At a glance.
- Suspected Chinese threat actors target Russian government entities.
- New version of Sandworm malware loader.
- Verizon's DBIR.
- Linux botnet activity.
Suspected Chinese threat actors target Russian government entities.
Check Point has observed spearphishing campaigns targeting several defense research institutes belonging to the Russian state-owned defense conglomerate Rostec Corporation. Check Point believes "with high confidence that the campaign has been carried out by an experienced and sophisticated Chinese nation-state APT":
"This campaign is a continuation of what CPR believes to be a long-running espionage operation against Russian-related entities that has been in operation since at least June 2021. The operation may still be ongoing, as the most recent activity was observed in April 2022.... This activity was attributed with high confidence to a Chinese threat actor, with possible connections to Stone Panda (aka APT10), a sophisticated and experienced nation-state-backed actor, and Mustang Panda, another proficient China-based cyber espionage threat actor."
Researchers at Malwarebytes also outline the activities of an unknown threat actor that has launched at least four spearphishing campaigns against Russian government entities since February. At least one of these campaigns used a spoofed version of the official Rostec Corporation website. The researchers don't attribute the campaign to any specific APT, but they suspect a Chinese threat actor is behind the operation.
New version of Sandworm malware loader.
ESET has observed a new version of ArguePatch, a malware loader that was used by the Russian APT Sandworm in multiple attacks targeting Ukraine, including Industroyer2 and the CaddyWiper data wiper attacks:
"The new variant of ArguePatch – named so by the Computer Emergency Response Team of Ukraine (CERT-UA) and detected by ESET products as Win32/Agent.AEGY – now includes a feature to execute the next stage of an attack at a specified time. This bypasses the need for setting up a scheduled task in Windows and is likely intended to help the attackers stay under the radar.
"Another difference between the two otherwise highly similar variants is that the new iteration uses an official ESET executable to hide ArguePatch, with the digital signature removed and code overwritten. The Industroyer2 attack, meanwhile, leveraged a patched version of HexRays IDA Pro’s remote debug server."
Verizon's 2022 Data Breach Investigation Report.
Verizon has published its 2022 Data Breach Investigation Report, finding that ransomware rose by 13% last year (a greater increase than the previous five years combined). The researchers note that supply chain breaches were behind 62% of intrusions last year.
The report also found that external actors were behind 73% of breaches, internal actors were responsible for 18%, and 39% came through partners. However, the number of records compromised in insider breaches is far greater than in external breaches. Additionally, the vast majority of breaches (93%) involved online data.
82% of breaches involved the human element, which encompasses phishing, stolen credentials, misuse, or error. The researchers note, "These attacks continue to be split between Phishing attacks and the more convincing Pretexting attacks, which are commonly associated with Business Email Compromises." The report also found that business email compromise (BEC) actors are attempting to steal significantly higher amounts of money than in previous years.
Linux botnet activity.
Researchers at Microsoft have noted a 254% increase in activity by the Linux botnet XorDdos:
"XorDdos depicts the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructures and Internet of Things (IoT) devices. By compromising IoT and other internet-connected devices, XorDdos amasses botnets that can be used to carry out distributed denial-of-service (DDoS) attacks."
In addition to launching DDoS attacks, XorDdos can be used to install additional malware on infected devices. The researchers observed that some devices infected with XorDdos were later infected with the Tsunami backdoor and the XMRig cryptocurrency miner.