Security Update (Updated 04/3/2022 17.20)

Since our initial statement last week, Integrity360 has been closely monitoring the ongoing Ukraine / Russia conflict and the security and business risks this brings. Our dedicated Threat Intelligence team have continued to actively monitor for any new indicators of compromise relating to the conflict and disseminate this intelligence throughout our the business. Our SOC Analysts are working closely with the Intelligence teams to protect our Managed Security Service customers.

As the situation continues to evolve, we are keeping a close eye on the risk level posed to our customers, notifying them and reacting accordingly. We would also like to remind our customers to remain vigilant and to take action if they notice anything suspicious in their environment. We are proactively working with various teams across Integrity360 to provide our customers with the latest threat intelligence. The below roundup has been updated as part of our investigations so far. Should you require more information, please don’t hesitate to reach out to us.

Current Findings

Earlier this week, the Conti ransomware group stated their intentions in supporting the Russian government during the invasion of Ukraine. Conti, is a Ransomware-as-a-Service that was first observed in December 2019. The group has primarily targeted major corporations and government agencies, particularly in the USA. The Conti ransomware group, similar to other ransomware families, steal sensitive files and information from compromised networks, holding the target to ransom by threatening to disclose sensitive data. Along with acknowledging their support for Russian actions, they have stated that if anybody tries to interfere or attack Russia, they will “strike back at the critical infrastructures of an enemy”. This allegiance is not surprising as the group has had previous ties with the Russian based cyber crime group, Wizard Spider who are the creators of TRICKBOT, commonly used by Conti.

In addition to the Conti group, other organisations such as SandWorm, Stormous, Freecivilian, UNC1151 (Minsk-based group), The Red Bandits, and the Coomingproject have also sided with Russia.

Whilst these groups are heavily invested in attacking Ukrainian targets, Integrity360 is hearing reports of phishing campaigns relating to the ongoing invasion. Emails have been sent to users calling for bitcoin donations to help fund the Ukrainian Humanitarian aid. The emails appear to originate from npr[.]org or the United Nations Office for the Coordination of Humanitarian (OCHA) domains. Additional forum posts and websites have also appeared in an attempt to take advantage of recent reports that the Ukrainian government is accepting donations in Bitcoin, Ethereum and USDT.

How to protect your organisation

There are a number of basic cyber controls you should follow to help protect your organisation. These will aid in securing your systems, not just during a heightened cyber threat but also during normal circumstances. We recommend every effort is taken to implement the below as soon as possible.

  • Use Multi-Factor authentication
  • Implement network segmentations and filter traffic
  • Scan for vulnerabilities and check your system patching
  • Remove unnecessary applications and verify access controls
  • Implement endpoint and detection response tools
  • Limit access to resources over the network, especially by restricting RDP
  • Secure your user accounts
  • Ensure defences are working – Antivirus active and up to date, Firewall rules current
  • Understand what logging you have in place
  • Review your backups
  • Check your Incident Response Plan is up to date / Response teams know their roles
  • Be aware of what third parties have access to your estate
  • Brief your organisation on what to look out for and to be extra vigilant
  • Educate users to know how to identify phishing emails and be clear on how they report them

If you are concerned about your cyber security posture as this situation unfolds please reach out to our team and we can put you in touch with our Incident Response and Cyber Threat Intelligence teams to discuss additional protections that you may find beneficial.