Sharing authentic information is critical in today’s world of the internet. It becomes more significant if the information shared benefits everyone, including the individual who uses the internet for leisure or the organization dependent on the internet for their operations. The Adversarial Threat Reports are vital bits of information that keep the community aware of the significant cyber threats that appear from time to time. Generally, security agencies and digital establishments issue adversarial threat reports quarterly, highlighting the significant challenges that emerge during the specific quarter. This article summarizes the findings of various such threat reports published in 2022.
What Are Adversarial Threats?
Adversarial threats generally denote enterprise disruptions or losses caused by the deliberate actions of malicious third parties interacting with their information systems. Any threat associated with accidental human error or environmental or structural failure is not considered an adversarial threat. The deliberate and malicious intention is critical for the threat to qualify as one.
Examples of Adversarial Threats
Adversarial threats are of various types and characteristic features. Ransomware, phishing, and cyber espionage attacks are a few of them. For example, Ukraine’s invasion by Russia has greatly impacted the phishing threat landscape. Since its initiation, phishing has seen a 10-percentage point increase over the previous year. The increase in the number and types of phishing attacks has been seen as a common concern across security service providers.
Sophos 2022 Adversarial Threat Report states that ransomware constituted 79% of cyber threats, followed by Cobalt Strike at 6% and Web shells at 4%. Other hazards include data exfiltration and miscellaneous malware. Even the Global Threat Report 2022 by Crowdstrike indicates that ransomware is an ever-increasing threat today, growing 82% between 2020 and 2021.
What Do the Adversarial Threat Reports Signify?
The significance of adversarial threat reports is that they highlight the latest threats the internet communities face from various malicious sources. For instance, the Meta Adversarial Threat Report Q1-2022 focuses on state actors, especially in the backdrop of the Russian Ukrainian War. Thus, it discusses cyber warfare, an ominous large-scale threat in today’s circumstances.
The Meta Adversarial Threat Report aims to highlight coordinated inauthentic behavior (CIB), cyber espionage efforts by Iran, and malicious mass reporting attempts from Russia. Besides reporting inauthentic behavior, such reports also examine the efforts put in by the security community to counter these activities.
The Purpose Behind the Adversarial Threat Reports
The primary reason behind the compilation of these adversarial threat reports is to share information on malicious threats capable of causing significant global damage to enterprise network systems. A glance through these reports can help educate security teams concerning the latest threats in the internet environment, even if all of them might not pose immediate cybersecurity risks.
Below are the findings of the Meta Adversarial Threat Report for the first quarter of 2022.
- Cyber Espionage Operations Linked to Iran
Cyber espionage targets people to gather intelligence, manipulate them into sharing critical information, and compromise their devices and accounts. The Meta Adversarial Threat Report Q1 2022 highlights three groups of malicious actors engaging in cyber espionage.
- A group of Iranian adversaries, also known as UNC788, targeted people from the Middle East, including the Saudi military, dissident groups from Iran and Israel, and US politicians and journalists. The malicious actors used phishing to steal users’ credentials and share links to malicious websites that hosted malware. The modus operandi included social engineering tactics, phishing, and malware injection.
- Similarly, an unreported group of threat actors from Iran used spoofing to target various organizations in multiple industrial sectors. They include energy establishments in Russia, Italy, Canada, and Saudi Arabia and targets in the IT industry in UAE and India. Other industrial sectors include the maritime logistics industry in the US, Israel, UAE, Norway, Iceland, etc., the telecommunication industry in the UAE and Saudi Arabia, and the semiconductor industrial sector in the US, Germany, and Israel. The methods of attack include using social engineering and interactive targeting, spoofing of corporate websites, and injecting malware.
- It also identified another malicious group from Azerbaijan engaging in CIB and cyber espionage targeting Azerbaijani democracy activists, opposition party leaders, journalists, and government critics. Though the group maintained a low profile and focused on news and social media websites like Twitter, Facebook, and LinkedIn, there were resemblances to a prominent threat actor named ‘Ghostwriter’ that targeted Ukraine. The modus operandi was compromising and spoofing websites, injecting malware, credential phishing, and CIB.
- Security Updates on Ukraine
The risk of the ongoing hostilities between Russia and Ukraine escalating into a full-fledged cyber war is omnipresent. Under such circumstances, almost every adversarial threat report includes security updates on Ukraine. The Meta Adversarial Threat Report identifies government-linked Russian and Belarusian actors engaging in online cyber espionage and covert influence operations. For instance, it detected CIB activity linked to the Belarusian KGB spreading misinformation about Ukrainian troops’ withdrawal even before Russia commenced war activities.
This report refers to a spike in Ghostwriter’s attempts to target people through email compromise and use the information to access their social media accounts. The group also attempted to attack the Facebook accounts of various Ukrainian military personnel by posting videos of people calling on the Army to surrender. Meta detected and took down various networks belonging to politically aligned actors for violating its policy on inauthentic behavior by mass reporting their political opponents and spreading hate speech.
As a way to protect users, Meta also suggested Ukrainians and Russians strengthen the security of their online accounts, emails, and social media. The company suggested downloading a VPN (Virtual Private Network) app, enabling MFA (Multi-factor authentication), and avoiding reusing passwords along with practicing other online safety tactics.
- Continuous CIB Enforcement
CIB includes opening fake social media accounts and coordinating with others to mislead users and manipulate public debate for a strategic goal. Meta Adversarial Threat Report identifies many such people globally, which the company has removed from the network. In addition, Meta monitors these removed accounts to ensure they do not resurface under different aliases.
The Meta Adversarial Threat Report has identified and removed 14 Facebook accounts, nine web pages, and 39 Instagram accounts in Brazil for violating Meta’s CIB policy. While the malicious actors started misleading people on Covid-19 in 2020, they later shifted their attention toward Amazon deforestation issues in 2021.
Similarly, Meta has removed 233 Facebook accounts, 84 pages, and 27 Instagram profiles in Costa Rica and El Salvador for using fake accounts to post misinformation on both sides of the political spectrum. The report also mentions fake Russian and Ukrainian social media accounts that spread misinformation about the war. Meta has successfully identified and removed 27 of these Facebook accounts and 4 of these Instagram accounts, respectively.
- Mass Reporting Network in Russia
Meta successfully identified nearly 200 social media accounts that spread fake information using mass reporting techniques. Besides focusing on Ukrainian and Russian nations, these accounts had users from the US, Poland, and Israel. The modus operandi was spreading fake information regarding the war and making people believe in false reports, thereby misleading them with the intent of causing widespread distrust in the government and local news.
- Removing Coordinated Violating Networks in the Philippines
Similarly, Meta has discovered a network of nearly 400 accounts and groups in the Philippines involved in DDoS attacks and compromising websites in the country. This network prided itself on bringing down news websites. Besides, it offered cybersecurity services to protect networks from such attacks they initiated. Eventually, they started inviting new members openly to carry out DDoS attacks.
What Constitutes Inauthentic Behavior?
Inauthentic behavior is usually centered on amplifying and increasing false content distribution to manipulate public debate in order to achieve a strategic goal. The primary objective is to mislead people. If such behavior is financially motivated, it can qualify as spam and scam activity.
IB operators focus on quantity rather than quality. They need large numbers of fake accounts to post their content in order to reach the largest audience possible. Generally, you can also find these accounts monetizing people’s attention by driving them to off-platform websites filled with ads.
The Deceptive Strategies Used by IB Operators
Here are some deceptive strategies IB operators use to boost their engagement artificially.
- Context Switching
Generally, IB operators mislead their audience by claiming to be dedicated to a specific subject but switching to an unrelated one when the account or post goes viral. They perceive the pulse of their audience and use tactics like sensationalism to deceive people into clicking links to their websites.
- Posing as Authentic Communities
IB operators trick their audience by making them believe they are operating from a specific country or community when they are actually a different one. This tactic proves helpful to indulge in context switching by posting content related to political crises or natural calamities to attract audiences and monetize their attention.
- Mass Posting, Sharing, and Liking of Content to Popularize it
Usually, IB operators use fake social media accounts to mass-post content. This way, their entire chain can start liking or sharing the content amongst their contacts to increase apparent popularity. There is not much actual engagement because there is no interaction with people outside their bubble that is composed of just their members.
While CIB is the trending threat today, especially in the backdrop of the Russian-Ukrainian war, one cannot ignore other adversarial threats. The Blackberry 2022 Threat Report lists various hazards that can affect the daily functioning of businesses globally, as listed below.
- Ransomware was the most dangerous of all adversarial threats in 2021. Trends indicate that ransomware will also continue to top the charts this year. The year 2021 saw massive ransomware attacks. Two examples are DarkSide crippling the Colonial Pipeline Network and the Russian ransomware threat group REvil attacking Acer and JBS Foods. Another significant attack included the infiltration of the insurer AXA by the Avaddon ransomware group. In a recent 2022 survey by ransomware.org, 80% of the survey respondents accepted that their organization is more likely to be a target of a ransomware attack in 2022 as compared to 2021.
- A zero-day vulnerability is also a potent adversarial threat, especially with the HAFNIUM group exploiting the Microsoft Exchange Server’s zero-day vulnerability. It allowed other threat actors to reverse engineer the patch and target organizations worldwide. Organizations and individuals can protect against zero-day vulnerabilities by keeping their network systems updated and looking for alternative security approaches like the Zero Trust framework and XDR (Extended Detection and Response) solutions.
- Supply chain attacks were the flavor of threat actors in 2020, especially with SolarWinds Attack making international headlines. Additionally, 2021 saw the supply chain attacks re-emerging with the compromising of Kaseya’s VSA software affecting over 1,000 businesses. As supply chain attacks betray the trust between service providers and customers, there is a pressing need for companies to adopt a Zero Trust framework.
Threat actors were rampant in 2021, with many adept at mimicking private sector capabilities by leveraging services like IaaS (Infrastructure-as-a-Service), RaaS (Ransomware-as-a-Service), and MaaS (Metal-as-a-Service, for the deployment of large cloud and Big Data environments) to launch their malicious attacks.
Cyber threats and malicious actors will play around as long as the internet survives. Since one cannot eliminate all threats at all levels, it is a matter of co-existence with the utmost awareness and security. Adversarial threat reports make people aware of the latest threats looming over the horizon and waiting to attack unsuspecting network systems globally.
Though phishing is considered the earliest of all cyber threats, it is significant even today because almost all the other threats rely on phishing (or its variants) in order to gain global access to network systems. Therefore, while anti-malware solutions are necessary to neutralize threats, cybersecurity awareness is critical in fighting the fundamental stages to avoid bigger contingencies. Documents like adversarial threat reports are handy for the purpose.
Every cybersecurity professional should go through these threat reports and acquire reliable knowledge of the current threat landscape and the modus operandi malicious actors use to carry out the threats. In essence, adversarial threat reports are critical for every industry.
- Meta. (2022, April). Adversarial Threat Report. Meta. https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf
- Crowdstrike. 2022 Global Threat Report. https://go.crowdstrike.com/global-threat-report-2022.html
- Blackberry. BlackBerry 2022 threat report.
- Borges, R. Scribd. Meta Quarterly Adversarial Threat Report Q1 2022.
- Sophos. Sophos 2022 Threat Report: Interrelated threats target an interdependent world.
- NCC. (2022, June 27). Threat Report 10th June 2022.
- Shier, J. (2022, June 7). The Active Adversary Playbook 2022. Sophos News. https://news.sophos.com/en-us/2022/06/07/active-adversary-playbook-2022/
- National Cyber Security Centre. (2022, June 10). Threat Report 10th June 2022. https://www.ncsc.gov.uk/report/threat-report-10th-june-2022
- Trellix. Trellix Advanced Threat Research Report: January 2022.
- Cofense. (2022, April 12). Cofense 2022 annual state of phishing report highlights. Cofense. https://cofense.com/blog/three-highlights-from-cofense-2022-annual-state-of-phishing-report
#threatreport #cybersecurity #Russia #ransomware #phishing #espionage #Meta #Ukraine #vicarius_blog
As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.
Ripple20 are 19 vulnerabilities revealed by Israeli firm JSOF that affect millions of OT and IOT devices. The vulnerabilities reside in a TCP/IP stack developed by Treck, Inc. The TCP/IP stack is widely used by manufacturers in the OT and IoT industries and thus affects a tremendous amount of devices.
Among the affected devices are Cisco Routers, HP Printers, Digi IoT devices, PLCs by Rockwell Automation and many more. Official advisories by companies who confirmed having affected devices can be found here, in the “More Information” section.
The most critical vulnerabilities are three that can cause a stable Remote Code Execution (CVE-2020-11896, CVE-2020-11897, CVE-2020-11901) and another that can cause the target device’s memory heap to be leaked (CVE-2020-11898).
On behalf of our customers, we set out to explore the real impact of these vulnerabilities, which we’re now sharing with the public.
The research has been conducted by researchers Maayan Fishelov and Dan Haim, and has been managed by SCADAfence’s Co-Founder and CTO, Ofer Shaked.
We set out to check the exploitability of these vulnerabilities, starting with CVE-2020-11898 (the heap memory leak vulnerability), one of the 19 published vulnerabilities.
We created a Python POC script that is based on JSOF official whitepaper for this vulnerability. According to JSOF, the implementation is very similar to CVE-2020-11896, which is an RCE vulnerability that is described in the whitepaper. Also mentioned about the RCE vulnerability: “Variants of this Issue can be triggered to cause a Denial of Service or a persistent Denial of Service, requiring a hard reset.”
Test 1 target: Samsung ProXpress printer model SL-M4070FR firmware version V4.00.02.18 MAY-08-2017. This device is vulnerable according to the HP Advisory.
Test 1 result: The printer’s network crashed and required a hard reset to recover. We were unable to reproduce the heap memory leak as described, and this vulnerability would have been tagged as unauthenticated remote DoS instead, on this specific printer.
Test 2 target: HP printer model M130fw. This device is vulnerable according to the HP Advisory.
Test 2 result: Although reported as vulnerable by the manufacturer, we were unable to reproduce the vulnerability, and we believe that this device isn’t affected by this vulnerability. We believe that’s because the IPinIP feature isn’t enabled on this printer, which we’ve verified with a specially crafted packet.
Test 3 target: Undisclosed at this stage due to disclosure guidelines. We will reveal this finding in the near future.
Test 3 result: We found an unreported vendor and device, on which we can use CVE-2020-11898 to remotely leak 368 bytes from the device’s heap, disclosing sensitive information. No patch is available for this device. Due to our strict policy of using Google’s Responsible Disclosure, we’ve reported this to the manufacturer, to allow them to make a patch available prior to the publication date.
We’ve confirmed the exploitability vulnerabilities on our IoT lab devices.
On the negative side: The vulnerabilities exist on additional products that are unknown to the public. Attackers are likely to use this information gap to attack networks.
On the positive side: Some devices that are reported as affected by the manufacturers are actually not affected, or are affected by other vulnerabilities. It might require attackers to tailor their exploits to specific products, increasing the cost of exploitation, and prevent them from using the vulnerability on products that are reported as vulnerable.
SCADAfence Research Recommendations
Check your asset inventory and vulnerability assessment solutions for unpatched products affected by Ripple20.
The SCADAfence Platform creates an asset inventory with product and software versions passively and actively, and allows you to manage your CVEs across all embedded and Windows devices.
Prioritize patching or other mitigation measures based on: Exposure to the internet, exposure to insecure networks (business LAN and others), criticality of the asset.
This prioritization can automatically be obtained from tools such as the SCADAfence Platform.
Detect exploitation based on network traffic analysis.
The SCADAfence Platform detects usage of these exploits in network activity by searching for patterns that indicate usage of this vulnerability in the TCP/IP communications.
If you have any questions or concerns about Ripple20, please contact us and we’ll be happy to assist you and share our knowledge with you or with your security experts.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.