There is nothing special or mythical about how Russian cyber-attacks begin. Like other threat actors, they use common methods to gain entrance to organizations that can be easily prevented with good cyber security hygiene.
Once they gain access, the havoc begins. This article focuses on the part you can control – the access point.
We look at the three most common ways Russian-state-sponsored hackers gain access and how you can prevent it from happening to you.
Approach 1 – Spear Phishing
Spear Phishing is more targeted than general phishing and will often use company insider lingo and even impersonate a coworker with social engineering tactics through email.
How to Fight it
- Check the email address and the domain name. If the email includes links, hover over links before clicking them. The URL that displays will reveal where that link goes. If the displayed text of the link reads something different, this should be a red flag.
- Be suspicious of any requests for personal information or emails expressing urgency.
- Reduce your risk surface by adopting the Principle of Least Privilege, or PoLP. This principle gives users only the access they need to get the job done and carefully audits existing licenses and access to programs and systems. An example of this in practice is requiring signed PowerShell scripts. This limits users to critical company functions and reduces the possible points of entry.
Add in Tech Armor
If you don’t want to trust that every employee will always follow best practices around email security, a Phishing Analyzer can fight all types of phishing.
LiveAction’s ThreatEyeNV has a phishing analyzer that activates once an email link is clicked and runs a supervised model that compares the link to hundreds of verified phishing sites and known benign sites before the phishing attempt can progress further.
Approach 2 – Insecure Remote Access
Initial access brokers (IABs) are threat actors with one job… to get access to systems as quietly as possible. That’s it. Once they acquire access, their goal is to sell the information on the dark web to a hacker who wants convenient access to the organization.
They can gain access to systems primarily through stolen passwords using phishing as described in approach 1, exploiting vulnerabilities as described in approach three, or using brute force.
BRUTE FORCE
Although an older form of hacking, it’s still popular and effective. Brute force is the hacking method that cracks weak passwords and login credentials with repeated attempts. This can be done without any programs, guessing, for example, 123456 ( which, according to Nordpass’s 2021 report, was still used by 103,170,552 active users. It is typically done through a script that will guess combinations, also called Password Spraying.
WHAT HAPPENS TO THE STOLEN CREDENTIALS?
The credentials are usually sold for remote desktop protocols (RDPs), SSH, and VPNs. Some IABs will install remote management software onto the server or disable security features for an additional fee.
The benefit to a threat actor of using an IAB is skipping the initial step of failed login attempts and possibly alerting an organization to their presence and resulting in a heightened security posture. With legitimate credentials, they can successfully log in and remain in the system undetected while they plan their attack.
How to Fight it
- Set maximums for login attempts across your organization and put into place account locking requiring admin intervention for when that threshold is reached
- Protect your passwords
- Use a password manager to store, generate, and manage your passwords in an encrypted environment. There are many free options available
- Use multi-factor authentication (MFA) organization-wide. This is more effective than 2FA, which can be easily overcome if the hacker has your password and email access.
- Use biometric identifiers as passwords wherever possible – fingerprint and facial scans are much harder to get around
- Make sure your home WiFi is password protected and use a VPN whenever using public WiFi.
- Look for these warnings
- Escalated privileges
- Unusual network activity
- Changes with security services being disabled or new services added
Add in Tech Armor
Although there are techniques you can use to better secure your passwords, once stolen, it’s tough to detect an unwanted presence on your network if they are using legitimate credentials. This is where AI and ML come into a security tool with fingerprinting and behavioral analysis scanning. These tools can identify anomalies across the network that humans cannot pick up on.
3 – Unpatched Known Vulnerabilities
There is a golden space of time called The Patching Gap that hackers live for. The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. Once they detect the vulnerability in the software or application, they disclose it to the organization running that program and give them a set time to create a patch before the vulnerability is disclosed to the public. Sometimes the organization will not have a patch ready when the vulnerability is disclosed by CVE. This is the challenge from one side of the patching gap. The challenge from the other side is from the point of announcement and patch availability to when the organizations apply the update to their systems.
As soon as a vulnerability is publically disclosed, hackers rush to weaponize these vulnerabilities. Shockingly many organizations choose not to update their systems for various reasons. There could be due to fear that updates will be incompatible with other applications on their network, customizations lost in the update, integrations negatively impacted, or the general hesitation to change things when everything “appears” to be doing fine. Some miss the memo because of employee changes or poorly organized operations.
How to Fight it
- Prioritize keeping systems, software, firmware, and hardware updated. When updates come out on applications and software, these aren’t just new features but often cover critical bugs or holes discovered in the program.
- Check this list compiled by cisa.gov – These are known exploits that Russian hackers have used before to gain access to organizations. Having an unpatched know exploit is putting out a welcome sign for hackers.
- CVE-2018-13379FortiGate VPNs
- CVE-2019-1653 Cisco router
- CVE-2019-2725 Oracle WebLogic Server
- CVE-2019-7609 Kibana
- CVE-2019-9670 Zimbra software
- CVE-2019-10149 Exim Simple Mail Transfer Protocol
- CVE-2019-11510 Pulse Secure
- CVE-2019-19781 Citrix
- CVE-2020-0688 Microsoft Exchange
- CVE-2020-4006 VMWare
- CVE-2020-5902 F5 Big-IP
- CVE-2020-14882 Oracle WebLogic
- CVE-2021-26855 Microsoft Exchange (often used with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)
Add in Tech Armor
Close the patching gap by using an Automated Patching Management Tool. If a patch is available for a CVE, the tool should automatically trigger a pull request and a git code change. This reduces the time an organization is vulnerable to minutes instead of hours or longer.
Final Considerations
Here are a few things to heed that will better position your organization for a cyber attack.
INVEST IN BACKUPS
Make sure your mission-critical systems are all backed up. Go through the steps of recovering your information to make sure you can recover your company data if an attack does happen.
GET REDUNDANT SERVERS
With several geographically distributed servers, it’s harder for a hacker to locate and attack all of them at once – the remaining servers can temporarily take on the additional traffic until the attacked server is back online.
USE A VPN
The VPN will hide your IP address and encrypt your traffic whenever accessing public WiFi.
Invest in an NDR Platform
The ThreatEye network detection and response (NDR) platform is purpose-built for today’s network security environment, combining next-generation data collection, advanced behavioral analysis, and streaming machine learning for threat detection and security compliance.
Unfazed by encryption, ThreatEye combines network traffic traits and characteristics with streaming machine learning-based analysis. Unlike traffic analysis solutions built on DPI technologies, the ThreatEye platform leverages Deep Packet Dynamics (DPD) to analyze traffic flows. DPD provides high-fidelity flow records with over 150 features for each flow without payload inspection. Packet Dynamics, coupled with machine learning, enables unique capabilities for regaining visibility into encrypted traffic.
Want to learn more? Let’s keep the conversation going.
