Top Cyber Threats In H1 2022

Bad guys aka cybercriminals continue to innovate and find new ways to target victims to achieve their goals. This innovation is driven by attackers’ motivation which often can be monetary, geopolitical, hacktivism or at times just to prove their point. In this article, we will cover the latest threats observed in H1 2022, based on research from Help AG’s Threat Intelligence team, along with what our SOC (Security Operations Centre) analysts observed while serving some of the biggest organizations in the region.

Let us look at what the bad guys were up to in H1 2022:

Ransomware Attacks Continue to Lead

Ransomware is easy money for cybercriminals, and so it continues to be a top threat. Apart from unreported attacks on individuals and smaller organizations, there were several notable ransomware attacks that targeted an airline, a federal entity and a healthcare organization. Due to the critical nature of these enterprises’ operations, attackers take advantage and understand the pressure they can pose, since the former have a higher probability of paying the ransom to restore their services.

One such ransomware which we observed as part of our DFIR (Digital Forensics and Incident Response) engagements was BlackCat/ALPHV. This Ransomware as a Service (RaaS) software had compromised at least 60 entities worldwide recently and the group behind it is the first to do so successfully using the Rust programming language. BlackCat/ALPHV stole victim data prior to the execution of the ransomware, including client data stored by cloud providers.

Protection against such attacks is crucial. To stay protected Help AG recommends:

• Ensure all systems are patched and updated.
• Do not allow macros for unknown MS Office files.
• Enable software restriction policies and application whitelisting.
• Enforce the restricted PowerShell script execution policy for end users.
• Monitor your network for abnormal behavior.
• Ensure frequent backups are in place, which are isolated from the production setup.

Phishing Attacks – Same Attack, New Method

Phishing attacks continue to be the primary attack vector to inject malware and steal credentials. As we have observed previously, attackers always tweak their method of phishing to increase the probability of individuals and organizations falling for it.

Last quarter, we noticed phishing attacks using the Russian-Ukrainian conflict for distributing malware. Three different APT (Advanced Persistent Threat) groups from across the world have launched spear-phishing campaigns using the conflict as a lure to distribute malware and steal sensitive information.

The campaigns, undertaken by El Machete, Lyceum, and SideWinder, have targeted a variety of sectors, including energy, financial, and governmental sectors in multiple countries including the Gulf Cooperation Council (GCC) countries.

The attackers use decoys ranging from official-looking documents to news articles or even job postings, depending on the targets and the region. Many of these lure documents utilize malicious macros or template injection to gain an initial foothold into the targeted organizations, and then launch malware attacks.

A new phishing campaign was also discovered targeting professionals on LinkedIn via the more_eggs malware, which targeted recruiters in organizations with fake CVs as an infection vector. To increase the likelihood of success, these bait malicious ZIP files have the same name as the victims’ job titles collected from their LinkedIn profiles. The more_eggs operation has flipped the social engineering script, targeting hiring managers with fake CVs rather than job seekers with fake job offers. The malware’s authorship is allegedly related to Golden Chickens (also known as Venom Spider), a stealthy modular backdoor malware capable of stealing valuable information and performing lateral movement across the compromised network. In addition, more_eggs achieves execution by passing malicious code to legitimate Windows processes and letting those processes do the work for them.

To protect against phishing attacks:

• Always educate employees about detecting and reporting phishing or suspicious emails.
• Avoid clicking or opening untrusted or unknown links, files, or attachments.
• Ensure that the email server is configured to block any suspicious attachments.
• Monitor your network for abnormal behaviors.
• Ensure you have adequate investment in email security and the ability to detect malicious links and attachments in emails.
• Ensure appropriate response controls are in place to make sure any detected phishing attack can be responded to swiftly before causing a lot of damage.

Crypto Currencies, Web3 Related Attacks

While the cryptocurrency market continues its roller coaster ride, cybercriminals with an intention to make easy money, continue to find new ways to attack crypto exchanges and individuals to hack their wallets.

There are several attacks targeting users to steal their MetaMask seed phrase, which is one of the most common mobile wallets used in this space. These are usually phishing attacks but aimed at cryptocurrency users. Researchers at Armorblox have published an investigation into a phishing campaign spoofing the MetaMask cryptocurrency software. According to the analysts, this campaign is distributed via emails pretending to be from MetaMask’s support team.

In terms of the pretext, the content of the message falsely claims to be a request for regulatory matters (KYC), which prevents the user from becoming suspicious. However, the real goal behind this campaign is to impersonate the crypto wallet provider and steal victims’ password recovery phrases. To do so, the email contains an embedded link that redirects to a website that impersonates the official MetaMask website, and then the recovery phrase is requested. These phrases, consisting of 12 words, are used by MetaMask users to import their wallets from one device to another. If the victim falls for the deception, a malicious actor will proceed to exfiltrate this information and enable access to the victims’ wallets to seize the assets stored in them, which could be coins, tokens, or NFTs.

Similar attacks were also observed targeting exchanges and blockchain companies, for example the successful theft of $100 million in cryptocurrencies from the cryptocurrency platform, Harmony. They recently announced a threat actor has managed to compromise and exploit the connection bridge, which facilitated the communication and exchange of tokens between different blockchains such as the Binance Smart Chain, Ethereum and Bitcoin. The attacker allegedly managed to exploit a vulnerability in the bridge, known as the Horizon Bridge, to steal around $100 million in cryptocurrencies.

Help AG’s recommendations:

• If you do decide to invest in crypto, we recommend you understand the security requirements for placing and moving these assets in and between virtual systems.
• You could keep these assets either in online exchanges, software wallets (mobile wallets) or hardware wallets, however, it’s important to understand pros and cons of each of these, and then make a choice that suits you.
• Funds are often lost due to basic errors or lack of understanding of users, hence, always test restoration of your wallet to make sure you can recover your assets.
• Never connect your wallet to websites that you don’t trust.

Looking at these trends and while observing such attacks closely during our DFIR service, it is clear that attackers really do focus on critical systems to maximize the impact of the attack. Identity providers like the Active Directory, are always prime targets. Help AG strongly recommends our customers to closely consider a proper defense and recovery strategy for their Active Directories.

One thing we know for sure is that attacks will continue to evolve and become complex with each passing day. It is up to all of us to do our best to prevent attackers from coming in, but most importantly, we need to be resilient and have the capabilities in place to recover swiftly with minimal impact when an unfortunate incident does happen.

Stay Healthy, Stay Secure and Trust Help AG!