Weekly Cyber-Intelligence Trends and Advisory – 26 May 2022

Threat Actor in Focus – Sandworm

New Version of ArguePatch Used to Attack Targets in Ukraine

  • Attack Type: Malware Implant, Impersonation, Persistence
  • Objective: Unauthorized Access
  • Target Technology: Microsoft Windows
  • Target Industry: Unknown
  • Target Geography: Ukraine
  • Business Impact: Data Loss, Financial Loss

Sandworm, the APT group behind some of the world’s most disruptive cyberattacks, continues to update its arsenal to target Ukraine. Researchers have recently spotted an updated version of the ArguePatch loader, the malware used in the Industroyer2 attack targeting energy providers in Ukraine and in multiple disruptive CaddyWiper attacks.
According to the researchers, the new ArguePatch variant adds a feature that executes the next stage of the attack at a specified time. Another significant difference the researchers noted is that the new variant is distributed by abusing a legitimate ESET executable whose digital signature has been removed and whose code has been overwritten.

Attackers often maintain persistence on a targeted system after gaining initial access by setting up scheduled tasks and/or modifying the registry. The new version of ArguePatch, however, introduces a time-based execution feature. This tactic is likely intended to remove the need to create a Windows scheduled task for persistence and so help the attackers remain undetected.
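As an added defender-side check (example code written for this summary, not from the original researchers or from ESET), the following Python parses a PE header and reports whether the Attribute Certificate Table that holds an Authenticode signature is present; a vendor binary whose signature was stripped, as described for the ArguePatch carrier above, has this directory entry zeroed. The sample headers are constructed inline; the check only detects a missing certificate table and does not validate a signature that is present, which still requires full Authenticode verification (for example signtool or Get-AuthenticodeSignature).

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory slot of the Attribute Certificate Table


def authenticode_table(data: bytes):
    """Return (file_offset, size) of the PE certificate table, or None if absent.

    A binary whose embedded Authenticode signature was stripped has this
    directory entry zeroed, even though it may still carry the vendor's
    version resource and look legitimate at a glance.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20            # skip PE signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                 # PE32
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:               # PE32+
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    offset, size = struct.unpack_from("<II", data, entry)  # for this slot the "RVA" is a file offset
    return (offset, size) if offset and size else None


def is_signature_stripped(data: bytes) -> bool:
    """True when the PE carries no certificate table at all."""
    return authenticode_table(data) is None


def build_sample_pe(sig_offset: int, sig_size: int) -> bytes:
    """Constructed minimal PE32+ header (not a runnable executable) used as sample input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)   # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, sig_offset, sig_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


SIGNED_SAMPLE = build_sample_pe(0x1000, 0x1800)   # certificate table present
STRIPPED_SAMPLE = build_sample_pe(0, 0)           # signature removed
```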

Major Geopolitical Developments in Cybersecurity – Internet Shutdown in Pakistan Ahead of Protests Related to Prime Minister’s Removal

In Pakistan, Internet services are said to have been limited as the government moves to curb the protests organized by Imran Khan. The former prime minister of Pakistan was recently forced to leave office by a no-confidence motion in parliament on April 10.

A watchdog organization – NetBlocks – tracks major disruptions in Internet connectivity across the globe and confirmed disruptions to Internet service from multiple service providers across Pakistan after 5 p.m. local time.

NetBlocks said real-time monitoring of network data from multiple providers showed “a pattern consistent with an intentional disruption to service.” Their analysis showed the incident is “consistent with previously recorded internet shutdowns and is likely to significantly impact the flow of information”. They assess the effects to be widespread, with high impact in major cities including Islamabad, Karachi, and Lahore.

As the former prime minister called for anti-government protests and supporters took to the streets to demand new elections, hundreds of citizens confirmed reports of the Internet shutdown on social media.

Ironically, Pakistani leaders have a long history of imposing such nationwide restrictions during times of unrest, and this includes Imran Khan himself.

Updates on LockBit 2.0 Ransomware Group

LockBit operators first appeared on Russian-language cybercrime underground forums around January 2020. In June 2021, the operators introduced version two of the LockBit RaaS, advertised as LockBit 2.0, which was reportedly bundled with StealBit, a built-in information-stealing function.

The LockBit 2.0 operators are known to use the double-extortion technique, threatening to publish exfiltrated data on their dark web leak site “LockBit BLOG” if ransom demands are not met. This tactic coerces victims into paying the ransom.

At the start of November 2021, increased pressure from law enforcement agencies and the unavailability of members forced the prolific RaaS group BlackMatter to shut down its operations. However, researchers reported that existing BlackMatter affiliates are moving their victims to the LockBit DLS, most likely to facilitate their extortion efforts. They observed that BlackMatter victims are provided with URLs to new negotiation pages that belong to LockBit. With more experienced affiliates joining, LockBit is set to become one of the largest and arguably the most successful ransomware groups in operation.

Alongside Conti, LockBit is one of the most prominent ransomware groups, with the two groups accounting for nearly half of all ransomware attacks. Last month alone, LockBit claimed more than 60 victims on its dedicated leak site, the majority of them operating in the US and European countries.

Latest Cyber-Attacks, Incidents, and Breaches – Twitter fined $150 million by FTC for alleged privacy violations

  • Attack Type: Privacy Violation
  • Target Technology: Twitter
  • Target Industry: Social Media
  • Target Geography: Global
  • Business Impact: Financial Loss

The social media giant Twitter has agreed to pay a fine of $150 million for violating a 2011 administrative order with the U.S. Federal Trade Commission. The order relates to how Twitter used the email addresses and phone numbers of its users for targeted advertising. Twitter collected contact information from its users to secure their accounts; however, the company failed to notify users that the information would also be used for targeted advertising. The FTC stated that Twitter “engaged in deceptive acts or practices” by misrepresenting how it handled user data and that the company lacked reasonable safeguards to keep accounts and data secure.

According to the reports, this practice affected more than 140 million Twitter users. For a social media company, advertising is a primary source of revenue, and this practice may have significantly boosted Twitter’s. Twitter stopped this collection of contact information in 2019, stating that the use of the data for advertising was “unintentional”. In 2020, Twitter informed its shareholders of the FTC allegations and anticipated a potential fine of $250 million; the actual fine turned out to be lower.

Vulnerabilities and Exploits – Vulnerabilities in Open Automation Software Platform

  • Attack Type: Vulnerabilities & Exploits, Information Disclosure, DoS, ACE, Directory Listing
  • Target Technology: Open Automation Software Platform (OAS)
  • Vulnerability: CVE-2022-26082 (CVSS score: 9.1), CVE-2022-26833 (CVSS score: 9.4), CVE-2022-27169 (CVSS score: 7.5), CVE-2022-26067 (CVSS score: 4.9), CVE-2022-26077 (CVSS score: 7.5), CVE-2022-26026 (CVSS score: 7.5), CVE-2022-26303 (CVSS score: 7.5), CVE-2022-26043 (CVSS score: 7.5)
  • Vulnerability Type: Missing Authentication for Critical Function, Cleartext Transmission of Sensitive Information,

Researchers have recently discovered eight vulnerabilities in OAS that may allow attackers to perform a variety of malicious actions, including improperly authenticating to the targeted device and causing a DoS condition. Notably, OAS enables simplified data transfer between various proprietary devices and applications. The discovered vulnerabilities are as follows:

  • CVE-2022-26082 – one of the most serious vulnerabilities spotted by the researchers, which leads to arbitrary code execution.
  • CVE-2022-26833 – leads to unauthenticated use of the REST API.
  • CVE-2022-27169 and CVE-2022-26067 – allow directory listing at any location accessible to the underlying user.
  • CVE-2022-26077 – is an information disclosure vulnerability.
  • CVE-2022-26026 – triggers a DoS or loss of communication.
  • CVE-2022-26303 and CVE-2022-26043 – allow an attacker to make external configuration changes, including the creation of new security groups and new user accounts.

There has been no report of these vulnerabilities being exploited in the wild or listed in the CISA KEV catalog. It should be noted that CISA’s ‘Catalog of Known Exploited Vulnerabilities’ is an excellent resource for organizations to keep up with the vulnerabilities trending among attackers. The initiative aims to catalog the most important vulnerabilities that have previously been exploited by attackers and pose a serious risk. Organizations are encouraged to monitor the vulnerabilities listed in this catalog.