As the current situation continues to evolve, the Kudelski Security Cyber Fusion Center is
continuously adapting our response to events, intelligence, and new details being released. For
details on how the CFC is responding to newly released information, please review the following
updates.
- Notified Vulnerability Scanning Clients of Newly Identified Vulnerabilities Known to be Actively Exploited
On March 3rd, the United States Cybersecurity and Infrastructure Security Agency (CISA) updated
their catalog of known commonly exploited vulnerabilities and added 95 new entries after increased analysis of suspected Russian intrusions. The bulk of these newly added vulnerabilities appear to have been actively exploited by Russian threat actors, and as such, should be prioritized for remediation. In response to this new set of known exploited vulnerabilities, the CFC has reviewed vulnerabilities found for clients of the Kudelski Security’s Vulnerability Scanning Service, the CFC proactively updated all impacted clients with the list of known exploited vulnerabilities on their internet-exposed systems.
2. Fine Tuning of Volume Shadow Copy (VSC) Auditing for MDR For Endpoint clients
with CrowdStrike Falcon
For clients of the CFC’s MDR for Endpoints service, the CFC continues to fine tune the extra visibility on enabled to identify tampering with Windows Volume Shadow Copy (VSC) “backups”. The CFC has analyzed and reviewed all alerts generated and is working with clients for to gather additional input regarding the legitimacy of the activity observed. The CFC will await client’s feedback in order to fine tune configurations prior to enabling the VSC deletion features in order minimize disruption of any legitimate activity.
3. Analysis and Vigilance of New WMI and SMB Worm used to deploy HermetricWiper
in Ukraine
The CFC has continued to monitor information and research about the malicious software deployed against Ukraine. As part of this monitoring, the Kudelski Security Detection Engineering team analyzed the worm component named “HermeticWizzard” to ensure the CFC’s security analysis team remained informed about how destructive attacks against Ukraine were carried out. As an example of this analysis, the following diagram was created by our team describing the logic and potential indicators of compromise of this new worm component:
4. Validation of Newly Deployed Claroty Signatures for MDR for O.T Clients
For our MDR for O.T clients, on February 27th, Claroty released a new threat bundle that included new and updated detections for HermeticWiper and additional detections for newly discovered malware dubbed “SockDetour”. SockDetour is a highly stealthy malware used as a secondary implant on compromised Windows servers since at least July 2019. As we already ensured all our Claroty Continuous Threat Detection (CTD) deployments are configured to receive automatic signature updates, all MDR for O.T. clients have already benefitted from these extra detection capabilities.
5. Continuous Vigilance and Advisory Development
In addition to the previous measures, the CFC released an advisory on Cyclops Blink, a new malware that appears to be a replacement of the previously discovered and documented VPNFilter malware. While Cyclops Blink is known to only target SOHO devices from WatchGuard so far, an assessment of the malware reveals that it could also be compiled and deployed onto other architectures and SOHO networking equipment. This information leads CFC to continuously monitor this threat and its evolution in order to identify potentially infected system and provide clients with mitigation and remediation steps as soon as possible.
Summary
As communicated previously, the Kudelski Security Cyber Fusion Center is aware of and actively
monitoring the current global tensions resulting from the events surrounding Russia and Ukraine. The United States Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory regarding potential Russian attempts to utilize cyber-attacks for force projection and as a response to western sanctions.
There are currently no specific threats targeting the United States, other NATO members or partner countries. However, Russian interests have recently expressed discontent with ongoing sanctions and have shown willingness to target “sensitive” assets. Additionally, the CFC is aware of several cyber-criminal groups (such as the Conti ransomware group) who have pledged to attack critical infrastructure of “Russian enemies” in the event that a cyber-attack is launched against Russia. In light of these threats and the ongoing situation with Ukraine, the Cyber Fusion Center is operating with increased vigilance and is actively monitoring for potential cyber-attack related activity as part of these increased tensions. This increased vigilance will continue until tensions ease.
Additionally, the CFC is aware of active deployment of data wipers (dubbed “HermeticWiper”) being discovered and potentially deployed in critical infrastructure within Ukraine. These wipers have also been discovered on systems of Ukrainian government contractors based in Latvia and Lithuania.
The CFC strongly recommends all clients and organizations investigate systems that may be
vulnerable to CISA’s “Known Exploited Vulnerabilities” listed here:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
The CFC will continue to monitor the situation and provide our CFC analyst team and clients any
additional technical and cyber security related insights.
What the Cyber Fusion Center is doing
1. Identified Known Exploited Vulnerabilities discovered on vulnerability scanning
client perimeters
For clients using Kudelski Security’s Vulnerability Scanning Service, the CFC has proactively
reviewed vulnerability scan results for internet-exposed systems for vulnerabilities that are known to be actively exploited, according to CISA.
The CFC has prioritized identifying vulnerabilities known to be used by Russian Threat Actors. For
clients who have known exploited vulnerabilities on their internet perimeter, the CFC has opened
cases to communicate which assets may be vulnerable and should be remediated as soon
possible.
Cyber Fusion Center strongly suggests clients who use the Kudelski Security Vulnerability Scanning service to validate their vulnerability scanning scope to ensure all internet facing assets are being properly scanned.
2. Enabling Additional visibility into wiper and ransomware technical precursors or
MDR for Endpoint clients
Based on guidance from our Detection Engineering and Incident Response organizations, the CFC is working to enable additional CrowdStrike visibility (Volume Shadow Copy – Audit) for technical precursors of ransomware across the client base. As this additional audit visibility may generate false positive CrowdStrike detections, the CFC will be investigating all volume shadow copy related activity, escalating activity believed to be suspicious, and tuning as appropriate.
The CFC will monitor for the effects of the auditing policy mentioned above, and for clients with
CrowdStrike’s Prevent module, the CFC may recommend enabling specific Crowdstrike features
that prevent the deletion of Windows “backups” (volume shadow copies). The CFC will
communicate with clients and get approval prior to enabling any preventative controls.
Note: No additional auditing is currently required for clients with Microsoft Defender for Endpoint.
3. Enabling automatic updates of Claroty threat detection signatures for MDR for O.T
clients
The CFC has worked to ensure all Claroty Continuous Threat Detection (CTD) deployments are
configured to receive automatic updates to passive Claroty threat signatures. Additionally, we’ve
worked with Claroty to confirm that the Claroty team will release additional threat signatures as
the situation evolves.
4. Continuous monitoring and vigilance
The Kudelski Security Incident Response, Detection Engineering, and Cyber Fusion Center teams
continues to monitor events and provide guidance to both our clients and the CFC.
Please note that that the CFC is working diligently to provide the best detection and response
capabilities possible during this time of heighten tension. However, some of the activities
performed in order to provide better service may lead to an increased number of security events
that need to be triaged and investigated on your behalf by the CFC.
This bulletin and guidance will be updated as the situation develops.
Sources
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• https://www.cisa.gov/shields-up
• https://twitter.com/cisajen/status/1499496597234855940
Kudelski Security Research 