[Updated March 10, 2022] First, our hearts go out to those impacted by this conflict. The escalating situation between Ukraine and Russia brings concerns of additional cyberattacks and cyber risks. At Alert Logic, we are in a constant state of vigilance, and we’ll continue to stay up to speed on all cyber risks, including any that come out of this conflict. 

How Can You Mitigate Your Cyber Risk?

The Cybersecurity and Infrastructure Security Agency (CISA) issued the Shields Up advisory, which provides guidance and recommendations for organizations of all sizes. 

The recommendations include reducing your attack footprint through patching, enabling multifactor authentication (MFA), and disabling ports and protocols that are not business essential, as well as having broad detection capabilities.  

In moments like these, visibility is critical. Be sure to prioritize any configuration or health-related issues that are inhibiting your tools' ability to identify an attack. While these are all cybersecurity best practices, times like these are when the stakes get raised.  

What is Alert Logic Doing?

Alert Logic monitors our customers’ environments 24/7 for attacks against their assets. Our security operations teams perform further analysis, triage, and escalate verified incidents to our customers and partners with guidance and mitigation steps to minimize potential damage. This is a core component of our service. 

Alert Logic also does continuous threat hunting by investigating the high volume of telemetry data we receive from our customer base to identify attack patterns and indicators of compromise. 

Finally, Alert Logic Threat Intelligence teams are actively monitoring the situation should any cyber-related events begin to occur from this conflict. This intelligence will feed into our processes as we continue to stay abreast of emerging threats. 

How Can I Stay Informed on Cyber Risks?

Alert Logic is constantly watching the threat landscape, and if there is an urgent cybersecurity issue, we initiate our Emerging Threats process and publish a Knowledge Base Article. World events that impact our industry are treated with the utmost priority. By clicking the “Follow” button in our Knowledge Base, you can be immediately notified as new articles are published and the latest information becomes available. 

Is There Anything Else I Should Do?

Stay calm and focused. Know that Alert Logic is always watching — this is what we do every day. We are watching and prepared to support you if there is an active attack, regardless of its source. 

Should you have additional questions, please reach out to the SOC or your Customer Success Manager. 

March 10, 2022 update

Our threat intelligence teams have mapped Alert Logic’s coverage against the CISA advisory documenting the top vulnerabilities and cyber risks exploited by Russian-linked threat actors. 

Top Vulnerabilities

We advise all Alert Logic customers to remediate these vulnerabilities as a priority, using the remediation console. 

| Vendor | CVE | Type of Vulnerability | Detection | Vulnerability Scan |
| --- | --- | --- | --- | --- |
| Citrix | CVE-2019-19781 | Arbitrary code execution | Coverage in place | Coverage in place |
| Pulse | CVE-2019-11510 | Arbitrary file reading | Coverage in place | Coverage in place |
| Fortinet | CVE-2018-13379 | Path traversal | Coverage in place | Coverage in place |
| F5 BIG-IP | CVE-2020-5902 | Remote Code Execution (RCE) | Coverage in place | Coverage in place |
| MobileIron | CVE-2020-15505 | RCE | Coverage in place | Coverage in place |
| Microsoft | CVE-2017-11882 | Local Exploit | Coverage in place | Coverage in place |
| Atlassian | CVE-2019-11580 | RCE | Coverage in place | Coverage in place |
| Drupal | CVE-2018-7600 | RCE | Coverage in place | Coverage in place |
| Telerik | CVE-2019-18935 | RCE | Coverage in place | Coverage in place |
| Microsoft | CVE-2019-0604 | RCE | Coverage in place | Coverage in place |
| Microsoft | CVE-2020-0787 | Elevation of privilege (Local) | Coverage in place | Coverage in place |
| Microsoft | CVE-2020-1472 | Elevation of privilege | Coverage in place | Coverage in place |

We have also mapped other related vulnerabilities in widely deployed software with publicly available exploits, taken from a secondary CISA advisory that covers additional exploits used by Russian state-sponsored threat actors. 

| Vendor | CVE | Affected Product | Detection | Vulnerability Scan |
| --- | --- | --- | --- | --- |
| Cisco | CVE-2019-1653 | Cisco router | Coverage in place | Coverage in place |
| Oracle | CVE-2019-2725 | Oracle WebLogic Server | Coverage in place | Coverage in place |
| Elasticsearch | CVE-2019-7609 | Kibana | Coverage in place | Coverage in place |
| Exim | CVE-2019-10149 | Exim Simple Mail Transfer Protocol | Coverage in place | Coverage in place |
| Microsoft | CVE-2020-0688 | Microsoft Exchange | Coverage in place | Coverage in place |
| Oracle | CVE-2020-14882 | Oracle WebLogic | Coverage in place | Coverage in place |
| Microsoft | CVE-2021-26855 | Microsoft Exchange (Note: this vulnerability is frequently used in conjunction with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) | Coverage in place | Coverage in place |
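The two tables above are most useful when turned into a remediation queue: take a scanner export, normalize the CVE identifiers (exports and the tables themselves mix "CVE 2019-11510" and "CVE-2019-11510"), and surface the findings that match the advisory list first, including hosts that show only one of the Exchange CVEs the page notes are chained with CVE-2021-26855. The script below is an added example and is not Alert Logic's remediation console or code; the CVE list is copied from the tables, while the CSV scan export, host names and the non-listed CVE-2099-00001 are constructed for the demonstration.

```python
"""Triage a scanner export against the CVE list on this page (added example)."""
import csv
import io
import re
from typing import Dict, List, Optional, Set, Tuple

# CVE identifiers copied from the two coverage tables above: (vendor, as listed).
PRIORITY_CVES: Dict[str, Tuple[str, str]] = {
    "CVE-2019-19781": ("Citrix", "Arbitrary code execution"),
    "CVE-2019-11510": ("Pulse", "Arbitrary file reading"),
    "CVE-2018-13379": ("Fortinet", "Path traversal"),
    "CVE-2020-5902": ("F5 BIG-IP", "Remote Code Execution (RCE)"),
    "CVE-2020-15505": ("MobileIron", "RCE"),
    "CVE-2017-11882": ("Microsoft", "Local Exploit"),
    "CVE-2019-11580": ("Atlassian", "RCE"),
    "CVE-2018-7600": ("Drupal", "RCE"),
    "CVE-2019-18935": ("Telerik", "RCE"),
    "CVE-2019-0604": ("Microsoft", "RCE"),
    "CVE-2020-0787": ("Microsoft", "Elevation of privilege (Local)"),
    "CVE-2020-1472": ("Microsoft", "Elevation of privilege"),
    "CVE-2019-1653": ("Cisco", "Cisco router"),
    "CVE-2019-2725": ("Oracle", "Oracle WebLogic Server"),
    "CVE-2019-7609": ("Elasticsearch", "Kibana"),
    "CVE-2019-10149": ("Exim", "Exim SMTP"),
    "CVE-2020-0688": ("Microsoft", "Microsoft Exchange"),
    "CVE-2020-14882": ("Oracle", "Oracle WebLogic"),
    "CVE-2021-26855": ("Microsoft", "Microsoft Exchange"),
}

# The page notes CVE-2021-26855 is used together with these three; a host that
# reports any of them is queued with the same urgency as the listed entry.
CHAINED_WITH: Dict[str, str] = {
    "CVE-2021-26857": "CVE-2021-26855",
    "CVE-2021-26858": "CVE-2021-26855",
    "CVE-2021-27065": "CVE-2021-26855",
}

# Accepts "CVE-2019-11510", "CVE 2019-11510", "cve_2019_11510" and similar.
CVE_PATTERN = re.compile(r"CVE[\s_-]*(\d{4})[\s_-]+(\d{4,})", re.IGNORECASE)


def normalize_cve(text: str) -> Optional[str]:
    """Return the canonical 'CVE-YYYY-NNNN' form, or None if no id is present."""
    m = CVE_PATTERN.search(text)
    return f"CVE-{m.group(1)}-{m.group(2)}" if m else None


# Constructed scanner export (not real scan output): host,cve,cvss
SCAN_EXPORT = """\
host,cve,cvss
vpn-gw-01,CVE 2019-11510,10.0
dc-01,cve-2020-1472,10.0
mail-01,CVE-2021-27065,7.8
web-02,CVE-2018-7600,9.8
web-02,CVE-2099-00001,5.3
build-03,CVE-2020-1472,10.0
"""


def prioritize(export: str) -> Tuple[List[dict], List[dict]]:
    """Split findings into those on the advisory list (sorted by CVSS, then host)
    and everything else. Each priority entry carries the page's vendor/type."""
    priority: List[dict] = []
    others: List[dict] = []
    for row in csv.DictReader(io.StringIO(export)):
        cve = normalize_cve(row["cve"])
        root = CHAINED_WITH.get(cve, cve) if cve else None
        if root in PRIORITY_CVES:
            vendor, kind = PRIORITY_CVES[root]
            priority.append({
                "host": row["host"], "cve": cve, "listed_as": root,
                "vendor": vendor, "type": kind, "cvss": float(row["cvss"]),
            })
        else:
            others.append(row)
    priority.sort(key=lambda f: (-f["cvss"], f["host"]))
    return priority, others


def hosts_by_cve(priority: List[dict]) -> Dict[str, Set[str]]:
    """Group affected hosts per listed CVE so one ticket covers every asset."""
    grouped: Dict[str, Set[str]] = {}
    for f in priority:
        grouped.setdefault(f["listed_as"], set()).add(f["host"])
    return grouped


if __name__ == "__main__":
    prio, rest = prioritize(SCAN_EXPORT)
    for f in prio:
        print(f"{f['host']:10} {f['cve']:15} {f['vendor']:13} {f['type']}")
    print(f"{len(rest)} finding(s) not on the advisory list")
```

Findings for chained CVEs are reported under their own identifier but keyed to the listed entry, so `hosts_by_cve` puts an Exchange host showing CVE-2021-27065 in the CVE-2021-26855 bucket rather than leaving it unranked.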

Zero-day threats relating to activities arising from the conflict are yet to be discovered or attributed to the conflict. State-backed actors are currently favoring a ‘low hanging fruit’ approach, making use of older vulnerabilities that have gone unpatched in systems. They have also been favoring DDoS attacks. Both point to relatively unsophisticated methods that have achieved the desired outcomes. Nation states and APTs tend to deploy novel tactics and zero-days only when other avenues are exhausted. 

Alert Logic is always vigilant for emerging threats and zero-days. Our established process has seen success in creating timely content for many of the vulnerabilities listed above, including: CVE-2021-26855/Hafnium and CVE-2019-19781/Citrix ADC. Please visit this page for all emerging threat documentation. 

We will continue to monitor for emerging threats and cyber risks arising from the conflict and will trigger our established emerging threat process to rapidly develop coverage when required. 

Region Specific Threat Intel

While it should be stressed again that our established emerging threat and threat research processes are business as usual, extra focus has been placed on intelligence, breaches and cyber risks involving Russian and Ukrainian linked regions and organizations.  

Our security researchers and threat hunters have been consuming related OSINT and prioritizing the ingestion of Ukraine/Russia IoCs to be used in proactive threat hunts. Customer data will also be queried retrospectively for signs of compromise. Instances of compromise will be raised with remediation recommendations if discovered.  

This has included IoCs related to the following, among others: 

  • WhisperGate
  • HermeticWiper
  • MicroBackdoor
  • Ghostwriter
  • MuddyWater
  • Gamaredon group 
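A retrospective sweep of the kind described above is, at its core, matching a set of ingested indicators against historical telemetry. The script below is an added example, not Alert Logic's hunting tooling: it refangs indicators as they typically arrive from OSINT feeds ("192.0.2[.]44", "hxxp://..."), extracts IPv4 addresses, hostnames and SHA-256 values from each log line, and reports every line that contains a known indicator. All indicator values, hostnames, hashes and log lines are constructed placeholders (documentation address ranges and .invalid names), not IoCs from any of the campaigns named on this page.

```python
"""Retrospective IoC sweep over log lines (added example, constructed data)."""
import re
from typing import Dict, List, Set

# Constructed indicator list in the defanged forms feeds commonly use.
# None of these are real IoCs.
RAW_IOCS = [
    "192.0.2[.]44",                           # IPv4 with a bracketed dot
    "hxxp://update.example-cdn[.]invalid/",   # URL; only its host is matched
    "stage.example-files(.)invalid",          # hostname with a parenthesised dot
    "0123456789abcdef" * 4,                   # constructed SHA-256-length hash
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(value: str) -> str:
    """Undo common defanging and reduce a URL to its host, lower-cased."""
    v = value.strip().lower()
    for broken in ("[.]", "(.)", "{.}"):
        v = v.replace(broken, ".")
    v = re.sub(r"^(hxxps?|https?)://", "", v)
    return v.split("/")[0]


def classify(indicator: str) -> str:
    """Label an already-refanged indicator by type."""
    if IPV4.fullmatch(indicator):
        return "ipv4"
    if SHA256.fullmatch(indicator):
        return "sha256"
    return "domain"


def extract(line: str) -> Set[str]:
    """Pull every IP, hash and hostname-looking token out of one log line."""
    text = line.lower()
    return set(IPV4.findall(text)) | set(SHA256.findall(text)) | set(DOMAIN.findall(text))


# Constructed telemetry: a proxy record, a DNS record, an EDR file event and
# a benign proxy record that must not match.
LOGS = """\
2022-03-09T10:14:02Z proxy src=10.0.0.17 dst=192.0.2.44 host=update.example-cdn.invalid method=GET
2022-03-09T10:14:05Z dns client=10.0.0.17 query=stage.example-files.invalid rcode=NOERROR
2022-03-09T10:15:41Z edr host=ws-17 file=C:\\Users\\Public\\drop.exe sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2022-03-09T10:16:00Z proxy src=10.0.0.22 dst=198.51.100.9 host=docs.example.com method=GET
"""


def sweep(log_text: str, raw_iocs: List[str]) -> List[Dict[str, object]]:
    """Return one hit per (line, indicator) pair, in log order."""
    iocs = {refang(v): classify(refang(v)) for v in raw_iocs}
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for token in sorted(extract(line) & set(iocs)):
            hits.append({"line": n, "indicator": token, "type": iocs[token], "event": line})
    return hits


if __name__ == "__main__":
    for h in sweep(LOGS, RAW_IOCS):
        print(f"line {h['line']}: {h['type']} {h['indicator']}")
```

Extraction is deliberately broad (a file name such as `drop.exe` is also offered as a candidate hostname); that costs nothing because only tokens present in the indicator set become hits, and it avoids missing a hostname that appears in an unexpected field.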

Currently no Alert Logic customers have demonstrated signs of compromise related to the conflict. We will continue to monitor.

Tracking of Threat Groups

Alert Logic documents all IoCs observed in the numerous campaigns and compromises. The output is a wealth of threat intelligence which is clustered according to related activity. The data includes a significant footprint of attacker infrastructure geolocated to Russia, Ukraine, and linked regions. While attribution to a nation based on IP geolocation should be done with the utmost caution, constantly tracking threat group activity enables us to quickly identify compromise and respond with detailed response recommendations, as we know the tactics they favor, what they’re likely to do next, and how to remove them.  

Fortra's Alert Logic Security Team