
ECI's Response to the Ukraine-Russia Conflict

By ECI | Friday, February 25th, 2022
With the escalation of the conflict in Ukraine, ECI is providing this update on the actions we are taking to protect businesses from emerging cybersecurity threats.

We continue to monitor the threat landscape as we always do and participate in industry-specific groups, such as FS-ISAC, to ensure that we receive the latest detailed information on vulnerabilities, threats, and attacks. In addition to conducting the scheduled risk assessments that are part of our cybersecurity program, we have initiated a Ukraine-specific assessment using guidance provided by the U.S. Cybersecurity & Infrastructure Security Agency (CISA).

In reviewing the CISA guidance, and as we would expect, there is neither a shortcut nor a silver bullet that eliminates the Russian threat. The best protection is an effective, long-term, strategic cybersecurity program.

Recent attacks have been directed at Ukraine, but we need to be prepared for all types of attacks, such as malware, APT activity, and DDoS. Ukraine has been hit with data-wiper malware, making secure, isolated backups as important as ever (a wiper that can reach the backups destroys them too). Russia is known to launch attacks against banks and broad-based infrastructure such as electricity, water, and transportation, but we cannot rule out attacks on the largest cloud providers such as Amazon Web Services (AWS), which would have a domino effect on many sites and services.
The attacks reported so far have included both Denial of Service attacks and "wiper" malware used to make systems inoperable.

From our Managed SIEM we are able to see an increase in activity, specifically in events sourced from Russia that we are blocking. The image below shows those events over the last 60 days:

[Image: SIEM dashboard showing blocked events sourced from Russia over the last 60 days]

With over 600 detection rules in place, our Security Information and Event Management (SIEM) platform continually monitors for IOCs (Indicators of Compromise) specific to this event and for other threats, with detections mapped to the widely adopted MITRE ATT&CK framework. Below is a small sampling of our dashboard and rulesets, which are being added to daily.



Initial Access
· ALERT-P1-IDS205: CVE-2018-13379 Fortigate SSL VPN Arbitrary File Reading
· ALERT-P1-IDS215: Cisco ASA XSS Detection (CVE-2020-3580)
· ALERT-P2-IDS101: Suspicious outbound traffic allowed by Palo Alto firewall
· ALERT-P1-IDS204: Suspicious traffic from Fortinet Firewall
· ALERT-P2-IDS206: Suspicious Traffic Allowed by iboss

Credential Access
· ALERT-P1-EDR303: NTDS or SAM Database File Copied
· ALERT-P1-EDR347: Mimikatz Memssp Log File Detected
· ALERT-P2-IDS102: Potential Password Spraying Attack Detected

Compromise
· ALERT-P1-EDR660: WhisperGate / HermeticWiper
· ALERT-P3-UBA104: Risky sign-in detected
· ALERT-P1-VUL102: Critical Event Reported by Eze Dark Web Monitoring
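As an added illustration, not ECI's rule logic and not code from the original post, the following Python shows the condition a rule such as "Potential Password Spraying Attack Detected" typically evaluates, run over a few constructed authentication log lines. The log format, the 10-minute window and the five-account threshold are assumptions for the example. The point it makes is that a spray is one source failing against many distinct accounts, so the signal is the count of distinct usernames per source, not the failure count per user; the single-account brute force in the sample is deliberately not flagged by this rule.

```python
"""Password-spray detection over constructed authentication log lines.

Added example (not ECI's rule logic). A spray looks like one source trying a
small number of passwords against many distinct accounts inside a short
window, so the signal is the number of *distinct* failed usernames per source
IP within the window, not the number of failures per user.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines (not real data). Assumed line format:
# <timestamp> auth_failure user=<name> src=<ip>
SAMPLE_LOG = """\
2022-02-24T10:00:01Z auth_failure user=alice src=203.0.113.7
2022-02-24T10:00:04Z auth_failure user=bob src=203.0.113.7
2022-02-24T10:00:07Z auth_failure user=carol src=203.0.113.7
2022-02-24T10:00:10Z auth_failure user=dave src=203.0.113.7
2022-02-24T10:00:13Z auth_failure user=erin src=203.0.113.7
2022-02-24T10:00:16Z auth_failure user=frank src=203.0.113.7
2022-02-24T10:01:00Z auth_failure user=alice src=198.51.100.20
2022-02-24T10:01:05Z auth_failure user=alice src=198.51.100.20
2022-02-24T10:01:09Z auth_failure user=alice src=198.51.100.20
2022-02-24T10:01:12Z auth_failure user=alice src=198.51.100.20
2022-02-24T10:01:15Z auth_failure user=alice src=198.51.100.20
2022-02-24T10:01:18Z auth_failure user=alice src=198.51.100.20
2022-02-24T12:30:00Z auth_failure user=grace src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth_failure user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, user, src_ip) for each well-formed line; skip others."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], m["src"]


def detect_password_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: sorted distinct users} for every source that failed
    against at least `min_users` distinct accounts inside some `window`-long
    span. Thresholds are assumptions for the example; tune per environment.
    """
    events = defaultdict(list)  # src -> [(ts, user), ...]
    for ts, user, src in parse(log_text):
        events[src].append((ts, user))

    alerts = {}
    for src, items in events.items():
        items.sort()  # chronological order per source
        best = set()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            users = {u for _, u in items[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            alerts[src] = sorted(best)
    return alerts


if __name__ == "__main__":
    # 203.0.113.7 sprays six accounts; 198.51.100.20 hammers one account
    # (brute force, a different rule); 192.0.2.9 is a lone failure.
    for src, users in detect_password_spray(SAMPLE_LOG).items():
        print(f"ALERT possible password spray from {src}: "
              f"{len(users)} accounts {users}")
```

The sliding window keeps the check linear in the number of failures per source, and reporting the largest distinct-user set rather than stopping at the first hit gives the analyst the full list of targeted accounts for follow-up.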



Endpoint Protection

SentinelOne, ECI's EDR partner, is continually monitoring threat intelligence for known and emerging malware related to the current situation. Clients are protected against the HermeticWiper malware widely circulating in Ukraine. ECI currently has over 12,000 protected endpoints under management.


Dark Web

While we have not seen any specific credential breaches related to the situation in Ukraine, customers using ECI's Dark Web Monitoring Service are monitored 24x7 for breach detection so that proactive measures (for example, resetting the affected passwords) can be taken if credentials are found to be exposed.


ECI Net

Clients leveraging our ECI Net solution have additional protections in place on their network: ECI ingests malicious IP addresses from one of our threat intelligence partners, and those addresses are automatically blocked on all ECI Net circuits.
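As an added example of the mechanism described above, and not ECI Net's own implementation, the Python below ingests a constructed threat feed into a network blocklist. The feed format (one IP or CIDR per line, '#' comments, an optional 'confidence=<n>' field), the confidence threshold, the local allowlist and the ipset set name are all assumptions for the example. Two practitioner details it shows: malformed or low-confidence indicators are dropped rather than crashing the job, and a local allowlist takes precedence so a partner feed can never block your own or a customer's ranges.

```python
"""Threat-feed ingestion into a network blocklist.

Added example (not ECI Net's implementation). Parses a constructed feed of
malicious IPs/CIDRs, applies a confidence threshold and a local allowlist,
answers "is this address blocked?", and renders the result as ipset commands.
"""
import ipaddress

# Constructed sample feed, not real indicators. Assumed format:
# <ip-or-cidr> [confidence=<0-100>]   with '#' starting a comment.
SAMPLE_FEED = """\
# constructed sample feed, not real indicators
203.0.113.0/24 confidence=90
198.51.100.23 confidence=95
198.51.100.24 confidence=30
not-an-ip
192.0.2.0/28 confidence=80
"""

# Assumed local exception: a host inside a fed range that must stay reachable.
ALLOWLIST = [ipaddress.ip_network("192.0.2.5/32")]


def parse_feed(text, min_confidence=50):
    """Return ip_network objects from the feed, dropping comments, malformed
    entries and indicators below the confidence threshold (an assumed policy)."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        confidence = 100  # feeds without a score are taken at face value
        for field in parts[1:]:
            if field.startswith("confidence="):
                confidence = int(field.split("=", 1)[1])
        if confidence < min_confidence:
            continue
        try:
            # strict=False tolerates host bits set in a CIDR (e.g. 10.1.2.3/24)
            nets.append(ipaddress.ip_network(parts[0], strict=False))
        except ValueError:
            continue  # malformed indicator: skip it rather than abort the job
    return nets


class Blocklist:
    def __init__(self, nets, allow=()):
        self.nets = list(nets)
        self.allow = list(allow)

    def is_blocked(self, ip):
        """Allowlist wins over the feed; then any matching fed network blocks."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.allow):
            return False
        return any(addr in net for net in self.nets)

    def to_ipset_commands(self, set_name="ecinet-block"):
        """Render the blocklist as Linux ipset commands (assumed enforcement
        point); '-exist' makes the run idempotent on repeated feed pulls."""
        cmds = [f"ipset -exist create {set_name} hash:net"]
        cmds += [f"ipset -exist add {set_name} {net}" for net in self.nets]
        return cmds


if __name__ == "__main__":
    blocklist = Blocklist(parse_feed(SAMPLE_FEED), ALLOWLIST)
    for ip in ("203.0.113.77", "198.51.100.24", "192.0.2.5", "192.0.2.6"):
        print(ip, "blocked" if blocklist.is_blocked(ip) else "allowed")
    print("\n".join(blocklist.to_ipset_commands()))
```

A linear scan over the fed networks is fine for a feed of a few thousand entries; a production implementation would push the set into the firewall (ipset, a vendor EDL, or a routing blackhole) and re-pull the feed on a schedule so stale indicators expire.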

Our recommendations
  • Apply patches for known vulnerabilities promptly, prioritizing internet-facing systems such as VPN gateways and firewalls, to reduce exposure.
  • Keep an eye out for any suspicious traffic coming from outside the country to your organization.
  • Keep an eye out for any suspicious emails and phishing activity within your organization.
As always, ECI will be closely monitoring the situation and sharing information pertaining to any potential threats that it might pose.  If you have any questions, please contact us.
 