[Updated March 10, 2022]
First, our hearts go out to those impacted by this conflict.
The escalating situation between Ukraine and Russia brings concerns of additional cyber-attacks. At Alert Logic, we are in a constant state of vigilance, and we’ll continue to stay up to speed on all cyber threats, including any that come out of this conflict.
How can you mitigate your risk?
The Cybersecurity & Infrastructure Agency (CISA) issued the advisory Shields Up which provides guidance and recommendations for organizations of all sizes.
The recommendation includes reducing your attack footprint through patching, enabling multi-factor authentication, and disabling ports and protocols that are not business essential, as well as having broad detection capabilities.
In moments like these, visibility is critical. Be sure to prioritize any configuration or health related issues that are inhibiting any of your tool’s ability to identify an attack. While these are all cybersecurity best practices, times like these are when the stakes get raised.
What is Alert Logic doing?
Alert Logic monitors our customers’ environments 24/7 for attacks against their assets. Our security operations teams perform further analysis, triage, and escalate verified incidents to our customers and partners with guidance and mitigation steps to minimize potential damage. This is a core component of our service.
Alert Logic also does continuous threat hunting by investigating the high volume of telemetry data we receive from our customer base to identify attack patterns and indicators of compromise.
Finally, Alert Logic Threat Intelligence teams are actively monitoring the situation should any cyber related events begin to occur from this conflict. This intelligence will feed into our processes as we continue to stay abreast of Emerging Threats.
How can I stay informed?
Alert Logic is constantly watching the threat landscape, and if there is an urgent cybersecurity issue, we initiate our Emerging Threats process and publish a Knowledge Base Article. World events that impact our industry are treated with the utmost priority. By clicking the “Follow” button in our Knowledge Base, you can be immediately notified as new articles are published and the latest information becomes available.
Is there anything else I should do?
Stay calm and focus. Know that Alert Logic is always watching – this is what we do every day. We are watching and prepared to support you if there is an active attack, regardless of its source.
Should you have additional questions please reach out to the SOC or your Customer Success Manager. Thank you for your continued trust and partnership.
Your Alert Logic Security Team
——- March 10, 2022 update —————————————————————–
Our threat intelligence teams have mapped Alert Logic’s coverage against the CISA advisory documenting the top vulnerabilities exploited by Russian linked threat actors.
It is our advice that all Alert Logic customers should remediate these vulnerabilities as a priority using the remediation console.
|Vendor||CVE||Type of Vulnerability||Detection||Vulnerability Scan|
|Citrix||CVE-2019-19781||Arbitrary code execution||Coverage in place||Coverage in place|
|Pulse||CVE 2019-11510||Arbitrary file reading||Coverage in place||Coverage in place|
|Fortinet||CVE 2018-13379||Path traversal||Coverage in place||Coverage in place|
|F5- Big IP||CVE 2020-5902||Remote Code Execution (RCE)||Coverage in place||Coverage in place|
|MobileIron||CVE 2020-15505||RCE||Coverage in place||Coverage in place|
|Microsoft||CVE-2017-11882||Local Exploit||Coverage in place||Coverage in place|
|Atlassian||CVE-2019-11580||RCE||Coverage in place||Coverage in place|
|Drupal||CVE-2018-7600||RCE||Coverage in place||Coverage in place|
|Telerik||CVE 2019-18935||RCE||Coverage in place||Coverage in place|
|Microsoft||CVE-2019-0604||RCE||Coverage in place||Coverage in place|
|Microsoft||CVE-2020-0787||Elevation of privilege (Local)||Coverage in place||Coverage in place|
|Microsoft||CVE-2020-1472||Elevation of privilege||Coverage in place||Coverage in place|
We have also mapped other related vulnerabilities in popularly deployed software with publicly available exploits, from a secondary CISA advisory which covers additional exploits used by Russian state-sponsored threat actors.
|Vendor||CVE||Type of Vulnerability||Detection||Vulnerability Scan|
|Cisco||CVE-2019-1653||Cisco router||Coverage in place||Coverage in place|
|Oracle||CVE-2019-2725||Oracle WebLogic Server||Coverage in place||Coverage in place|
|ElasticSearch||CVE-2019-7609||Kibana||Coverage in place||Coverage in place|
|Exim||CVE-2019-10149||Exim Simple Mail Transfer Protocol||Coverage in place||Coverage in place|
|Microsoft||CVE-2020-0688||Microsoft Exchange||Coverage in place||Coverage in place|
|Oracle||CVE-2020-14882||Oracle WebLogic||Coverage in place||Coverage in place|
|Microsoft||CVE-2021-26855||Microsoft Exchange (Note: this vulnerability is frequently used in conjunction with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)||Coverage in place||Coverage in place|
Zero-day threats relating to activities arising from the conflict are yet to be discovered or attributed to the conflict. State-backed actors are currently favoring a ‘low hanging fruit’ approach, making use of older vulnerabilities that have gone unpatched in systems. They have also been favoring DDoS attacks. Both point to relatively unsophisticated methods that have achieved the desired outcomes. Nation states and APTs tend to only deploy novel tactics and zero-days only when other avenues are exhausted.
Alert Logic is always vigilant for emerging threats and zero-days. Our established process has seen success in creating timely content for many of the vulnerabilities listed above, including: CVE-2021-26855/Hafnium and CVE-2019-19781/Citrix ADC. Please visit this page for all emerging threat documentation.
We will continue to monitor for emerging threats arising from the conflict and will trigger our established emerging threat process to rapidly develop coverage when required.
Region Specific Threat Intel
While it should be stressed again that our established emerging threat and threat research processes are business as usual, extra focus has been placed on intelligence and breaches involving Russian and Ukrainian linked regions and organizations.
Our security researchers and threat hunters have been consuming related OSint and prioritizing the ingestion of Ukraine/Russia IoCs to be used in proactive threat hunts. Customer data will also be queried retrospectively for signs of compromise. Instances of compromise will be raised with remediation recommendations if discovered.
This has included IoCs related to:
- Gamaredon group
Currently no Alert Logic customers have demonstrated signs of compromise related to the conflict. We will continue to monitor.
Tracking of Threat Groups
Alert Logic documents all IoCs observed in the numerous campaigns and compromises. The output is a wealth of threat intelligence which is clustered according to related activity. The data includes a significant footprint of attacker infrastructure geolocated to Russia, Ukraine, and linked regions. While attribution to a nation based on IP geolocation should be done with the utmost caution, constantly tracking threat group activity enables us to quickly identify compromise and respond with detailed response recommendations, as we know the tactics they favor, what they’re likely to do next, and how to remove them.