The cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom released a joint Cybersecurity Advisory (CSA) AA22-110A on April 20, 2022. The objective of this CSA is to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may be driven in response to the massive and unprecedented economic costs imposed on Russia, as well as material support provided by the United States and other allies.
Intelligence data indicates that the Russian government is looking at options for potential cyberattacks. The history of recent Russian state-sponsored cyber operations have included distributed denial-of-service (DDoS) attacks, and multiple instances of deployment of destructive malware against Ukrainian government and critical infrastructure organizations.
Beyond state organizations, some groups which are part of organized crime have also recently and visibly pledged support for the Russian government. These Russian-aligned organized crime groups have threatened to conduct cyber operations in retaliation to cyber offensives against the Russian government and people. Some of these organized crime groups have also threatened to conduct cyber operations against countries and organizations that are providing material support to Ukraine. Very recently, organized crime groups have conducted disruptive attacks against Ukrainian websites. This is very likely in support of the ongoing Russian military offensive.
U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities urge critical infrastructure network defenders to prepare for these potential cyber threats. This requires increased due diligence to harden cyber defense and to put in place the tools and processes to more rapidly and effectively identify indicators of malicious activity.
Recommended mitigations and initiatives to reduce risk include:
- Prioritized patching of all systems against known Common Vulnerabilities and Exposures (CVEs) ideally supported by a centralized patch management system.
- Deploy multi factor authentication (MFA) for all systems and applications which require strong passwords. Do not allow the same passwords to be used in multiple accounts.
- Secure and monitor Remote Desktop Protocol (RDP) and other risky services. RDP is often deployed and left unnoticed, with default passwords and relatively easy port access. If RDP is deemed operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse.
- Provide end-user awareness and training. Much of the exposure to phishing and ransomware is targeted towards the user at the end-points, generally a result of well-thought through social engineering and targeting. Phishing is one of the top infection vectors for ransomware, and Russian state-sponsored APT actors have conducted successful spear phishing campaigns to gain credentials of target networks.
To read the CISA alert directly, please refer to this direct access link.
For more information on Russian state-sponsored cyber activity, see CISA’s Russia Cyber Threat Overview and Advisories webpage. For more information on the heightened cyber threat to critical infrastructure organizations, there are many additional resources:
- Cybersecurity and Infrastructure Security Agency (CISA) Shields Up and Shields Up Technical Guidance webpages
- Australian Cyber Security Center’s (ACSC) Advisory Australian Organizations Should Urgently Adopt an Enhanced Cyber Security Posture.
- Canadian Center for Cyber Security (CCCS) Cyber Threat Bulletin Cyber Center urges Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity
- National Cyber Security Center New Zealand (NZ NCSC) General Security Advisory Understanding and preparing for cyber threats relating to tensions between Russia and Ukraine
- United Kingdom’s National Cyber Security Center (NCSC-UK) guidance on how to bolster cyber defenses in light of the Russian cyber threat
DNS Remains Under Fire
CISA noted within the alert that under recommendations for protective controls and architecture to:
- Implement a firewall and configure it to block Domain Name System (DNS) responses from outside the enterprise network or drop Internet Control Message Protocol (ICMP) packets. Review which admin services need to be accessible externally and allow those explicitly, blocking all others by default.
- U.S. Defense Industrial Base organizations may sign up for the NSA Cybersecurity Collaboration Center’s Protective Domain Name System (PDNS) services.
In March 2022 an ICS Advisory ICSA-21-103-13 noted that the DNS domain name label parsing functionality does not properly validate the null-terminated name in DNS-responses. The parsing of malformed responses could result in a read past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition or leak the read memory. CVE-2020-27736 has been assigned to this vulnerability.
Earlier in January 2022 an ICS Advisory ICSA-21-203-14 update noted that, in this case, the DNS client does not properly randomize UDP port numbers of DNS requests. This could allow an attacker to poison the DNS cache or spoof DNS resolving. CVE-2021-27393 has been assigned to this vulnerability.
A June 2021 Gartner report recommends organizations leverage DNS logs for threat detection and forensic purposes with their Security Information and Event Management platforms.
To find out more about how Infoblox can help protect your DNS infrastructure, please reach out to us via https://info.infoblox.com/contact-form/.
Russia’s invasion of Ukraine could impact organizations both within and beyond the region, to include malicious cyber activity against the U.S. homeland, including as a response to the unprecedented economic costs imposed on Russia by the U.S. and our allies and partners. Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks. Every organization—large and small—must be prepared to respond to disruptive cyber incidents. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyberattacks. When cyber incidents are reported quickly, we can use this information to render assistance and as a warning to prevent other organizations and entities from falling victim to a similar attack.
Organizations should report anomalous cyber activity and/or cyber incidents 24/7 to firstname.lastname@example.org or (888) 282-0870.