Threat Agent activities

Behind every cyber-attack there is an actor with a specific intent. However, for many events, the identity and general motivation are unknown. On the other hand, some groups have been well known for years and their criminal activities and techniques are documented and monitored. Typically, they conduct targeted attacks against specific organisations, using relatively sophisticated tools and attack procedures.

Some of them are considered as State-sponsored, but the actual link with various countries stays often subject of controversies and should be considered with prudence.

In the third quarter of 2022, a substantial confirmation of the number of recognised activities of identifiable threat groups was observed.

As during previous quarters, the attribution rate of events is very low. This means that most of the ongoing attacks are not attributable.

According to the attribution found in the MISP records, the following groups were particularly active during this quarter:

Evilnum is a financially motivated threat group that has been active since at least 2018. The group’s targets are mainly fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Malware-as-a-Service (MaaS).
Gamaredon Group has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government;
Kimsuky North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions;
Lazarus group is a North Korean state-sponsored cyber threat group; it uses a wide range of methods depending on the characteristics of the campaigns carried out and the objectives pursued. It mainly aimed at manipulating employees of strategically important companies such as those involved in the military or aerospace industry;
Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).
TA505 is a financially motivated threat group that has been active since at least 2014. The group is known for frequently changing malware and driving global trends in criminal malware distribution.

External transfer pathway and infrastructures

The transfer of the malicious artefacts or payloads is done through a number of different types of technical procedures and infrastructures.

Also, during the third quarter of 2022, it is confirmed that the most frequently used strategy is associated with scams that use email or similar approaches to reach potential victims.

Phishing is the most common strategy, but other scam strategies are also recorded.

It should be noted that during this period two attacks concerned the exploitation of the vulnerability of network port 443 to conduct an SSRF (Server Side Request Forgery) attack on an Exchange server. The attacker targets an application that supports data imports from URLs or allows them to read data from URLs. URLs can be manipulated, either by replacing them with new ones or by tampering with URL path traversal.

The attribution rates are significantly better than for threat actors, even if still fairly low. Attribution means that it was possible to identify the external transfer pathway for a given event.

Infrastructures represent the type of systems being used for supporting attacks. Some are meant to compromise or help compromise, the targeted system, others are more focused on helping to maintain the foothold in it. Indeed, once access to a system device has been gained, a communication channel is maintained through the use of command and control (C2) infrastructures.

During this period there was a significant increase in events using networks related to Internet of Things (IoT) that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet.

Events that used Bots, i.e. autonomous programs that can interact with systems or users and that can support malicious activities, are decreasing during this period.

Tool

The monitoring system showed a substantial prevalence of the use of Malware especially associated with IoT systems.

The use of Ransomware tool increased in the third quarter.

The use of tools such as trojans and ransomware increased in the third quarter.

Points of access

The most common access point reported by MISPPRIV users is e-mail, which isn’t too surprising as it’s an effective ingress vector for several types of attacks. It’s often exploiting users’ weaknesses, be they voluntary (negligence) or involuntary (lack of knowledge about a specific threat.

During this period the attribution rate decreased.

With regard to component and system vulnerabilities, the monitoring system identified the following:

Exploitation of CVE-2022-26134, an unauthenticated remote code execution (RCE) vulnerability in the collaboration tool Atlassian Confluence.
Number of vulnerabilities associated to Microsoft Exchange;
Apache Log4j Remote Code Execution Vulnerability.
new zero-day remote code execution (RCE): two 0-day vulnerabilities in Microsoft Exchange Server were recorded. The first one, later identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability that allows an authenticated attacker to remotely trigger the next vulnerability – CVE-2022-41082. The second vulnerability, in turn, allows re-mote code execution (RCE) when MS Exchange PowerShell is accessible to the attacker.

IT Target

Information on the attacked IT target is not sufficiently described by the analysed events.

It should be noted that there is still some residual evidence of the attack campaign related to the exploitation of a number of vulnerabilities in the Microsoft Exchange Server system.

During this period, no attacks on ICS (Industrial Control System) were recorded.

Type of Impact

The information detected by the monitoring system regarding the type of consequences for the victim is mainly related to ransom and scam demands.

Therefore, the attribution rate of this class remains rather low.

Type of Victim

During this quarter, there was an increase in the number of events detailing the type of affected victims, although in absolute terms, the number remains rather modest. Financial services are mainly highlighted as priority targets.