Reports of a large-scale cyber attack targeting Ukrainian organizations and several government department websites have emerged in recent days. In response, the Cybersecurity & Infrastructure Security Agency (CISA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI) issued a joint advisory to help organizations better understand the threats posed by nation state attackers and mitigation steps to build cyber resilience.
The authors urge defenders — particularly those in critical infrastructure sectors — to be prepared and stay vigilant. This is especially true as evidence of a new wiper malware emerged over the weekend, targeting Ukrainian organizations. While this guidance comes from U.S. government agencies, it is applicable to organizations around the world.
CyberArk Labs and Red Team conducted a technical review of the advisory to recommend event detection and risk mitigation best practices.
Is My Organization at Risk? How to Investigate a Potential Incident
Based on reports of the Ukraine attacks, the intruders were able to execute a start-to-finish compromise by stealing credentials, using the command interpreter and leveraging password stores, to name just a few of their methods. Fortunately for defenders, the attackers triggered numerous red flags — also known as indicators of compromise (IOCs) — along the way.
The CISA advisory outlines tactics, techniques and procedures (TTPs) used by nation state-sponsored advanced persistent threat (APT) actors, based on the MITRE ATT&CK framework. We will focus on three key categories: Execution, Persistence and Credential Access. If you believe your organization has been targeted in an APT-style attack, CyberArk recommends following these investigative steps to spot IOCs throughout the attack chain, gauge risk severity and respond quickly.
Execution
In this stage, the attackers used CMD.exe and PowerShell to execute commands and tasks on remote machines.
IOCs and Detection Steps: [table not captured]
Persistence
As they worked to establish persistence, the attackers were observed obtaining credentials through several different mechanisms.
Brute force password attacks. Attackers conducted brute-force password guessing and password spraying campaigns to see which credentials would obtain valid access.
IOCs and Detection Steps: [table not captured]
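Both behaviours named above leave a distinctive shape in failed-logon (Event ID 4625) data: spraying is one source failing against many accounts, brute force is many failures against one account. The detector below is an added example over constructed events, not part of the advisory or CyberArk's tooling; account names, IPs and thresholds are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4625 (failed logon) events: (timestamp, target account, source IP, NTSTATUS).
# 0xC000006A = wrong password; 0xC0000064 = account does not exist.
FAILED_LOGONS = [
    ("2022-01-17T08:00:01", "alice", "10.0.0.99", "0xC000006A"),
    ("2022-01-17T08:00:02", "bob", "10.0.0.99", "0xC000006A"),
    ("2022-01-17T08:00:03", "carol", "10.0.0.99", "0xC000006A"),
    ("2022-01-17T08:00:04", "dave", "10.0.0.99", "0xC0000064"),
    ("2022-01-17T08:00:05", "erin", "10.0.0.99", "0xC000006A"),
    ("2022-01-17T08:00:06", "frank", "10.0.0.99", "0xC000006A"),
    ("2022-01-17T09:00:00", "bob", "10.0.0.7", "0xC000006A"),   # an ordinary typo
    ("2022-01-17T09:00:20", "bob", "10.0.0.7", "0xC000006A"),
]
# One account hammered from one source: 7 failures within 30 seconds.
FAILED_LOGONS += [(f"2022-01-17T08:15:{s:02d}", "alice", "10.0.0.5", "0xC000006A")
                  for s in range(0, 35, 5)]

def _group(events, key_idx):
    """Parse events into (time, account, source) rows and bucket them by one field."""
    groups = defaultdict(list)
    for ts, acct, src, _ in events:
        row = (datetime.fromisoformat(ts), acct.lower(), src)
        groups[row[key_idx]].append(row)
    return groups

def find_password_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Sources that failed logons for >= min_accounts distinct accounts inside one window."""
    alerts = {}
    for src, rows in _group(events, 2).items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):
            accts = {a for t, a, _ in rows[i:] if t - t0 <= window}
            if len(accts) >= min_accounts:
                alerts[src] = alerts.get(src, set()) | accts
    return alerts

def find_brute_force(events, window=timedelta(minutes=10), min_failures=6):
    """Accounts with >= min_failures failed logons inside one window (any source)."""
    alerts = {}
    for acct, rows in _group(events, 1).items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):
            n = sum(1 for t, _, _ in rows[i:] if t - t0 <= window)
            if n >= min_failures:
                alerts[acct] = max(alerts.get(acct, 0), n)
    return alerts

if __name__ == "__main__":
    print("spraying:", find_password_spraying(FAILED_LOGONS))
    print("brute force:", find_brute_force(FAILED_LOGONS))
```

In production the same logic runs over 4625 (and 4771/4776 for Kerberos and NTLM) with thresholds tuned to the lockout policy, since sprayers deliberately stay below it per account.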
Kerberoasting. Kerberoasting is when a single user account requests service tickets for service accounts in the domain, brute-forces those tickets offline to recover the service accounts’ plaintext passwords, and then uses the accounts and their permissions directly within the network.
IOCs and Detection Steps: [table not captured]
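Service ticket requests are logged as Event ID 4769, and two fields expose the behaviour described above: the ticket encryption type (0x17 is RC4-HMAC, the type an offline brute-force targets) and the rate at which one requester collects tickets for distinct service accounts. The checks below are an added example over constructed events, not the advisory's detection steps; users, service names and thresholds are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # ticket encryption type Kerberoasting relies on (AES is 0x11/0x12)

# Constructed 4769 (service ticket request) events; hypothetical users and SPN accounts.
# (timestamp, requesting account, service name, ticket encryption type, client IP)
TGS_REQUESTS = [
    ("2022-01-17T10:00:00", "jdoe", "WS-42$", 0x12, "10.0.0.42"),
    ("2022-01-17T10:00:05", "jdoe", "svc_sql", 0x12, "10.0.0.42"),
    ("2022-01-17T10:20:00", "mallory", "svc_sql", 0x17, "10.0.0.77"),
    ("2022-01-17T10:20:01", "mallory", "svc_web", 0x17, "10.0.0.77"),
    ("2022-01-17T10:20:02", "mallory", "svc_backup", 0x17, "10.0.0.77"),
    ("2022-01-17T10:20:03", "mallory", "svc_report", 0x17, "10.0.0.77"),
    ("2022-01-17T10:20:04", "mallory", "krbtgt", 0x12, "10.0.0.77"),
]

def is_user_service_account(service):
    """Computer accounts (name ends in $) and krbtgt are not Kerberoasting targets."""
    s = service.lower()
    return not s.endswith("$") and s != "krbtgt"

def rc4_service_tickets(events):
    """RC4 tickets issued for user-type service accounts: the tickets an AES-only
    policy should eliminate, and the ones cheapest to brute-force offline."""
    return [(req, svc) for _, req, svc, etype, _ in events
            if etype == RC4_HMAC and is_user_service_account(svc)]

def roasting_sweeps(events, window=timedelta(minutes=5), min_services=3):
    """Requesters that pulled tickets for >= min_services distinct service
    accounts within `window`, whatever the encryption type."""
    by_req = defaultdict(list)
    for ts, req, svc, _, _ in events:
        if is_user_service_account(svc):
            by_req[req.lower()].append((datetime.fromisoformat(ts), svc.lower()))
    alerts = {}
    for req, rows in by_req.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            svcs = {s for t, s in rows[i:] if t - t0 <= window}
            if len(svcs) >= min_services:
                alerts[req] = alerts.get(req, set()) | svcs
    return alerts

if __name__ == "__main__":
    print("RC4 service tickets:", rc4_service_tickets(TGS_REQUESTS))
    print("sweeps:", roasting_sweeps(TGS_REQUESTS))
```

The RC4 check doubles as a measure of the AES-only mitigation discussed later: once service accounts are AES-only, any 0x17 ticket for one of them is worth an alert on its own.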
OS Credential Dumping. The APT actors were observed exfiltrating credentials and exporting copies of the Active Directory database ntds.dit.
IOCs and Detection Steps: [table not captured]
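Both the remote cmd.exe/PowerShell execution from the Execution section and the ntds.dit export described here surface in process-creation telemetry (Event ID 4688 with command-line auditing, or an EDR equivalent). The triage rules below are an added example, not the advisory's IOC table or CyberArk code; the hosts, command lines and rule list are constructed and illustrative.

```python
import re

# Constructed 4688-style process creation events (hypothetical hosts and commands).
EVENTS = [
    {"id": 1, "host": "WS-42", "parent": r"C:\Windows\System32\wsmprovhost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMAZABlAGYAZwBoAGkAagBrAGwAbQBuAG8A"},
    {"id": 2, "host": "WS-42", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"id": 3, "host": "DC-01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\temp\\out" q q'},
    {"id": 4, "host": "DC-01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin create shadow /for=C:"},
]

# Parents that host remotely initiated commands: WinRM, WMI and PsExec's service.
REMOTE_HOST_PARENTS = {"wsmprovhost.exe", "wmiprvse.exe", "psexesvc.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Command-line rules, matched against the lower-cased command line.
CMDLINE_RULES = [
    ("powershell_encoded_command", re.compile(r"\s-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}")),
    ("powershell_hidden_noprofile", re.compile(r"-nop\b.*-w(indowstyle)?\s+hidden")),
    ("ntds_export_ntdsutil", re.compile(r"ntdsutil.*\b(ifm|ntds)\b")),
    ("ntds_shadow_copy", re.compile(r"vssadmin.*create\s+shadow|diskshadow|esentutl.*ntds\.dit")),
    ("ntds_dit_path", re.compile(r"ntds\.dit")),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage_event(ev):
    """Return the names of all rules that fire for one event (empty list if none)."""
    hits = []
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"].lower()
    if image in SHELLS and parent in REMOTE_HOST_PARENTS:
        hits.append("remote_shell_via_" + parent.rsplit(".", 1)[0])
    hits += [name for name, rx in CMDLINE_RULES if rx.search(cmd)]
    return hits

def triage(events):
    """Map event id -> rule hits, keeping only events that matched at least one rule."""
    return {ev["id"]: hits for ev in events if (hits := triage_event(ev))}

if __name__ == "__main__":
    for event_id, hits in triage(EVENTS).items():
        print(event_id, ", ".join(hits))
```

Any ntdsutil or shadow-copy hit on a domain controller outside a known backup window deserves immediate follow-up, since the legitimate reasons to export ntds.dit are few and scheduled.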
Credential Access
From there, the attackers looked for vulnerabilities to exploit and searched compromised systems for private key and certificate files and other insecurely stored credentials.
Obtain Private Keys. The attackers also obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates and perform a Golden SAML attack, which gave them access to anything that trusts SAML tokens within the environment.
IOCs and Detection Steps: [table not captured]
Exploitation. The attackers also reportedly leveraged an exploit called “NetLogon” (CVE-2020-1472). This exploit essentially allows an attacker to impersonate any account on the network and change the password of the domain controller machine account, for example, to gain full access to the domain.
IOCs and Detection Steps: [table not captured]
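The password change this exploit performs on the domain controller's machine account is recorded like any other: as a 4742 ("computer account was changed") event, but with ANONYMOUS LOGON (SID S-1-5-7) as the subject, which no legitimate reset produces. Patched domain controllers also log the Netlogon events Microsoft added with the CVE-2020-1472 update (5827/5828 for denied vulnerable connections, 5829 to 5831 for allowed ones). The checks below are an added example over constructed events, not the advisory's IOCs; the domain, hosts and SIDs are hypothetical.

```python
ANONYMOUS_LOGON_SID = "S-1-5-7"
# Netlogon event IDs added by the CVE-2020-1472 update (Microsoft KB4557222):
# 5827/5828 = vulnerable secure-channel connection denied, 5829-5831 = allowed.
VULN_NETLOGON_DENIED = {5827, 5828}
VULN_NETLOGON_ALLOWED = {5829, 5830, 5831}

# Constructed events (hypothetical domain, hosts and SIDs). "password_last_set" is the
# 4742 attribute field; "-" means the attribute was not changed by this event.
DC_ACCOUNTS = {"dc-01$"}
EVENTS = [
    {"id": 4742, "dc": "DC-01", "subject_sid": "S-1-5-21-1-2-3-1105",
     "subject": r"CORP\svc_join", "target": "WS-42$", "password_last_set": "1/17/2022 9:00:00 AM"},
    {"id": 4742, "dc": "DC-01", "subject_sid": "S-1-5-21-1-2-3-1105",
     "subject": r"CORP\svc_join", "target": "WS-43$", "password_last_set": "-"},
    {"id": 4742, "dc": "DC-01", "subject_sid": "S-1-5-7",
     "subject": r"NT AUTHORITY\ANONYMOUS LOGON", "target": "DC-01$", "password_last_set": "1/17/2022 9:05:12 AM"},
    {"id": 5829, "dc": "DC-01", "machine": "WS-42$", "client_ip": "10.0.0.77"},
    {"id": 5827, "dc": "DC-01", "machine": "OLDNAS$", "client_ip": "10.0.0.9"},
]

def zerologon_findings(events, dc_accounts=DC_ACCOUNTS):
    """Return (severity, message) pairs for events consistent with CVE-2020-1472 activity."""
    findings = []
    for ev in events:
        if ev["id"] == 4742:
            # A legitimate machine password reset is done by the computer itself or an
            # administrator, never by an anonymous (null-session) caller.
            if ev["subject_sid"] == ANONYMOUS_LOGON_SID and ev["password_last_set"] != "-":
                sev = "critical" if ev["target"].lower() in dc_accounts else "high"
                findings.append((sev, f"{ev['target']} password reset by ANONYMOUS LOGON via {ev['dc']}"))
        elif ev["id"] in VULN_NETLOGON_ALLOWED:
            findings.append(("high", f"{ev['dc']} allowed a vulnerable Netlogon channel from "
                                     f"{ev['machine']} ({ev['client_ip']}); enforcement off or policy exception"))
        elif ev["id"] in VULN_NETLOGON_DENIED:
            findings.append(("info", f"{ev['dc']} denied a vulnerable Netlogon channel from "
                                     f"{ev['machine']} ({ev['client_ip']}); check that client's patch state"))
    return findings

if __name__ == "__main__":
    for sev, msg in zerologon_findings(EVENTS):
        print(f"[{sev}] {msg}")
```

A DC machine-account reset by ANONYMOUS LOGON also breaks replication for that DC, so a sudden burst of replication errors from one controller is a secondary signal worth correlating.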
Best Practices for Risk Mitigation
Protecting organizations against increasingly sophisticated cyber attacks calls for an improved security posture centered on securing identities and safeguarding privileged access.
In most attacks — regardless of who is behind them — the identity layer is the first entry point into an organization’s environment. Advisory authors note that attackers have “demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments — including cloud environments — by using legitimate credentials.”
In addition to best practices such as implementing multi-factor authentication (MFA); adopting endpoint detection and response (EDR) and anti-virus (AV) solutions; regularly installing patches and requiring strong password practices, these additional cybersecurity steps should be followed as part of a defense in depth approach:
- Use application controls. Don’t allow execution of arbitrary executables, as many legitimate executables can be abused to execute arbitrary commands. The CISA advisory points to nation state attackers who have used cmd.exe and PowerShell to execute commands and tasks on remote machines.
- Limit accounts and Shadow Admins. Enforce least privilege access consistently throughout your organization by disabling unnecessary accounts. Limiting privilege is essential, as attackers will target high-value assets and reach them by stealing credentials and escalating privileges. Threat detection capabilities can help speed detection and block credential theft attempts. For example, zBang, an open source tool, can be used to detect Shadow Admins: stealthy user identities that hold sensitive permissions granting them the ability to escalate privileges in cloud environments. These entities, which often arise from misconfigurations or lack of awareness, can be targeted by attackers, putting the entire environment at risk.
- Secure backups. Take steps to ensure domain controller backups are properly secured, as attackers may try to access or create a copy of the Active Directory domain database to steal credential information or other data about devices, users and access rights. Consider tools with threat detection capabilities to protect the NTDS file that stores sensitive Active Directory data.
- Use AES Kerberos encryption. Ensure AES Kerberos encryption is used instead of RC4, to help prevent adversaries from abusing a valid Kerberos ticket-granting ticket (TGT) or sniffing network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to brute force. The zBang tool’s RiskySPN module can be used to help detect targets for Kerberoasting.
- Protect credential certificates. Protect stored certificates to block attempts to steal token-signing certificates and mitigate threats such as the Golden SAML attack.
The following CyberArk Identity Security offerings can help organizations protect against cyber threats and comply with the latest CISA advisory guidance: