One month ago, the Russian government began the invasion of Ukraine, triggering one of the most severe security crises in Europe since the collapse of the Soviet Union in 1992. The Photon Intelligence Team has been constantly analyzing the development of this war, providing assessments of the involvement of hacktivism in this conflict, practical advice for security leaders, and tips on how to use intelligence requirements to shape your response to the emerging cyber threats. These resources, along with various other relevant blogs and podcasts, can be found here.

As a consequence of this war, many organizations with economic or geopolitical ties to Ukraine or its allies raised their internal cyber threat level. The Russian Federation has repeatedly shown itself to be one of the most sophisticated actors in the cyber domain. So far, attacks against Ukrainian organizations have included website defacements, Distributed Denial of Service (DDoS) attacks, and the deployment of several wiper malware families. Although we have not yet observed a large-scale destructive cyber attack, it is realistically possible that we will in the coming weeks if the conflict escalates further. The USA is well aware of this possibility, which was highlighted in a recent statement by US President Joe Biden.

For this reason, I have decided to focus our monthly vulnerability intelligence blog on three CVEs directly or indirectly related to this conflict. In any case, all the CVEs discussed in this blog have patches available, so if you haven’t already applied them, this is the time to harden your security!

The One Used to Deface Ukrainian Websites (CVE-2021-32648)

Between 13 and 14 January 2022, a Russian-attributed threat actor defaced the websites of more than 70 government agencies in Ukraine, impacting the Ukrainian Foreign Ministry, the Ministry of Education and Science, and other state services. These attacks rendered several of these websites inaccessible, and left threatening messages for Ukrainian citizens, stating that they should “be afraid and expect the worst”.

The following day, Microsoft announced that it had detected destructive wiper malware, “WhisperGate”, being installed on computer systems hosting the defaced government websites mentioned above. WhisperGate was designed to initially look like ransomware, although its true purpose was to destroy Ukrainian government systems or render them inoperable.

According to this threat brief, the threat actors likely gained initial access to these websites by exploiting CVE-2021-32648, a vulnerability in the OctoberCMS platform prior to version 1.0.472 that allows attackers to take over any account via a specially crafted password reset request.

A public proof of concept (PoC) for this vulnerability was published on GitHub on 14 January 2022, on the second day of the Ukrainian website defacement attack. This PoC allowed organizations to fully grasp how this vulnerability works and how threat actors may have exploited it. A countermeasure for this vulnerability was then published on 09 Feb 2022.

Vulnerability timeline available on Digital Shadows (now ReliaQuest)’ Vulnerability Intelligence portal

The One Used to Deploy HermeticWiper (CVE-2021-1636)

Of the malicious cyber activity that Russia has conducted against Ukrainian targets, the deployment of wiper malware has probably been the most prevalent and pervasive based on what we have observed so far. Security researchers identified at least three different malware strains in the first weeks of the conflict, namely HermeticWiper, IsaacWiper, and CaddyWiper.

In one instance, security researchers observed attackers exploiting CVE-2021-1636, a known vulnerability in Microsoft SQL Server, to gain an initial foothold in a Ukrainian organization. This access to the victim environment was reportedly used to deploy and then execute HermeticWiper on the attackers’ target.

Additional details on CVE-2021-1636 as detailed in Digital Shadows (now ReliaQuest)’ portal

The same report also claims that the same attackers likely exploited vulnerabilities in Microsoft Exchange Server and Apache Tomcat to steal and dump credentials, run PowerShell commands, and execute malware. As such, it is likely that the threat actor behind these attacks is technically sophisticated and maintains a wide toolbox of potential intrusion vectors.

The One Used to Bypass Multi-Factor Authentication (CVE-2021-34527)

On 15 Mar 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint advisory containing technical details and mitigations related to the ability of Russian state-sponsored cyber actors to gain network access through exploitation of default multi-factor authentication (MFA) protocols and CVE-2021-34527, a known vulnerability affecting the Windows Print Spooler, widely referred to as “PrintNightmare.”

According to the advisory, Russian state-sponsored threat actors have repeatedly exploited PrintNightmare to run arbitrary code with SYSTEM privileges. This privilege escalation was later used to access cloud servers and email accounts, with the ultimate goal of exfiltrating sensitive information.

PrintNightmare has been exploited by a wide range of threat actors and malware operators since it was disclosed. The Associations tab in Digital Shadows (now ReliaQuest)’ Vulnerability Intelligence portal helps security professionals analyze the various links malicious actors have to this vulnerability, and thus shows how severe it can be. Patching this vulnerability should be a high priority for organizations concerned about Russian state-sponsored cyber actors during these tense times.

Associations with CVE-2021-34527 as seen in our Search Light (now ReliaQuest GreyMatter Digital Risk Protection) portal

Making Vulnerability Intelligence Work for You

As we’ve highlighted in this blog, vulnerability intelligence can be an incredible asset for fine-tuning your vulnerability management process. By understanding the context behind individual vulnerabilities, security teams can move away from relying solely on CVSS scores and instead focus on what matters to their organization. Too many vulnerabilities and far too little time are common sentiments among the security community; at Digital Shadows (now ReliaQuest), we pride ourselves on allowing our clients to reduce the noise and focus on what matters. Taking a risk-based approach is the most effective way of targeting vulnerabilities, and it will ultimately have the most significant impact on reducing your overall cyber risk.
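As an added illustration of the risk-based approach described above (example code written for this post, not part of the original blog or of any Digital Shadows product): a small prioritizer that starts from CVSS and then weighs in the kind of context vulnerability intelligence supplies, namely observed exploitation, breadth of actor associations and how many of your own assets are affected. The CVSS values, asset counts and association counts below are constructed sample data, and the fourth CVE is an obvious placeholder standing in for any high-CVSS bug with no known exploitation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float              # base score; constructed sample value, check NVD for the real one
    exploited_in_wild: bool  # intelligence reports active exploitation
    actor_associations: int  # distinct actors/malware families linked to it (constructed)
    exposed_assets: int      # affected instances in our own estate (constructed)

def risk_score(v: Vuln) -> float:
    """Context-weighted risk: CVSS is the starting point, not the verdict."""
    if v.exposed_assets == 0:
        return 0.0  # nothing to patch, whatever the base score says
    score = v.cvss
    if v.exploited_in_wild:
        score += 3.0  # observed exploitation outweighs theoretical severity
    score += min(v.actor_associations, 5) * 0.5  # breadth of adversary interest
    score += min(v.exposed_assets, 50) / 10      # size of our own attack surface
    return round(score, 2)

def cvss_order(vulns):
    """Ranking by base score alone (stable sort, so ties keep input order)."""
    return [v.cve for v in sorted(vulns, key=lambda v: -v.cvss)]

def prioritize(vulns):
    """Ranking by context-weighted risk, highest first."""
    return [v.cve for v in sorted(vulns, key=risk_score, reverse=True)]

# Constructed sample: the three CVEs from the post plus one placeholder, in an
# imagined estate with no OctoberCMS, a few SQL Servers and many print spoolers.
SAMPLE = [
    Vuln("CVE-2021-32648", 9.1, True, 1, 0),
    Vuln("CVE-2021-1636", 8.8, True, 1, 3),
    Vuln("CVE-2021-34527", 8.8, True, 5, 40),
    Vuln("CVE-0000-PLACEHOLDER", 9.8, False, 0, 10),  # high CVSS, no known exploitation
]

if __name__ == "__main__":
    print("by CVSS:", cvss_order(SAMPLE))
    print("by risk:", prioritize(SAMPLE))
    for v in SAMPLE:
        print(f"{v.cve:22} cvss={v.cvss:4} risk={risk_score(v)}")
```

With this sample the CVSS-only list puts the unexploited placeholder first and PrintNightmare last, while the risk-based list reverses that and drops the OctoberCMS bug to zero because the estate has nothing running it.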