Picus Cyber Threat Intelligence Report May 2023: Key Threat Actors, Vulnerable Regions, and Industries at Risk

Welcome to Picus Security's monthly cyber threat intelligence roundup! 

Each month, we aim to provide a comprehensive yet digestible analysis of the evolving threat landscape, including insights into the most targeted and at-risk sectors, industries, and regions by cybercriminals in the wild.

Our research is conducted throughout the entire month, utilizing a diverse range of resources that span across threat intelligence and malware dump platforms, blogs, exploit databases, sandboxes, and network data query results. We draw upon this wealth of information to provide you with a holistic understanding of the cyber threat environment, with a particular focus on dissecting, attack campaigns conducted by threat actors and advanced persistent threat (APT) groups, and new malware samples observed in the wild.

By following our monthly threat report, you'll be able to ascertain which threat actors or malware could potentially impact your sector, gauge if your country is being specifically targeted, and understand if there is a surge in threat activity correlated with geopolitical events or state-backed actions. 

Executive Summary

• In May, the most targeted regions for cyber attacks were Northern America (U.S.), South East Asia, South Asia, East Asia, and Eastern Europe. These regions faced severe cyber threats from various malicious actors, with geopolitical tensions appearing to drive the motivation and geographical targeting of major cyber threat actors. The escalation of cyber threats in these regions underscores the importance of robust security measures and geopolitically informed cybersecurity defenses.

• The Manufacturing, Technology, Education, Government, and Transport sectors remain prime targets for cyber attacks. The significant distress experienced within the Manufacturing sector indicates the potential socio-economic impact of these threats, heightening the need for comprehensive protections across all targeted industries. 

• The most active threat actors in May, including Earth Longzhi APT (a subgroup of APT 41), Lazarus APT, Volt Typhoon APT, SideWinder APT, BianLian Ransomware Gang, Void Rabisu APT, Camaro Dragon APT, Kimsuky APT, APT 28 (Fancy Bear), and Bl00dy Ransomware Gang, demonstrated a concerning evolution in the cybersecurity landscape, with political motivations appearing to drive their diverse global targets. This highlights the pressing need for comprehensive, context-aware cybersecurity protection strategies against these evolving threats.

• Chinese APT Earth Longzhi targeted Asia-Pacific and U.S. sectors, reflecting their strategic interests, while North Korean groups Lazarus APT and Kimsuky APT groups exploited U.S. servers and focused on South Korea, indicating persistent state-level hostilities. Additionally, Russian-affiliated actors VoidRabisu APT and APT28 escalated their attacks on Ukraine and Eastern Europe, mirroring the heightened physical conflict in these regions.

Top 10 Most Targeted Regions in May

In this section, we are going to talk about the top five regions at risk of cyber attacks.

The gravity of cyber threats in North America (U.S), especially ransomware attacks from various groups, is disturbingly high, posing a real and persistent threat to both corporate entities and the civil society. The high-activity APTs in South East and South Asia, particularly SideWinder APT, exhibit an unsettling potential for large-scale infrastructural damage. In East Asia, the multiplicity of sophisticated APTs and GobRAT malware underlines a tense cyber warfare landscape. The extensive list of threats in Eastern Europe, including the notorious APT 28, alongside a variety of destructive tools, paints a worrying picture of the cyber threat landscape, reinforcing the pressing need for robust security measures.

The following table delineates the five most frequently targeted regions, accompanied by a list of the primary threat actors and malware specifically targeting these regions.

Top 5 Most Targeted Sectors in May

In this section, we are going to talk about the top five industries and sectors at risk of cyber attacks.

The Manufacturing sector is under significant distress, as high-impact APTs and ransomware groups persistently deploy a variety of disruptive malware. Security experts in the Technology sector face an unnerving landscape, navigating sophisticated APTs and menacing Phishing-as-a-Service tools employing advanced RATs. The Education sector, traditionally viewed as less threatened, now confronts an escalating threat level, signaling an alarming expansion in the attackers' scopes. The Governmental organizations continue to be a prime target, causing unease among cyber defenders who must counter a wide range of well-coordinated APTs using stealthy backdoors. The Transportation industry’s vulnerability to complex APTs is a matter of considerable concern, as disruptions here can have widespread socio-economic consequences.

The following table delineates the five most frequently targeted sectors, accompanied by a list of the primary threat actors and malware specifically targeting these regions.

Top 10 Most Active Threat Actors in May

In May, the top 10 most active threat actors displayed varying motivations and geo-targeting strategies, often reflecting underlying geopolitical tensions. This overview underscores their diverse tactics while emphasizing the critical role geopolitically-informed cybersecurity defenses play in navigating this evolving threat landscape.

1. Earth Longzhi (A Subgroup of APT 41)

Earth Longzhi, a subgroup of the Chinese state-sponsored APT41, was among the active cyber threat actors in May.

The group initially infiltrated networks through DLL side-loading and subsequently exfiltrated the sensitive data via credential dumping. Attackers utilized a tool called Roxwrapper, which dropped multiple malicious components to facilitate their attack. As the most significant part of their attack campian, Earth Longzhi employed “Stack Rumbling” to disable security defenses [15], impairing running security products via a vulnerable driver in a “Bring Your Own Vulnerable Driver” attack [16]. 

As for geographical distribution of the Earth Longzhi attacks, their recent campaign has targeted the Philippines, Thailand, Taiwan, and Fiji. Researchers also suggest that Vietnam and Indonesia may be potential targets in the near future.

2. Lazarus APT 

Lazarus Group, a North Korean threat actor, was focusing on exploiting Windows IIS web servers for cyber-espionage in May. 

The Lazarus APT group leverages a DLL side-loading attack, compromising vulnerable servers, and then deploying additional malware for credential theft and lateral movement. Their expanding repertoire of attack vectors, like Log4Shell and public certificate vulnerabilities, underscores their increasing threat. 

Recent U.S. sanctions against North Korean entities associated with Lazarus, including the Technical Reconnaissance Bureau and the Chinyong Information Technology Cooperation Company, further spotlight the group's significant global risk [17]. Constant vigilance and proactive security are crucial in mitigating this threat.

3. Volt Typhoon APT

The China-based APT group Volt Typhoon continues to pose a considerable threat to critical U.S. infrastructure [18]. 

Volt Typhoon mainly leverages living-off-the-land techniques and hand-on-keyboard activity, targeting sectors like communication, manufacturing, and government, among others. Adversaries initially gain access through internet-facing devices, moving laterally within networks using valid credentials, often harvested from compromised servers. By routing traffic through small office and home network equipment, they maintain stealth and blend into normal network activity. 

A notable shift suggests they're developing capabilities to disrupt critical communications infrastructure between the U.S. and Asia, revealing their potential to cause severe disruptions in future crises.

4. SideWinder APT 

APT SideWinder, also known as Rattlesnake, is a South Asia-origin cyber threat actor. The group actively targeted sectors like military, government, education, healthcare, and cryptocurrency in May [19].

Their attack chain often begins with a sophisticated spear-phishing campaign or exploiting public-facing applications. After gaining initial access, they utilize both custom malware and living-off-the-land techniques to navigate networks, maintain persistence, and gather valuable data. 

Victim statistics show that SideWinder APT group focuses their operations on Pakistan, China, Nepal, Afghanistan, Bangladesh, Myanmar, the Philippines, Qatar, and Singapore, signifying a significant global threat. Their ability to stay undetected makes them a formidable adversary.

5. BianLian Ransomware Gang

BianLian is a ransomware and data extortion cybercriminal group active since June 2022, notably targeting U.S. and Australian critical infrastructure, professional services, and property development sectors [20]. 

They primarily gain access through compromised Remote Desktop Protocol (RDP) credentials, utilize open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrate data via FTP, Rclone, or Mega. Initially employing a double-extortion model, they shifted in January 2023 towards mostly exfiltration-based extortion. 

The group threatens data release for ransom, increasingly applying pressure tactics like direct threatening phone calls to victims. Security advisories recommend limiting use of RDP, disabling command-line and scripting activities, and regularly updating PowerShell to mitigate threats.

6. Void Rabisu

Void Rabisu is an advanced cybercrime group, likely of Russian origin, known for launching sophisticated cyber attacks against Ukraine, Eastern Europe, and NATO countries [21]. They mainly target governmental organizations and the defense industry. 

Void Rabisu employs deceptive tactics by utilizing fake or hijacked legitimate companies, creating seemingly credible certificates and websites, then exploiting them to distribute trojanized applications, notably the RomCom 3.0 malware. 

Their methods blur the line between traditional cybercrime and advanced persistent threats, indicating a concerning evolution in the cybersecurity landscape.

7. Camaro Dragon APT

Camaro Dragon, a Chinese state-sponsored APT group, primarily targets Southeast Asian countries like Myanmar and Indonesia, along with East Asian embassies, focusing on foreign affairs matters. 

Camaro Dragon employs the Horse Shell router implant, enabling remote shell access, file transfer, and network tunneling. This implant infects TP-Link routers, creating a chain of infected nodes. The attack path of Camaro Dragon involves compromising routers, establishing a command and control infrastructure, and conducting operations to maintain persistence and exfiltrate sensitive information. 

It is important to note that although the precise relationship between Camaro Dragon and Mustang Panda is uncertain, there are significant overlaps between the two groups.

8. Kimsuky APT 

Kimsuky, a North Korean APT group, targets information services, human rights groups, and defector support organizations, mostly in South Korea [22]. 

The group uses phishing emails, often impersonating South Korean entities. These emails contain malicious Microsoft Compiled HTML Help files which, when opened, deploy a variant of the RandomQuery malware. The malware facilitates system reconnaissance, file enumeration, and information exfiltration, preparing ground for subsequent, more precise attacks. 

Simultaneously, Kimsuky sets up deceptive digital infrastructure using new top-level domains, mimicking legitimate ones, to obfuscate their malicious activities and to dupe targets and network defenders.

9. APT 28

APT28, tied to the Russian GRU, targets Ukrainian civil society using diverse phishing techniques [23]. 

This includes "Man in the Browser" attacks with decoy HTML attachments, use of HTTP webhook services like Pipedream and Webhook.site for data exfiltration, and compromising Ubiquiti routers for 2FA bypass and automated data exfiltration. Typically, the group impersonates local entities, tricking victims into disclosing credentials. They specifically target the UKR.NET webmail service, but these techniques could potentially be used against other webmail services supporting Ukraine. Their attack path shows a sophisticated, multi-step process to ensure successful, concealed data theft.

10. Bl00dy Ransomware Gang

The Bl00dy is a cybercriminal group originating from Eastern Europe, primarily targeting healthcare and finance sectors in North America, Western Europe, and Asia [24]. 

Using spear-phishing emails embedded with malicious URLs and attachments, they exploit human vulnerabilities to penetrate systems, then deploy ransomware, steal sensitive data, and disrupt services. Their modus operandi includes advancing through networks using lateral movements and credential harvesting. The group's activities have severe implications on international cyber-security.

References 

[1] B. Jamila, K. Seznec, and M. Charles, “Bluenoroff’s RustBucket campaign,” Sekoia.io Blog, May 22, 2023. [Online]. Available: https://blog.sekoia.io/bluenoroffs-rustbucket-campaign/. [Accessed: Jun. 07, 2023]

[2] “AuKill: A ‘defense evasion tool’ disables EDR software via BYOVD attack,” SISA, May 19, 2023. [Online]. Available: https://www.sisainfosec.com/threat-a-licious/aukill-defense-evasion-tool-disables-edr-software-via-byovd-attack/. [Accessed: Jun. 09, 2023]

[3] V. Telychko, “Merdoor Malware Detection: Lancefly APT Uses a Stealthy Backdoor in Long-Running Attacks Against Organizations in South and Southeast Asia,” SOC Prime, May 17, 2023. [Online]. Available: https://socprime.com/blog/merdoor-malware-detection-lancefly-apt-uses-a-stealthy-backdoor-in-long-running-attacks-against-organizations-in-south-and-southeast-asia/. [Accessed: Jun. 07, 2023]

[4] “Chinese Threat Actor Used Modified Cobalt Strike Variant to Attack Taiwanese Critical Infrastructure.” [Online]. Available: https://blog.eclecticiq.com/chinese-threat-actor-used-modified-cobalt-strike-variant-to-attack-taiwanese-critical-infrastructure. [Accessed: Jun. 09, 2023]

[5] L. Bezvershenko, “CloudWizard APT: the bad magic story goes on,” Kaspersky, May 19, 2023. [Online]. Available: https://securelist.com/cloudwizard-apt/109722/. [Accessed: Jun. 07, 2023]

[6] “Chameleon: A New Android Malware Spotted In The Wild,” Cyble, Apr. 13, 2023. [Online]. Available: https://blog.cyble.com/2023/04/13/chameleon-a-new-android-malware-spotted-in-the-wild/. [Accessed: Jun. 07, 2023]

[7] “How DCRat (AKA Dark Crystal) Works,” BlackBerry, May 09, 2022. [Online]. Available: https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains. [Accessed: Jun. 07, 2023]

[8] B. Toulas, “New RA Group ransomware targets U.S. orgs in double-extortion attacks,” BleepingComputer, May 15, 2023. [Online]. Available: https://www.bleepingcomputer.com/news/security/new-ra-group-ransomware-targets-us-orgs-in-double-extortion-attacks/. [Accessed: Jun. 07, 2023]

[9] gygy, “Tonto Team Using Anti-Malware Related Files for DLL Side-Loading,” ASEC BLOG, Apr. 25, 2023. [Online]. Available: https://asec.ahnlab.com/en/51746/. [Accessed: Jun. 07, 2023]

[10] “AlienVault - Open Threat Exchange,” AlienVault Open Threat Exchange. [Online]. Available: https://otx.alienvault.com/pulse/642d624ccd3a7cca31c9e252. [Accessed: Jun. 07, 2023]

[11] “Bl00dy Ransomware Gang Strikes Education Sector with Critical PaperCut Vulnerability,” The Hacker News, May 12, 2023. [Online]. Available: https://thehackernews.com/2023/05/bl00dy-ransomware-gang-strikes.html. [Accessed: Jun. 07, 2023]

[12] I. Arghire, “Microsoft: Iranian APTs Exploiting Recent PaperCut Vulnerability,” SecurityWeek, May 09, 2023. [Online]. Available: https://www.securityweek.com/microsoft-iranian-apts-exploiting-recent-papercut-vulnerability/. [Accessed: Jun. 07, 2023]

[13] “‘Lancefly’ espionage group targeting organizations across Asia with custom malware.” [Online]. Available: https://therecord.media/lancefly-espionage-malware-backdoor-asia-apt. [Accessed: Jun. 07, 2023]

[14] O. Rosengren, “The Five Bears: Russia’s Offensive Cyber Capabilities,” Grey Dynamics, May 12, 2023. [Online]. Available: https://greydynamics.com/the-five-bears-russias-offensive-cyber-capabilities/. [Accessed: Jun. 07, 2023]

[15] A. Mascellino, “Earth Longzhi Uses ‘Stack Rumbling’ to Disable Security Software,” Infosecurity Magazine, May 03, 2023. [Online]. Available: https://www.infosecurity-magazine.com/news/earth-longzhi-disable-security/. [Accessed: Jun. 02, 2023]

[16] “Attack on Security Titans: Earth Longzhi Returns With New Tricks,” Trend Micro, May 02, 2023. [Online]. Available: https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html. [Accessed: Jun. 02, 2023]

[17] K. Poireault, “US Sanctions North Korean Entities Training Expat IT Workers in Russia, China and Laos,” Infosecurity Magazine, May 24, 2023. [Online]. Available: https://www.infosecurity-magazine.com/news/us-sanctions-north-korea-entities/. [Accessed: Jun. 02, 2023]

[18] M. T. Intelligence, “Volt Typhoon targets US critical infrastructure with living-off-the-land techniques,” Microsoft Security Blog, May 24, 2023. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/. [Accessed: Jun. 02, 2023]

[19] “The distinctive rattle of APT SideWinder.” [Online]. Available: https://www.group-ib.com/blog/hunting-sidewinder/

[20] “#StopRansomware: BianLian Ransomware Group,” Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a. [Accessed: Jun. 02, 2023]

[21] “Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals,” Trend Micro, May 30, 2023. [Online]. Available: https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html. [Accessed: Jun. 02, 2023]

[22] A. Milenkoski, “Kimsuky,” SentinelOne, May 23, 2023. [Online]. Available: https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/. [Accessed: Jun. 02, 2023]

[23] F. Aimé, “APT28 leverages multiple phishing techniques to target Ukrainian civil society,” Sekoia.io Blog, May 17, 2023. [Online]. Available: https://blog.sekoia.io/apt28-leverages-multiple-phishing-techniques-to-target-ukrainian-civil-society/. [Accessed: Jun. 02, 2023]

[24] “Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG,” Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a. [Accessed: Jun. 02, 2023]