Monthly IntSum - October 2023
Orpheus Cyber
Orpheus provides cyber risk ratings alongside actionable vulnerability prioritisation, all backed by threat intelligence.
We will bring you a roundup of the top weekly threat intelligence news.
Our monthly IntSum report is a compilation of the most important and relevant news stories.
Our team of cybersecurity experts is constantly monitoring the latest threats and vulnerabilities from around the world to provide you with the most up-to-date information.
2nd October - 6th October: Progress Software and Atlassian urgently patch critical software vulnerabilities
Progress Software and Atlassian recently released patches to address high-risk vulnerabilities in their software, emphasising the importance of users managing vulnerabilities.
Progress Software disclosed eight newly discovered vulnerabilities in its WS_FTP Server file transfer tool, two of them critical and three high-risk. One of these vulnerabilities is already being actively exploited, potentially compromising vulnerable WS_FTP servers. This suggests a single threat actor is behind the campaign.
Atlassian also patched a privilege escalation vulnerability in Confluence Data Center and Server versions 8.0.0 to 8.5.1 that allows unauthorised access to administrator accounts. While it has so far been remotely exploited only in low-level campaigns, it could lead to significant supply-chain compromises, impacting the confidentiality and integrity of victim entities.
Affected users are advised to disconnect their servers from the network and from any shared systems that use the same credentials as Confluence.
The significance lies in the history of major data breaches caused by collaboration tool vulnerabilities, incurring substantial costs for victims. For instance, the MOVEit campaign targeted entities, including high-profile ones like Deloitte, PwC, Shell, and Deutsche Bank, exploiting an unpatched vulnerability to access databases and extort up to $100 million.
Timely software updates and vulnerability patching are essential to prevent such incidents, highlighting the ongoing need for robust vulnerability management. Companies are advised to proactively discover, prioritise, and remediate vulnerabilities and system misconfigurations.
9th October - 13th October: Hacktivist groups enter the Israel-Palestine conflict in support of Hamas
This week, we reported that Gaza-based threat actors and hacktivist groups are targeting Israeli energy, defence and telecommunications organisations and public-facing applications in support of the interests of Hamas.
Since the recent escalation of the Israeli-Palestinian conflict, the Gaza-based threat actor Storm-1133 has been linked to a series of cyber operations targeting Israeli and pro-Fatah entities (Fatah being a Palestinian nationalist and social democratic party that has refused to work with Hamas).
The campaign uses social engineering tactics and fake LinkedIn profiles impersonating Israeli software developers, human resources and project managers to deliver malware and conduct espionage.
Similarly, the pro-Palestinian hacktivist group AnonGhost targeted Red Alert, Israel's widely used real-time rocket alert app, which ranks as the 15th most used app on the App Store. The group exploited a flaw in the app by hijacking its application programming interfaces (APIs) to push a fake nuclear strike alert notification to all of its users.
The hacktivist group has also claimed that it compromised an Israeli flight booking website and the official Israel Defense Forces app, which is used by local police officers. The group also leaked personal data of the Head of the National Cyber Directorate on its Telegram channel.
The hacktivist groups have urged other units to join their activity, which has already been seen in pro-Russian Killnet's targeting of Israeli government websites. Researchers have also reported pro-Hamas activity from China, Bangladesh, Pakistan, Morocco, and Iran.
Pro-Israel groups include the India-linked Team UCC Ops and the Indian Cyber Force, and the previously unknown hacktivist units Garuna Ops and SilenOne. The speedy involvement of hacktivist groups in the accelerating Israeli-Palestinian conflict demonstrates the increasing importance of cyber activism as an additional vector of warfare.
This is similarly showcased in the Ukraine war, which triggered the emergence of various pro-Russian and pro-Ukrainian groupings. Although not an official part of the states they seek to support, hacktivists continue to play a notably active part in waging war against adversarial governments and civilians alike: disrupting communications, defacing websites, and spreading preferred narratives globally, while providing a layer of deniability for their preferred government.
However, this involvement also blurs the ethical boundaries of activism and raises questions about the potential consequences of such actions in an already volatile geopolitical landscape.
16th October - 20th October: North Korean nation-state actors expand their cyberespionage capabilities
In the latest report, we discussed the emergence of coordinated tactics and techniques used by North Korean cyber groups in espionage campaigns aligned with state interests. Kimsuky, for instance, is utilising the Windows Remote Desktop Protocol (RDP) along with customised open-source software to infiltrate and navigate compromised systems, enhancing its capabilities. The Lazarus Group and Andariel exploited the TeamCity vulnerability CVE-2023-42793 to breach corporate networks and deploy Remote Access Trojans, posing a potential supply-chain compromise risk, especially for software development, technology, and AI organisations.
Furthermore, the Lazarus Group has intensified its Operation DreamJob, targeting the nuclear and defence industries with malicious job interview files used to compromise systems and exfiltrate data. These incidents signify a greater level of coordination among North Korean groups, making attribution more challenging and indicating increased cyber efforts despite the country's economic difficulties.
As North Korea aims to bolster its economic and military power, we can expect more espionage campaigns, posing a higher risk for organisations, particularly those in the US and South Korea. Staying informed about the tracked tactics, techniques, and indicators of compromise is crucial for these targeted sectors.
23rd October - 27th October: Russian espionage operation targets European governments and think-tanks
In our recent report, we highlighted a new espionage operation conducted by the Russia-linked group Winter Vivern, also known as UAC-0114 and TA473. The group exploited a zero-day vulnerability (CVE-2023-5631) in the Roundcube Webmail server to target European governments and think tanks. The vulnerability allowed them to execute JavaScript code in victims' web browsers by means of specially crafted content hidden within innocent-looking email messages. Despite the simplicity of their tools, Winter Vivern's persistence and the prevalence of unpatched vulnerabilities pose a significant threat to their targets.
Winter Vivern has a history of engaging in intelligence-gathering campaigns, focusing on elected officials, political staff, government bodies, diplomatic bodies, and military establishments in Europe and the United States. Their activities often revolve around European politics and the economy, particularly related to the ongoing conflict in Ukraine.
The targeting of email servers for espionage is of critical importance in the cybersecurity landscape. State actors like Winter Vivern can gain access to sensitive government correspondence, diplomatic negotiations, and confidential data stored in these accounts. This compromises national security and raises concerns about the manipulation and exposure of sensitive information, eroding trust and privacy at both national and international levels.
For the government and defence sectors in Europe and America, it is strongly recommended to remain informed about Winter Vivern's tactics, including its use of tailored lures, and to track known indicators of compromise in order to strengthen cybersecurity measures.
We are committed to keeping you informed and helping you stay ahead of the ever-evolving cybersecurity landscape.