2022 is proving to be as surprising and eventful as the previous two years. News is bleak and on the cyber front it’s especially busy, since one of the world’s main players, Russia, has invaded neighboring Ukraine. Read on for the articles our team has been passing around this month.

Russian ‘Gamaredon’ hackers use 8 new malware payloads in attacks

In late January, the Russia-linked hackers known as ‘Gamaredon’ (aka Armageddon or Shuckworm) were spotted deploying eight custom binaries in cyber-espionage operations against Ukrainian entities. The hackers have long been believed to be operated by the Russian FSB. Symantec’s Threat Hunter team has analyzed eight malware samples used by Gamaredon against Ukrainian targets in recent attacks, which began in July with the dissemination of spear-phishing emails distributing macro-laced Word documents. The attacks drop files with 7-zip self-extracting binaries that minimize user-interaction requirements.

“In light of what is now happening, this four-week-old article looks quite prescient. What we are seeing over the last few days is just the culmination of a campaign that has been in the making for a long time.” — Shunta Sanders, Lead Senior Architect

Source: Bleeping Computer, January 31

ATT&CK 2022 Roadmap: Where We’ve Been and Where We’re Going

This article sums up the evolution of MITRE ATT&CK, which has taken some very important strides over the last year. The movement and evolution of the standard-bearing matrix means an even better tool for threat hunting and classifying adversary behavior. Changes include adding new macOS and Linux content, releasing ATT&CK for Containers, and consolidating the former AWS, Azure, and GCP platforms into a single IaaS (Infrastructure as a Service) platform. Also notable was the addition of 8 new techniques, 27 sub-techniques, 24 new Group entries and over 100 new Software entries. Read more about the future and also about ATT&CKCon, the gathering of the MITRE-using community happening at the end of March.

“We work hand-in-hand with MITRE, and the fact that it is constantly evolving to help better equip the cybersecurity world is fantastic.” — A member of our customer success team

Source: Medium, February 2

Shields Up: CISA Urges ‘Heightened Posture’ Against Russian Cyberattacks

The Cybersecurity and Infrastructure Security Agency (CISA) of the United States released a warning advising organizations to take up a “heightened” security posture against Russian cyberattacks. The warning comes as a result of Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations. CISA goes on to encourage reporting of any threat actor activity and outlines steps to take for protection. Read the full article to find out how CISA recommends reducing the likelihood of a damaging cyber intrusion.

“Although the current conflict is focused on Ukraine, the escalation in cyber-attacks has led the CISA to recommend that all organizations in the US, regardless of size, adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets. They have included a series of really thoughtful recommendations and tips on their website that every company, American or not, should follow.” — Fernando, Founder

Source: CISA, February 13

New Hacking Groups Striking Industrial / OT Targets

In a concerning announcement, three new threat groups targeting the industrial sector have appeared on the scene. Over half of the attacks are the work of only two known cybercriminal outfits. Russia has been accused of responsibility for ongoing cyberattacks, including a distributed denial-of-service (DDoS) assault on government websites. Financial services have also been impacted. The Kremlin has denied any involvement, but these cyberattacks have enabled data theft and caused real-world disruption. They were reported in Dragos’ fifth Year In Review report on Industrial Control System (ICS) & Operational Technology (OT) threats, in which Dragos asserts the three new groups have been discovered “with the assessed motivation of targeting ICS/OT.” Read on for more information on these new activity groups: Kostovite, Petrovite and Erythrite.

“Critical infrastructure is one of a country’s most valuable targets, especially when it comes to cyberwarfare. It is also a vulnerable target, long overdue for modernizing and with antiquated technology. According to experts, it only takes the toppling of a few substations to completely achieve a nationwide blackout. These kinds of attacks must be paid attention to and prevented.” — Shunta Sanders, Lead Senior Architect

Source: ZDNet, February 23

US Agencies Say Russian Hackers Compromised Defense Contractors

In more Russia-related news, hackers sponsored by the Russian government have breached the networks of multiple US defense contractors in a sustained campaign that has revealed sensitive information about US weapons-development communications infrastructure. The campaign has been ongoing since January 2020, and the hackers have targeted defense contractors that support the DoD and the intelligence community. In some cases, persistent access was maintained for over six months, and the hackers were able to exfiltrate hundreds of documents with classified information.

“This article makes it clear that it is not enough to solely protect government agencies. Top-tier hackers will go after defense contractors, too. They are usually “easier” targets, manage information that can be useful for hackers, and can also be used as “trampolines” to access Defense units.” — Fernando, Founder

Source: Wired, February 17

Don’t miss next month’s roundup. Follow us on LinkedIn, Twitter, or sign up for our newsletter to stay in touch.