The new Cyber Threats Snapshot Report analyses the most significant threat actors, vulnerabilities and cybercrime activities in Q2 2022. The report, issued by Leonardo’s Cyber Threat Intelligence experts, focuses on various trends prevalent during the period:

• Intense activities involving pro-Russian and pro-Ukrainian threat actors;
• New attack techniques;
• New malware.

Pro-Russian and pro-Ukrainian threat actors: the battle in cyberspace continues

Since the beginning of the conflict, between April and June 2022 pro-Russian threat actors have continued to perpetrate malicious activities against countries that support Ukraine. The most common action was the DDoS (Distributed Denial of Service) attack, which disrupts the regular operation of a website or system by sending continuous requests that saturate its resources. Attacks on critical infrastructure and organisations operating in the airport, banking, military, government and public administration sectors also affected private and public Italian companies. Pro-Ukrainian threat actors countered the activities of their pro-Russian counterparts with similar actions and targets.

In this hybrid war there are new, specially-designed artefacts, like the Acid Rain wiper. This malware seeks to erase data and programmes on devices, rendering them unusable. In this case, it targeted a satellite communication service, leaving users in Ukraine and other European countries without internet services for several days. Many other attacks also damaged ICS and SCADA systems used to control and supervise industrial plants.

Exploiting trust to scam the user

A novel Browsing-in-the-Browser (BITB) attack technique appeared in Q2 2022. It comes under the heading of phishing – a technique through which an attacker tries to scam the victim into providing personal information, financial data or access codes by pretending to be a trustworthy party in a digital exchange. This technique is used to simulate single sign-on access windows and to replicate legitimate domains in an attempt to obtain access credentials.

Familiar techniques such as web skimming and Hertzbleed were also very prevalent. The former involves malicious activities designed to collect the payment details of visitors to a website during check-out. By exploiting vulnerabilities in e-commerce platforms, attackers can exfiltrate victims’ credentials and bank account or credit card information.

The second technique involves a side-channel attack, i.e. an attack aimed at a device with the objective of collecting information that can be used to hack the same. This allows a malicious user to obtain complete cryptographic keys from remote servers regarded as trustworthy.

New malware: from embryonic to modular

The quarterly report identifies a variety of new forms of malware:

• The Malware-as-a-Service (MaaS) Eternity Project is a toolkit sold on Telegram in six different modules, depending on the type of attack the perpetrator intends to perform: Stealer, Miner, Clipper, Ransomware, Worm and DDoS Bot.
• Quantum LNK Builder, marketed within underground communities and used to create files (LNK format), which, once opened, trigger the download of other malicious software packages.
• A new Traffic Direction System (TDS) tool, called Parrot TDS. Attackers use TDS to obfuscate the distribution of malicious content so that programmes analysing web content, web crawlers, and security providers fail to detect malicious activity when, in reality, the user is redirected to dangerous vulnerabilities and malware.
• ZingoStealer is a new threat first seen in March and still under development. It spreads via YouTube channels – with the pretext of installing software, such as key generators and game chats, which harvest confidential information – or through special Telegram and Discord channels.

For further information: cyberandsecurity@leonardo.com

Follow our Twitter, LinkedIn and Instagram social media channels to keep up to date on Leonardo initiatives.