Suspected Threat Actors: APT29 (Cozy Bear, Cozer, CozyDuke, EuroAPT, Fritillary, Group 100, IRON HEMLOCK, Minidionis, Nobelium, Office Monkeys, TEMP.Monkeys, The Dukes)
Summary: Researchers who have been tracking the state-sponsored Russian cyberespionage group APT29 report that its operations continue to target the US, NATO, and partner countries. Despite efforts to publicize its operations, the group remained prolific in 2022 and focused on organizations dealing with the foreign policy of NATO countries.
According to researchers, the group shows exceptional operational security, advanced tactics against Microsoft 365, and new TTPs in recent operations. One such tactic was disabling the Purview Audit feature on targeted accounts. Purview Audit, formerly Advanced Audit, is available with E5 licenses and certain add-ons in Microsoft 365 and logs details such as the user-agent string, timestamp, IP address, and user whenever an email is accessed. APT29 disabled Purview Audit before it began collecting email, leaving the organization no record of which accounts had been targeted or when.
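The following PowerShell is an added defender-side check, not code from the report or from Microsoft: it looks for the audit gap described above, both the current per-mailbox state and who turned auditing off. It assumes the ExchangeOnlineManagement module, an account with audit-log read rights, and an E5-licensed tenant where MailItemsAccessed is expected in every mailbox's owner audit set.

```powershell
# Added example: hunt for Purview/Advanced Audit being switched off on mailboxes.
# Assumes ExchangeOnlineManagement is installed and the tenant is E5-licensed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1) Tenant-wide kill switch: if this is $true, no mailbox auditing is recorded at all.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) { Write-Warning "Mailbox auditing is disabled tenant-wide" }

# 2) Per-mailbox state: flag mailboxes with auditing off or MailItemsAccessed missing
#    from the owner audit set (the action Purview Audit uses to record each mail read).
$gaps = Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled -or ($_.AuditOwner -notcontains 'MailItemsAccessed') } |
    Select-Object UserPrincipalName, AuditEnabled, @{n='AuditOwner'; e={ $_.AuditOwner -join ',' }}
$gaps | Format-Table -AutoSize

# 3) Who changed it: pull Set-Mailbox events from the unified audit log and keep only
#    those that touched an audit-related parameter. 'Parameters' is the Name/Value array
#    inside each record's AuditData JSON.
$start = (Get-Date).AddDays(-90); $end = Get-Date
$auditParams = 'AuditEnabled','AuditOwner','AuditDelegate','AuditAdmin','AuditLogAgeLimit'
Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations 'Set-Mailbox' -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        $hit = $d.Parameters | Where-Object { $auditParams -contains $_.Name }
        if ($hit) {
            [pscustomobject]@{
                When    = $d.CreationTime
                Actor   = $d.UserId
                Mailbox = ($d.Parameters | Where-Object Name -eq 'Identity').Value
                Changed = ($hit | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
            }
        }
    } | Sort-Object When | Format-Table -AutoSize

# Removing the E5 license also switches Purview Audit off for that user; review
# 'Change user license' events in the Azure AD audit log for the same window separately.
Disconnect-ExchangeOnline -Confirm:$false
```

Any mailbox listed in step 2 without a matching administrator change in step 3 is worth treating as a licensing or tampering question rather than a configuration drift.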
Other notable findings included APT29 abusing the self-enrollment process for multi-factor authentication in Azure Active Directory, a trend also observed with other threat actors. In this case, APT29 targeted dormant accounts: once a password-guessing attack succeeded against such an account, the actors were prompted to enroll it in MFA and did so themselves.
Insights: APT29 is considered one of the most technically skilled Russian hacking groups. The recent findings demonstrate extraordinary preparation and a deep understanding of the environments they target. Despite defenders exposing its activities, APT29 remains persistent and continues to attack aggressively, which may hint at strict objectives assigned by the Russian government.
Summary: HavanaCrypt, a newly discovered ransomware strain first spotted by researchers in June 2022, masquerades as a legitimate Google Chrome update. A sample observed by researchers posed as a Google software update, keeping the Google Chrome icon and other metadata, but analysis showed it to be HavanaCrypt ransomware. According to researchers, the ransomware contains sophisticated anti-analysis techniques, including code obfuscation, multiple checks to detect virtual machines, and process killing. For encryption it uses the cryptographic capabilities of KeePass, an open-source password manager, and appends the .Havana extension to encrypted files. The ransomware uses Microsoft web hosting services, likely to evade detection.
Insights: The ransomware currently drops no ransom note, which suggests the operation is not yet profitable for the attackers behind it. However, researchers highlight that its authors intend to communicate over the Tor browser, since the Tor directory is among the directories it avoids encrypting. This also suggests HavanaCrypt is still under development.
Summary: On 18th August, CISA (Cybersecurity & Infrastructure Security Agency) added 7 new entries to its Known Exploited Vulnerabilities Catalog, and another vulnerability was added on 22nd August. These vulnerabilities affect products from Apple, Google, Microsoft, Palo Alto Networks, and SAP.
Of these, the CVE-2022-22536 flaw in SAP products carries the maximum CVSS score of 10. The agency warns that customers failing to apply patches for this issue are exposed to ransomware attacks, data theft, and other attacks that could severely disrupt the business.
CVE-2022-32893 and CVE-2022-32894 are two zero-day vulnerabilities affecting iOS, iPad, and macOS products that allow an attacker to take control of vulnerable systems.
Another zero-day, tracked as CVE-2022-2856, affects the Google Chrome browser and has already been picked up by attackers. Successful exploitation leads to arbitrary code execution (ACE) or system takeover.
CVE-2022-21971 was assessed by Microsoft as “exploitation less likely”; however, a proof-of-concept (PoC) exploit has since been made available. Similarly, public PoC exploits are available for another Microsoft flaw, CVE-2022-26923.
Insights: The CISA KEV (Known Exploited Vulnerabilities) catalog is an excellent resource for organizations to keep up with vulnerabilities trending among attackers. The initiative aims to catalog the most important vulnerabilities that have already been exploited by attackers and pose a serious risk. Organizations must monitor and prioritize the vulnerabilities listed in this catalog.