Situation overview
Russia’s invasion of Ukraine is a prime example of one nation employing a combination of traditional weaponry and cyberattacks against another to disrupt business and government. As outlined by the US Cybersecurity & Infrastructure Security Agency (CISA) in its alert:
“Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.”
As foundational precautions, OpenText™ recommends several industry best practices, including:
- Set antivirus and antimalware programs to conduct regular scans.
- Conduct threat hunting.
- Enable strong spam filters to prevent phishing emails from reaching end users.
- Filter network traffic.
- Update software.
- Require multifactor authentication.
Combating known threats
On January 15, 2022, it was disclosed that malware known as WhisperGate was being used to strategically target organizations in Ukraine, rendering targeted devices inoperable. These threat actors were also targeting domain controllers of these businesses to disrupt their ability to operate—looking to cause as much damage as possible as quickly as possible.
Then, on February 23, 2022, it was discovered that malware known as HermeticWiper was being used against organizations in Ukraine. This malware targets Windows devices, manipulating the master boot record, which results in subsequent boot failure. HermeticWiper appears to be a custom-written application with very few standard functions. The adversaries are using a tried and tested technique of wiper malware, abusing a benign partition management driver, to carry out the more damaging components of their attacks.
In addition, CISA has identified an increased number of Conti ransomware attacks on US companies and other entities. Conti actors frequently employ spearphishing techniques to gain access to digital infrastructure and then exploit legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence. The actors use tools already available on the victim network—and, as needed, add additional tools, such as Windows Sysinternals and Mimikatz—to obtain users’ hashes and clear-text credentials, which enable the actors to escalate privileges within a domain and perform other post-exploitation and lateral movement tasks. In some cases, the actors also use TrickBot malware to carry out post-exploitation tasks.
How OpenText protects you
As always, OpenText’s security solutions are designed to help find information no matter where it is buried to effectively conduct investigations, manage risk, and respond to incidents. By understanding the mindset of threat actors and the tactics, techniques, and procedures (TTPs) they employ, we can provide unparalleled identification and remediation of risks.
OpenText uses behavior-based detections in our managed extended detection and response (MxDR) platform, which allows us to detect threat actors earlier in the cyber kill chain, before they can disrupt business operations. OpenText MxDR continuously runs threat simulations against our detection platform to ensure our visibility and detections are the best possible.
Our OpenText Network Detection and Response gives customers the network visibility, telemetry, and metadata needed to detect threats.
In all of these cases, we give our customers the ability to protect against, detect, and respond to threats.
OpenText’s commitment
OpenText remains committed to helping businesses and organizations operate safely, wherever their data travels.
With data as the currency of information in the modern world, we embrace the idea that we are all connected, and must collectively take responsibility for maintaining a trusted state for commerce, government, and other communications within civil society.
For more information
OpenText can help your business stay prepared and in a trusted state by initiating threat hunting and Managed XDR services for real-time detection and rapid response.
Contact us at any time to speak with one of our skilled security experts.