
Microsoft’s Breach Notification Emails Wind Up in Spam Folder


Midnight Blizzard, a Russian nation-state hacker gang, breached Microsoft's security last year, gaining access to the emails of multiple customers. In late June, Microsoft revealed that more organisations were affected than previously assumed. However, the company's attempts to notify users may not have reached the intended recipients. 

According to Kevin Beaumont, a cybersecurity expert and former senior threat intelligence analyst at Microsoft, the company chose to notify affected victims via email. 

“The notifications aren’t in the portal – they emailed tenant admins instead. The emails can go into spam, and tenant admin accounts are supposed to be secure breakglass accounts without email. They also haven’t informed orgs via account managers,” Beaumont stated on LinkedIn. 

Apart from Beaumont's warnings, there is some evidence that Microsoft customers are genuinely perplexed. On a Microsoft support page, one customer posted the email their company had received in an attempt to determine whether it was a real Microsoft email. 

Others commented on Beaumont's post, alleging that several organisations misunderstood Microsoft's email for a phishing attempt and deleted it or marked it as spam. The breach notification emails allegedly lacked basic email authentication tools including SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). 

“Well, at first glance, this did not inspire trust for the recipients, who started asking in forums or reaching out to Microsoft account managers to eventually confirm that the email was legitimate...weird way for a provider like this to communicate an important issue to potentially affected customers,” the Greece-based cybersecurity consultant noted. 

In January, Microsoft admitted that Midnight Blizzard attempted to hack the tech giant's internal systems. The same hacking group was behind the infamous SolarWinds hack, which caused havoc on US government installations in 2020.

Microsoft Alerts Users as Russian Hackers Target Windows Systems


As advancements in AI technology continue to unfold, the specter of cybercrime looms larger each day. Among the chorus of cautionary voices, Microsoft, the eminent IT behemoth, adds its warning to the fray.

Microsoft's Threat Intelligence researchers have issued a stark advisory to Windows users regarding the targeted assaults orchestrated by Russian state-sponsored hackers wielding a sophisticated tool.

These hackers, known in some circles as APT28 or Fancy Bear, but tracked by Microsoft under the moniker Forest Blizzard, have close ties to Russia's GRU military intelligence agency.

GooseEgg is a tool wielded with the aim of siphoning data and surreptitiously establishing backdoors within computer systems. Forest Blizzard, alias APT28, has deployed GooseEgg in a series of calculated strikes targeting governmental entities, educational institutions, and transportation firms across the United States, Western Europe, and Ukraine.

Their modus operandi centers predominantly on the strategic acquisition of intelligence. Evidence suggests that the utilization of GooseEgg may have commenced as early as June 2020, with the possibility of earlier incursions dating back to April 2019.

In response to the threat landscape, a patch addressing a vulnerability identified as CVE-2022-38028 was released by Microsoft in October 2022. GooseEgg, the nefarious tool in the hackers' arsenal, exploits this particular weakness within the Windows Print Spooler service.

Despite its deceptively simple appearance, the GooseEgg program poses an outsized threat, granting attackers elevated permissions and enabling a litany of malicious activities. From the remote execution of malware to the surreptitious installation of backdoors and the seamless traversal of compromised networks, the ramifications are profound and far-reaching.

Microsoft Claims Russian Hackers are Attempting to Break into Company Networks.


Microsoft warned on Friday that hackers affiliated with Russia's foreign intelligence service were attempting to break into its systems again, using data collected from corporate emails in January to seek new access to the software behemoth, whose products are widely used throughout the US national security infrastructure.

Some experts were alarmed by the news, citing concerns about the security of systems and services at Microsoft, one of the world's major software companies that offers digital services and infrastructure to the United States government. 

The tech giant revealed that the intrusions were carried out by a Russian state-sponsored outfit known as Midnight Blizzard, or Nobelium.

The Russian embassy in Washington did not immediately respond to a request for comment on Microsoft's statement, nor on Microsoft's earlier statements regarding Midnight Blizzard activity.

Microsoft reported the incident in January, stating that hackers attempted to break into company email accounts, including those of senior company executives, as well as cybersecurity, legal, and other services. 

Microsoft's vast client network makes it unsurprising that it is being attacked, according to Jerome Segura, lead threat researcher at Malwarebytes' Threatdown Labs. He said that it was concerning that the attack was still ongoing, despite Microsoft's efforts to prevent access. 

Persistent Threat

Several experts who follow Midnight Blizzard claim that the group has a history of targeting political bodies, diplomatic missions, and non-governmental organisations. Microsoft claimed in a January statement that Midnight Blizzard was probably gunning for it because the company had conducted extensive research into the hacking group's activities. 

Since at least 2021, when the group was discovered to be responsible for the SolarWinds cyberattack that compromised a number of U.S. federal agencies, Microsoft's threat intelligence team has been looking into and sharing research on Nobelium.

The company stated on Friday that the ongoing attempts to compromise Microsoft are indicative of a “sustained, significant commitment of the threat actor's resources, coordination, and focus.” 

“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found,” the company added. “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.”

HP Enterprise Reveals Hack Conducted by State-backed Russian Hackers


Hewlett Packard Enterprise (HPE) reported on Wednesday that suspected state-backed Russian hackers had attacked its cloud-based email system and stolen security and employee data.

In a Securities and Exchange Commission filing, the IT product provider noted that the attack was detected on January 12. It suspects that the group linked to Russia’s foreign intelligence service, ‘Cozy Bear’, was behind the attack.

“Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,” HPE, which is based in Spring, Texas, said in the filing.

HPE spokesperson Adam R. Bauer, contacted by email, did not make clear who exactly informed HPE of the breach. “We’re not sharing that information at this time,” he said. Bauer noted that the compromised mailboxes were running Microsoft software.

In the filing, HPE said the intrusion was “likely related to earlier activity by this threat actor, of which we were notified in June 2023, involving unauthorized access to and exfiltration of a limited number of SharePoint files.” SharePoint is part of Microsoft’s 365 suite, formerly known as Office, which includes email, word-processing and spreadsheet apps.

HPE is unable to say whether the network compromise was connected to the intrusion that Microsoft revealed last week, since "we do not have the details of the incident Microsoft disclosed," according to Bauer.

He also did not specify where the affected employees, whose accounts the hackers had access to, sat in the company’s hierarchy. 

According to the sources, “The total scope of mailboxes and emails accessed remains under investigation.” 

As per the report, HPE has ascertained that the intrusion has not had any significant effect on the company's financial stability or operations. Both announcements coincide with the implementation one month ago of a new rule by the U.S. Securities and Exchange Commission requiring publicly traded corporations to report security breaches that may hurt their operations. Unless they are granted a national security waiver, they have four days to comply with this.  

Midnight Blizzard: Russian Threat Actors Behind Microsoft Corporate Emails’ Breach


On Friday, Microsoft disclosed that some of its corporate accounts suffered a breach in which some of its data was compromised. The attack was conducted by a Russian state-sponsored hacking group named “Midnight Blizzard.”

The attack was first detected on January 12th, and Microsoft in its initial investigation attributed it to the Russian threat actors widely known as Nobelium or APT29.

Microsoft says the threat actors began the attack in November 2023 with a password spray against a legacy non-production test tenant account. 

Password Spray Attack

A password spray attack is a type of brute force attack where threat actors collect a list of potential login names and then attempt to log in to all of them using a particular password. If that password fails, they repeat this process with other passwords until they run out or successfully breach the account.

Since the hackers were able to access the account using a brute force attack, it evidently lacked two-factor or multi-factor authentication.
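The spray pattern described above (one password tried across many accounts, so each account sees only one or two failures) is the inverse of a classic brute-force signature, which is why per-account lockout thresholds miss it. The following detector is an added example, not code from the original post or from Microsoft: it assumes a constructed log format of `timestamp username source_ip result`, groups failures by source address, and flags a source that touches many distinct usernames within a window while hitting each only a few times, also recording any account that source did log into so responders know what to treat as compromised.

```python
"""Password-spray detection over authentication log lines (added example).

Assumed log format (constructed for this example, not a real product's):
    <ISO-8601 timestamp> <username> <source_ip> <FAIL|SUCCESS>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: 198.51.100.7 sprays one password across many
# accounts and finally gets into a (hypothetical) legacy test account;
# 203.0.113.5 is an ordinary user mistyping their own password twice.
SAMPLE_LOG = """\
2023-11-20T09:00:01Z alice 198.51.100.7 FAIL
2023-11-20T09:00:03Z bob 198.51.100.7 FAIL
2023-11-20T09:00:05Z carol 198.51.100.7 FAIL
2023-11-20T09:00:08Z dave 198.51.100.7 FAIL
2023-11-20T09:00:11Z erin 198.51.100.7 FAIL
2023-11-20T09:00:14Z frank 198.51.100.7 FAIL
2023-11-20T09:00:17Z grace 198.51.100.7 FAIL
2023-11-20T09:00:20Z test-tenant-admin 198.51.100.7 SUCCESS
2023-11-20T09:01:00Z heidi 203.0.113.5 FAIL
2023-11-20T09:01:30Z heidi 203.0.113.5 FAIL
2023-11-20T09:02:00Z heidi 203.0.113.5 SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, username, source_ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: details} for sources whose failures look like a spray.

    A spray is flagged when, inside any sliding window of `window` length,
    a single source fails against at least `min_users` distinct usernames
    and no single username is tried more than `max_per_user` times.
    Brute force against one account (many failures, one user) is deliberately
    not matched here; that is what per-account lockout already covers.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])

    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in by_ip.items():
        failures = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        successes = sorted({u for _, u, r in evs if r == "SUCCESS"})
        best = None
        start = 0
        for end in range(len(failures)):
            # Advance the window start so it spans at most `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, u in failures[start:end + 1]:
                per_user[u] += 1
            distinct = len(per_user)
            if distinct >= min_users and max(per_user.values()) <= max_per_user:
                # Keep the widest matching window for this source.
                if best is None or distinct > best["distinct_users"]:
                    best = {
                        "distinct_users": distinct,
                        "failed_attempts": end - start + 1,
                        # Accounts this source did get into: treat as compromised.
                        "successful_logins": successes,
                    }
        if best is not None:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, details in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {ip}: {details}")
```

Thresholds are assumptions to tune per environment; the point is to alert on breadth of usernames per source rather than depth of failures per account.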

Microsoft claims that after taking control of the "test" account, the Nobelium hackers utilized it to access a "small percentage" of the company's email accounts for more than a month.

It is still unclear why a non-production test account would have the ability to access other accounts in Microsoft's corporate email system unless the threat actors utilized this test account to infiltrate networks and move to accounts with higher permissions.

Apparently, these breached accounts include members of Microsoft’s leadership team and employees assigned to the cybersecurity and legal departments, targeted by hackers to steal emails and attachments. 

"The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself," the Microsoft Security Response Center shared in a report on the incident.

"We are in the process of notifying employees whose email was accessed."

Microsoft reaffirms that the incident was caused by the brute force password attack, rather than by a vulnerability in its products or services.

However, it seems that Microsoft’s poorly managed security configuration played a major role in the success of the breach.

While this investigation is underway, Microsoft stated that they will release more information when it is appropriate.  

Prior to Cyber Attack, Russian Attackers Spent Months Inside the Ukrainian Telecoms Giant


Kyivstar experienced a large-scale malfunction in December 2023, resulting in the outage of mobile communications and the internet for about 24 million users for several days. 

How? Russian hackers broke into the Ukrainian telecommunications giant's system in May 2023. Ilya Vityuk, the chief of the Security Service of Ukraine's (SBU) cyber security department, told Reuters that the attack's aim was to inflict a psychological blow on the public and gather intelligence information. 

“This attack is a big message, a big warning, not only to Ukraine, but for the whole Western world to understand that no one is actually untouchable,” stated Vityuk. He said that hundreds of virtual servers and PCs were among the "almost everything" that the attack destroyed. 

Reuters writes this is most likely the first instance of a catastrophic cyberattack that destroyed a telecoms operator's core. This happened despite Kyivstar's significant investment in cyber security. The SBU discovered that hackers attempted to break into Kyivstar in March or earlier. 

“Now we can say [with certainty] that they were in the system at least since May 2023,” Vityuk added. “I cannot say right now, from when they had... full access: probably at least since November.” 

He leaves open the possibility that during the attack, Russian hackers may have located phones, intercepted SMS conversations, stolen personal information, and possibly stolen Telegram accounts. 

Kyivstar disputes the SBU's assessment of potential breaches, claiming that customer data was not exposed. The SBU further revealed that attempts continued to launch additional cyber attacks to inflict greater harm even after the provider's operations were resumed. 

The damage to the provider's systems makes it difficult to investigate the situation at this time. However, the SBU thinks that a gang of Sandworm hackers, a cyberwarfare unit of Russian military intelligence, may have been responsible for the attack. 

According to Vityuk, SBU investigators are still trying to figure out how Kyivstar was hacked and what kind of tools or software might have been used to get inside the system. They also indicated that it might have been phishing, insider help, or something else entirely. 

Vityuk claims that because the Ukrainian Armed Forces (AFU) employ "different algorithms and protocols" and do not depend on consumer-level communication carriers, the cyberattack had no effect on them. 

“Fortunately, this incident didn't have a significant impact on us in terms of missile and drone detection,” he concluded. The SBU warned that Russian hackers might try to attack Ukrainian mobile operators again.

Russian FSB Cyber Espionage: Navigating the Threat Landscape


The field of cybersecurity is always changing, and recent developments have refocused attention on Russian hackers and their purported participation in an elaborate cyber-espionage scheme. Russia's Federal Security Service (FSB) is suspected of leading a hack-and-leak operation that targeted the private communications of high-ranking officials.

The incident, as reported by various news outlets, underscores the persistent challenges faced by governments in safeguarding sensitive information and securing digital infrastructures. The timing of these revelations adds an additional layer of complexity to an already tense geopolitical environment.

The hacking campaign, attributed to the FSB by both UK and US authorities, involves the infiltration of private communications of senior politicians. The information obtained through these breaches is then strategically leaked, creating a potential minefield of diplomatic and political fallout. The targets and methods employed in these cyber-attacks reflect a level of sophistication highlighting the evolving capabilities of state-sponsored hacking entities.

As the world becomes increasingly interconnected, the consequences of cyber espionage extend far beyond individual privacy concerns. The alleged involvement of the FSB in such activities raises questions about the broader implications for international relations, trust between nations, and the need for more robust cybersecurity measures.

The Financial Times reports that Russian hackers may possess a trove of data yet to be leaked, heightening concerns about the potential impact on global affairs. The evolving nature of cyber threats requires constant vigilance and collaborative efforts on a global scale to fortify digital defenses.

"The cyber threat landscape is dynamic and complex, and defending against it requires a comprehensive approach that includes strong cybersecurity policies, advanced technologies, and international cooperation," emphasizes a statement from cybersecurity experts.

The Telegraph sheds light on the gravity of the situation, emphasizing the need for governments to reassess and strengthen their cybersecurity protocols. In an era where information is a valuable currency, protecting sensitive data from malicious actors is a paramount challenge.

As the international community grapples with the aftermath of these alleged FSB-backed cyber-attacks, one thing is clear: the landscape of global security is evolving, and nations must adapt swiftly to the changing nature of cyber threats. The recent events serve as a stark reminder that cybersecurity is not merely a technical challenge but a crucial aspect of modern statecraft, with implications that reverberate across borders.

Elliptic Claims: FTX Hacks Could Have Possible Connection to Russia


In November 2022, the disorderly collapse of the cryptocurrency exchange FTX resulted in a staggering $477 million hack. The previously inactive stolen funds became active just days before Sam Bankman-Fried, the founder and CEO of FTX, went on trial. Elliptic analysts have investigated the event in-depth, following the intricate blockchain trail left by the hackers and finding evidence of Russia's involvement. 

Elliptic’s Insight into the Hack 

According to a report by Elliptic – one of the largest providers of blockchain analytics and crypto compliance solutions – the hackers cleverly masked their activity by moving the stolen assets through a series of intricate transactions. They used private wallets and decentralized exchanges to make it more difficult to trace them. Elliptic was able to track the money, though, and discovered that the hackers distributed a sizable percentage of it to several locations after converting a considerable amount into ether. Potential connections to Russian actors are also revealed by Elliptic's on-chain analysis.

A Possible FTX Hack-Russia Connection 

According to Elliptic, Russia is potentially behind the FTX hack. Apparently, the hackers’ procedures and the subsequent movement of the stolen funds resemble tactics frequently linked to Russian cybercriminals.

The research firm claimed that the laundering tactics used post-theft are strikingly similar to those typically used by Russian hackers. The method they moved money, the private wallets they preferred, and their affinity for decentralized exchanges are all reminiscent of strategies Russian hackers have employed in the past.

The speed and efficiency with which the laundering of the stolen funds was carried out suggested that the campaign was well-planned by an experienced group of hackers. The suspects so far have included everyone from rogue FTX personnel carrying out an inside job to the North Korean hacking collective Lazarus, which has been linked to a number of crypto protocol hacks. While there may be several suspects, Russian threat actors check most of the boxes for the ones behind the hack.

Elliptic stated: “A Russia-linked actor seems a stronger possibility. Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges.”

Elliptic’s analysis not only emphasizes the significance of advanced blockchain analytics in confronting such challenges but also highlights the geopolitical implications present in cybercrime cases. With the swift developments in the digital currency realm, gaining insight into the origins and motivations behind these attacks has become important for both security measures and international diplomatic relations.  

FBI Warns Energy Sectors: Chinese and Russian Hackers may Actively Target Energy Sector


According to a recent notification sent by the FBI to the energy industry, changes in the global energy supply will most probably result in an increase in the number of Chinese and Russian hackers attacking significant energy infrastructure.   

The notification, released on Thursday, lists several contributing causes, including rising LNG exports from the United States, shifts in the global crude oil supply chain favoring the United States, continued Western pressure on Russia's energy supply, and China's reliance on imported oil. 

The alert, however, did not mention any particular advanced persistent threat (APT) group linked with China or Russia, nor did it cite any cybersecurity incident targeting critical infrastructure. Instead, it makes general mention of how appealing U.S. networks are to foreign hackers and cautions recipients that Chinese and Russian hackers are always looking to examine important systems and improve their capabilities to exploit vulnerabilities they find.

According to Brian Harrell, former assistant secretary for infrastructure protection at the Department of Homeland Security and now an energy sector executive, “Utilities see probing and low-level attempted attacks every day by the Russians and PRC.”

These low-profile attacks help hackers gain insight into important aspects of specific systems, such as where a target has open ports or what firewall restrictions are in place. “China doesn’t make a lot of noise, but the small localized intrusions are helping build their network attack capabilities, likely for future use[…]There’s no doubt that the energy sector is on the front lines of malicious cyber-activity right now as China preps the battlefield,” Harrell added.

As the notification suggests, Chinese hackers have exploited certain US entities by conducting “post-exploitation activity with generic reconnaissance commands using ‘live off the land’ tools.”

“Living off the land” means an attacker is exploiting tools or features that are already present in the target environment. For instance, sneaky varieties of ransomware like WannaCry and LockBit have covered their tracks and survived inside a network by using a default Windows binary, an existing piece of operating system code. 

The warning states that state-backed Chinese hackers have been targeting common vulnerabilities since 2020, in order to, “target US and allied networks and software/hardware companies to steal intellectual property and develop access into sensitive networks to include critical infrastructure, defense industrial base sectors, and private sector organizations.”

However, the FBI declined to comment on the notification.

The notification further highlights how the Russian invasion of Ukraine altered the world's energy supply chain, citing Western sanctions as a "significant driver" of recent changes in the LNG supply chain. According to the notification, the modification will probably lead to an increase in Russian hackers' targeting of the American energy sector.

In 2022, 74% of Europe’s LNG imports originated in the U.S., the notification said, noting that the US was able to meet European LNG demand. 

It also added that since 2016, Russian hackers have targeted state agencies and several US-based critical infrastructure sectors by, “staging targets networks as pivot points and malware repositories when targeting their final intended victims.”

Russian Cyber-Attacks and the Looming Threat of WW3

Russian cyberattacks have been on the rise alarmingly over the past few years, raising concerns among specialists about the possible repercussions. The threat that these cyberattacks will start a worldwide battle, commonly referred to as World War III, looms menacingly as tensions between Russia and its surrounding nations, particularly Ukraine, continue to simmer.

An alarm has been raised by the persistent nature of these Russian cyberattacks. Government officials and cybersecurity experts have frequently sounded the alarm and urged countries to strengthen their digital defenses. These assaults are a new kind of warfare that has the potential to develop into a major global disaster since they target vital infrastructure, governmental organizations, and private businesses.

Ukraine's vulnerability to sophisticated cyberattacks is one of the main worries. The majority of these digital offensives have targeted the nation, which has been in conflict with Russia over territorial concerns. Numerous high-profile cyberattacks against Ukraine have been linked to Russian hackers, including data leaks and devastating power outages. In addition to causing regional instability, these attacks draw in other parties.

The situation is exacerbated by Russia's evolving cyber capabilities. Russian state-sponsored hacking groups are constantly evolving and improving their tactics, making it increasingly challenging for cybersecurity experts to defend against them. These groups often operate with the support and protection of the Russian government, further complicating the issue.

While the term World War III may conjure images of a large-scale military conflict, it's essential to recognize that modern warfare has evolved. Cyber-attacks have become a potent tool in international disputes, capable of causing significant damage without traditional military engagement. The interconnectedness of our world means that a cyber-attack can have far-reaching consequences, affecting not only the target nation but also its allies and even neutral parties.

Nations must make significant investments in cybersecurity measures to reduce the prospect of World War III provoked by these unrelenting Russian cyberattacks. This involves enhancing information exchange and international cooperation, protecting vital infrastructure, and creating cutting-edge cybersecurity tools. Additionally, it is important to employ diplomacy to address the underlying reasons behind the hostilities between Russia and its neighbors while fostering communication and dispute resolution.

The persistent Russian cyberattacks pose a serious threat to world security and have sparked worries about the possibility of a third world war starting. Nations must work proactively to protect themselves from these attacks and look for peaceful ways to settle the underlying problems. The world must adjust to the blurring of the lines between peace and conflict in this digital age.

This Threat Actor Targeted NATO Summit Attendees


A Russia-linked threat actor known as RomCom has been targeting entities supporting Ukraine, including guests at the 2023 NATO Summit. The summit is taking place in Vilnius, Lithuania, and will discuss the war in Ukraine and new memberships in NATO, including Sweden and Ukraine itself.

RomCom has created malicious documents that are likely to be distributed to supporters of Ukraine. The threat actor appears to have dry-tested the delivery of these documents on June 22, a few days before the command-and-control (C&C) domain used in the campaign went live, BlackBerry explained.

The malicious documents are likely distributed via spear-phishing. They contain an embedded RTF file and OLE objects that initialize an infection chain that garners system information and delivers the RomCom remote access trojan (RAT).

At one stage in the infection chain, a flaw in Microsoft's Support Diagnostic Tool (MSDT) – CVE-2022-30190, also known as Follina – is exploited for remote code execution (RCE).

BlackBerry has identified the C&C domains and victim IPs used in this campaign. All of these were accessed from a single server that has been observed connecting to known RomCom infrastructure.

"Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine,” BlackBerry says.

BlackBerry has alerted relevant government agencies of this campaign. RomCom is also known as Void Rabisu and Tropical Scorpius, and is associated with the Cuba ransomware. The group was previously believed to be financially motivated, but recent campaigns have shown a shift in tactics and motivation, suggesting that they are now working for the Russian government.

Since at least October 2022, the RomCom backdoor has been used in attacks targeting Ukraine. These attacks have targeted users of Ukraine's Delta situational awareness program and organizations in Ukraine's energy and water utility sectors.

Outside Ukraine, RomCom attacks have targeted a provincial local government helping Ukrainian refugees, a parliament member of a European country, attendees of the Munich Security Conference and the Masters of Digital conference, and a European defense company.

Ransomware Attack Forces Major Japanese Port to Halt its Operation


A ransomware attack was launched against Japan's biggest and busiest trading port by a cybercriminal outfit believed to be based in Russia. 

Following the incident, the Port of Nagoya paused all cargo operations, including the loading and unloading of containers onto trailers. The Port of Nagoya handles some vehicle exports for businesses like Toyota and represents 10% of Japan's total trade volume. Multiple Japanese media outlets were informed by the port authorities of Nagoya that it intended to quickly restore operations. 

The attack was attributed by the Nagoya Harbour Transportation Association to the LockBit ransomware group, which is thought to be the most active ransomware gang at the moment. According to the FBI and the U.S. Cybersecurity and Infrastructure Security Agency, LockBit was the cause of one out of every six ransomware incidents in 2022. The group has not formally claimed responsibility for the Nagoya attack.

The computer system running the port's five cargo terminals was affected by the incident. According to the Japanese television network FNN, which cited the port's administration, some terminals are currently running manually without the system, but if it is not repaired, ship entry into the port may be banned.

Toyota told Japanese media that the cyber attack has made it impossible to load or unload auto parts, but that car manufacturing has not been affected.

The incident was discovered early on Tuesday, according to the port authority, when a port employee couldn't start a computer. According to reports, hackers remotely delivered an English-language ransom letter to a printer, demanding payment in exchange for the system's restoration. 

Series of attacks

This is not the port of Nagoya's first cyber attack; in September, a distributed denial-of-service (DDoS) attack by the Russian group Killnet temporarily took down the website of the port.

And the attack on the Port of Nagoya is only the most recent incident to have an impact on the shipping industry. A major ship software supplier was the target of a ransomware attack in January that affected around 1,000 vessels. In 2022, LockBit targeted the Port of Lisbon, and throughout the year, ports throughout Europe were the victim of several ransomware attacks. 

Alejandro Mayorkas, secretary of the U.S. Department of Homeland Security, stated to Congress in November that cyber attacks pose the greatest threat to U.S. ports.

Russian Hackers use WinRAR as Cyberweapon

Russian hackers are known for their notorious cyber-attacks. They have once again been accused of using a popular file compression software, WinRAR, to launch an attack on a state agency in Ukraine. The attack wiped out the agency’s data, resulting in the loss of important information.

According to reports, the hackers used a malicious version of WinRAR that contained a Trojan horse to infiltrate the agency’s system. Once the software was installed, the Trojan horse allowed the hackers to access sensitive data and execute commands remotely.

It’s not the first time Russian hackers have been accused of using WinRAR as a cyberweapon. In 2018, the group was found to be using a similar tactic to launch a cyber attack on a Ukrainian company.

The incident highlights the growing threat of cyber attacks and the importance of having strong security measures in place. Businesses and organizations need to ensure that they are taking steps to protect their systems from such attacks.

One of the key measures that can be taken is to ensure that all software is updated regularly, as this can help to patch any vulnerabilities that may be present. Additionally, organizations should have a robust backup and disaster recovery plan in place to ensure that they can recover from an attack quickly and with minimal disruption.

It’s also important for organizations to have an incident response plan in place to ensure that they can quickly and effectively respond to a cyber attack. This should include identifying and containing the attack, notifying relevant stakeholders, and taking steps to prevent the attack from spreading further.

As cyber-attacks become increasingly common and sophisticated, it’s important for organizations to take steps to protect their systems and data. By implementing strong security measures and being prepared for the worst-case scenario, businesses can reduce their risk of falling victim to an attack and minimize the impact if it does occur.

Russian SolarWinds Attackers Launch New Wave of Cyber Espionage Attacks


Russian intelligence has once more employed hacker outfit Nobelium/APT29 as part of its ongoing invasion of Ukraine, this time to spy on foreign ministries and diplomats from NATO-member states as well as additional targets in the European Union and Africa. 

The timing also coincides with a wave of attacks against Canadian infrastructure that are thought to have a Russian connection.

The possible targets of the espionage campaign were alerted to the threat on April 13 by the Polish Military Counterintelligence Service and Poland's CERT team, along with indicators of compromise. The group, tracked by Microsoft as Nobelium and by Mandiant as APT29, is no newcomer to nation-state espionage: it was responsible for the infamous SolarWinds supply chain attack over three years ago.

The Polish military and CERT alert said that APT29 is now back with a completely new set of malware tools and reported marching orders to infiltrate the diplomatic corps of nations that support Ukraine. 

APT29 returns with fresh orders

According to the Polish notice, the advanced persistent threat (APT) always starts its attack with a clever spear-phishing email. 

"Emails impersonating embassies of European countries were sent to selected personnel at diplomatic posts," authorities explained. "The correspondence contained an invitation to a meeting or to work together on documents." 

The recipient would then be instructed to follow a link or download a PDF in order to view the ambassador's calendar or obtain meeting details. Both actions would direct the target to a malicious website loaded with the threat group's "signature script," which the report refers to as "Envyscout".

"It utilizes the HTML-smuggling technique — whereby a malicious file placed on the page is decoded using JavaScript when the page is opened and then downloaded on the victim's device," Polish officials added. "This makes the malicious file more difficult to detect on the server side where it is stored." 

The malicious site also informs its victims through a message that they downloaded the right file. 

"Spear-phishing attacks are successful when the communications are well written, use personal information to demonstrate familiarity with the target, and appear to come from a legitimate source," Patrick Harr, CEO of SlashNext, stated. "This espionage campaign meets all of the criteria for success." 

For instance, one phishing email claimed to be from the Polish embassy. The Polish authorities also noticed that the Envyscout programme had been modified three times using better obfuscation techniques during the period of the observed campaign. 

The organisation, once infiltrated, employs modified versions of the Snowyamber downloader, Halfrig, which has Cobalt Strike as embedded code, and Quarterrig, which shares code with Halfrig, according to the Polish alert. 

In light of this and other Russian espionage activities, governments, diplomats, international organisations, and non-governmental organisations (NGOs) should be on high alert. 

Along with warnings from Polish cybersecurity authorities, Canadian Prime Minister Justin Trudeau has recently spoken out publicly about a recent wave of cyberattacks linked to Russia that targeted Canadian infrastructure. These attacks included denial-of-service assaults on the websites of Hydro-Québec, an electric utility, his office, the Port of Québec, and Laurentian Bank. According to Trudeau, Canada's backing for Ukraine is a factor in the cyberattacks. 

Although there was no harm to Canada's infrastructure, Sami Khoury, the director of the Canadian Centre for Cyber Security, emphasised during a news conference last week that "the threat is real." "You must protect your systems," said Khoury, "if you run the critical systems that power our communities, provide Internet access to Canadians, provide health care, or generally operate any of the services Canadians can't live without. Watch your network traffic. Implement mitigations."

Winter Vivern Hackers Exploit Zimbra Flaw to Siphon NATO Emails


Since February 2023, a Russian hacking group known as TA473, also identified as "Winter Vivern," has been actively stealing the emails of NATO leaders, governments, soldiers, and diplomats by taking advantage of flaws in unpatched Zimbra endpoints.

Sentinel Labs published a report on 'Winter Vivern's' recent operation two weeks ago, detailing how the group propagated malware that poses as a virus scanner by imitating websites run by European organisations that fight online crime. 

The threat actor used Zimbra Collaboration servers to exploit CVE-2022-27926, according to a new report released by Proofpoint today. This vulnerability allowed the threat actor to access the communications of individuals and organisations that are NATO allies.

Taking aim at Zimbra 

Before launching an attack, Winter Vivern first uses the Acunetix vulnerability scanner to look for unpatched webmail platforms.

From there, the hackers send a phishing email from a compromised account, spoofed to look as if it comes from a person the target knows or who is somehow connected to their business. A link in the email exploits the CVE-2022-27926 vulnerability in the target's compromised Zimbra infrastructure to inject additional JavaScript payloads into the webpage.

Once cookies are received from the hacked Zimbra endpoint, these payloads are used to steal usernames, passwords, and tokens. These details give the threat actors unrestricted access to the targets' email accounts.

"These CSRF JavaScript code blocks are executed by the server that hosts a vulnerable webmail instance," the Proofpoint report reads. "Further, this JavaScript replicates and relies on emulating the JavaScript of the native webmail portal to return key web request details that indicate the username, password, and CSRF token of targets. In some instances, researchers observed TA473 specifically targeting RoundCube webmail request tokens as well."

This particular aspect illustrates the diligence of the threat actors in pre-attack reconnaissance, ascertaining which portal their target utilises before constructing the phishing emails and establishing the landing page function. 

In addition to the three layers of base64 encoding used to obfuscate the malicious JavaScript and complicate analysis, Winter Vivern also incorporated pieces of the legitimate JavaScript that runs on the native webmail interface, blending in with regular activity and lowering the risk of detection.

Ultimately, the threat actors have access to confidential data on the compromised webmails or can keep their hold in place to watch communications over time. In addition, the hackers can utilise the compromised accounts to conduct lateral phishing attacks and further their penetration of the target companies. 

Researchers say that Winter Vivern is not very sophisticated, but the group nonetheless employs an operating strategy that is effective even against well-known targets who are slow to deploy software updates. In this instance, Zimbra Collaboration 9.0.0 P24, released in April 2022, fixed CVE-2022-27926.

The delay in implementing the security update is estimated to have been at least ten months long given that the earliest assaults were discovered earlier this year in February.

Data Theft Feature Added by Russian Nodaria APT

An updated piece of information-stealing malware is being used against targets in Ukraine by the Nodaria spy organization, also known as UAC-0056. The malware was created in Go and is intended to gather a variety of data from the infected computer, including screenshots, files, system information, and login passwords.

The two-stage threat, known as Graphiron, consists of a downloader and a payload. The downloader has the addresses of its command-and-control (C&C) servers hardcoded. When executed, it enumerates running processes and compares them against a blacklist of malware analysis tools.

If no blacklisted process is found, the downloader connects to a C&C server, downloads the payload, decrypts it, and adds it to autorun. The downloader is designed to run only once: if it fails to download and run the payload, it neither retries nor sends any signal.

Graphiron shares several characteristics with earlier Nodaria tools such as GraphSteel and GrimPlant. Its features allow it to execute shell commands and gather system data, files, login passwords, screenshots, and SSH keys. It communicates with the C&C server over port 443, and all communications are encrypted with AES.

Attacks against Georgia and Kyrgyzstan have been carried out by Nodaria since at least March 2021. The recognized tools used by the group include WhisperGate, Elephant Dropper and Downloader, SaintBot downloader, OutSteel information stealer, GrimPlant, and GraphSteel information stealer.

Cybercrime Utilizes Screenshotter to Find Targets in US

Organizations in Germany and the United States are the targets of a new threat actor identified as TA866, which uses new, proprietary malware to spy on users and steal data from infected devices. Proofpoint reported that it first identified the previously unknown cluster of activity in October 2022 and that it persisted into 2023.

The threat actor targets victims with malicious Microsoft Publisher (.pub) attachments containing macros, URLs leading to .pub files with macros, or PDFs with URLs that download malicious JavaScript files.

The researchers, who named the operation Screentime, attribute it to a brand-new malicious actor known as TA866. Although it is possible that the group is already known to the wider cybersecurity sector, no one has been able to connect it to any other groups or campaigns.

According to Proofpoint, TA866 is an "organized actor capable of performing well-planned attacks at scale based on their availability of custom tools, ability and connections to buy tools and services from other vendors, and increasing activity volumes."

Because some variable names and phrases in the stage-two payloads are written in Russian, the researchers further speculate that the threat actors may be Russian. In Screentime, TA866 sends phishing emails in an effort to get victims to download the malicious WasabiSeed payload. This malware establishes persistence on the target endpoint and fetches whatever stage-two payloads the threat actors deem appropriate at the time.

AHK Bot has been seen downloading and loading the Rhadamanthys information stealer into memory while also deploying a script to profile the victim computer's Active Directory (AD) domain. According to Proofpoint, the AD profiling may lead to the compromise of additional domain-joined hosts.

As per Proofpoint, the activity continued into 2023 after the first signs of Screentime campaigns appeared in October 2022. The campaigns are indiscriminate in terms of industry verticals.


eSentire: Golden Chickens Malware's Attacker Uncovered

The Threat Response Unit (TRU) of eSentire has been monitoring one of the most effective and covert malware families, Golden Chickens, for the past 16 months. Golden Chickens is the malware of choice for FIN6 and Cobalt, two of the most established and prosperous cybercrime organizations in Russia, which have collectively stolen an estimated US$1.5 billion.

Golden Chickens, widely known as VENOM SPIDER, is the creator of a comprehensive toolkit that includes SKID, VenomKit, and Taurus Loader. Since at least 2012, the adversary has participated actively in Russian underground forums under the alias 'badbullzvenom,' where they have developed tools for exploiting vulnerabilities as well as for gaining and retaining access to victim machines and ticketing services.

The 'Chuck from Montreal' identity used by a second threat actor, Frapstar, allows the cybersecurity company to piece together the criminal actor's online trail.

The malware-as-a-service (MaaS) provider Golden Chickens is associated with several tools, including the JavaScript downloader More Eggs and the malicious document builder Taurus Builder. Previous More Eggs campaigns, some dating back to 2017, involved spear-phishing executives on LinkedIn with fake job offers that gave threat actors remote control over victim devices, allowing them to gather data or spread more malware.

The same tactics were used last year to target corporate recruiting managers, using malware-laden resumes as the infection vector. The first known instance of Frapstar's activity dates back to May 2015, when Trend Micro referred to him as a 'lone criminal' and a luxury car enthusiast.

According to eSentire, one of the two threat actors believed to be behind the badbullzvenom account on the underground forum Exploit.in may be Chuck, with the other person probably residing in Moldova or Romania. In a new attack campaign targeting e-commerce businesses, recruiters are being duped into downloading a malicious Windows shortcut file from a website that poses as a résumé, according to the Canadian cybersecurity company.

By highlighting Golden Chickens' multi-layer architecture and the MaaS's multi-client business model, researchers stress the challenges of performing accurate attribution for cyberattacks.


Russian Hackers Targeted an Oil Refinery in a NATO Nation


A hacker gang with Russian ties attempted to enter a petroleum refining business in a NATO member state in late August, the latest report by Palo Alto’s Unit 42 revealed. 

According to the report, the attempted intrusion, which appears to have been unsuccessful, took place on August 30 by a hacking group called “Trident Ursa" and was executed through spear phishing emails using English-named files with words like "military assistance." 

The news of Trident Ursa's most recent moves came just after National Security Agency Cyber Director Rob Joyce issued a warning that Russian state-sponsored hackers may target NATO nations' energy sectors in the upcoming months. 

According to Joyce, these attacks could have "spillover" effects on Ukraine's neighbors, such as Poland, where Microsoft recently issued a warning that Russian-backed hackers had intensified their operations on the nation's logistics sector, a crucial supporter of the Ukrainian military effort. 

Trident Ursa, also known as "Gamaredon" or "Armageddon," has connections to Russia's Federal Security Service and has been operating since at least 2014. It is primarily known for phishing operations that gather intelligence. Since the start of the war in Ukraine, the group has been very active, and it has previously attempted to phish Ukrainian entities.

The infiltration of a petroleum refining company was likely done to boost "intelligence gathering and network access against Ukrainian and NATO partners," according to the Unit 42 assessment. 

Trident Ursa is still one of the most "pervasive, intrusive, continually active and targeted APTs targeting Ukraine," according to Unit 42 researchers, who told CyberScoop, a cybersecurity portal, in an email that they don't think it has more than 10 members. 

“This group’s operations are regularly caught by researchers and government organizations, and yet they don’t seem to care. They simply add additional obfuscation, new domains, and new techniques and try again — often even reusing previous samples,” the report reads. 

Researchers claim that Trident Ursa is not technically advanced and instead relies on enticements and freely accessible resources. The gang uses geo-blocking to restrict their assaults, allowing users to download infected files only in selected nations. This lowers the visibility of their attacks and makes it harder to spot their efforts. 

The Russian hacker organization also exhibits some unusual preferences for choosing domain names that make pop culture references. According to Unit 42's analysts, some of the domains contain names of American basketball teams, well-known rock bands like Metallica and Papa Roach, and characters from the hit TV programme "The Big Bang Theory." 

The gang also has a pattern of harassing and abusing its rivals online. A Trident Ursa member going by the name "Anton" issued a warning on Twitter shortly after the Russian invasion of Ukraine, saying, "I'm coming for you." The gang appears to have named their subdomains after a Ukrainian cybersecurity expert.

Beware of this Lethal Malware that Employs Typosquatting to Siphon Banking Data


Disneyland Team, a Russian-speaking financial hacking group, has been identified using potent info-stealing malware together with confusing typosquatted domains to siphon login data for banking sites.

The malicious campaign was discovered by Alex Holden, the founder of cybersecurity consulting firm Hold Security, and reported on by KrebsOnSecurity. 

According to the report, the hacking group specifically targets individuals already infected with a powerful banking malware called Gozi 2.0 (AKA Ursnif), which can siphon data from internet-connected devices and install additional malware.

But Gozi is not as powerful as it used to be, because search engine designers have introduced multiple security measures over the years to blunt the threat of banking malware. This is where typosquatting plays an important role: the phishing websites use domain names that are common misspellings of the real sites.

Take U.S. financial services company Ameriprise for example. Ameriprise employs the domain ameriprise.com. The Disneyland Team's domain for Ameriprise users is ạmeriprisẹ[.]com (the way it displays in the browser URL bar). The brackets are added to defang the domain.  

On closer inspection, you can make out small dots under the "a" and the second "e," and if you took them for specks of dust on your screen, you would not be the first to fall for the visually confusing scam. These are not specks, though, but rather Cyrillic letters that the browser renders as Latin.
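The look-alike domain described above can be caught before a user ever sees it. The following is an added defensive example, not code from the article or from Hold Security: it refangs the bracketed domain, converts it to the punycode form the resolver actually sees, checks for mixed scripts, and reduces the name to an ASCII "skeleton" that is compared against a constructed watchlist (the brand, the confusable table and the sample domains are all assumptions made for this example). The skeleton check is deliberately separate from the script check, because a Latin letter with a combining dot is still Latin and would pass a mixed-script test alone.

```python
import unicodedata

# Constructed watchlist of brand domains to protect; the article's example brand is included.
WATCHLIST = {"ameriprise.com"}

# Subset of Cyrillic letters that render identically to Latin ones (illustrative, not exhaustive).
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}


def refang(domain: str) -> str:
    """Turn a defanged domain such as 'example[.]com' back into 'example.com'."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def scripts(domain: str) -> set:
    """Return the set of Unicode script families used by letters in the domain.

    Derived from the character name (e.g. 'CYRILLIC SMALL LETTER A'); Latin and
    Cyrillic mixed in one domain is a classic homoglyph signal.
    """
    found = set()
    for ch in refang(domain):
        if ch.isalpha():
            found.add(unicodedata.name(ch, "OTHER").split(" ")[0])
    return found


def skeleton(domain: str) -> str:
    """Reduce a domain to an ASCII look-alike skeleton.

    NFKD splits 'a with dot below' into 'a' + COMBINING DOT BELOW; the mark is
    dropped, then known Cyrillic look-alikes are mapped to Latin.
    """
    out = []
    for ch in unicodedata.normalize("NFKD", refang(domain)):
        if unicodedata.combining(ch):
            continue
        out.append(CYRILLIC_TO_LATIN.get(ch, ch))
    return "".join(out)


def to_punycode(domain: str) -> str:
    """Return the ASCII (xn--) form the DNS resolver actually sees."""
    return refang(domain).encode("idna").decode("ascii")


def assess(domain: str) -> dict:
    """Classify a domain: 'clean', 'lookalike' (skeleton hits the watchlist) or 'non-ascii'."""
    clean = refang(domain)
    sk = skeleton(clean)
    if clean in WATCHLIST:
        verdict = "clean"
    elif sk in WATCHLIST:
        verdict = "lookalike"
    elif not clean.isascii():
        verdict = "non-ascii"
    else:
        verdict = "clean"
    return {"domain": clean, "punycode": to_punycode(clean), "skeleton": sk,
            "scripts": sorted(scripts(clean)), "verdict": verdict}


if __name__ == "__main__":
    # Constructed samples: the article's dotted spelling, a Cyrillic variant, and two benign names.
    for d in ["ameriprise.com", "\u1ea1meripris\u1eb9[.]com",
              "\u0430meripris\u0435.com", "m\u00fcnchen.de"]:
        print(assess(d))
```

Feeding the output into a mail gateway or proxy log pipeline flags the xn-- form as well, so the check works on what the resolver sees rather than on what the address bar paints.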

So, when an individual falls into the scammers' trap and visits one of these bogus bank websites, the page is overlaid by the malware, which forwards everything the victim types on to the legitimate bank's website while keeping a copy for itself. That way, when the real bank website responds with a multi-factor authentication (MFA) request, the fake website relays that request too, effectively rendering the MFA useless.

“In years past, crooks like these would use custom-made ‘web injects’ to manipulate what Gozi victims see in their Web browser when they visit their bank’s site,” KrebsOnSecurity reported. “These could then copy and/or intercept any data users would enter into a web-based form, such as a username and password. Most Web browser makers, however, have spent years adding security protections to block such nefarious activity.”