Our reporting this week highlights Russian nation-state adversaries persistently targeting Ukrainian and Western government entities. This week, we reported that the Russian state unit APT29 launched multiple phishing campaigns between May and June targeting Western diplomatic organisations. The multi-stage infection process leverages Google Drive and Dropbox to deliver the initial EnvyScout dropper and culminates in the deployment of a final payload, posing as a Google product, which gathers system information, exfiltrates data to a Google Drive share, and drops additional payloads, including Cobalt Strike.

Additionally, we covered a Russian nation-state unit that leveraged a modified version of the open-source GoMet backdoor against a Ukrainian software development company. The company provides software to Ukrainian government entities, indicating a realistic possibility that the threat group intended to launch a supply-chain compromise.

Despite a reported decrease in frequency of critical Russian state-sponsored operations against Ukraine in recent months, these latest campaigns demonstrate that Russia continues to target Ukrainian government sector organisations amidst the countries’ ongoing war. Both campaigns also showcase the nation-state groups’ evolving tactics, techniques, and procedures (TTPs) to prevent detection by developing obfuscation and persistence techniques.

Key Vulnerabilities

  1. CVE-2022-20857
    A critical vulnerability (CVSS: 9.8|OVSS: 26) impacting Cisco Nexus Dashboard for data centres and cloud network infrastructures that could enable an unauthenticated remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack.
  2. CVE-2022-30222
    A high-severity remote code execution vulnerability (CVSS: 8.4|OVSS: 36) affecting machines with a Japanese language pack installed that could be exploited to gain system privileges. This vulnerability is actively being exploited in the wild.
  3. CVE-2022-2385
    This vulnerability (CVSS: 8.8|OVSS: 36) is found in the IAM Authenticator for Kubernetes, a tool used by Amazon Elastic Kubernetes Service (EKS), and could enable adversaries to gain elevated privileges on a Kubernetes cluster. We assess that there is a 92% likelihood of future exploitation.

Key Intelligence Reports

  1. Russian state unit APT29 targets Western diplomatic entities to deliver EnvyScout dropper
    Between May and June 2022, Russian state unit APT29 (also known as Nobelium) launched multiple phishing campaigns to compromise Western diplomatic entities and deliver EnvyScout, a malware dropper.
  2. Russian state unit targets Ukrainian software development entity with GoMet backdoor
    A Russian nation-state unit has targeted a Ukrainian software development company with a modified version of the open-source GoMet backdoor.
  3. Operators of newly emerged BlueSky ransomware have Russian origins
    A newly identified ransomware operation, tracked as BlueSky, has actively targeted private entities and has suspected connections with the now defunct Conti ransomware syndicate.

What is OVSS?

The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat to and impact of CVEs, building upon the vulnerability information that is provided as part of the CVSS (Common Vulnerability Scoring System) score.
