vulnerable Service\Service1.exe
How to identify a vulnerable service in your network
Windows Management Instrumentation
wmix service get name, pathname, displayname, startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i/ v"""
'wmic service get name, displayname, pathname, startmode | findstar /i "auto" | findtsr /i /v "C:\Windows\\" findstr /i /v"""
The best way to identify vulnerable escalation paths is to conduct regular internal penetration tests (pentests). An internal pentest will identify all possible avenues that a threat actor could take to escalate privileges to gain Domain Admin and distribute ransomware to cripple a network. An IT/Cyber Security team can remediate vulnerabilities based on priority.
An example fix for the unquoted service path
The best way to fix this is by first identifying any vulnerable services with the commands provided.
The second step is to modify any vulnerable service paths with quotes surrounding the entire path:
Path: "C:\Program Files (x86)\Vulnerable Service\Service1.exe"
Now it is no longer vulnerable to an unquoted service path vulnerability
Russian APTs’ primary goal is to maintain persistent access to networks of perceived value for intelligence collection. Additionally, cyber-criminal organizations seek to maintain access to gather as much information as possible to force the victim to pay the requested ransom. On average, cyber-criminal organizations are on the network for 30 to 90 days to discover critical business processes and gain access to the entire network. Russian APTs and cyber-criminals rely on scheduled tasks, legitimate credentials, and abusing Remote Desktop Protocol (RDP) if the target network has it open.
Proactive threat hunting is the best defense to identifying and removing persistent access. Threat Hunters detect these persistence mechanisms to identify and eliminate persistent actors dwelling in your network through unauthorized access. Effective regular Threat Hunting paired with a robust defensive strategy helps mitigate risk and reduce potential financial loss due to a cyber-attack. Organizations that combine these two tactics can efficiently identify attackers on their networks, significantly reducing the overall costs for remediation and the potential costs associated with a breach.
The Redpoint Labs Approach
Redpoint Labs’ Threat Mitigation Group keeps your organization secure through a unique approach to targeting, pursuing, and eliminating threats on your network – we "Hunt the Hunter™." Comprised of experts in offensive and defensive cyber security strategies, Redpoint Cybersecurity can partner with you to create a strong, effective cybersecurity program for your SMB and curate industry-specific threat intelligence to provide insight into the cyber threat landscape.
Our approach is to align security with business strategy. We take actionable steps to help our clients mitigate their risk by combining Threat Hunting and Pentesting to secure your network. Redpoint's solutions will align with executive- and board-level desired outcomes to reduce risk and reduce exposure, and our human-led, technology-enabled ethos gives us the ability to tailor cutting-edge technology to your organizational objectives.
For more information on Redpoint Labs, contact Redpoint Cybersecurity Technical Director, David Duncan, at email@example.com.