Our reporting this week demonstrated that nation-state espionage units continue to prioritise Russia as a target to gather intelligence on its military and political strategies in relation to the war in Ukraine. An unidentified threat actor has deployed a newly identified custom Remote Access Trojan (RAT), labelled Woody, to target Russian entities, including the government-controlled aerospace and defence corporation OAK. The threat actor, thought to be either Chinese or North Korean-affiliated, has been observed exploiting the Follina vulnerability, tracked as CVE-2022-30190 (CVSS: 7.8|OVSS: 100), demonstrating that it continues to prove effective in state-sponsored cyber espionage campaigns.
Additionally, we covered that the ALPHV (also known as BlackCat) ransomware-as-a-service group compromised gas pipeline operator and electricity provider Creos Luxembourg S.A (Creos) in a double extortion operation, having exfiltrated 150GB of sensitive data. Creos is owned by Encevo, a leading energy supplier that is active in Germany, France, Belgium, and the Netherlands, and operates more than 300,000 delivery points for natural gas and electricity. European governments are increasingly focusing on the energy sector to reduce energy reliance on Russia, in light of its ongoing war in Ukraine. Consequently, any disruption to energy suppliers is likely to affect supply chain operations, thereby increasing the pressure on victims to pay a ransom. This threat is especially pertinent to Critical National Infrastructure (CNI) sectors running essential services.
The flaw (CVSS: 8.8|OVSS: 67) is a heap-based buffer overflow vulnerability in WebRTC that, if successfully exploited, can lead to code execution on a target device. In July 2022, it was discovered that private Israeli spyware firm Candiru exploited this former zero-day vulnerability to deliver DevilsTongue spyware to journalists and other high-value individuals in Lebanon, Turkey, Yemen, and Palestine.
This is an OS Command Injection vulnerability (CVSS: 8.1|OVSS: 22) present in Node.js versions <14.20.0, <16.20.0, <18.5.0, caused by an insufficient IsAllowedHost check that can easily be bypassed. The underlying defect is that IsIPAddress does not properly check whether a host string is a valid IP address before DNS requests are made. If successfully exploited, this vulnerability enables threat actors to compromise private networks through DNS rebinding attacks.
Key Intelligence Reports
- Russian entities targeted with newly identified Woody RAT
For at least a year, an unidentified threat actor has deployed a newly identified custom Remote Access Trojan (RAT), labelled Woody, to target Russian entities, including government-controlled aerospace and defence corporation OAK. Read full report >>
- ALPHV ransomware gang compromises leading European energy supplier Encevo Group
The ALPHV, also known as BlackCat, ransomware-as-a-service gang has compromised Creos Luxembourg S.A (Creos), a gas pipeline operator and electricity provider, and exfiltrated 150GB of sensitive data. Read full report >>
- New attack framework Manjusaka used to target Windows and Linux systems
A new attack framework, tracked as Manjusaka, is being advertised online as an imitation of Cobalt Strike and is currently being used in the wild to target Windows and Linux systems. Read full report >>
What is OVSS?
The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat to and impact of CVEs, building upon the vulnerability information that is provided as part of the CVSS (Common Vulnerability Scoring System) score.