Staying Safe During Unprecedented Times

The situation in Ukraine continues to unfold, and it is now clear that part of the response from both sides of the conflict is widespread usage of cyber attacks as both an offensive and retaliatory mechanism. It is also well known that both parties in the conflict have extensive cyber capabilities.
We do not believe that any of these attacks are directed at any countries outside those directly involved in the conflict. The UAE, or UAE-based organizations, should therefore not consider themselves as direct targets.
Unfortunately, any cyber campaign carries a risk of collateral damage, and we are observing this already. Our primary concern is that any individual campaign currently deployed could go rogue. History offers a number of examples reminding us that, because of the degree of global interconnectedness, all IT systems share a global risk exposure.
What is Help AG doing to keep you safe?
- We are performing threat hunting, based on indicators of compromise (IoCs), for traffic patterns and attack techniques across our MDR client base. Currently, we have not seen any active hits on these indicators. We will continue to perform these assessments in conjunction with our general threat hunting activities and update our indicators as they are updated by the security community.
- DDoS attacks are also being used widely in the conflict to take digital assets offline. These attacks are typically low in sophistication but high in volume and strength. While we constantly observe DDoS attacks on organizations in the UAE, we have not observed any change in the behaviour, volume or frequency of attacks. As it is near impossible to establish accurate attribution of DDoS attacks, we are continuously monitoring our ability to mitigate attacks effectively, and for customers utilizing our DDoS service there is no degradation of mitigation capability.
- Potential supply chain issues resulting from the crisis can directly impact clients outside of the conflict, especially concerning software.
Ukraine has for many years been one of the most widely used markets for sourcing software development skills, and many companies develop part of their software in Ukrainian subsidiaries. While the effect is not immediate, it may impact your suppliers' ability to develop software, deliver patches or provide support for their solutions as their operations are affected.
- A number of new malware variants have been utilized by both sides in the conflict. They are highly destructive and focused on deleting system data. These malware variants are different from sophisticated ransomware families where you can potentially gain access to your data through decryption.
We are monitoring these malware variants outside of the conflict area, as we are concerned that malware can go rogue and create collateral damage. To date, we have not been able to identify any of these malware variants at any of our client environments, and we believe they are still only deployed in a highly targeted fashion.
The malware used in recent campaigns consists of variants of well-known malware families from historic campaigns. This means AV vendors have been able to create detection coverage without significant changes to their current AV platforms, and we have seen these systems, particularly those of endpoint security vendors, quickly receive broad protection for the recent attacks.
These updates should be rolling out as they are made available if your systems are configured for automatic updates. If you operate your own AV and endpoint security, you should ensure you are running the latest AV definitions, as all widely used AV vendors now have complete coverage for this malware. If you have difficulty establishing which release you are running, you are welcome to reach out and we will assist you.
- Patch vulnerabilities of external systems, even if the vulnerability is not rated CRITICAL or HIGH. While we do not have any specific indicators related to exposure of specific vulnerabilities, it is always important to ensure that external facing systems are patched and up to date with the latest security updates and fixes.
If you are utilizing our vulnerability management service, you should regularly receive information about your exposure. We urge you to ensure that external systems are patched promptly, including medium and lower severity vulnerabilities, as these can be leveraged in multi-stage attacks. We are unfortunately in a situation where a number of significant, critical vulnerabilities were discovered, and this gives attackers a large attack surface. Again, external attacks are typically related to a more active phase of attacks where your organization is targeted, rather than being the victim of collateral damage.
If your regular patch management process already provides efficient management of vulnerabilities, no direct action is currently required; however, if you have large business interests in any of the conflict areas, it is worth performing an extra scan of your digital assets. If you are aware of unpatched vulnerabilities on externally facing systems, it is always highly advisable to ensure these are patched, or mitigated with alternate controls, regardless of the conflict.
- One of the largest developments of the previous week concerns the hacker group Anonymous, which has declared that it will be entering the conflict on the side of Ukraine. No specific target list has been announced yet; however, we know from previous campaigns that the selection of targets by Anonymous may be broad, and an organization may end up as a target simply through association with a particular topic of the campaign. We are therefore monitoring developments in this space as such target lists are published.
- It should be noted that reports are starting to come in of phishing and scam campaigns themed around the narrative of the conflict. The numbers are relatively low, and the themes appear to centre on donations to help Ukrainians and on suspicious logins from Russia. This is not a surprise, as any topic of general interest is quickly weaponized by cybercriminals, even those not directly involved in the conflict. We advise our clients to be specifically aware of this, to raise awareness of the issue among their user base, and to ensure that e-mail based defenses in particular are operating effectively. Help AG has not seen any widespread uptick in ransomware attacks in the region since the start of the conflict.
Reference:
- Help AG Threat Intelligence Team