Cyber security advice during the Ukraine conflict

Advice from our SOC team

Our Security Operations Centre (SOC) is actively monitoring all activity from customer logs via our Security Information Event Management (SIEM) technology and wider threat intelligence sources. Our team remains on high alert for any deviations and is monitoring for suspicious activity. This includes, but is in no means limited to, the following:

• Modifications to user, groups, and computer accounts
• Unusual login behaviour such as authenticating outside of normal office hours or from known bad actor IPs
• Spikes in activity which could suggest data exfiltration or DDoS attacks
• Installing or removing software
• Accessing applications deemed inappropriate for normal work purposes
• Additional monitoring for IPs known to be part of a Russian botnet
• Additional monitoring for the new HermeticWiper malware

Our SOC team encourages all organisations to put extra measures in place to actively monitor environments for suspicious activity. One of the most proactive steps you can take is to ensure that logs are being sent from all necessary areas of your network so that you can maintain an accurate, detailed overview of your entire attack surface.

What is the threat to UK organisations?

Where possible, we are conducting further investigations for our clients with a particular focus on organisations operating in financial services, infrastructure and public sectors. This precaution comes as a result of our own research, which has shown increased activity since 20th January 2022 targeting the financial and insurance industries in particular.

Generally, we suspect the threat to the UK may increase in these sectors specifically. If this is the case, the attacks will likely have destruction and espionage motives against larger organisations, though we cannot rule out the case of malicious opportunist hackers who may present a higher risk to smaller businesses.

On social media there has been an increase in activity amongst bug bounty hunters and members of the community that are actively discussing using the cloud to conduct DNS reflection attacks. Some of these discussions include an ‘attack list’ of target IP addresses, which all seemingly originate in the East.

At this time we are not aware of the HermeticWiper malware affecting UK organisations. The indicator of compromise (IOC) has been included as part of our additional detection queries which our SOC are monitoring in real-time. We will be doing our part to assess the situation regularly and disclose any information that suggests it has changed.

What you can do to protect your business

It is tough to pinpoint exactly what types of attacks could target UK businesses. For this reason, we highly recommend applying the usual IT hygiene and security best practice.

Our recent research shows that 83% of all cyber attacks are phishing attacks. For this reason, we would encourage organisations to be extra vigilant against this attack vector, including watering hole and ‘vishing’ attacks, due to their ease of entry.

From a technical stance, we recommend all businesses ensure up-to-date system security patches are applied without delay across firmware, client devices and servers. Additionally, customers should update their anti-virus, IPS/IDS, and EDR solutions. These are fundamental steps in cyber security and are now even more important given the current, escalated threat landscape.

Our research also showed that 28% of businesses have critical vulnerabilities that could be immediately exploited as part of a cyber attack. It is therefore vitally important to identify and remediate vulnerabilities on an ongoing basis to avoid opportunistic attacks.

• Enable Multi-Factor Authentication (MFA) on all privileged accounts (if not across the wider organisation)
• Provide user advice on using unique passwords and avoiding password reuse
• Consider placing a temporary change freeze on major technical projects – infrastructure changes may allow attackers to exploit the organisation or evade detection during such change processes
• Check, remove and/or restrict third-party access where possible
• Review your backups, follow the 3-2-1 rule and ensure that at least one of them is offsite and offline. This includes critical external credentials such as private keys and access tokens (particularly in defence against the HermeticWiper malware attack)
• Alert the wider business to remain vigilant
• Review your incident response plan

Nation state actors are much more likely to find zero-day vulnerabilities due to the resources available to them, and other hacking groups will quickly take advantage of these exploits once they become common knowledge. So on a final note, ensure you keep informed about the latest developments in the news, regularly monitor your organisation’s environments for suspicious activity and make sure that you are patching systems as quickly as possible.

While we can’t predict exactly what the cyber risk to UK organisations will be as a result of the Ukraine crisis, history tells us that the majority of attacks are successful due to poor cyber security practice and a lack of awareness. It’s therefore important to take action in order to reduce risk and prevent opportunistic attacks.