CISA on Ukraine Cyber Attacks: Are You at Risk?

January 19, 2022 Lavi Lazarovitz, Shay Nahari, and Arash Parsa

 

Ukraine Attacks CISA Advisory

Reports of a large-scale cyber attack targeting Ukrainian organizations and several government department websites have emerged in recent days. In response, the Cybersecurity & Infrastructure Security Agency (CISA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI) issued a joint advisory to help organizations better understand the threats posed by nation state attackers and mitigation steps to build cyber resilience.

The authors urge defenders — particularly those in critical infrastructure sectors — to be prepared and stay vigilant. This is especially true as evidence of a new wiper malware emerged over the weekend, targeting Ukrainian organizations. While this guidance comes from U.S. government agencies, it is applicable to organizations around the world.

CyberArk Labs and Red Team conducted a technical review of the advisory to recommend event detection and risk mitigation best practices.

Is My Organization at Risk? How to Investigate a Potential Incident

Based on reports of the Ukraine attacks, the intruders were able to execute a start-to-finish compromise by stealing credentials, using the command interpreter and leveraging password stores, to name just a few of their methods. Fortunately for defenders, the attackers triggered numerous red flags — also known as indicators of compromise (IOCs) — along the way.

The CISA advisory outlines tactics, techniques and procedures (TTPs) used by nation state-sponsored advanced persistent threat (APT) actors, based on the MITRE ATT&CK framework. We will focus on three key categories: Execution, Persistence and Credential Access. If you believe your organization has been targeted in an APT-style attack, CyberArk recommends following these investigative steps to spot IOCs throughout the attack chain, gauge risk severity and respond quickly.

Execution

In this stage, the attackers used CMD.exe and PowerShell to execute commands and tasks on remote machines.

IOCs
  • Often when cmd.exe is used to execute remote commands, we see it invoked with the “/c” switch. These executions are usually uncommon enough that we can successfully sift through them.
  • The user creating the cmd.exe is relevant as well. Often, we won’t see the SYSTEM user creating cmd.exe shells.
  • The parent process tree here can be incredibly useful. You will usually see cmd.exe run as a child of certain processes, such as explorer.exe when a user double-clicks it. If a strange parent is spotted, this can be a great IOC for monitoring.
Detection Steps
  • Windows Event Logs event ID 4688 can provide new process creations as well as their command line arguments. We can monitor all cmd.exe /c executions with this event ID, as well as the additional arguments to identify potential malicious activity.
  • The same event ID provides the user creating the process. Use this to monitor for suspicious users accessing cmd.exe.
  • It also provides the parent process that created the new process. Use this to find strange parent processes creating cmd.exe, such as outlook.exe.
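The three 4688 checks above (the /c switch, the SYSTEM user and an unexpected parent) combined into one triage routine, as an added example that is not part of the advisory or of CyberArk's tooling; the field names mirror the 4688 record, and the expected and high-risk parent lists are assumptions to tune per environment:

```python
from collections import namedtuple

# One Event ID 4688 record, reduced to the four fields the IOCs above rely on.
Event4688 = namedtuple("Event4688", "new_process command_line user parent")

# Parents that normally spawn an interactive shell (assumption; tune per environment).
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe"}
# Parents that should practically never spawn cmd.exe (assumption, as in the outlook.exe case).
HIGH_RISK_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "w3wp.exe"}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify_4688(ev):
    """Return the IOC tags that fire for one 4688 record; an empty list means no flag."""
    if _basename(ev.new_process) != "cmd.exe":
        return []
    tags = []
    if "/c" in ev.command_line.lower().split():
        tags.append("cmd_slash_c")        # one-shot command, typical of remote execution
    if ev.user.upper() == "SYSTEM":
        tags.append("system_user")        # SYSTEM rarely opens a shell by itself
    parent = _basename(ev.parent)
    if parent in HIGH_RISK_PARENTS:
        tags.append("high_risk_parent")
    elif parent not in EXPECTED_PARENTS:
        tags.append("unusual_parent")
    return tags

def triage(events):
    """Records that raise at least one flag, paired with their tags."""
    return [(ev, classify_4688(ev)) for ev in events if classify_4688(ev)]

# Constructed sample records, not real telemetry.
SAMPLE = [
    Event4688(r"C:\Windows\System32\cmd.exe", "cmd.exe", "jdoe", r"C:\Windows\explorer.exe"),
    Event4688(r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "whoami /all"', "jdoe",
              r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    Event4688(r"C:\Windows\System32\cmd.exe", "cmd.exe /c tasklist", "SYSTEM",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    Event4688(r"C:\Windows\System32\notepad.exe", "notepad.exe", "jdoe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev, tags in triage(SAMPLE):
        print(f"{ev.user:8} parent={_basename(ev.parent):14} {tags}")
```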

 

Persistence

As they worked to establish persistence, the attackers were observed obtaining credentials through several different mechanisms.

Brute force password attacks. Attackers conducted brute-force password guessing and password spraying campaigns to see which credentials would obtain valid access.

IOC
  • A large number of logon failures from a single user, or many logon failures across the organization in quick succession.
Detection Steps
  • Alerts can be generated for this by watching for many failed logon events using Windows Event ID 4625.

 

Kerberoasting. In Kerberoasting, a single user requests service tickets for service accounts within the domain in order to brute force the service accounts’ passwords to plaintext, then uses the account and its permissions directly within the network.

IOCs
  • During a kerberoast, attackers will often attempt to do a downgrade from AES to RC4 to get a value that will be easier to brute force.
  • Attackers will often target all service accounts within a domain, which will generate large numbers of requests for a single user.
Detection Steps
  • Windows Event ID 4769 provides details on new Kerberos service tickets being granted. Observing the “Ticket Encryption Type” parameter, detections can be generated on DES (0x1 and 0x3) and RC4 (0x17 and 0x18) encryption types for further review.
  • Observe, via Windows Event ID 4769, many service ticket requests by a single user across multiple services within a short time frame, as users generally aren’t attempting to authenticate to 10+ services at once.
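Both 4769 checks above (DES/RC4 ticket encryption types, and one user requesting tickets for many distinct services in a short window) as an added example that is not code from the advisory or from CyberArk; the threshold of 10 services follows the text, while the five-minute window and the record layout are assumptions:

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# One Event ID 4769 record: requesting account, target service (SPN) and "Ticket Encryption Type".
Event4769 = namedtuple("Event4769", "time user service etype")

# Encryption types the detection step above singles out for review.
WEAK_ETYPES = {"0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5",
               "0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP"}
SERVICE_THRESHOLD = 10            # "10+ services at once", per the text
WINDOW = timedelta(minutes=5)     # assumed lookback window

def weak_encryption_hits(events):
    """Tickets issued with a DES or RC4 etype, paired with the etype name."""
    return [(ev, WEAK_ETYPES[ev.etype]) for ev in events if ev.etype in WEAK_ETYPES]

def bulk_requesters(events, threshold=SERVICE_THRESHOLD, window=WINDOW):
    """Map user -> distinct service count for users that hit >= threshold services in one window."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        by_user[ev.user].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            # Distinct SPNs requested in the window that opens at this event.
            services = {e.service for e in evs[i:] if e.time - first.time <= window}
            if len(services) >= threshold:
                flagged[user] = len(services)
                break
    return flagged

# Constructed sample: one account sweeping 12 SPNs with RC4 in a minute, one normal user on AES.
T0 = datetime(2022, 1, 15, 3, 0, 0)
SAMPLE = [Event4769(T0 + timedelta(seconds=5 * i), "jsmith", f"svc_app{i:02d}/host{i:02d}", "0x17")
          for i in range(12)]
SAMPLE += [Event4769(T0 + timedelta(minutes=1), "alice", "cifs/fs01", "0x12"),
           Event4769(T0 + timedelta(minutes=2), "alice", "http/intranet", "0x12")]

if __name__ == "__main__":
    print(f"{len(weak_encryption_hits(SAMPLE))} tickets with DES/RC4 etypes")
    for user, count in bulk_requesters(SAMPLE).items():
        print(f"{user}: {count} distinct services inside {WINDOW}")
```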

 

OS Credential Dumping. The APT actors were observed exfiltrating credentials and exporting copies of the Active Directory database ntds.dit.

IOCs
  • Access to the ntds.dit file. Depending on your environment and how backups are enabled, you may have false positives here. The goal is to monitor access to the ntds.dit for any attempt at abnormal access, outside of normal hours or from an abnormal user or machine, for example.
Detection Steps
  • Windows Event ID 4663 can be used to observe access to the ntds.dit file. To narrow down the results, focus on Read-type accesses, since a read (or something similar) is all that’s required to copy the file.
  • VSSAdmin.exe executions for shadow copies can also be observed using this event ID, to spot abnormal backup runs.

 

Credential Access

From there, the attackers looked for vulnerabilities to exploit, and searched compromised systems for private key and certificate files and other insecurely stored credentials.

Obtain Private Keys. The attackers also obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates and perform a Golden SAML attack, which gave them access to anything that trusts SAML tokens within the environment.

IOCs
  • Unusual file access to the encryption keys.
  • Authentications within the service provider that don’t exist within the identity provider. (Golden SAML event IDs 1200 and 1202 from the ADFS server can be used to identify this information.)
Detection Steps
  • Windows Event ID 4633 can be used to validate access to private key files. You can monitor READ type access to certain files ending with .ppk, for example, or any standard your company may use.
  • Monitor authentications in the service provider that did not generate corresponding Event IDs 1200 and 1202 on the ADFS server.
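The correlation in the last step above (service-provider logons with no matching token issuance on the ADFS server) as an added example that is not part of the advisory or of any CyberArk product; the reduced log shapes and the ten-minute skew are assumptions, since real ADFS 1200/1202 records and application logs need field mapping first:

```python
from collections import namedtuple
from datetime import datetime, timedelta

AdfsEvent = namedtuple("AdfsEvent", "time event_id user")   # ADFS server log, reduced
SpLogon = namedtuple("SpLogon", "time user app")             # service-provider side logon

ISSUANCE_IDS = {1200, 1202}        # token issued / credential validated on the ADFS server
MAX_SKEW = timedelta(minutes=10)   # assumed: an SP logon should follow issuance within this

def unmatched_sp_logons(sp_logons, adfs_events, skew=MAX_SKEW):
    """SP logons that no ADFS 1200/1202 for the same user precedes within `skew`.

    A forged (Golden SAML) token is signed outside ADFS, so ADFS never logs
    its issuance while the service provider still accepts it.
    """
    issued = [e for e in adfs_events if e.event_id in ISSUANCE_IDS]
    orphans = []
    for logon in sp_logons:
        backed = any(e.user.lower() == logon.user.lower()
                     and timedelta(0) <= logon.time - e.time <= skew
                     for e in issued)
        if not backed:
            orphans.append(logon)
    return orphans

# Constructed sample logs (no real identities).
T0 = datetime(2022, 1, 14, 9, 0, 0)
ADFS = [
    AdfsEvent(T0, 1202, "bob@corp.example"),
    AdfsEvent(T0 + timedelta(seconds=1), 1200, "bob@corp.example"),
    AdfsEvent(T0 + timedelta(minutes=1), 1200, "dana@corp.example"),
]
SP = [
    SpLogon(T0 + timedelta(seconds=30), "bob@corp.example", "mail"),           # backed by ADFS
    SpLogon(T0 + timedelta(minutes=3), "dana@corp.example", "files"),          # backed by ADFS
    SpLogon(T0 + timedelta(minutes=5), "carol@corp.example", "admin-portal"),  # no ADFS issuance
]

if __name__ == "__main__":
    for logon in unmatched_sp_logons(SP, ADFS):
        print(f"review: {logon.user} -> {logon.app} at {logon.time:%H:%M:%S} (no ADFS 1200/1202)")
```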

 

Exploitation. The attackers also reportedly leveraged an exploit called “NetLogon” (CVE-2020-1472). This exploit essentially allows an attacker to impersonate any account on the network and change the password of the domain controller machine account, for example, to gain full access to the domain.

IOCs
  • IOCs can include anonymous logon events, a machine account having its password changed (as it shouldn’t happen often) and NetLogon attempts to the same system at the same time.
Detection Steps
  • Windows Event ID 4742 can be used to observe a machine account password change and Event ID 5805 can be used to observe NetLogon attempts. Observing a 4742 password change attempt at the same time as multiple 5805 events get generated for the same machine will validate a possible exploit attempt.
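The 4742/5805 correlation above as an added example, not from the advisory or from CyberArk; the two-minute window and the minimum of three 5805 events are assumptions, and the computer name is taken from the 4742 target account (with its trailing $) and from the 5805 message:

```python
from collections import namedtuple
from datetime import datetime, timedelta

# A Security (4742) or System (5805) log record reduced to the fields the check needs.
Event = namedtuple("Event", "time event_id computer")

WINDOW = timedelta(minutes=2)   # assumed: 5805s "at the same time" as the 4742
MIN_NETLOGON_FAILS = 3          # assumed: several failed Netlogon attempts, not one

def _host(name):
    """Normalise 'DC01$' (4742 target account) and 'DC01' (5805 message) to one key."""
    return name.rstrip("$").lower()

def zerologon_candidates(events, window=WINDOW, min_fails=MIN_NETLOGON_FAILS):
    """Return (computer, change_time, 5805_count) for each machine-account password
    change (4742) surrounded by >= min_fails Netlogon failures (5805) for that machine."""
    changes = [e for e in events if e.event_id == 4742]
    netlogon = [e for e in events if e.event_id == 5805]
    hits = []
    for chg in changes:
        nearby = [e for e in netlogon
                  if _host(e.computer) == _host(chg.computer)
                  and abs(e.time - chg.time) <= window]
        if len(nearby) >= min_fails:
            hits.append((chg.computer, chg.time, len(nearby)))
    return hits

# Constructed sample: a burst of 5805s for DC01 right before its account password changes,
# and a routine machine-account rotation for a workstation with no Netlogon noise.
T0 = datetime(2022, 1, 14, 2, 17, 0)
SAMPLE = [Event(T0 - timedelta(seconds=40 - 5 * i), 5805, "DC01") for i in range(6)]
SAMPLE += [Event(T0, 4742, "DC01$"),
           Event(T0 + timedelta(hours=6), 4742, "WS07$")]

if __name__ == "__main__":
    for computer, when, count in zerologon_candidates(SAMPLE):
        print(f"possible CVE-2020-1472 attempt: {computer} password changed at {when:%H:%M:%S} "
              f"with {count} Netlogon failures (5805) within {WINDOW}")
```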

 

Best Practices for Risk Mitigation

Protecting organizations against increasingly sophisticated cyber attacks calls for an improved security posture centered on securing identities and safeguarding privileged access.

In most attacks — regardless of who is behind them — the identity layer is the first entry point into an organization’s environment. Advisory authors note that attackers have “demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments — including cloud environments — by using legitimate credentials.”

In addition to best practices such as implementing multi-factor authentication (MFA); adopting endpoint detection and response (EDR) and anti-virus (AV) solutions; regularly installing patches and requiring strong password practices, these additional cybersecurity steps should be followed as part of a defense in depth approach:

  • Use application controls. Don’t allow execution of arbitrary executables, as many legitimate executables can be used to indirectly execute arbitrary commands. The CISA advisory points to nation state attackers who have used cmd.exe and PowerShell to execute commands and tasks on remote machines.
  • Limit accounts and Shadow Admins. Enforce least privilege access consistently throughout your organization by disabling unnecessary accounts. Limiting privilege is essential, as attackers will target high-value assets and access them by stealing credentials and escalating privileges. Threat detection capabilities can help speed detection and block credential theft attempts. For example, zBang, an open source tool, can be used to detect Shadow Admins: stealthy user identities that have sensitive permissions granting them the ability to escalate privileges in cloud environments. These entities, which often arise from misconfigurations or lack of awareness, can be targeted by attackers, putting the entire environment at risk.
  • Secure backups. Take steps to ensure domain controller backups are properly secured, as attackers may try to access or create a copy of the Active Directory domain database to steal credential information or other data about devices, users and access rights. Consider tools with threat detection capabilities to protect the NTDS file that stores sensitive Active Directory data.
  • Use AES Kerberos encryption. Ensure AES Kerberos encryption is used instead of RC4, to help prevent adversaries from abusing a valid Kerberos ticket-granting ticket (TGT) or sniffing network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to brute force. The zBang tool’s RiskySPN module can be used to help detect targets for kerberoasting.
  • Protect credential certificates. Protect stored certificates to block attempts to steal token-signing certificates and mitigate threats such as the Golden SAML attack.

The following CyberArk Identity Security offerings can help organizations protect against cyber threats and comply with the latest CISA advisory guidance:

 
