CISA warns of potential critical threats following attacks against Ukraine

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned organizations about “potential critical threats” following the recent cyberattacks that hit Ukraine.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an “insights” document that warned organizations about “potential critical threats” following the recent cyberattacks aimed at Ukraine.

The document starts from most recent attacks targeting public and private entities in Ukraine, including website defacement and destructive malware-based attacks on local systems that could have severe impact on critical functions.

“The identification of destructive malware is particularly alarming given that similar malware has been deployed in the past—e.g., NotPetya and WannaCry ransomware—to cause significant, widespread damage to critical infrastructure.” reads the insights” document. “This CISA Insights is intended to ensure that senior leaders at every organization in the United States are aware of critical cyber risks and take urgent, near-term steps to reduce the likelihood and impact of a potentially damaging compromise. All organizations, regardless of sector or size, should immediately implement the steps outlined below.”

Microsoft spotted a destructive malware, tracked as WhisperGate, that targeted government, non-profit, and IT entities in Ukraine with a wiper disguised as ransomware.

The attackers were discovered by Microsoft on January 13, the experts attributed the attack to an emerging threat cluster tracked as “DEV-0586.” The experts pointed out that the operation has not overlapped with TTPs associated with past campaigns.

“MSTIC assesses that the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.” reads the post published by the Microsoft Threat Intelligence Center.

“At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues.”

However, Reuters in exclusive reported that the attacks were launched by the Belarus-linked APT group tracked as UNC1151 (aka Ghostwriter).

The CISA document provides recommendations to reduce the likelihood of a damaging cyber intrusion and increase the resilience of the infrastructure.

According to Symantec, the WhisperGate wiper may have been employed in attacks against unknown victims since at least October 2021.

In recent attacks against Ukraine, threat actors compromised Ukrainian government networks through a supply chain attack that involved the third-party software supplier Kitsoft.

“As we noted earlier, the diagnostics showed the scale of the cyberattack, the platforms created by various companies were damaged.The complexity of the cyber attack is confirmed through an analysis using the Microsoft Threat Intelligence Center (MSTIC) that “has identified evidence of a major destructive malware operation targeting multiple organizations in Ukraine. This malware first appeared on systems in Ukraine on January 13, 2022. MSTIC has not found any notable associations between this observed activity, and other known activity groups” — the statement said. Kitsoft’s infrastructure was also damaged during the cyber attack.” reported Kitsoft. “Our specialists have identified this as one of the ways the attack was developed.”

According to Ukrainian cybersecurity agencies, threat actors exploited a vulnerability in the October CMS tracked as CVE-2021-32648, and the log4Shell vulnerability (CVE-2021-32648). Government authorities also reported DDoS attacks against their infrastructure.

The October CMS vulnerability was added by CISA this week to its Known Exploited Vulnerabilities Catalog.

Below are the recommendations provided by CISA in the insights document:

• Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
• Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
• Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
• If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA’s guidance.
• Sign up for CISA’s free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

[adrotate banner=”5″]

[adrotate banner=”13″]