Hours before Russia began its Ukraine invasion on Feb. 24, Microsoft found a new malware package, which it dubbed “FoxBlade.” As more concerns about malware fallout from the war spread, several cybersecurity firms announced protective measures for potential victims.
Microsoft’s Threat Intelligence Center (MSTIC) detected a new round of offensive and destructive cyberattacks directed against Ukraine’s digital infrastructure in the hours leading up to the invasion. The company immediately advised the Ukrainian government about the situation and provided technical advice on steps to prevent the malware’s success.
“Within three hours of this discovery, signatures to detect this new exploit had been written and added to our Defender anti-malware service, helping to defend against this new threat,” said Microsoft.
“In recent days, we have provided threat intelligence and defensive suggestions to Ukrainian officials regarding attacks on a range of targets, including Ukrainian military institutions and manufacturers and several other Ukrainian government agencies. This work is ongoing.”
As cyberwarfare in Ukraine continues to intensify, Lithuania-based cybersecurity company Surfshark made a video that sheds light on cyberwarfare dangers and gives people practical advice on how to protect themselves.
Cybersecurity firm Vectra AI is offering a slate of free cybersecurity tools and services to organizations who believe they may be targeted as a result of this conflict. Interested parties must provide information on this form.
Bank websites and ATMs, as well as military computer networks, have been disabled in recent days by cyberattacks. Disinformation campaigns meant to provoke panic have rippled across cellular networks. Any form of organization can be affected by a cyberattack in this war, warned Vectra.
“Escalating cyber conflict will lead to unanticipated consequences,” said Hitesh Sheth, president and CEO of Vectra AI. “No public or private organization is assured of remaining a mere spectator.”
Everyone at Risk
The escalation of possible cyber risks globally is increasing, confirmed Aleksandr Valentij, chief information security officer at Surfshark.
“Since Russia invaded Ukraine on Feb. 24, global cyber warfare has increased. It is challenging to contain cyberattacks in exact regions, and there is always a significant chance of collateral damage to almost any country on this planet,” he said.
Valentij urged all computer users to follow these practical mitigation measures:
- Treat any suspicious activity much more seriously, especially phishing attempts. It continues to be the most common cybercrime as every third online crime victim falls for a phishing attack;
- Do not download files from unknown or unsecured HTTP pages to avoid malware;
- Keep all your software up to date;
- Make backups of the most important data to protect yourself in case of “wiper” type of cyberattacks. Malware just like this was discovered recently, aimed to erase data from Ukrainian financial organizations and government contractors.
- Use antivirus, VPN, and firewall solutions to secure your browsing online;
- Try not to overuse communication channels, as they might be prone to crashing at this difficult time;
- Keep your mind cold, and do not panic. As propaganda surfaces, be skeptical of everything you see online.
“A good example of a similar case would be the Petya malware attack in 2016. Though it was primarily designed against Ukraine, it wreaked havoc across the globe,” Valentij added.
Extended information on the topic is available here.
For immediate assistance in the current emergency, Vectra AI offers the following services on a complimentary basis:
- Scan Microsoft Azure AD and M365 environments for signs of attack activities;
- Monitor AWS infrastructure for signs of active attacks, in addition to the provision of detection and response tools for both the network and control plane of AWS accounts;
- Surveil network infrastructure both in the cloud and on-premises for signs of attack, including deployment of Vectra sensors that are purpose-built to detect malicious behavior;
- Support the retention of historical metadata to aid incident response investigations based on indicators of compromise (IOCs) for specific attack variants.
More Vectra safety tips are available here.
The recent and ongoing cyberattacks have been precisely targeted, according to Microsoft. The company’s malware searchers had not seen the use of the indiscriminate malware technology that spread across Ukraine’s economy and beyond its borders in the 2017 NotPetya attack.
“But we remain especially concerned about recent cyberattacks on Ukrainian civilian digital targets, including the financial sector, agriculture sector, emergency response services, humanitarian aid efforts, and energy sector organizations and enterprises.
“These attacks on civilian targets raise serious concerns under the Geneva Convention,” wrote Brad Smith, Microsoft’s president and vice chair, in the company’s blog on Monday.
Before the Russians invaded, researchers detected a few attacks that seemed like tests before more advanced ones were launched, noted Hank Schless, senior manager for security solutions at cloud security company Lookout.
“While there is very little that has been shared about FoxBlade, it sounds like Microsoft is suggesting that the actors behind its development created it for the purpose of targeting critical infrastructure in Ukraine,” he told TechNewsWorld.
FoxBlade is a malicious trojan installed on systems to enable Distributed Denial of Service (DDoS) attacks. That point is not obvious in Microsoft’s blog, clarified Nathan Einwechter, director of security research at Vectra.
The malware is not deployed within the target environments. It is installed on as many targets of opportunity as possible.
“Once enough systems are under their control, the infected machines can be collectively controlled to knock the actual target (i.e., Ukrainian critical infrastructure) off the internet by flooding their public network connections with more traffic than they can handle,” he told TechNewsWorld.
Russian state threat groups are known to use attacks like this, or ransomware attacks, to act as a distraction to hide more direct attempts to breach target systems. On the other hand, an adversary unable to breach the network of a target may fall back to DDoS attacks to affect their target’s ability to operate throughout the duration of the attack, Einwechter explained.