Scribd Logo
Upload

Welcome to Scribd!

  • 39 views

    Attack

    Uploaded by

    ASAD ULLAH
    The document analyzes a recent cyberattack on Ukraine carried out by Russian state-sponsored hackers using new MASEPIE malware. The attackers sent phishing emails with malicious attachments to government agencies and organizations in Ukraine between December 15-25, installing MASEPIE which then deployed additional malware like Steelhook and Oceanmap. While Ukraine's CERT responded swiftly, the analysis found opportunities to strengthen prevention, detection, containment and recovery capabilities according to best practices to better defend against sophisticated threats. Recommendations include improving user education, threat intelligence, and regularly testing incident response procedures.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd

    Attack

    Uploaded by

    ASAD ULLAH
    39 views7 pages
    The document analyzes a recent cyberattack on Ukraine carried out by Russian state-sponsored hackers using new MASEPIE malware. The attackers sent phishing emails with malicious attachments to government agencies and organizations in Ukraine between December 15-25, installing MASEPIE which then deployed additional malware like Steelhook and Oceanmap. While Ukraine's CERT responded swiftly, the analysis found opportunities to strengthen prevention, detection, containment and recovery capabilities according to best practices to better defend against sophisticated threats. Recommendations include improving user education, threat intelligence, and regularly testing incident response procedures.

    Original Title

    attack

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The document analyzes a recent cyberattack on Ukraine carried out by Russian state-sponsored hackers using new MASEPIE malware. The attackers sent phishing emails with malicious attachments to government agencies and organizations in Ukraine between December 15-25, installing MASEPIE which then deployed additional malware like Steelhook and Oceanmap. While Ukraine's CERT responded swiftly, the analysis found opportunities to strengthen prevention, detection, containment and recovery capabilities according to best practices to better defend against sophisticated threats. Recommendations include improving user education, threat intelligence, and regularly testing incident response procedures.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    39 views7 pages

    Attack

    Uploaded by

    ASAD ULLAH
    The document analyzes a recent cyberattack on Ukraine carried out by Russian state-sponsored hackers using new MASEPIE malware. The attackers sent phishing emails with malicious attachments to government agencies and organizations in Ukraine between December 15-25, installing MASEPIE which then deployed additional malware like Steelhook and Oceanmap. While Ukraine's CERT responded swiftly, the analysis found opportunities to strengthen prevention, detection, containment and recovery capabilities according to best practices to better defend against sophisticated threats. Recommendations include improving user education, threat intelligence, and regularly testing incident response procedures.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    of 7

    Analysis of a Recent Cybersecurity

    Incident

    Title:

    Russian Military Hackers Target Ukraine with MASEPIE Malware

    Introduction:

     It is a recent cybersecurity incident involving Russian state-sponsored threat actors


    targeting Ukraine with a new malware strain named 'MASEPIE.'
     The incident, which occurred between December 15 and 25, 2023, underscores the urgency
    of understanding and evaluating the incident response plan implemented by Ukraine's
    Computer Emergency Response Team (CERT-UA).
     During December 15-25, 2023, several cases of distribution of e-mails with links to
    "documents" were discovered among government organizations, visiting which led to the
    damage of computers with malicious programs.

    Incident Overview:

     The threat actors, identified as APT28 or Fancy Bear, employed a phishing campaign to
    deliver the MASEPIE malware.
     The campaign targeted government entities, businesses, universities, research institutes,
    and think tanks in Ukraine.
     The phishing emails, urging recipients to click on a seemingly important document link,
    redirected victims to malicious web resources.
     These resources utilized JavaScript to deploy a Windows shortcut file (LNK), triggering
    PowerShell commands that initiated the infection chain for the 'MASEPIE' malware.
    Investigating the incident:

     In the process of investigating the incidents, it was found that the mentioned links
    redirect the victim to a web resource where, with the help of JavaScript and features of
    the application protocol "search" ("ms-search") [1], a shortcut file is downloaded, the
    opening of which leads to the launch A PowerShell command designed to download
    from a remote (SMB) resource and run (open) a decoy document, as well as the Python
    programming language interpreter and the Client.py file classified as MASEPIE.
     Using MASEPIE, OPENSSH (for building a tunnel), STEELHOOK PowerShell scripts
    (stealing data from Chrome/Edge Internet browsers), and the OCEANMAP backdoor are
    loaded and launched on the computer.
     In addition, IMPACKET, SMBEXEC, etc. are created on the computer within an hour from
    the moment of the initial compromise, with the help of which network reconnaissance
    and attempts at further horizontal movement are carried out.
     At the same time, it is obvious that the malicious plan also involves taking measures to
    develop a cyberattack on the entire information and communication system of the
    organization.
     Thus, the compromise of any computer can pose a threat to the entire network.
    For reference:

     OCEANMAP

     It is a malicious program developed using the C# programming language.


     The main functionality consists in executing commands using cmd.exe.
     The IMAP protocol is used as a control channel.
     Commands, in base64-encoded form, are contained in message drafts ("Drafts") of
    the corresponding directories of electronic mailboxes; each of the drafts contains
    the name of the computer, the name of the user and the version of the OS.
     The results of executing commands are stored in the directory of incoming messages
    ("INBOX").
     Implemented a configuration update mechanism (command check interval,
    addresses and authentication data of mail accounts), which involves patching the
    backdoor executable and restarting the process.
     Persistence is ensured by creating a .URL file 'VMSearch.url' in the autorun directory.

     MASEPIE

     It is a malicious program developed using the Python programming language.


     The main functionality consists in uploading/unloading files and executing
    commands.
     The TCP protocol is used as a control channel.
     Data is encrypted using the AES-128-CBC algorithm; the key, which is a sequence of
    16 arbitrary bytes, is generated at the beginning of the connection establishment.
     Backdoor persistence is ensured by creating the 'SysUpdate' key in the 'Run' branch
    of the OS registry, as well as by using the LNK file 'SystemUpdate.lnk' in the startup
    directory.

     STEELHOOK

     It is a PowerShell script that provides the theft of Internet browser data ("Login
    Data", "Local State") and the DPAPI master key by sending them to the
    management server using an HTTP POST request in base64-encoded form.

    Tactics, Techniques, and Procedures (TTPs) used:

    Tactics:
    Phishing: The primary delivery method involved sending phishing emails with malicious
    attachments disguised as legitimate documents.
    Techniques:
    1- Malware: The emails carried a novel malware strain called Masepie, written in Python,
    capable of:
     Uploading files.
     Executing commands.
     Deploying additional malware:

     Steelhook: A web browser data-stealing malware.


     Oceanmap: A backdoor leveraging email software.

    2- Open-source tools: After initial compromise, attackers used readily available tools like
    Impacket and Smbexec for:

     Reconnaissance.
     Network exploitation.
    Sub-techniques:
     Social engineering: Phishing emails likely used tailored content and sender names to
    appear trustworthy and entice victims to open attachments.
     Obfuscation: Masepie malware reportedly employed techniques to evade detection by
    security software.
     Persistence: The attackers utilized Masepie to establish remote access, allowing them to
    maintain long-term control over compromised systems.

    These TTPs demonstrate a multi-layered approach by APT28:

     Initial compromise: Lure victims into downloading and opening malware through
    phishing.
     Lateral movement: Use Masepie to upload additional malware and tools for deeper
    network infiltration.
     Data exfiltration: Steal sensitive information using tools like Steelhook.
     Command and control: Establish persistent access with Oceanmap for ongoing control
    and potential future operations.

    Incident Response Plan/Strategy:

     CERT-UA responded to the incident by identifying the malware's characteristics and


    behavior.
     MASEPIE, upon infection, modified the Windows Registry and added a deceptive LNK file
    to the Windows Startup folder, ensuring persistence on the infected device.
     The malware's primary objectives were to download additional malware and steal data.
    Breakdown of Incident Response Plan:

    1. Preparation: CERT-UA demonstrated preparedness in identifying and responding to the


    incident swiftly.
    2. Detection: The detection phase involved recognizing the phishing campaign, malware
    characteristics, and its propagation mechanisms.
    3. Containment: Measures were taken to isolate and prevent the lateral movement of the
    malware within the network.
    4. Eradication: CERT-UA focused on removing the malware and its artifacts, including
    modifications to the Registry and Startup folder.
    5. Recovery: Efforts were made to restore affected systems and enhance security
    measures to prevent future incidents.
    6. Lessons Learned: An analysis of the incident provided insights for improving future
    incident response strategies.

    Comparison with Best Practices:

     Research identified incident response best practices from frameworks such as NIST and
    ISO/IEC 27035.
     While CERT-UA demonstrated promptness, there are areas where alignment with best
    practices can be enhanced, particularly in proactive measures for preventing initial
    compromises.

    Recommendations for Improvement:

    1. Strengthen proactive measures to prevent phishing attacks, possibly through user education
    and advanced email filtering.
    2. Enhance detection capabilities, including the use of threat intelligence feeds.
    3. Improve containment strategies to mitigate lateral movement swiftly.
    4. Enhance recovery processes for quicker system restoration.
    5. Conduct regular simulations and exercises to refine incident response procedures.
    Conclusion:
     The incident underscores the importance of a robust incident response plan.
     While CERT-UA exhibited effectiveness, continuous refinement is crucial to stay ahead of evolving
    threats.
     The proposed recommendations aim to fortify Ukraine's cybersecurity posture against sophisticated
    threat actors.

    References:
    https://www.bleepingcomputer.com/news/security/russian-military-hackers-target-ukraine-
    with-new-masepie-malware/
    https://www.broadcom.com/support/security-center/protection-bulletin/apt28-group-
    targets-ukraine-with-new-masepie-malware
    https://cert.gov.ua/article/6276894

    You might also like

    pFad - Phonifier reborn

    Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

    Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


    Alternative Proxies:

    Alternative Proxy

    pFad Proxy

    pFad v3 Proxy

    pFad v4 Proxy