Due to the complicated situation in Europe, we are seeing a significant increase in scanning and security exploration activity. This is the first hybrid war in which attacks are not only physical but also take place in the cyber landscape. Currently we can distinguish attacks on various websites and financial institutions, which began shortly before the first attacks in Ukraine. A few days before the Russian invasion, many Ukrainian banks were under attack; the main vectors were online banking and ATMs. Immediately after the start of the war two separate fronts were formed – groups supporting Russian activities and groups organized on social media supporting Ukraine.
The volunteer groups consist of different actors, varying from users with basic skills to experienced and skilled attackers. For organizing simple attacks such as DDoS, an attacker needs only basic skills. Additionally, volunteers with a richer technical background were attracted, including knowledge of tools such as Cobalt Strike, Snort and Evilginx. Two main types of attack were commonly used in the region – attacks aimed at taking services offline for some time, and information gathering.
Furthermore, a new type of malware was identified. The first samples of this virus were discovered on Feb 23. This malware bypasses Windows security features and gains access to many low-level data structures on the disk. Quite quickly, this malware managed to compromise a large number of machines in Ukraine, but also in Latvia and Lithuania. This type of attack destroys all the data stored on the disks, so recovery is very difficult. We also observed an increase in targeted phishing campaigns aimed at compromising hosts; in fact, there is a 15-fold increase in targeted campaigns compared to the same period last year. On the darknet, many databases of usernames and passwords were published that can be further used for specific attacks.
The presented output shows the malicious activities and the scanning that were identified in the last 30 days. Different countries have been used as proxies for targeted attacks; some examples are China, Russia, Vietnam, the USA and Iran.
The trend of increasing cyber attacks is expected to continue, together with the disclosure of new vulnerabilities. Supply chain attacks will continue to be a big issue. Targeted attacks will be aimed at remote workers and at individuals, as they can be compromised more easily. Big companies are beginning to invest more in security by acquiring comprehensive protection systems and educating their teams. The most widely used protection tools at the moment are advanced AI modules, systems that identify and block attacks in real time, proactive responses to detected anomalies in the infrastructure, and advanced next-generation systems that inspect all network traffic.
To ensure advanced protection, apply the following good security practices:
• Patches must be applied to all systems, not only to vulnerable ones. There must be a clear process for patching all systems on a regular basis, especially public-facing services, firewalls and mail services.
• Enforce multi-factor authentication for all accounts, especially critical ones. Identity theft is one of the most common ways of compromising organizations.
• Backups must be made on a regular basis. With current malware such as HermeticWiper, data is at high risk. With this type of attack data recovery is not possible, therefore a data restoration strategy must be put in place. Testing backup and recovery plans is critical, including business continuity testing in case your network or other key systems are disabled in an attack.
• Unused services must be blocked; small policy changes can go a long way in decreasing the likelihood of a successful attack. Internet access must be filtered to prevent hosts from participating in botnets.
• Business continuity plans, disaster recovery plans and communication protocols must be updated and tested to ensure a clear mechanism for reacting in critical situations.