In this weekly we investigate the emerging threat of the Node Package Manager (NPM) becoming an attack vector for software supply chains and the rising trend of extortion groups targeting companies without using ransomware. In terms of the war in Ukraine, we have escalated our cyber threat level from MEDIUM to HIGH due to highly targeted hacktivist activity against entities operating in NATO countries.
QuoIntelligence is tracking a campaign where the threat actors are using remote template injection to deliver an espionage implant targeting Russian entities. Researchers allege that the campaign in question is attributed to Chinese nation-state actors. We continue our Ukraine war Geopolitics and Cyber coverage. Since organizations increased their monitoring of Russian APTs, other threat actors are likely to fill the void and increase their activities, as we have observed with Chinese state-sponsored threat actors over the last weeks.
This week we cover our observations of #Emotet development, including differences in #TTPs observed in recent samples. We also cover #Lazarus activity reported by AhnLab targeting the #defense and #chemical sectors. We are tracking this activity for awareness and early defense and prevention before proliferation of campaigns to European entities. Additionally, as the #war in #Ukraine continues into its third month, we cover the latest #geopolitical developments.
This week, the QuoIntelligence research team observed a campaign of the Gamaredon group, where SFX archives are used to deliver a VNC utility and a decoy document. This new wave started around the second week of April and is likely still ongoing. This activity of the Gamaredon group, a threat group extensively linked to operations of Russian intelligence and intrusions against targets in Ukraine, is in line with the ongoing invasion of Ukraine as well as the response from the EU and NATO countries.
This week, QuoIntelligence reveals our internal investigation findings about an ongoing phishing campaign delivering the banking trojan known as Gozi (aka Ursnif), which is targeting retail, telecom, and other organizations in Italy. We also continue our coverage on the war in Ukraine, including the discovery and disruption of Industroyer2.
This week we report on the ongoing conflict in Ukraine, possibly resulting in a longer second phase of the invasion. War crime allegations against Russia are currently unlikely to be prosecuted, and the rising energy crisis is likely to cause internal division in Europe. Meanwhile, new sanctions on Russia could result in new cyberattacks. Separately, read about Hive RaaS, which continues to improve its resources and operations to encrypt systems.
This week we cover the ongoing conflict in Ukraine as a potential peace agreement between Russia and Ukraine seems unlikely in the short and medium term. Additionally, while activity in Ukraine will likely remain mostly kinetic for the foreseeable future, long-reaching cyber retaliation efforts by Russia will likely target NATO and Ukrainian allies. Separately, we cover the significance of North Korean TA groups exploiting an RCE vulnerability in Google Chrome.
As the invasion of Ukraine enters its second month, there are no signs of a potential peace agreement any time soon. The conflict results in a rise of activism and hacktivism as the politicization and polarization of society increases. QuoIntelligence continues to assess the threat level for cyber threats as Medium-High. Read our Weekly for further details and analysis of the cyber and geopolitical events that led to this assessment. We also cover how an Initial Access Broker dubbed Exotic Lily is changing the threat landscape.
QuoIntelligence assesses the conflict in Ukraine is unlikely to be resolved in the short and medium term. We assess that the broadest threat to companies comes from hacktivist groups, while APT groups remain a threat especially to organizations providing #aid and support to Ukraine. In terms of the global impact of the conflict, it is likely the conflict will continue affecting energy and food security and result in increasing prices, potentially impacting business continuity. Read more about Ukraine and Russia in our weekly, as well as our analysis of alleged Russian activity exploiting MFA and PrintNightmare.
As the Russian invasion of Ukraine enters its third week, we analyze the latest cyber security events surrounding the invasion and the implications the conflict has for the global economy and supply chains.
Our assessment regarding the threat level for organizations remains the same. We continue to see highly motivated hacktivist groups and APTs engaged in increased cyber activity. We also cover Patch Tuesday in depth, as timely patching remains a pertinent step towards mitigating future attacks.