The well-known threat actor groups like Cl0p, REvil and Conti seem to always dominate front page cyber news because their targets include big fish like IBM, Acer and Gigabyte.
What people seem to miss (because it’s not front page news) is that for every 5 big organisations breached by the big threat actors, more than 500 smaller organisations are hit by lesser known threat actors at the same time. Whilst the reward is much less for these “smaller breaches”, the risks and effort required is also much smaller. For example, the big victims often have the budget for expensive security tooling, analysts and a big insurance policy whereas the small victims will only have the budget for minimal tooling, little to no dedicated cyber staff and a cheap insurance policy. This is likewise for the threat actors.
The lesser known threat actors don’t “need” the same sophisticated and new-age malware that the big threat actors need to breach their target. The important thing to remember here and this is something the CTR team observes every day, is that the damage to the organisation is bad regardless of the size or capabilities of the threat actor.
On 14 Oct 2022, security researchers at Palo Alto’s Unit 42 released a report analyzing the Ransom Cartel ransomware group. They revealed that the group’s ransomware shows many similarities and technical overlaps with the REvil ransomware. Ransom Cartel reportedly used REvil’s source code to create its own variant, but seemingly did not use the newest version of REvil: The variant did not include some newer REvil developments, such as the obfuscation engine, which were introduced after REvil resumed operations in April 2022, following the arrest of some of its affiliates.
REvil is one of the most successful ransomware gangs that has existed, with activity spanning early 2020 to late 2021, when several of its affiliates were arrested, and picking up again in April 2022. The group has named more than 300 victims on its data-leak site.
October’s Patch Tuesday saw Microsoft release a new round of patches this week which addressed two Zero days and a multitude of other vulnerabilities.
All in all, the latest fixes cover eighty-four flaws with one of the zero days known to have been used in cyber-attacks and out of the total, thirteen are classed as critical risks.
The actively exploited zero-day vulnerability fixed was tracked as 'CVE-2022-41033'- Windows COM+ Event System Service Elevation of Privilege Vulnerability and was could be used to gain system privileges.
“We would urge customers to apply the most recent Microsoft patches which address the 2 Zero days,” says Integrity 360’s Andrew Lam.
Regarding the Fortinet vulnerability CVE-2022-40684, our Cyber Threat Response team witnessed an increasing number of exploitations in the wild. As a result of this it is more important than ever to express that management portals for firewalls and other important security devices should NOT be publicly accessible from the Internet.
According to Check Point’s Q3 Brand Phishing Report delivery company DHL is the company that is imitated the most in phishing attempts. The company knocked Linkedin off the top spot as it was shown to have accounted for just under a quarter of all phishing attempts globally.
Microsoft rose in the rankings to second place as it was shown to have accounted for 16% of all phishing attempts recorded in the third quarter of 2022. Linkedin meanwhile fell to third place making up 11% a sharp fall from the 52% seen in Q1 and the 45% seen in Q2.
The change in rankings shows how phishers adapt their strategies throughout a year and we urge all customers to be extra cautious when receiving unexpected or unsolicited emails or SMS messages from DHL, Microsoft or Linkedin.
Read our guide on Phishing HERE
October has been Cyber Awareness Month and we hope that you have taken the opportunity to raise awareness across your organisation.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively email us at TBD@integrity360.com for a complimentary, no-commitments consultation. Also feel free to explore the many cyber security resources available on our website at https://www.integrity360.com/resources
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.