DHS Issues Warning About Potential Russian Cyber Attack On The US

Please see below for expert comment from information security experts regarding the DHS issuing a warning about a potential Russian cyber attack on the US. Kev details the seriousness of this warning, the consequences of an attack, and how best to build cyber resilience against such threats.

Subscribe
Notify of
guest
4 Expert Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
Adam Vincent
Adam Vincent , CEO
InfoSec Expert
January 31, 2022 12:41 pm

<p>Whilst the notion of nation state hacking is not a new phenomenon, Adam reflects on their drastic rise across the board, noting that no organisation is exempt from cyber-attacks and why states worldwide must use this as a stark reminder of the importance of protecting critical infrastructure.</p>

Last edited 10 months ago by Adam Vincent
Saryu Nayyar
Saryu Nayyar , CEO
InfoSec Expert
January 26, 2022 12:32 pm

<p>It is not surprising that the cyberattacks on the Ukraine were not going to be isolated to them based on the US involvement in Russia\’s aggressive military actions. As the CISA points out with attacks such as WhisperGate, \’identifying and quickly assessing any unexpected or unusual network behavior\’ includes activity such as privileged access violations. Cisco Talos reports that system access was most likely based on stolen credentials. Organizations in the US must go beyond traditional XDR and SIEM solutions and incorporate identity and access analytics with user and entity behavior analytics to pick out unusual network activity, lateral movement and unusual access to applications. This activity must be escalated quickly and with confidence to security teams in light of forthcoming attacks. Stolen credentials can be identified based on abnormal usage by threat actors, especially as most other detection techniques cannot discern this being an immediate threat.</p>
<p>Additionally, researchers with Trellix found a OneDrive malware campaign which targets government officials in Western Asia by using Microsoft’s Graph API to leverage OneDrive as a command-and-control server. The researchers have named the malware ‘Graphite’ due to its use of Microsoft’s Graph API. The attack takes advantage of an MSHTML remote code execution vulnerability (CVE-2021-40444) to execute a malicious executable in memory. The attack was prepared in July 2021 and eventually deployed between September and November, according to the <a href=\"https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUec7ALqwWWSiElAnTGcnNEYmr01h8kEK2qsgmf3ErktMbaI1UFuQ6ril8zy-2Bph-2FvXqTEsbr7s2Drch5p26O551PrUWJNfzyRwxfC7aKqBvccYENFakDWl4fx0JEAc7lKLuzhZsGThg5VDZM-2B3nwZlnU-3D8pGG_S3RA1gMvL7v1TdZrqvF2X48vY2LyH9KYdxKxBaPFp6Fl1TEEsXDQbgk-2FWPw9Ah5nwh5z3HPLIw79cePUeHvYGbACtpGEOUo9gKA7RdPV7CHYnRZ1BgjoepqPsAq5T4X7OPHmw4iuricWSmMEgE-2BxhZ3inqpVMOQy08WypDQzGfZT7mmTs97GkMRGag0rtk108plZUqb0iSrKzkjqwMlHsxw5s5ZhIXdRPvjDEypIhzab3d4UZlJ-2BCwIuwg4zK5YOy62ppSmTCKjfHKE-2BN-2FlUXLztV34t8u8Yqo2LSced-2FdQGR52XtQvVUnUDTsrdmXzEGqEJGSmUD3XcSwJjtbjOKbcQOlVRd9kuiotUvGHpKmgEjfqX8MXz6hK1gudQPQ-2FK\" target=\"_blank\" rel=\"noopener\" data-saferedirecturl=\"https://www.google.com/url?q=https://u7061146.ct.sendgrid.net/ls/click?upn4tNED-2FM8iDZJQyQ53jATUec7ALqwWWSiElAnTGcnNEYmr01h8kEK2qsgmf3ErktMbaI1UFuQ6ril8zy-2Bph-2FvXqTEsbr7s2Drch5p26O551PrUWJNfzyRwxfC7aKqBvccYENFakDWl4fx0JEAc7lKLuzhZsGThg5VDZM-2B3nwZlnU-3D8pGG_S3RA1gMvL7v1TdZrqvF2X48vY2LyH9KYdxKxBaPFp6Fl1TEEsXDQbgk-2FWPw9Ah5nwh5z3HPLIw79cePUeHvYGbACtpGEOUo9gKA7RdPV7CHYnRZ1BgjoepqPsAq5T4X7OPHmw4iuricWSmMEgE-2BxhZ3inqpVMOQy08WypDQzGfZT7mmTs97GkMRGag0rtk108plZUqb0iSrKzkjqwMlHsxw5s5ZhIXdRPvjDEypIhzab3d4UZlJ-2BCwIuwg4zK5YOy62ppSmTCKjfHKE-2BN-2FlUXLztV34t8u8Yqo2LSced-2FdQGR52XtQvVUnUDTsrdmXzEGqEJGSmUD3XcSwJjtbjOKbcQOlVRd9kuiotUvGHpKmgEjfqX8MXz6hK1gudQPQ-2FK&source=gmail&ust=1643285190068000&usg=AOvVaw0YadaskY8uXhPZsT-DpkRm\">Trellix report</a>. In response to these findings, an expert with Gurucul offers perspective.</p>
<p>As described, this is a multi-stage attack over time that is similar to attacks purported by known threat actor group APT28. Without a strong set of security analytics capabilities that includes behavioral analytics to see abnormal communications, remote code execution, unauthorized file access, and other stages leveraging dwell time to stay hidden, security teams will struggle to identify this campaign quickly enough. This is especially true as most vendor solutions are leveraging rule-based machine learning (ML) models that require updates before being able to identify this variant. Current SIEM and XDR solutions are limited in their ability to do more than produce more indicators of compromise and do not provide the necessary detection for identifying an attack out of the box with both context and confidence. </p>

Last edited 10 months ago by Saryu Nayyar
Ken Westin
Ken Westin , Director, Security Strategy
InfoSec Expert
January 25, 2022 11:48 am

<p>Today, neither organisations nor private citizens should panic due to the <span class=\"il\">DHS</span> bulletin, but should remain vigilant, identify what assets may be targeted, establish plans for business continuity and cyber resilience, and pay attention to the news and threat intelligence if the situation escalates in the coming days.</p>
<p>My concern with Russia today is that they have an arsenal of zero day exploits at the ready, as well as initial access to some targets already. However any zero days they may possess will be “spent” on initial execution, so there is risk in Russia deploying them and exposing their capabilities. The U.S. and allies also have offensive cyber capabilities, and businesses can be caught in the crossfire and be collateral damage. A key target may be not just critical infrastructure, but also our financial and healthcare systems or electricity grids to try and trigger a panic.</p>
<p>While the risk today of a Russian cyber-attack is low, if <span class=\"il\">DHS</span> were aware of a threat and failed to notify law enforcement agencies and the public, the backlash after the fact could be significant. The uncertainty around both the intentions and full capabilities of Russia’s offensive cyber operations makes the situation more stressful for the government as well as businesses. The intelligence alerts and briefings for critical infrastructure and banks are being done out of an abundance of caution to prepare organisations for what could happen, not necessarily what will happen.</p>

Last edited 10 months ago by Ken Westin
Kev Breen
Kev Breen , Director of Cyber Threat research
InfoSec Expert
January 25, 2022 11:46 am

<p>The latest DHS intelligence bulletin warning of a potential Russian cyber attack on the U.S. is not something to be taken lightly. We’ve seen notable ransomware groups operating out of that region, including REvil and DarkSide, with the technical ability to compromise large networks rapidly and at great scale. It would be wrong to assume that the nation state housing such criminal elements doesn’t have a matching capability. An attack of significant magnitude, including a deliberate attack on U.S. critical infrastructure, would almost certainly have wider geopolitical consequences. With this new bulletin, the Department of Homeland Security is working on the basis that to be forewarned is to be forearmed – and preparation is key. In this fast-paced world of constant cyberattacks and zero-day exploits, it’s always better to err on the side of caution. It’s better to assume you are a target and have strategic plans in place to match that of the adversaries’ capabilities. Resilience is as much about planning and exercising capabilities to ensure all potential risks are mitigated, in advance, as well as possible.</p>

Last edited 10 months ago by Kev Breen
4
0
Would love your thoughts, please comment.x
()
x