Search This Blog

Showing posts with label Russian Hackers. Show all posts

Russian Hackers use WinRAR as Cyberweapon

Russian hackers are known for their notorious cyber-attacks. They have once again been accused of using a popular file compression software, WinRAR, to launch an attack on a state agency in Ukraine. The attack wiped out the agency’s data, resulting in the loss of important information.

According to reports, the hackers used a malicious version of WinRAR that contained a Trojan horse to infiltrate the agency’s system. Once the software was installed, the Trojan horse allowed the hackers to access sensitive data and execute commands remotely.

It’s not the first time Russian hackers have been accused of using WinRAR as a cyberweapon. In 2018, the group was found to be using a similar tactic to launch a cyber attack on a Ukrainian company.

The incident highlights the growing threat of cyber attacks and the importance of having strong security measures in place. Businesses and organizations need to ensure that they are taking steps to protect their systems from such attacks.

One of the key measures that can be taken is to ensure that all software is updated regularly, as this can help to patch any vulnerabilities that may be present. Additionally, organizations should have a robust backup and disaster recovery plan in place to ensure that they can recover from an attack quickly and with minimal disruption.

It’s also important for organizations to have an incident response plan in place to ensure that they can quickly and effectively respond to a cyber attack. This should include identifying and containing the attack, notifying relevant stakeholders, and taking steps to prevent the attack from spreading further.

As cyber-attacks become increasingly common and sophisticated, it’s important for organizations to take steps to protect their systems and data. By implementing strong security measures and being prepared for the worst-case scenario, businesses can reduce their risk of falling victim to an attack and minimize the impact if it does occur.

Russian SolarWinds Attackers Launch New Wave of Cyber Espionage Attacks

 

Russian intelligence has once more employed hacker outfit Nobelium/APT29 as part of its ongoing invasion of Ukraine, this time to spy on foreign ministries and diplomats from NATO-member states as well as additional targets in the European Union and Africa. 

The time also coincides with a wave of attacks against Canadian infrastructure that are thought to have a Russian connection. 

The possible targets of the espionage campaign were alerted to the threat on April 13 by the Polish Military Counterintelligence Service and the CERT team in Poland, along with indicators of compromise. The organisation known by Microsoft as Nobelium, also known by Mandiant as APT29, is not new to the game of nation-state espionage; it was responsible for the infamous SolarWinds supply chain attack over three years ago. 

The Polish military and CERT alert said that APT29 is now back with a completely new set of malware tools and reported marching orders to infiltrate the diplomatic corps of nations that support Ukraine. 

APT29 returns with fresh orders

According to the Polish notice, the advanced persistent threat (APT) always starts its attack with a clever spear-phishing email. 

"Emails impersonating embassies of European countries were sent to selected personnel at diplomatic posts," authorities explained. "The correspondence contained an invitation to a meeting or to work together on documents." 

The recipient would next be instructed to follow a link or download a PDF in order to view the ambassador's calendar or obtain meeting information. Both actions would direct the targets to a malicious website that was loaded with the threat group's "signature script," which the report refers to as "Envyscout".

"It utilizes the HTML-smuggling technique — whereby a malicious file placed on the page is decoded using JavaScript when the page is opened and then downloaded on the victim's device," Polish officials added. "This makes the malicious file more difficult to detect on the server side where it is stored." 

The malicious site also informs its victims through a message that they downloaded the right file. 

"Spear-phishing attacks are successful when the communications are well written, use personal information to demonstrate familiarity with the target, and appear to come from a legitimate source," Patrick Harr, CEO of SlashNext, stated. "This espionage campaign meets all of the criteria for success." 

For instance, one phishing email claimed to be from the Polish embassy. The Polish authorities also noticed that the Envyscout programme had been modified three times using better obfuscation techniques during the period of the observed campaign. 

The organisation, once infiltrated, employs modified versions of the Snowyamber downloader, Halfrig, which has Cobalt Strike as embedded code, and Quarterrig, which shares code with Halfrig, according to the Polish alert. 

In light of this and other Russian espionage activities, governments, diplomats, international organisations, and non-governmental organisations (NGOs) should be on high alert. 

Along with warnings from Polish cybersecurity authorities, Canadian Prime Minister Justin Trudeau has recently spoken out publicly about a recent wave of cyberattacks linked to Russia that targeted Canadian infrastructure. These attacks included denial-of-service assaults on the websites of Hydro-Québec, an electric utility, his office, the Port of Québec, and Laurentian Bank. According to Trudeau, Canada's backing for Ukraine is a factor in the cyberattacks. 

Although there was no harm to Canada's infrastructure, Sami Khoury, the director of the Canadian Centre for Cyber Security, emphasised during a news conference last week that "the threat is real.""You must protect your systems," said Khoury, "if you run the critical systems that power our communities, provide Internet access to Canadians, provide health care, or generally operate any of the services Canadians can't live without." "Watch your network traffic. Implement mitigations."

Winter Vivern Hackers Exploit Zimbra Flaw to Siphon NATO Emails

 

Since February 2023, a Russian hacking group known as TA473, also identified as "Winter Vivern," has been actively stealing the emails of NATO leaders, governments, soldiers, and diplomats by taking advantage of flaws in unpatched Zimbra endpoints.

Sentinel Labs published a report on 'Winter Vivern's' recent operation two weeks ago, detailing how the group propagated malware that poses as a virus scanner by imitating websites run by European organisations that fight online crime. 

The threat actor used Zimbra Collaboration servers to exploit CVE-2022-27926, according to a new report released by Proofpoint today. This vulnerability allowed the threat actor to access the communications of individuals and organisations that are NATO allies.

Taking aim at Zimbra 

Before launching a Winter Vivern attack, the threat actor first uses the Acunetix tool vulnerability scanner to look for unpatched webmail platforms. 

After there, the hackers send a phishing email from a compromised account that is faked to look like it is from a person the target knows or is somehow connected to their business. A link in the emails uses the CVE-2022-27926 vulnerability in the target's compromised Zimbra infrastructure to inject additional JavaScript payloads into the webpage. 

When cookies are received from the hacked Zimbra endpoint, these payloads are then exploited to steal usernames, passwords, and tokens. These details give the threat actors unrestricted access to the targeted' email accounts. 

"These CSRF JavaScript code blocks are executed by the server that hosts a vulnerable webmail instance," the Proofpoint report reads. Further, this JavaScript replicates and relies on emulating the JavaScript of the native webmail portal to return key web request details that indicate the username, password, and CSRF token of targets.In some instances, researchers observed TA473 specifically targeting RoundCube webmail request tokens as well."

This particular aspect illustrates the diligence of the threat actors in pre-attack reconnaissance, ascertaining which portal their target utilises before constructing the phishing emails and establishing the landing page function. 

In addition to the three layers of base64 obfuscation used to obfuscate the malicious JavaScript to complicate analysis, "Winter Vivern" also incorporated pieces of the legal JavaScript that runs on a native webmail interface, blending in with regular activities and lowering the risk of detection. 

Ultimately, the threat actors have access to confidential data on the compromised webmails or can keep their hold in place to watch communications over time. In addition, the hackers can utilise the compromised accounts to conduct lateral phishing attacks and further their penetration of the target companies. 

Researchers claim that "Winter Vivern" is not very sophisticated, but they nonetheless employ a successful operating strategy that is effective even against well-known targets who are slow to deploy software updates. In this instance, Zimbra Collaboration 9.0.0 P24, which was released in April 2022, corrected CVE-2022-27926.

The delay in implementing the security update is estimated to have been at least ten months long given that the earliest assaults were discovered earlier this year in February.

Data Theft Feature Added by Russian Nodaria APT

An updated piece of information-stealing malware is being used against targets in Ukraine by the Nodaria spy organization, also known as UAC-0056. The malware was created in Go and is intended to gather a variety of data from the infected computer, including screenshots, files, system information, and login passwords.

The two-stage threat known as graphiron consists of a downloader and a payload. The downloader has the addresses of command-and-control (C&C) servers hardcoded in. It will look for active processes when it is executed and compare them to a blacklist of malware analysis tools.

If no processes on the blacklist are discovered, this will connect to a C&C server, download the payload, and then decrypt it before adding it to autorun. The downloader is set up to run only once. It won't try again or send a signal if it is unable to download and run the payload.

Graphiron shares several characteristics with earlier Nodaria tools like GraphSteel and GrimPlant. Advanced features allow it to execute shell commands, gather system data, files, login passwords, screenshots, and SSH keys. Further, it uses port 443 to communicate with the C2 server, and all communications are encrypted using an AES cipher.

Attacks against Georgia and Kyrgyzstan have been carried out by Nodaria since at least March 2021. The recognized tools used by the group include WhisperGate, Elephant Dropper and Downloader, SaintBot downloader, OutSteel information stealer, GrimPlant, and GraphSteel information stealer.



Cybercrime Utilizes Screenshotter to Find Targets in US

Organizations in Germany and the United States are targets of a new threat actor identified as TA886 that requires new, proprietary malware to spy on users and steal their data from affected devices. Proofpoint reported that it initially identified the previously unidentified cluster of activity in October 2022 and that it persisted into 2023.

Malicious Microsoft Publisher (.pub) attachments with macros, URLs leading to.pub files with macros, or PDFs with URLs that download risky JavaScript files are some of the ways the threat actor targets victims.

According to the researchers, which gave the operation the name Screentime, it is being carried out by a brand-new malicious attacker known as TA866. Although it is possible that the group is well-known to the larger cybersecurity sector, no one has been able to connect to any other groups or initiatives.

According to Proofpoint, TA866 is an "organized actor capable of performing well-planned attacks at scale based on their availability of custom tools, ability and connections to buy tools and services from other vendors, and increasing activity volumes."

As a result of some variable names and phrases in their stage-two payloads being written in Russian, the researchers further speculate that the threat actors may be Russian. In Screentime, TA866 would send phishing emails in an effort to get victims to download the harmful WasabiSeed payload. According to the stage-two payloads that the threat actors deem appropriate at the time, this malware develops persistence on the target endpoint.

AHK Bot has been seen downloading and loading the Rhadamanthys information thief into memory while also deploying a script to inspect the victim's computer's Active Directory (AD) domain. According to Proofpoint, the AD profile may result in the compromising of additional domain-joined hosts.

As per Proofpoint, the activity continued into 2023 after the first indications of Screentime advertisements appeared in October 2022. The campaigns have an indiscriminate impact on all industries in terms of verticals.


eSentire: Golden Chickens Malware's Attacker Uncovered

The Threat Response Unit (TRU) of eSentire has been monitoring one of the most effective and covert malware families, Golden Chickens, for the past 16 months. The malware of choice for FIN6 and Cobalt, two of the most established and prosperous online crime organizations in Russia, who have collectively stolen an estimated $1.5 billion US, is Golden Chickens. 

The creator of a comprehensive toolkit that includes SKID, VenomKit, and Taurus Loader is Golden Chickens, widely known as VENOM SPIDER. Since at least 2012, the adversary has participated actively in Russian underground forums under the alias 'badbullzvenom,' where they have developed tools for exploiting vulnerabilities as well as for getting and retaining access to victim machines and ticketing services.

The 'Chuck from Montreal' identity used by the second threat actor Frapstar allows the cybersecurity company to link together the criminal actor's online trail.

The malware-as-a-service (MaaS) provider Golden Chickens is associated with several tools, including the JavaScript downloader More Eggs and the malicious document creator Taurus Builder. Previous More eggs efforts, some of which date back to 2017, involved spear-phishing executives on LinkedIn with phony job offers that gave threat actors remote control over victim devices, allowing them to use them to gather data or spread more malware.

By using malware-filled resumes as an infection vector, the same strategies were used last year to target corporate recruiting supervisors. The first known instance of Frapster's activities dates back to May 2015, at which point Trend Micro referred to him as a 'lone criminal' and a luxury automobile fanatic.

According to eSentire, one of the two threat actors believed to be behind the badbullzvenom account on the underground forum Exploit.in maybe Chuck, with the other person probably residing in Moldova or Romania. Recruiters are being duped into downloading a malicious Windows shortcut file from a website that poses as a résumé in a new assault campaign that targets e-commerce businesses, according to a Canadian cybersecurity company.

By highlighting Golden Chickens' multi-layer architecture and the MaaS's multi-client business model, researchers stress the challenges of performing accurate attribution for cyberattacks.


Russian Hackers Targeted an Oil Refinery in a NATO Nation

 

A hacker gang with Russian ties attempted to enter a petroleum refining business in a NATO member state in late August, the latest report by Palo Alto’s Unit 42 revealed. 

According to the report, the attempted intrusion, which appears to have been unsuccessful, took place on August 30 by a hacking group called “Trident Ursa" and was executed through spear phishing emails using English-named files with words like "military assistance." 

The news of Trident Ursa's most recent moves came just after National Security Agency Cyber Director Rob Joyce issued a warning that Russian state-sponsored hackers may target NATO nations' energy sectors in the upcoming months. 

According to Joyce, these attacks could have "spillover" effects on Ukraine's neighbors, such as Poland, where Microsoft recently issued a warning that Russian-backed hackers had intensified their operations on the nation's logistics sector, a crucial supporter of the Ukrainian military effort. 

Triton Ursa, also known as "Gamaredon" or "Armageddon," has connections to Russia's Federal Security Service and has been operating since at least 2014. It is primarily recognized for its phishing operations that gather intelligence. Since the commencement of the war in Ukraine, the gang has been quite active, and it has previously attempted to phish Ukrainian entities. 

The infiltration of a petroleum refining company was likely done to boost "intelligence gathering and network access against Ukrainian and NATO partners," according to the Unit 42 assessment. 

Trident Ursa is still one of the most "pervasive, intrusive, continually active and targeted APTs targeting Ukraine," according to Unit 42 researchers, who told CyberScoop, a cybersecurity portal, in an email that they don't think it has more than 10 members. 

“This group’s operations are regularly caught by researchers and government organizations, and yet they don’t seem to care. They simply add additional obfuscation, new domains, and new techniques and try again — often even reusing previous samples,” the report reads. 

Researchers claim that Trident Ursa is not technically advanced and instead relies on enticements and freely accessible resources. The gang uses geo-blocking to restrict their assaults, allowing users to download infected files only in selected nations. This lowers the visibility of their attacks and makes it harder to spot their efforts. 

The Russian hacker organization also exhibits some unusual preferences for choosing domain names that make pop culture references. According to Unit 42's analysts, some of the domains contain names of American basketball teams, well-known rock bands like Metallica and Papa Roach, and characters from the hit TV programme "The Big Bang Theory." 

The gang also has a pattern of harassing and abusing its rivals online. A Trident Ursa member going by the name "Anton" issued a warning on Twitter shortly after the Russian invasion of Ukraine, saying, "I'm coming for you." The gang appears to have named their subdomains after a Ukrainian cybersecurity expert.

Beware of this Lethal Malware that Employs Typosquatting to Siphon Banking Data

 

Disneyland Team, a Russian-speaking financial hacking group was identified using lethal info-stealing malware with confusing typosquatted domains to siphon login data for banking sites. 

The malicious campaign was discovered by Alex Holden, the founder of cybersecurity consulting firm Hold Security, and reported on by KrebsOnSecurity. 

According to the report, the hacking group specifically targets individuals compromised with a powerful banking malware called Gozi 2.0 (AKA Ursnif), which can siphon the data of internet-linked devices, and install additional malware.  

But Gozi is not as powerful as it used to be because search engine designers have launched multiple security measures over the years to nullify the threat of banking malware. But this is where typosquatting plays an important role by designing phishing websites with domain names that are common misspellings of websites. 

Take U.S. financial services company Ameriprise for example. Ameriprise employs the domain ameriprise.com. The Disneyland Team's domain for Ameriprise users is ạmeriprisẹ[.]com (the way it displays in the browser URL bar). The brackets are added to defang the domain.  

On observing carefully, you can make out small dots under the "a" and the second "e," and if you thought them to be specs of dust on your screen, you wouldn’t be the first one to fall for the visually confusing scam. These are not specs, though, but rather Cyrillic letters that the browser renders as Latin. 

So, when an individual falls into the trap laid by scammers and visits these bogus bank websites, it gets overlaid with the malware, which forwards anything the victim types into the legitimate bank’s website, while keeping a copy for itself. That way, when the real bank website returns with a multi-factor authentication (MFA) request, the fake website will request it too, effectively making the MFA useless.

“In years past, crooks like these would use custom-made “web injects” to manipulate what Gozi victims see in their Web browser when they visit their bank’s site, KrebsOnSecurity reported. “These could then copy and/or intercept any data users would enter into a web-based form, such as a username and password. Most Web browser makers, however, have spent years adding security protections to block such nefarious activity.”

Evolution of LilithBot Malware and Eternity Threat Group

A variant of the versatile malware LilithBot was recently uncovered by ThreatLabz in its database. This was connected to the Eternity group, also known as the Eternity Project, a threat entity affiliated with the Russian Jester Group, which has been operating since at least January 2022, according to further investigation.

In the darknet, Eternity disseminates many malware modules bearing the Eternity name, such as a stealer, miner, botnet, ransomware, worm+dropper, and DDoS bot.

LilithBot Malware

The distribution channels for the LilithBot that were found were a specialized Telegram group and a Tor connection that offered one-stop shopping for these multiple payloads. It included built-in stealer, clipper, and miner capabilities in addition to its primary botnet activity. 

The LilithBot multipurpose malware bot was discovered by Zscaler's ThreatLabz threat research team in July 2022 and was being offered as a subscription by the Eternity organization. In this campaign, the threat actor adds the user to its botnet and then steals files and user data by sending it via the Tor network to a command-and-control (C2) server. The malware in this campaign performs the functions of a stealer, miner, clipper, and botnet while using false certificates to avoid detection.

This malware-as-a-service (MaaS) is unusual because, in addition to using a Telegram channel to share updates on the latest features, it also uses a Telegram Bot to let customers create the binary. Common cryptocurrencies accepted by Eternity for payments include BTC, ETH, XMR, USDT, LTC, DASH, ZEC, and DOGE. Eternity often conducts business via Telegram.

If the buyer requests it, hackers will construct viruses with add-on functionality and offer customized viruses. The infection costs from $90 and $470 in USD. The Eternity Telegram channel demonstrates the frequent upgrades and improvements the team makes to its services.

The Eternity gang frequently refers users to a dedicated Tor link where a detailed description of their various viruses and their features may be found. The Tor link takes you to the homepage, where you can learn more about the different products and modules you may buy. The targeted user's files and documents are encrypted by the malware. A specific video explaining how to create the ransomware payload is available on the Tor page. Their Ransomware is the most expensive item on sale. For yearly membership, Eternity Stealer costs $260.
  • Eternity Miner as a yearly subscription costs $90.
  • Eternity Miner ($90 )as an annual subscription 
  • Eternity Clipper ($110 )
  • Eternity Ransomware ($490)
  • Eternity Worm ($390)
  • Eternity DDoS Bot (N/A) 

It is adaptable to the unique needs of clients and can constantly be updated at no further cost. They also provide their clients with numerous additional discounts and perks.

It is possible that the organization is still carrying out these tasks as the LilithBot malware has developed, but doing so in more complex ways, for as by completing them dynamically, encrypting the tasks like other areas of code, or employing other cutting-edge strategies.

The 'Microsoft Code Signing PCA' certificate authority issues a valid Microsoft-signed file, and it will also show a countersignature from Verisign. But as research is seen, LilithBot's bogus certificates lack a countersignature and appear to have been granted by the unverified Microsoft Code Signing PCA 2011.

Ukraine Neutralizes Pro-Russian Hacking Group for Selling Data of 30 million Accounts

 

The cyber department of Ukraine‘s Security Service (SSU) has dismantled a hacking group acting on behalf of Russian interests operating from Lviv, the largest city in western Ukraine. 

The malicious group sold 30 million accounts belonging to residents from Ukraine and the European Union on the dark web accumulating a profit of $372,000 via banned electronic payment systems YuMoney, Qiwi, and WebMoney, in Ukraine. 

As per the SSU’s press release, the hackers were pro-Kremlin propagandists who primarily targeted Ukrainian citizens and people in Europe to exfiltrate the private details of unsuspecting users. 

The malicious actors exploited these accounts to spread chaos and panic in the region through disinformation campaigns and to encourage wide-scale destabilization in Ukraine through fake news.

“Their wholesale customers were pro-Kremlin propagandists. It was they who used the received identification data of Ukrainian and foreign citizens to spread fake news from the front and create panic. The goal of such manipulations was large-scale destabilization in countries,” the Security Service of Ukraine (SSU) stated. “It was also established that hacked accounts were allegedly used on behalf of ordinary people to spread disinformation about the socio-political situation in Ukraine and the EU.”

During the searches, the law enforcement agencies seized magnetic disks containing private data as well as computer equipment, mobile phones, SIM cards, and flash drives containing evidence of illegal activities from the searches carried out at the hackers’ homes. 

“Currently, the organizer has been notified of the suspicion under Part 1 of Art. 361-2 (unauthorized sale or distribution of information with limited access, which is stored in electronic computing machines (computers), automated systems, computer networks or on media of such information) of the Criminal Code of Ukraine,” SSU concluded. 

Ukrainian organizations facing the heat 

Multiple hackers from across the globe have tried to capitalize on the ongoing conflict between Russia and Ukraine to launch a barrage of cyberattacks. Earlier this year in June, the malicious actors targeted the Ukrainian streaming service Oll.tv and replaced the broadcast of a football match between Ukraine and Wales with Russian propaganda. 

One month later in July, the anonymous hacking group targeted Ukrainian radio operator TAVR Media to spread fake news that Ukrainian President Volodymyr Zelensky was hospitalized and in critical condition. 

The hackers broadcasted reports that the Ukrainian President was in an intensive care ward and that his duties were being temporarily performed by the Chairman of the Ukrainian parliament Ruslan Stefanchuk, the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) stated.

Ransomware Exposed Stolen Data From Cisco on Dark Web

Yanluowang ransomware Gang has published Cisco Systems' stolen data on the dark web and following the data leak, Cisco confirmed that the data was stolen from its network during an intrusion that took place in May. 

Cisco Security Incident Response (CSIRT) conducted an investigation wherein it was found that the attackers acquired control of a personal Google account that had the credentials saved in the browser. The threat actors compromised these credentials to launch voice phishing attacks. The idea behind the attacks was to lure the targeted employee into accepting the MFA notification. 

Cisco revealed in a report published in August that the firm's networks had been infiltrated by the Yanluowang ransomware after hackers gained access to an employee's VPN account. The company further asserted that the only information taken was employee login information from Active Directory and non-sensitive files saved in a Box account.

Once the threat actors obtained the employee's Cisco credentials, the hackers employed social engineering and other techniques to get beyond multi-factor authentication (MFA) and gather more data.

After gaining initial access, the hackers registered a list of new devices for MFA, authenticated effectively to the Cisco VPN, and dropped multiple tools in the victim network including RATs such as LogMeIn, TeamViewer, Cobalt Strike, PowerSploit, Mimikatz, and Impacket, as per Security Affairs. 

Over the weekend, Cisco said in an update that "the content of these files matched what we have detected and released.  We continue to see no effect on the business, including Cisco goods or services, confidential customer data or sensitive employee data, copyrights, or supply chain activities, which is consistent with our previous examination of this incident."

The researchers at the cybersecurity firm eSentire linked Yanluowang with "Evil Corp" (UNC2165), the Lapsus$ gang, and FiveHands malware (UNC2447).

The hacked Google account of an employee that had enabled password synchronization through Google Chrome and saved their Cisco details in the browser allowed the thieves to initially access the Cisco VPN.

The leader of Yanluowang ransomware told BleepingComputer that they had stolen thousands of files totaling 55GB from a cache that contained sensitive information including technical schematics and source code. The hacker did not offer any evidence. The only thing they provided was a screenshot showing access to what seemed like a development system. 

Erich Kron, security awareness advocate at security awareness training company KnowBe4 implies that it goes unsaid that Cisco decided against paying the ransom demanded by the ransomware group, which resulted in the stolen data being posted. 


Conti Gang Doppelganger Adopts Recycled Code 

A ransomware attack from a brand-new gang dubbed 'Monti,' which primarily exploits Conti code has come to the surface. 

The Monti ransomware was found and revealed by MalwareHunterTeam on Twitter on June 30, but Intel471 and BlackBerry independently announced their study into Monti on September 7th.

The malware's developers constitute a well-known ransomware group that has launched numerous attacks. They operate under "Wizard Spider" and could be linked with the global Trickbot cybercrime ring. 

Reportedly, the cybercrime group that has a base in Russia, supports the Russian government's goals, particularly the Ukraine conflict. 

In return for a portion of the ransom money collected, the Conti gang offers 'its members' access to its software. The group's ability to scale operations is a direct result of the aforementioned. The group resorts to the ransomware as a service (RaaS) approach to disseminate the infection.

According to Intel471, "Monti might be a rebranded version of Conti or even a new ransomware version that has been developed utilizing the disclosed source code," it was published on February. It really doesn't appear like Monti has been involved in enough activities for the security company to establish a connection to Conti." 

Since the Conti disclosures in February effectively handed Monti malicious actors a step-by-step roadmap to mimicking Conti's notoriously successful actions, BlackBerry appears to be more certain that Monti is a copycat than a legitimate successor to its namesake.

Apart from one, Monti threat actors used the Action1 Remote Monitoring and Maintenance (RMM) agent, and the majority of Indicators of Compromise (IOCs) discovered by the BlackBerry IR team in the Monti attack were also detected in prior Conti ransomware attacks. 

Experts want to highlight a useful technique that was made feasible by our awareness of the code repetition before  Monti's reuse of Conti's encryptor code. 

The BlackBerry IR team was aware that Conti encryptor payloads do not always completely encrypt each file because we were familiar with Conti v2 and v3 encryptor payloads. Source code research reveals that Conti payloads combine a file's location, type, and size to decide which encryption techniques to employ. 

The BlackBerry IR team was able to recover completely, unencrypted strings from encrypted log files because of this information.

Conti's activities have slowed down recently, some experts have proposed that Conti's reduced activity is the consequence of a rebranding effort similar to those undertaken by various ransomware strains in the past, perhaps involving several members of the Conti gang. Other sources claim that other RaaS firms, like Karakurt and BlackByte, have engaged former Conti operators.

Whether Conti is being dubbed Monti to spoof the earlier strain or it is simply another new ransomware variety remains unclear, we will probably continue to see this new version have an impact on organizations all around the world. However, utilizing publicly accessible binaries to develop fresh ransomware or relaunch an old one would potentially offer defenders a head start as Monti develops.





Killnet Targets Japanese Government Websites

According to investigation sources on Wednesday, the Tokyo Metropolitan Police Department intends to look into the recent website outages of the Japanese government and other websites that may have been brought on by cyberattacks by a Russian hacker organization.  

As per Chief Cabinet Secretary Hirokazu Matsuno, the government is apparently investigating if issues with the aforementioned sites were brought on by a denial-of-service (DDoS) attack. 

As per experts, access to the government's e-Gov portal website, which provides a wealth of administrative information, temporarily proved challenging on Tuesday.  

The pro-Russian hacker collective Killnet claimed responsibility for the attack and alleged it had attacked the electronic system of the tax authority and Japan's online public services in a post on the messaging app Telegram. Furthermore, it appeared that the hacker collective wrote that it was an uprising over Japan's 'militarism' and that it kicked the samurai. 
 
However, as per Sergey Shykevich, manager of Check Point Software's threat intelligence group, Killnet was likely responsible for these attacks.  

Killnet's justification for these strikes, according to Shykevich, "is owing to Japan's support of Ukraine in the ongoing Russia-Ukraine war, as well as a decades-long dispute over the Kuril Islands, which both sides claim control over."

As per the sources, the MPD will look into the cases by gathering specific data from the affected businesses and government bodies. The National Police Agency will assess whether the hack on the e-Gov website qualified as a disruption that materially impairs the operation of the government's primary information system as defined by the police statute, which was updated in April.

The cybersecurity expert added that firms in nations under attack by Killnet should be aware of the risks because the group employs a variety of tactics, such as data theft and disruptive attacks, to achieve its objectives. 

Following a recent large-scale attack by Killnet on websites in Italy, Lithuania, Estonia, Poland, and Norway, there have been allegations of attacks targeting Japanese government websites.





Hacker's Spread ModernLoader, XMRig Miner Malware

 


During March and June 2022, Cisco Talos researchers discovered three distinct but connected campaigns that were spreading various malware to victims, including the ModernLoader bot, RedLine info-stealer, and cryptocurrency miners.

The hackers spread over a targeted network via PowerShell,.NET assemblies, HTA, and VBS files before releasing further malware, like the SystemBC trojan and DCRat, to enable different stages of its exploits, according to a report by Cisco Talos researcher Vanja Svajcer.

Cisco Talos further said that the infections were caused by a previously unidentified but Russian-speaking spyware, that used commercial software. Users in Bulgaria, Poland, Hungary, and Russia were among the potential targets. 

The first stage payload is an HTML Application (HTA) file that executes a PowerShell script stored on the command-and-control (C2) server to start the deployment of interim payloads that eventually use a method known as process hollowing to inject the malware.

ModernLoader (also known as Avatar bot), a straightforward.NET remote access trojan, has the ability to download and run files from the C2 server, run arbitrary instructions, acquire system information, and alter modules in real-time. 

Additionally, the actors dispersed across a targeted network using PowerShell,.NET assemblies, HTA, and VBS files before releasing additional malware, such as the SystemBC trojan, and DCRAT, to carry out various operations related to their activities.

It is challenging to identify a specific adversary behind this behavior because the attackers used various commercially available tools, according to Cisco Talos.

Despite the lack of clarity surrounding attribution, the business reported that threat actors used ModernLoader as the final payload in all three campaigns. This payload then functioned as a remote access trojan (RAT) by gathering system data and delivering further modules.

In addition, two older attacks from March 2022 were discovered by Cisco's analysis. These campaigns use ModerLoader as its principal malware C2 communication tool and also spread other malware, such as XMRig, RedLine Stealer, SystemBC, DCRat, and a Discord token stealer, among others. 

Days prior to the publication of the piece, the corporation hosted a webinar in which it reaffirmed its cybersecurity support for Ukraine in honor of the nation's Independence Day.

Russian-Linked Hackers Target Estonia

 

In response to the government's removal of a monument honoring Soviet World War II veterans, a pro-Kremlin hacker group launched its greatest wave of cyberattacks in more than ten years, which Estonia successfully repelled.

Luukas Ilves, Estonia's under-secretary for digital transformation at the Ministry of Economic Affairs and Communications, stated that "yesterday saw the most significant cyberattacks against Estonia since 2007".

According to reports, the former Soviet state removed a Red Army monument from Tallinn Square this week, and the eastern city of Narva also got rid of a Soviet-era tank. After Russia invaded Ukraine, the authorities vowed to remove hundreds of these monuments by the end of the year.

On Wednesday, the Russian hacker gang Killnet claimed responsibility for the attacks and stated a wave of DDoS attacks have allegedly been launched against the 200 websites of public and private sector organizations in response, including an online citizen identity system. 

A replica Soviet Tu-34 tank from World War II was taken off the public display on Tuesday in the town of Narva, close to Estonia's border with Russia, and brought to the Estonian War Museum in Viimsi, according to Killnet, which claimed responsibility for a similar attack against Lithuania in June.

It's worth noting as based on sources, that the DDoS attacks timed with a Russian media fake news campaign alleging that the Estonian government was destroying Soviet war graves. The country's ethnic Russians reportedly rioted as a result of this.

Estonia's Cybersecurity 

According to the National Cyber Security Index, the nation has a 17 percentage point advantage over the average for Europe and is placed third in the ITU Global Cybersecurity Index 2020. 

After experiencing significant DDoS attacks on both public and private websites in 2007, Estonia, a country that is a member of the European Union and NATO, took steps to strengthen its cybersecurity. It attributed these attacks to Russian actors who were enraged over the removal of another Soviet-era monument at the time.

The nation's e-government services, along with other industries including banking and the media, were significantly disrupted throughout the weeks-long campaign. The dismantling of a monument honoring the Soviet Red Army also sparked the attacks.

The Tallinn memorial served as a grim reminder of Estonia's 50 years of Soviet captivity to the government and many Estonians, while other ethnic Russians saw its removal as an attempt to obliterate their past. 

The incident did, however, motivate the government to step up its cybersecurity efforts, and as a result, it is today thought to have one of the best defensive positions of any international government.











Microsoft: Phishing Alert Over Russian-Related Threats

As part of the cybercrime gang's illegal surveillance and data theft operations, Microsoft claims to have banned accounts used by the Seaborgium troupe, which has ties to Russia, to spam and exploit login information.

In order to identify employees who work for the victims, the hackers exploited bogus LinkedIn profiles, email, OneDrive, and other Microsoft cloud services accounts.

Microsoft is keeping tabs on the cluster of espionage-related activities under the chemical element-themed moniker SEABORGIUM, which it claims is associated with a hacker organization also known as Callisto, COLDRIVER, and TA446.

Coldriver, alias Seaborgium, was accused of running a hack-and-leak campaign resulting in the publication of documents that were purportedly obtained from high-ranking Brexit supporters, including Richard Dearlove, a former British agent. 

Targets &Tactics

Microsoft reported that it had seen "only very modest changes in their social engineering tactics and in how they deliver the initial malicious URL to their targets."

The main targets are think tanks, higher education institutions, non-governmental and intergovernmental organizations (IGOs), defense and intelligence consulting firms, and to a lesser extent, nations in the Baltics, Nordics, and Eastern Europe.

Former secret services, Russian affairs experts, and Russian nationals living abroad are further subjects of interest. It is estimated that more than 30 businesses and individual accounts were infected.

The process begins with the reconnaissance of potential targets using fictitious personas made on social media sites like LinkedIn, and then contact is established with them through neutral email messages sent from recently registered accounts that have been set up to match the names of the fictitious subjects.

If the target falls prey to the malicious code tactic, hackers launch the attack sequence by sending a weaponized message that contains a PDF document that has been compromised or a link to a file stored on OneDrive. 

According to Microsoft, "SEABORGIUM also abuses OneDrive to host PDF files that contain a link to the malicious URL.  Since the start of 2022, The actors have included a OneDrive link in the email body that, when clicked, takes the subscriber to a PDF file held within a SEABORGIUM-controlled OneDrive account."

Additionally, it has been discovered that the adversary conceals its operational network using open redirects which appear to be innocent to drive visitors to the malicious server, which then asks them to input their credentials in order to view the material.

The last stage of the attack involves leveraging the victim's email accounts with the stolen login information, exploiting the illegal logins to exfiltrate emails and attachments, setting up email forwarding rules to assure ongoing data gathering, and executing other key work.

Caution

According to Redmond, "SEABORGIUM has been spotted in a number of instances employing their impersonation accounts to encourage dialog with certain people of interest and, as a result, were involved in conversations, sometimes unintentionally, involving several users."

The enterprise security firm Proofpoint noted the group's propensity for reconnaissance and skilled impersonation for the delivery of malicious links. Proofpoint records the actor under the moniker TA446.

As per Microsoft, there are steps that may be taken to counter Seaborgium's strategies. This entails turning off email auto-forwarding and configuring Office 365 email settings to stop fake emails, spam, and emails containing viruses.

The security team also suggests utilizing more secure MFA techniques, such as FIDO tokens or authenticator tools with number matching, in place of telephony-based MFA and demanding multi-factor authentication (MFA) for all users from all locations, even those that are trusted.

14 Account's Email System Targeted the Green Party of Germany

 

The foreign minister Annalena Baerbock and the economy minister Robert Habeck's email accounts were both compromised last month, according to the German Green party, which is a member of the coalition government of the nation. 

The party acknowledged a revelation published on Saturday by the German magazine Der Spiegel, but claimed that the two had stopped using official party accounts since January.

According to a report on a German magazine Der Spiegel on Thursday, the Green Party said that a total of 14 accounts, including the party's co-leaders' Omid Nouripour and Ricarda Lang, were also hacked and that certain messages were sent to other servers. The article further read that the attack also had an impact on the party's "Grüne Netz" intranet IT system, where private information is exchanged.

The party declined to acknowledge Der Spiegel's claim that an electronic trace suggested the cyberattack may have originated in Russia because of the current investigation by German authorities.

"More than these email accounts are affected," the party official claimed. The topic concerns emails using the domain "@gruene.de." The representative stated that it was yet unknown who had hacked in. The first indication of the attack came on May 30 and since June 13, when specialists determined that there had been a breach, access to the system has been restricted. 

Authorities blamed the unauthorized access on Russian state-sponsored hackers. Baerbock has consistently taken a harsh approach in response to Russia's abuse of human rights and aggression against Ukraine. Since taking office in December, Habeck has been in charge of Germany's initiatives to wean itself off of Russian energy sources.

Network logs, according to the Greens, did not reflect any signs of the increased traffic levels that would indicate the theft of a significant amount of data.

Millions of Loan Applicant's Data is Leaked via an Anonymous Server

The security team at SafetyDetectives, led by Anurag Sen, revealed the specifics of a misconfigured Elasticsearch server that exposed the personal information of millions of loan applicants. The information primarily came from individuals who applied for microloans in Ukraine, Kazakhstan, and Russia. 

The server was identified randomly on December 5th, 2021, while monitoring specific IP addresses. Since the anonymous server lacked authentication mechanisms, it was left vulnerable and unprotected, resulting in the loss of over 870 million records and 147GB of data. 

SafetyDetectives couldn't identify the server's host. Customers' logs from a variety of microloans providers' websites were stored on a server, however, the majority weren't financial services like lenders or banks, but rather third-party intermediates who operate as a link between the loan firm and the applicant. The majority of the data in the server's logs were in Russian which led experts to conclude that the server is owned by a Russian corporation. 

Different types of personal information (PII) and sensitive user data were revealed in this leak, according to SafetyDetectives researchers, including details of users' "internal passports" and other types of data. Internal passports are used to substitute for national IDs in Russia and Ukraine. They are only valid within the country's borders. 

The internal passport details revealed in the exposed data include Marital status Gender, Birthdate, location, physical address, full name, including first, middle, and patronymic names. Number of passports, issue/expiration dates, and serial number. Some of the disclosed information, including cities, names, addresses, and issued by places, was written in Cyrillic script, which is generally utilized in Asia and Europe.

This vulnerability is estimated to affect around 10 million users. Most INNs belonged to Ukrainians, but several server logs and passport numbers belonged to Russians. The server was based in the Dutch city of Amsterdam. 

On December 14th, 2021, SafetyDetectives contacted the Russian CERT, and the Dutch CERT on December 30th, 2021. Both, though, declined to assist. On January 13th, 2022, the server's hosting company was informed, and the server was secured the same day. Given the scope and type of the data exposed, the event might have far-reaching consequences.

Caramel Credit Card Theft is Proliferating Day by Day

 

A credit card stealing service is gaining traction, providing a simple and automated option for low-skilled threat actors to enter the sphere of financial fraud. Credit card skimmers are malicious scripts that are put into compromised e-commerce websites and wait patiently for customers to make a purchase. 

Following a purchase, these malicious scripts capture credit card information and transport it to remote sites, where threat actors can collect it. Threat actors then use these cards to make online purchases for themselves or sell the credit card information to other threat actors on dark web markets for as little as a few dollars. Domain Tools found the new service, which claims that it is run by a Russian criminal outfit called "CaramelCorp." 

Subscribers receive a skimmer script, deployment instructions, and a campaign management panel, which includes everything a threat actor needs to start their own credit card stealing campaign. Caramel only sells to Russian-speaking threat actors after a first verification procedure that weeds out individuals who use machine translation or are new to the sector. 

A lifetime subscription costs $2,000, which isn't cheap for aspiring threat actors, but it includes complete customer service, code upgrades, and growing anti-detection methods for Russian-speaking hackers. 

The "setInterval()" technique, which exfiltrates data between preset periods, is used to acquire credit card data. While it may not appear to be an efficient strategy, it can be used to collect information from abandoned carts and completed purchases. Finally, the campaigns are managed through a panel that allows the subscriber to monitor the affected e-shops, configure the gateways for obtaining stolen data, and more. 

While Caramel isn't new, and neither are skimming campaigns. In December 2020, Bleeping Computer discovered the first dark web posts offering the kit for sale. Caramel has grown in popularity in the underground scene thanks to continued development and advertising. The existence of Caramel and other similar skimming services lowers the technical barrier to starting up and managing large-scale card skimming campaigns, potentially increasing the prevalence of skimmer operations. 

One can defend themself from credit card skimmers as an e-commerce platform user by utilising one-time private cards, putting up charging limitations and prohibitions, or just using online payment methods instead of cards.

Data Stolen From Parker Hannifin was Leaked by the Conti Gang

 

Several gigabytes of data allegedly taken from US industrial components major Parker Hannifin have been leaked by a known Conti gang. Parker Hannifin is a motion and control technology business which specializes in precision-built solutions for the aerospace, mobile, and industrial industries. 

The Fortune 250 business said in a legal statement on Tuesday, the compromise of its systems was discovered on March 14. Parker shut down several systems and initiated an inquiry after detecting the incident. Law enforcement has been alerted, and cybersecurity and legal specialists have been summoned to help. Although the investigation is ongoing, the company announced some data, including employee personal information, was accessed and taken. 

"Relying on the Company's early evaluation and currently available information, the incident has had no major financial or operational impact, and the Company does not think the incident will have a significant impact on its company, operations, or financial results," Parker stated. "The Company's business processes are fully operating, and it retains insurance, subject to penalties and policy limitations customary of its size and industry." 

While the company has not shared any additional details regarding the incident, cybersecurity experts have learned the infamous Conti gang has taken credit for the Parker breach. More than 5 GB of archive files supposedly comprising papers stolen from Parker have been leaked by the hacker group. However, this could only be a small percentage of the data they've obtained; as per the Conti website, only 3% of the data theft has been made public. Usually, hackers inform victims they must pay millions of dollars to restore encrypted files and avoid stolen information from being leaked. 

Conti ransomware is a very destructive malicious actor because of how quickly it encrypts data and transfers it to other computers. To gain remote access to the affected PCs, the organization is using phishing attempts to deploy the TrickBot and BazarLoader Trojans. The cyber-crime operation is said to be led by a Russian gang operating under the Wizard Spider moniker and members of Conti came out in support of Russia's invasion of Ukraine in February.

Conti data, such as malicious source code, chat logs, identities, email addresses, and C&C server details, have been disclosed by someone pretending to be a Ukrainian cybersecurity researcher. Conti works like any other business, with contractors, workers, and HR issues, as revealed by the released documents. Conti spent about $6 million on staff salaries, tools, and professional services in the previous year, according to a review conducted by crisis response firm BreachQuest.

Conti and other ransomware organizations continue to pose a threat to businesses and ordinary services, and measures should be taken to help prevent a severe cyberattack.