On the heels of the infamous Log4Shell, Java continued to be plagued by impactful vulnerabilities in April, namely Spring4Shell (CVE-2022-22965). Although the conditions required to exploit Spring4Shell (a Spring MVC application running on JDK 9 or later and deployed in a way that exposes the data-binding path, most commonly a WAR on Tomcat) are less commonly found than those for Log4Shell, third-party reports of active exploitation by threat actors deploying Mirai DDoS bots and cryptocurrency-miner payloads show both the interest in this vulnerability and its efficacy in the wild.
The Russia-Ukraine conflict continues, and with it the interest of other nation-state and cybercriminal actors in using the conflict as a lure in their intrusion campaigns; actors observed doing so this month include IcedID/Bokbot, Lyceum, Machete, and SideWinder.
Russian state-sponsored threat actor Sandworm has been attributed with the OT/ICS (Operational Technology / Industrial Control System) malware toolset INCONTROLLER (aka PipeDream). Specific malware indicators were not publicly released, though YARA signatures were provided to the community to assist in hunting for this threat. Cybersecurity authorities of the "Five Eyes" nations have published an updated joint advisory outlining Russian cyber threat actors' interests and activities, along with recommended mitigations for IT and OT environments to limit the risk from these actors: https://www.cisa.gov/uscert/ncas/alerts/aa22-110a.
Chinese state-sponsored threat actor HAFNIUM has been attributed with operations involving Tarrask, a malware toolset that evades forensic discovery by using a privilege-escalation technique to remove the evidence of its persistence mechanism (scheduled tasks) while the tasks themselves continue to run.
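The hiding trick relies on a detail of how Windows stores scheduled tasks: each task has a registry entry under the Task Scheduler cache (`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<task>`) whose `SD` value holds the task's security descriptor. Deleting that value requires SYSTEM-level access, and a task without it is no longer listed by `schtasks.exe` or the Task Scheduler UI even though it still executes. The PowerShell hunt below is an added example written for this page; it is not code from the original post, from Fidelis, or from any vendor tooling. It assumes a standard Windows TaskCache layout and an elevated session so that every subkey is readable; the function names are ours.

```powershell
# Added example (not from the original post or any vendor tooling).
# Hunts for scheduled-task registry entries that have no 'SD' value, i.e.
# tasks hidden from schtasks.exe and the Task Scheduler UI but still running.
# Assumptions: standard Windows TaskCache layout; run from an elevated
# PowerShell session. Function names are ours.

$TaskCacheTree  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TaskCacheTasks = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Find-HiddenScheduledTask {
    [CmdletBinding()]
    param([string]$Root = $TaskCacheTree)

    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key   = $_
        $names = $key.GetValueNames()
        # Real task entries carry an 'Id' value (the task GUID); folder keys do not.
        if (($names -contains 'Id') -and -not ($names -contains 'SD')) {
            [pscustomobject]@{
                TaskName    = $key.PSChildName
                RegistryKey = $key.Name
                TaskId      = $key.GetValue('Id')
                Finding     = 'SD value missing: task hidden from schtasks and Task Scheduler UI'
            }
        }
    }
}

# Cross-check: the task GUID also names a subkey under TaskCache\Tasks whose
# 'Path' value points at the task definition. Reading it confirms the task is
# still registered (and therefore still runs) despite being hidden.
function Get-HiddenTaskDetail {
    param([Parameter(Mandatory)][string]$TaskId)
    Get-ItemProperty -Path (Join-Path $TaskCacheTasks $TaskId) -ErrorAction SilentlyContinue |
        Select-Object Path, Author, URI, Date
}

$hidden = Find-HiddenScheduledTask
if ($hidden) {
    $hidden | Format-Table -AutoSize
    $hidden | ForEach-Object { Get-HiddenTaskDetail -TaskId $_.TaskId }
} else {
    Write-Output 'No scheduled-task entries with a missing SD value were found.'
}
```

A missing `SD` value is a strong signal but not proof of Tarrask specifically, so treat each hit as a lead: pull the task definition referenced by the `Path` value, check the `Author`, `URI` and `Date` fields for anything that does not match a known deployment, and correlate with Task Scheduler operational-log and Security-log events for task creation and execution on the host.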
In response, Fidelis Cybersecurity enhanced our capabilities against Russian and Chinese state-sponsored threats, as well as against cybercriminal threats operating malware such as Emotet, SolarMarker, PYSA ransomware, and the BlackGuard information stealer. These enhancements provide our clients with alerting and detection capabilities (via curated intelligence feeds) for the most recent and most prolific threats.