Back

Blogs

Ireland's Elections: What's next for climate pledges?

View All

Case Studies

Supporting BrainDrip LLC's Entry into the Hydrogen Market

View All

Upcoming Events

Webinars

Background image of various computer equipment with programming code on screens on table in dark room, cyber security conceptBackground image of various computer equipment with programming code on screens on table in dark room, cyber security concept

Thoughts

Cyber Threat Digest

30th Apr, 2024

As organisations embrace digital solutions and manage critical data more frequently, their susceptibility to cyber attacks grows. Threat actors are actively seeking out various potential vulnerabilities and the tools required to exploit them. This week, we delve into three specific attacks aimed at organisations.

“Click Bait: How a Phisherman’s Simple Hook Is Reeling in Big Cyber Fish”

Researchers have recently thrown a spotlight on a clever new phishing campaign called FROZEN#SHADOW that’s casting its net across continents, hooking systems in Asia, the Americas, and Europe with alarming simplicity. The bait? A lone hyperlink in an email that, when clicked, starts an infectious chain reaction, downloading a JavaScript file cleverly designed to act as the gateway for further malware misadventures.

This digital worm on a hook doesn’t stop wiggling there. The initial JavaScript file leads the victim to an MSI file paired with a dubious DLL, which cunningly disguises itself as a Malwarebytes Anti-Exploit software DLL. But instead of protecting against exploits, it unleashes the SSLoad malware, setting the stage for a nefarious performance. SSLoad quickly establishes rapport with a remote command and control (C2) server, ready to follow an array of malicious commands, including downloading and executing a Cobalt Strike beacon payload. The most noteworthy feature of these cyber anglers is the deployment of remote monitoring and management (RMM) software, such as ScreenConnect (now known as ConnectWise Control), to keep a strong grip on the infected systems.

The strategic reason behind this casting of a wide and seemingly random net remains murky, adding a layer of intrigue and unpredictability to FROZEN#SHADOW’s operations. On a tactical level, the lesson is clear: strong email filtering rules are essential armour against such phishing hooks, and caution must be exercised before running any executable files from email attachments without thorough external verification. As the digital seas grow more infested, vigilance remains the best defence against these phishing expeditions aiming for total domain dominance.

“Shadow Operations: How MuddyWater Exploits Atera Agent in Sophisticated Cyber Attacks”

The cyber threat landscape continues to evolve with adversaries like the @MuddyWater group cleverly manipulating legitimate tools to breach organisational defences. Since October 2023, there’s been a notable increase in the use of Atera Agent, a legitimate remote monitoring and management (RMM) software, by @MuddyWater for malevolent purposes. This group, notorious for its stealth and efficacy, has employed Atera’s 30-day free trial to create “Agents” that facilitate a range of intrusive activities, from file uploads and downloads to running interactive shells and accessing advanced generative AI assistance tools.

The operation leverages both compromised business and private email accounts, as well as email addresses possibly created by the group, to register for Atera’s services. These Atera Agent installers are then cunningly distributed through phishing emails, meticulously tailored to each targeted organisation, thus enhancing the deception. The breadth of this campaign is vast, with organisations in Israel, India, Algeria, Turkey, Italy, and Egypt falling victim. These entities span multiple sectors including aviation, IT, telecommunications, pharmaceuticals, manufacturing, logistics, and tourism, underscoring the strategic and indiscriminate targeting by @MuddyWater.

The tactical use of Atera Agent by @MuddyWater, active since at least 2017 and linked to Iran’s Ministry of Intelligence and Security by the United States Cyber Command in 2022, hints at motivations likely centred around cyber espionage. The exact purposes of installing Atera Agent on the victims’ systems remain shrouded in mystery, mirroring previous campaigns aimed at intelligence gathering. As the digital arena becomes increasingly weaponised, the blending of legitimate service abuse with phishing tactics by groups like @MuddyWater presents an escalating challenge, demanding heightened vigilance and robust defensive strategies from global organisations.

“Digital Shadows: How Sandworm’s Cyber Manoeuvres Could Threaten Global Energy Security”

As Sandworm, or APT44, falls under the global spotlight, far more is being discovered about this notorious Russia-based threat actor and their sophisticated tactics. Recently, Sandworm has been disguising its operations under the guise of hacktivist movements, using aliases like “XakNetTeam”, “CyberArmyofRussia_Reborn”, and “Solntsepek”. Through Telegram-based channels, these groups coordinate attacks and propagate pro-Russian narratives, complicating efforts to trace these activities back to their true origin. This strategy highlights the complex and adaptive nature of modern cyber warfare, where geopolitical tensions are exploited to create disruption and sow discord.

Sandworm’s recent cyberattacks, particularly against Ukrainian infrastructure, underscore the broader risks to interconnected systems worldwide. The use of sophisticated malware tools like “QueueSeed” and “GossipFlow” serves as a potent reminder of our vulnerabilities, especially as Western nations, including the UK, increasingly depend on digital technologies within critical energy infrastructures. The potential for similar attacks on the UK energy sector is a concerning possibility. Such disruptions could cause not just immediate logistical problems but also lead to significant economic and national security challenges.

For organisations within the UK energy sector and globally, it is crucial to prioritise cybersecurity readiness to defend against these types of state-sponsored threats. Strengthening the resilience of critical infrastructure necessitates enhanced cooperation among stakeholders across public and commercial sectors. By investing in proactive cybersecurity measures and fostering a culture of cyber awareness, the UK energy industry, and others worldwide can better navigate this tumultuous threat environment, safeguarding national interests and vital services against emerging cyber threats.

Authors

Ian Hirst

Partner, Cyber Threat Services

Read Bio