February 28, 2022 by Alex Kirk
Given that active cyber warfare has broken out alongside Russia’s active invasion of Ukraine - from Russian wiper malware to Anonymous hacking Russian state TV - CISA’s recent “Shields Up” memo is a timely insight into some of the TTPs defenders of critical infrastructure should be keeping an eye out for. Let’s break down the four key areas outlined in the memo and examine ways they can be detected with network data.
Russian attackers are well-known for using VPNs to disguise the true source of their traffic, and the memo calls out both credential harvesting and the abuse of specific CVEs to compromise public-facing VPN concentrators and mail servers. Savvy defenders will have already patched their edge devices against these vulnerabilities from 2018 and 2020, but given the neglect that shadow IT assets often suffer, it is worth knowing that exploitation attempts can be detected by Suricata SIDs 202788 and 2034005 (CVE-2018-13379, the FortiOS SSL VPN path traversal) and 2029540 (CVE-2020-0688, Microsoft Exchange). For those that are decrypting inbound requests to their networks, the remaining vulnerability called out, CVE-2020-17144 (also Exchange), can be detected by looking for the string "/ews/soap/?pass=whoami" inside their Corelight HTTP logs.
A much more intriguing detection capability is the ability to see when your users are connecting to unusual VPN-based services. Corelight's new VPN Insights collection parses WireGuard, IPsec, OpenVPN, and DTLS/SSL traffic in order to produce a vpn.log that fingerprints connection types and reports many relevant data points around them. Using this log to investigate any unofficial/unsanctioned VPN connectivity could tip defenders off to Russian attack activity, or to something as simple, yet equally unwanted, as users circumventing proxies and other security measures.
Every application is a bit different, of course, so there is no single recipe for detecting repeated logon failures against your infrastructure. Systems usually give off clear indicators when an authentication failure has occurred, from an HTTP 401 or 403 response on a web server to the many Kerberos error codes (KDC_ERR_PREAUTH_FAILED and friends) returned by a domain controller. At a generic level, detect these attacks by aggregating logs on the originating and responding IP addresses, and then either on protocol/service for Layer 4 connection logs or on the specific Layer 7 error code you want to inspect. Once aggregated, sort by the count of that data point for each host pair and filter out obviously legitimate sources such as vulnerability scanners and trusted partner applications; what remains is a list of potential brute-force sources, whose IP addresses can then be cross-searched in the data for indications of successful logins from the same source. More details can be found in the free Corelight Threat Hunting Guide.
Corelight also has specific detection for SSH brute force scanning in its Encrypted Traffic Collection, which uses heuristics around packet size and timing to detect behaviors in SSH without the need to decrypt traffic. Customers should look for occurrences of the “BF” or “BFS” inference codes in their SSH logs.
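The aggregation described above, as an added example that is not Corelight's own code: it normalizes failures from three Zeek/Corelight JSON log types, drops allowlisted sources, thresholds per host pair, and then cross-searches for later successful logins from the suspect addresses. It uses Zeek's documented http.log (status_code) and kerberos.log (success, error_msg) fields; the SSH `inferences` field and its BF/BFS codes are taken from the Encrypted Traffic Collection description above and treated as an assumption, and every log record below is constructed.

```python
"""Generic brute-force hunt over Zeek/Corelight JSON logs.

Added example, not Corelight's code. Uses Zeek's documented http.log
(status_code) and kerberos.log (success, error_msg) fields; the SSH
'inferences' field and its BF/BFS codes are an assumption taken from the
description of Corelight's Encrypted Traffic Collection. Records are constructed.
"""
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network


def _rec(path, ts, orig, resp, **extra):
    base = {"_path": path, "ts": ts, "id.orig_h": orig, "id.resp_h": resp}
    return json.dumps({**base, **extra})


SAMPLE_LOGS = "\n".join(
    # 198.51.100.7 hammers OWA on 10.0.0.5 with bad passwords, then gets in
    [_rec("http", 1646000000 + i, "198.51.100.7", "10.0.0.5",
          uri="/owa/auth.owa", status_code=401) for i in range(6)]
    + [_rec("http", 1646000010, "198.51.100.7", "10.0.0.5",
            uri="/owa/auth.owa", status_code=302)]
    # 203.0.113.9 sprays Kerberos pre-auth against the DC and never succeeds ...
    + [_rec("kerberos", 1646000100 + i, "203.0.113.9", "10.0.0.10",
            success=False, error_msg="KDC_ERR_PREAUTH_FAILED") for i in range(5)]
    # ... and trips the SSH brute-force inference against a jump box
    + [_rec("ssh", 1646000200, "203.0.113.9", "10.0.0.22", inferences=["BFS"])]
    # the in-house vulnerability scanner produces plenty of 401s; it is allowlisted
    + [_rec("http", 1646000300 + i, "10.0.0.200", "10.0.0.5",
            uri="/owa/", status_code=401) for i in range(8)]
    # a user mistypes a password once and then logs in
    + [_rec("http", 1646000400, "10.0.0.51", "10.0.0.5", uri="/owa/auth.owa", status_code=401),
       _rec("http", 1646000401, "10.0.0.51", "10.0.0.5", uri="/owa/auth.owa", status_code=302)]
)

# Known-noisy sources to exclude: scanners, partner applications (site specific)
ALLOWLIST = [ip_network("10.0.0.200/32")]


def classify(rec):
    """Map one record to 'fail', 'success', 'fail_burst' or None using the
    Layer 7 error semantics of its log type. Extend this table per service."""
    path = rec.get("_path")
    if path == "http":
        code = rec.get("status_code")
        if code in (401, 403):
            return "fail"
        if code is not None and 200 <= code < 400:
            return "success"
    elif path == "kerberos":
        if rec.get("success") is False:          # error_msg holds the KRB error code
            return "fail"
        if rec.get("success") is True:
            return "success"
    elif path == "ssh":
        # BF/BFS already mean "brute force observed" in the encrypted stream,
        # so one record counts as a whole burst rather than a single failure.
        if {"BF", "BFS"} & set(rec.get("inferences", [])):
            return "fail_burst"
    return None


def hunt(log_text, threshold=5, allowlist=ALLOWLIST):
    """Return (suspects, successes): suspects maps (orig_h, resp_h, log) to the
    failure count for pairs at or above threshold; successes lists every later
    successful login from a suspect source against any responder."""
    records = sorted((json.loads(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    failures = defaultdict(int)
    first_fail = {}
    for rec in records:
        src = rec["id.orig_h"]
        if any(ip_address(src) in net for net in allowlist):
            continue
        kind = classify(rec)
        if kind in ("fail", "fail_burst"):
            failures[(src, rec["id.resp_h"], rec["_path"])] += (
                threshold if kind == "fail_burst" else 1)
            first_fail.setdefault(src, rec["ts"])
    suspects = {k: n for k, n in failures.items() if n >= threshold}
    suspect_ips = {k[0] for k in suspects}
    successes = [(r["id.orig_h"], r["id.resp_h"], r["_path"]) for r in records
                 if r["id.orig_h"] in suspect_ips and classify(r) == "success"
                 and r["ts"] > first_fail[r["id.orig_h"]]]
    return suspects, successes


if __name__ == "__main__":
    found, wins = hunt(SAMPLE_LOGS)
    for key, n in sorted(found.items(), key=lambda kv: -kv[1]):
        print(f"{key[0]} -> {key[1]} [{key[2]}]: {n} failures")
    for key in wins:
        print(f"LATER SUCCESS from {key[0]} -> {key[1]} [{key[2]}]")
```

On real data, feed `hunt()` the concatenated JSON exports of the three logs for a window of hours, not days: the threshold and the "success after failure" ordering are the whole signal, and a password spray that is slow enough to stay under the threshold per pair will only show up when you also aggregate by source address alone.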
Given that credential access vulnerabilities can sometimes be present without the need for brute forcing - as is the case with password dumps, for example - defenders should employ behavioral anomaly detection on sensitive logins wherever possible. For example, RDP logs for decrypted streams will contain the keyboard_layout field; and for many organizations, the presence of any non-English keymaps is far enough outside the norm to warrant further investigation. For those that need to be more targeted, looking for any Cyrillic-language keymap (to encompass not just Russian, but other nearby languages like Belarusian, as regional alliances come into play) would be advisable.
GreyNoise.io has also published a feed of IP addresses targeting Ukrainian infrastructure, which can be ingested into the Corelight/Zeek Intel framework for easy alerting on any communication with those sources. This can help catch actors that are stealthy enough to evade the common credential-access detection methods above.
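The two checks from the last two paragraphs, as an added example that is not Corelight's or GreyNoise's code: a review of rdp.log keyboard layouts in both the broad (any non-English) and targeted (Cyrillic-script) modes, combined with a match against an address feed written in the Zeek Intel framework's tab-separated input format. It assumes Zeek's documented `keyboard_layout` rdp.log field and the `#fields indicator indicator_type meta.source` feed layout; the layout names are the strings Zeek derives from Windows layout IDs (an assumption), and the feed and records are constructed, not GreyNoise data.

```python
"""Anomaly checks on RDP logins: keyboard-layout review of Zeek rdp.log records
plus matching of source addresses against an intel feed in Zeek Intel-framework
input format.

Added example, not Corelight's or GreyNoise's code. Assumes Zeek's documented
rdp.log field 'keyboard_layout' and the Intel framework's tab-separated input
layout (#fields indicator indicator_type meta.source); the layout names follow
the strings Zeek derives from Windows layout IDs (assumption). Feed and records
are constructed; the feed is not GreyNoise data.
"""
import json

# Layouts that use Cyrillic script (assumption: matched as prefixes of Zeek's
# keyboard_layout string, so "Serbian (Cyrillic)" matches but "Serbian (Latin)" does not).
CYRILLIC_LAYOUTS = ("Russian", "Belarusian", "Ukrainian", "Bulgarian", "Kazakh",
                    "Kyrgyz", "Macedonian", "Mongolian", "Serbian (Cyrillic)",
                    "Tajik", "Uzbek (Cyrillic)")

# Constructed intel feed in Zeek Intel-framework input format (tab separated;
# addresses are from RFC 5737 documentation ranges).
INTEL_FEED = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source",
    "203.0.113.9\tIntel::ADDR\tconstructed-feed",
    "198.51.100.7\tIntel::ADDR\tconstructed-feed",
    "lure.example\tIntel::DOMAIN\tconstructed-feed",
])


def _rdp(orig, resp, layout=None):
    rec = {"_path": "rdp", "id.orig_h": orig, "id.resp_h": resp, "cookie": "user1"}
    if layout is not None:
        rec["keyboard_layout"] = layout
    return json.dumps(rec)


SAMPLE_RDP = [
    _rdp("10.0.0.51", "10.0.0.30", "English - United States"),
    _rdp("10.0.0.52", "10.0.0.30", "German"),
    _rdp("192.0.2.44", "10.0.0.30", "Russian"),
    _rdp("192.0.2.45", "10.0.0.30", "Belarusian"),
    _rdp("203.0.113.9", "10.0.0.30"),   # NLA/CredSSP hid the client info block
]


def load_intel_addrs(feed_text):
    """Return the Intel::ADDR indicators from a Zeek intel input file, driving
    the column mapping off the #fields header rather than fixed positions."""
    fields, addrs = None, set()
    for line in feed_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split("\t")))
            if rec.get("indicator_type") == "Intel::ADDR":
                addrs.add(rec["indicator"])
    return addrs


def review_rdp(lines, intel_addrs, cyrillic_only=True):
    """Return {orig_h: {...}} for connections worth a look. With cyrillic_only
    the layout test is the targeted one; otherwise any non-English layout."""
    findings = {}
    for line in lines:
        rec = json.loads(line)
        src, layout = rec["id.orig_h"], rec.get("keyboard_layout")
        reasons = []
        if src in intel_addrs:
            reasons.append("intel_hit")
        if layout is None:
            pass   # not visible without decryption; rely on the other signal
        elif cyrillic_only:
            if layout.startswith(CYRILLIC_LAYOUTS):
                reasons.append("cyrillic_layout")
        elif not layout.startswith("English"):
            reasons.append("non_english_layout")
        if reasons:
            findings[src] = {"resp_h": rec["id.resp_h"], "layout": layout, "reasons": reasons}
    return findings


if __name__ == "__main__":
    intel = load_intel_addrs(INTEL_FEED)
    for src, info in review_rdp(SAMPLE_RDP, intel).items():
        print(f"{src} -> {info['resp_h']} layout={info['layout']}: {', '.join(info['reasons'])}")
```

Note the last record: when the RDP handshake is protected by NLA/CredSSP the layout never reaches the log, which is exactly why the intel match is kept as an independent signal rather than being folded into the layout test.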
The migration to cloud-based email has made monitoring threats in that medium difficult for defenders, who are often left at the mercy of vendors' logging schemes. Since most phishing attacks still depend on a user clicking a link, network-level detection is best done on the DNS lookups those clicks generate. Defenders have an array of techniques available here, from frequency analysis (malicious domains tend to be rare on a given network) to reviewing all internationalized domain names, which helpfully carry the ACE prefix "xn--" on any label that was encoded from non-ASCII characters and so are easy to select from a dns.log.
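Both techniques from the paragraph above, as an added example that is not Corelight's code: rare-domain frequency analysis over dns.log query names, and selection of "xn--" labels with decoding back to Unicode so the analyst sees the homograph rather than the ACE string. It assumes Zeek's documented dns.log `query` field; the registered-domain heuristic (last two labels) is a deliberate simplification, and the records, including the lure generated from a Unicode name, are constructed.

```python
"""Phishing-lure hunting over Zeek dns.log query names: rare-domain frequency
analysis plus decoding of internationalized (xn--) labels.

Added example, not Corelight's code. Assumes Zeek's documented dns.log 'query'
field; the registered-domain heuristic is a deliberate simplification.
All records are constructed.
"""
import json
from collections import Counter

# Constructed IDN lure: produced from a Unicode name so the decode below is a
# guaranteed round trip (encodes to xn--e1afmkfd.xn--p1ai).
LURE = "пример.рф".encode("idna").decode("ascii")

SAMPLE_DNS = [json.dumps({"_path": "dns", "id.orig_h": "10.0.0.51", "query": q})
              for q in ["mail.example.com"] * 40 + ["login.example.com"] * 30
              + ["cdn.example.net"] * 25
              + ["a1b2c3.example.org", LURE, "xn--80ak6aa92e.com"]]


def registered_domain(name):
    """Crude eTLD+1 (last two labels). Production code should use the public
    suffix list so that 'co.uk'-style suffixes are grouped correctly."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_idn(name):
    """True if any label carries the ACE prefix that marks punycode."""
    return any(label.startswith("xn--") for label in name.lower().split("."))


def decode_idn(name):
    """Render an ACE (xn--) name as Unicode so an analyst sees the homograph;
    None if a label is not valid punycode or fails IDNA's round-trip check."""
    try:
        return name.encode("ascii").decode("idna")
    except ValueError:      # UnicodeError is a ValueError subclass
        return None


def hunt_dns(log_lines, rare_threshold=2):
    """Flag queries whose registered domain is rarely seen, or which carry an
    xn-- label. Returns {query: {"reasons", "count", "decoded"}}."""
    queries = [json.loads(line)["query"] for line in log_lines]
    freq = Counter(registered_domain(q) for q in queries)
    findings = {}
    for q in queries:
        reasons = []
        if freq[registered_domain(q)] <= rare_threshold:
            reasons.append("rare")
        if is_idn(q):
            reasons.append("idn")
        if reasons:
            findings[q] = {"reasons": reasons, "count": freq[registered_domain(q)],
                           "decoded": decode_idn(q) if is_idn(q) else q}
    return findings


if __name__ == "__main__":
    for q, info in hunt_dns(SAMPLE_DNS).items():
        print(f"{q} -> {info['decoded']} ({', '.join(info['reasons'])}, seen {info['count']}x)")
```

The rarity threshold is relative to the size of the capture: two lookups in a day across a large enterprise is rare, two in a small office is not, so tune `rare_threshold` against a baseline rather than treating it as a constant.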
State-sponsored actors are happy to take the path of least resistance, exploiting well-known vulnerabilities that have been left open on neglected systems wherever possible. While patching is obviously the most effective way to close this avenue, doing so across large, distributed environments can be challenging, time-consuming, and error-prone. Smart defenders will integrate their vulnerability management data with their detection technologies, so that attacks detected against known-vulnerable systems are prioritized over the same signatures firing against patched ones. Corelight has out-of-the-box integration with Tenable to help operationalize this type of correlation in our Suricata IDS engine.
Many of the recommendations from the memo, and the further official reading it references, go back to the fundamentals of cyber defense. Centralized logging and monitoring, in a manner that’s efficient enough for defenders to search through quickly; asset identification and monitoring; and running a comprehensive patch management system are all known best practices. Regardless of whether you feel you’re a target for Russian cyberwarfare, it’s worth listening to CISA’s advice, and taking the current conflict as an exercise to test your defensive capabilities.
Research specific to the cyber aspect of the conflict in Ukraine is continuing to emerge from the public and private sector. CISA has already released a detailed bulletin about the disk-wiping malware targeting Ukraine specifically, based on work from ESET, SentinelOne, and Symantec; while the indicators there are more endpoint-focused, network-level details such as certificate fingerprints can also be pulled from the reports.
Corelight is following this situation as it develops, and may publish more in-depth research and guidance as warranted. Check back here for further content as it is created.
By Alex Kirk, Manager Global Security Consultants, Corelight