The emerging crisis in Ukraine
Updated: Feb 25, 2022
In light of this morning’s devastating news on the ongoing crisis in Ukraine, our thoughts and prayers are with anyone affected.
Our threat intelligence is highlighting a significant increase in cyber-attacks against the West, specifically targeting Financial Services and FinTech organisations as well as those that host, connect to, or supply any form of critical national infrastructure.
CovertSwarm are here to offer all the support we can to our clients, connections, and wider network.
Should you need any assistance at all, please contact our dedicated response line on +44 3300 570 899 or contact us using the form here - www.covertswarm.com/contact
This alert contains some key actions to take to mitigate the likelihood of a successful attack.
Now, more than ever, we should all redouble our efforts to mitigate a successful attack. Whilst you may already have many of these controls in place, we would strongly recommend auditing and enhancing them wherever possible.
People are the strongest asset any business has. It is the responsibility of all of us to protect and defend our organisations. Ensuring your people are briefed and ready to respond or raise concerns, however minor, is one of the best lines of defence.
Multi Factor Authentication (MFA)
Audit all user accounts to ensure MFA has been configured. This should include not just ‘key’ services such as Microsoft, Google and Amazon – but all third-party services you use.
Provide guidance to your teams on targeted phishing attacks, including those that target 2FA workflows, such as phishing sites that prompt for the 2FA code as well as the password.
Never approve 2FA ‘push’ login requests or approvals that are not expected.
Office 365 - https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
Google Workspace - https://support.google.com/a/answer/175197?hl=en
Consider implementing GeoLocking for key services and consider blocking or logging actions that originate from unexpected geographic locations. Whilst this technique may be limited in overall effectiveness, it can help within a defence-in-depth approach to security and may provide early warning of unusual activity.
Firewalls Work Both Ways
Firewalls, by their very nature, control traffic bi-directionally (in and out). Now is the time to review all boundary controls to ensure not only that the minimum is allowed ‘in’ – but also that only the minimum is allowed ‘out’. We often see blanket ‘allow’ rules for outbound traffic from networks, which enable simple data exfiltration for an attacker.
Further, where you have sensitive systems, services, or interfaces, especially those that have any kind of administrative functionality, these should never be open to the public internet, and traffic should only be permitted from trusted locations – such as ‘jump’ boxes or 2FA VPN endpoints which have been hardened accordingly. This should include administrative portals and pages on any of your public websites, including any ‘brochureware’ sites.
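One way to run the review described above, as an added example that is not CovertSwarm's own tooling: it assumes the boundary is expressed as AWS security groups exported with `aws ec2 describe-security-groups`, and flags blanket outbound ‘allow’ rules and administrative ports open to the internet. The sample data, the group IDs and the list of administrative ports are constructed for illustration.

```python
import json

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-web-example", "IpPermissions": [
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
   "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-db-example", "IpPermissions": [
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.5.10/32"}]}],
   "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.9.0/24"}]}]}
]}
""")

ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # assumed list; extend with your own admin interfaces

def open_to_world(rule):
    """True if the rule's source/destination includes the whole internet (IPv4 or IPv6)."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)

def covers(rule, port):
    """True if the rule permits TCP traffic on the given port."""
    if rule.get("IpProtocol") == "-1":  # "-1" means all protocols and all ports
        return True
    return rule.get("IpProtocol") == "tcp" and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def audit(doc):
    """Return (group id, direction, message) for each rule that breaks the guidance above."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for rule in sg.get("IpPermissionsEgress", []):
            if rule.get("IpProtocol") == "-1" and open_to_world(rule):
                findings.append((sg["GroupId"], "egress", "all traffic allowed out to anywhere"))
        for rule in sg.get("IpPermissions", []):
            if not open_to_world(rule):
                continue  # restricted to specific sources, e.g. a jump box
            for port, name in ADMIN_PORTS.items():
                if covers(rule, port):
                    findings.append((sg["GroupId"], "ingress", f"{name} ({port}) open to the internet"))
    return findings

if __name__ == "__main__":
    for gid, direction, msg in audit(SAMPLE):
        print(f"{gid}: {direction}: {msg}")
```

Groups that produce no findings, such as the constructed `sg-db-example`, are the target state: administrative access from a single trusted address and outbound traffic limited to what the service needs.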
Review System Hardening and Logging Configuration
Review actively running services on all critical systems, especially those that form any part of your perimeter. This includes all programs and the communication channels they use. Knowing what is ‘there’ helps to detect anomalies and spot compromised systems or systems that are currently under attack.
Attackers will leverage ‘living off the land’ attacks to remain undetected on compromised systems. We therefore advise increasing the monitoring of inbound and outbound traffic, as well as enabling advanced logging for each service in use. Some options for practical implementation include:
Network Intrusion Detection System solutions: Suricata and/or Zeek
Furthermore, it is strongly recommended to actively ‘allowlist’ (deny everything else) the IP addresses able to access critical endpoints of the server, such as SSH, admin interfaces or anything the end user should not have access to. We encourage you to implement application control lists that help to prevent unauthorized applications from running on the servers.
Cyber Response Planning
A key part of planning for cyber-attacks is to have a clear plan for when the worst happens. As such, we would recommend that the following steps are taken if a plan is not already in place:
Dedicated Incident Response Point of contact
It is key that all staff know who to contact, and when, if they believe a compromise has taken place, and that everyone has a clear process for reporting and managing cyber threats. Typically, this would be the phone number of a key contact.
Out of Band Communication
Ensure that there is a known and published way to communicate should your central/core communications (Gmail / M365 / Slack etc.) fail. This ‘Plan B’ could, for example, be via Signal, WhatsApp or even SMS.
How We Can Help
At CovertSwarm we are actively engaging with our clients to offer support.
If you have any concerns about your cyber security posture or need advice and guidance around the details in this threat alert, or any other areas of concern, please feel free to reach out to us directly.
We can be reached on +44 3300 570 899 or via the contact form here - www.covertswarm.com/contact
We will continue to closely monitor the situation at hand and will provide additional information and guidance where needed.