Proudly serving Virginia, Maryland and DC // Call us today! 703.396.6120
V2 SystemsV2 Systems
Concerned About Russia/Ukraine Spillover, CISA Urges Businesses to Take Precautions

by Erik Briceno

In our previous post, we shared the joint advisory issued from the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Today we’re delving into the key sections of the advisory that CISA outlines specifically to mitigate cybersecurity threats from WhisperGate and HermeticWiper caused by spillover. Here are a few items from the list that require special attention.

Distribution Vectors

Destructive malware may use popular communication tools to spread, including worms sent through email and instant messages, Trojan horses dropped from websites, and virus-infected files downloaded from peer-to-peer connections. Malware seeks to exploit existing vulnerabilities on systems for quiet and easy access.

The malware has the capability to target a large scope of systems and can execute across multiple systems throughout a network. As a result, it is important for organizations to assess their environment for atypical channels for malware delivery and/or propagation throughout their systems. Systems to assess include:

  • Enterprise applications – particularly those that have the capability to directly interface with and impact multiple hosts and endpoints. Common examples include:
    • Patch management systems
    • Asset management systems
    • Remote assistance software (typically used by the corporate help desk)
    • Antivirus (AV) software
    • Systems assigned to system and network administrative personnel
    • Centralized backup servers
    • Centralized file shares

While not only applicable to malware, threat actors could compromise additional resources to impact the availability of critical data and applications. Common examples include:

  • Centralized storage devices
    • Potential risk – direct access to partitions and data warehouses
  • Network devices
    • Potential risk – capability to inject false routes within the routing table, delete specific routes from the routing table, remove/modify, configuration attributes, or destroy firmware or system binaries — which could isolate or degrade availability of critical network resources

Best Practices and Planning Strategies

Concerned About Russia/Ukraine Spillover, CISA Urges Businesses to Take PrecautionsIt’s important to note that this list does not contain the full set of recommendations outlined by CISA. We’ve highlighted some of the more general practices all businesses should be adhering to, and deals exclusively with access control and monitoring.

Access Control
  • For enterprise systems that can directly interface with multiple endpoints:
    • Require multi-factor authentication for interactive logons.
    • Ensure authorized users are mapped to a specific subset of enterprise personnel.
      • If possible, the “Everyone,” “Domain Users,” or the “Authenticated Users” groups should not be permitted the capability to directly access or authenticate to these systems.
    • Ensure unique domain accounts are used and documented for each enterprise application service.
      • Context of permissions assigned to these accounts should be fully documented and configured based upon the concept of least privilege.
      • Provides an enterprise with the capability to track and monitor specific actions correlating to an application’s assigned service account.
    • If possible, do not grant a service account with local or interactive logon permissions.
      • Service accounts should be explicitly denied permissions to access network shares and critical data locations.
    • Accounts that are used to authenticate to centralized enterprise application servers or devices should not contain elevated permissions on downstream systems and resources throughout the enterprise.
  • Continuously review centralized file share ACLs and assigned permissions.
    • Restrict Write/Modify/Full Control permissions when possible.
Monitoring
  • Audit and review security logs for anomalous references to enterprise-level administrative (privileged) and service accounts.
    • Failed logon attempts
    • File share access
    • Interactive logons via a remote session
  • Review network flow data for signs of anomalous activity, including:
    • Connections using ports that do not correlate to the standard communications flow associated with an application
    • Activity correlating to port scanning or enumeration
    • Repeated connections using ports that can be used for command and control purposes
  • Ensure network devices log and audit all configuration changes.
    • Continually review network device configurations and rule sets to ensure communication flows are restricted to the authorized subset of rules.

For assistance in implementing these strategies, contact us today. Our team of experts will monitor your systems 24/7.

Since 1995, Manassas Park, VA-based V2 Systems has employed local systems administrators, network engineers, security consultants, help desk technicians and partnering companies to meet a wide range of clients’ IT needs, from research, to implementation, to maintenance. Concentrate on your VISION…We’ll handle the TECHNOLOGY!

ebriceno
About ebriceno
Erik Briceño is the owner of V2 Systems, Inc., one of Northern Virginia’s leading Information Technology Managed Service Providers. He is an inspiring leader for its employees and instrumental business partner for its customers. He is passionate about V2’s purpose, dedicated to exceeding expectations and a consummate professional not afraid of jumping in and getting his hands dirty. Prior to joining V2 Systems in 2002, Erik was a co-founder and COO of Ampcast.com, a leading provider of online resources servicing over 5,000 independent musical artists. At Ampcast.com, Erik spearheaded all aspects of corporate development, funding, strategic vision, and business development for the firm. From 1997 to 1999 Erik held the position of Acoustic Systems Engineer for Electric Boat Corporation, a leading defense contractor. In this role, Erik was responsible for the acoustic fidelity of two noise critical systems and components in the US Navy’s nuclear submarine systems. Erik holds a B.S. in Mechanical Engineering from Vanderbilt University and a Masters of Business Administration from George Mason University. When not working, you will find Erik a dedicated family man, raising two young children with his lovely wife Karen. Together, they enjoy building legos, playing baseball, skiing, riding horses, swimming, traveling, and fixing up old Mopars.
Concerned About Russia/Ukraine Spillover, CISA Urges Businesses to Take Precautions
Concerned About Russia/Ukraine Spillover, CISA Urges Businesses to Take Precautions