{"objects": [{"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": {"tlp": "white"}, "type": "marking-definition", "spec_version": "2.1"}, {"id": "report--9fae0a8f-358b-5c1f-840b-28939e5c647c", "created": "2022-04-20T07:06:52.401501Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "

The Analyst Prompt - 2022 Issue #07

Analysis

Threat Actor Update: Opportunistic and Strategic Information Gain Will Likely Drive Further APT Cyber Conflict Outside the Russia-Ukraine War

Since the beginning of April, EclecticIQ analysts have noted increased open-source reporting of APT groups using Ukraine war themes in phishing attacks targeting countries not directly participating in the conflict (1, 2, 3). APT groups with alleged links to China, Iran, North Korea and Russia, as well as an unidentified Spanish-speaking APT, have been identified carrying out these attacks.

EclecticIQ analysts assess that this behavior is typical of APT groups, which continually adjust their operations to remain effective and breach new targets. As the war continues, its progression provides attention-grabbing themes that can be used to direct cyberattacks at the users most likely to engage with that material. The majority of these APT attacks are aimed at information theft, judging by the malware used in the campaigns, which leans heavily toward remote access and information gathering, and by the initial access vectors.

Less common attacks are possibly aimed at strategic service disruption as part of more complex State-on-State conflict (4, 5, 6, 7). The April 12 attack on a Bremen-based German wind power company represents the third attack on a German wind power company since the start of the war. This third attack is alleged to be linked to the war in Ukraine, based on initial comments from \u201cexperts\u201d connected to the matter. It is possible that ransomware attacks will also serve as an extension of the strategic activities of APT groups connected to State interests, providing both disruption and strategic information gain.

New and Noteworthy: Law Enforcement Operations Chip Away at Illicit Markets With Little Effect

On February 27th, RaidForums\u2019 primary command and control infrastructure was taken down and US law enforcement placed an announcement on the landing page (8). RaidForums was a very popular marketplace that often advertised illicit cyber-related activities. A separate law enforcement operation recently took down the Hydra marketplace (9). Many, many more dark marketplaces remain available through the internet and TOR.

These sanctioned operations demonstrate a degree of prioritization of official resources aimed at combating these prevalent websites. Targeted takedowns are very likely not having a significant effect on the larger landscape for the exchange of illicit goods and data. The primary administrator of RaidForums started the service when he was about 14 years old, a very clear indication of how easily these markets are set up and maintained. Much like a literal hydra, dark marketplaces will continue to spring up in different forms, hosted in various countries, offering the same services, and end users will migrate to new sites with ease. A 2020 study of almost 40 million users\u2019 activity across dark markets found that the ecosystem is resilient and largely aided by fluid user migration (https://www.nature.com/articles/s41598-020-74416-y). Narrowing the time between identification and takedown of dark marketplaces is likely to provide a further, more effective deterrent for threat actors involved in creating and maintaining infrastructure.

", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-ba6464d9-63b3-44db-bd13-f9db6955539a", "object_refs": ["report--9fae0a8f-358b-5c1f-840b-28939e5c647c"], "published": "2022-04-20T00:00:00Z", "name": "The Analyst Prompt - 2022 Issue #07", "modified": "2022-04-20T07:06:52.401501Z", "type": "report", "spec_version": "2.1"}, {"id": "report--5a2824df-d2ed-50d2-8ed2-a879db8d5e14", "created": "2022-05-03T09:36:57.50748Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "

Analyst Prompt 2021 issue #41

Analysis

Policy and Governance: The Cyber Insurance Market is Changing Course Due to Continued High Rates of Ransomware

High volumes of ransomware attacks against U.S.-based organizations are rapidly driving insurers to reorient their cyber insurance policies. Since 2020, payouts in cyber insurance related to ransomware have approximately halved, while charges for cyber insurance premiums have approximately doubled. The demand for cyber insurance remains strong despite these trends as evidenced by many clients who are still willing to pay. Rates in the UK have polarized even more. The industry-wide trend continues upward from the start of 2020, when the same source reported cyber insurance rates climbing 5%-25% higher than they were in 2019 (1).

Ransomware threat actors are now highly attuned to the cyber insurance market and attempt to match extortion demands to insurance payouts as part of a new pattern of attack TTPs (https://research.nccgroup.com/2021/11/12/we-wait-because-we-know-you-inside-the-ransomware-negotiation-economics/). Ransomware threat actors now perform more reconnaissance and discovery work to find the victim\u2019s specific insurance policies as a way of ensuring ransoms can be met.

Last year, increasingly expensive payouts for ransomware contributed to a large rise in insurers\u2019 profitability risk calculations (2). Broker Aon calculated that ransomware contributed over one fifth of their total risk last year. The insurance market is repositioning itself against the risk from ransomware attacks by shifting more risk back to clients. The shift in risk back to clients will, in turn, put pressure back on governments to launch more law enforcement operations against ransomware cybercriminals and to develop firmer policies of intervention, such as coordinated law enforcement operations to seize infrastructure or individuals. EclecticIQ analysts note that 2021 has been a significant year for coordinated law enforcement operations against prominent cyber organizations (3). The number of similar cooperative law enforcement investigations and operations is likely to grow through 2022.

New and Noteworthy: Strict Removable Media Policy Will Best Protect Air Gapped Systems

As ransomware and APT attacks escalated against critical systems throughout 2021, perhaps the last solution for protecting critical information is to leverage an air-gapped network or system. Air-gapped systems are considered highly secure because no physical connection to the internet is maintained (4). Nonetheless, air-gapped systems remain vulnerable to intrusion, especially from APT groups. A recent, comprehensive analysis of APT attacks on air-gapped networks by ESET found that initial access in every attack over the past 15 years relied on introducing a compromised USB stick into the target environment. Replication Through Removable Media (MITRE ATT&CK technique T1091) initiated every air gap attack kill chain (5).

EclecticIQ analysts highly recommend that administrators of air-gapped systems prioritize resources for enforcement of a strict removable media policy to mitigate very high-risk attacks on physically isolated data.

Policy and Governance: Cyberthreats to Satellites Escalate Outside Established Norms

Satellites remain an often overlooked but critical piece of infrastructure supporting many different cyber capabilities on earth. China, Russia, and the U.S. are currently supporting cyberattacks in space \u201cevery single day\u201d that qualify as \u201creversible attacks\u201d, attacks that interfere with a satellite\u2019s ability to communicate, according to a U.S. Space Force general (6). In reversible attacks, operations are almost always recovered or return to normal. Different countries, including China and Russia, are developing their own networks of satellites, such as independent GPS networks, to support ground operations. The goal is technological independence in space-based communications.

Cyberthreats to space have, thus far, avoided \u201ckinetic attacks\u201d, or attacks that destroy satellites. There remains no common framework or bilateral agreement as to how threats to space-based assets should be mitigated or handled by conflicting nations. Kinetic attacks are prevented in part through a deterrent effect: if a satellite is physically destroyed, the shrapnel created poses an immediate threat to all other satellites in that orbit. An escalation to kinetic attacks would guarantee further fallout in the form of additional damage and disruption to the IT infrastructure of other nation-owned satellites, which are not easily replaceable. Many nations are testing new TTPs against satellites (7). The current U.S. administration reportedly reached out to China to open a dialogue specific to the issue of cyberattacks in space, in a global first, but so far these efforts have not been successful.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.

", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-c4d05165-49e1-4970-b9d4-920a9981ed18", "object_refs": ["report--5a2824df-d2ed-50d2-8ed2-a879db8d5e14"], "published": "2021-12-06T00:00:00Z", "name": "Analyst Prompt: 2021 issue #41", "modified": "2022-05-03T09:36:57.50748Z", "type": "report", "spec_version": "2.1"}, {"id": "report--bf04d287-605f-560d-993d-18179bc83dde", "created": "2021-10-06T18:46:02.61699Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "

The Analyst Prompt: 2021 Issue #37

Analysis

Policy and Governance: China and the U.S. Take Big (But Very Different) Steps to Regulate Cryptocurrency

On 24 September, the People\u2019s Bank of China issued a statement proclaiming all cryptocurrency transactions illegal in China. (4) Less than a week after the announcement, crypto-related firms had begun shutting down business in mainland China. (5) China\u2019s stated reason for the ban was to address \u201cillegal financial activities\u201d which \u201c\u2026seriously endangers the safety of people\u2019s assets\u201d (4), but some experts assess that the very idea of a cryptocurrency ran contrary to Beijing\u2019s vision for a state-controlled economy. (6)

In a more targeted move, the U.S. Treasury\u2019s Office of Foreign Assets Control (OFAC) on 21 September announced sanctions against the cryptocurrency exchange SUEX \u201cfor its part in facilitating financial transactions for ransomware actors.\u201d (7) The announcement explains the sanctions prevent U.S. citizens from doing business with SUEX and \u201cblock\u201d any SUEX assets or property under U.S. jurisdiction. The Treasury also issued updated guidance on \u2018potential sanctions risks for facilitating ransomware payments\u2019 \u2013 which are not illegal but remain highly discouraged. (8)

These vastly different Chinese and U.S. actions illustrate the range of issues arising from increasing use of cryptocurrency, and the challenges governments face as they decide if and how to regulate crypto. The coming months will almost certainly bring more news of nations taking steps to regulate crypto in a way that they view as most beneficial\u2013 but these steps may be increasingly at odds with the actions or interest of other nation-states. These actions may also put governments at odds with threat actors who use cryptocurrency, including many successful ransomware gangs. EclecticIQ will watch for indicators that threat actors alter their modus operandi in reaction to sanctions and similar regulation.

Exploit Tools and Targets: Details Emerge About Backdoor FoggyWeb

Microsoft recently divulged more detail about a relatively new piece of malware exploiting MS systems called FoggyWeb. According to Microsoft, FoggyWeb is a persistent backdoor through which attackers can exfiltrate data from a compromised Active Directory Federated Services (AD FS) server, including token-signing and token-decryption certificates. FoggyWeb was first observed in April 2021 and has been used by the sophisticated Russian threat group NOBELIUM, which was behind the Sunburst backdoor used in the attack on SolarWinds. Microsoft\u2019s primary advice to counter this threat is to secure AD FS servers. A list of known IOCs for FoggyWeb is available here. (9, 10)

More research on FoggyWeb is sure to be forthcoming in coming weeks, along with more information about who has been targeted via the FoggyWeb backdoor. For now, looking to the SolarWinds attack may give limited insight on the possible scope of the damage. Given the value of FoggyWeb and that the actor behind it is the highly skilled group NOBELIUM, it is likely that many victims of FoggyWeb have yet to be identified \u2013 or even realize they may be compromised. Those who have been compromised by this exploit are likely to be government targets or government partners and service providers, as well as companies who work in critical infrastructure or who work with unique intellectual property. Nonetheless, EclecticIQ recommends all cyber defenders review Microsoft's blog post for identifying and responding to a FoggyWeb breach.

New and Noteworthy: The Netherlands Announces an Industry-Led Cyber Threat Information Sharing Community

The Dutch business community is moving forward with plans to set up a cyber defense warning and information sharing network which can share threat data more quickly than established government-led procedures, according to a 29 September article by The Hague Security Delta (HSD). (1) The new sharing network will enable anybody who identifies a vulnerability to report it in the system, which will trigger an alert to the targeted individual or that person\u2019s internet provider. Prior to this initiative, threat information could be shared only via the Dutch National Cyber Security Center (NCSC). According to the director of Fox-IT, this new network is intended to complement the NCSC\u2019s efforts and to pass information quickly when the government cannot.

As cyber threats grow, non-governmental sharing networks will be increasingly helpful in identifying solutions to time-sensitive problems and in addressing issues outside the government\u2019s purview. The degree of success for this group and others like it will be determined largely by the presence of strong leadership with clear vision, proper resourcing, and acceptance by the wider community as the venue for information sharing and problem solving. Also, the success of non-governmental networks can be amplified by effective partnership with government. The NCSC is leaning forward with its own efforts to improve cyber threat sharing, including establishing its own information sharing network, Secure Net (detail available here) and in setting up its own network of partnerships (see the NCSC\u2019s website here). (2, 3) EclecticIQ sees both industry and government-led efforts as necessary and will continue supporting both government and industry partners to counter cyber threats.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please give us your feedback by filling in this quick survey. It takes less than a minute.

https://forms.office.com/r/6TZswkuGYN

", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-6ea6c7ec-9d9d-4053-985d-db8e103b34f8", "object_refs": ["campaign--13a0362d-c013-5b15-877c-8d4820fd01cc"], "published": "2021-10-06T18:46:01.37946Z", "name": "The Analyst Prompt: 2021 Issue #37", "modified": "2021-10-06T18:46:02.61699Z", "type": "report", "spec_version": "2.1"}, {"id": "report--31a0efe3-9906-51ab-bf61-ba234815bf17", "created": "2021-11-05T14:17:04.423067Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "

Analyst Prompt: 2021 Issue #39

Analysis

Policy and Governance: Tensions Rise between Ransomware Gangs and Western Governments

After the second government takedown of ransomware group REvil\u2019s online infrastructure on 22 October 2021 [1], ransomware gangs Arvin, Groove, and Conti all posted comments sympathetic to REvil and inflammatory toward the U.S. on their respective data leak sites.

Groove operators called for partner programs to stop competing with one another and to coordinate attacks on the U.S. public sector. They urged their partners not to attack Chinese interests in case they need to flee their \u201chomeland\u201d. Shortly after making this announcement, the Groove operator announced that the Groove project was a hoax to troll Western media. The next day both posts had been removed from the site and replaced with a new victim [2]. A few days prior, a Groove associate posted on the RAMP cybercrime forum that they will target U.S. hospitals and government agencies and will also consider some EU countries, specifically \u201cItalian Hospitals\u201d, as targets [3]. While the credibility of such threats is questionable, these actions do speak to the general sentiment of some ransomware operators towards Western media and interests.

The Conti gang stopped short of asking partners to coordinate an attack on the U.S. private sector, but their post does show a similar disdain as Groove toward the United States. The Arvin Club posted a Simpsons meme which suggested the takedown of REvil was not warranted and wished REvil success [4].

As of 1 November 2021, the Arvin and Groove leaks sites and the RAMP forum were no longer accessible by EclecticIQ researchers. At this time, it is unknown if there has been a coordinated government effort to take down these sites or if the site administrators shut them down.

While some ransomware gangs are looking to counter recent efforts by Western law enforcement by ramping up the targeting of the U.S. private sector, others such as BlackMatter appear content to lie low and shut down operations. On 1 November 2021, BlackMatter announced in an apparent message to affiliates that they would shut down their \u201centire infrastructure\u201d within 48 hours. The group cites \u201cpressure from authorities\u201d and \u201cpart of the team is no longer available, after the latest news\u201d as the reasons for the shutdown [5]. While it is not clear what the group is referring to by the \u201clatest news,\u201d the timing suggests they are referring to the coordinated Europol effort targeting 12 individuals who have been involved in ransomware attacks against critical infrastructure [6]. The BlackMatter leak and support pages were no longer accessible to the EclecticIQ Research Team as of 4 November 2021.

Despite the efforts of law enforcement, the EclecticIQ Threat Research Team has not identified a significant reduction in reports of ransomware nor a reduction in the infrastructure used in attacks. For this reason, organizations should continue to prioritize defenses against the ransomware threat.

New and Noteworthy: Falsified Digital COVID Certificates Under Investigation

As countries continue to recover from the Coronavirus pandemic, a number of them are creating COVID certificates to allow the vaccinated, and those who have recently tested negative or recovered, to travel and to access the hospitality, cultural and events industries. The implementation of such systems has sparked concerns over privacy and protests throughout Europe. It has also created a marketplace for falsified COVID certificates.

In the past week, falsified certificates for Adolf Hitler, Mickey Mouse, and SpongeBob were posted online that return valid results from the official COVID19 validator apps of certain countries. The European Commission immediately launched an investigation into how these valid certificates were generated [7]. The Italian wire service ANSA reported on October 27th that some of the private keys used to sign the health certificates were stolen [8]. However, just a day later the French and Polish authorities announced there was \u201cno cryptographic compromise\u201d [7]. Security researchers tracking fake certificates via a GitHub repository speculate that it is more plausible that the chain of trust between the government and those authorized to generate certificates was compromised, or that someone managed to install malware on a system with access to generate certificates [10].

EclecticIQ researchers also believe it is very unlikely the private keys were stolen. Stealing the keys would likely require significant technical capabilities, as protecting these keys is a high priority. The theft of such keys would give threat actors the ability to mark any COVID19 certificate as valid, and every individual would require a reissued COVID19 certificate. It is more likely that either authorized individuals are generating the false certificates to be sold, or unauthorized individuals have gained access to a system that can generate certificates. It is likely European governments will implement new measures to protect the chain of trust and improve the security of systems with access to generate certificates.

Policy and Governance: NSO Group Added to US Trade Blacklist

On 5 November 2021, the U.S. Commerce Department\u2019s Bureau of Industry and Security (BIS) announced that the Israeli military-grade spyware manufacturer NSO Group would be added to the Entity List for developing and supplying spyware to \u201cforeign government officials, journalists, businesspeople, activists, academics and embassy workers\u201d [11]. The Entity List is a tool leveraged by the BIS to restrict exports to an individual, organization, or company.

The NSO Group\u2019s spyware, Pegasus, was linked to the killing and dismemberment of Washington Post columnist Jamal Khashoggi by Saudi operatives and to the targeting of human rights activists, and was even found on French President Emmanuel Macron\u2019s phone [12] [13].

Three other offensive security companies were added to the Entity List on Wednesday including Candiru (Israel), Positive Technologies (Russia) and Computer Security Initiative Consultancy PTE. LTD (Singapore) [11].

Being placed on the Entity List essentially cuts these organizations off from the U.S. technology industry. EclecticIQ researchers expect this to cause significant disruption to business operations for these companies, and it could lead to them shutting down operations unless they are able to retool without utilizing U.S. software and hardware technologies.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please give us your feedback by filling in this quick survey. It takes less than a minute.

https://forms.office.com/r/pAp63skNuj

", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-163bbe05-cadc-4878-827a-4915d243a5ab", "object_refs": ["report--31a0efe3-9906-51ab-bf61-ba234815bf17"], "published": "2021-11-05T13:39:52.971369Z", "name": "Analyst Prompt: 2021 Issue #39", "modified": "2021-11-05T14:17:04.423067Z", "type": "report", "spec_version": "2.1"}, {"id": "report--e906884d-1a9d-5e09-8d30-f2a8e0567b2d", "created": "2022-03-01T15:40:35.396859Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "

The Analyst Prompt - 2022 Issue #03 - SPECIAL EDITION

Analysis

Threat Actors: Conti Ransomware Group Announces it will Use \u2018Retaliatory Measures\u2019 Against \u2018Western Warmongers\u2019

On Friday, February 25th security researcher Brett Callow shared on Twitter a statement from the ransomware group Conti stating "The Conti Team is officially announcing a full support of Russian government. If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy." (1) By Sunday evening the Conti Team modified their statement to be more nuanced, beginning with \u201cAs a response to Western warmongering and American threats to use cyber warfare against the citizens of Russian Federation, the Conti Team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world\u2026..\u201d (2) While still politically charged, the updated Conti statement attempts to distance the group from the Russian government while threatening cyberattacks toward the U.S. and the West.

By Sunday, February 27th, an unidentified actor leaked alleged Conti Group internal communications, concluding that message with \u2018Glory to Ukraine!\u2019 (3) The leaked information included information about Conti\u2019s relationship with other cybercrime organizations, details of ransom negotiations, Bitcoin addresses, and more. (4)

In the year and a half since Conti was first observed, it seemed to enjoy a permissive environment in which its Russian benefactors allowed it significant autonomy. For example, Conti has been known for targeting critical infrastructure; in May 2021 the FBI released an advisory describing sixteen Conti ransomware attacks targeting U.S. healthcare and first responder networks. (5) The long-term impact of the Russia-Ukraine conflict on cybercriminal organizations like Conti Group is yet to be seen. With the Russia-Ukraine conflict bringing more scrutiny to cyber as a tool of war, EclecticIQ analysts speculate that the Conti Group and others like it may be forced to change their modus operandi. Increased public awareness of cybercrimes, a host government which is increasingly isolated, and even the group\u2019s own internal divisions over issues like Russia\u2019s invasion of Ukraine may force cybercriminal groups to adapt in unexpected ways. One of the more likely scenarios for the near term is an escalation on both sides of the cyber conflict: increasingly aggressive and government-directed attacks on one side, with growing defense and countermeasures on the other.

Policy and Governance: Governments Across the World Warn of (or Brace For) Conflict-Related Cyberattacks

Last week, EclecticIQ noted cyberattacks against Ukrainian websites were likely to continue as tensions between Russia and Ukraine increased. We also noticed warnings from authorities in Germany, Australia, and the U.S. that Russia may launch cyberattacks targeting assets of Ukraine and its allies, and that organizations should take measures to secure and defend their networks. (6,7,8) This week, our analysts note a spate of cyberattacks targeting organizations around the world, including against McDonalds, a supplier for Toyota plants in Japan, satellite giant Viasat (which enables remote control of wind turbines in Germany), and a Bridgestone tire plant in Iowa (U.S.). (9, 10, 11, 12)

More aggressive cyberattacks are probably increasingly likely once economic sanctions targeting Russian actors and assets are in place. So far, only one of the four recent attacks mentioned above has been claimed by Russian-linked threat actors (McDonalds). It is possible that the other three attacks could have been in the works for weeks or months. The timing of these attacks coincides with news that each of these nations will impose sanctions on Russia, but so far there is no definitive evidence Russia initiated attacks because of sanctions. (13, 14) EclecticIQ analysts will watch for indicators that any forthcoming attacks may be specifically targeting nations which are most vocal in their opposition to Russian military action as a form of retribution, which could indicate Russian criminal actors have shifted from a financial motivation to more ideologically driven attacks.

New and Noteworthy: Many Industries, Including Big Tech, Find Themselves with a Role to Play as the War of Words Intensifies

This conflict is one of the clearest examples to date of private corporations using their business reach to participate in shaping the narrative surrounding the conflict. The EU announced part of its sanctions package against the Kremlin would include banning Russian state TV channels RT and Sputnik and their subsidiaries from sowing \u2018division in our union.\u2019 (15) U.S. tech giants Meta and Google announced they are disallowing Russian state-owned media from monetizing their platforms or spreading disinformation, and energy companies from the UK and Norway reduced or eliminated their cooperation with Russian partners. (16) Even more symbolic moves are gaining media attention; international soccer governing bodies FIFA and UEFA banned Russian teams from competing, but Polish and Swedish teams had already declined to play Russia in this spring\u2019s World Cup qualifying matches. (17) Many U.S. state governors and business owners in the U.S. and Canada assumed a different tactic\u2014either banning or refusing to sell Russian vodka in liquor stores and bars. (18) Russia is being equally aggressive in its aim to influence the narrative. Internal to Russia, where commerce and governance are more tightly controlled, the government asserted its control over the narrative by shutting down some free press outlets and banning press from describing Russia\u2019s actions as an attack, an invasion, or a war. (19)

Most interesting to EclecticIQ is how the information warfare angle of the conflict is playing out when large TV stations, social media companies, and internet providers decide to amend information or access to it. Both sides are playing the media game with specific intent: Ukraine to garner quick international support of any kind (especially military support), and Russia to convince a domestic audience of the legitimacy of the conflict. Unlike normal CTI analysis of indicators and artefacts, the measure of success in a war of words comes down to popular opinion\u2014or, as the phrase goes \u2018winning hearts and minds.\u2019

One measure of the effectiveness of the war of words is the myriad of players who have recently and willingly entered the hacktivism space. In addition to Conti declaring support for the Russian government (discussed above), reporting indicates several hacking groups including Anonymous will use their skills to support Ukrainian cyber objectives. (20, 21) Ukraine\u2019s Vice Prime Minister Fedorov called on supporters to create an \u2018IT army\u2019 to fight Russian cyber intrusions. (22) EclecticIQ analysts will continue reporting on the successes and challenges associated with this phenomenon as the conflict continues.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.

\n\n \n \n", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-a32ca501-a18a-4f95-bba9-ecccf7cb588a", "object_refs": ["report--e906884d-1a9d-5e09-8d30-f2a8e0567b2d"], "published": "2022-03-01T15:40:33.478025Z", "name": "The Analyst Prompt - 2022 Issue #03 - SPECIAL EDITION", "modified": "2022-03-01T15:40:35.396859Z", "type": "report", "spec_version": "2.1"}, {"id": "report--5279d43f-fa7b-5900-971a-38915696ebd1", "created": "2021-10-25T14:03:51.980849Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "\n \n \n \n \n \n Analyst Prompt: 2021 issue #38\n \n \n \n

Analyst Prompt: 2021 issue #38


Analysis


New and Noteworthy: Fake Media Will Likely Become a Mainstream Tactic in 2022
Cybercriminals used technology to recreate or clone the voice of the director of a bank in the U.A.E. so that a bank manager would authorize a transfer of $35 million to cybercriminals, under the pretext of a new acquisition (1). Reporting indicates they spoofed both voice and email, which could count as successfully subverting multi-factor authentication. Investigators believe the threat actor group comprised at least 17 people.

The attack represents an evolved form of a classic BEC (Business Email Compromise) scam; only this time voice is the primary medium for the attack. Voice cloning is well suited to this type of attack because it is more convincing and immediate. There is low risk of being caught once the criminals receive the transferred money, so BEC and social engineering scammers are very likely to be early adopters of unproven new attack vectors such as this. EclecticIQ analysts expect cybercriminals will rapidly adapt voice and visual cloning technologies in new attacks first for financially motivated cyber-crimes and next, in highly strategic APT attacks. There are many social engineering opportunities to which this can be applied. Most people are unprepared with prudent training or protocols for recognizing spoofed audio and video.

Policy and Governance: Escalating Threat of Ransomware Will Drive Regional Cooperation to Address Attacks in Lieu of a Global Framework

Data from Check Point indicates a current surge in both ransomware infections and botnets able to deliver ransomware since the Covid-19 pandemic began in early 2020, with companies in North America experiencing the highest growth in attack volume (2). EclecticIQ analysts note an annual relative increase in ransomware occurred last year at this time, but it was largely aimed at the US education sector (3). The attack increase this year is occurring across a broader set of industries. Another significant sign of ransomware escalation comes from the US disclosure of four ransomware attacks against water facilities in the past two years (4). The public disclosure contains the largest number of ransomware attacks against US critical infrastructure announced at one time.

Pressures from ransomware led the US and 30 other countries to meet virtually for an introductory forum on how to better address ransomware (5). The absence of an invitation to China and Russia is a strong signal that regional coalitions to combat ransomware syndicates are likely to form instead of global efforts. New policies resulting from regional coalitions will very likely involve cross-border law enforcement cooperation, reporting of ransomware attacks, and accountability policies aimed at tracking and disincentivizing ransom payment. Cooperation among smaller groups of states in dealing with ransomware is likely to be effective at restricting ransomware attacks because cooperative policy will likely aid law enforcement operations against ransomware threat actors across borders.

Separately, the Netherlands announced it is escalating its response to ransomware against critical infrastructure and national security (6). The government plans to prioritize prevention, attribution, and response to critical ransomware incidents. The announcement is likely aimed at deterrence, in an effort to protect the Netherlands\u2019 tech startups and vulnerable businesses. Ransomware attacks on critical industry could possibly have a greater impact in the Netherlands than they would have on a larger nation with more distributed infrastructure and resources. EclecticIQ analysts note it remains extremely difficult to establish firm attribution for State-linked ransomware attacks, making formal military and diplomatic channels nearly impossible to work through. Given this fact it is unclear how the escalated efforts will be directed. The Dutch government stated it is prepared to share further specific intelligence on ransomware with private businesses.

It has been widely observed that many ransomware families specifically avoid targeting Commonwealth of Independent States (CIS) countries via language-based whitelists that prevent malware installation (7). It has been strongly speculated that the Russian government turns a blind eye to attacks that operate outside of the CIS region (8). This intolerance of local ransomware attacks has led ransomware syndicates to avoid targeting countries of the CIS region. If other countries express similar intolerance via frameworks that allow easier regional prosecution of operators, then overall ransomware operations may become scarcer because law enforcement will be able to more readily disrupt operations.

Regional cooperation against ransomware may force ransomware syndicates to expand similar blanket-style whitelists to their ransomware operations to avoid being targeted and shut down by law enforcement (as the REvil group has now experienced twice (9)). Ransomware gangs shut down operations if law enforcement pressure resulting from specific ransomware attacks reaches certain thresholds. The shutdowns greatly affect operations and profit. If ransomware whitelisting against certain regions expands, it could restrict the growth potential of currently operating ransomware families and establish reverse incentives for the development of new ransomware families.

\n\n \n \n", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-d86a3140-4beb-4b7c-b98d-eddfa533c455", "object_refs": ["report--5279d43f-fa7b-5900-971a-38915696ebd1"], "published": "2021-10-25T00:00:00Z", "name": "Analyst Prompt: 2021 issue #38", "modified": "2021-10-25T14:03:51.980849Z", "type": "report", "spec_version": "2.1"}, {"id": "report--bfd16d0a-c0e7-5910-9d23-d500276152c6", "created": "2021-12-17T19:45:33.202986Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "\n \n \n \n \n \n The Analyst Prompt: 2021 Issue #42\n \n \n \n

The Analyst Prompt: 2021 Issue #42


Analysis


Malware: Ransomware Attacks Do Not Let Up at the End of 2021

In what seems like an appropriate end to a year defined by an increased focus on ransomware, December proved to be a busy month for cyber defenders. Organizations of all kinds around the world fell victim to or became aware of ransomware attacks. Among them were the Brazilian ministry of health, which lost access to a system used to issue vaccination certificates, and a medical group in the U.S. which learned 750K patient records were compromised earlier this year. Two organizations associated with HR software and functions were hit, as were some parts of the Virginia state legislature. And in a more bizarre incident, the Twitter account of Indian Prime Minister Modi was hacked, with hackers falsely tweeting that New Delhi would distribute cryptocurrency to the public.

EclecticIQ\u2019s Threat Research team sees no indication that the rate of cyberattacks will drop off toward the end of the year; in fact, criminal actors may seek to leverage minimal staffing during the holiday season to execute attacks. This recent spate of attacks is in line with 2021\u2019s steady rate of reports coming to light about ransomware attacks and other intrusions. Furthermore, these recent attacks prove that no industry or geography is safe from attack; the era in which cyber security personnel could confidently assume their network was safe is long gone. Defenders\u2019 best choice is to remain proactive in addressing vulnerabilities as quickly as possible in both their internal network and their supply chain\u2019s network.

Policy and Governance: Scrutiny of Tech Companies Tied to Social Justice Issues

In mid-December, the U.S. government added eight Chinese firms, several of them technology firms, to the \u2018entity list\u2019\u2014meaning U.S. investors are unable to invest in those firms. Among those added to the entity list were facial and image recognition software, AI, cyber security, and cloud computing companies. Part of the justification for adding these companies to the entity list was the Chinese government\u2019s alleged treatment of its Muslim Uyghur population. (7) Separately, California-based Meta announced it will ban certain Facebook activity by Myanmar\u2019s military. (8) This followed two lawsuits, filed earlier this month in the U.S. and UK, which each alleged Facebook materially contributed to genocide against the Rohingya. (9)

Another often overlooked theme of 2021 was the growing call for a closer look at the role and impact of technology on individuals and societies. This issue was pushed further to the forefront in early fall when a former Facebook employee leaked company communications detailing internal foreknowledge about the potential deleterious effects of social media on society. (10) The European Commission in May proposed guidelines which would more easily combat misinformation online, but these guidelines are not yet final. (11) This fall, Australia took it a step further by enacting a law forcing social media platforms to identify users posting defamatory comments. (12) EclecticIQ\u2019s Threat Research team expects initiatives to regulate social media content and increase the accountability of platforms to gain more momentum in 2022. Increased study of the long-term effects of social media will provide a more nuanced understanding of social media. With a better understanding, societies could choose to enact sensible safeguards which harness social media\u2019s potential while minimizing its risks.

Infrastructure and Vulnerabilities: NIST Data Show Slight Drop in High Severity CVEs in 2021, but Log4j Illustrates the Potential Impact of an Individual CVE

The U.S. National Institute of Standards and Technology (NIST) recently released data about the number of low, medium and high severity CVEs identified in 2021. The data show the overall number of CVEs identified in 2021 grew from 2020 numbers, but only slightly. The number of low and medium severity CVEs each grew, but the number of high severity CVEs fell from 2020 to 2021. (13)


Figure 1: Low, Medium, and High Severity CVEs: 2001 \u2013 2021 (NIST)

In the shadow of Log4j, it is encouraging that fewer high-severity CVEs were found in 2021 than the year prior, and that the overall number of CVEs identified demonstrated only a modest increase. What this graph cannot capture is the potential damage that could arise from even one single high severity CVE such as Log4j, and the tremendous effort devoted to mitigating it. It is possible that with each year, the potential impact of a single CVE could grow over the year prior, not because the CVE is any more severe, but rather because a single vulnerability may affect so many more networks. EclecticIQ is cautiously optimistic that 2021\u2019s media coverage and government attention to cyber issues will bring attention and resources needed to make 2022 more secure by both preventing and detecting the emergence of highly disruptive vulnerabilities.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.

\n\n \n \n", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-03e1c083-3e11-487f-9a17-fe40aaf011ab", "object_refs": ["report--bfd16d0a-c0e7-5910-9d23-d500276152c6"], "published": "2021-12-17T19:45:33.31364Z", "name": "The Analyst Prompt: 2021 Issue #42", "modified": "2021-12-17T19:45:33.202986Z", "type": "report", "spec_version": "2.1"}, {"id": "report--812c8b8c-517b-5484-ad8d-5fa2626f77c9", "created": "2022-03-22T15:35:18.6474Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "\n \n \n \n \n \n The Analyst Prompt: 2022 Issue #5\n \n \n \n

The Analyst Prompt: 2022 Issue #5


Analysis


RUSSO-UKRAINIAN WAR 2022: Cyberattacks Reported At High Frequency

As anticipated in the last Analyst Prompt, the spate of cyberattacks targeting Ukraine and Western organizations continued in week three of the war. It is almost certain that the frequency of cyberattacks, as well as mis- and disinformation operations, will remain high in coming weeks. EclecticIQ analysts note that reported damage from cyberattacks to date appears rather confined. Large scale cyber-attacks with major impact on Ukrainian infrastructure or services have not been observed. Analysts acknowledge that in the fog of war, government entities or private institutions likely have not identified nor reported all cyber-incidents.

On March 15th, research firm ESET reported a new data-wiping malware targeting Ukraine named CaddyWiper. [1] The malware \u201cdestroys user data and partitions information from attached drives\u201d. According to ESET, CaddyWiper shares \u201cno major code similarities to either HermeticWiper or IsaacWiper\u201d - two other data wipers observed since the beginning of the invasion.

On March 15th, the FBI and CISA released a report about Russian state-sponsored actors targeting an unnamed NGO. [2] The threat actor leveraged a set of misconfigured Multi-Factor Authentication (MFA) accounts that enabled it to enroll a new device for MFA and to access the victim network. The actors then exploited the Windows Print Spooler vulnerability \u201cPrintNightmare\u201d (CVE-2021-34527) to run arbitrary code and to move laterally in the target environment.

On March 12th, Ukraine's Computer Emergency Response Team (UA-Cert) warned about phishing emails impersonating Ukrainian government entities. [3] The emails redirected victims to a website delivering fake antivirus updates that eventually downloaded Cobalt Strike beacons, or two custom Go malware variants named GraphSteel and GrimPlant. The UA-Cert attributes the activity to UAC-0056.

Viasat Inc., a provider of high-speed satellite broadband, is investigating a possible attack against the KA-SAT satellite system. KA-SAT, run in cooperation with French satellite operator EUTELSAT, supplies Europe and the Mediterranean with satellite internet connection and, due to its independence from terrestrial infrastructure, connects endpoints in remote areas. KA-SAT operates 82 "spot beams", i.e., antennas that create a grid of ellipses on the earth's surface. One such beam is located over Kyiv. On the earth\u2019s surface the beams are connected to eight gateway stations in Europe. Experts believe that Russian forces, in an attempt to cut internet connectivity in Ukraine, attacked a regional gateway, but knock-on effects also took down other gateways in Europe. [4]

Policy and Governance: German BSI Issues Warning For Kaspersky Products

The German Federal Office for Information Security (BSI) issued a warning about the use of Kaspersky products. [5] EclecticIQ researchers note the BSI does not ban Kaspersky products, unlike the US or the Netherlands, which prohibited buying and installing Kaspersky software on government computers and other devices well prior to the Russian invasion. Instead, the BSI encourages German companies and private users to replace Kaspersky's virus protection software with alternative products.

The BSI wrote that \u201cactions of military and/or intelligence forces in Russia and the threats made by Russia against the EU, NATO and the Federal Republic of Germany in the course of the current armed conflict are associated with a considerable risk of a successful IT attack. A Russian IT manufacturer can conduct offensive operations itself, be forced to attack target systems against its will, or be spied on without its knowledge as a victim of a cyber operation or be used as a tool for attacks against its own customers.\u201d

In its response to the warning, Kaspersky argued that the decision by the BSI was made on political grounds, and should not be interpreted as a technical assessment of Kaspersky products. [6]

Similarly, since the start of the war, the National Agency for the Security of Information Systems (ANSSI) in France questioned the use of Kaspersky software, and the Italian Undersecretary to the Prime Minister warned of threats from Russian anti-virus products. [7] [8]

New and Noteworthy: Lapsus$ Claims Responsibility for Cyber-Attacks on Nvidia, Samsung, Ubisoft and Vodafone

A previously unknown cybercriminal actor named Lapsus$ claimed responsibility for recently reported security incidents targeting Nvidia [9], Samsung [10], Ubisoft [11] and Vodafone [12]. EclecticIQ analysts note the modus operandi differs from other ransomware operations. Current OSINT reporting indicates that the actor does not deploy any file-encrypting ransomware in the target environment, but solely focuses on data theft and extortion.

It is unknown how Lapsus$ obtains initial access. It is plausible that the adversary buys access to target environments. In a post made in a Telegram group - allegedly run by the actor - the adversary recruits employees working at telecommunication, technology, or software companies. The same post also asks for credentials to virtual private network or virtual desktop infrastructure.

Lapsus$ was first seen in December 2021 attacking several websites of Brazil\u2019s Ministry of Health, allegedly extracting data, and demanding a ransom for returning the stolen data. [13] In the beginning of 2022, the group claimed responsibility for hacking and extorting Impresa - the largest media company in Portugal. [14]

Nvidia confirmed a cybersecurity incident on February 23rd and reported that a threat actor successfully \u201ctook employee passwords and some NVIDIA proprietary information from [its] systems and has begun leaking it online.\u201d [9] The leak contained two expired code-signing certificates. OSINT reporting shows [15] that the expired certificates were used to sign hacking tools and malware, including Cobalt Strike Beacon and remote access trojans.

In a statement on March 7th, Samsung confirmed a security breach involving \u201csome source code relating to the operation of [its] Galaxy devices\u201d. EclecticIQ analysts note that access to the source code (or parts of it) could allow adversaries to identify new vulnerabilities for later exploitation. On March 10th, Ubisoft reported a cyber security incident. A post in the Telegram channel implied that Lapsus$ took responsibility for the breach. Another post in the channel claimed to have released hundreds of gigabytes of stolen source code from Vodafone. On March 13th, Vodafone confirmed an investigation into the claims made.

Threat Actor Update: Conti Ransomware Group Restored Operations

EclecticIQ analysts assess that the ransomware group Conti replaced its infrastructure after it was exposed [16] in late February so it can continue attacking new targets with its ransomware malware. Like other cyber-criminal operations (e.g., Trickbot, Emotet), the members behind Conti are almost certainly highly skilled network engineers, system architects, and developers who have accounted for resilience in their infrastructure and operational setup, and thus were able to quickly recover from the temporary setback.

EclecticIQ analysts noted a minor dip in the frequency of drops added to the Conti News Tor blog following the first batch of leaks on February 27th, but new drops appeared as of March 1st.

It is unknown if Conti had been completely inactive, since:

  • Organizations may not disclose ransomware attacks.
  • Conti does not publish details of victims that have paid the ransom.
  • Conti did not post daily drops on the extortion site under normal operation.

Critical Vulnerabilities: Dirty Pipe - A Privilege Escalation Vulnerability in Linux Kernel

On March 7th, security researcher Max Kellermann disclosed [17] a critical vulnerability (CVE-2022-0847) in the Linux kernel 5.8 and later. The vulnerability, named \u201cDirty Pipe\u201d, could allow an attacker with local access to gain root privileges, for example by altering sensitive files such as \u201c/etc/passwd\u201d or modifying any setuid-root binary by overwriting the ELF with malicious code. Kellermann and other experts released proof-of-concept exploits. Patches have been released in the Linux kernel and EclecticIQ analysts strongly recommend upgrading the Linux kernel to one of the following versions: 5.16.11, 5.15.25, 5.10.102.

\n\n \n \n", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-1945cce4-27a5-40df-83fc-73ada90ff0ae", "object_refs": ["report--812c8b8c-517b-5484-ad8d-5fa2626f77c9"], "published": "2022-03-22T00:00:00Z", "name": "The Analyst Prompt: 2022 Issue #5", "modified": "2022-03-22T15:35:18.6474Z", "type": "report", "spec_version": "2.1"}, {"id": "report--5da0e6a8-2cc1-5d48-86aa-a80439597aae", "created": "2022-02-07T14:18:35.862179Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "\n \n \n \n \n \n The Analyst Prompt: 2022 Issue #2\n \n \n \n

The Analyst Prompt: 2022 Issue #2


Analysis


Policy and Governance: Making a Case for Cryptocurrency Threat Intelligence

In late January, Blockchain Bridge, a Fintech organization in the Decentralized Finance (DeFi) space that provides 3rd party services to support six blockchains, suffered the second-highest loss (after Poly Network) of cryptocurrency assets so far (1). Threat actors exploited a Boolean logic fallacy in code used in a proprietary approval protocol for cross-chain transactions, enabling theft of around $320M in assets. The code-based vulnerability becomes apparent only after reverse engineering and triaging the transaction protocol. Threat actors are flocking to Fintech. The amount of stolen crypto assets in 2021 reached between $2.3-4.5 billion (2). This represents a 1330% increase from 2020, and the 2020 total represents a 335% increase over the total stolen from DeFi platforms in 2019. Risks and solutions are better discerned by analyzing attack patterns and the types of threat actors that have begun to establish themselves over the past two years.

EclecticIQ analysts and other threat intelligence organizations are taking notice of important and rapidly growing niches regarding threat intelligence applications in the DeFi space (3). Existing standards including the Diamond model and the Kill-Chain can be leveraged with open-source data and tooling from existing Cyber Threat Intelligence to produce a strong foundation for analysis, and to develop and illuminate new DeFi security use cases. There are already some highly relevant and consistent intelligence feeds which provide valuable data on cryptocurrency transactions (bitcoinabuse.com, whale-alert.io). Government and Financial policy makers as well as developers and executives in Fintech will find it increasingly useful to highlight common attack patterns, describe threat actors and associate their activity to aid attribution, and understand how risk in the DeFi space changes.

Threat Actor Update: NSO Group May Rebrand, But Copycats Will Persist, Morph, and Proliferate

The NSO Group, the Israeli tech company behind the Pegasus spyware, is likely to be sold and rebranded under new ownership (4). Even with a rebranding, EclecticIQ analysts assess the group is very likely to persist in developing further zero-day exploits for mobile platforms. Ubiquitous cell phone use can provide a wealth of detailed, on-demand, targeted intelligence, which is highly valuable and thus potentially highly lucrative. Other organizations in the same grey space of high-end 3rd party exploitation retail already exist and have developed further leading mobile exploits (5). The details of NSO Group\u2019s tooling reported by Citizen Lab, and their recent publicization, are not likely to stop the wider private espionage industry from persisting and succeeding unless wider action is taken against the sector.

The best defense against overly invasive and possibly illegal mobile surveillance is to hold companies accountable by at least bringing formal charges against the individuals central to the direction and development of the company, as the US does with ransomware cybercriminals (6). This at the very least can restrict the assets and movements of key individuals. Barring that, individuals\u2019 next best option is to seek out mobile communication applications that hold high standards of encryption and the lowest possible data retention. This will provide better, but not complete, protection from new zero-days and potentially narrow their impact.

New and Noteworthy: PwnKit Requires Initial Access to the Network

PwnKit, first disclosed 18th November 2021 by Qualys\u2019 researchers and present since May 2009, affects Unix and is tracked as CVE-2021-4034 with a severity score of 7.8. PwnKit is a local privilege escalation vulnerability leading to arbitrary code execution. The vulnerability resides in the pkexec command of Polkit, which leads to a memory corruption flaw when null data is passed to it (7). The vulnerability allows escalation to full root privileges on default installations of most popular Linux distributions.

Proofs of concept have been released publicly. Potential threats can be hunted by looking in logs for unexpected environment variables running under Polkit, or for a null value in the SHELL variable within the program. Looking for new unexpected processes spun up as the root user after suspicious connections to the internal network may also provide incident-response leads. Removing the command option is a temporary workaround, but subsequent reliant processes are likely to break. Overall threat risk is moderate because the vulnerability is not remotely exploitable.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please give us your feedback by filling in this quick survey. It takes less than a minute.

\n\n \n \n", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-2610ece5-bb56-4701-9ba0-75b514aefdd2", "object_refs": ["report--5da0e6a8-2cc1-5d48-86aa-a80439597aae"], "published": "2022-02-04T00:00:00Z", "name": "The Analyst Prompt: 2022 Issue #2", "modified": "2022-02-07T14:18:35.862179Z", "type": "report", "spec_version": "2.1"}, {"id": "report--e7e83455-82ff-5cfa-a7c6-c768449f3c3a", "labels": ["zero-day"], "created": "2022-05-03T09:51:02.261531Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "\n \n \n \n \n \n The Analyst Prompt: 2022 Issue #08\n \n \n \n

The Analyst Prompt: 2022 Issue #08


Analysis


EIQ Intelligence Center Data: Emotet Gains Momentum in Recent Months

EclecticIQ Researchers identified continued growth of the Emotet botnet\u2019s activity based on reported botnet command and control (C2) nodes and unique payloads observed from November 2021 through April 2022.

Figure 1 below illustrates new botnet C2 nodes discovered daily and indicates Emotet operators appear to be adding new botnet nodes daily, with growth accelerating in March and April. The increase in C2 nodes likely indicates the continued growth of the botnet. It is also likely that with more nodes the botnet will become more stable, meaning takedown efforts will be difficult and require significant cooperation between law enforcement and private organizations.


Figure 1: Emotet bots reported per day

Figure 2 illustrates that Emotet operators regularly compile new payloads to be delivered via phishing. The number of payloads observed in the given timeframe, at times more than 1,000 unique payloads in a 24-hour period, likely indicates an automated method for compiling payloads. Changing payloads can make it more difficult for network defenders to identify infections and respond quickly.


Figure 2: Emotet payloads reported per day

EclecticIQ Researchers assess that, given the increasing number of C2 nodes combined with the regularity of newly observed payloads, Emotet will likely continue to re-establish and stabilize its operations after past takedowns, while expanding the botnet\u2019s reach and sophistication to avoid future takedown attempts. Organizations should consider Emotet a growing threat, especially given its previous associations with Cobalt Strike Beacons and ransomware operations.

New and Noteworthy: Ransomware Operators may Target Agriculture Organizations during Critical Operating Periods

The Federal Bureau of Investigation (FBI) issued a warning to the US Food and Agriculture sectors that ransomware actors may be more likely to attack during critical planting and harvesting seasons [1]. Attacks during these periods would likely cause significant disruptions to operations, causing financial losses and possibly disrupting the food supply chain. The FBI notes that ransomware operators may perceive these critical periods as factors that increase a victim\u2019s willingness to pay the ransom quickly to avoid significant disruptions.

It is likely that ransomware operators have also targeted other industries during critical periods and holidays to apply pressure to pay ransoms. The Covid-19 pandemic caused significant stress on the shipping and logistics sectors. Some ransomware operators utilized this pretext to apply additional pressure to victims to pay ransoms and recover quickly [2]. CISA released two alerts between August and November 2021 for organizations to \u201cstay vigilant\u201d of ransomware attacks during the holiday periods [3] [4].

EclecticIQ Researchers assess it is likely ransomware operators will utilize critical operating periods and holidays to target organizations on an increasing basis. It is important that businesses in all industries anticipate these days and prepare accordingly. This may include extra security awareness training for all employees on potential phishing lures, reviewing vulnerabilities and patch management, and ensuring disaster recovery plans have been tested recently.

Exploit Tools and Targets: Zero-days Exploited in 2021 more than Double

According to Mandiant, zero-day exploitation more than doubled in 2021 over the year prior [5]. Research found that state-sponsored espionage groups, primarily based out of China, were the most likely to utilize zero-day exploits in cyber-attacks. Financially motivated actors, including ransomware groups, account for about one-third of the observed exploits. Mandiant suggests that with the continued growth of the exploit market, zero-day exploitation will continue to increase in coming years.

The increasing threat of zero-day exploitation poses a risk across most industries and sectors. However, EclecticIQ Researchers assess these exploits are most likely to be used when targeting governments, software supply chains, critical infrastructure, or large financial institutions. These organizations are more likely to have mature security practices that make a zero-day necessary for access, and to offer payoffs lucrative enough for a threat actor to justify using one.

It is important that organizations adopt a layered security approach, adhere to best practices, and patch vulnerabilities as quickly as possible. These measures can limit the impact of zero-day exploits.

\n
\n
\n
\n
\n\n \n \n", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-042a14af-841c-4dd9-a488-7000fd046f25", "object_refs": ["report--e7e83455-82ff-5cfa-a7c6-c768449f3c3a"], "published": "2022-05-03T09:33:14.968515Z", "name": "The Analyst Prompt: 2022 Issue #08", "modified": "2022-05-03T09:51:02.261531Z", "type": "report", "spec_version": "2.1"}, {"id": "report--da6841c0-8970-5a43-b44d-47e5a8b8708d", "created": "2022-01-16T17:12:23.086169Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "\n \n \n \n \n \n The Analyst Prompt: Issue 1 #2022\n \n \n \n
\n \n

The Analyst Prompt: Issue 1 #2022

\n
\n \n
\n

Analysis

\n
\n

Exploit Tools and Targets: Threat Actors Continue to Leverage the Log4j Exploit

According to a recent research article by CrowdStrike, AQUATIC PANDA, a China-based group known for intelligence collection and industrial espionage, has been observed exploiting CVE-2021-44228 to target a large academic institution (1). The threat actor likely used a modified version of the Log4j exploit with the goal of installing a reverse shell and harvesting credentials (1). The actor used a Base64-encoded PowerShell command to retrieve three files from a C2 server, which were decoded and are believed to constitute the reverse shell (1). The actor made multiple credential harvesting attempts using living-off-the-land binaries and by dumping the LSASS process (1). AQUATIC PANDA used WinRAR to compress the memory dump for exfiltration and deleted all executables from the ProgramData and Windows\\temp\\ directories to cover its activity (1).

Similarly, Check Point noted that APT35, a suspected Iranian nation-state actor known for espionage operations, exploited CVE-2021-44228 to install a modular PowerShell backdoor named CharmPower, which is used to gain persistence, collect information and execute commands (2). The exploit retrieves a malicious Java class, which executes a PowerShell command with a Base64-encoded payload to download the main module. The main module is responsible for validating the network connection, performing basic system enumeration, decoding the command and control (C2) domain, and receiving, decrypting and executing the following modules:

  • Applications module
  • Screenshot module
  • Processes module
  • System Information module
  • Command Execution module
  • Cleanup module

AQUATIC PANDA\u2019s and APT35\u2019s recent use of the Log4j exploit highlights the continued risk CVE-2021-44228 poses to organizations. Nation-state and criminal groups added CVE-2021-44228 to their toolsets as soon as it was released (3), and the recent activity by AQUATIC PANDA and APT35 shows that advanced groups are still exploiting the vulnerability. This trend is almost certainly going to continue due to the ease of exploitation and the wide attack surface: more than 2,800 distinct products contain Log4j, and an estimated hundreds of millions of individual devices are affected (4).

Malware: New Web Skimmer Targets Real Estate Websites

Researchers from Palo Alto Networks identified a new web skimmer that infected over 100 real estate websites through a supply chain attack (5). The unknown threat actor injected malicious JavaScript code into the player of a cloud video platform used by real estate websites (5). When the real estate sites imported the video, they became infected with the web skimmer (5). The web skimmer is designed to steal sensitive information that users enter into the real estate website, such as credit card details, names, and email addresses (5).

Supply chain attacks are an increasing risk to organizations. The nature of a supply chain attack allows an actor to have an outsized impact by successfully executing a single attack that affects multiple downstream stakeholders. Criminal and nation-state groups have recognized this and are using supply chain attacks such as SolarWinds (6) and the Kaseya attack (7) to achieve their objectives. Organizations are likely to push for more visibility into their vendors\u2019 security practices to reduce the risk posed by supply chain attacks.

About\u202fEclecticIQ\u202fThreat Research

EclecticIQ\u202fis a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the\u202fEclecticIQ\u202fThreat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please give us your feedback by filling in this quick survey. It takes less than a minute. https://forms.office.com/r/VzfuC78Lk6

\n
\n
\n
\n
\n\n \n \n", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-ac089666-3a3d-490a-9127-82fcc15da848", "object_refs": ["report--da6841c0-8970-5a43-b44d-47e5a8b8708d"], "published": "2022-01-16T16:57:44.941445Z", "name": "The Analyst Prompt: Issue 1 #2022", "modified": "2022-01-16T17:12:23.086169Z", "type": "report", "spec_version": "2.1"}, {"id": "report--67b9c305-d114-5799-b4ce-8879979c8abd", "created": "2022-03-04T14:40:21.228834Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "\n \n \n \n \n \n The Analyst Prompt: 2022 Issue #4\n \n \n \n
\n \n

The Analyst Prompt: 2022 Issue #4

\n
\n \n
\n

Analysis

\n
\n

Threat Actor Update: Iranian State-Sponsored APT Conducts Cyber Espionage and Ransomware Activities

EclecticIQ researchers assess MuddyWater is a well-funded, state-supported, and skilled adversary group, based on the variety of tactics, tools, and targets the group uses, and that it can cause significant damage to both government and enterprises through data theft and ransomware.

MuddyWater is the first APT group attributed as a subordinate element of the Iranian Ministry of Intelligence and Security (MOIS) by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom\u2019s National Cyber Security Centre (NCSC-UK). MuddyWater has been observed conducting cyber espionage and other cyber activities targeting the telecommunications, defense, government, and oil and natural gas sectors in Asia, Europe, and North America since approximately 2018 [1].

The attribution of MuddyWater to MOIS likely signals the growth of Iranian cyber capabilities. According to a report by the US Federal Research Division, MOIS is the most powerful and best-supported of all Iranian ministries and ranks as \u201cone of the largest and most dynamic intelligence agencies in the Middle East\u201d [2].

EclecticIQ Researchers assess it is likely MuddyWater will target strategic government agencies, organizations, and individuals whose interests conflict with, or who have dissented from, the leadership of Iran. In 2017, MOIS\u2019s powers and responsibilities were formally expanded [3]. According to the Washington Institute for Near East Policy, the increase in activities abroad has included extensive monitoring and targeting of dissidents and defectors.

The actor is known to use spearphishing, exploit publicly known vulnerabilities, and use open-source tools to gain access to sensitive data and deploy ransomware. Spearphishing campaigns have lured victims into downloading ZIP files containing a macro-enabled Excel document or a PDF file that drops a malicious file to initiate command and control (C2) communications [1].

Once initial access is established, MuddyWater utilizes a variety of malware to accomplish its objectives. The malware suite includes [1]:

\u00b7 PowGoop
\u00b7 Small Sieve
\u00b7 Canopy
\u00b7 Mori
\u00b7 POWERSTATS
\u00b7 Survey Scripts
\u00b7 Custom PowerShell Backdoor

MuddyWater may also be known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros by various vendors.

Policy and Governance: Joint Advisory Shows Increased Globalized Threat of Ransomware

A joint advisory released by the United States, UK and Australian cyber security authorities reports an increase in 2021 of \u201csophisticated, high-impact ransomware incidents against critical infrastructure organizations globally.\u201d [4] According to the report, ransomware tactics continued to evolve in 2021 which demonstrated the continued technical growth of threat actors and an increased threat to organizations globally.

EclecticIQ Researchers also assess the ransomware threat will continue to grow in 2022. The increasing professionalism of threat groups, including improved victim assistance and negotiation services, as well as evolving tactics such as targeting cloud infrastructure and supply chains and the use of triple extortion (threatening to publicly release sensitive information, disrupt the victim\u2019s internet access, and inform the victim\u2019s partners, shareholders, and suppliers of the incident), all show that the RaaS ecosystem is growing. This growth is likely to mean targeting more organizations across the globe to increase profits.

We would love to hear from you. Please give us your feedback by filling in this quick survey. It takes less than a minute.

\n
\n
\n
\n
\n\n \n \n", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-b3d040f1-25f0-40ee-b437-f39741ea7124", "object_refs": ["report--67b9c305-d114-5799-b4ce-8879979c8abd"], "published": "2022-02-18T09:38:16.274339Z", "name": "The Analyst Prompt: 2022 Issue #4", "modified": "2022-03-04T14:40:21.228834Z", "type": "report", "spec_version": "2.1"}, {"id": "report--43db7e71-0f43-5b72-b675-9324d8c96bcd", "created": "2022-04-01T08:34:54.228436Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "\n \n \n \n \n \n The Analyst Prompt - 2022 Issue #06\n \n \n \n
\n \n

The Analyst Prompt - 2022 Issue #06

\n
\n \n
\n

Analysis

\n
\n

Threat Actor Update: LAPSUS$ Compromises Highlight the Effectiveness of Insider Threats

Extortion group LAPSUS$ announced in March that it had compromised Okta (1), a widely used identity and access management provider, and Microsoft (4). LAPSUS$ claimed to have \u201csuperuser/admin\u201d access to Okta and to have accessed customer data (2). Okta suspects LAPSUS$ gained access to a support engineer\u2019s laptop between 16 and 21 January 2022 (1). The data of approximately 2.5% of Okta\u2019s customers has potentially been viewed or acted upon (1). In a separate incident, LAPSUS$ claimed to have leaked 37GB of source code belonging to Microsoft (3). Microsoft confirmed that a single account had been compromised and that portions of source code were exfiltrated (4).

LAPSUS$, tracked as DEV-0537 by Microsoft, uses an extortion and destruction model without ransomware (4). According to Microsoft, LAPSUS$ typically focuses on compromising user identities at the targeted organization for initial access. LAPSUS$ leverages multiple TTPs, such as paying employees at targeted organizations for credentials and multi-factor authentication (MFA) approval, buying credentials and session tokens on criminal forums, and searching public code repositories for credentials. After gaining initial access, LAPSUS$ focuses on extending its access within the network by enumerating credentials of higher-privileged users and exploiting unpatched vulnerabilities on internally accessible servers. LAPSUS$ uses known virtual private server (VPS) providers and geographically aligned NordVPN egress points to exfiltrate victims\u2019 data. After exfiltration, LAPSUS$ has been observed deleting the target\u2019s systems and resources (4).

In late March, the City of London Police arrested seven teenagers in connection with the LAPSUS$ group, including a 16-year-old from Oxford who is accused of being one of the leaders of LAPSUS$ (5). The accused leader goes by the online aliases \u201cWhite\u201d or \u201cBeachbase\u201d and was doxed online, revealing his name, address, and social media pictures (5). Security researchers have been monitoring \u201cWhite\u201d since mid-2021 and have been notifying law enforcement of his latest activity (5). LAPSUS$ activity continued despite the arrests: according to 30 March reporting, the group claimed to have leaked customer source code from Globant, a software services company (12).

LAPSUS$, although not the first group to leverage insider threats, has proven how vulnerable even large, well-resourced organizations are to this TTP. Many organizations have rightfully focused on the threat traditional ransomware groups and their affiliates pose to them; however, the recent success of LAPSUS$ should cause organizations to assess their current insider threat program to see whether it is effective in the current threat landscape.

Malware: Ukraine War Continues to Impact Cybercriminal Ecosystem

The developers of the commodity information stealer Raccoon Stealer temporarily closed all sales due to the loss of a team member in the Russia-Ukraine war (6). According to a 25 March tweet from the group, a critical member of the team was killed \u201cdue to the \u2018special operation\u2019\u201d, a likely reference to Russia\u2019s invasion of Ukraine. The loss prevents the group from providing stable operations for customers of the malware (6). The group states that this is not a permanent hiatus and that it will return with a second version in a few months (6). The temporary closure of Raccoon Stealer is causing customers to turn to Mars Stealer, whose operators are being overwhelmed with messages (7).

The Ukraine war continues to impact the cybercriminal ecosystem in various ways, including causing financially motivated groups to become more politically oriented. RaidForums, an illicit forum, published a notice banning any user connecting from Russia (7) to signal its position on the Russia-Ukraine war. The ransomware group Conti, after openly backing the Russian state, was the subject of a massive leak by a Ukrainian security researcher (13).

Exploit Tools and Targets: State-Backed North Korean Groups Exploit Chrome Vulnerability

Two North Korean state-backed groups (8) exploited CVE-2022-0609, a remote code execution (RCE) vulnerability in Chrome (9). The campaign targeting news media and IT organizations sent emails claiming to be from recruiters at Disney, Google, or Oracle, containing links spoofing job-hunting websites. Clicking on the link would serve a hidden iframe that triggered the exploit kit. The campaign targeting the cryptocurrency and fintech industries set up fake websites and compromised at least two legitimate fintech company websites to serve the exploit kit to targets. The exploit kit fingerprinted the target\u2019s system and then requested the next stage if the conditions were met.

The number of Chrome vulnerabilities exploited has been growing steadily over the past years. The number of Chrome vulnerabilities exploited in the wild increased from 8 in 2020 to 14 in 2021 (10). Google has already announced two zero-days this year, CVE-2022-0609 (9) and CVE-2022-1096 (11). Google attributes the rise in Chrome vulnerabilities to the deprecation of Flash, Chromium being used in multiple browsers, multiple bugs needing to be chained for a single exploit, and the increasing complexity of the browser (10). Google has released security fixes for CVE-2022-0609 (9) and CVE-2022-1096 (11).

\n
\n
\n
\n
\n\n \n \n", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-4fe21d52-8939-4a67-a035-cb60a6f00e7a", "object_refs": ["report--43db7e71-0f43-5b72-b675-9324d8c96bcd"], "published": "2022-04-01T08:34:34.71596Z", "name": "The Analyst Prompt - 2022 Issue #06", "modified": "2022-04-01T08:34:54.228436Z", "type": "report", "spec_version": "2.1"}, {"id": "report--0f5ef542-7b3c-5a12-93f5-aeba8d169314", "created": "2021-11-23T18:55:20.246519Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "\n \n \n \n \n \n The Analyst Prompt: 2021 Issue #40\n \n \n \n
\n \n

The Analyst Prompt: 2021 Issue #40

\n
\n \n
\n

Analysis

\n
\n

Threat Actor Update: TA505 Shifts Towards Exploitation of Publicly Exposed Applications for Initial Access

The cybercriminal group known as TA505 exploits publicly available SolarWinds Serv-U servers vulnerable to CVE-2021-35211 (1) for initial access (2). Exploitation executes Base64-encoded PowerShell that deploys Cobalt Strike Beacon. TA505 occasionally hijacks the RegIdleBackup scheduled task and abuses its COM handler to gain persistence and to execute the FlawedGrace remote access trojan. The intrusions are likely preparation for the deployment of ransomware (3).

TA505\u2019s exploitation of CVE-2021-35211 represents a shift in initial access techniques. Historically, TA505 relied on socially engineered phishing campaigns with a malicious attachment or link (4). That technique requires users to manually open the attached file or click the link for execution, whereas exploitation of public-facing vulnerable servers requires no user execution for initial access. EclecticIQ recommends that SolarWinds Serv-U users visit the official SolarWinds security advisory for affected products and patches (1).

Threat Actor Update: Iranian Nation-State Groups\u2019 Use of Ransomware Highlights Continued Dominance of the Ransomware Threat

Six Iranian threat groups are deploying ransomware with the goal of disrupting or collecting funds from their targets (5). PHOSPHORUS gained initial access by exploiting vulnerabilities affecting Fortinet FortiOS SSL VPN (CVE-2018-13379) and, in the latter half of 2021, by targeting unpatched on-premises Exchange Servers vulnerable to ProxyShell (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). After compromise, the actor moved laterally and deployed BitLocker to encrypt and ransom the victim. Multiple Iranian groups are also moving away from unsolicited phishing emails towards targeted social engineering for user execution and credential theft.

Ransomware is and will remain the most significant cyber threat for public and private organizations. Iranian-based threat groups\u2019 use of ransomware represents a growing emphasis by threat groups (6) on ransomware, for both financial and non-financial motivations. This shift will continue due to the effectiveness of encrypting an organization\u2019s or individual\u2019s data for monetary or disruptive reasons.

New & Noteworthy: U.S. Justice Department Charges Ukrainian and Russian Nationals in Continued Escalation Against Ransomware Threat

The U.S. Justice Department charged one Ukrainian and one Russian national for their involvement in deploying Sodinokibi/REvil ransomware against U.S. businesses and government entities (7). Yaroslav Vasinskyi, a Ukrainian national, and Yevgeniy Polyanin, a Russian national, have been charged with conducting ransomware attacks, including the Kaseya attack in July 2021 (8). The Department also seized $6.1 million USD traceable to ransom payments obtained by Yevgeniy Polyanin. Vasinskyi was taken into custody in Poland and is awaiting extradition at the request of the U.S.; Polyanin remains at large.

The charges against Vasinskyi and Polyanin represent a continued escalation by the U.S. government in response to the ransomware threat. The charges are part of a larger effort by the U.S. government and the newly established Ransomware Task Force to directly disrupt and counter ransomware groups using four lines of effort (9). The U.S. Department of the Treasury sanctioned the cryptocurrency exchange SUEX in September for its role in facilitating financial transactions related to ransomware (10), showing the willingness of the U.S. to disrupt financial infrastructure used by ransomware groups. International partnerships are also key, with the arrest of Vasinskyi involving multiple international partners including Poland (7).

About\u202fEclecticIQ\u202fThreat Research

EclecticIQ\u202fis a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the\u202fEclecticIQ\u202fThreat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please give us your feedback by filling in this quick survey. It takes less than a minute.

https://forms.office.com/Pages/ShareFormPage.aspx?id=tXq37P9XA0CfybqRjWdI5i68gaYvaDJGupd4xaVnUMVUMEFPWlpUUTZHN05EUEROSEdGQ1VDRTM2QiQlQCN0PWcu&sharetoken=uA0GFoqSR8pi3AOkJbPT

\n
\n
\n
\n
\n\n \n \n", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-7cafd28e-c9ae-4996-93b8-d2509cab3943", "object_refs": ["report--0f5ef542-7b3c-5a12-93f5-aeba8d169314"], "published": "2021-11-23T18:55:03.373227Z", "name": "The Analyst Prompt: 2021 Issue #40", "modified": "2021-11-23T18:55:20.246519Z", "type": "report", "spec_version": "2.1"}, {"external_references": [{"source_name": "cve", "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34527", "external_id": "CVE-2021-34527"}], "id": "vulnerability--10a2236f-aefd-574b-911c-ebd65ef8c8b0", "labels": ["CVSS v2 - Attack Complexty - HIGH", "CVSS v2 - Authentication - SINGLE", "CVSS v2 - Availability Impact - COMPLETE", "CVSS v2 - Confidentiality Impact - COMPLETE", "CVSS v2 - Integrity Impact - COMPLETE", "CVSS v3 - Attack Complexty - LOW", "CVSS v3 - Attack Vector - NETWORK", "CVSS v3 - Availability Impact - HIGH", "CVSS v3 - Base Severity - HIGH", "CVSS v3 - Confidentiality Impact - HIGH", "CVSS v3 - Integrity Impact - HIGH", "CVSS v3 - Privileges Required - LOW", "CVSS v3 - Scope - UNCHANGED", "CVSS v3 - User Interaction - NONE", "PrintNightmare"], "created": "2022-03-22T08:20:30.33577Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "Windows Print Spooler Remote Code Execution Vulnerability\n\nReferences:\n- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34527\n\nCVSS Version 3.x:\nVector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\nAttack Vector: NETWORK\nAttack Complexty: LOW\nPrivileges Required: LOW\nUser Interaction: NONE\nScope: UNCHANGED\nConfidentiality Impact: HIGH\nIntegrity Impact: HIGH\nAvailability Impact: HIGH\nBase Severity: HIGH\nBase Score: 8.8\n\nCVSS Version 2.0\nVector String: AV:N/AC:L/Au:S/C:C/I:C/A:C\nAuthentication: SINGLE\nConfidentiality Impact: COMPLETE\nIntegrity Impact: COMPLETE\nAvailability Impact: COMPLETE\nBase Score: 9.0\n\nSeverity: 
HIGH\nExploitability Score: 8.0\nImpact Score: 10.0\n", "x_eiq_json_id": "{https://cloud.nvd.com/}exploit-target-d92e706e-ea55-5c69-9b54-bf7956919e45", "name": "CVE-2021-34527", "modified": "2022-03-22T08:20:30.33577Z", "type": "vulnerability", "spec_version": "2.1"}, {"id": "campaign--13a0362d-c013-5b15-877c-8d4820fd01cc", "labels": ["Admiralty Code - Confirmed by other sources", "Malware - Information Stealer Harvester", "Admiralty Code - Completely reliable", "Threat Actors - APT", "Industry Sector - Software"], "created": "2021-10-25T12:43:59.358233Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "

Microsoft reports it was attacked again by the Russia-linked Nobelium group. The attackers compromised a Microsoft customer support agent. Nobelium used that information to launch further targeted spearphishing attacks that are known to have compromised at least three clients.

", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}campaign-3f2b0eaa-b886-47eb-95c4-687879016791", "first_seen": "2021-05-01T00:00:00Z", "name": "Nobelium Activity May 2021", "objective": "Advantage", "last_seen": "2021-05-31T00:00:00Z", "modified": "2021-10-25T12:43:59.358233Z", "aliases": ["Nobelium Activity May 2021", "new breach discovered in probe of suspected SolarWinds hackers"], "type": "campaign", "confidence": 100, "spec_version": "2.1"}, {"external_references": [{"source_name": "cve", "url": "https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt", "external_id": "CVE-2021-4034"}, {"source_name": "cve", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2022-001", "external_id": "CVE-2021-4034"}, {"source_name": "cve", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025869", "external_id": "CVE-2021-4034"}, {"source_name": "cve", "url": "https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683", "external_id": "CVE-2021-4034"}, {"source_name": "cve", "url": "http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html", "external_id": "CVE-2021-4034"}, {"source_name": "cve", "url": "http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html", "external_id": "CVE-2021-4034"}, {"source_name": "cve", "url": "https://www.suse.com/support/kb/doc/?id=000020564", "external_id": "CVE-2021-4034"}, {"source_name": "cve", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "external_id": "CVE-2021-4034"}], "id": "vulnerability--9a00045f-1714-5f2d-9176-59b969dfa489", "labels": ["CVSS v2 - Attack Complexty - HIGH", "CVSS v2 - Authentication - NONE", "CVSS v2 - Availability Impact - COMPLETE", "CVSS v2 - Confidentiality Impact - COMPLETE", "CVSS v2 - Integrity Impact - COMPLETE", "CVSS v3 - Attack Complexty - LOW", "CVSS v3 - Attack Vector - LOCAL", "CVSS v3 - Availability Impact - HIGH", "CVSS v3 - Base Severity - HIGH", "CVSS v3 - 
Confidentiality Impact - HIGH", "CVSS v3 - Integrity Impact - HIGH", "CVSS v3 - Privileges Required - LOW", "CVSS v3 - Scope - UNCHANGED", "CVSS v3 - User Interaction - NONE"], "created": "2022-04-20T10:11:02.870068Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.\n\nReferences:\n- https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt\n- https://access.redhat.com/security/vulnerabilities/RHSB-2022-001\n- https://bugzilla.redhat.com/show_bug.cgi?id=2025869\n- https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683\n- http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html\n- http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html\n- https://www.suse.com/support/kb/doc/?id=000020564\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n\nCVSS Version 3.x:\nVector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\nAttack Vector: LOCAL\nAttack Complexty: LOW\nPrivileges Required: LOW\nUser Interaction: NONE\nScope: UNCHANGED\nConfidentiality Impact: HIGH\nIntegrity Impact: HIGH\nAvailability Impact: HIGH\nBase Severity: HIGH\nBase Score: 7.8\n\nCVSS Version 2.0\nVector String: AV:L/AC:L/Au:N/C:C/I:C/A:C\nAuthentication: NONE\nConfidentiality Impact: COMPLETE\nIntegrity 
Impact: COMPLETE\nAvailability Impact: COMPLETE\nBase Score: 7.2\n\nSeverity: HIGH\nExploitability Score: 3.9\nImpact Score: 10.0\n", "x_eiq_json_id": "{https://cloud.nvd.com/}exploit-target-9946da0c-8fec-5bc8-bab3-42c60c163bcd", "name": "CVE-2021-4034", "modified": "2022-04-20T10:11:02.870068Z", "type": "vulnerability", "spec_version": "2.1"}, {"external_references": [{"source_name": "cve", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060795", "external_id": "CVE-2022-0847"}, {"source_name": "cve", "url": "https://dirtypipe.cm4all.com/", "external_id": "CVE-2022-0847"}, {"source_name": "cve", "url": "http://packetstormsecurity.com/files/166229/Dirty-Pipe-Linux-Privilege-Escalation.html", "external_id": "CVE-2022-0847"}, {"source_name": "cve", "url": "http://packetstormsecurity.com/files/166230/Dirty-Pipe-SUID-Binary-Hijack-Privilege-Escalation.html", "external_id": "CVE-2022-0847"}, {"source_name": "cve", "url": "http://packetstormsecurity.com/files/166258/Dirty-Pipe-Local-Privilege-Escalation.html", "external_id": "CVE-2022-0847"}, {"source_name": "cve", "url": "https://www.suse.com/support/kb/doc/?id=000020603", "external_id": "CVE-2022-0847"}, {"source_name": "cve", "url": "https://security.netapp.com/advisory/ntap-20220325-0005/", "external_id": "CVE-2022-0847"}], "id": "vulnerability--e8a2211d-efc2-52c0-87d3-1505de6b9994", "labels": ["CVSS v2 - Attack Complexty - HIGH", "CVSS v2 - Authentication - NONE", "CVSS v2 - Availability Impact - COMPLETE", "CVSS v2 - Confidentiality Impact - COMPLETE", "CVSS v2 - Integrity Impact - COMPLETE", "CVSS v3 - Attack Complexty - LOW", "CVSS v3 - Attack Vector - LOCAL", "CVSS v3 - Availability Impact - HIGH", "CVSS v3 - Base Severity - HIGH", "CVSS v3 - Confidentiality Impact - HIGH", "CVSS v3 - Integrity Impact - HIGH", "CVSS v3 - Privileges Required - LOW", "CVSS v3 - Scope - UNCHANGED", "CVSS v3 - User Interaction - NONE"], "created": "2022-04-05T10:02:55.060643Z", "object_marking_refs": 
["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "A flaw was found in the way the \"flags\" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.\n\nReferences:\n- https://bugzilla.redhat.com/show_bug.cgi?id=2060795\n- https://dirtypipe.cm4all.com/\n- http://packetstormsecurity.com/files/166229/Dirty-Pipe-Linux-Privilege-Escalation.html\n- http://packetstormsecurity.com/files/166230/Dirty-Pipe-SUID-Binary-Hijack-Privilege-Escalation.html\n- http://packetstormsecurity.com/files/166258/Dirty-Pipe-Local-Privilege-Escalation.html\n- https://www.suse.com/support/kb/doc/?id=000020603\n- https://security.netapp.com/advisory/ntap-20220325-0005/\n\nCVSS Version 3.x:\nVector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\nAttack Vector: LOCAL\nAttack Complexty: LOW\nPrivileges Required: LOW\nUser Interaction: NONE\nScope: UNCHANGED\nConfidentiality Impact: HIGH\nIntegrity Impact: HIGH\nAvailability Impact: HIGH\nBase Severity: HIGH\nBase Score: 7.8\n\nCVSS Version 2.0\nVector String: AV:L/AC:L/Au:N/C:C/I:C/A:C\nAuthentication: NONE\nConfidentiality Impact: COMPLETE\nIntegrity Impact: COMPLETE\nAvailability Impact: COMPLETE\nBase Score: 7.2\n\nSeverity: HIGH\nExploitability Score: 3.9\nImpact Score: 10.0\n", "x_eiq_json_id": "{https://cloud.nvd.com/}exploit-target-6bfabeba-1e78-54e8-8a98-c5df1cf7d35d", "name": "CVE-2022-0847", "modified": "2022-04-05T10:02:55.060643Z", "type": "vulnerability", "spec_version": "2.1"}, {"external_references": [{"source_name": "", "url": "https://twitter.com/ESETresearch/status/1503436420886712321?s=20&t=xh8JK6fEmRIrnqO7Ih_PNg"}], "id": "identity--093059e6-4c11-57e1-858f-ae8feabe6bbf", "roles": ["Initial Author"], "created": 
"2014-08-27T14:00:00.000Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "description": "Florian Roth", "identity_class": "unknown", "name": "", "modified": "2014-08-27T14:00:00.000Z", "type": "identity", "spec_version": "2.1"}, {"external_references": [{"source_name": "Florian Roth", "url": "https://twitter.com/ESETresearch/status/1503436420886712321?s=20&t=xh8JK6fEmRIrnqO7Ih_PNg"}], "id": "identity--762bf90f-1efb-5189-b54f-1f74cce7b27b", "created": "2014-08-27T14:00:00.000Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "identity_class": "unknown", "name": "Florian Roth", "modified": "2014-08-27T14:00:00.000Z", "type": "identity", "spec_version": "2.1"}, {"external_references": [{"description": "Florian Roth", "source_name": "", "url": "https://twitter.com/ESETresearch/status/1503436420886712321?s=20&t=xh8JK6fEmRIrnqO7Ih_PNg"}, {"source_name": "Florian Roth", "url": "https://twitter.com/ESETresearch/status/1503436420886712321?s=20&t=xh8JK6fEmRIrnqO7Ih_PNg"}], "id": "indicator--68789ffe-ff3a-5256-b210-64600fa288cd", "labels": ["yara", "MAL_WIPER_CaddyWiper_Mar22_1"], "created": "2022-03-17T11:05:22.773261Z", "created_by_ref": "identity--093059e6-4c11-57e1-858f-ae8feabe6bbf", "pattern_type": "yara", "description": "Detects CaddyWiper malware", "valid_from": "2022-03-15T00:00:00Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "x_eiq_json_id": "{https://www.eclecticiq.com/ns}indicator-fb5665d7-4c60-4160-b784-3244f6118a82", "name": "YARA rule for MAL_WIPER_CaddyWiper_Mar22_1", "modified": "2022-03-17T11:05:22.773261Z", "confidence": 67, "pattern": "rule MAL_WIPER_CaddyWiper_Mar22_1\n{\n\tmeta:\n\t\tdescription = \"Detects CaddyWiper malware\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"https://twitter.com/ESETresearch/status/1503436420886712321?s=20&t=xh8JK6fEmRIrnqO7Ih_PNg\"\n\t\tdate = \"2022-03-15\"\n\t\tscore = 85\n\t\thash1 = 
\"1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176\"\n\t\thash2 = \"a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea\"\n\t\thash3 = \"ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72\"\n\t\thash4 = \"f1e8844dbfc812d39f369e7670545a29efef6764d673038b1c3edd11561d6902\"\n\n\tstrings:\n\t\t$op1 = { ff 55 94 8b 45 fc 50 ff 55 f8 8a 4d ba 88 4d ba 8a 55 ba 80 ea 01 }\n\t\t$op2 = { 89 45 f4 83 7d f4 00 74 04 eb 47 eb 45 6a 00 8d 95 1c ff ff ff 52 }\n\t\t$op3 = { 6a 20 6a 02 8d 4d b0 51 ff 95 68 ff ff ff 85 c0 75 0a e9 4e 02 00 00 }\n\t\t$op4 = { e9 67 01 00 00 83 7d f4 05 74 0a e9 5c 01 00 00 e9 57 01 00 00 8d 45 98 50 6a 20 }\n\n\tcondition:\n\t\tuint16(0)==0x5a4d and filesize <50KB and 3 of them or all of them\n}\n", "type": "indicator", "spec_version": "2.1"}, {"id": "relationship--36a7aadb-81f7-51c4-9602-ab583da27f78", "created": "2022-03-17T11:05:22.773261Z", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "x_eiq_test_mechanism_identity": true, "modified": "2022-03-17T11:05:22.773261Z", "type": "relationship", "spec_version": "2.1", "source_ref": "indicator--68789ffe-ff3a-5256-b210-64600fa288cd", "relationship_type": "related-to", "target_ref": "identity--762bf90f-1efb-5189-b54f-1f74cce7b27b"}], "type": "bundle", "id": "bundle--88fe5209-812e-45bb-bb15-34c67e9b03be"}
