At a glance.
- Threat activity in the industrial sector.
- New information-stealing malware targets Ukraine.
- MortalKombat ransomware.
- A look at vulnerability severity scoring.
- Group-IB thwarts Tonto Team's phishing attempts.
Threat activity in the industrial sector.
Dragos has published its ICS/OT Cybersecurity Year in Review for 2022. The report found that ransomware attacks against industrial organizations nearly doubled last year, with seventy percent of these attacks targeting the manufacturing industry: "There were multiple reasons for the increase in ransomware activity impacting industrial organizations, including political tensions, the introduction of Lockbit Builder, and the continued growth of ransomware-as-a- service (RaaS). Dragos observed ransomware trends tied to political and economic events, such as the conflict between Russia and Ukraine and Iranian and Albanian political tensions."
The security firm also discovered two new threat actors in 2022: CHERNOVITE and BENTONITE. CHERNOVITE is the developer of PIPEDREAM, an ICS attack framework that Dragos says "represents a substantial escalation in adversarial capabilities." The framework was likely developed by a state-sponsored actor, but Dragos says it doesn't appear to have been deployed in the wild yet: "Dragos assesses with low confidence that no adversary has employed or leveraged components of PIPEDREAM against industrial networks for disruptive or destructive effects. Dragos’s discovery of CHERNOVITE constitutes a rare case of accessing and analyzing malicious capabilities developed by an adversary before its employment, giving defenders a unique opportunity to prepare in advance."
BENTONITE is a threat actor that's been "opportunistically targeting maritime oil and gas (ONG), governments, and the manufacturing sectors since 2021." Dragos says BENTONITE "conducts offensive operations for both espionage and disruptive purposes." Dragos as a policy doesn't attribute threat activity to particular nation-states, but the researchers note that BENTONITE has overlaps with the threat actor tracked by Microsoft as "PHOSPHOROUS," which Microsoft has tied to the Iranian government.
New information-stealing malware targets Ukraine.
Researchers at Symantec describe a new strain of information-stealing malware dubbed "Graphiron" that's being used by the Russian threat actor Nodaria against Ukrainian entities. Symantec states that the malware "is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files."
Nodaria primarily targets organizations in Ukraine, and its activity has increased since the Russian invasion. The researchers conclude that "the group’s high-level activity over the past year suggests that it is now one of the key players in Russia’s ongoing cyber campaigns against Ukraine."
Cisco Talos has been tracking an unidentified financially motivated threat actor that's using a new strain of ransomware called "MortalKombat," as well as the Laplas Clipper malware. The threat actor is delivering both strains of malware via cryptocurrency-themed phishing emails. Laplas Clipper is designed to monitor an infected system's clipboard for cryptocurrency wallet addresses, then hijack transactions by overwriting them with an address belonging to the attacker. Laplas was first observed in November 2022, while the MortalKombat ransomware first surfaced last month. The researchers believe MortalKombat belongs to the Xorist ransomware family:
"Talos observed that MortalKombat encrypts various files on the victim machine’s filesystem, such as system, application, database, backup, and virtual machine files, as well as files on the remote locations mapped as logical drives in the victim’s machine. It drops the ransom note and changes the victim machine’s wallpaper upon the encryption process. MortalKombat did not show any wiper behavior or delete the volume shadow copies on the victim’s machine. Still, it corrupts Windows Explorer, removes applications and folders from Windows startup, and disables the Run command window on the victim’s machine, making it inoperable."
Erich Kron, security awareness advocate at KnowBe4, commented on Talos's findings:
“Combining ransomware and other malware is not a unique approach and really highlights the need to perform digital forensics after any ransomware attack, even if you paid the ransom and were able to recover your information or were able to restore from backups. Unlike many of the modern ransomware strains that encrypt high value files and folders with surgical precision, this version is simplistic in its approach to choosing files for encryption. That certainly does not mean that this version cannot cripple organizations and cause significant downtime and financial losses.
"To defend against this wave of attacks, organizations should certainly focus on email phishing defenses, which include having a well-designed security awareness and phishing email reporting program, and should consider the types of files allowed to be received or sent through email. Many organizations still allow .ZIP files as attachments, yet may not have a reason for most employees to be able to send this type of file. Because these types of archive files are used regularly when trying to spread malware, disallowing them could significantly improve the ability to defend against these campaigns.”
A look at vulnerability severity scoring.
JFrog has published a report looking at the most prevalent open-source security vulnerabilities. The researchers found that public severity ratings, such as those provided by the National Vulnerability Database's (NVD's) Common Vulnerability Scoring System (CVSS), are often "overinflated since they ignore the real-world impact of a specific CVE." The researchers state, "Similar to how a patient would seek a second medical opinion before having major surgery, it’s wise to seek an alternate source of validation for any discovered CVE before setting a remediation plan. There are several reputable sources, beyond the NVD, that can be consulted before prioritizing the remediation of a specific vulnerability." While the NVD's CVSS can be useful, JFrog recommends taking into account non-NVD CVSS scores, distro-specific severity scores, and project-specific severity scores.
Group-IB thwarts Tonto Team's phishing attempts.
Group-IB says its employees were targeted by a phishing campaign launched by the suspected Chinese threat actor Tonto Team. During the summer of 2022, Group-IB employees received phishing emails with malicious Office documents crafted with the Royal Road weaponizer, which is often used by Chinese state-sponsored actors. The emails were meant to deliver Bisonal.DoubleT, a strain of malware exclusively used by the Tonto Team. Group-IB’s security solution flagged the emails as malicious. During their investigation, the security firm found that it was targeted by the Tonto Team in 2021 as well. These attacks were also unsuccessful.
The researchers note that most Chinese state-sponsored threat actors are focused on conducting espionage or surveillance:
“Group-IB experts have previously warned about threats from TaskMasters and TA428, other Chinese nation-state cyber threat actors. Based on the conducted analysis, the company’s Threat Intelligence team concluded that Tonto Team is behind the 2021-2022 attempted attacks on Group-IB.
“The main goal[s] of Chinese APTs are espionage and intellectual property theft. Undoubtedly, Tonto Team will keep probing IT and cybersecurity companies by leveraging spear phishing to deliver malicious documents using vulnerabilities with decoys specially prepared for this purpose.”