Our reporting this week focuses on the continued exploitation of the energy and utilities sector by ransomware groups. For example, Ragnar Locker ransomware operators have compromised Greece’s largest natural gas distributor DESFA, which suffered a limited-scope data breach and IT system outage following the incident. The threat actors attempted to infiltrate DESFA’s network and proceeded to share a list of stolen data alongside a small set of the stolen files.

This incident follows a series of compromises we have reported on against the energy and utilities sector in recent weeks, including the ALPHV ransomware compromise of European energy supplier Encevo Group and the Clop ransomware compromise of UK-based water utility entity South Staffordshire Water PLC. Ransomware groups are known to target critical national infrastructure entities as their susceptibility to downtime increases the pressure to pay a ransom. This factor will become increasingly pertinent as countries prepare for potential energy supply shortages during the coming winter months.

Key Vulnerabilities

  1. CVE-2022-2587
    Microsoft has discovered a critical memory corruption vulnerability (CVSS: 9.8|OVSS: 26) in a ChromeOS component that can allow remote threat actors to cause a denial of service or achieve remote code execution.
  2. CVE-2021-36260
    A vulnerability (CVSS: 9.8|OVSS: 63) affecting more than 70 Hikvision devices enables an adversary to launch a command injection attack. Although Hikvision released a patch in September 2021, researchers have found that approximately 80,000 devices remain unpatched and vulnerable to exploitation.
  3. CVE-2022-32893
    An out-of-bounds write vulnerability (CVSS: 8.8|OVSS: 49), whereby a program writes outside the bounds of an allocated area of memory, affecting the WebKit web browser engine used by Safari and other Apple applications. If exploited, this vulnerability can cause a programme to crash, corrupt data, or enable code execution.

Key Intelligence Reports

  1. APT29 uses novel TTPs to target NATO countries in Microsoft 365 campaigns
    The state-backed Russian cyber espionage group APT29 (also known as Cozy Bear and Nobelium) has been targeting Microsoft 365 accounts in the United States and other NATO countries with advanced tactics, techniques, and procedures (TTPs).
  2. Cybercriminal group TA558 targets hospitality, hotel, and travel organisations
    Since 2018, the small cybercriminal group TA558 has been targeting hospitality, hotel, and travel organisations in South America, with additional targeting observed in Western Europe and North America. 
  3. Greek natural gas operator DESFA compromised in Ragnar Locker ransomware operation
    On Saturday 20 August 2022, Greece’s largest natural gas distributor, DESFA, confirmed that it had suffered a limited-scope data breach and IT system outage following a ransomware attack. Ragnar Locker ransomware operators claimed responsibility for the incident after leaking the stolen data on their dedicated data leak extortion portal.

If you come across any issues or need assistance, please do not hesitate to reach out to Secrutiny. 

What is OVSS?

The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat posed by, and impact of, each CVE, building upon the vulnerability information provided as part of the CVSS (Common Vulnerability Scoring System) score.
