Pelosi visit encourages PRC-Taiwan cyber attacks
British “111” NHS hit by cyber attack
Gamaredon Group delivers infostealer to Ukrainian targets
Lazarus Group lures job seekers with fake employee prospects
LockBit under DDoS attack: Entrust strikes back?
CISA warns of high-severity flaw, requires government patching
GitLab discovers critical RCE vulnerability
Sometimes a bit of luck can tip a victim off to a threat actor in their network. Take one case for example, where a company’s database server suddenly crashed, despite having a substantial amount of computing resources available. The database engineers investigated and found that a database dump, compression and export command had been attempted on the server in the early hours that morning. Subsequent investigation found that a threat actor was stealing data prior to encrypting it in a ransomware attack. The lesson here is that companies should never rely purely on security events to detect a breach. Sometimes a crash or other non-security-related anomaly can indicate that something bad is about to happen. We’ve observed attackers that are purposely very quiet, and others that do not care about the noise they create. This also depends on the stage of the attack: generally speaking, the earlier in the attack chain they are, the quieter they will try to be.
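The pattern above (a database dump followed by compression, at an unusual hour) can be hunted for in process-execution logs. The following is an added example, not code from the bulletin or from Integrity360: it parses a constructed audit log in an assumed `timestamp host= user= cmd=` format and flags dump-then-archive chains and off-hours dumps, with the business-hours window and correlation window being assumed policy values.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit log (not from the bulletin): one process-exec event per line.
SAMPLE_LOG = """\
2022-08-03T02:14:07 host=db01 user=svc_backup cmd=pg_dump -U postgres customers > /tmp/.c.sql
2022-08-03T02:21:33 host=db01 user=svc_backup cmd=7z a -p /tmp/export.7z /tmp/.c.sql
2022-08-03T10:05:12 host=db01 user=dba cmd=pg_dump -U postgres customers > /backup/customers.sql
2022-08-03T11:30:00 host=app02 user=deploy cmd=tar czf release.tgz ./build
2022-08-03T23:58:41 host=db02 user=svc_backup cmd=mysqldump --all-databases | gzip -9 > /var/tmp/all.gz
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) cmd=(.*)$")   # assumed log format
DUMP_RE = re.compile(r"\b(pg_dump|pg_dumpall|mysqldump|mongodump|bcp)\b")
ARCHIVE_RE = re.compile(r"\b(gzip|bzip2|xz|zip|7z|rar|tar|zstd)\b")
BUSINESS_HOURS = range(7, 19)          # assumed policy: 07:00-18:59 is normal activity
CHAIN_WINDOW = timedelta(minutes=30)   # assumed: archive within 30 min of a dump is suspicious

def parse(log_text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m.group(1)),
                           "host": m.group(2), "user": m.group(3), "cmd": m.group(4)})
    return events

def find_exfil_staging(log_text):
    """Return alerts as (severity, host, timestamp, reason) tuples, in log order."""
    alerts = []
    last_dump = {}  # host -> timestamp of the most recent dump command seen on that host
    for ev in parse(log_text):
        is_dump = bool(DUMP_RE.search(ev["cmd"]))
        is_archive = bool(ARCHIVE_RE.search(ev["cmd"]))
        off_hours = ev["ts"].hour not in BUSINESS_HOURS
        if is_dump:
            last_dump[ev["host"]] = ev["ts"]
        reasons = []
        if is_dump and is_archive:
            reasons.append("dump piped straight into an archiver")
        elif is_archive and ev["host"] in last_dump and ev["ts"] - last_dump[ev["host"]] <= CHAIN_WINDOW:
            reasons.append("archive run shortly after a database dump on the same host")
        if (is_dump or reasons) and off_hours:
            reasons.append("outside business hours")
        if reasons:  # two independent signals on one event are treated as high severity
            alerts.append(("high" if len(reasons) > 1 else "medium",
                           ev["host"], ev["ts"].isoformat(), "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in find_exfil_staging(SAMPLE_LOG):
        print(*alert)
```

The daytime dump by the DBA and the deploy host's release tarball produce no alert; the 02:00 dump, the archiver run seven minutes later, and the midnight dump-piped-to-gzip do.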
In early August, the US House of Representatives Speaker Nancy Pelosi visited Taiwan to reiterate US support for Taipei. This diplomatic mission caused further strain on the complicated relationship between the PRC and Taiwan. After threatening “severe consequences” if Taiwan allowed Pelosi to visit, Beijing carried out several military drills off the coasts of Taiwan to display its strength and its disapproval of Pelosi’s mission. As often happens during tense geopolitical situations, the parties involved quietly exchanged low-intensity cyber activity. Since Pelosi landed in Taiwan on 02 Aug 2022, the following malicious cyber activity was observed:
On 04 Aug 2022, a cyber attack targeted Advanced, a managed service provider (MSP) that provides IT and software services to clients including the UK’s National Health Service (NHS). The attack impacted the NHS 111 emergency service, causing severe delays to ambulances and general practitioners’ appointments. This instance highlights how MSPs can be valuable targets for threat actors, propagating their attacks’ impacts to multiple victims at the same time.
On 15 Aug 2022, security researchers reported that “Gamaredon Group” has been conducting a cyber-espionage campaign targeting Ukraine. Activity was first observed on 15 Jul 2022, and most recently on 08 Aug 2022. The group reportedly delivered variants of a PowerShell information stealer (infostealer) to Ukrainian targets, as well as custom backdoors, including “Pterodo” and “Giddome”. Researchers believe that the malware was delivered via spearphishing emails, likely with lures pertaining to the Russia-Ukraine war.
On 17 Aug 2022, researchers reported that the North Korea-linked APT “Lazarus Group” had been using a signed malicious executable designed to target macOS systems. Lazarus Group members were impersonating employees of the cryptocurrency-exchange company Coinbase, targeting job seekers in the financial technology sector. The campaign targeted new and old macOS versions, and used malware disguised as a PDF file containing a fake job description. The macOS malware was code-signed on 21 Jul 2022 with a certificate that had been issued five months earlier to a developer using the name Shankey Nohria. As of 12 Aug 2022, the certificate had not been revoked by Apple, nor had it been checked by Apple’s process to discover malicious software components.
On 18 Aug 2022, the LockBit ransomware group threatened to leak the data of the company Entrust on the group’s darkweb data-leak site. Entrust is a US-based cyber-security firm whose offerings to companies include cloud security, identity verification, and secure payments. Entrust was reportedly breached by LockBit in June 2022 and the firm confirmed the breach to customers in a July 2022 notification. Following a series of unsuccessful negotiations, which likely ended without a ransom payment, LockBit named Entrust on its site and threatened to leak its data.
On 22 Aug 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory warning of a vulnerability found in Palo Alto Networks’ PAN-OS: CVE-2022-0028. The flaw allows an unauthenticated remote threat actor to launch DDoS attacks against devices. Several PA-Series, VM-Series, and CN-Series Palo Alto devices are reportedly affected by the vulnerability. Palo Alto has released patches for all affected devices, and CISA has advised US federal agencies to apply the fixes by 09 Sep 2022.
On 24 Aug 2022, GitLab—a code repository and software development platform—warned users of a critical RCE vulnerability affecting all versions of GitLab from 11.3.4 to 15.1.4, as well as those between 15.2 and 15.2.3, and 15.3. The vulnerability allows attackers to perform RCE via a GitLab tool used for importing software projects from GitHub to GitLab. RCE vulnerabilities may allow attackers to take control of affected servers, steal or delete source code, or perform malicious code commits.
If you are worried about any of the threats outlined in this bulletin, or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively email us at TBD@integrity360.com for a complimentary, no-commitment consultation. Also feel free to explore the many cyber security resources available on our website at https://www.integrity360.com/resources.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.