Entering a Higher State of Vigilance – Ukraine Under Attack
It appears that Russia has just commenced the invasion of Ukraine. Check your preferred international news outlet, but according to the Ukrainian foreign minister “Putin has just launched a full-scale invasion of Ukraine.”
- Ukrainian airspace is closed with flights diverting.
- The Twitter Safety account just started tweeting in Ukrainian, giving users instructions on how to: 1) delete or deactivate accounts, 2) disable location services, 3) set up two-factor authentication.
- I’m seeing reports of massive explosions on the Ukraine-Russia border.
- The US appears to be distributing high-level officials around the country.
- I’m seeing reports of cruise missiles over Ukraine.
Wordfence is a cybersecurity organization staffed by some of the world’s leading cybersecurity professionals. Over 4 million websites are under our protection. I’m sending out this email for two reasons. Firstly, I’d like you to know that our team is entering a higher state of alert as this situation unfolds and will be closely examining the telemetry we receive from the sites under our protection. We will react quickly to emerging threats. Secondly, I’m including recommendations for you and your team, if you run a business.
Specifically, we are on the lookout for:
- WordPress site compromises where no known vulnerability is present, which may indicate exploitation of a zero-day vulnerability. It is not uncommon to see an APT (Advanced Persistent Threat – usually a nation-state) exploit zero-days during a large-scale or strategically important operation.
- A sudden increase in reports of compromised WordPress websites.
- An increase in attacks being launched from compromised WordPress sites.
- Unusual activity reports from our user community or from our attack telemetry.
As we identify new threats, we will, as always, release protection and detection capability to our customers in real time.
We are also taking a range of internal steps to secure our company, our team, and our infrastructure. If you run a business, I’d like to advise you to enter a higher state of vigilance. I recommend the following steps:
- Educate your team about the risks of social engineering attacks and of being phished or spear phished.
- Ensure you have two-factor authentication enabled on every important user account that you and your team operate.
- If you develop a WordPress plugin or other software that is distributed to customers, be aware that you are a target for a supply chain attack. So make sure that your code repositories and deployment systems are secure. An attacker may want to use you to distribute backdoors or other malicious code to your clients.
- Keep a close eye on your logs – security logs in particular – of all the systems under your team’s control.
- Use configuration management to manage what files should and should not be on your critical infrastructure. If you see new files appearing that you didn’t create, that’s a red flag.
- Be aware of financial activity in your organization, and be on the lookout for financial fraud attempts.
- Make sure that your HR systems and other systems that contain sensitive PII (personally identifiable information) are locked down.
- Ask your team to be on the lookout for anything that “seems weird”. Adopt an approach of “If you see something, say something” and at the very least you’ll have an interesting discussion – and at worst, it’s an attack underway.
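The configuration-management recommendation above (know what files should and should not be on your critical infrastructure, and treat new files you did not create as a red flag) can be backed by a simple baseline-and-diff file integrity check. The following is an added example, not Wordfence code and not part of the original post: it hashes every regular file under a directory into a manifest, stores it, and later reports added, removed and modified files. The function names (`build_manifest`, `diff_manifests`, `save_manifest`, `load_manifest`, `demo`) and the small sample site tree are assumptions constructed for the demonstration; the tree is created in a temporary directory so the script runs anywhere.

```python
"""Baseline-and-diff file integrity check (added example, not Wordfence code).

Assumes a directory tree you control. The sample 'site' tree below is
constructed in a temporary directory purely for demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each regular file under root (as a relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        # Skip directories and symlinks; only regular file contents are hashed.
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests; return sorted lists of added, removed and modified paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    """Persist the baseline as JSON. In practice keep this copy off the host it describes."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    """Load a previously saved baseline manifest."""
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: baseline a small site tree, then an unexpected file appears
    and a configuration file is edited. Returns the diff report."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-content" / "plugins" / "example").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed sample config\n")
        (site / "wp-content" / "plugins" / "example" / "example.php").write_text("<?php // plugin\n")

        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(site), baseline_path)

        # Changes made after the baseline (constructed for the demo):
        # a new file nobody on the team created, and an edit to an existing file.
        (site / "wp-content" / "uploads").mkdir()
        (site / "wp-content" / "uploads" / "unexpected.php").write_text("<?php // not in baseline\n")
        (site / "wp-config.php").write_text("<?php // constructed sample config, edited\n")

        return diff_manifests(load_manifest(baseline_path), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it after every deployment to refresh the baseline, and on a schedule (or from a change-triggered hook) to compare; anything in `added` or `modified` that does not match a known deployment is exactly the "new files you didn't create" signal the recommendation describes.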
If you have any questions, you’re welcome to post them here and I’ll answer them as best I can. Let’s hope this situation does not further escalate, and that it resolves quickly. Our thoughts are with all the affected families and communities.
Mark Maunder – Wordfence Founder & CEO.