CYBER INCIDENTS RESPONSE OPERATIONAL CENTRE OF THE STATE CYBER PROTECTION CENTRE OF THE STATE SERVICE OF SPECIAL COMMUNICATION AND INFORMATION PROTECTION OF UKRAINE

Q2 2022 REPORT ON THE VULNERABILITY DETECTION AND CYBER INCIDENTS / CYBER ATTACKS RESPONSE SYSTEM

TLP: WHITE

VULNERABILITY DETECTION AND CYBER INCIDENTS / CYBER ATTACKS RESPONSE SYSTEM is a set of software and software-hardware tools that ensure round-the-clock monitoring, analysis and transfer of telemetric information about cyber incidents and cyber attacks which occurred or are currently occurring at cyber protection objects and may have a negative impact on their sustainable functioning. The System interacts with cyber security management centres, industry cyber security management centres and other systems of critical information infrastructure objects, enterprises, institutions and organizations regardless of the form of ownership, for the purpose of exchanging information related to the detection and termination of cyber attacks and cyber incidents.

SUBSYSTEM OF CYBER INCIDENTS RESPONSE OPERATIONAL CENTRE is the central component of the Vulnerability Detection and Cyber Incidents / Cyber Attacks Response System and provides:
• centralized management of all subsystems of the System
• centralized collection and accumulation of information about network information security events
• real-time monitoring and processing of cyber threats and cyber incidents

The Subsystem of Cyber Incidents Response Operational Centre detects malicious activity as well as system and network anomalies at cyber protection objects by analysing data received from network devices, active sensors, firewalls, vulnerability scanners, workstations and servers, authorization systems, and internal and external cyber threat data sources.

EXECUTIVE SUMMARY

The State Service for Special Communications and Information Protection of Ukraine (SSSCIP) constantly records an increase in the number of cyber incidents and cyber attacks targeting state information resources and critical information infrastructure objects. Since the beginning of the war the trend towards an increase in the number of cyber attacks has continued.

During the II quarter of 2022, 19 billion events were processed by the Vulnerability Detection and Cyber Incidents / Cyber Attacks Response System. The number of registered and processed cyber incidents increased from 40 to 64.

The main goals of hackers remain cyberespionage, disruption of the availability of state information services and even destruction of information systems with the help of wipers. In the second quarter of 2022 we saw a significant increase in the activity of hacker groups in the distribution of malware, including both data-stealing and data-destroying programs. Compared to the statistics for the 1st quarter of 2022, the number of IS events in the Malicious Code category increased by 38%.

Compared to the first quarter of 2022, the number of critical IS events originating from russian IP addresses decreased by 8.5 times. This is primarily due to the fact that providers of electronic communication networks and/or services that provide access to the Internet blocked IP addresses used by the russian federation. These IPs were actively used for carrying out cyber attacks on Ukrainian information resources and for propagating fake information aimed at discrediting state bodies during the russian-Ukrainian war. Currently the largest number of critical IS events is associated with source IP addresses from the USA; however, automatically determined geolocation of source IP addresses does not necessarily mean their attribution to the identified location.

By attribution, the absolute majority of registered cyber incidents is related to hacker groups funded by the russian federation government, in particular UAC-0082 / UAC-0113 (related to Sandworm), UAC-0010 (Gamaredon) and others mentioned in the report. In the second quarter of 2022 the main targets of hackers from the russian federation were the Ukrainian mass media, government and local authorities sectors. Most information security events can be associated with the activities of APT groups and hacktivists.

Last year the Administration of SSSCIP approved the decree on the adoption of Methodological recommendations for increasing the level of cyber security of critical information infrastructure in Ukraine. The SSSCIP recommends implementing this guideline in order to increase the level of cyber resilience.

MONITORING STATISTICS

QUANTITATIVE INDICATORS OF COLLECTED AND PROCESSED DATA (2022 Q2)

[Chart: quantitative indicators for the reporting period. Metrics shown: processed events received by means of monitoring, analysis and transfer of telemetric information about cyber incidents and cyber attacks (19 billion); input data received; incoming traffic speed of the sensor network; detected suspicious IS events during primary analysis; potential cyber incidents identified after suspicious IS events filtering and secondary analysis; critical IS events identified and processed directly by security analysts; registered cyber incidents (40 in Q1, 64 in Q2).]

DATA SOURCES: MAIN SOURCES OF DATA COLLECTION AND CONTEXTUALIZATION (2022 Q2)

[Chart: share of each data source. Sources shown: external cyber threat data sources, internal cyber threat data sources, servers / workstation data, users' workstation data, vulnerability scanners, network malware analysis data, network behaviour analysis data, IPS traffic, web / email filter traffic, IDS traffic.]

IS EVENTS MONITORING

Quantitative indicators of collected and processed data are displayed according to the Incident Classification Taxonomy approved by the National Coordination Center for Cybersecurity under the National Security and Defense Council of Ukraine.

CATEGORIES OF IS EVENTS
• 01 Abusive Content
• 02 Malicious Code
• 03 Information Gathering
• 04 Intrusion Attempts
• 05 Intrusion
• 06 Availability
• 07 Information Content Security
• 08 Fraud
• 09 Vulnerable
• 10 Other

[Chart: distribution of IS events by category, 2022 Q2.]

CYBER INCIDENTS BY CRITICALITY

The presented chart displays statistical information for the reporting period obtained by analysing registered cyber security incidents according to the internal criticality rating scale, by which incidents are classified as high, medium or low.

[Chart: registered cyber incidents by criticality (high, medium, low), 2022 Q2.]

STATISTICS OF CYBER INCIDENT TYPES which dominate over other types of cyber incidents in percentage terms during the II quarter of 2022

Category 03.01 Scanning (gathering of information about systems or networks)

[Charts, Q1 vs Q2: by scanning techniques (network scanning, port scanning, vulnerability scanning); by scanning types (scanning of TCP network services, scanning of UDP network services, scanning of ICMP network services); by source IP address geolocation (USA, China, Germany, Netherlands, russia).] Automatically determined geolocation of source IP addresses does not necessarily mean the attribution of IS events in category 03.01 to the identified location.

Category 02.02 Malware distribution

Compared to the statistics for the 1st quarter of 2022, during the 2nd quarter of 2022 the number of IS events in the Malicious Code category increased by 38%, which indicates a significant increase in the level of malicious network activity associated with malware distribution and with attempts to use malware for infecting new devices and exploiting previously infected botnet devices.

408 unique suspicious files were automatically detected by the Telemetry Collection Subsystem of the Vulnerability Detection and Cyber Incidents / Cyber Attacks Response System and processed directly by security analysts for criticality during the reporting period.

[Charts, 2022 Q2: malware distribution by source IP address geolocation (China, Germany, Netherlands, russia, USA; Q1 vs Q2); by malware distribution protocol (SMTP, HTTP, POP3, IMAP); by malware extension (ZIP, MSOLE2, RAR, RTF, DOCX, Others); by associated software used as a malware distribution channel (BitTorrent, Internet Explorer, Chrome, Firefox, Edge, Chromium, PaleMoon, Opera, Safari, Outlook, SeaMonkey, Thunderbird, Phishon); by malware type (trojan, adware, spyware, keylogger, stealware, ransomware, bot, worm, virus); by malware family (Agent Tesla, XMRig, Formbook, GuLoader, Cobalt Strike, Emotet, Trickbot, AZORult, LokiBot, Remcos).] Automatically determined geolocation of source IP addresses does not necessarily mean the attribution of IS events in category 02.02 to the identified location.

Category 04.01 Vulnerability exploitation attempt (an intrusion attempt using a vulnerability in a system component or network)

The presented charts display statistical information for the reporting period obtained by analysing IS events triggered by intrusion attempts targeting the networks of cyber protection objects and by the realization of cyber threats aimed at detecting software vulnerabilities and finding misconfigurations of services and active network devices.

[Charts, 2022 Q2: qualitative rating by CVSS Base Score (low, medium, high, critical, not defined), according to the approach of mapping CVSS Base Scores 1-10 to the qualitative rating scale described in the CVSS v3.1 specification; most exploited vulnerabilities by category (bypassing extension control, denial of service, memory corruption, information disclosure, gaining information, path traversal, privilege escalation, directory traversal, bypassing authentication, remote code execution); most exploited vulnerabilities by year (2022, 2021, 2020, 2019, 2018, 2017 and before); targeted OS (Windows, Ubuntu, CentOS, Cisco IOS, Debian, Others); exploited CWE (CWE-502, CWE-94, CWE-20, CWE-22, CWE-74, Others).]

RELEVANT VULNERABILITIES (2022 Q2)

The following list of current software vulnerabilities is not complete and describes CVEs that have been documented by known cyber threat intelligence expert groups and that continue to be actively exploited in order to gain unauthorized access or privileged control. The chart shows the share of detected activity in the network traffic of cyber protection objects potentially related to the exploitation of the CVEs listed below in the total number of activity detections related to all identified vulnerability identifiers during the reporting period.

[Chart: share of detections per listed CVE; Other CVEs: 93.6%.]

• CVE-2022-26134. Successful exploitation of an OGNL injection vulnerability by sending a malicious HTTP GET request with an OGNL payload in the URI can result in unauthenticated remote arbitrary code execution on affected versions of Confluence Server or Data Center instances.
• CVE-2022-30190. Successful exploitation of the vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT), which is part of Microsoft's troubleshooting pack, can result in remote arbitrary code execution with the privileges of the calling application. The vulnerability, better known as Follina, affects most supported Windows OS versions, including server editions.
• CVE-2022-26809. Successful exploitation of the Remote Procedure Call (RPC) runtime vulnerability by sending a specially crafted RPC call to an RPC host can result in remote code execution (RCE) with the privileges of the RPC service. It is suggested that this vulnerability will be actively exploited in future large-scale cyber attacks due to the possibility of autonomous launch, independent of user interaction.
• CVE-2022-26925. Successful exploitation of the Windows LSA spoofing vulnerability by an authenticated attacker calling a method on the LSARPC interface can result in coercing the domain controller to authenticate to the attacker using NTLM. The vulnerability is relevant for OS versions starting with Windows 7 and, for server systems, with Windows Server 2008.
• CVE-2022-26937. Successful exploitation of the stack buffer overflow vulnerability in the Windows Network File System (NFS) may result in remote unauthorized arbitrary code execution in the context of SYSTEM.

EMAIL SECURITY GATEWAY (2022 Q2)

120k emails were received and analysed during the reporting period; 21% were blocked in automatic mode.

[Charts: blocked vs delivered; Sender Validation failure reason (domain block, IP block); Sender Authentication failure reason (DKIM, SPF, DMARC); Sender Threat category (phishing, malware, spam); Sender Threat category by country (Germany, Finland, russia, Ukraine, USA, Others).]

GEOGRAPHY OF DETECTIONS OF CRITICAL INFORMATION SECURITY EVENTS

Automatically determined geolocation of source IP addresses of critical IS events does not necessarily mean their attribution to the identified location.

[Chart: critical IS events by source country (china, ukraine, united states) and by detection category (Spam, Phishing, Linked to APT, Source Reported in Threat List, Linked to Malware Operations, Linked to Vulnerability), 2022 Q2.]

8.5 times fewer critical IS events whose source IP address geolocation is determined to be russia were detected compared to the 1st quarter of 2022. This is largely due to providers of electronic communication networks and/or services that provide access to the Internet blocking the AS used by the russian federation, from which cyber attacks were carried out on Ukrainian information resources, fake information aimed at discrediting state bodies and about the progress of the russian-Ukrainian war was propagated, etc.

RUSSIAN HACKER GROUPS ACTIVITY BY SECTORS

[Chart: share of activity by targeted sector: Energy sector, Financial sector, Security and defense sector, Telecom and software, Commercial sector, Government and local authorities, Mass Media, Others.]

THREAT ACTORS ACTIVITY

The following list describes current hacker groups targeting Ukrainian information resources whose activity identifiers were detected in the networks of cyber protection objects during the reporting period.

UAC-0010
Related names: Gamaredon, Armageddon, PrimitiveBear
Category: Nation State Sponsored
Location: russia
First Reference: 2013-2014
Read more: Cyber attacks of UAC-0010 group (CERT-UA#4634, 4648); Cyber attack of UAC-0010 group (CERT-UA#4434)

UAC-0056
Related names: Lorec53, SaintBear, GraphSteal, GrimPlant
Potential Category: Nation State Sponsored
Potential Location: russia
First Reference: Jul 2021
Read more: Cyber attack of UAC-0056 group (CERT-UA#4545); Cyber attack of UAC-0056 group (CERT-UA#4293)

UAC-0028
Related names: APT28, Fancy Bear, Iron Twilight, Sednit
Category: Nation State Sponsored
Location: russia
First Reference: Apr 2013
Read more: Cyber attack of APT28 group (CERT-UA#4843); Cyber attack of APT28 group (CERT-UA#4622)

UAC-0098
Related Malware: GzipLoader, IcedID, Cobalt Strike Beacon
Potential Related Threat Group: Trickbot, IcedID
Potential Location: russia
First Reference: Apr 2022
Read more: Cyber attack of UAC-0098 group (CERT-UA#4842); Cyber attack of UAC-0098 group (CERT-UA#4560)

UAC-0082 / UAC-0113
Related Malware: CrescentImp, DarkCrystal RAT
Potential Related Threat Group: Sandworm
Potential Location: russia
First Reference: Jun 2022
Read more: Cyber attack with CrescentImp usage (CERT-UA#4797); Cyber attack with DarkCrystal RAT usage (CERT-UA#4874)

MITRE ATT&CK MAPPING (2022 Q2)

Statistics on identified tactics and techniques according to the MITRE ATT&CK knowledge base, associated with the set of detected and processed IoCs that were used at different stages of the life cycle of cyber attacks which occurred during the reporting period.

Techniques:
• T1190 - Exploit Public-Facing Application
• T1498 - Network Denial of Service
• T1189 - Drive-by Compromise
• T1566 - Phishing
• T1071 - Application Layer Protocol
• T1090 - Proxy
• T1102 - Web Service
• T1210 - Exploitation of Remote Services
• T1110 - Brute Force
• T1204 - User Execution

Tactics:
• Initial Access (TA0001)
• Execution (TA0002)
• Credential Access (TA0006)
• Lateral Movement (TA0008)
• Command and Control (TA0011)
• Impact (TA0040)

METHODOLOGICAL RECOMMENDATIONS FOR INCREASING THE LEVEL OF CYBER SECURITY OF CRITICAL INFORMATION INFRASTRUCTURE

The Methodological recommendations for increasing the level of cyber security of critical information infrastructure were developed in accordance with sub-clause 1 of part two and clause 3 of part three of Article 8 of the Law of Ukraine On the Basic Principles of Ensuring Cybersecurity of Ukraine; paragraph two of part one of Article 3 and clauses 85, 86 and 88 of part one of Article 14 of the Law of Ukraine On the State Service for Special Communications and Information Protection of Ukraine; paragraph two of subclause 1 of clause 3 of the Regulation on the Administration of the State Service for Special Communications and Information Protection of Ukraine, approved by the Resolution of the Cabinet of Ministers of Ukraine of September 3, 2014 № 411; and the General requirements for cyber security of critical infrastructure objects, approved by the Resolution of the Cabinet of Ministers of Ukraine of June 19, 2019 № 518, in order to increase the level of cyber security of critical information infrastructure.

The Recommendations describe a general approach to ensuring cyber security that allows to:
• carry out an analysis and provide a description of the current cyber security state of critical information infrastructure objects
• describe the target cyber security state of critical information infrastructure objects
• identify and determine priorities and the level of implementation of cyber security measures in the context of a continuous and repetitive process of risk management in the field of cyber security of critical information infrastructure objects
• assess progress in achieving the target cyber security state of critical information infrastructure objects
• ensure communication between entities that are directly on the critical information infrastructure objects and with entities that can be considered as the organization's partners in terms of risk management in the cyber security field

The Recommendations consist of 3 main parts:
➣ systems (taxonomies) of cyber security measures
➣ levels of implementation of cyber security measures
➣ cyber security profile

The Recommendations were developed taking into consideration the Framework for Improving Critical Infrastructure Cybersecurity issued in 2014 and updated in 2018 by the National Institute of Standards and Technology of the United States of America.

The approach defined in the Recommendations is not the only one for cyber security risk management, as critical information infrastructure objects belonging to different sectors of such infrastructure may have either the same or various risks – specific threats, different vulnerabilities, unique acceptable risk levels. The approach for ensuring the cyber security state depends on the method of implementation of the cyber security measures outlined in the Recommendations.

The Recommendations do not establish legal norms and are voluntary for use.

Decree of the SSSCIP Administration "About the adoption of Methodological recommendations for increasing the level of cyber security of critical information infrastructure"

REGULATORY LEGAL BASE

◦ The Law of Ukraine On the Basic Principles of Ensuring Cyber Security of Ukraine, which defines the legal and organizational foundations for ensuring the protection of the vital interests of a person and a citizen, society and the state, and the national interests of Ukraine in cyberspace; the main goals, directions and principles of the state policy in the cyber security field; the powers of state authorities, enterprises, institutions, organizations, individuals and citizens in this area; and the main principles of coordination of their activities to ensure cyber security.
◦ Decree of the Cabinet of Ministers of Ukraine of December 23, 2020 № 1295 "Some issues of ensuring the functioning of the Vulnerability Detection and Cyber Incidents / Cyber Attacks Response System", which defines the principles of functioning of the Vulnerability Detection and Cyber Incidents / Cyber Attacks Response System that are carried out in relation to the cyber protection objects designated in part two of Article 4 of the Law of Ukraine On the Basic Principles of Ensuring Cyber Security of Ukraine.

CONTACTS

Cyber Incidents Response Operational Centre
State Cyber Protection Centre
State Service of Special Communication and Information Protection of Ukraine
e-mail: soc@scpc.gov.ua
Tel: 38 044 281 87 37