In March 2022, we have seen new cyberattack activity, in particular the recent breach affecting Okta customers. Russia’s continuing onslaught of Ukraine has been accompanied by devastating (and in some cases, not-so-devastating) cyberwarfare. The U.S. Government has warned of continuing cyberattacks.
The Zscaler ThreatLabZ team has documented threats related to the conflict, including new “wiper” malware used in DDoS attacks and two new attack chains that appear to be attributable to the Gamaredon APT threat actor. In this month’s summary, I’ll review what we at ThreatLabZ know about Ukraine-targeted cyberattacks.
ThreatLabz recommends credential-rotating, MFA enablement, policy review in response to Okta security breach
On Monday, March 21st, the LAPSUS$ adversary group claimed responsibility for breaching Okta’s internal systems in January of 2022 through a third-party subcontractor. The group provided proof via a series of screenshots, and noted that their focus was on obtaining access to Okta’s customers’ organizations, not Okta systems. Okta estimates that up to 366 of their customers have been impacted by this breach.
Zscaler was not impacted by the Okta breach. Zscaler uses Okta internally for identity provision, but access to production environments requires multiple additional factors including hardware tokens not provided by Okta. (More here.)
ThreatLabz encourages Okta customers to rotate credentials, ensure MFA is enabled, review logs, review policies, and employ best practices to identify indicators of compromise. For more technical details including SOC playbook, read my LinkedIn post here and my blog on the subject here.
Biden Administration issues advisory on Ukraine-related cyber risks
On March 21, the administration of U.S. President Joe Biden issued a security advisory warning of the potential for malicious cyber conduct against the United States as a response to economic sanctions against Russia. His statement urged immediate action to harden cyber defenses among both public and private sector organizations.
The Zscaler ThreatLabz team has aggregated guidance and resources in the Zscaler Russia-Ukraine Conflict Cyber Resource Center. We will continue to update this page and our blog with new developments, as well as add information to register for live threat briefings that we deliver when relevant cybersecurity events unfold.
HermeticWiper malware campaign targets Ukraine while PartyTicket ransomware runs interference
HermeticWiper is a sophisticated malware family that is designed to destroy data and render a system inoperable. The ThreatLabz team analyzed the malware payload involved and uncovered several new tactics used in these attacks. The wiper is multi-threaded to maximize speed. The malware utilizes a kernel driver for low-level disk access. When executed, the wiper malware extracts and decompresses a driver, which then acts to give itself admin privileges before destroying the Master Boot Record (MBR) on every physical disk by overwriting the first 512 bytes with random data. It then forces a reboot, which then generates a “missing operating system” screen.
Figure 1: Zscaler Cloud Sandbox Report - Hermetic Wiper
The HermeticWiper campaign was accompanied by a cruder, less-sophisticated ransomware campaign called “PartyTicket.” PartyTicket appears to have been created to distract attention away from the more impactful HermeticWiper malware deployments.
PartyTicket is quite distinct from typical ransomware families in that the design and implementation looks rushed and unsophisticated. For example, PartyTicket does not terminate processes such as databases and other business applications prior to encryption. In addition, the malware generates a 32 character alphanumeric key using the Go programming language’s random function, which is deterministic. Therefore, the AES encryption key can be recovered and used to decrypt files.
Figure 2. Example PartyTicket ransom note
When triggered, PartyTicket encrypts accessible individual files on a victim’s machine before displaying a ransom note on the desktop.
Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.
For more information on the HermeticWiper malware (including attack chain assessment), read the ThreatLabz team’s analysis here.
Read ThreatLabz’ detailed technical analysis of the PartyTicket ransomware here.
DanaBot Launches DDoS Attack Against the Ukrainian Ministry of Defense
Earlier this month, a threat actor using DanaBot launched a Distributed Denial of Service (DDoS) attack against the Ukrainian Ministry of Defense’s webmail server.
Figure 3. Hardcoded DDoS Target Attacked by DanaBot With Affiliate ID 5
DanaBot, first detected in 2018, is a malware-as-a-service platform. Threat actors identified as “affiliates” subscribe to the service to gain access to the platform’s shared command-and-control (C2) infrastructure and control panels. Affiliates then distribute and use the malware as they see fit--mostly to steal credentials and commit banking fraud.
On March 2, attackers deployed DanaBot as part of a HTTP-based DDoS attack on the Ukrainian Ministry of Defense’s webmail server. Within several days, however, the attackers switched course, and aimed their DDoS attacks at a specific, hardcoded IP address (138.68.177[.]158). According to language on that page, that location is associated with “an information resource of the Office of the National Security and Defense Council of Ukraine, which provides information about prisoners of war of the Russian Armed Forces.”
It’s not clear whether this particular DanaBot activity is an act of individual hacktivism, something state-sponsored, or possibly a false flag operation. Assuming the threat actor seeks to attack Ukraine directly, it’s fair to assume the cybercriminal may also extend the attack to include DanaBot’s broader functionality, such as credential and document theft.
Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.
To learn more about how hackers are using DanaBot to target Ukrainian military sites with DDoS attacks, read Zscaler ThreatLabz detailed coverage here.
Two new attack chains appear to be the work of the Gamaredon threat group
In January and February, the Zscaler ThreatLabz team detected two new attack chains deployed at systems in Ukraine. With “moderate” confidence, we were able to attribute the attacks were most likely the work of the Gamaredon APT threat group. We drew that tentative conclusion based on the malware’s reliance on familiar Gamaredon-like C2 infrastructure.
Figure 4. Targeted attack chain #1
Figure 5. Targeted attack chain #2
The first attack – which, by the way, was documented by Ukraine’s CERT team on February 1 – started with phishing emails sent to the “State Administration of Seaports of Ukraine.” The emails included RAR archive file attachments with VBAscript macros infused with malware.
Later in February, ThreatLabZ discovered a second, new attack chain, one with origins that trace all the way back to November 2020. It also relies on what appears to be Gamaredon-developed C2 infrastructure. Used less frequently, the second attack method also starts with spear-phishing emails, also with RAR archive files attached. In this case, the attachments include embedded Windows shortcut (.LNK) files that, when clicked, download payload executables from the attacker-controlled server.
Zscaler and ThreatLabZ have ensured full coverage for these types of attacks via advanced threat signatures and advanced cloud sandbox analysis.
Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.
Read more about these two attack chains linked to the Gamaredon APT group here.
Summary: ThreatLabz security advisory for conflict-related cyberattacks
In February, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement with the FBI and NSA outlining the tools and tactics used by Russian threat actors in targeting government and defense contractors with an objective to steal sensitive information. This advisory outlined the use of tactics such as spear-phishing emails, credential-stuffing, brute-forcing, privilege escalation, and persistence.
We have also seen threat actor efforts to compromise systems in North America and Europe. Some particular commercial sectors – some related to defense, some not – have recently come under cyberattack, including companies that specialize in weapons and missile development, vehicle and aircraft design, software development and IT, data analytics, and logistics.
The Zscaler Zero Trust Exchange uses the principles of zero trust to protect organizations from cyberattack. Zscaler uniquely shields customers from attack by minimizing attack surface, making apps invisible to outside eyes, detecting and blocking malicious activity, preventing lateral movement, and eliminating data-loss risk. Zscaler has added coverage for known indicators of all cyberthreats related to the Russia-Ukraine conflict.
For more information related to Zscaler coverage of Russia-Ukraine conflict-related cyberattacks, read the ThreatLabZ security advisory here.
What to read next: