ThreatLabz Security Advisory: Cyberattacks Stemming from Russia’s Invasion of Ukraine [Updated: March 21, 2022]

Updated Security Advisory - March 21, 2022

In 2022, US President Joe Biden issued a statement warning of the potential for malicious cyber conduct against the United States as a response to economic sanctions against Russia. His statement urged immediate action to harden cyber defenses among both public and private sector organizations.

The Zscaler ThreatLabz research team continues to monitor the aggressive invasion of Ukraine by Russia and any associated cyberthreats that may impact our customers. We have aggregated our guidance and resources in our Russian Invasion of Ukraine Cyber Resource Center. We will continue to update this page and our blog with new developments, as well as information to register for live threat briefings that we deliver when relevant cybersecurity events unfold.

ThreatLabz has observed several targeted attacks since the invasion began in 2022:

1. PartyTicket Ransomware: This Go-based ransomware has been used in conjunction with the previously reported HermeticWiper malware to target organizations in Ukraine. It has not been formally attributed to the Russian state or other actors. Unlike HermeticWiper, PartyTicket is unsophisticated and contains flawed encryption that can be decrypted and reversed. Our technical analysis breaks down the full attack chain.
    
2. DanaBot DDoS attack: On March 2, 2022, The Ukrainian Ministry Of Defense’s webmail server was hit with a distributed denial-of-service (DDoS) attack by a threat actor using DanaBot, a malware-as-a-service platform that was first discovered in 2018. With DanaBot, threat actors purchase access to the platform where they can access ready-made malware, command-and-control, and support resources to distribute and use the malware as they see fit. On March 7, 2022, DanaBot affiliate ID 5 stopped DDoSing the Ukrainian Ministry of Defense’s webmail server and started DDoSing a hardcoded IP address, 138.68.177[.]158.  According to Passive DNS data, this IP address has recently been associated with invaders-rf[.]com. This site claims to be (Google translated):
   “...an information resource of the Office of the National Security and Defense Council of Ukraine, which provides information about prisoners of war of the Russian Armed Forces who have invaded the territory of Ukraine since February 24, 2022. The portal will be available to Russian citizens, including soldiers' families or acquaintances, to obtain information on the condition and whereabouts of prisoners.”
   Given the threat actor’s previous targeting, this seems like the likely target. The DDoS attack payload was written and distributed similarly to the Ukrainian Ministry of Defense DDoS payload on March 2, 2022.
    
3. Conti ransomware: The Cybersecurity & Infrastructure Security agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the United States Secret Service (USSS) have re-released an advisory on Conti, a Russia-linked ransomware group. Their advisory warns that “Conti cyber threat actors remain active and reported Conti ransomware attacks against U.S. and international organizations have risen to more than 1,000.” In late February, Conti posted two statements on their leak site, pledging support to the Russian government in response to “Western warmongering and American threats to use cyber warfare against the citizens of Russian Federation.” An analysis of their tactics is included in the ThreatLabz Ransomware Review report, as well as a recent ThreatLabz blog.

Zscaler Cloud Sandbox Report: Conti Ransomware

Zscaler has up-to-date protections against each of these attacks, including the indicators of compromise detailed in the blogs linked above. We recommend that all security teams adhere to the guidance in our previous advisory below, including best practices for patching, backup and recovery, monitoring, incident response plans, end user training, and zero trust adoption.

As always, if you require assistance planning for or remediating attacks associated with this invasion, please contact the ThreatLabz team through the support security channel.

Security Advisory – February 24, 2022

ThreatLabz has observed a resurgence in targeted attack activity against Ukraine in the recent months. We’ve identified two targeted attack chains that were likely waged by the Gamaredon APT threat actor between January and February 2022, and expect to see similar attacks in the coming days and weeks.

On February 16th, 2022, CISA along with the FBI and NSA issued a joint cybersecurity advisory outlining the tools and tactics used by Russian threat actors in targeting government and defense contractors with an objective to steal sensitive information. This advisory outlined the use of tactics such as spear phishing emails, credential stuffing, brute forcing, privilege escalation, and persistence. 

With Russia's aggressive invasion of Ukraine, the risk of cybersecurity threats targeting US & European organizations has also gone up significantly. The below industries are at particularly heightened risk—but it is important for all global organizations to prepare their defense and response to such attacks:

Figure 1: Industries Targeted (Credit: CISA)
 

How does Zscaler protect my organization against these attacks?

The Zscaler Zero Trust Exchange uses the principles of zero trust to protect your organization from cyber risks. Our protections closely map to trusted frameworks from organizations such as NIST and MITRE, and are continually updated by ThreatLabz experts and AI/ML models utilizing current data from the world’s largest security cloud, which processes over 200B transactions per day. 

Zscaler uniquely protects against these attacks by:

• Minimizing your attack surface and making apps invisible: Zscaler Private Access (ZPA) hides your internal apps behind our cloud proxy-based zero trust platform, making them invisible to the internet. When attackers cannot find your applications, they cannot attack them.
   
• Preventing Compromise by detecting and blocking malicious activity: Zscaler Internet Access (ZIA) inspects all internet traffic—whether encrypted or unencrypted—for indicators of compromise. If a file is unknown, Zscaler quarantines and detonates it with our in-line sandbox, only allowing files to proceed once they’ve been analyzed and deemed safe.
   
• Preventing lateral movement: ZPA connects users to resources only on a least-privilege basis, without granting network access – and Zscaler Workload Segmentation (ZWS) does the same for applications. Zscaler Deception populates your environment with decoys that can lure, detect, and contain sophisticated threat actors. Together, these capabilities provide defense-in-depth against lateral spread of an infection and limit the damage an attacker can cause.
   
• Stopping data loss. ZIA inspects all outgoing traffic – again, whether encrypted or unencrypted – to prevent malicious post-compromise activity such as communication with command-and-control servers and data exfiltration. Zscaler also protects valuable assets in the public cloud and SaaS apps by identifying misconfigurations and other vulnerabilities that may lead to data loss.

Security recommendations

Zscaler recommends a robust zero trust strategy based on the principles outlined above. Additionally, security teams must ramp up other areas of security hygiene in preparation for potential incidents, including:

• Patching. Ensure your enterprise applications are up-to-date with the latest security updates to minimize vulnerabilities.
• Backup and recovery. Ensure that your system backups are regular and current, and that backups are protected from attackers who may compromise your production servers. 
• SOC response playbooks & IR plans. Ensure that your security operations team has response plans in place, prioritizing the most likely attack types – such as DDoS, Bruteforcing, and Ransomware.
• Monitoring. Engage in heightened monitoring of assets exposed to the invaded region(s).
• Security awareness training. As with many attacks, the recently discovered Hermetic wiper attack utilized spear phishing for initial compromise. Educate and remind your end users to be on the lookout for phishing attempts, use good password hygiene, and care for the physical security of corporate assets.

How is Zscaler ThreatLabz helping our customers?

The ThreatLabz team is actively tracking several threat actor groups and related campaigns in the wild. Zscaler Cloud telemetry provides a unique visibility (200B+ transactions secured, 150M+ threats blocked, 400K+ new unique files detonated daily) for the team to get insights into new threat activity and ensure rapid detection coverage across the Zscaler security platform.

The following coverage was added for all the known indicators related to the recent attacks and we will continue to update as we uncover more details:

Advanced Threat Protection

Win32.Trojan.KillDisk

Win32.Trojan.HermeticWiper

VBA.Downloader.Gamaredon

VBS.Downloader.Gamaredon

DOC.Downloader.Gamaredon

Advanced Cloud Sandbox

Win32.Trojan.HermeticWiper

Advanced Cloud Sandbox Report

Figure 2 below shows the sandbox detection report for Wiper malware.

Figure 2: Zscaler Cloud Sandbox Report - Hermetic Wiper 

Figure 3 below shows the document template (from attack chain #1) detection in the Zscaler sandbox.

Figure 3: Zscaler Cloud Sandbox Report - Targeted Attack document template

Get more information

If you are a Zscaler customer and need additional help planning for or remediating attacks associated with the Russian invasion of Ukraine, please contact the ThreatLabz team through the support security channel. As your trusted security partner, we are here to help.