The XakNet Team

Spread the love

Overview: XakNet is a Russian-language cyber group that has been active as early as March 2022. According to open-source reporting, the XakNet Team threatened to target Ukrainian organizations in response to perceived DDoS or other attacks against Russia.[33] According to reporting from industry, on March 31, 2022, XakNet released a statement stating they would work “exclusively for the good of [Russia].” According to industry reporting, the XakNet Team may be working with or associated with Killnet actors, who claimed credit for the DDoS attacks against a U.S. airport (see the Killnet section). 

Victims: according to industry reporting, in late March 2022, the XakNet Team leaked email contents of a Ukrainian government official. The leak was accompanied by a political statement criticizing the Ukrainian government, suggesting the leak was politically motivated. 

Mitigations 

U.S., Australian, Canadian, New Zealand, and UK cyber authorities urge critical infrastructure organizations to prepare for and mitigate potential cyber threats by immediately (1) updating software, (2) enforcing MFA, (3) securing and monitoring RDP and other potentially risky services, and (4) providing end-user awareness and training. 

  • Update software, including operating systems, applications, and firmware, on IT network assets. Prioritize patching known exploited vulnerabilities and critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. 
  • Consider using a centralized patch management system. For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.  
  • Consider signing up for CISA’s cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats. CISA’s vulnerability scanning service evaluates external network presence by executing continuous scans of public, static IP addresses for accessible services and vulnerabilities. 
  • Enforce MFA to the greatest extent possible and require accounts with password logins, including service accounts, to have strong passwords. Do not allow passwords to be used across multiple accounts or stored on a system to which an adversary may have access. As Russian state-sponsored APT actors have demonstrated the ability to exploit default MFA protocols and known vulnerabilities, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios. For more information, see joint CSA Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability
  • If you use RDP and/or other potentially risky services, secure and monitor them closely. RDP exploitation is one of the top initial infection vectors for ransomware, and risky services, including RDP, can allow unauthorized access to your session using an on-path attacker. 
  • Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a virtual private network (VPN) or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force attempts, log RDP login attempts, and disable unused remote access/RDP ports. 
  • Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389). 
  • Provide end-user awareness and training to help prevent successful targeted social engineering and spearphishing campaigns. Phishing is one of the top infection vectors for ransomware, and Russian state-sponsored APT actors have conducted successful spearphishing campaigns to gain credentials of target networks. 
  • Ensure that employees are aware of potential cyber threats and delivery methods. 
  • Ensure that employees are aware of what to do and whom to contact when they receive a suspected phishing email or suspect a cyber incident. 

As part of a longer-term effort, implement network segmentation to separate network segments based on role and functionality. Network segmentation can help prevent the spread of ransomware and threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. 

  • Ensure OT assets are not externally accessible. 
  • Appropriately implement network segmentation between IT and OT networks. Network segmentation limits the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone that eliminates unregulated communication between the IT and OT networks. 
  • Organize OT assets into logical zones by considering criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to filter network traffic and monitor communications between zones. Prohibit ICS protocols from traversing the IT network. 

To further prepare for and mitigate cyber threats from Russian state-sponsored or criminal actors, U.S., Australian, Canadian, New Zealand, and UK cyber authorities encourage critical infrastructure organizations to implement the recommendations listed below. 


Spread the love

Under Attack

Please fill out the form and we will be in touch shortly

Subscribe