Our reporting this week highlighted that nation-state actors in countries engaged in conflict continue to focus on intelligence gathering campaigns that could enable kinetic military activity. For example, the Iranian cyber espionage unit UNC3890 has been observed launching multiple campaigns against entities based in Israel. Both countries have been engaged in a proxy conflict spanning decades, which further strengthens the assessment that this activity was perpetrated by an Iranian adversary. In this latest campaign, UNC3890 targeted multiple sectors, including maritime, which we assess to be a focus for military intelligence collection.
Additionally, the Russian nation-state unit Gamaredon (also tracked as Shuckworm and Armageddon) has targeted Ukrainian organisations with information-stealing malware and multiple backdoors, including the Pteranodon backdoor that the threat group was observed deploying in April 2022. The backdoors are capable of audio recording through the device microphone, screen capture, keylogging, and launching executable files, all of which facilitate intelligence gathering operations. This is one of multiple campaigns launched by Gamaredon against Ukrainian entities since the start of the Russo-Ukrainian war in late February 2022, and such campaigns are likely to persist as the war continues unabated.
A critical vulnerability (CVSS: 9.8|OVSS: 42) affects networking devices built on the Realtek RTL819x system-on-chip that use the Realtek SDK. A remote adversary could crash the device, execute arbitrary code, establish backdoors for persistence, and reroute or intercept network traffic. Researchers have developed proof-of-concept exploit code for this vulnerability.
A use-after-free memory corruption vulnerability (CVSS: 8.8|OVSS: 50) in the Service Worker API in Google Chrome (versions prior to 103.0.5060.134) enables a remote adversary to exploit heap corruption via a crafted HTML page. A use after free occurs when an application keeps using memory after it has been freed; if the freed memory has since been handed out to another allocation, the stale reference reads or writes that other object's data, which is what makes the bug exploitable rather than merely a crash.
A use-after-free memory corruption vulnerability (CVSS: 8.8|OVSS: 37) affecting Views in Google Chrome (versions prior to 103.0.5060.134) allows a remote threat actor who has convinced a user to perform specific user interface interactions to exploit heap corruption. This vulnerability is currently being exploited in the wild.
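The mechanics behind both Chrome use-after-free bugs above, shown as an added example that is not code from the Chrome project or from this report. The general pattern is assumed rather than taken from either bug's details: an object is torn down on one path (a worker being unregistered, a View being closed by a UI interaction) while a second holder still keeps a raw pointer to it; the attacker then gets an allocation of the same size to land in the freed slot with contents they choose, and the next use of the stale pointer dispatches through attacker-controlled bytes. The toy fixed-size allocator is constructed here so that slot reuse is deterministic; the names `worker_t`, `registry_vuln`, `registry_safe`, `slab_alloc` and the two handler functions are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Toy slab allocator, constructed for this example: fixed-size slots handed
 * out from a LIFO free list, so a freed slot is the first one returned to the
 * next same-size request, exactly the reuse a heap exploit relies on. */
#define SLOT_SIZE 32
#define NSLOTS 4
static _Alignas(16) unsigned char slab[NSLOTS][SLOT_SIZE];
static int free_stack[NSLOTS];
static int free_top;

static void slab_init(void) {
    memset(slab, 0, sizeof slab);
    free_top = -1;
    for (int i = NSLOTS - 1; i >= 0; i--) free_stack[++free_top] = i; /* slot 0 on top */
}
static void *slab_alloc(void) {
    return free_top < 0 ? NULL : slab[free_stack[free_top--]];
}
static void slab_free(void *p) {
    free_stack[++free_top] = (int)(((unsigned char *)p - slab[0]) / SLOT_SIZE);
}

/* Hypothetical renderer-side object: a dispatch function pointer (think of a
 * vtable slot) followed by inline data. Sized to fill one slot exactly. */
typedef int (*handler_fn)(void);
typedef struct {
    handler_fn on_event;
    char name[SLOT_SIZE - sizeof(handler_fn)];
} worker_t;

static int benign_handler(void)   { return 1; }
static int attacker_handler(void) { return 0xBAD; } /* stands in for an attacker-chosen target */

/* Vulnerable: a second owner (the "registry") keeps a raw pointer that nobody
 * clears when the worker is destroyed. */
static worker_t *registry_vuln;

int vulnerable_flow(void) {
    slab_init();
    worker_t *w = slab_alloc();
    w->on_event = benign_handler;
    strcpy(w->name, "sw");
    registry_vuln = w;
    slab_free(w);                        /* worker destroyed; registry still points at the slot */

    /* Attacker-controlled allocation of the same size lands in the freed slot
     * and overwrites the bytes where on_event used to live. */
    unsigned char *spray = slab_alloc();
    handler_fn chosen = attacker_handler;
    memcpy(spray, &chosen, sizeof chosen);

    /* Stale use: the dispatch goes wherever the attacker's bytes point. */
    return registry_vuln->on_event();    /* returns 0xBAD */
}

/* Hardened: a single owner, the pointer is nulled at the point of free, and
 * every dispatch checks liveness first. The memory is scrubbed before release
 * so a stale read cannot recover the old function pointer either. */
static worker_t *registry_safe;

static void worker_destroy(worker_t **owner) {
    if (*owner == NULL) return;
    memset(*owner, 0, SLOT_SIZE);
    slab_free(*owner);
    *owner = NULL;
}

int hardened_flow(void) {
    slab_init();
    worker_t *w = slab_alloc();
    w->on_event = benign_handler;
    strcpy(w->name, "sw");
    registry_safe = w;
    worker_destroy(&registry_safe);      /* frees and clears in one step */

    unsigned char *spray = slab_alloc(); /* same slot reuse as before... */
    handler_fn chosen = attacker_handler;
    memcpy(spray, &chosen, sizeof chosen);

    if (registry_safe == NULL) return -1; /* ...but the dangling use is refused */
    return registry_safe->on_event();
}

int main(void) {
    printf("vulnerable dispatch returned 0x%x (attacker handler ran)\n", vulnerable_flow());
    printf("hardened dispatch returned %d (stale use rejected)\n", hardened_flow());
    return 0;
}
```

The vulnerable path is the one a "crafted HTML page" or a scripted UI interaction drives in a browser: trigger the free, groom the heap so the next same-size allocation is attacker data, then trigger the stale use. Real allocators add quarantine, type-isolated partitions and pointer poisoning to make the reuse step harder, but the fix that removes the bug class is the one in `hardened_flow`: one owner, clear on free, check before use.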
Key Intelligence Reports
- Chinese espionage unit APT41 splits Cobalt Strike beacons into 154 fragments to evade detection
In 2021, Chinese cyber espionage unit APT41 (also known as WICKED PANDA and Winnti) launched four campaigns, tracked as ColunmTK, DelayLinkTK, Mute-Pond, and Gentle-Voice, that targeted at least 80 entities and successfully gained varying degrees of access to at least 13. Read full report >>
- Iranian espionage unit UNC3890 targets Israeli critical national infrastructure entities
Active since 2020, an Iranian cyber espionage unit, tracked as UNC3890, is using social engineering and watering holes to target Israeli entities across multiple sectors including maritime, government, healthcare, and energy. Read full report >>
- Russian espionage unit Gamaredon targets Ukrainian organisations with backdoors and information-stealing malware
Since 15 July, the Russian nation-state unit Gamaredon (also tracked as Shuckworm and Armageddon) has targeted Ukrainian organisations to deliver information-stealing malware and multiple backdoors. Read full report >>
If you come across any issues or need assistance, please do not hesitate to reach out to Secrutiny.
What is OVSS?
The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat to, and impact of, a CVE, building on the vulnerability information provided by the CVSS (Common Vulnerability Scoring System) score.