Research Report

April 2022 Threat Intelligence Summary

On the heels of the infamous Log4Shell, Java continued to be plagued by impactful vulnerabilities in April, namely Spring4Shell.
While the conditions required to exploit Spring4Shell are not as commonly found, third-party observations of active exploitation
by threat actors deploying Mirai DDoS bots or cryptocurrency miner payloads underscore both threat actor interest in, and the
efficacy of, this recent vulnerability.

The Russo-Ukrainian conflict continues, and with it interest from other nation-states and cybercriminal actors seeking to exploit the conflict as a lure theme in their intrusion campaigns, including IcedID/Bokbot, Lyceum, Machete, and SideWinder.

Russian state-sponsored threat Sandworm is attributed with the OT/ICS (Operational Technology / Industrial Control System)
malware toolset INCONTROLLER (aka PipeDream). Specific malware indicators were not publicly released, though YARA
signatures were provided to the community to assist in hunting this threat. Cybersecurity authorities for the "Five Eyes" nations have
posted an updated joint advisory outlining Russian cyber threat actor interests and activities, as well as a set of recommended
mitigations for IT and OT environments to limit risk from these actors: https://www.cisa.gov/uscert/ncas/alerts/aa22-110a.

Chinese state-sponsored threat HAFNIUM is attributed with operations involving Tarrask, a malware toolset capable of evading
forensic discovery by using a privilege escalation technique to remove evidence of its persistence mechanisms (e.g., scheduled
tasks).

In response, Fidelis Cybersecurity enhanced our detection capabilities against Russian and Chinese state-sponsored threats, as well as
against cybercriminal threats operating malware such as Emotet, SolarMarker, PYSA ransomware, and the BlackGuard info stealer.
These enhancements provide our clients with alerting and detection capabilities (via curated intelligence feeds) on the most
recent or prolific threats.