By Tim Wallen, UK and Ireland Regional Director, Logpoint
Many expected the war in Ukraine to be fought on two fronts – on the ground and in the ether – but the expected cyberwar has largely been restricted to misinformation and the disruption of aid and relief supplies. Amazon has been seeking to share malware intelligence and remarked upon several situations where it has seen malware specifically targeted at charities, NGOs, and other aid organizations.
It’s a story corroborated by a timeline of cyber-attacks on critical infrastructure and civilian objects kept by the CyberPeace Institute, which shows attacks on NGOs growing in number. It claims these organizations are particularly exposed to cyber-attacks because they are perceived to be “low risk and high reward for cyber attackers”. Often widely distributed and highly dependent upon technology in volatile areas, these organizations have limited resources so tend to have weaker protections in place and lax patching procedures.
It’s an issue that saw the National Cyber Security Centre (NCSC) recently issue advice on how those operating in the third sector can bolster defenses. It warned that NGOs may well see so-called Wiper malware used to erase their data, with HermeticWiper and IsaacWiper already used to attack several Ukrainian financial and government organizations.
Red Cross Attack
The advice followed a recent highly sophisticated attack on the International Committee of the Red Cross (ICRC) which was almost undoubtedly carried out by a nation-state, although it’s not clear which country was responsible. The attack saw an unpatched exploit (CVE-2021-40539) enable the group to execute an Advanced Persistent Threat (APT) crafted using code designed specifically to execute over the organisation’s servers. As this referenced unique MAC addresses it was able to bypass the ICRC’s anti-malware protection mechanisms and was only spotted when the ICRC installed new Endpoint Detection and Response (EDR) technology.
By this point, the APT had been inside ICRC’s systems for 70 days, during which time it had carried out lateral attacks and harvested and exfiltrated data from a number of systems. Using offensive security tools associated with APT attackers and obfuscation techniques, they were able to remain undetected while escalating privileges, giving them admin status that allowed them to access sensitive encrypted data. It is thought that personal data (name, location and contact information, etc.) on over 515,000 vulnerable people was compromised, relating to the Restoring Family Links program which aims to locate people, exchange messages, reunite families and clarify the fate of missing persons.
The ICRC states that it has “endpoint monitoring, scanning software, and other tools” and it has since escalated its cyber enhancement program. New measures include two-factor authentication (2FA) and advanced threat detection, and the organization also intends to penetration test all affected applications and systems. Not surprisingly, it is reluctant to be drawn on its technical architecture but many within the security industry have suggested that the attack indicates the need to focus on how we approach incident response.
Acting before the event
The EDR system alerted the organization to the compromise after the event. What is needed is the ability to foresee how events might unfold and for that you need to monitor user behavior on the network.
The ICRC attackers masqueraded as legitimate users but using User and Entity Behaviour Analytics (UEBA) would have alerted the security team to the unusual behavior of those users, in this case, the escalation of privileges. Caught early enough, this could have prevented the bogus users from accessing and exfiltrating the sensitive data.
UEBA is ideal for spotting abnormal activity because it uses machine learning to establish a baseline. This allows analysts to judge what is considered ‘normal’ and what is ‘abnormal’, instead of creating complicated predefined rules that define what is allowed. It’s a form of threat-based modeling that uses algorithms to detect beaconing, lateral movement or weaponization to dramatically reduce detection times. UEBA allows analysts to achieve situational awareness before, during and after responding to breaches, with results then used to automatically refine the acceptable parameters of behavior.
Prioritise best practice
However, it’s also important to note that a prime weakness in the Red Cross case was late patching that then saw a known vulnerability used to provide an entry point onto the network. Regular security best practices such as timely periodic patching and back-ups and the application of multi-faction authentication (MFA), are equally important when it comes to strengthening defenses. Other considerations include the segmentation of infrastructure to protect valuable or sensitive assets and a basic honeypot. As most attacks will involve lateral movement, it’s highly likely that these will touch the honeypot at some point, improving detection.
Centralizing the view of these controls is also key, which is where Security Information and Event Management (SIEM) comes in. This provides the ability to contextualize, evaluate, validate, and investigate, providing oversight that results in quicker response. It’s advisable to implement alerts and the logs needed to trigger them, before focusing on automating the Incident Response process. Once these steps are in place, automating the SIEM can further extend detection capabilities by combining it with Security Orchestration and Automation Response (SOAR) and UEBA. With respect to UEBA, the output can be correlated with a SIEM to add insight to events, enriching the original log data for faster threat hunting.
Having this kind of automated detection capability is going to become increasingly valuable given the rise to the prominence of ransomware. While the data from the Red Cross incident has not been leaked and no ransom demanded, there are numerous other examples where NGOs have been targeted to this end. The Volunteer Service Abroad (VSA), for example, was hit by a ransomware attack in May 2021 and lost some of its data as a result, while the Salvation Army was subjected to an attack in July 2021. Such attacks can massively affect charities, with the Foundation for Social Improvement (FSI) estimating that they can cost the average charity around £8,000 to recover from.
The true cost
Financial impact and business continuity aside, these attacks fundamentally affect people. In the case of the Red Cross, the victims of the attack were missing people and their families, detainees, and other people receiving services from the Red Cross and Red Crescent Movement as a result of armed conflict, natural disasters, or migration. These individuals now face potentially dramatic repercussions from registering their personal information with the Restoring Family Links operation. It’s also a dramatic blow to the reputation of the Red Cross.
Understanding how the attack was orchestrated helped to mitigate its effects and enabled the Red Cross to quickly inform the victims. Key to this was the collection and analysis of log data across the entire IT infrastructure, which allowed cybersecurity professionals to get to the root cause of the attack, determine how to respond, and put processes in place to stop it from happening again. But the attack serves as a cautionary tale to other NGOs and has undoubtedly shone a light on the need for a more sophisticated incident response.
About the Author
Tim Wallen is Regional Director for the UK and Ireland at Logpoint. With almost 20 years of cybersecurity experience, he has held senior sales and management positions within both high-growth and established vendors, including FireMon, ForeScout, Check Point, McAfee, and IBM. He is responsible for driving strategic growth in the region and for leading the growing team of Logpoint sales, marketing, and technical professionals. Tim can be reached online at firstname.lastname@example.org and at our company website http://www.logpoint.com