2022 - III Quarterly Bulletin

NC3 TOP – Threat Observatory Platform


Threat Agent activities

Behind every cyber-attack there is an actor with a specific intent. However, for many events, the identity and general motivation are unknown. On the other hand, some groups have been well known for years and their criminal activities and techniques are documented and monitored. Typically, they conduct targeted attacks against specific organisations, using relatively sophisticated tools and attack procedures.

Some of them are considered as State-sponsored, but the actual link with various countries stays often subject of controversies and should be considered with prudence.

In the third quarter of 2022, a substantial confirmation of the number of recognised activities of identifiable threat groups was observed.

As during previous quarters, the attribution rate of events is very low. This means that most of the ongoing attacks are not attributable.

According to the attribution found in the MISP records, the following groups were particularly active during this quarter:


External transfer pathway and infrastructures

The transfer of the malicious artefacts or payloads is done through a number of different types of technical procedures and infrastructures.

Also, during the third quarter of 2022, it is confirmed that the most frequently used strategy is associated with scams that use email or similar approaches to reach potential victims.

Phishing is the most common strategy, but other scam strategies are also recorded.

It should be noted that during this period two attacks concerned the exploitation of the vulnerability of network port 443 to conduct an SSRF (Server Side Request Forgery) attack on an Exchange server. The attacker targets an application that supports data imports from URLs or allows them to read data from URLs. URLs can be manipulated, either by replacing them with new ones or by tampering with URL path traversal.

The attribution rates are significantly better than for threat actors, even if still fairly low. Attribution means that it was possible to identify the external transfer pathway for a given event.

Infrastructures represent the type of systems being used for supporting attacks. Some are meant to compromise or help compromise, the targeted system, others are more focused on helping to maintain the foothold in it. Indeed, once access to a system device has been gained, a communication channel is maintained through the use of command and control (C2) infrastructures.

During this period there was a significant increase in events using networks related to Internet of Things (IoT) that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet.

Events that used Bots, i.e. autonomous programs that can interact with systems or users and that can support malicious activities, are decreasing during this period.



Tool

The monitoring system showed a substantial prevalence of the use of Malware especially associated with IoT systems.

The use of Ransomware tool increased in the third quarter.

The use of tools such as trojans and ransomware increased in the third quarter.


Points of access

The most common access point reported by MISPPRIV users is e-mail, which isn’t too surprising as it’s an effective ingress vector for several types of attacks. It’s often exploiting users’ weaknesses, be they voluntary (negligence) or involuntary (lack of knowledge about a specific threat.

During this period the attribution rate decreased.

With regard to component and system vulnerabilities, the monitoring system identified the following:


IT Target

Information on the attacked IT target is not sufficiently described by the analysed events.

It should be noted that there is still some residual evidence of the attack campaign related to the exploitation of a number of vulnerabilities in the Microsoft Exchange Server system.

During this period, no attacks on ICS (Industrial Control System) were recorded.


Type of Impact

The information detected by the monitoring system regarding the type of consequences for the victim is mainly related to ransom and scam demands.

Therefore, the attribution rate of this class remains rather low.


Type of Victim

During this quarter, there was an increase in the number of events detailing the type of affected victims, although in absolute terms, the number remains rather modest. Financial services are mainly highlighted as priority targets.