News Insights: DHS bulletin to critical infrastructure operators and local government

journalofcyberpolicy

Hugh Taylor | journalofcyberpolicy.com »

The Department of Homeland Security reportedly sent out a bulletin Sunday to critical infrastructure operators and local government officials warning of the potential for cyberattacks launched by the Russian government in response to any US involvement in a potential war in Ukraine.

Research Insights:
Saryu Nayyar
Saryu Nayyar, CEO and Founder, Gurucul

“It is not surprising that the cyberattacks on the Ukraine were not going to be isolated to them based on the US involvement in Russia’s aggressive military actions. As the CISA points out with attacks such as WhisperGate, ‘identifying and quickly assessing any unexpected or unusual network behavior’ includes activity such as privileged access violations. Cisco Talos reports that system access was most likely based on stolen credentials. Organizations in the US must go beyond traditional XDR and SIEM solutions and incorporate identity and access analytics with user and entity behavior analytics to pick out unusual network activity, lateral movement and unusual access to applications. This activity must be escalated quickly and with confidence to security teams in light of forthcoming attacks. Stolen credentials can be identified based on abnormal usage by threat actors, especially as most other detection techniques cannot discern this being an immediate threat.”

Additionally, researchers with Trellix found a OneDrive malware campaign which targets government officials in Western Asia by using Microsoft’s Graph API to leverage OneDrive as a command-and-control server. The researchers have named the malware ‘Graphite’ due to its use of Microsoft’s Graph API. The attack takes advantage of an MSHTML remote code execution vulnerability (CVE-2021-40444) to execute a malicious executable in memory. The attack was prepared in July 2021 and eventually deployed between September and November, according to the Trellix report. In response to these findings, an expert with Gurucul offers perspective.

 

Saryu Nayyar, CEO and Founder, Gurucul

“As described, this is a multi-stage attack over time that is similar to attacks purported by known threat actor group APT28. Without a strong set of security analytics capabilities that includes behavioral analytics to see abnormal communications, remote code execution, unauthorized file access, and other stages leveraging dwell time to stay hidden, security teams will struggle to identify this campaign quickly enough. This is especially true as most vendor solutions are leveraging rule-based machine learning (ML) models that require updates before being able to identify this variant. Current SIEM and XDR solutions are limited in their ability to do more than produce more indicators of compromise and do not provide the necessary detection for identifying an attack out of the box with both context and confidence.”

DHS bulletin to critical infrastructure

DHS bulletin to critical infrastructure
External Link: News Insights: DHS bulletin to critical infrastructure operators and local government

Share this page:

Related Posts