Search This Blog

Showing posts with label War. Show all posts

Ukraine War: Major Internet Provider Suffers Cyber-Attack

 

A cyber-attack was launched against a significant Ukrainian internet provider. Ukrtelecom is working to restore service after it believes it was the victim of an attack. The network was shut down to "safeguard the vital network infrastructure." 

Ukrtelecom JSC is Ukraine's monopolist telephone company, also active in Internet service providing and mobile markets. Yuriy Kurmaz, the CEO of the company stated in a statement: “In order to protect the critical network infrastructure and not interrupt services to the Armed Forces, other military bodies and users of critical infrastructure, we were forced to temporarily restrict internet access to most private users and business customers.” 

Netblocks, an international internet monitoring organisation, stated it was the company's biggest outage since the beginning of the Russian invasion last month, with connectivity down to 13% of what it was before President Vladimir Putin announced the war. 

They said on Twitter: “Update: Ukraine's national internet provider Ukrtelecom has confirmed a cyberattack on its core infrastructure. Real-time network data show an ongoing and intensifying nation-scale disruption to service, which is the most severe registered since the invasion by Russia.” 

According to the BBC, other people in Ukraine using various internet providers had no problems. In terms of geographical coverage, Ukrtelecom is the largest internet provider, although Kyivstar is the largest in terms of customer numbers. 

The United Nations has confirmed 1,179 civilian deaths and 1, 860 civilian injuries since the war began in late February, but the total is believed to be substantially higher. Furthermore, the attack has triggered a humanitarian crisis, with more than 10 million people forced to evacuate their homes, with 3.8 million of them seeking refuge in neighbouring nations.

FBI Witnesses Rising Russian Hacker Interest in US Energy Firms

 

Since the outbreak of Russia's war against Ukraine, the FBI has detected an uptick in Russian hackers' interest in energy firms, though it gives no evidence that a specific attack is planned. 

According to an FBI advisory received by The Associated Press on Tuesday, Russian hackers have assessed at least five energy businesses and at least 18 other companies in sectors such as military and financial services for vulnerabilities. None of the companies is identified in the advisory. 

Scanning a network for vulnerabilities or flaws is widespread, and it does not always mean that an assault is on the way, though it can be a sign of one. Nonetheless, the FBI's Friday warning highlights the Biden administration's increased cybersecurity concerns as a result of Russia's war in Ukraine. The White House said on Monday that there was "evolving intelligence" suggesting Russia was planning cyberattacks against critical infrastructure in the United States. 

At a White House press briefing, Anne Neuberger, the White House's deputy national security advisor for cyber and emerging technologies, expressed disappointment that some critical infrastructure firms have failed to repair known software vulnerabilities that Russian hackers may exploit. The FBI advisory lists 140 internet protocol, or IP addresses it claims have been linked to critical infrastructure scans in the United States since at least March 2021. 

According to the alert, scanning has grown since the beginning of the war last month, leading to a greater likelihood of future incursions. The FBI acknowledges that scanning activity is frequent, but the IP addresses have been linked to the active exploitation of a foreign victim, which resulted in the victim's systems being destroyed, according to the advisory.

Ukraine’s “IT Army” Struck with Info-stealing Malware

 

Pro-Ukrainian actors should be cautious of downloading DDoS tools to attack Russia, according to security experts, because they could be booby-trapped with data-stealing malware. 

Mykhailo Fedorov, Ukraine's vice prime minister, called for a volunteer "IT army" of hackers to DDoS Russian targets in late February. Cisco Talos, on the other hand, claims that opportunistic cyber-criminals are attempting to take advantage of the subsequent outpouring of support for the Eastern European country. It specifically detected Telegram posts offering DDoS tools that were actually malware-loaded. An organisation calling itself "disBalancer" offers one such tool, named "Liberator,". Although authentic, has been spoofed by others, according to Cisco. 

It explained, “The file offered on the Telegram page ended up being malware, specifically an infostealer designed to compromise unwitting users. The malware, in this case, dumps a variety of credentials and a large amount of cryptocurrency-related information, including wallets and metamask information, which is commonly associated with non-fungible tokens (NFTs).” 

Since none of the malicious spoofs is digitally signed, there is no way to distinguish them apart from the real DDoS tool, according to the vendor. Because the perpetrators of this harmful behaviour have been disseminating infostealers since November, Cisco concluded that it is not the work of fresh people, but rather those aiming to profit from the Ukraine conflict. 

However, Cisco warned that if Russia is subjected to a continuous DDoS attack, such techniques could proliferate. 

It concluded, “In this case, we found some cyber-criminals distributing an infostealer, but it could have just as easily been a more sophisticated state-sponsored actor or privateer group doing work on behalf of a nation-state. We remind users to be wary of installing software whose origins are unknown, especially software that is being dropped into random chat rooms on the internet.” 

The discovery comes as the Russian government revealed this week that hackers targeted an externally loaded widget used to collect visitor statistics and caused temporary disruptions on numerous agency websites. 

Pro-Ukrainian hacktivists have also been seen searching for and deleting Russian cloud databases, according to security researchers.

New RURansom Wiper Targets Russia

 

The new RURansom malware, according to Trend Micro researchers, is not what it appears to be. Initially assumed to be a new strain of ransomware, the bug's developers appear to have reasons other than financial gain, as the name implies. 

So far, no active targets have been discovered, according to security experts. However, this could be as the wiper is targeting specific Russian companies. The malware's creators are open about their motivations for distributing it. A message is stored in the RURansom code variable that is responsible for the ransom note. 

"On February 24, President Vladimir Putin declared war on Ukraine. To counter this, I, the creator of RU_Ransom, created this malware to harm Russia. You bought this for yourself, Mr President. There is no way to decrypt your files. No payment, only damage," reads the note in Russian. 

The malware, as per Trend Micro, was written in the .NET programming language. The worm transmits by copying itself under the name "Russia-Ukraine war update" in Russian. To have the most impact, the file replicates itself to all removable media and mapped network shares. The malware encrypts the files once it has been deployed. The encryption is applied to all files and even though .bak files are not encrypted, the malware deletes them. Each file is given a unique encryption key by the encryption algorithm. There's no way to decrypt the files because the keys aren't kept anywhere, therefore the malware is classified as a wiper rather than ransomware. Some variants of the malware, according to researchers, first check if the user's IP address is in Russia. 

"In cases where the software is launched outside of Russia, these versions will stop the execution, showing a conscious effort to target only Russian-based computers," the authors claimed in the report. 

Wiper Warfare: 

This isn't the first time a wiper malware has been used in this war. Just before Russian soldiers invaded Ukraine, security experts discovered a disk-wiping malware. The wiper contains driver files that gradually corrupt the infected computer's Master Boot Record (MBR), rendering it inoperable. The attackers allegedly utilized official EaseUS Partition Master drivers to acquire raw disc access and modify the disc to render the machine inoperable, according to Crowdstrike. 

Since the malware's certificate was issued to Hermetica Digital Ltd., a legitimate Cyprus-based company, the wiper was dubbed HermeticWiper. The new malware has been dubbed 'DriveSlayer' by other researchers. CISA issued a warning about malware that was targeting Ukrainian businesses, along with tips and strategies for preparing and responding to the attack. Later, security researchers fleeing Ukraine claimed that the wiper software was used to hinder refugees fleeing Ukraine's civil war, forcing officials to resort to pen and paper.

Ukrainian CERT Alerts Citizens of Phishing Attacks Using Hacked Accounts

 

The Computer Emergency Response Team of Ukraine (CERT-UA) has cautioned of new phishing attacks directed at Ukrainian citizens, which use hijacked email accounts belonging to three separate Indian businesses to infiltrate their inboxes and steal sensitive data. 

The emails arrive with the subject line "" (meaning "Attention") and pretend to be from a domestic email service named Ukr.net, but the sender's email address is "muthuprakash.b@tvsrubber[.]com," according to the agency. The messages allegedly alert recipients of an unauthorised attempt to log in to their accounts from an IP address based in Donetsk, Ukraine, and urge them to change their passwords immediately by clicking on a link. 

CERT-UA noted in a Facebook post over the weekend, "After following the link and entering the password, it gets to the attackers. In this way, they gain access to the email inboxes of Ukrainian citizens." 

The fact that TVS Rubber is an automotive company situated in the Indian city of Madurai suggests that the phishing emails were distributed through an already compromised email account. In a further update, CERT-UA stated that it had discovered an additional 20 email addresses used in the attacks, some of which belonged to sysadmins and faculty members at the Ramaiah University of Applied Sciences, an academic institution in Bengaluru, India. 

An email address from Hodek Vibration Technologies Pvt. Ltd., an India-based automotive company that designs and manufactures dampers for cars, light and heavy commercial vehicles, and other industrial equipment, is also featured in the list. 

"All these mailboxes have been compromised and are being used by the Russian Federation's special services to carry out cyberattacks on Ukrainian citizens," the agency said. 

The news comes as NATO states unanimously approved to admit Ukraine as a "Contributing Participant" to the Cooperative Cyber Defence Centre of Excellence (CCDCOE), as Russia's military invasion of the country entered its second week and cyber strikes poured down on government and commercial targets. 

"Ukraine's presence in the Centre will enhance the exchange of cyber expertise, between Ukraine and CCDCOE member nations. Ukraine could bring valuable first-hand knowledge of several adversaries within the cyber domain to be used for research, exercises and training," Col Jaak Tarien, director of CCDCOE, said in a statement.

Report: Telegram's New Battleground for Cybercriminals Amid Russia-Ukraine War

 

Telegram messenger has become increasingly crucial in the ongoing crisis between Russia and Ukraine, since it is widely used by both hackers and cybercriminals. 

According to a survey by cybersecurity firm Check Point, the number of Telegram groups has surged sixfold since February 24, and some of them, dedicated to certain issues, have grown in size, with over 250,000 members in some cases.

The following three categories are the most popular ones that have exploded in popularity as a direct result of Russia's invasion of Ukraine: 
• Various "news feeds" that claim to provide credible reports from Ukraine 
• Volunteering hackers that engage in DDoS and other types of assaults against Russian organisations 
• Fundraising groups that collect cryptocurrency donations reportedly for Ukrainian support 

The "IT Army of Ukraine," which presently has 270,000 members, stands out among those who lead the anti-Russia cyber-warfare activities. Ukraine's IT Army was formed by cyber-specialists in the country, and the results of its operations were evident rapidly. 

Apart from launching DDoS attacks against important Russian websites, the group also publishes the personal information of Russian decision-makers and other key players in the conflict. The majority of Telegram groups that claim to be "donation support" are scammers that take advantage of the circumstance to steal people's money. 

Similar operations based on phishing emails have been reported, but the same thing is happening on Telegram as well, with some of these groups having up to 20,000 members. 

Unverified news

News streams that bypass mainstream outlets and publish unedited, uncensored feeds from the battle zone 24/7, are the third category that is rising. Apart from the fact that exposing unedited battle scenes is against journalistic ethics, many of the stories shared on these sites are unchecked or unverified, and might easily be made up. 

As geopolitical expert Michael Horowitz revealed while sharing footage of a realistic-looking computer-generated air dogfight based on a video game engine, this is a concern even for approved social media platforms.

According to Check Point, these channels continue to attract a high number of users. 'Ukraine War Report,' for example, has 20,000 members, while 'Russia vs. Ukraine Live News,' has 110,000. 'Ukrainian Witness' (видетел крaин), another news programme dedicated to exposing Russian war crimes, has achieved 100,000 subscribers. The goal of groups that actively propagate false material on Telegram channels is to demoralise the opponent, with the hope that the content would be shared on other platforms as well. While some of these channels may provide genuine information, it's practically impossible for users to tell the difference between true and fake news. 

To protect from fraud and cyber-crime when using Telegram, the researchers advised users to be cautious of the information they share on the network. Users should avoid clicking on links with unknown origins, to be wary of strange requests, and to avoid donating money to unknown sources.