As you’d imagine, our talented team of intelligence analysts spend a considerable amount of time reading different material each month, in order to stay abreast of the latest developments within our industry. This puts the team in the best place to provide answers to the important questions that our clients need to know about. Some articles that have taken our attention this month can be seen below.
Roman – Defending Ukraine: Early Lessons from the Cyber War
In the 29-page report, published on 22 Jun 2022, Microsoft detailed lessons learned from the battles along the various fronts of cyberspace in the Russia-Ukraine war of 2022.
The report provides insight into five key areas of the cyberwar. It details the value of Cloud technology in protecting Ukraine’s digital operations and data assets. By moving their digital infrastructure to the Cloud, Ukraine minimized the impact that attacks on their physical infrastructure would have on the country’s ability to stay online and operate effectively. It showed how technological advances in internet-connected end-point protection since the NotPetya attacks in 2017 had enabled Ukraine to more quickly push out protective software code to the country’s digital infrastructure. It was interesting to visualize the different TTPs used by Russia’s various security agencies, as well as the time and locations of significant cyberattacks laid over a map of Ukraine. Fans of Liveuamap take note.
Microsoft provides some interesting statistics in their report regarding attacks on allied governments outside of Ukraine. Notably, since the start of the war, Russia had seen a 29 percent success rate when attempting to gain initial access to targeted organizations, with Poland being the top target geography, and following a successful intrusion they were able to exfiltrate an organization’s data 25 percent of the time.
Perhaps most interestingly, the report details Russia’s complex and deep-rooted global cyber-influence operations coordinated in support of the war effort and their goals in the various targeted geographies and spheres of influence. It shows how Russia deployed different narratives and “fake news” similarly to how they deploy malware, and how the information war and cyberwar go hand-in-hand. It certainly shed further light on why I was seeing different headlines depending on the language in which I was reading the news.
Most importantly, the report shows how both the public and private sectors must work together to increase their cyber defensive capabilities, and calls for a coordinated and comprehensive strategy to strengthen defenses against the full range of cyber destructive, espionage, and influence operations.
Overall, the report is a comprehensive and insightful review of the cyberwar in Ukraine, a topic often presented in too little or too much detail, and is certainly required reading for any threat intelligence professional!
Check out Microsoft’s report here.
Chris – Chaos in Crypto
So it’s been a pretty challenging month in the world of cryptocurrency, however, if we’re being honest, the factors impacting the latest spectacular crash are clearly wider than the cryptocurrency market itself. Macro-economic factors like the skyrocketing inflation rate and the decisions taken by the Federal Reserve, are clearly having the biggest impact on investments of all kinds. There are however a number of factors that had hardly helped, notably the catastrophic collapse of LUNA, the decision by cryptocurrency loan company Celsius to pause users’ ability to withdrawals (drawing several comparisons with Northern Rock, if you’re old enough to remember that), in addition to liquidity problems also affecting crypto hedge fund company Three Arrows Capital (3AC); 3AC have since been forced into liquidation this week.
We should also mention the “almost funny because it’s so bad” decisions taken by Solana (SOL) based borrowing and lending provider Solend, who found themselves in a liquidity crisis of their own. A large account holder—also known as a whale account— on Solend who held an outstanding loan of $108 million worth of US Dollar Coin (USDC) and Tether (USDT), collateralized in SOL. With the price of SOL dropping like a stone, the whales loan risked being liquidated. In doing so, this risked the ability of Solend to continue operations.
A subsequent rush to buy SOL at such low prices could have also crashed the network, which in turn would have inevitably left many investors rushing to offload other cryptocurrency assets, in turn aggravating a further crash. Solend eventually were able to work with the whale to redistribute its Solana bets into other Solana outposts, however a catastrophe was only narrowly avoided.
One of the best articles I’ve read this month summarizing these recent problems was a blog published on Medium, highlighting the problems affecting these service providers in the past month. While of course, we should prioritize our daily news scans across mainstream news providers, there’s also value in picking up pieces from independent content creators, particularly in something as nuanced as crypto.
Learn all about the recent issues within crypto here.
Nicole – AvosLocker expands threat capabilities
“AvosLocker” ransomware was first observed in June 2021 when it was advertised as an affiliate program on the Reddit-style cybercriminal site “Dread”. Often referred to as ransomware-as-a-service, ransomware operators create affiliate programs rent their malware to other cybercriminals, known as affiliates, to carry out attacks in exchange for a percentage of the ransom payments. AvosLocker features multithreaded encryption and the ability to overwrite files instead of creating copies. It also has the capability to reboot compromised devices in safe mode before beginning encryption. Many applications, including security tools, will not run in safe mode making it easier to encrypt system files. In their recent blog, “Avos ransomware group expands with new attack arsenal”, Cisco Talos provides a technical overview of their analysis of a recent month-long AvosLocker campaign.
In their article, authors Flavio Costa, Chris Neal, and Guilherme Venere dive into the newly discovered attack techniques, tactics, and procedures used by AvosLocker in a recent campaign. The group appears to have expanded their toolset and capabilities including a new AvosLocker ransomware variant that targets Linux environments. Although AvosLocker typically gains initial access via spam email campaigns, during the analyzed attack they exploited the “Log4Shell” vulnerabilities in public-facing ESXi servers.
Throughout the attack, AvosLocker tried several times to gain an additional foothold in the target network including the use of several secondary payloads and malicious tools including PowerShell, the “DarkComet” remote access trojan (RAT), and the “Mimikatz” credential stuffing malware. There were several legitimate commercial tools used in the attack such as the adversary emulation tools Cobalt Strike and Silver as well as the software deployment tool PDQ Deploy.
The victim network had security tools that were misconfigured. Talos researchers stress the importance of ensuring tools are configured correctly to prevent a prolific ransomware group such as AvosLocker from carrying out a successful attack.
Read more about Avos here.
THE Digital Shadows (now ReliaQuest) DIFFERENCE
This is the stuff us analysts love to do: Researching and learning more about the myriad threats out there, and contextualizing them with the world around us. We love cyber threat intelligence!
Find out more about the intelligence we provide in SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) with a 7-day test drive, or contact us to schedule a demo to learn more about your use cases and how intelligence might make a difference for you.