While it might seem counterintuitive to revisit last week’s newspaper for valuable information, “Those who cannot remember the past are condemned to repeat it.” Stepping back to recollect the security events of the recent past is especially important in our field, because the risk of repeating past mistakes is high. Last year’s most popular posts on the Unit 42 Threat Research blog let us examine what the events of 2022 can tell us about the year to come.
Threat actors are tremendously fond of recycling and reusing old techniques, as long as they continue to have a high rate of return. And as past incidents have shown us, these tricks can be useful for years, if people don’t apply appropriate patches and mitigations.
Even before the events that began in February 2022, there was significant cyber activity in Eastern Europe. Beginning on Jan. 14, 2022, reports emerged of a series of attacks targeting Ukrainian government websites that left numerous sites defaced or inaccessible. The government of Ukraine formally accused Russia of masterminding these attacks.
Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon, Website Defacement, Phishing and Scams
Over the next several weeks, Russia-Ukraine cyber activity escalated substantially. Beginning on Feb. 15, a series of distributed denial of service (DDoS) attacks commenced. These attacks continued, impacting both the Ukrainian government and banking institutions. On Feb. 23, a new variant of wiper malware, named HermeticWiper, was discovered in Ukraine. Shortly after, a new round of website defacement attacks were also observed impacting Ukrainian government organizations.
The Gamaredon group (aka Trident Ursa, Primitive Bear) is one of the most active advanced persistent threat (APT) groups targeting Ukraine. Given the current geopolitical situation and the group’s specific target focus, Unit 42 continues to actively monitor for indicators of its operations.
In January 2022, Unit 42 researchers were able to map out three large clusters of Gamaredon’s infrastructure used to support different phishing and malware purposes. In further updates in February and June, these clusters were found to link to over 700 malicious domains, 215 IP addresses and over 100 samples of malware. We will continue to provide updates as needed.
The cybersecurity industry has also long considered Cloaked Ursa to be affiliated with the Russian government. This aligns with the group’s historic targeting focus, dating back to malware campaigns against Chechnya and other former Soviet bloc countries in 2008.
Campaigns in May 2022 by Cloaked Ursa were initiated with a lure of an agenda for an upcoming meeting with an ambassador. These campaigns are believed to have targeted several Western diplomatic missions between May and June 2022. The lures included in these campaigns suggest targeting a foreign embassy in Portugal, as well as a foreign embassy in Brazil. In both cases, the phishing documents contained a link to a malicious HTML file – EnvyScout – that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload.
In February 2022, CVE-2022-0492, a new privilege escalation vulnerability in the Linux kernel, was disclosed. CVE-2022-0492 is a logic bug in control groups (cgroups), a Linux feature that is a fundamental building block of containers: the kernel let a process set the cgroup v1 release_agent (a program the kernel runs as root when a cgroup empties) without requiring CAP_SYS_ADMIN in the host’s user namespace, so root inside a container, or a process that could create its own user namespace, could point it at a payload of its choosing.
The issue stands out as one of the simplest Linux privilege escalations discovered in recent times: the kernel exposed a privileged operation to unprivileged users. Fortunately, the default security hardening in most container environments is enough to prevent container escape. Docker’s default seccomp and AppArmor profiles block the user-namespace creation the escape relies on, and a container without CAP_SYS_ADMIN cannot mount a writable cgroup hierarchy directly. Containers run with --privileged, with CAP_SYS_ADMIN, or without a seccomp profile (Kubernetes pods run unconfined unless one is set) remain exposed until the kernel is patched.
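The posture check below is an added example, not code from Unit 42 or the kernel project. It reads the two signals that matter for CVE-2022-0492 and that a process can see from inside the container, CAP_SYS_ADMIN in CapEff and an active seccomp filter, in the /proc/<pid>/status format; the status texts it ships with are constructed samples of a default Docker container and a --privileged one.

```python
"""Added example (not code from Unit 42 or the Linux kernel): report whether a
container's runtime posture carries the mitigations that block CVE-2022-0492.

Writing cgroup v1's release_agent needs a writable cgroup hierarchy, which in
practice means either CAP_SYS_ADMIN in the container (to mount cgroupfs) or
the ability to unshare a user namespace and mount it there. Docker's default
seccomp/AppArmor profiles block that unshare and drop CAP_SYS_ADMIN, so those
two signals, read from the /proc/<pid>/status format, are the ones most worth
confirming. The status texts below are constructed samples.
"""
import sys

CAP_SYS_ADMIN = 21  # bit number from <linux/capability.h>


def parse_proc_status(text: str) -> dict:
    """Parse 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def has_capability(cap_mask_hex: str, cap: int) -> bool:
    """True if capability bit `cap` is set in a hex mask such as CapEff."""
    return (int(cap_mask_hex, 16) >> cap) & 1 == 1


def assess(status_text: str) -> dict:
    """Return the CVE-2022-0492 posture derived from a /proc status text.

    Seccomp mode 2 means a BPF filter is loaded. That alone does not prove
    unshare/clone with CLONE_NEWUSER is filtered, but Docker's default profile
    does filter them, and Kubernetes pods run unconfined unless a profile is
    set, so mode 0 is the red flag to act on.
    """
    f = parse_proc_status(status_text)
    sys_admin = has_capability(f.get("CapEff", "0"), CAP_SYS_ADMIN)
    seccomp_mode = int(f.get("Seccomp", "0"))
    return {
        "cap_sys_admin": sys_admin,
        "seccomp_filter": seccomp_mode == 2,
        # Both defaults present: the known escape paths are closed even on an
        # unpatched kernel. Otherwise, patch the kernel first.
        "mitigated": (not sys_admin) and seccomp_mode == 2,
    }


# Constructed sample: what a default `docker run` container reports.
DOCKER_DEFAULT_STATUS = """Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
Seccomp:\t2
"""

# Constructed sample: a `--privileged` container (all caps, no seccomp).
PRIVILEGED_STATUS = """Name:\tsh
CapEff:\t000001ffffffffff
Seccomp:\t0
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/self/status"
    try:
        with open(path) as fh:
            print(assess(fh.read()))
    except OSError as exc:  # non-Linux host or unreadable path
        print(f"could not read {path}: {exc}")
```

Run it inside the container you are assessing (it defaults to /proc/self/status); a `mitigated: False` result means either the kernel must be patched or the container must be re-launched with the default capability set and a seccomp profile. AppArmor or SELinux confinement is not visible in this file and has to be checked separately.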
In March 2022, two vulnerabilities were announced in Spring projects, the open-source frameworks for building enterprise Java applications: CVE-2022-22963 in Spring Cloud Function and CVE-2022-22965 (dubbed Spring4Shell) in Spring Framework. The vendor patched them with the release of Spring Cloud Function 3.1.7 and 3.2.3, and Spring Framework 5.3.18 and 5.2.20, respectively.
CVE-2022-22965 was particularly notable because it allowed unauthenticated remote code execution (RCE), and Unit 42 observed it being exploited in the wild. The publicly known exploitation path requires the application to run on JDK 9 or later and to be deployed as a WAR on Apache Tomcat: a data-binding flaw lets request parameters reach the class loader, and exploitation could result in a webshell being written into the webroot of the compromised server that would allow further command execution.
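Two checks a practitioner would want at this point, as an added example that is not Unit 42 or Spring project code: a version comparison against the fixed releases named above, and a scan of web-server access-log lines for the class.module.classLoader request-parameter prefix that the public Tomcat/WAR exploitation path relies on. The log lines are constructed samples using documentation IP addresses.

```python
"""Added example (not Unit 42 or Spring code): two practical checks for
CVE-2022-22965 (Spring4Shell). spring_framework_vulnerable() compares a
version string against the fixed releases (5.3.18 / 5.2.20); log_line_hits()
scans combined-format access-log lines for the class.module.classLoader
parameter prefix used by the public exploitation path. Log lines constructed.
"""
import re
from urllib.parse import unquote_plus

# First fixed patch level per supported minor line.
FIXED_PATCH = {(5, 3): 18, (5, 2): 20}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
# Request line inside a combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# class.module.classLoader.* (JDK 9+) and the older class.classLoader.* form
# (CVE-2010-1622), matched at the start of a query-parameter name.
IOC_RE = re.compile(r"(?:^|[?&;])class\.(?:module\.)?classLoader\.", re.IGNORECASE)


def spring_framework_vulnerable(version: str) -> bool:
    """True if a Spring Framework version predates the CVE-2022-22965 fix."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major >= 6:
        return False  # 6.x shipped after the fix
    if (major, minor) in FIXED_PATCH:
        return patch < FIXED_PATCH[(major, minor)]
    return True  # 5.1 and earlier are out of support and received no fix


def log_line_hits(line: str) -> bool:
    """True if the request target carries the class-loader binding prefix.

    URL decoding happens first so %2e / %4c style obfuscation of the
    parameter name does not slip past the pattern. POST bodies are not in
    access logs, so this only catches the GET variant; pair it with a WAF or
    application-level request log for full coverage.
    """
    m = REQUEST_RE.search(line)
    if not m:
        return False
    return bool(IOC_RE.search(unquote_plus(m.group("target"))))


def scan(lines):
    """Return the indices of log lines that match the indicator."""
    return [i for i, line in enumerate(lines) if log_line_hits(line)]


# Constructed sample lines (combined log format, documentation IPs).
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Mar/2022:10:15:02 +0000] "GET /app/?class.module.classLoader'
    '.resources.context.parent.pipeline.first.pattern=x HTTP/1.1" 200 12 "-" "curl/7.79.1"',
    '203.0.113.7 - - [31/Mar/2022:10:15:03 +0000] "GET /app/?page=2&class=shop HTTP/1.1"'
    ' 200 5310 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [31/Mar/2022:10:15:04 +0000] "GET /app/?class%2Emodule%2Eclass%4Coader'
    '.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 12 "-" "python-requests/2.27"',
]

if __name__ == "__main__":
    for v in ("5.3.17", "5.3.18", "5.2.20", "6.0.2"):
        print(v, "vulnerable" if spring_framework_vulnerable(v) else "fixed")
    print("suspicious log lines:", scan(SAMPLE_LOG))
```

The version check is only half the story for CVE-2022-22963, which lives in Spring Cloud Function and is triggered through a request header rather than a query parameter; treat the log scan as coverage for CVE-2022-22965 and confirm Spring Cloud Function is at 3.1.7 or 3.2.3 separately.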
In May 2022, details emerged of malicious Word documents that used remote templates to execute PowerShell via the ms-msdt Office URL protocol handler. The technique allowed attackers to bypass local Office macro policies, since no macro is involved, and it executed code in the context of Word. Microsoft has since assigned CVE-2022-30190 to this vulnerability, released guidance to disable the ms-msdt URL protocol handler as a workaround, and patched it in the June 2022 security updates.
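A static triage for the delivery chain described above, as an added example that is neither Unit 42 nor Microsoft code: a .docx is a zip of XML parts, and a document that pulls a remote template declares it in a .rels part as an attachedTemplate relationship with TargetMode="External". The function below lists such relationships, a second flags the ms-msdt: URI in a fetched template page, and the documents and HTML it runs on are constructed in memory with a documentation IP address.

```python
"""Added example (not Unit 42 or Microsoft code): static triage for the
CVE-2022-30190 delivery chain. external_templates() lists externally attached
templates declared in a .docx's .rels parts; html_invokes_msdt() flags the
ms-msdt: URI in a fetched template page. All inputs below are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Remote targets: http(s) URLs or UNC paths. Local file:// templates (e.g. a
# user's Normal.dotm) are common and legitimate, so they are not matched.
REMOTE_TARGET_RE = re.compile(r"^(?:https?://|\\\\)", re.IGNORECASE)
MSDT_URI_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_templates(docx_bytes: bytes):
    """Return (rels_part, target) for every externally attached template."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue  # malformed part; out of scope for this check
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode", "Internal") == "External"):
                    found.append((name, rel.get("Target", "")))
    return found


def is_suspicious_docx(docx_bytes: bytes) -> bool:
    """A remote (http/https/UNC) attached template is the delivery signal."""
    return any(REMOTE_TARGET_RE.match(t) for _, t in external_templates(docx_bytes))


def html_invokes_msdt(html: str) -> bool:
    """True if a template page hands control to the ms-msdt: protocol handler."""
    return bool(MSDT_URI_RE.search(html))


def _build_docx(settings_rels: str) -> bytes:
    """Constructed minimal .docx; only the parts the scan touches are real."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


# Constructed: template fetched from a (documentation-range) web server.
REMOTE_TEMPLATE_DOCX = _build_docx(
    f'<Relationships xmlns="{PKG_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="http://203.0.113.10/template.html" TargetMode="External"/>'
    "</Relationships>"
)

# Constructed: ordinary document attached to a local template.
LOCAL_TEMPLATE_DOCX = _build_docx(
    f'<Relationships xmlns="{PKG_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="file:///C:/Users/alice/Templates/Normal.dotm" TargetMode="External"/>'
    "</Relationships>"
)

if __name__ == "__main__":
    print("remote:", external_templates(REMOTE_TEMPLATE_DOCX))
    print("local: ", external_templates(LOCAL_TEMPLATE_DOCX))
```

A remote attached template is not malicious on its own (some document-management systems use them), so treat a hit as a reason to fetch and inspect the target in a sandbox and to check the ms-msdt handler status on the workstation fleet, not as a verdict.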
BlackCat (aka ALPHV) is a ransomware family that surfaced in mid-November 2021 and quickly gained notoriety for its sophistication and innovation. Operating under a ransomware-as-a-service (RaaS) model, BlackCat solicited affiliates on known cybercrime forums, offering to let them keep 80% to 90% of each ransom payment, with the remainder going to the BlackCat author.
BlackCat has taken an aggressive approach to naming and shaming victims, listing more than a dozen on their leak site at one point, in a little over a month.
GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool
In June 2022, Unit 42 identified a difficult-to-detect remote access Trojan named PingPull being used by GALLIUM, an APT group.
GALLIUM (aka Softcell) established its reputation by targeting telecommunications companies operating in Southeast Asia, Europe and Africa. Industry assessments determined that GALLIUM is likely a Chinese state-sponsored group, based on the group’s geographic targeting, sector-specific focus and technical proficiency, combined with its use of known Chinese threat actor malware and tactics, techniques and procedures (TTPs).
PingPull can use any of three protocols (ICMP, HTTP(S) and raw TCP) for command and control (C2). Using ICMP makes its C2 communications harder to detect, as few organizations inspect ICMP traffic on their networks; echo requests whose payloads do not match the fixed patterns that standard ping tools emit, or that are larger than those tools send, are worth baselining and alerting on.
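A baseline check for ICMP echo payloads, as an added example that is not Unit 42 code and is not specific to PingPull: ordinary ping clients send a fixed, well-known payload, while any C2 channel riding on echo requests has to carry commands and output and so cannot. The code decodes the ICMP header, verifies the checksum, and classifies each packet as a standard ping, a small nonstandard one, or anomalous (oversized or high-entropy). The packets it runs on are constructed in the block, with a hash chain standing in for an encrypted blob.

```python
"""Added example (not Unit 42 code, not PingPull-specific): classify ICMP
echo packets by whether their payload matches what standard ping tools send.
All packets below are constructed; no traffic is captured or sent.
"""
import hashlib
import math
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
# iputils ping default: 56-byte payload, a timestamp followed by the byte
# sequence 0x10..0x37 (on 32-bit builds the sequence starts at 0x08 and still
# ends at 0x37, so the tail comparison below covers both).
LINUX_PATTERN = bytes(range(0x10, 0x38))
# Windows ping default 32-byte payload.
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"
MAX_NORMAL_PAYLOAD = 64   # bytes; defaults are 56 (Linux) and 32 (Windows)
ENTROPY_THRESHOLD = 6.0   # bits/byte; text and padding sit well below this


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, typ: int = ECHO_REQUEST) -> bytes:
    """Assemble an echo request/reply with a correct checksum."""
    header = struct.pack("!BBHHH", typ, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", typ, 0, csum, ident, seq) + payload


def parse_icmp(pkt: bytes):
    """Decode the 8-byte ICMP header; None for truncated or corrupt packets."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        return None
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq, "payload": pkt[8:]}


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_standard_ping(payload: bytes) -> bool:
    if len(payload) == 56 and payload[-len(LINUX_PATTERN):] == LINUX_PATTERN:
        return True
    return payload == WINDOWS_PATTERN


def classify(pkt: bytes) -> str:
    p = parse_icmp(pkt)
    if p is None:
        return "invalid"
    if p["type"] not in (ECHO_REQUEST, ECHO_REPLY):
        return "not-echo"
    if is_standard_ping(p["payload"]):
        return "standard"
    if (len(p["payload"]) > MAX_NORMAL_PAYLOAD
            or shannon_entropy(p["payload"]) > ENTROPY_THRESHOLD):
        return "anomalous"
    return "nonstandard"


def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for an encrypted C2 blob (constructed)."""
    out, seed = b"", b"seed"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]


# Constructed samples.
STANDARD_LINUX_PING = build_echo(0x1234, 1, b"\x00" * 16 + LINUX_PATTERN)
STANDARD_WINDOWS_PING = build_echo(0x0001, 7, WINDOWS_PATTERN)
SMALL_TEXT_PING = build_echo(0x0002, 1, b"hello")
C2_LIKE_PING = build_echo(0xBEEF, 42, _pseudo_random(160))

if __name__ == "__main__":
    for name, pkt in [("linux", STANDARD_LINUX_PING), ("windows", STANDARD_WINDOWS_PING),
                      ("text", SMALL_TEXT_PING), ("c2-like", C2_LIKE_PING)]:
        print(f"{name:8s} {classify(pkt)}")
```

Feed it the ICMP layer of packets from a capture and alert on "anomalous", then on sustained "nonstandard" traffic between the same pair of hosts; tools such as hping3 or ping with a custom -s or -p also produce nonstandard payloads, so the volume and the host pair matter more than any single packet.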
In May 2022, a sample containing a malicious payload associated with Brute Ratel C4 (BRc4) was uploaded to VirusTotal, where it received a benign verdict from all 56 vendors that evaluated it. Brute Ratel C4 is a recent commercial red-teaming and adversarial attack simulation tool that is specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus products, and that design goal is what makes it so dangerous in the wrong hands. Its effectiveness can clearly be seen in the lack of detection across vendors on VirusTotal.
The initial sample was also packaged in a manner consistent with known APT29 techniques, which means that this new red team capability (with a growing user base) is being leveraged with nation-state deployment techniques.
We identified a total of 41 malicious IP addresses, nine BRc4 samples and an additional three organizations across North and South America who have been impacted by this tool so far.
Over the past year, we have seen an incredible number of high-profile attacks with geopolitical implications. While activity specific to Eastern Europe is unlikely to decrease in the near future, it is less likely to grab headlines the way it did this year as news cycles move on to newer topics, which means security practitioners will have to work harder to stay informed about ongoing threats.
While new vulnerabilities and malware continue arriving at a swift pace, it is particularly concerning that malware is heading in two notable directions:
- More malware authors are offering their wares as subscription-based services, as their offerings continue to become more complex and potentially damaging.
- Threat actors of all skill levels can now access malicious tools that rival enterprise software.
Our researchers will continue to monitor the whole of the security landscape, and to alert the public to high-impact threats wherever and however they occur. We are committed to helping improve the security landscape, and to help people learn what to do to protect themselves from the latest threats and vulnerabilities.