2022’S CYBER SECURITY TRENDS
The First Hybrid War that Forced Everyone to Take Sides
Ransomware Groups Step Up to Nation State Actor Level
Internet Macros in Office - The Developments in the Email Infection Chains
Malware Landscape
Chain Attacks
On February 24th 2022, Russia launched a full-scale military invasion of Ukraine with attacks on land, at sea and from the air. This was a dramatic escalation of a conflict between the two states that had been going on since 2014.
While not as visible as other aspects of the war, the cyber front has silently swept up thousands of ‘volunteer troops’ – hacktivists, cybercriminals, white hat researchers and even technology companies such as Elon Musk’s SpaceX. All these diverse groups chose sides and quickly joined the fight, each with its own targets and toolsets, from DDoS and website defacements to destructive critical infrastructure attacks.
The powerful Conti ransomware group, which claimed hundreds of victims within just a few months, publicly vowed to protect the Kremlin.
Researchers also observed that, at times, kinetic military and cyberspace actions appeared to be coordinated. For example, on March 1st, a Kyiv TV tower was hit by Russian missiles, resulting in a halt to TV broadcasting in the city. A cyberattack was launched at the same time for the same purpose. Ukraine in turn took unprecedented steps in the fight in cyberspace by recruiting an international army of motivated hackers to act on its behalf against Russia.
Even before the full-scale invasion, the Russian government and sophisticated state-sponsored APT groups made intelligent and coordinated use of both kinetic and cyber-based tools. Top Russian APT groups, widely known for their sophisticated toolsets and global record of attacks, joined the fight as soon as the war started, providing significant cyberspace backup that could potentially tilt the scales in Russia’s favor.
We estimate these groups started their preparations months earlier, collecting reconnaissance, coordinating targets, gaining access to strategic third-party entities and organizations of interest.
Though some APT groups, such as APT28 and Sandworm, have been associated with the Russian GRU, it is unclear whether coordination procedures are in place, or a general target list is simply shared and pursued. What is clear is that Russian offensive actors are aggressively targeting key national entities in Ukraine to disrupt critical services.
Destructive malware is a significant component of the attacks carried out by the cyberspace actors on the Russian side. Also referred to as a “wiper,” destructive malware is used to cause immediate disruption to functionality, destroy data storage systems and harm critical operations. This can have a major impact on public morale as well as unsettle the leadership.
Multiple wipers have been observed since January 2022, with a spike in February, just one day before the invasion, when multiple malware families, including HermeticWiper, were deployed against hundreds of Ukrainian government targets and financial, IT and energy institutions. Researchers concluded that eight different wiper malware families were deployed.
From recruiting personnel, through to selecting toolsets and coordinating operations between government and individuals, the cyber strategy of the Ukrainian forces has been a major surprise. Until now, Russia had the upper hand in the cyber landscape as it is home to some of the most notorious APT groups and naturally, their loyalty lies with the Russian government and intelligence services. After the war started though, most non-state actors including hacktivist groups, white hat hackers and even the infamous Anonymous Collective, sided with Ukraine, pledging to act against Russia in cyberspace.
The most interesting part of Ukraine’s cyber defense strategy centers around the global recruitment of keyboard warriors, proactively inviting recruits from both sides of the law to join the offensive efforts in the cyber arena as part of an organized, government-led initiative. During the first few days of the war, the Ukrainian Minister of Digital Transformation, Mykhailo Fedorov, posted on Twitter calling for “digital talents” to join the newly created IT army, with operational tasks being allocated to them via a designated Telegram channel.
Figure 1 – The initiation of IT Army of Ukraine by the Ukrainian government.
Just three days after its creation, the Telegram channel had no fewer than 175,000 members. Around that time, Ukraine supporters also started posting requests on underground forums for help in protecting Ukrainian cyberspace. Now, several months into the war, the channel is still active with 262,000 members and is still used to encourage people to help protect Ukrainian critical infrastructure but mostly to promote offensive activities. Attack tools and techniques are shared on a designated website and dozens of Russian targets are published on the channel every day. The channel is also used to publicize successful attacks carried out against Russia, such as replacing the home screen of Russia’s smart TV platform with an anti-war message. This attack, which took place on Russian Victory Day, also affected Rutube and Yandex. The Ukrainian government also leveraged its media presence for fundraising via designated ads on underground forums, with over $26 million already collected.
Anonymous Collective, whose goals overlap somewhat with those of the IT army, has also had successes since it declared cyber war against Russia on Twitter. It appears that the collective launched DDoS attacks against corporate, news and state websites, compromised over 90 databases belonging to telecom, retail and government sector organizations, and leaked hundreds of thousands of documents.
National political agendas have always been a beacon for state-sponsored APT groups. However, cybercrime groups have traditionally sought mostly financial gain, with the goal of monetization clearly guiding them to select their targets. For the first time in a long time, this situation appears to be changing. The Ukraine war has been pushing cybercriminal collectives and lone hackers to back one of the two sides in the conflict. The Ukraine war has set a precedent, moving the fight to cyberspace and blurring the line between the soldiers on the front and the citizens at home. Should cyber offense be a part of every conflict? Should self-motivated hackers take part in national affairs? All we know for sure is that the cyber landscape is continuing to evolve, as it serves more groups and more agendas.
When the Russia-Ukraine war does come to an end, it’s likely that we will be in a far worse situation than we are now when it comes to cyber. This is because state-sponsored APT groups, hacktivists and other cybercriminals have been able to ‘hone their craft’ during the conflict. There will be more expertise, more tooling and more groups that have consolidated their efforts and will start to look at attacking NATO countries. And it’s not just government departments in those countries that should be concerned, businesses really need to prepare themselves for what’s coming.
Cybercrime groups will continue to target governments in order to cause maximum disruption and to support the goals of their backers, but that’s not where the money is. They need a steady income stream to replenish their cyber warfare coffers to recruit and invest in the latest technology, and that’s why they continue to target enterprises. However, with the right expertise, strategy and cybersecurity solutions in place, organizations are able to prevent attacks from happening.
As with a new life form, we have been tracking the evolution of the ransomware parasite through its evolutionary stages. In the last six months, we have witnessed ransomware groups actively stepping up to the level of nation state actors, choosing high-level targets and taking sides in global conflicts. The Conti group, for example, picked fights with entire countries like Costa Rica and Peru, and the newly established Lapsus$ began its malicious activity by attacking governmental entities. Not long afterwards, it also successfully went on to target the technology giants Microsoft, NVIDIA and Samsung.
Initially, ransomware operations were conducted by individuals or small groups distributing random emails and hoping to collect small amounts of ransom from a large array of victims. As they evolved, the groups expanded to have hundreds of employees, with revenue in the hundreds of millions and sometimes billions of dollars. With their wider scope and scale of operations the groups had to start investing in research and development teams, quality assurance departments, HR people, specialist negotiation teams and sometimes even actual offices.
The larger the operation, though, the more difficult it became to stay under the radar, as it is hard to conceal a multi-billion-dollar business employing hundreds of skilled workers with offices in major cities. The larger the business, the more it relies on the cooperation, or at least the passive consent, of local authorities. This dependency forces very large threat actors to identify and align with the geopolitical interests of their home countries. Most ransomware groups are very careful not to attack entities in post-Soviet territories, automatically aborting any operation on machines where Russian is the default language.
In our previous report, we outlined a change in attitude by international law-enforcement agencies, who intensified their war against ransomware groups. Following high-profile attacks, the US government and other law enforcement agencies adopted a more proactive stance. This included internationally coordinated action against ransomware and cryptocurrency money laundering operations, sanctions and more. The Russian authorities ‘selectively’ cooperated with these moves, detaining some but not others, and releasing them according to their global interests. In January, Russia arrested some members of the REvil ransomware gang, but the group’s blog and Tor network returned to full action by April, strangely coinciding with the war in Ukraine and the ending of collaborations between the US and Russia.
Shortly after the war started, Conti expressed its full support for the Russian government and threatened to retaliate with all its resources against “any enemy” that attacks Russian organizations. Conti took the ransomware threat to its highest level, transforming itself into an actor in the geopolitical arena, with cyber offensive weapons capable of causing serious damage to the critical infrastructures of many nation states.
Figure 2 - Conti ransomware group announcement from their site.
Conti’s declaration had immediate repercussions. Two days later, a new Twitter account called “Conti Leaks” was created by an individual who claimed to be a Ukrainian researcher and who started leaking the group’s internal communications. The leak contained nearly 170,000 messages as well as malware source code, which amounted to an unprecedented exposure of the operation and its internal strategies. Check Point Research (CPR) analyzed the Conti leaks and discovered the different layers and hierarchy that you might find in a typical high-tech company with clearly defined roles and departments.
Following its political move, Conti increased the rate of attacks. As reported on its shame blog, the group went from ten victims in January to more than 20 in February, over 50 in March, and nearly 80 in April.
April also signaled a new stage of “country extortion”, when Conti attempted to extort the entire country of Costa Rica. The group went on to extort more government entities, starting with Peru on May 7th. A few days later, on May 12th, Costa Rica’s president declared a state of national emergency, later announcing that the country was at war with Conti - the first time ever that a country has declared war on a cybercrime group. This extraordinary situation came about after the cybercriminals breached and encrypted the data of at least 27 Costa Rican government agencies, probably the most disruptive cyberattack ever inflicted on any country, including those carried out by another government.
After Costa Rica decided to not pay the ransom, the group publicly declared its intentions to overthrow the government and called for citizens to revolt, stating it would carry out similar operations in the future. In May, the US offered a bounty of ten million dollars for information that would lead to the arrest of Conti’s leaders.
While Conti brought about the new method of ‘country extortion’, Lapsus$ reintroduced an old one and was able to get its hands on proprietary information and source code belonging to the biggest technology companies. Surprisingly, the group’s modus operandi excludes the usual encryption element you would expect to see in a ransomware attack, focusing only on data exfiltration and extortion based solely on the threat of publication. This revival of an old phenomenon could be the start of a new trend as the tactics have since been adopted by the RansomHouse group and Karakurt, the data extortion group related to Conti. Apparently, data exfiltration is much easier than encrypting an entire network and then assisting with decryption when the ransom is paid. Threat actors are clearly finding ways to do less work for more money.
Why do 34% of burglars enter homes through the front door? Because every home has one, and very often, they are left wide open. For many years, MS Office documents have been our digital front doors. Everyone uses them, mostly without questioning their source, which makes them a very widely open door indeed.
The malicious use of Microsoft documents occurs so frequently that they have a name - maldocs. One of the main techniques for creating maldocs involves the abuse of Office macros, a highly versatile tool with extensive programming capabilities. Security companies have been fighting this for years, but it was always clear that the key to preventing macro abuse lies in the hands of Microsoft. Indeed, in February 2022 Microsoft announced it would change Office’s default settings to disable macros in documents obtained from the internet.
Office macros are special-purpose programs and, as Microsoft’s own support page states, are often used for malicious purposes.
Although PoC and active exploits using VBA macros appeared as early as 1995, they lacked info-stealing functionality and were mostly used for pranks. These types of attacks died out in 2010 when Microsoft introduced “Protected View”, a yellow ribbon warning users not to enable macro functionality. Macros returned as an attack vector when threat actors realized that, with a bit of social engineering, they could convince users to enable macros and then use them to download and execute other binaries.
Figure 3 - Typical label designed to convince victim to enable macros.
Although Microsoft acknowledged the issue multiple times, the malicious use of Office macros and vulnerabilities grew in popularity over the years. By January 2022, our analysis found that as much as 61% of all malicious payloads attached to emails sent to our clients were document files of various types (such as xlsx, xlsm, xls, docx, doc, ppt, pdf, rtf and others). Our current report finds that Excel files alone made up 49% of all malicious files received by email! This trend corresponds with the evident tendency of most actors to use email (SMTP) rather than web-based sites as their initial attack vector. Typically, a carefully socially engineered email carrying an Excel file with a malicious macro is the weapon of choice for non-sophisticated actors as well as for top APTs.
Figure 4 - Percentage of Excel files of the total malicious files received by email.
Figure 5 - Increase in proportion of malicious files sent by email.
Only recently, CPR reviewed a series of attacks by various APT groups who socially engineered their lures using articles on the current Russian war against Ukraine to deliver weaponized Word documents. Other major malware families using malicious Office documents include TrickBot, Qbot, Dridex and many more. The unofficial king of maldoc usage is Emotet, which routinely sends high volumes of maldocs by email, sometimes concealed inside password-protected zip files, to expand its botnet.
In February this year, Microsoft announced its intention to block VBA macros in Office documents obtained from the internet. Users will be presented with a series of alerts and ultimately required to save the file locally and remove the Mark of the Web (MOTW) before macros can run. This is in addition to its previous policy change, in which Microsoft restricted the use of Excel 4.0 macros. The policy change is planned to roll out in the coming months.
Following these announcements, threat actors began examining alternatives to macro-based malicious email attachments. In April, Emotet was reported to be testing new TTPs (Tactics, Techniques, and Procedures), emailing OneDrive URL links to zip files containing malicious .xll files. XLL files are DLLs built as Excel add-ins; threat actors typically use the exported xlAutoOpen function, which Excel calls when the add-in loads, to download and run malicious payloads. Various existing tools and services, such as Excel-DNA, are already available to build .xll downloaders.
Another possible alternative TTP to maldocs is the use of ISO archives, which bypass the MOTW mechanism. Combined with an .hta payload, they can look like documents while running malicious code in the background. We have already seen a rise in attacks using these archives. Bumblebee, a new downloader detected in February, delivers various payloads that often result in ransomware attacks, and is reported to initially involve .iso files delivered by email.
Blocking Office internet macros does not eliminate maldoc options. Threat actors continue to exploit vulnerabilities: CVE-2021-40444 and the newly discovered Follina, both of which use HTML template injection, are just two recent examples.
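The template-injection chains named above rely on an external relationship inside the document package that Office resolves as soon as the file is opened, rather than on a macro. The following scanner, added here as an example and not code from Check Point or Microsoft, unzips an OOXML package, reads every .rels part and flags external relationships of the kinds that Office fetches automatically (an mhtml: target, or a remote oleObject / attachedTemplate / frame / subDocument target); ordinary external hyperlinks are left alone because they require a click. The sample packages, relationship IDs and the example.invalid hostnames are constructed for the demonstration.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional
from xml.etree import ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Relationship types whose external Target is fetched by Office as soon as the
# document is opened (no click needed). External hyperlinks are deliberately
# not on this list because they require user interaction.
AUTO_FETCH_TYPES = ("/oleObject", "/attachedTemplate", "/frame", "/subDocument")


@dataclass
class Finding:
    part: str       # .rels part inside the package that holds the relationship
    rel_id: str
    rel_type: str   # last segment of the relationship Type URI, e.g. "oleObject"
    target: str
    reason: str


def _suspicious_reason(rel_type: str, target: str) -> Optional[str]:
    """Return why an external relationship is suspicious, or None if it looks benign."""
    t = target.lower()
    if t.startswith("mhtml:"):
        return "mhtml: target fetched on open (CVE-2021-40444 style)"
    remote = re.match(r"^(https?:|file:|\\\\)", t) is not None
    if remote and rel_type.endswith(AUTO_FETCH_TYPES):
        return "auto-fetched part with remote target (Follina / template injection style)"
    return None


def scan_ooxml(data: bytes) -> List[Finding]:
    """Walk every *.rels part of an OOXML package and report risky external relationships."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "")
                target = rel.get("Target", "")
                reason = _suspicious_reason(rel_type, target)
                if reason:
                    findings.append(Finding(name, rel.get("Id", ""),
                                            rel_type.rsplit("/", 1)[-1], target, reason))
    return findings


# --- constructed samples (no real payloads; example.invalid is a placeholder host) ---
_RELS_HEAD = f'<Relationships xmlns="{RELS_NS}">'
_OOXML = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Internal styles part plus a clickable hyperlink: nothing auto-fetched, so no finding.
BENIGN_RELS = (_RELS_HEAD
    + f'<Relationship Id="rId1" Type="{_OOXML}/styles" Target="styles.xml"/>'
    + f'<Relationship Id="rId2" Type="{_OOXML}/hyperlink" Target="https://example.invalid/" TargetMode="External"/>'
    + "</Relationships>")

# An OLE object whose target is a remote HTML resource loaded at open time.
FOLLINA_STYLE_RELS = (_RELS_HEAD
    + f'<Relationship Id="rId5" Type="{_OOXML}/oleObject" Target="http://example.invalid/x.html!" TargetMode="External"/>'
    + "</Relationships>")

# An OLE object pulled through the mhtml: protocol handler.
MHTML_RELS = (_RELS_HEAD
    + f'<Relationship Id="rId7" Type="{_OOXML}/oleObject" Target="mhtml:http://example.invalid/a.html" TargetMode="External"/>'
    + "</Relationships>")


def build_sample_docx(rels_xml: str) -> bytes:
    """Assemble a minimal constructed .docx-like zip containing only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("follina-style", FOLLINA_STYLE_RELS), ("mhtml", MHTML_RELS)):
        hits = scan_ooxml(build_sample_docx(rels))
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  {h.part} {h.rel_id} {h.rel_type} -> {h.target}  [{h.reason}]")
```

The same scan_ooxml function works on a real .docx, .xlsx or .pptx read from disk, since all three use the same package relationship format.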
Threat actors will continue to find new ways to deliver malware, but this policy update by Microsoft is certainly going to have an effect on current TTPs. Both security providers and users should prepare accordingly.
In an age when we increasingly rely on third-party applications and connect corporate networks to employees’ personal devices, mobile devices have become valuable targets, requiring us to invest resources in mobile protection. The mobile marketplace’s exponential growth over the past few years offers a wider range of opportunities for threat actors. This potential is being exploited to its fullest, as we see malicious actors investing efforts in more advanced techniques and innovative social engineering schemes, rivaling the threat landscape for PCs.
Our last security report addressed Pegasus, the notorious NSO group Spyware which made headlines in 2021 after the discovery that the tool was used to gain access to mobile devices belonging to government officials, journalists, human rights activists and business executives worldwide.
Additional Pegasus campaigns were uncovered in the first half of 2022.
Fortunately, Apple announced in July that it is introducing a ‘Lockdown Mode’ for its devices in order to protect against Pegasus-style attacks. But while Pegasus is one of the most powerful tools currently on the market, the surveillance vendor ecosystem has also become more competitive. Another marketed spyware called Predator, produced by the North Macedonian commercial surveillance company Cytrox, was found to have infected iPhones towards the end of 2021 via single-click links sent over WhatsApp. As of today, the reach of these tools, let alone their mechanisms, is not yet fully understood by the cyber community despite extensive research efforts.
In February, researchers found that one of the same vulnerabilities in Apple software exploited by the NSO group against iPhones was simultaneously leveraged by a competing firm called QuaDream. Zero-click vulnerabilities allow remote intrusion into iPhones without any action by the victim, such as clicking a malicious link, being needed to trigger the infection.
Later, in April, a new zero-click iMessage exploit used to install Pegasus on iPhones was discovered, targeting iOS versions prior to 13.2. The exploit, named HOMAGE, was used in a campaign against Catalan officials, journalists and activists. In this campaign, some victims were also infected with Candiru spyware, from yet another mercenary hacking company. Finally, in May, security researchers found that threat actors used five zero-day vulnerabilities and other known unpatched flaws to install the Predator malware as part of three campaigns that took place between August and October 2021.
In addition to politically and ideologically driven spyware actors, we have also observed financially motivated operations like Flubot. Since its emergence in December 2020, it has been considered the fastest growing Android botnet ever seen. Flubot’s success is partly due to its spreading technique, “smishing” (SMS phishing), which uses SMS messages as the attack vector for malware distribution. Once installed, it sends the same SMS to the victim’s contacts, resulting in exponential spread.
The Flubot gang is known to be particularly innovative and continuously seeking to improve its variants, using features that are ordinarily seen in the development of PC malware rather than mobile. Those features include DNS tunneling or Domain Generation Algorithm (DGA), which make detection and shut down more difficult. With its multiple campaigns and tens of thousands of victims, Flubot received so much attention that in June, an international law enforcement operation involving 11 countries led to its infrastructure takedown and rendered the malware inactive. Evidently, Flubot’s position could not remain vacant for too long, as a new Android malware operation called MaliBot emerged in the wild soon after. MaliBot is targeting online banking and cryptocurrency wallets in Spain and Italy, using the same smishing distribution method as Flubot.
At the other end of the mobile threat spectrum are application stores, which form a whole arena of their own for cybercriminals. The most secure stores, like the Google Play Store and the Apple App Store, have thorough review processes that investigate candidate applications before they are published, and apps are held to high security standards once admitted onto the platforms. A recent report stated that throughout 2021, Google blocked 1.2 million suspicious applications from the Google Play Store, and Apple blocked 1.6 million apps from its App Store. Resourceful cybercriminals continually try to bypass these security measures with different tactics, such as manipulating their code to pass through the filters, or submitting initially benign applications and adding the malicious elements at a later stage.
It is not so surprising to still find malicious applications hiding in these stores. In fact, these platforms remain the main infection vectors in mobile threats. For example, CPR recently analyzed suspicious applications on the Google Play Store and found a few of them masquerading as genuine antivirus solutions, while in reality, once downloaded, the apps installed an Android stealer called SharkBot, which steals credentials and banking information. SharkBot implements a geofencing feature, a Domain Generation Algorithm (DGA) and evasion techniques that make it stand out in the field. SharkBot distribution is not widespread but targeted: it selects victims using the geofencing feature to identify and ignore users from China, India, Romania, Russia, Ukraine and Belarus.
In February, a new Android banking Trojan called Xenomorph was spotted lurking behind a fake productivity application on the Google Play Store, with over 50,000 downloads. The Xenomorph malware has a lot of potential to evolve: it currently uses classic overlay attacks and is able to steal credentials while intercepting SMS messages and notifications in order to capture and use two-factor authentication (2FA) tokens. It is evident that threat actors will continue to try to leverage official stores.
Unfortunately, cybercriminals are well aware of the central role that mobile devices play in many peoples’ lives and are always adapting and improving their tactics to match. The threat landscape is evolving rapidly, and mobile malware is a significant danger for both personal and enterprise security.
For the past few years, CPR has been following the evolution of the cloud threat landscape, as well as the constant increase in cloud infrastructure adoption by corporate environments. As many as 98% of organizations utilize cloud-based services, and approximately 76% of them have multi-cloud environments, featuring services from two or more cloud providers.
In March 2022, we released a review of the latest cloud trends and attacks on industry-leading cloud service providers. Critical vulnerabilities were exploited by cybercriminals to gain access to the corporate environments of a cloud provider’s entire customer list. We also covered the unprecedented progress made by cybercriminals in the field of supply chain attacks, from the SolarWinds Orion software breach – an innovative on-premise-to-cloud incident in which a backdoor embedded in a software update was leveraged to gain access to private cloud environments – to Log4Shell, a vulnerability in Apache’s most popular Java logging library, Log4j, that allows threat actors to easily take control of Java-based web servers and execute arbitrary code.
It seems we are now gearing up for the moment when supply chain attacks meet the cloud arena. On March 21st, the notorious ransomware gang Lapsus$ released a statement in its Telegram group saying it had gained access to Okta, an identity management platform, by obtaining access to an administrative account. Lapsus$ is known for publishing sensitive information, often source code, stolen from high-profile tech companies such as Microsoft, NVIDIA and Samsung. This time, however, the target was not Okta itself but rather its customers. Okta, a cloud-based identity service, is used by thousands of companies to manage and secure user authentication processes, as well as by developers to build identity controls. This means that hundreds of thousands of users worldwide could potentially be compromised through the very company responsible for their security.
Figure 6 - Lapsus$ announcement about OKTA, on their Telegram channel.
Curiously, on March 22nd, Okta released an official statement claiming that an investigation had concluded that a breach did not occur, although an unsuccessful compromise attempt was observed in January 2022, when a new factor was added to the Okta account of a client’s support engineer. At that point, no notification was sent to Okta’s customers. However, another statement, released shortly after the first, said that approximately 2.5% of Okta’s customers were affected by the Lapsus$ breach – around 375 companies, according to a media report.
Although the statements were probably released to reassure Okta’s customers, they only contributed to the general fear caused by the attack. Lapsus$ commented on the statements, or as it called them, “the lies given by Okta”, on its popular Telegram channel. Lapsus$ assured its 35,000 followers that the successful breach allowed the attack group to “log in to superuser portal with the ability to reset the password and MFA of ~95% of clients”.
CPR suggested that the access Lapsus$ had gained to Okta clients might explain the cybercrime gang’s modus operandi and impressive record of successes, all thanks to excessive permissions having been granted to a third party within the corporate cloud environment.
Identity and Access Management (IAM) role abuse attacks were thoroughly discussed by CPR in 2021, and while still an ongoing issue, there are other risks that businesses need to be aware of.
While the Okta breach wasn’t necessarily a ‘cloud supply chain attack’ – this would be when a cloud provider such as Azure or AWS is compromised – it was a significant event from the first half of this year that did affect the supply chain and will hopefully teach businesses some important IAM lessons. Currently, the most prominent supply chain risk we are seeing comes from open-source software.
Many modules and packages are written by individuals who may not have the expertise or budget to make them completely secure. Then, when the insecure code is contributed to the open-source community, who owns it? Who maintains it? As a developer, you might think you are importing one thing, but it actually has dependencies that you are not aware of. This is how NotPetya came about. It infiltrated computer systems using a popular piece of open-source accounting software.
Unfortunately, when it comes to your chosen cloud provider, you can’t control the security of the platform itself. And these platforms do have vulnerabilities. You could have the best will in the world and the highest expertise, but unless you’ve got a team of analysts constantly researching the platform you’re using, it’s not going to be enough. This really makes the case for multiple layers of security. You might not be able to prevent a breach of the cloud provider itself, but what you are able to do is mitigate the fallout. Implementing things like zero-trust and least privilege will mean that in the event of a breach, it is contained and cannot spread.