LA SAFE Cyber Digest 04.05.2022


Multiple Hacker Groups Capitalizing on Ukraine […] Malware -TheHackerNews-04.04.2022
At least three different advanced persistent threat (APT) groups from across the world have launched
spear-phishing campaigns in mid-March 2022 using the ongoing Russo-Ukrainian war as a lure to distribute
malware and steal sensitive information. The campaigns, undertaken by El Machete, Lyceum, and
SideWinder, have targeted a variety of sectors, including energy, financial, and governmental sectors in
Nicaragua, Venezuela, Israel, Saudi Arabia, and Pakistan. Similar warnings came from Google’s Threat
Analysis Group (TAG), which disclosed that nation-state-backed threat groups from Iran, China, North
Korea, and Russia are leveraging war-related themes in phishing campaigns and other malicious activities.

Apple and Meta Gave User Data to Hackers […] Legal Requests-Bloomberg-03.30.2022
Apple Inc. and Meta Platforms Inc., the parent company of Facebook, provided customer data to hackers
who masqueraded as law enforcement officials. Apple and Meta provided basic subscriber details, such as
a customer’s address, phone number and IP address in response to the forged “emergency data requests.”
Normally, such requests are only fulfilled with a search warrant or subpoena signed by a judge, according to
people familiar with the matter. Emergency requests, however, do not require a court order. Law enforcement around the
world routinely asks social media platforms for information about users as part of criminal investigations.
Compromising the email domains of law enforcement is a large part of the issue. Analysts believe it will
be difficult to find a solution to this issue.

Analyst Note:
The goal of most APT attacks is to achieve and maintain ongoing access to a targeted network rather than
to get in and out as quickly as possible. A great deal of effort and resources can go into carrying out APT
attacks, with the goal of stealing information over a long period of time. The motives of advanced persistent
threat actors are varied but can include financial gains, trade secret theft, or espionage. Administrators
should work to detect anomalies in outbound and inbound data to see if their network has been the target
of an attack.


Modem-wiping Malware caused Viasat […] Outage in Europe-TheRegister-04.01.2022
According to SentinelOne, tens of thousands of Viasat satellite broadband modems disabled in a
cyber-attack some weeks ago were wiped by malware with possible links to Russia’s destructive VPNFilter.
As Russian troops invaded Ukraine, Viasat terminals were unexpectedly knocked offline and rendered
inoperable. This caused thousands of wind turbines in Germany to lose satellite internet connectivity needed
for remote monitoring and control. Viasat blamed a poorly configured VPN appliance, which allowed the threat
actors to reach a trusted management segment. From there they moved through the internal network until they were able
to instruct subscribers’ modems to overwrite their flash storage. This required a factory reset to restore the

April 5, 2022
Homeland Security Standing Information Needs (HSEC SINs): HSEC-1.1; HSEC-1.3; HSEC-1.3.2; HSEC-1.5; HSEC-1.5.2.
LA-SAFE SINs: LA-21010; LA-21030.
For additional information, please contact LA-SAFE at 1-800-434-8007 or and reference 22-039294

Exchange Servers Speared in IcedID Phishing Campaign-ThreatPost-03.29.2022
The ever-evolving banking trojan IcedID is back again with a phishing campaign that uses previously
compromised Microsoft Exchange servers to send emails that appear to come from legitimate accounts.
Researchers from Intezer earlier this month uncovered the campaign, which employs thread hijacking to
send malicious messages from stolen Exchange accounts, thus adding an extra level of evasion to the
campaign’s malicious intent. Threat actors use the compromised Microsoft Exchange servers to send the
phishing emails from the stolen accounts themselves, and the delivery of the malicious payload has also
shifted in a way that can execute malware without the user even knowing.

Analyst Note:
Security misconfigurations are easily exploited and can cause catastrophic harm to company operations.
Misconfiguration happens when a system administrator or developer does not properly configure the
security settings of their products, or when settings are never defined or implemented. As seen in the
above articles, misconfigurations are generally easy to exploit once discovered, and once a vulnerable
system is compromised, threat actors can cause significant damage. It is suggested that administrators change
default values and passwords, configure settings to prevent unauthorized administrative access, run scans,
and patch systems.

Apple Rushes out Patches for Two 0-days threatening iOS and macOS Users -ArsTechnica-03.31.2022
Apple on Thursday released fixes for two critical zero-day vulnerabilities in iPhones, iPads, and Macs that
give hackers dangerous access to the internals of the OSes the devices run on. The first vulnerability,
CVE-2022-22675, resides in macOS Monterey and in iOS or iPadOS for most iPhone and iPad models.
The second, CVE-2022-22674, also results from an out-of-bounds read issue that can lead to the disclosure
of kernel memory. CVE-2022-22674 and CVE-2022-22675 are the fourth and fifth zero-days Apple has
patched this year.

Patch Now: RCE Spring4Shell Hits Java Spring Framework-TheRegister-03.31.2022
The Java Remote Code Execution vulnerability is dubbed “SpringShell” or “Spring4Shell.” Praetorian
Security states, “when Spring is deployed to Apache Tomcat, the WebAppClassLoader is accessible, which
allows an attacker to call getters and setters to ultimately write a malicious JSP file to disk.” Spring
acknowledged the vulnerability and released 5.3.18 and 5.2.20 to patch the issue. Jeff Costlow, CISO of
the org, warned: “This remote code execution vulnerability is a severe remote code execution zero day that
can be accessed over HTTP or HTTPS.” Spring is a popular framework, and the vulnerability is a reminder
of the importance of knowing what your apps depend on, and how those dependencies are used.
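The closing point, knowing what your applications depend on, is the part of this item an administrator can act on immediately. The script below is an added example written for this digest, not code from Spring, Praetorian, or The Register. It audits a Maven pom.xml for Spring Framework dependencies and compares each version against the fixed releases named above (5.3.18 and 5.2.20). It assumes a Maven build; the list of framework artifacts it checks is an assumption, and versions in lines other than 5.2 and 5.3 (or versions inherited from a parent POM with no explicit version) are flagged for manual review rather than classified, since the digest names no fix for them. The sample pom.xml is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the digest: first safe version per supported line.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Assumption: flagging the core framework artifacts is enough to surface an
# affected build; the list is not from the digest.
SPRING_ARTIFACTS = {"spring-core", "spring-beans", "spring-context",
                    "spring-web", "spring-webmvc", "spring-webflux"}


def parse_version(text):
    """Turn '5.3.17' or '5.2.20.RELEASE' into a comparable (major, minor, patch) tuple."""
    parts = re.findall(r"\d+", text)
    if len(parts) < 3:
        raise ValueError(f"unrecognised version {text!r}")
    return tuple(int(p) for p in parts[:3])


def classify(version):
    """Return 'fixed', 'vulnerable', or 'review' for a Spring Framework version string."""
    try:
        v = parse_version(version)
    except ValueError:
        return "review"          # empty or unparsable (e.g. inherited from a parent POM)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "review"          # line not covered by the fixes named in the digest
    return "fixed" if v >= fixed else "vulnerable"


def find_spring_deps(pom_xml):
    """Yield (artifactId, resolved version) for org.springframework dependencies in a POM."""
    root = ET.fromstring(pom_xml)
    # Maven POMs are usually namespaced; reuse whatever namespace the root carries.
    ns = root.tag.split("}")[0] + "}" if root.tag.startswith("{") else ""
    props = {}
    for props_el in root.iter(f"{ns}properties"):
        for child in props_el:
            props[child.tag.replace(ns, "")] = (child.text or "").strip()
    for dep in root.iter(f"{ns}dependency"):
        group = dep.findtext(f"{ns}groupId", default="").strip()
        artifact = dep.findtext(f"{ns}artifactId", default="").strip()
        version = dep.findtext(f"{ns}version", default="").strip()
        if group != "org.springframework" or artifact not in SPRING_ARTIFACTS:
            continue
        # Resolve ${property} references such as ${spring.version}.
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), version)
        yield artifact, version


def audit_pom(pom_xml):
    """Return {artifactId: (version, status)} for every Spring Framework dependency found."""
    return {a: (v, classify(v)) for a, v in find_spring_deps(pom_xml)}


# Constructed sample POM (not a real project): one vulnerable, one fixed,
# one inherited (no version), and one non-Spring dependency.
SAMPLE_POM = """
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <spring.version>5.3.17</spring.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>5.2.20.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-beans</artifactId>
    </dependency>
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-core</artifactId>
      <version>9.0.60</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, (version, status) in audit_pom(SAMPLE_POM).items():
        print(f"{artifact:14} {version or '(inherited)':16} {status}")
```

Run it against a real pom.xml by reading the file into `audit_pom`; a dependency reported as "review" means the version comes from a parent POM or BOM and must be checked where it is actually defined, which is exactly the kind of indirect dependency the article warns about.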

Analyst Note:
Patches are software and operating system updates that address security vulnerabilities. To protect against
attacks, administrators should act as quickly as possible once a patch is advised or an issue is found. Good
practices for software update administration include enabling automatic software updates, not using
unsupported end-of-life software, and never using email links, advertisements, or untrusted networks to
download software updates (patches). The best defense against attackers exploiting emerging
vulnerabilities is to keep software updated.
