
Medibank's Hackers will be Hacked in Australia

 


Threat actors behind the Medibank hack that compromised nearly 10 million customers' private information are being hunted by the Australian government, cyber security minister Clare O'Neil said. 
The Australian Federal Police (AFP) announced on Friday afternoon that it had attributed the Medibank intrusion to Russian cybercriminals. 

The Russian embassy in Australia expressed disappointment that the AFP had named Russia-based criminals as the culprits without contacting Russian officials before the public announcement. 

In a statement released on Friday evening, the embassy said it encouraged the AFP to promptly contact the relevant Russian law enforcement agencies to seek assistance. 

Combating cybercrime that harms citizens and damages businesses, the statement continued, is a complex task that demands a cooperative, non-political and responsible approach from all members of the international community. 

On Saturday it was announced that the AFP and the Australian Signals Directorate (ASD) had agreed to create a permanent joint policing model that will cover both the Optus and Medibank data breaches and pursue the criminals behind them. 

"Around 100 officers from these two organizations will be a part of this joint standing operation, and many of these officers will be physically co-located with the Australian Signals Directorate," she said.

As Ms. O'Neil put it, the officers will be at work every day of the week, with the goal of dealing with these gangs and thugs as effectively as possible. 

Ms. Saunders explained that with this partnership the Australian Government has formalised a standing body responsible for the day-to-day pursuit and prosecution of the criminals behind these attacks on innocent people, hunting them down day in and day out. 

A group of the smartest and most determined people in Australia will be collaborating to track down the hackers. 

A New Permanent Policing Model 

In a statement, Attorney General Mark Dreyfus described the situation as "extremely distressing."

In response to the attack, the government released a statement stating that it would do everything it could to limit the impact of this horrible crime. It would also provide support and comfort to the families and friends of those who are affected. 

Dreyfus said in his remarks that the updated partnership between the AFP and the ASD aimed at fighting cyber criminals will be a permanent and formal agreement. 

The AFP, he explained, works full-time on this issue alongside international partners such as the FBI, which he said has done great work on the problem with the assistance of its own international partners, including the United Nations. 

As part of the investigation, AFP Commissioner Reece Kershaw on Friday said officers were also working with Interpol to track down the perpetrators of the crime. 

"We know who you are," he said, adding that the AFP has a strong record of bringing overseas offenders back to Australia to face the justice system. 

A Review of Australia's Diplomatic Relations With Russia is Currently Taking Place

Mr. Dreyfus said there would be no slowdown in the work of the national security agencies, and that diplomatic channels with Russia would remain open as far as extradition is concerned. 

Russia, it was said, should do all it can to prevent its citizens from engaging in these kinds of crimes while within its borders. 

Mr. Dreyfus said his government is taking a close look at its options regarding Russia's diplomatic profile in Australia. 

Australia would like to maintain its diplomatic channels as long as they serve the national interest, he said, and Russia's diplomatic profile must always be consistent with that. 

James Paterson, the opposition's cyber security spokesman, said the disclosure could have broad implications under Australia's Magnitsky-style sanctions regime.

Passed with bipartisan support, the regime makes it possible to impose targeted financial sanctions and travel bans in response to serious corruption and significant cyberattacks. 

At a press conference earlier today, Prime Minister Albanese told reporters he was dismayed and disgusted by the actions of those who committed this crime. He authorized AFP officials to release the details as a matter of public interest. 

Recently the hackers have released further Medibank customer medical records on the dark web, including information about abortions and alcoholism. 

The ransomware attack on Medibank's data resulted in the theft of close to 500,000 health claims along with personal information. 

There are several mental health and other support services available through Medibank's Resources Page, which is available to affected customers.

Battling the Russian Disinformation War

 

US-Russian ties have fluctuated over the years. Former US president Donald Trump was lenient towards the Kremlin from 2017 to 2020, a period in which the White House seemed to take a back seat on cybersecurity issues. 

The Biden administration, however, is ready to confront Russia on every possible front. After Russia invaded Ukraine last February, the European Union blocked RT and Sputnik, two of the Kremlin's main channels for spreading disinformation about the war. 

Blake Dowling, CEO of Florida-based Aegis Business Technologies, blamed Russian-backed hackers for cyberattacks against American infrastructure (Colonial Pipeline), businesses and government (SolarWinds and others), and elections. 

According to Dowling, Russia's Internet Research Agency (IRA) has also played a role in propagating disinformation around the globe.

The IRA is an army of internet trolls, founded by Yevgeny Prigozhin and based in an old arms factory in St Petersburg. Its operatives work like regular employees in eight-hour shifts. 

During a shift, employees must meet quotas such as creating a dozen social media accounts and posting five political and ten non-political posts, while also commenting on and liking hundreds of their colleagues' posts. 

One IRA employee wrote a blog post about a supposed new US video game with a slavery theme, aiming to stir up anti-US sentiment in Russia. No such game existed, but that was the job. 

Apart from social media trolls, a Russian hacktivist group called Killnet is also playing a major role in disrupting services in the United States. They are looking to cause chaos to the enemies of Russia, specifically those entities that side with Ukraine. 

The group's standard modus operandi is to launch distributed denial of service (DDoS) attacks that knock victims' websites offline. Earlier targets include the Eurovision song contest and, this month, fourteen airport websites in the United States. 

To counter this onslaught, the Department of Homeland Security and its Cybersecurity and Infrastructure Security Agency (CISA) recommend a Shields Up posture for American organisations and citizens. 

Shields Up refers to a heightened defensive posture for protecting data and technical assets: patching networks and hardware against known exploited vulnerabilities, requiring multi-factor authentication on remote access and privileged accounts, and using strong, unique passwords. CISA's own guidance leads with MFA and prompt patching of the vulnerabilities in its Known Exploited Vulnerabilities catalogue; routine password rotation matters less than making sure credentials are not reused or already exposed.
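The "patch known exploited vulnerabilities" half of Shields Up is only actionable if you can say which of your assets are affected. The script below, an added example that is not from the original post or from CISA, cross-checks an asset inventory against a catalogue excerpt in the shape of CISA's KEV JSON (the field names are the published ones; the entries, the inventory and the fixed-version table are constructed for the example, since the KEV catalogue itself carries no version ranges):

```python
"""Cross-check an asset inventory against a CISA KEV-style catalogue excerpt."""
import json
import re
from datetime import date

# Constructed catalogue excerpt. The field names follow the JSON schema CISA
# publishes for its Known Exploited Vulnerabilities catalogue; the entries
# themselves are illustrative and not real catalogue data.
KEV_SAMPLE = json.dumps({
    "title": "sample catalogue excerpt (constructed)",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
         "dateAdded": "2022-09-01", "dueDate": "2022-09-22",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "MailRelay",
         "dateAdded": "2022-10-05", "dueDate": "2022-10-26",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Assumed fixed versions. KEV carries no version ranges, so in practice these
# come from the vendor advisory linked from each catalogue entry.
FIXED_IN = {"CVE-0000-0001": "4.2.1", "CVE-0000-0002": "1.8.0"}

# Constructed inventory, as an asset database might export it.
INVENTORY = [
    {"host": "fw-01", "vendorProject": "ExampleVendor", "product": "EdgeGateway", "version": "4.1.9"},
    {"host": "fw-02", "vendorProject": "ExampleVendor", "product": "EdgeGateway", "version": "4.2.1"},
    {"host": "mx-01", "vendorProject": "examplevendor", "product": "mailrelay", "version": "1.7"},
]


def version_key(version):
    """Numeric tuple for comparison: '4.2.1' -> (4, 2, 1). Adequate for dotted versions."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def load_kev(text):
    """Index catalogue entries by case-insensitive (vendor, product)."""
    index = {}
    for entry in json.loads(text)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)
    return index


def find_exposures(inventory, kev_index, fixed_in, today):
    """Return inventory items matching a KEV entry that are still below the fixed version."""
    findings = []
    for asset in inventory:
        key = (asset["vendorProject"].lower(), asset["product"].lower())
        for entry in kev_index.get(key, []):
            fixed = fixed_in.get(entry["cveID"])
            if fixed and version_key(asset["version"]) >= version_key(fixed):
                continue  # already patched
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "version": asset["version"],
                "fixed_in": fixed,
                "overdue": today > date.fromisoformat(entry["dueDate"]),
                "requiredAction": entry["requiredAction"],
            })
    return findings


def run_sample(today_iso="2022-10-15"):
    """Run the constructed inventory against the constructed catalogue."""
    return find_exposures(INVENTORY, load_kev(KEV_SAMPLE), FIXED_IN, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run_sample():
        state = "OVERDUE" if f["overdue"] else "due soon"
        print(f"{f['host']}: {f['cveID']} running {f['version']} (fixed in {f['fixed_in']}) {state}")
```

Matching on vendor and product names is deliberately loose (case-insensitive) because inventories rarely spell them exactly as the catalogue does; the fixed-version table is what stops already-patched hosts from showing up as findings.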

Security Experts Raise Concern Regarding Fairness of Conservative Leadership Contest

 

Malicious actors from rogue nations could try to discredit the Tory online vote with false narratives regarding the fairness of an online members’ vote, cybersecurity experts warned. 

After the controversial exit of Liz Truss, Conservative MPs will vote for their preferred candidate in a series of ballots. If two candidates remain after Monday, Tory party members will decide the new UK prime minister in an online vote. 

Online voting concerns 

During the last Tory leadership election, held over the summer, the online publication Tortoise registered four bogus Conservative members to demonstrate how open the contest was to manipulation. 

The website signed up two foreign nationals, a person who did not exist and a pet tortoise as members of the Conservative Party. The party accepted the £25 payment for each registration, and the bogus recruits were issued membership numbers and invited to hustings. 

According to James Harding, the editor of Tortoise, the incident raised serious concerns about the security of the vote. He condemned the secrecy surrounding the ballot, with the Conservatives refusing to give real insight into their membership or the security arrangements. 

“I think that it’s reasonable if you live in a democracy to try and know who’s voting the prime minister into power,” Harding stated. “If you want to have confidence in your democracy you have to have some understanding of how the election works and that someone is supervising it. We could find ourselves in a position where we go to another membership contest and the membership is doing that online, and how do we know that’s secure?” 

However, Conservative Party chairman Jake Berry insisted that the web ballot will be “secure”, even though it had to be ditched for the last contest over concerns about loopholes in the system. “Without going into the security measures we will take, for reasons I'm sure you will understand, we are satisfied that the online voting system will be secure,” Berry stated. 

The concerns are raised amid warnings from threat analysts that hostile states like Russia could attempt to hijack the poll and influence who becomes the next Prime Minister. 

In 2016, Russia was accused of attempting to interfere in key votes including the US presidential race and the Brexit referendum. 

According to Peter Ryan, a professor of applied security at the University of Luxembourg, Russian intelligence services could exploit the rules that allow Tory members living abroad to vote. 

“We don't know that much about the electorate that is putting in place the leader of a G7 country,” he said. “For all we know, the KGB could have signed up a significant number of stooges. The margin last time was low - it would not take much to swing it.”

KillNet: Pro-Russian Threat Actors Claim Responsibility for 14 DDoS Attacks on U.S. Airports

 

On Monday, the pro-Russian hacker group KillNet reportedly claimed responsibility for DDoS attacks that temporarily took down the websites of several U.S. airports.
 
Hartsfield-Jackson Atlanta International Airport was among those affected: users were unable to reach the websites for a few hours during the campaign, though the attacks had no impact on flight operations.
 
Los Angeles International Airport (LAX) reported the disruption of its website to the Transportation Security Administration and the FBI.
 
"The service interruption was limited to portions of the public facing FlyLAX.com website only. No internal airport systems were compromised and there were no operational disruptions," a spokesperson said in an emailed statement. She added that the airport's IT team had restored all services and was investigating the cause.
 
The group later posted a list of 14 targeted airport domains on Telegram, urging other hackers to join the DDoS attack.
 
The airport websites affected include Los Angeles International (LAX), Chicago O'Hare International (ORD), Hartsfield-Jackson Atlanta International, Orlando International (MCO), Denver International (DIA), Phoenix Sky Harbor International (PHX), and the sites of airports in Kentucky, Mississippi and Hawaii.
 
In a Telegram post on Monday, KillNet listed other U.S. sectors that could be the next targets of similar DDoS attacks: sea terminals and logistics facilities, weather monitoring centres, health care systems, subway systems, and exchanges and online trading systems.
 
This was not KillNet's first campaign: the group has previously targeted NATO countries that opposed the Russian invasion of Ukraine, including Italy, Romania, Estonia, Lithuania and Norway.
 
KillNet's DDoS attacks, and its calls for other threat actors to join them, are an example of what security experts see as a growing tendency for geopolitical tensions to spill into cyberspace. The campaign against the US and other NATO countries began days after an explosion destroyed a section of the bridge connecting Russia to the Crimean Peninsula.
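The attacks described above were volumetric floods against public web servers. As an added example (not code from the original post or from any of the airports), the script below runs sliding-window counts over web-server access logs in the combined format that Apache httpd and nginx write by default. It reports both sources that exceed a per-IP burst threshold and the peak aggregate request rate, because a crowd-sourced flood of the kind KillNet recruited for can stay under any per-IP limit while still overwhelming the site. The log lines are constructed inline; the IP ranges are documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format, as written by Apache httpd and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return ip, timestamp and request line, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "req": m["req"]}


def detect_floods(lines, window_s=10, per_ip_max=50):
    """Sliding-window request counts over time-ordered log lines.

    Returns (offenders, peak_rps): offenders maps each source IP whose request
    count within some window_s-second window exceeded per_ip_max to its peak
    count; peak_rps is the highest aggregate request rate seen, the signal that
    survives when a botnet spreads the flood across many sources.
    """
    per_ip = defaultdict(deque)
    peak_per_ip = defaultdict(int)
    overall = deque()
    peak_overall = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t = rec["ts"].timestamp()
        q = per_ip[rec["ip"]]
        q.append(t)
        while t - q[0] > window_s:  # drop requests that fell out of the window
            q.popleft()
        peak_per_ip[rec["ip"]] = max(peak_per_ip[rec["ip"]], len(q))
        overall.append(t)
        while t - overall[0] > window_s:
            overall.popleft()
        peak_overall = max(peak_overall, len(overall))
    offenders = {ip: n for ip, n in peak_per_ip.items() if n > per_ip_max}
    return offenders, peak_overall / window_s


def build_sample_log():
    """Constructed log lines: three ordinary visitors and two flooding sources."""
    base = datetime(2022, 10, 10, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3"):
        events += [(2 * k, ip, "/flights") for k in range(5)]
    for ip in ("203.0.113.10", "203.0.113.11"):
        events += [(sec, ip, "/") for sec in range(8) for _ in range(10)]
    lines = []
    for sec, ip, path in sorted(events, key=lambda e: (e[0], e[1])):
        stamp = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    offenders, peak_rps = detect_floods(build_sample_log())
    print(f"peak aggregate rate: {peak_rps:.1f} req/s")
    for ip, n in sorted(offenders.items()):
        print(f"flood source {ip}: {n} requests in a 10 s window")
```

The thresholds are placeholders: tune per_ip_max to the site's real traffic, and compare the aggregate rate against a baseline rather than a fixed number. Once a site is already down, this analysis is for attribution and for feeding blocklists to the upstream DDoS mitigation provider; it does not by itself keep the site up.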

Void Balaur Targets Russian Entities

A hacker-for-hire company that was originally revealed in 2019 has extended its scope to target victims with links to Russia in the political and corporate sector. 

Void Balaur is a highly active hacker-for-hire cyber mercenary group reported to attack a variety of target groups worldwide; its services have been advertised online since at least 2016. They include private data collection and access to particular online email and social media accounts, including Gmail, Outlook, Telegram, Yandex, Facebook, Instagram and corporate email. 

Separately, Google's Threat Analysis Group (TAG) says that since 2012 it has tracked a diverse group of Indian hackers-for-hire, many of whom worked briefly for the Indian security companies Appin and Belltrox.

The gang often conducts attacks that are both broad and opportunistic, with the goal of gaining unauthorised access to popular email services, social networks, messaging platforms and corporate accounts.

According to reports, the hack-for-hire service provided by the gang is offered using a variety of guises, including Hacknet and RocketHack. The operators have offered additional services over the years, including real-time location tracking, SMS logs, and remote device access.

Furthermore, the attack infrastructure run by Void Balaur includes more than 5,000 distinct domains that pose as public-service portals, authentication services and email websites.

The new targets span a wide range of industries, frequently with specific political or business ties to Russia. Void Balaur also goes after targets that are useful for positioning or assisting upcoming attacks, in the United States, Russia, Ukraine and a number of other countries.

In early 2022, one of the group's domains resolved to an IP address owned and operated by the Russian Federal Guard Service (FSO), which looks like an operational slip and raises the possibility of a connection.

Although Void Balaur targets people and organisations all over the world, campaigns launched in 2022 have focused on individuals active in political and business circles that matter to Russia.

It commonly uses highly repeatable phishing emails that appear to come from banks or local governments to trick recipients into clicking a malicious link and divulging their account credentials.
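The 5,000-domain infrastructure and the bank- or government-themed phishing described in the two paragraphs above both rely on domains that look like a legitimate portal. As an added example, not code from the original post or from Trend Micro, the scorer below rates a newly seen domain against a list of brands you care about: it normalises common homoglyph substitutions, strips the TLD, checks for the brand embedded in the label or within a small edit distance, and adds weight for credential-themed tokens such as "login". The brand list, allowlist and candidate domains are constructed for the example.

```python
import re

# Character substitutions seen in lookalike labels, applied longest-first.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))
# Public second-level labels under which the registrable name sits one level deeper.
SECOND_LEVEL = {"co", "com", "net", "org", "gov", "ac"}
KEYWORDS = ("login", "auth", "secure", "mail", "account", "verify", "passport")


def normalize(label):
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def registrable_label(domain):
    """'mail-yandex-login.co.uk' -> 'mail-yandex-login'."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain, brands, allowlist):
    """Return (score 0-100, reasons) for how closely domain imitates one of brands."""
    domain = domain.lower().strip(".")
    if domain in allowlist or any(domain.endswith("." + a) for a in allowlist):
        return 0, ["allowlisted"]
    label = registrable_label(domain)
    norm = normalize(label)
    tokens = set(re.split(r"[-_]", norm))
    score, reasons = 0, []
    for brand in brands:
        if label == brand:
            score, reasons = max(score, 90), reasons + [f"brand {brand} on unexpected TLD"]
        elif norm == brand:
            score, reasons = max(score, 90), reasons + [f"homoglyph of {brand}"]
        elif brand in tokens or brand in norm:
            score, reasons = max(score, 60), reasons + [f"contains brand {brand}"]
        elif len(brand) >= 5 and levenshtein(norm, brand) <= 2:
            score, reasons = max(score, 70), reasons + [f"typo of {brand}"]
    if score:
        hits = sorted(tokens & set(KEYWORDS))
        score = min(100, score + 10 * len(hits))
        reasons += [f"keyword {k}" for k in hits]
    return score, reasons


def run_sample():
    """Constructed brands, allowlist and candidates (not real Void Balaur infrastructure)."""
    brands = ("yandex", "gmail", "outlook", "telegram")
    allow = {"yandex.ru", "gmail.com", "telegram.org"}
    candidates = ["yandex-passport-login.com", "gmai1.com", "yandx.ru",
                  "te1egram.org", "mail.yandex.ru", "example.org"]
    return {d: score_domain(d, brands, allow) for d in candidates}


if __name__ == "__main__":
    for domain, (score, reasons) in run_sample().items():
        print(f"{score:3d}  {domain:28s} {'; '.join(reasons)}")
```

Feed it from certificate-transparency logs or passive DNS for the brands you defend; anything scoring 60 or above is worth a registrar abuse report and a block on the mail gateway before the first phishing email arrives.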

In September 2021, one of the group's most infamous efforts featured attacks that targeted the personal email accounts of lawmakers and government leaders of an Eastern European nation.

In keeping with its reputation as a cyber mercenary, Void Balaur does not confine itself to the geopolitical sphere. Adopting and enforcing the standard security measures, above all phishing-resistant multi-factor authentication on email and social media accounts and caution with lookalike login pages, helps repel cyber mercenary attacks.

Anonymous Hacker Targets Cobalt Strike Servers Linked to Former Conti Gang Members

 

An anonymous group launched DDoS attacks on Cobalt Strike servers operated by former Conti ransomware members, flooding them with anti-Russian messages to disrupt their operations. 

The Conti ransomware gang shut down its operation in May, but its members joined other groups such as Quantum, Hive and BlackCat, and former Conti members continued to use the same Cobalt Strike infrastructure to launch new attacks. 

The attackers flooded the Cobalt Strike (CS) team servers that the former Conti operators use to control their beacons with anti-Russian messages such as “Stop the war!”, “15000+ dead Russian soldiers!” and “Be a Russian patriot!” 

According to Vitali Kremez, CEO of cyber intelligence company Advanced Intelligence (AdvIntel), the attackers hit at least four Cobalt Strike servers operated by former Conti gang members. 

The messages arrive at a rate of nearly two per second, disrupting the Conti operators' work. Kremez says whoever is behind the activity is persistently targeting Cobalt Strike servers believed to be run by former Conti members, resuming the flood whenever a new server is discovered. 

“Red teamers operating Cobalt Strike infrastructure to help identify gaps for organizations need to ensure that they are properly protecting their infrastructure,” stated Jerrod Piker, threat analyst at Deep Instinct. “DoS/DDoS protection is necessary as evidenced by the recent Conti group attacks, as well as advanced malware prevention, identity protection, and access control. Attackers will always look for and eventually discover low-hanging fruit, so we have to ensure that we make their discovery process as difficult as possible.” 
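Piker's advice above applies to any team server, including a legitimate red team's: the first line of protection is a redirector in front of it that only forwards traffic matching the malleable C2 profile and hands everything else a benign page, so that scanners, defenders and floods never reach the listener. The class below is an added example of that decision logic, not code from the original post, from Cobalt Strike or from Deep Instinct; in production the same rules live in Apache mod_rewrite or nginx on the redirector. The paths, User-Agent string, blocked range and cap are placeholders standing in for what a real profile would define.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class RedirectorPolicy:
    # Placeholder values: substitute the URIs and User-Agent from the real C2 profile.
    allowed_paths: frozenset = frozenset({"/api/v1/status", "/api/v1/submit"})
    user_agent: str = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Example/1.0"
    allowed_methods: frozenset = frozenset({"GET", "POST"})
    blocked_networks: tuple = ("198.51.100.0/24",)  # e.g. known scanner ranges (constructed)
    per_ip_cap: int = 200  # requests from one IP before the redirector stops forwarding


class RedirectorFilter:
    """Decide, per request, whether a redirector should pass traffic to the team server."""

    def __init__(self, policy=None):
        self.policy = policy or RedirectorPolicy()
        self.blocked = [ipaddress.ip_network(n) for n in self.policy.blocked_networks]
        self.counts = Counter()

    def decide(self, client_ip, method, path, headers):
        """Return 'forward', 'decoy' (serve a benign page) or 'drop' (close without reply)."""
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.blocked):
            return "drop"
        self.counts[client_ip] += 1
        if self.counts[client_ip] > self.policy.per_ip_cap:
            return "drop"  # a flood or an aggressive scanner; the team server never sees it
        if method.upper() not in self.policy.allowed_methods:
            return "decoy"
        if path.split("?", 1)[0] not in self.policy.allowed_paths:
            return "decoy"
        ua = {k.lower(): v for k, v in headers.items()}.get("user-agent", "")
        if ua != self.policy.user_agent:
            return "decoy"
        return "forward"


def run_sample():
    """Constructed requests: a real check-in, an admin probe, a wrong-UA probe, a blocked range, a flood."""
    f = RedirectorFilter()
    ua = f.policy.user_agent
    results = [
        f.decide("203.0.113.7", "GET", "/api/v1/status?id=1", {"User-Agent": ua}),
        f.decide("203.0.113.7", "GET", "/admin", {"User-Agent": ua}),
        f.decide("203.0.113.8", "GET", "/api/v1/status", {"User-Agent": "curl/7.79"}),
        f.decide("198.51.100.9", "GET", "/api/v1/status", {"User-Agent": ua}),
    ]
    flood = [f.decide("203.0.113.9", "POST", "/api/v1/submit", {"User-Agent": ua})
             for _ in range(201)]
    results.append(flood[-1])
    return results


if __name__ == "__main__":
    print(run_sample())
```

A per-IP cap like this blunts a single-source flood such as the two-messages-per-second stream described above, but it is not a substitute for upstream DDoS protection; what it does buy is that the team server itself stays unreachable from anything but profile-conformant beacon traffic.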

Conti was one of the most prolific ransomware groups of the last year, alongside LockBit 2.0, PYSA and Hive; it encrypted hospital, corporate and government agency networks, demanding ransom for the decryption key and threatening to publish stolen data as part of its name-and-shame scheme. 

After the gang sided with Russia in its February invasion of Ukraine, an anonymous pro-Ukraine hacktivist using the Twitter handle ContiLeaks released the group's malware source code, credentials, chat logs and operational workflows.

Hackers getting the taste of their own medicine 

It remains unclear who is behind the messages, but for now they are keeping the hackers busy. Last month the LockBit ransomware gang suffered a DDoS attack that disrupted its operation, launched after the gang claimed responsibility for a hack on security firm Entrust earlier this year. 

The hackers blamed the DDoS on Entrust, since the HTTPS requests carried a message demanding that the company's data be deleted. The halt was temporary, however, and the gang came back online with enhanced infrastructure that it said would keep the stolen data available even under distributed denial-of-service (DDoS) attacks.

UK Agency Publishes New Guidelines for Crypto Exchanges to Stop Sanctions Evaders

 

Crypto exchanges are now required to report suspected sanctions breaches to UK authorities under new rules introduced amid concerns that digital currencies such as Bitcoin, Ether, and Tether, or non-fungible tokens (NFTs) are being used to evade Russian sanctions. 

On August 30, the Treasury's Office of Financial Sanctions Implementation (OFSI) updated its official guidance to specifically include “crypto assets” among the assets that must be frozen when sanctions are imposed on an individual or enterprise. 

Under the rules set by OFSI, cryptocurrency exchanges will be breaking the law if they fail to report customers who are subject to sanctions. 

The rules mean exchanges now have the same legal obligations as professionals such as estate agents, accountants, lawyers and jewellers: an exchange that fails to report a customer designated for sanctions commits a criminal offence. 

“It is vital to address the risk of crypto-assets being used to breach or circumvent financial sanctions,” a Treasury spokesperson stated. “These new requirements will cover firms that either record holdings of, or enable the transfer of, crypto-assets and are therefore most likely to hold relevant information.”

Financial sanctions on Russian business tycoons, politicians, and firms have been among the UK’s most prominent responses to the invasion of Ukraine. 

Earlier this year in April, Binance, the cryptocurrency exchange giant, blocked the accounts of relatives of Russian politicians, including Polina Kovaleva, the stepdaughter of the foreign minister, Sergei Lavrov, and Elizaveta Peskova, the daughter of Putin’s spokesperson, Dmitry Peskov. 

Using crypto assets to bypass sanctions and move money across the globe was already illegal in the UK under laws that cover all “economic resources”. The latest guidance, however, underlines the authorities' concern that the new asset class could be used to circumvent sanctions because users need not rely on regulated exchanges to transact. 

Anna Bradshaw, a partner in Business Crime Department at Peters & Peters, a London law firm, supported the UK’s move by stating the new guidelines were “in line with the more general expansion of financial services and anti-financial crime regulation to the crypto sector”.

“Crypto and virtual assets are treated no differently than any other type of assets for the purposes of an asset freeze. Having said that, reliance on crypto or virtual currencies could potentially make it more difficult to detect that a sanctioned party is involved, or that it relates to sanctioned trade or other sanctioned activity – at least in time for steps to be taken to prevent it.”

Anonymous Attacks Russian Taxi Company, Causes Traffic Jam


Yandex Taxi Hacked

Russia has been a major target of hackers since it launched its war against Ukraine. The most recent attack hit Yandex Taxi, a ride-hailing service. 

The news first surfaced on reddit.com. Yandex Taxi belongs to Yandex, Russia's leading IT corporation, sometimes called the Russian Google. 

The EU has sanctioned the company's co-founder Arkady Volozh for “de-ranking and removing” information about Russian attacks on Ukraine.

About the incident

After the Yandex Taxi app was compromised, the anonymous attackers created a massive traffic jam in Moscow. 

On 1 September 2022, drivers complained after seeing an unusual gathering of taxis in the west of Moscow. 

The hackers had booked all the available taxis to the same address, and a massive traffic jam formed as the Yandex Taxi drivers converged on a single location. 

The cabs were directed to Kutuzovsky Prospekt, one of Moscow's main avenues, also known for the Stalinist-era Hotel Ukraina (Hotel Ukraine).

The jam lasted about three hours. Yandex's security team looked into the issue immediately and promised to improve its algorithm so that such incidents do not happen again. 

Who is behind the attack?

The hacktivist collective Anonymous claimed responsibility for the attack, in which someone compromised the Yandex app and created a chaotic pile-up of taxis. 

The hackers bypassed the company's security mechanisms and placed multiple fake orders, directing all the drivers to a single location. 
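The abuse pattern here is simple to state: many orders, from many accounts, to one destination, in a short time. The screening function below is an added example, not code from the original post or from Yandex, of the kind of rule an order pipeline can apply before dispatching a driver: destinations are bucketed into grid cells, and once a cell receives more than a threshold of orders inside a sliding window, further orders to that cell are held for review instead of dispatched. The orders, coordinates, window and threshold are constructed placeholders.

```python
import math
from collections import defaultdict, deque


def dest_cell(lat, lon, cell_deg=0.005):
    """Bucket a destination into a grid cell; 0.005 deg of latitude is roughly 550 m."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg))


def screen_orders(orders, window_s=300, max_per_cell=20, cell_deg=0.005):
    """Hold orders once a destination cell gets more than max_per_cell orders in window_s seconds.

    orders: iterable of dicts with ts (epoch seconds), order_id, account, lat, lon,
    sorted by ts. Held orders still count towards the window, so a sustained flood
    keeps the cell hot rather than letting a fresh batch through every window.
    Returns (held_order_ids, hot_cells) where hot_cells maps a cell to
    (orders seen in the window, distinct accounts behind them).
    """
    recent = defaultdict(deque)
    held, hot = [], {}
    for o in orders:
        cell = dest_cell(o["lat"], o["lon"], cell_deg)
        q = recent[cell]
        while q and o["ts"] - q[0][0] > window_s:
            q.popleft()
        if len(q) >= max_per_cell:
            held.append(o["order_id"])
            accounts = {acct for _, acct in q} | {o["account"]}
            hot[cell] = (len(q) + 1, len(accounts))
        q.append((o["ts"], o["account"]))
    return held, hot


def build_sample_orders():
    """Constructed orders: ordinary traffic across a city plus 40 orders in four minutes to one spot."""
    base = 1662022800  # arbitrary epoch timestamp (constructed)
    orders = []
    for k in range(8):
        orders.append({"ts": base + 75 * k, "order_id": f"n{k}", "account": f"user{k}",
                       "lat": 55.60 + 0.01 * k, "lon": 37.60 + 0.02 * k})
    for k in range(40):
        orders.append({"ts": base + 6 * k, "order_id": f"b{k}", "account": f"new{k}",
                       "lat": 55.7430 + 0.0001 * (k % 5), "lon": 37.5410 + 0.0001 * (k % 3)})
    return sorted(orders, key=lambda o: o["ts"])


if __name__ == "__main__":
    held, hot = screen_orders(build_sample_orders())
    print(f"held {len(held)} orders: {held[:3]} ...")
    for cell, (n, accounts) in hot.items():
        print(f"cell {cell}: {n} orders from {accounts} distinct accounts in the window")
```

The distinct-account count in hot_cells is the second signal worth acting on: twenty orders from twenty brand-new accounts to one address is a different thing from twenty regulars going to the same stadium, and the review queue can weight the two accordingly.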

Commenting on an earlier wave of attacks last year, Yandex said in a blog post:

"This is just one of many attacks aimed not only at Yandex but also at many other companies in the world. The attacks have been going on for several weeks, their scale is unprecedented, and their source is a new botnet about which little is known so far."


FBI Cyber Experts to Examine Attacks on Montenegro Government Infrastructure

 

The U.S. Federal Bureau of Investigation (FBI) will deploy a team of cyber experts to Montenegro to investigate a massive, coordinated attack on the Balkan nation's digital infrastructure, the interior ministry announced on Wednesday. 

The rapid deployment of the FBI cyber team suggests "the excellent cooperation between the United States of America and Montenegro and proof that we can count on their support in any situation," said Montenegro's Ministry of Internal Affairs. 

Last week, a combination of ransomware and DDoS attacks disrupted government services and prompted the national electricity utility to switch to manual control. Montenegro's Agency for National Security (ANB) accused Russia of responsibility and said up to €2.5m had been invested in launching the attacks. 

“Coordinated Russian services are behind the cyber attack,” the ANB stated. “This kind of attack was carried out for the first time in Montenegro and it has been prepared for a long period of time.” 

According to Dusan Polovic, Director of the Directorate for Information Security, 150 computers across twelve state entities were infected with malware in the attack; there was no permanent damage to Ministry of Public Administration data, but certain retail tax collection was affected. 

The infected workstations have been taken off the network and their hard drives removed for forensic analysis, he said, adding that the priority is to bring the tax system back into operation, but only once it is completely secure. 

Government officials confirmed that the ANB suspected the Kremlin was behind the attacks, which could be retaliation for Montenegro joining NATO in 2017 despite strong Russian opposition, and for joining Western sanctions against Moscow over its invasion of Ukraine in February. 
 
On Friday, the U.S. Embassy in Podgorica recommended U.S. citizens restrict movement and travel in the country to the necessities and have travel documents up to date and easily accessible, fearing that the attack could disrupt transportation (including border crossings and airport), and telecommunication sectors. 

Russia has recently also targeted multiple Eastern European nations, including Moldova, Slovenia and Bulgaria, with denial-of-service campaigns, which make websites unreachable by flooding them with junk traffic but do not damage data. The assault on Montenegro's infrastructure appeared more coordinated, with targets including water supply systems, transportation services and online government services.

Montenegro's State Infrastructure Struck by Cyber Attack, Officials Say

 

An unprecedented cyber attack hit Montenegro's government digital infrastructure, and the government promptly implemented measures to mitigate its impact, immediately reporting the attack to other NATO members. 

“Certain services were switched off temporarily for security reasons but the security of accounts belonging to citizens and companies and their data have not been jeopardised,” said Public Administration Minister Maras Dukaj. 

The attack began on Thursday night, according to the Minister. The US embassy in Montenegro recommended that US citizens limit movement and travel within the country to the essentials and keep their travel documents up to date and easily accessible, fearing that the attack would disrupt the government systems used to identify people living in Montenegro as well as transportation. The National Security Agency issued a warning to critical infrastructure organisations.

“A persistent and ongoing cyber-attack is in process in Montenegro,” reported the website of the U.S. Embassy in the capital Podgorica. 

“The attack may include disruptions to the public utility, transportation (including border crossings and airport), and telecommunication sectors.” 

EPCG, the state-owned power utility, switched to manual operation to avoid potential damage, according to its president Milutin Djukanovic, and temporarily disabled some customer services as a precaution. The government believes a nation-state actor carried out the attack.

“Outgoing Prime Minister Dritan Abazovic called a session of the National Security Council for Friday evening to discuss the attack. Abazovic said it was politically motivated following the fall of his government last week,” reported Reuters.

Previous Attacks

Montenegro was targeted by the Russia-linked hacker group APT28 in June 2017 after it officially joined the NATO alliance, amidst strong opposition from the Russian government, which threatened retaliation.

Montenegro experienced massive and prolonged cyberattacks against government and media websites in February 2017, for the second time in a few months. FireEye researchers who analysed the attacks discovered malware and exploits associated with the notorious Russia-linked APT group known as APT28 (aka Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit, and Tsar Team).

Another massive attack was launched against the country's institutions during the October 2016 elections, sparking speculation that the Russian Government was involved. At the time, hackers launched spear phishing attacks against Montenegro, using weaponized documents related to a NATO secretary meeting and a visit by a European army unit to the country.

The hackers distributed the GAMEFISH backdoor (also known as Sednit, Seduploader, JHUHUGIT and Sofacy), malware used only by APT28 in previous attacks.

In January 2020, Air Chief Marshal Sir Stuart Peach, Chairman of NATO's Military Committee (MC), announced the Alliance's effort to counter Russian hybrid attacks.

The term "hybrid warfare" refers to a military strategy that combines political warfare, irregular warfare, and cyberwarfare with other methods of influencing, such as fake news, diplomacy, lawfare, and foreign electoral intervention.

Russian Entities Hit by New Woody RAT Malware

 

Malwarebytes researchers discovered that an unidentified threat actor has been targeting Russian organisations for at least a year with a new remote access trojan named Woody RAT, delivered through a spear-phishing campaign. 

The malware is delivered in two ways: as archive files and as Microsoft Office documents that exploit the Follina Windows flaw (CVE-2022-30190). 

Like other RATs used in state-sponsored operations, Woody RAT offers a wide range of features that give the operators full remote control of the infected system and let them steal data from it. 

The attackers appear to focus on Russian organisations: Malwarebytes found that they registered a lookalike domain to impersonate OAK, a Russian aerospace and defence entity. 

“The earliest versions of this Rat were typically archived into a zip file pretending to be a document specific to a Russian group. When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by @MalwareHunterTeam.” states the report published by Malwarebytes. 
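A Follina lure is an ordinary .docx whose document relationships point at an external resource (typically an oleObject) that in turn invokes the ms-msdt: URI handler. Because a .docx is a zip of XML parts, a mail gateway or sandbox can check for that structure without opening the file in Word. The scanner below is an added example, not code from the original post or from Malwarebytes; it builds minimal constructed documents in memory (the package boilerplate is the standard OOXML skeleton, the targets are documentation addresses and a placeholder URI) and flags any external non-hyperlink relationship plus any part that references ms-msdt:. Ordinary external hyperlinks are deliberately not flagged, since every newsletter contains them.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_PREFIX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Standard OOXML skeleton for a one-paragraph document (constructed sample).
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)
ROOT_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    f'<Relationship Id="rId1" Type="{REL_PREFIX}officeDocument" Target="word/document.xml"/>'
    '</Relationships>'
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>'
)
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def document_rels(relationships):
    """Build word/_rels/document.xml.rels from (type, target, external) triples."""
    body = "".join(
        f'<Relationship Id="rId{i}" Type="{REL_PREFIX}{rtype}" Target="{target}"'
        + (' TargetMode="External"' if external else "") + "/>"
        for i, (rtype, target, external) in enumerate(relationships, 1)
    )
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            + body + "</Relationships>")


def build_docx(relationships):
    """Constructed minimal .docx carrying the given document-level relationships."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", ROOT_RELS)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/_rels/document.xml.rels", document_rels(relationships))
    return buf.getvalue()


def scan_docx(data):
    """Return a list of findings for Follina-style indicators in a .docx given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            content = z.read(name)
            if MSDT_RE.search(content):
                findings.append({"part": name, "reason": "references the ms-msdt: URI handler"})
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(content)
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                # External hyperlinks are routine; external oleObject, frame,
                # attachedTemplate and similar parts are loaded without a click.
                if rtype != "hyperlink":
                    findings.append({"part": name, "reason": f"external {rtype} -> {rel.get('Target', '')}"})
    return findings


# Constructed samples: a lure, a lure naming the handler directly, and a clean document.
LURE = build_docx([("oleObject", "http://203.0.113.5/lure.html!", True),
                   ("hyperlink", "https://example.com/", True)])
LURE_DIRECT = build_docx([("oleObject", "ms-msdt:example-placeholder", True)])
CLEAN = build_docx([("hyperlink", "https://example.com/", True),
                    ("image", "media/image1.png", False)])

if __name__ == "__main__":
    for label, doc in (("lure", LURE), ("lure_direct", LURE_DIRECT), ("clean", CLEAN)):
        print(label, scan_docx(doc))
```

The external-oleObject check catches the document stage of the chain regardless of what the fetched HTML contains, which matters because the second stage can be changed server-side after the lure has been mailed; the ms-msdt: string check is the cheap complement for variants that name the handler inside the package itself.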

According to the technical analysis, the RAT is advanced malware with multiple backdoor capabilities, including writing arbitrary files to the machine, capturing screenshots, executing additional malware, enumerating directories, deleting files and listing running processes. 

The malware also embeds two .NET DLLs, named WoodySharpExecutor and WoodyPowerSession. WoodySharpExecutor allows the malware to run .NET code received from the C2, while WoodyPowerSession enables it to execute PowerShell commands and scripts received from the C2. 

Once the command threads are created, the malware removes itself from disk using the process hollowing technique. 

“This very capable Rat falls into the category of unknown threat actors we track. Historically, Chinese APTs such as the Tonto team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren’t any solid indicators to attribute this campaign to a specific threat actor,” concludes the report. 

ABCsoup Adware Campaign Employs 350 Browser Extension Variants to Target Russian Users


Zimperium researchers have identified an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers. The campaign employs more than 350 versions of malicious browser extensions using the Google Translate extension ID to fool victims into downloading the malicious files.

"The extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security solutions, along with the security controls found in the official extension stores," researchers explained. 

The malicious browser add-ons carry the same extension ID as Google Translate to trick users into believing they have installed a legitimate extension. However, the extensions are not available on the official browser web stores. 

The attackers deliver them via multiple Windows executables that install the add-on into the victim's web browser. If the targeted user already has the Google Translate extension installed, the malicious variant replaces the original because of its higher version number (30.2.5 vs. 2.0.10). 

"Furthermore, when this extension is installed, Chrome Web Store assumes that it is Google Translate and not the malicious extension since the Web Store only checks for extension IDs," Zimperium researcher Nipun Gupta stated. 
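The ID reuse and version inflation described above are visible in the browser's own extension settings, so a host-based audit can flag them. The following is an added example, not Zimperium's code: the JSON layout ("extensions" -> "settings" -> id -> from_webstore / manifest / path) follows Chrome's Secure Preferences file as understood by the author and is an assumption here, and the extension ID, paths and versions are constructed sample values.

```python
"""Audit a Chromium-style extension settings blob for the ABCsoup pattern: an
extension that reuses a legitimate store extension's ID, was not installed from
the Web Store, and carries an inflated version so it supersedes the real one.
Added defender example; the settings layout is an assumption about Chrome's
Secure Preferences and all IDs/paths/versions below are constructed."""
import json
import ntpath
import posixpath

# Constructed placeholder ID standing in for the store extension being impersonated.
KNOWN_STORE_EXTENSIONS = {
    "abcdefghijklmnopabcdefghijklmnop": {"name": "Google Translate", "version": "2.0.10"},
}


def parse_version(v: str) -> tuple:
    """Chrome orders versions numerically per dotted component, so 30.2.5 > 2.0.10."""
    return tuple(int(part) for part in v.split("."))


def is_sideloaded_path(path: str) -> bool:
    """Store installs use a path relative to the profile's Extensions directory;
    an absolute Windows or POSIX path points at a copy dropped by an installer."""
    return ntpath.isabs(path) or posixpath.isabs(path)


def audit_extensions(prefs: dict, known: dict = KNOWN_STORE_EXTENSIONS) -> list:
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, info in settings.items():
        manifest = info.get("manifest", {})
        version = manifest.get("version", "0")
        reasons = []
        if ext_id in known:
            ref = known[ext_id]
            if not info.get("from_webstore", False):
                reasons.append(f"uses ID of store extension '{ref['name']}' but not installed from the Web Store")
            if parse_version(version) > parse_version(ref["version"]):
                reasons.append(f"version {version} exceeds store version {ref['version']}")
        if is_sideloaded_path(info.get("path", "")):
            reasons.append(f"sideloaded from {info['path']}")
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name"), "version": version, "reasons": reasons})
    return findings


def load_sample() -> dict:
    """Constructed settings: one impostor using the known ID, one ordinary store install."""
    return json.loads(r'''{
      "extensions": {"settings": {
        "abcdefghijklmnopabcdefghijklmnop": {
          "from_webstore": false,
          "path": "C:\\ProgramData\\Updater\\translate_ext",
          "manifest": {"name": "Google Translate", "version": "30.2.5"}
        },
        "ponmlkjihgfedcbaponmlkjihgfedcba": {
          "from_webstore": true,
          "path": "ponmlkjihgfedcbaponmlkjihgfedcba\\1.4.2_0",
          "manifest": {"name": "Some Store Extension", "version": "1.4.2"}
        }
      }}
    }''')


if __name__ == "__main__":
    for f in audit_extensions(load_sample()):
        print(f["id"], f["version"], "->", "; ".join(f["reasons"]))
```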

According to Zimperium, the malicious extensions are geared towards serving pop-ups, siphoning private details to deploy target-specific ads, fingerprinting searches, and injecting malicious JavaScript that can further act as spyware to capture keystrokes and monitor web browser activity. 

The campaign's primary function is to check whether Russian social networking services such as Odnoklassniki and VK are open in the browser and, if so, collect the victims' first and last names, dates of birth, and gender and transfer the data to a remote server. 

The malicious extension not only uses the stolen details to serve personalized ads but can also inject custom JavaScript code depending on the websites opened. These include YouTube, Facebook, ASKfm, Mail.ru, Yandex, Rambler, Avito, Brainly's Znanija, Kismia, and rollApp, indicating a heavy Russia focus. 

The researchers attributed the campaign to threat actors based in Russia or Eastern Europe. Given the wide range of local domains featured, the extensions were created to single out Russian users.

"This malware is purposefully designed to target all kinds of users and serves its purpose of retrieving user information," Gupta said. "The injected scripts can be easily used to serve more malicious behavior into the browser session, such as keystroke mapping and data exfiltration."

Dark Web Selling Alleged Western Weapons Sent to Ukraine


According to recent reports, various weapon marketplaces on the dark web have been listing military-grade firearms supplied by Western countries to support the Ukrainian army in its fight against Russian aggression. 

These weapons were reportedly diverted from the received supplies and are now being offered to terrorists looking to buy rocket launchers and other deadly weapon systems. 

This data was released by Israeli cyber-intelligence firm KELA, which found military weapons listed by Ukrainians on various dark web markets. According to the report, one marketplace, tracked as “Thief,” carried a total of 9 listings from three sellers associated with Ukraine.

Another seller, “Weapons Ukraine,” sells rifles, grenades, and bulletproof vests for amounts ranging from $1,100 to $3,600 and promises delivery within Ukraine. According to the site's own statistics, 32 users have completed purchases, but no user has left a review yet. 

Another market offering weapons allegedly supplied to Ukraine by NATO countries is “Black Market Guns,” which lists a U.S.-made Switchblade 600 kamikaze drone for $7,000 and NLAW anti-tank missiles for $15,000. 

However, the coordinated appearance of these listings across several platforms raises the likelihood that they are part of a larger disinformation or scam campaign exploiting the country's current political situation for profit. 

While the listings appear genuine, with realistic prices, there is a high chance they were created by pro-Russian malicious actors for propaganda purposes. If so, pro-Russian media outlets could present this information as real to serve their own ends. At this time, the authenticity of the weapons listed as coming from Ukraine on dark web marketplaces cannot be verified.

Anonymous Hacktivists Leak 1TB of Top Russian Law Firm Data

Unidentified malicious actors have hit Russia hard again by leaking 1TB of sensitive data from a leading Russian law firm, Rustam Kurmaev and Partners (RKP Law). 

Rustam Kurmaev and Partners has been operating in Russia for over 20 years and represents around 500 clients, including the Volkswagen Group Russia, Toyota, Ikea, Jones Lang LaSalle, ChTPZ PJSC, Abbott Laboratories, Mechel PJSC, Panasonic, Baker Hughes, ING Bank, Yamaha Motor, Caterpillar, Mars, Gillette, VimpelCom, 2×2 Channel, Citibank, and Sberbank. 

The group used its Twitter handles, @DepaixPorteur and @B00daMooda, to announce the cyber attack. “We are Anonymous – We have hacked RKPLaw (rkplawru) and leaked 1TB of files, emails, court files, client files, backups, and more! They have a very large (220 clients) and an interesting client list which I will post in the comments,” the tweet read.

Cyber attacks against Russian establishments have become the new normal since the start of the war between Russia and Ukraine. The cyber campaign against Russia that began in February 2022, after the country invaded Ukrainian territory in what it calls a “special military operation” to denazify and demilitarize Ukraine, was dubbed #OpRussia. 

@YourAnonNews and @YourAnonTV, two of the largest social media accounts of the Anonymous movement, also tweeted about the data leak. “Once again, #Anonymous delivers. Many thanks to @DepaixPorteur,” tweeted @YourAnonNews. “Just In: #Anonymous released a terabyte of data and emails from Rustam Kurmaev and Partners (RKP Law), a Russian law firm that works with major banking, media, oil, and industrial firms and state interests, including American companies. #OpRussia,” said @YourAnonTV. 

According to DDoSecrets, this cyber attack could be devastating for the company, which specializes in resolving real estate, corporate, construction, and commercial disputes. The firm also handles criminal defense for businesses and builds systematic defense strategies for corporate managers and top executives at various stages of criminal proceedings. Furthermore, the company practices anti-corruption law.

Chinese Hackers are Targeting Russian Aerospace Industry


Space Pirates, a Chinese cyberespionage group, is targeting businesses in the Russian aerospace industry with phishing emails to deploy a novel strain of malware. 

The APT group has been operating since 2017, and researchers believe it is associated with other China-linked APT groups, including APT41 (Winnti), Mustang Panda, and APT27. Russian security researchers at Positive Technologies named the group "Space Pirates" because its espionage operations focus on stealing confidential information from companies in the aerospace field. 

The actors targeted government agencies, IT departments, and aerospace and power enterprises in Russia, Georgia, and Mongolia, but the majority of victims were in Russia, several of them within the partially state-owned aerospace industry of the Russian Federation. 

The researchers first uncovered signs of Space Pirates' activity last summer during an incident response engagement and quickly confirmed that the actors had used the same malware and infrastructure against at least four more domestic organizations since 2019. 

According to researchers, at least two attacks on Russian organizations were successful. In one instance, Space Pirates accessed at least 20 servers on the corporate network and stayed there for ten months; 1,500 internal documents were stolen, together with information about all employee accounts in one of the network domains. 

In the second attack, the Chinese attackers stayed in the compromised firm's network for over a year, exfiltrating confidential information and deploying their malware to 12 corporate network nodes in three distinct regions. 

The Space Pirates’ unique toolkit contains a wide range of malware, including unique loaders and multiple previously undetected backdoors tracked as MyKLoadClient, BH_A006, and Deed RAT. The arsenal also includes the Zupdax backdoor along with well-known malware such as PlugX RAT, ShadowPad backdoor, Poison Ivy RAT, a modified version of PcShare, and the public ReVBShell shell. The APT group also leverages the dog-tunnel utility to tunnel traffic. 

The threat analysts believe that the overlaps between various Chinese APTs are due to tool exchanges, a common phenomenon for hackers in the region. 

“APT groups with Asian roots continue to attack Russian companies, which is confirmed by the activity of the Space Pirates group. Attackers both develop new malware that implements non-standard techniques (such as Deed RAT) and uses modifications of existing backdoors. Sometimes such modifications can have many layers of obfuscation added to counteract protections and complicate the analysis procedure – as in the case of BH_A006, built on the code of the popular Gh0st backdoor,” researchers explained. 

“A separate difficulty in the case of APT groups in the Asian region is the exact attribution of the observed activity: the frequent exchange of tools used, as well as the joint activity of various groups in some cases, significantly complicate this task.”

Russian Group Attack on Bulgarian Refugee Agency


A ransomware group with strong ties to Russia warned on Wednesday that it would publicly post files it had stolen from the Bulgarian government agency responsible for refugee management.

LockBit 2.0 published a notice on its dark web leak site saying it had files from the Bulgarian State Agency for Refugees under the Council of Ministers. “All available data will be published!” the notice read under the group’s trademark bright red countdown clock, which showed a May 9 publication date. Notably, the post did not state a specific ransom demand. 

According to the Sofia Globe, a news organization in the country’s capital, nearly 5.7 million Ukrainian refugees have fled their country since February; approximately 230,000 of them fled to Bulgaria, where 100,700 remain. 

The official website of the agency remains active, however, a notice on the site’s home page reads, “due to network problems, the e-addresses of the State Agency for Refugees at the Council of Ministers are temporarily unavailable.”

Reporters contacted the agency for comment, but it did not immediately respond to the email. A spokesperson at the Bulgarian embassy in Washington, D.C., later said that he had no information on the incident and would look into the matter. 

LockBit 2.0 is an updated version of LockBit, a ransomware variant first spotted in September 2019, according to the cybersecurity firm Emsisoft. Originally known as ABCD ransomware, LockBit is known for the file extension it appends to encrypted files, which was later changed to “LockBit”. In September, the group made headlines for launching its own leak website. 

“This is simply the latest in a very long list of hits on organizations which provide critical services...,” said Brett Callow, a threat analyst at Emsisoft. 

“...Hospitals, [search and rescue], fire departments, and charities for the disabled have all been targeted. The individuals involved with ransomware are conscienceless scumbags and the sooner we find a way to deal with the problem, the better.”

Russian Groups are Plagued by OldGremlin Ransomware Threat


The cyber-crime gang known as OldGremlin is actively targeting banks, medical institutions, software developers, and industrial firms, among others. It differs from other ransomware groups by launching a limited number of campaigns (just under five since early 2021) that target Russian firms exclusively and employ proprietary backdoors developed in-house.

Despite being less active, OldGremlin has demanded ransoms as large as $3 million from one of its victims, which may indicate that ransomware is a sideline for the gang. Its most recent activity consists of two phishing campaigns conducted near the end of March 2022. It may be too early to say how many organizations were attacked, but security experts say a Russian mining corporation is among the victims. The adversary did not deviate from its established strategy of exploiting trending news topics to gain initial access. 

According to researchers at Singapore-based cybersecurity firm Group-IB, OldGremlin's phishing lure this time involved a senior auditor at a Russian financial organization and claimed that the Visa and Mastercard payment systems would be suspended due to the recent sanctions placed on Russia.

The email directed recipients to a malicious document hosted on Dropbox that downloads TinyFluff, a backdoor that launches the Node.js interpreter and grants the attacker remote access to the target system. TinyFluff is an upgraded version of the gang's earlier backdoor, TinyNode. Once the attackers have gained access to the system and its data, the target receives a ransom note. According to Group-IB, a mining business is one of the possible victims. 

Another well-known ransomware group, NB65, has been working to disrupt Russian operations, including the alleged theft of 900,000 emails and 4,000 files from the state-owned television and radio broadcasting network VGTRK. In March, the group used leaked source code from the Conti ransomware gang, a Russia-linked threat actor, to create its own ransomware for the first time. 

The researchers were able to study the commands used at this stage of the attack with a traffic sniffer, because they are transmitted in cleartext:
  • Gathering data on the infected system or device.
  • Collecting information about the connected drives.
  • Executing a command in the cmd.exe shell and passing the output to the command and control (C2) server.
  • Receiving information about the plugins installed on the system.
  • Obtaining information about files in specified folders on the system drive.
  • Terminating the Node.js interpreter.

Before executing the last step of the attack, deploying TinyCrypt/TinyCryptor, the group's proprietary ransomware payload, OldGremlin can spend months inside the infiltrated network. 

The gang ran only one phishing campaign in 2021, but it kept them occupied for the entire year, as it gave them initial access to the networks of various firms. Apart from the targeted Russian mining company, Group-IB believes more OldGremlin victims will be discovered this year as a result of the group's March phishing operation. 
Based on the evidence they collected and the quality of the phishing emails and decoy documents, the researchers believe OldGremlin has Russian-speaking members. They called the group's understanding of the Russian landscape "astonishing." OldGremlin breaks the mold by focusing solely on Russian businesses, including banks, industrial corporations, medical institutions, and software producers.

US Agencies Disable Russia-linked "Cyclops Blink" Botnet


The US Department of Justice (DoJ), working alongside the FBI and various other authorities, has successfully neutralized Cyclops Blink, a modular botnet operated by a malicious group known as Sandworm, which has been linked to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). 

In the court-authorized operation, the US agencies copied and removed malware from susceptible internet-linked firewall devices that Sandworm used for command and control (C2) of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying compromised devices worldwide, the DoJ said the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices' control. 

Cyclops Blink, believed to be the successor to VPNFilter, a botnet largely abandoned after security experts exposed it in 2018, primarily targeted WatchGuard firewall appliances and ASUS routers, with the Sandworm group exploiting a previously disclosed security flaw in WatchGuard's Firebox firmware as an initial access vector. 

"These network devices are often located on the perimeter of a victim's computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks," the DoJ added. 

WatchGuard Technologies issued a statement confirming it worked with the U.S. Justice Department to disrupt the botnet but did not disclose the number of devices affected, saying only that they represented "less than 1 percent of WatchGuard appliances." 

The device manufacturer has published detection and remediation tools alongside recommendations for device owners to remove any malware infection and patch their devices to the latest versions of available firmware. 

The company has also updated its Cyclops Blink FAQs to provide details regarding CVE-2022-23176 (CVSS score: 8.8), which could "allow an unprivileged user with access to Firebox management to authenticate to the system as an administrator" and gain unauthorized remote access. ASUS likewise released firmware patches as of April 1, 2022, to mitigate the threat, recommending that users update to the latest version.

Biden Prolongs National Emergency Amid Increasing Cyber Threats


Against the backdrop of the Russia-Ukraine conflict, the increasing risk of cybersecurity threats to U.S. national security, the economy, and foreign policy has prompted President Joe Biden to extend the state of national emergency originally declared by former President Barack Obama in April 2015. 

The national emergency was extended after the Cybersecurity and Infrastructure Security Agency (CISA) published a warning regarding possible Russian state-sponsored cyberattacks against U.S. organizations following the invasion of Ukraine. 

The war between Russia and Ukraine will be the main topic at Thursday's NATO meeting, where Biden's administration will rally Western allies and announce a new round of financial sanctions against the Russian government; Biden is expected to announce sanctions on hundreds of Russians serving in the country's lower legislative body. Observers expect further sanctions to increase cybersecurity threats against the U.S. government. 

Last month, CISA and the FBI alerted U.S. organizations to the potential spillover of data-wiping attacks against Ukraine. 

"Significant malicious cyber-enabled activities originating from or directed by persons located, in whole or in substantial part, outside the United States continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States. Therefore, I have determined that it is necessary to continue the national emergency declared in Executive Order 13694 with respect to significant malicious cyber-enabled activities," said Biden. 

On Tuesday, Biden's national security adviser Jake Sullivan said that the administration believes it has an "effective posture today for what's necessary today," but added that Biden and NATO allies will discuss "longer-term adjustments to NATO force posture on the eastern flank."

NCSC Suggests to Reconsider Russian Supply Chain Risks


One of the UK's top security agencies has urged the public sector, critical national infrastructure (CNI) operators, and other institutions to reassess the risks posed by any "Russian-controlled" elements of their supply chain. 

There is no evidence that the Russian government is preparing to compel private providers to harm UK interests, according to Ian Levy, technical director of the National Cyber Security Centre (NCSC). That does not rule out the possibility of it happening now or in the future, he continued. 

"Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so may increase in a time of war. We also have hacktivists on each side, further complicating matters, so the overall risk has materially changed. The war has proven many widely held beliefs wrong and the situation remains highly unpredictable. In our view, it would be prudent to plan for the possibility that this could happen. In times of such uncertainty, the best approach is to make sure your systems are as resilient as you can reasonably make them,” Levy argued. 

The new NCSC guidance covers all UK public sector organisations, those supplying services to Ukraine, CNI enterprises, organisations performing activity that could be regarded as opposing Russian interests, and high-profile institutions whose compromise would be a PR success for the Kremlin. 

Levy continued, “You may choose to remove Russian products and services proactively, wait until your contract expires (or your next tech refresh), or do it in response to some geopolitical event. Alternatively, you may choose to live with the risk. Whatever you choose, remember that cybersecurity, even in a time of global unrest, remains a balance of different risks. Rushing to change a product that’s deeply embedded in your enterprise could end up causing the very damage you’re trying to prevent.” 

Even companies that are unlikely to be a target should remember that global sanctions could affect the availability of any Russian technology services. There was some good news from the NCSC: Levy said individuals using Kaspersky products could continue to do so relatively safely, and he considers “massive, global cyber-attacks” arising from the conflict unlikely.