The Ukraine-Russia conflict is big news in the world of cyber, with a large volume of cyber-attacks being reported on both sides. Government entities, financial organisations and energy providers are being targeted, and Western organisations are being urged to remain vigilant as it is likely that the attacks spread into Europe and further west. More recently, the well-known (and infamous) Conti ransomware group stated its intention to support the Russian government during the invasion of Ukraine. This allegiance is not surprising given the group's previous ties to the Russia-based group Wizard Spider, creators of the infamous TrickBot trojan. Other Russia-affiliated groups such as APT29 (Cozy Bear), the Sandworm Team and the Gamaredon Group have also ramped up their activity during the conflict.
We started February with the disclosure of several high-severity vulnerabilities. The first worth mentioning is a set of three remote code execution vulnerabilities in the “PHP Everywhere” plugin for WordPress (CVE-2022-24663, CVE-2022-24664 and CVE-2022-24665). This matters because WordPress is one of the most popular free content management systems (think website building without the coding) in the wild, and Bleeping Computer reported that the plugin was installed on over 30,000 websites at the time of disclosure. The first vulnerability (CVE-2022-24663) is especially critical: it only requires an account with the lowest-privileged “subscriber” role, the role WordPress assigns to self-registered users by default, and can lead to complete site takeover. Sites running the plugin should update to version 3.0.0 or later, or remove it.
Next in vulnerability news, a critical remote code execution vulnerability in Samba (the open-source implementation of Microsoft’s SMB file-sharing protocol) was disclosed on 31 January (CVE-2021-44142). It is an out-of-bounds heap read/write in the vfs_fruit module, which provides compatibility with Apple clients; an attacker who can write extended attributes on a share that loads the module (which can include guest users, if the share allows it) can use it to execute code as root, because smbd runs as root. In that sense the goal of exploiting it is akin to that of the infamous EternalBlue vulnerability in Microsoft’s SMB implementation in 2017. One might argue that it is less severe than EternalBlue because it only affects Samba servers with the fruit VFS module enabled in its default configuration (a common setting for Time Machine and other macOS shares), not the Windows systems that make up the large majority of the desktop market. Fixes are available in Samba 4.13.17, 4.14.12 and 4.15.5.
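As a quick exposure check, here is an added example, not code from the original roundup or from the Samba project, that audits an smb.conf for shares reachable by the vulnerable code path. It relies on the published facts that the bug sits in the vfs_fruit module and that only the default settings fruit:metadata = netatalk or fruit:resource = file are affected; the embedded smb.conf is constructed sample input, and the share names in it are made up. It does not replace upgrading to Samba 4.13.17, 4.14.12 or 4.15.5.

```python
"""Audit an smb.conf for shares exposed to CVE-2021-44142 (vfs_fruit).

Added example for this roundup; not code from the original article or the
Samba project. The flaw is in the vfs_fruit module and is reachable only on
shares that load "fruit" while keeping the defaults fruit:metadata = netatalk
or fruit:resource = file. The real fix is upgrading to Samba 4.13.17,
4.14.12 or 4.15.5 (or later); this script shows where an unpatched server is
exposed so the fruit module can be removed from those shares in the meantime.
"""
import re
from typing import Dict, List

SectionMap = Dict[str, Dict[str, str]]

# Constructed sample configuration (not a real deployment).
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   # fruit loaded for every share by default, with the safe non-default settings
   vfs objects = catia fruit streams_xattr
   fruit:metadata = stream
   fruit:resource = stream

[timemachine]
   path = /srv/tm
   vfs objects = fruit streams_xattr
   # per-share override back to the vulnerable Samba defaults
   fruit:metadata = netatalk
   fruit:resource = file

[public]
   path = /srv/public
   # overrides the global list and drops fruit entirely
   vfs objects = streams_xattr

[shared]
   path = /srv/shared
"""


def parse_smb_conf(text: str) -> SectionMap:
    """Minimal smb.conf parser: [section] headers and "key = value" lines.

    Samba treats parameter names case- and whitespace-insensitively, so keys
    are normalised to lowercase with single spaces. Comment lines start with
    '#' or ';'. A trailing backslash continues a value onto the next line.
    """
    sections: SectionMap = {}
    current = None
    for raw in re.sub(r"\\\n", "", text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def effective(sections: SectionMap, share: str, key: str, default: str) -> str:
    """Resolve a share-level parameter: the share, then [global], then Samba's default."""
    if key in sections.get(share, {}):
        return sections[share][key]
    return sections.get("global", {}).get(key, default)


def exposed_shares(text: str) -> List[dict]:
    """One record per share that loads the fruit module, flagging whether the
    effective fruit settings match the vulnerable Samba defaults."""
    sections = parse_smb_conf(text)
    findings = []
    for share in sections:
        if share == "global":
            continue
        vfs = effective(sections, share, "vfs objects", "").lower().split()
        if "fruit" not in vfs:
            continue
        metadata = effective(sections, share, "fruit:metadata", "netatalk").lower()
        resource = effective(sections, share, "fruit:resource", "file").lower()
        findings.append({
            "share": share,
            "fruit:metadata": metadata,
            "fruit:resource": resource,
            # Per the Samba advisory: affected if either option is left at its default.
            "exposed": metadata == "netatalk" or resource == "file",
        })
    return findings


if __name__ == "__main__":
    for f in exposed_shares(SAMPLE_SMB_CONF):
        state = "EXPOSED" if f["exposed"] else "ok"
        print(f"{f['share']:<12} metadata={f['fruit:metadata']:<9} "
              f"resource={f['fruit:resource']:<7} {state}")
```

On a real server, feed it the output of `testparm -s` rather than the raw file, so that `include =` directives and other constructs this small parser ignores are already resolved. The Samba advisory's workaround is to remove `fruit` from the share's `vfs objects`; switching an existing share to `fruit:metadata = stream` and `fruit:resource = stream` also avoids the bug but makes metadata already stored in the netatalk/file format inaccessible.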
Several unique malware variants (some new) have been discovered being deployed primarily in Ukraine, allegedly by Russia-based threat groups. A new variant of Havex, a remote access trojan first discovered in 2014, has been seen circulating in organisations involved with industrial equipment. WhisperGate, newly discovered by Microsoft in January, is a wiper distributed to disrupt systems in Ukraine by overwriting the Master Boot Record. HermeticWiper, another wiper, with the sole aim of destroying data and causing disruption, has also been seen. Finally, a modular malware C2 framework called Cyclops Blink has been thrust back into the limelight, used primarily by the Sandworm Team.
A new ransomware group called Ransom Cartel has hit the scene, bearing close similarities to the recently disrupted REvil group. Researchers found that files encrypted by Ransom Cartel resembled files encrypted by REvil, and the ransom notes used were similar to REvil's. Researchers believe that Ransom Cartel comprises core members of REvil, despite the arrest of 14 alleged REvil members in Russia in January 2022.
In mid-February, security researchers reported on the growing success of the Conti ransomware group. First observed in December 2019, Conti was reportedly the second most active ransomware group in the fourth quarter of 2021. Conti is often associated with the “Ryuk” ransomware, as it is likely Ryuk’s successor. Like most ransomware groups, Conti has wreaked havoc on a wide range of organisations. Its success has yielded considerable pay-outs and resources, enabling the group to retool and reorganise its internal structure and further improve its efficiency. Conti has advantages over other ransomware groups. One is speed: the ransomware performs fast multi-threaded encryption of targeted shares and drives. Another is that it is operated manually by default, so its operators can home in on higher-value data rather than encrypting all of a target’s file shares, drives and disks.
On 16 February 2022, the US FBI released an advisory on the use of virtual meeting platforms in business email compromise (BEC) scams. According to the advisory, a criminal can pose as an executive to order a transfer of funds, or join meetings posing as a regular employee to gather intelligence about the business. Organisations should ensure their employees can recognise the signs of social engineering and should implement out-of-band verification before initiating any fund transfer. Cyber criminals are exploiting the rapid changes in business operations brought about by remote working and are turning benign technologies to their advantage.
On 17 February 2022, cyber security researchers reported that threat actors have been delivering malware through Microsoft Teams since January 2022. The method of gaining initial access to the Teams accounts is not known, but it likely involves stolen credentials for email or Microsoft 365 accounts, obtained via phishing or by compromising a partner organisation.
The Russia-linked advanced persistent threat group Sandworm has used new malware named “Cyclops Blink” to compromise network devices, especially small office/home office (SOHO) routers and network attached storage (NAS) devices. Cyclops Blink can manipulate traffic, destroy the compromised host device and enable the exploitation of devices downstream of it. Cyclops Blink is the replacement for the “VPNFilter” malware, which was disrupted in 2018; VPNFilter’s targeting was mostly indiscriminate, but it was frequently used against Ukraine in early 2018. Sandworm has been linked to Russia’s Main Intelligence Directorate (GRU).
The Ukraine-Russia conflict is certainly dominating cyber news at the moment. The invasion is very much a two-pronged approach from Russia: one prong is physical, the other is cyber. Integrity360’s Cyber Threat Response team is constantly monitoring the situation for our customers from a defensive point of view and will continue to do so closely until things calm down.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
Join us in Dublin or London for the Security First 2022 conference. We'll be bringing together industry professionals and specialist experts to discuss the latest cyber security trends and offer actionable advice on preparing your business to put security first in 2022.