EclecticIQ Threat Research Team
March 24, 2022

The Analyst Prompt #05: Russo-Ukrainian Cyberattacks, and Updates on Lapsus$ and Conti Ransomware Operations

Intelligence Research

RUSSO-UKRAINIAN WAR 2022: Cyberattacks Reported At High Frequency

As anticipated in the last Analyst Prompt, the spate of cyberattacks targeting Ukraine and Western organizations continued in week three of the war. It is almost certain that the frequency of cyberattacks, as well as of mis- and disinformation operations, will remain high in the coming weeks. EclecticIQ analysts note that the reported damage from cyberattacks to date appears rather confined. Large-scale cyberattacks with major impact on Ukrainian infrastructure or services have not been observed. Analysts acknowledge that in the fog of war, government entities and private institutions have likely not identified or reported all cyber incidents.

On March 15th, research firm ESET reported a new data-wiping malware targeting Ukraine, named CaddyWiper. [1] The malware “destroys user data and partitions information from attached drives”. According to ESET, CaddyWiper shares “no major code similarities to either HermeticWiper or IsaacWiper”, two other data wipers observed since the beginning of the invasion.

On March 15th, the FBI and CISA released a report about Russian state-sponsored actors targeting an unnamed NGO. [2] The threat actor leveraged a set of misconfigured Multi-Factor Authentication (MFA) accounts, which enabled it to enroll a new device for MFA and access the victim network. The actors then exploited the Windows Print Spooler vulnerability “PrintNightmare” (CVE-2021-34527) to run arbitrary code and move laterally in the target environment.

On March 12th, Ukraine's Computer Emergency Response Team (CERT-UA) warned about phishing emails impersonating Ukrainian government entities. [3] The emails redirected victims to a website delivering fake antivirus updates that eventually downloaded Cobalt Strike beacons, or two custom Go malware variants named GraphSteel and GrimPlant. CERT-UA attributes the activity to UAC-0056.

Viasat Inc., a provider of high-speed satellite broadband, is investigating a possible attack against the KA-SAT satellite system. KA-SAT, run in cooperation with French satellite operator EUTELSAT, supplies Europe and the Mediterranean with satellite internet connectivity and, due to its independence from terrestrial infrastructure, connects endpoints in remote areas. KA-SAT operates 82 "spot beams", i.e., antennas that create a grid of ellipses on the earth's surface. One such beam is located over Kyiv. On the earth's surface the beams are connected to eight gateway stations in Europe. Experts believe that Russian forces, in an attempt to cut internet connectivity in Ukraine, attacked a regional gateway, but knock-on effects also took down other gateways in Europe. [4]

Policy and Governance: German BSI Issues Warning For Kaspersky Products

The German Federal Office for Information Security (BSI) issued a warning about the use of Kaspersky products. [5] EclecticIQ researchers note that the BSI does not ban Kaspersky products, unlike the US or the Netherlands, which prohibited buying and installing Kaspersky software on government computers and other devices well before the Russian invasion. Instead, the BSI encourages German companies and private users to replace Kaspersky virus protection software with alternative products.

The BSI wrote that “actions of military and/or intelligence forces in Russia and the threats made by Russia against the EU, NATO, and the Federal Republic of Germany in the course of the current armed conflict are associated with a considerable risk of a successful IT attack. A Russian IT manufacturer can conduct offensive operations itself, be forced to attack target systems against its will, or be spied on without its knowledge as a victim of a cyber operation or be used as a tool for attacks against its own customers.”

In its response to the warning, Kaspersky argued that the decision by the BSI was made on political grounds, and should not be interpreted as a technical assessment of Kaspersky products. [6]

Similarly, since the start of the war, the French National Agency for the Security of Information Systems (ANSSI) has questioned the use of Kaspersky software, and the Italian Undersecretary to the Prime Minister warned of threats from Russian anti-virus products. [7] [8]

New and Noteworthy: Lapsus$ Claims Responsibility for Cyber-Attacks on Nvidia, Samsung, Ubisoft, and Vodafone

A previously unknown cybercriminal actor named Lapsus$ claimed responsibility for recently reported security incidents targeting Nvidia [9], Samsung [10], Ubisoft [11] and Vodafone [12]. EclecticIQ analysts note that its modus operandi differs from that of other ransomware operations. Current OSINT reporting indicates that the actor does not deploy any file-encrypting ransomware in the target environment, but focuses solely on data theft and extortion.

It is unknown how Lapsus$ obtains initial access. It is plausible that the adversary buys access to target environments. In a post in a Telegram group allegedly run by the actor, the adversary recruits employees working at telecommunication, technology, or software companies. The same post also asks for credentials for virtual private network or virtual desktop infrastructure.

Lapsus$ was first seen in December 2021 attacking several websites of Brazil’s Ministry of Health, allegedly extracting data and demanding a ransom for returning the stolen data. [13] In the beginning of 2022, the group claimed responsibility for hacking and extorting Impresa, the largest media company in Portugal. [14]

Nvidia confirmed a cybersecurity incident on February 23rd and reported that a threat actor successfully “took employee passwords and some NVIDIA proprietary information from [its] systems and has begun leaking it online.” [9] The leak contained two expired code-signing certificates. OSINT reporting shows [15] that the expired certificates were used to sign hacking tools and malware, including Cobalt Strike Beacon and remote access trojans.

In a statement on March 7th, Samsung confirmed a security breach involving “some source code relating to the operation of [its] Galaxy devices”. [10] EclecticIQ analysts note that access to the source code (or parts of it) could allow adversaries to identify new vulnerabilities for later exploitation. On March 10th, Ubisoft reported a cyber security incident; a post in the Telegram channel implied that Lapsus$ took responsibility for the breach. Another post in the channel claimed the release of hundreds of gigabytes of source code stolen from Vodafone. On March 13th, Vodafone confirmed an investigation into the claims.

Threat Actor Update: Conti Ransomware Group Restored Operations

EclecticIQ analysts assess that the ransomware group Conti replaced its infrastructure after it was exposed [16] in late February, so that it can continue attacking new targets with its ransomware. Like other cyber-criminal operations (e.g., Trickbot, Emotet), the members behind Conti are almost certainly highly skilled network engineers, system architects, and developers who have built resilience into their infrastructure and operational setup, and were thus able to recover quickly from the interim setback.

EclecticIQ analysts noted a minor dip in the frequency of drops added to the Conti News Tor blog following the first batch of leaks on February 27th, but new drops appeared again as of March 1st.

It is unknown whether Conti had been completely inactive, since:

  • Organizations may not disclose ransomware attacks.
  • Conti does not publish details of victims that have paid the ransom.
  • Conti did not post daily drops on the extortion site under normal operation.

Critical Vulnerabilities: Dirty Pipe - A Privilege Escalation Vulnerability in Linux Kernel

On March 7th, security researcher Max Kellermann disclosed [17] a critical vulnerability (CVE-2022-0847) in Linux kernel 5.8 and later. The vulnerability, named “Dirty Pipe”, could allow an attacker with local access to gain root privileges, for example by altering sensitive files such as “/etc/passwd” or by overwriting the ELF of any setuid-root binary with malicious code. Kellermann and other experts released proof-of-concept exploits. Patches have been released for the Linux kernel, and EclecticIQ analysts strongly recommend upgrading to one of the following versions: 5.16.11, 5.15.25, 5.10.102.
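As an added example (not code from the EclecticIQ post or from the Dirty Pipe advisory), the following Python check classifies a kernel release string against the affected range and the fixed versions listed above; the assumption that mainline 5.17 and later carry the fix is mine and is not stated on the page.

```python
import platform
import re

# Fixed stable point releases named in the text above (CVE-2022-0847, Dirty Pipe).
FIXED_STABLE = {(5, 16): 11, (5, 15): 25, (5, 10): 102}
# The bug affects kernel 5.8 and later; everything older is not affected.
FIRST_AFFECTED_SERIES = (5, 8)
# Assumption not stated on the page: mainline 5.17 and later ship the fix.
FIRST_FIXED_MAINLINE = (5, 17)


def parse_release(release: str) -> tuple:
    """Extract (major, minor, patch) from a `uname -r` string such as '5.10.101-1-amd64'."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", release)
    if not match:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return tuple(int(part) for part in match.groups())


def dirty_pipe_status(release: str) -> str:
    """Classify a kernel release as 'not_affected', 'patched' or 'vulnerable'.

    The check is by upstream version number only. Distributions often backport
    the fix without bumping the version, so 'vulnerable' means 'verify against
    your distribution's advisory', not 'confirmed exploitable'.
    """
    major, minor, patch = parse_release(release)
    series = (major, minor)
    if series < FIRST_AFFECTED_SERIES:
        return "not_affected"
    if series >= FIRST_FIXED_MAINLINE:
        return "patched"
    fixed_patch = FIXED_STABLE.get(series)
    if fixed_patch is not None and patch >= fixed_patch:
        return "patched"
    # Either a listed series below its fixed point release, or an unlisted
    # series between 5.8 and 5.16 (e.g. 5.11 to 5.14) with no fixed release.
    return "vulnerable"


if __name__ == "__main__":
    # Only meaningful on a Linux host; platform.release() mirrors `uname -r`.
    running = platform.release()
    print(f"{running}: {dirty_pipe_status(running)}")
```

On distribution kernels (e.g. Ubuntu's 5.13.0-NN-generic), a "vulnerable" result is a prompt to check the vendor's advisory or changelog, since the backported fix does not change the version string.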

Appendix:

  1. “CaddyWiper: New wiper malware discovered in Ukraine,” WeLiveSecurity, Mar. 14, 2022. https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/ (accessed Mar. 16, 2022).
  2. “Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and ‘PrintNightmare’ Vulnerability,” CISA. https://www.cisa.gov/uscert/ncas/alerts/aa22-074a (accessed Mar. 16, 2022).
  3. “Cyberattack on Ukrainian state organizations using the malicious programs Cobalt Strike Beacon, GrimPlant and GraphSteel (CERT-UA#4145),” CERT-UA. https://cert.gov.ua/article/37704 (accessed Mar. 16, 2022).
  4. “Viasat: Satellite network apparently deliberately hacked in Eastern Europe,” Der Spiegel, Mar. 05, 2022. https://www.spiegel.de/netzwelt/web/viasat-satellitennetzwerk-offenbar-gezielt-in-osteuropa-gehackt-a-afd98117-5c32-4946-ab8a-619f1e7af024 (accessed Mar. 17, 2022).
  5. “BSI warns against the use of Kaspersky antivirus products,” Bundesamt für Sicherheit in der Informationstechnik (accessed Mar. 16, 2022).
  6. “Kaspersky statement regarding the BSI warning,” www.kaspersky.com, Mar. 15, 2022. https://www.kaspersky.com/about/press-releases/2022_kaspersky-statement-regarding-the-bsi-warning (accessed Mar. 16, 2022).
  7. “[Update] International tensions – Cyber threat,” CERT-FR. https://cert.ssi.gouv.fr/cti/CERTFR-2022-CTI-001/ (accessed Mar. 17, 2022).
  8. “Franco Gabrielli: ‘Our antivirus products made by the Russians must be replaced. Pay attention to cybersecurity’,” MSN. https://www.msn.com/it-it/notizie/mondo/franco-gabrielli-c2-abattenti-alla-cyber-sicurezza-i-nostri-antivirus-prodotti-dai-russi-sono-da-cambiare-c2-bb/ar-AAUZeL9 (accessed Mar. 17, 2022).
  9. “Security Notice: NVIDIA Response to Security Incident - March 2022,” NVIDIA. https://nvidia.custhelp.com/app/answers/detail/a_id/5333 (accessed Mar. 14, 2022).
  10. “Samsung Says Hackers Breached Company Data, Galaxy Source Code,” Bloomberg.com, Mar. 07, 2022. https://www.bloomberg.com/news/articles/2022-03-07/samsung-says-hackers-breached-company-data-galaxy-source-code (accessed Mar. 14, 2022).
  11. “Ubisoft Cyber Security Incident Update,” Ubisoft. https://news.ubisoft.com/en-gb/article/3tSsBh25mhHhlbGSy1xbRw/ubisoft-cyber-security-incident-update (accessed Mar. 14, 2022).
  12. “Vodafone Investigating Source Code Theft Claims,” SecurityWeek. https://www.securityweek.com/vodafone-investigating-source-code-theft-claims (accessed Mar. 14, 2022).
  13. A. Mari, “Brazilian Ministry of Health suffers cyberattack and COVID-19 vaccination data vanishes,” ZDNet. https://www.zdnet.com/article/brazilian-ministry-of-health-suffers-cyberattack-and-covid-19-vaccination-data-vanishes/ (accessed Mar. 14, 2022).
  14. “Lapsus$ ransomware gang hits SIC, Portugal’s largest TV channel,” The Record by Recorded Future, Jan. 02, 2022. https://therecord.media/lapsus-ransomware-gang-hits-sic-portugals-largest-tv-channel/ (accessed Mar. 14, 2022).
  15. K. Beaumont, “@cyb3rops VirusTotal search if you want ’em [...],” @GossiTheDog, Jan. 01, 2022. https://twitter.com/GossiTheDog/status/1499781976835993600 (accessed Mar. 17, 2022).
  16. conti leaks, “conti jabber leaks [...],” @ContiLeaks, Feb. 27, 2022. https://twitter.com/ContiLeaks/status/1498030708736073734 (accessed Mar. 15, 2022).
  17. “The Dirty Pipe Vulnerability,” The Dirty Pipe Vulnerability documentation. https://dirtypipe.cm4all.com/ (accessed Mar. 15, 2022).

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery

You may also download the content as eiq_json, stix1_2, stix2_1.

Please refer to our support page for guidance on how to access the feeds.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.
