Russian Hackers Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/russian-hackers/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Sat, 09 Mar 2024 10:08:13 +0000

Microsoft is Hacked, Again by Midnight Blizzard
https://gridinsoft.com/blogs/microsoft-hacked-again-midnight-blizzard/
Sat, 09 Mar 2024 10:08:13 +0000

The post Microsoft is Hacked, Again by Midnight Blizzard appeared first on Gridinsoft Blog.

Microsoft acknowledges being hacked for the second time this year, by the same Russian state-sponsored group, Midnight Blizzard. The company confirms that the new breach is a consequence of the previous one, in which the attackers got hold of authentication secrets.

Microsoft Hacked, Source Code Leaked

In its 8-K filing to the SEC, Microsoft links the latest hack to the one uncovered in January 2024. The Russian threat actor known as Nobelium/Midnight Blizzard had managed to break into Microsoft systems around November 2023 and stayed inside until January. This eventually gave the adversaries access to executives’ emails and to certain authentication tools. It now turns out that the attackers managed to take some of the authentication secrets with them even after being discovered.

In the latest attack, Midnight Blizzard used these leaked authentication secrets to get into Microsoft’s internal networks once again. The same 8-K filing discloses that the hackers gained access (or at least attempted to) using the leaked keys. Among the systems attacked are source code repositories and some internal systems. Microsoft warns that unauthorized access may recur in the future, which means the company does not know the exact scale of the authentication secrets leak.

The threat actor’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. Our active investigations of the threat actor’s activities are ongoing, findings of our investigations will continue to evolve, and further unauthorized access may occur.
Microsoft, in its 8-K filing

One fortunate thing, though, is that customer-facing assets and their data were not compromised. This is most likely true, as the previous attacks mainly concentrated on top-tier executives, who barely have access to customer data. And this is a big relief: the scale of follow-on attacks using data leaked from Azure, Outlook or other cloud services could have been tremendous. Still, there is no excuse for such a large company to fall victim to hackers.

Who is Midnight Blizzard?

Nobelium/APT29/Fancy Bear, or Midnight Blizzard under the new Microsoft classification, is a Russian state-sponsored threat actor. It focuses on cyber espionage and is run by the Russian Foreign Intelligence Service (SVR). The group is known for picking high-profile targets, particularly government agencies, military contractors and the like.

Microsoft became their point of interest back in 2022, when they managed to hack an auxiliary SSO system for Windows Server. 2023, though, became the year of a “proper” hack. Back in November 2023, APT29 managed to stay in the network for quite some time, compromising a lot of different internal systems. Given the uncertainty about how many elements were compromised, they will certainly try again.

JetBrains Vulnerability Exploited by CozyBear Hackers
https://gridinsoft.com/blogs/jetbrains-vulnerability-exploited-cozybear/
Mon, 18 Dec 2023 22:03:15 +0000

JetBrains’ TeamCity servers became a target of the Russian-backed attacker CozyBear. Using a vulnerability discovered back in March 2023, the hackers were able to execute arbitrary code without any authorization.

TeamCity Vulnerability Exploited by CozyBear

JetBrains TeamCity servers, a crucial component of the software development lifecycle, have recently been targeted in a cyberattack similar to the infamous SolarWinds hack. The group CozyBear, backed by the Russian Foreign Intelligence Service (SVR), exploited a severe vulnerability in these servers, tracked as CVE-2023-42793. The vulnerability allowed unauthorized attackers to bypass security measures and execute code remotely without user interaction. It poses a significant risk to over 30,000 JetBrains customers globally.

The exploit was discovered in September and has been used to compromise an extensive array of companies and over a hundred devices worldwide, affecting organizations in the United States, Europe, Asia, and Australia. The victims come from various sectors, from billing and finance to gaming and medical devices. The widespread impact underlines the critical nature of the flaw and the tactics employed by CozyBear, previously known for the SolarWinds supply chain attack in 2020.

CozyBear Tactics and Techniques

In the attack on JetBrains TeamCity servers, CozyBear used various tactics and techniques built around Mimikatz, a well-known tool for extracting credentials from the Windows Registry. It helped them steal credentials and escalate their privileges within the compromised systems. By elevating their access rights, CozyBear gained deeper and more extensive control over the affected systems.

To further enhance their stealth and efficacy, CozyBear deployed the GraphicalProton backdoor. This backdoor uses standard cloud storage services such as OneDrive and Dropbox for command-and-control operations. Specifically, it stores the exchanged information in randomly generated BMP files. This allowed CozyBear to hide its malicious communications among regular traffic, significantly reducing the likelihood of detection.

Another SolarWinds Attack?

The SolarWinds attack in 2020 was due to the company’s credentials being publicly available on GitHub. Cybersecurity researcher Vinoth Kumar discovered in 2018 that SolarWinds’ update server credentials were openly accessible in their GitHub repository. However, no one seems to have paid attention at the time. The attack compromised high-profile targets and affected about 18,000 SolarWinds clients.

Prompt action is crucial in responding to security lapses. Overall, the SolarWinds attack underscores the ongoing and evolving challenge of cybersecurity in a highly interconnected digital world, where vigilance and proactive defense are essential. However, the reality we are seeing today suggests otherwise.

Mitigation and Response

JetBrains has released a patch addressing the issue and recommends applying it immediately to reduce the risk. The fix is included in TeamCity server version 2023.05.4 and later. Despite these efforts, Shadowserver reports show that about 800 instances worldwide are still unpatched, with over 230 of them located in the United States. Ignoring updates, and then suffering the consequences, seems to be becoming a trend.

Kyivstar, Ukraine’s Biggest Cell Carrier, Hacked
https://gridinsoft.com/blogs/kyivstar-hacked/
Wed, 13 Dec 2023 16:38:44 +0000

On Tuesday, December 12, 2023, Ukraine’s largest cellular operator, Kyivstar, had its network infrastructure wrecked. This was the result of a hack most likely carried out by a Russian threat actor.

I considered delaying writing this post to gather more facts regarding the situation. On day 1, nothing but speculation and suppositions was available. Today, some of the facts have appeared, allowing me to make a comprehensive analysis of the case.

Ukrainian Mobile Operator Kyivstar Hacked by Russians

Early on December 12, Kyivstar services stopped working. As the company operates not only as a cell carrier but also provides home Internet and connectivity services for businesses, these went down as well. The “national roaming” option, which allows switching between operators with certain limitations, was unresponsive, meaning that the network structure was severely disrupted.

At around 12:00, the first official comments from the company appeared. They confirmed a cyberattack disrupting their services and warned of a rather long recovery process ahead. Further statements specified that major services were not expected to be restored before December 13.

Company’s statement on the situation, posted on Twitter

Until the evening of the same day, details were scarce. Some analysts tried to draw conclusions, though they were blurry at best. Certain sources also suggested that Kyivstar suffered outages due to a DDoS attack, but that was likely a confusion with the DDoS attack launched on one of the Ukrainian banks at the same time. Meanwhile, by the end of the day the company had succeeded in restoring part of its services, particularly home Internet.

On the morning of December 13, 2023, some facts and even more rumors began to surface. Among the latter, the loudest was a claim of responsibility from a previously unknown threat actor, Solntsepek. The gang published its statement along with screenshots of what it claims to be an inside view of the hacked network. Nonetheless, I heavily doubt the credibility of both the claims and the screenshots, since no one had heard of the group before, and no identifiable details are present in those pictures.

Unpredicted outcomes

As Kyivstar is the biggest cellular operator in Ukraine, the outage caused obvious trouble for over 24 million users. Considering that the country’s population is around 40 million in total, the outage affected every second citizen to some extent. That obviously exposed how heavily people depend on technology nowadays, but some of the issues caused by the Kyivstar hack were less obvious.

Stats of the Ukrainian telecom market. Source: Telegeography

For instance, the air raid alarms – a vital thing in a country at war – relied on Kyivstar’s cell network. As a result, numerous cities across the country did not hear the air raid alarms, and even online air raid maps were not able to work properly. That is especially unfortunate as rocket and UAV strikes happen on a daily basis.

What is less unfortunate for Ukraine, though, is that Russian troops stationed in the occupied areas of the Kherson and Zaporizhzhia regions experienced cell coverage issues as well. Since the invaders used stolen SIM cards of Ukrainian operators, their phones stopped working once the attack happened. Payday for stolen SIM cards, one may say.

Occupants complain about being hit by the Kyivstar takedown, too

Kyivstar Hack – Who is Responsible?

Well, symptoms aside, let’s think about what exactly happened and figure out who is responsible for the hack. The nature of the destruction and the way recovery is going suggest that the hackers managed to establish persistence in the majority of the infrastructure elements of the corporate network, and then destroyed everything they could reach. That was not just a “DROP DATABASE”, as some had supposed before – in that case the recovery would not take this long. Moreover, Kyivstar itself says it is forced to recover the network “piece by piece”.

Kyivstar network accessibility stats. Source: NetBlocks

The executor is, most likely, one of the Russian APT groups. Sure enough, there is no confirmation, but no one other than Russians would hack Ukrainian companies for pure vandalism. Even though I doubt the claims of a no-name hack group, the nationality of the hackers is almost certain.

Part of the responsibility lies with Kyivstar itself. Having such a large number of users brings significant responsibility, not only for service availability but also for data safety. Addresses, passport details, phone numbers, emails – all of this was leaked. Bad luck for a country in peacetime, culpable negligence for a country at war.

If the screenshots shared by the Solntsepek group are real, things may be much worse. An analyst under the nickname Sean Townsend shares his thoughts on what the pictures reveal. Spoiler: things may be extremely bad, and security was essentially non-existent.

Worst-case scenario for Kyivstar

Update 12/13 (21:00 GMT)

Olexandr Komarov, CEO of Kyivstar, disclosed some details regarding the beginning of the hack. Initial access was gained through the compromised account of an employee.

“We have to admit that this attack breached our defense. This happened because the account pool was compromised, the account of one of our employees was compromised, and the enemy was able to get inside the company’s infrastructure. The investigation is ongoing.”

Are Other Companies in Danger?

What is the conclusion from such a situation? This is what all Ukrainian companies should be ready to counter. And not only Ukrainian ones – Russian hackers now recognize no limits in attacks on countries “rival” to Russia. Since these hackers aim only for vandalism and do not try to monetize their work, the effects may be rapid and irreversible. A sturdy, well-engineered security system should be mandatory for all companies.

Outlook Vulnerability Exploited by Russian Hackers
https://gridinsoft.com/blogs/outlook-vulnerability-russian-hackers/
Tue, 05 Dec 2023 15:39:43 +0000

A vulnerability in Microsoft Outlook is under active exploitation – that is the worrying notification from Microsoft. The world’s largest software developer warns that Russian state-sponsored hackers are using this vulnerability to perform cyberattacks. Despite the fix having been released over 8 months ago, there is still a concerning number of unpatched instances.

Microsoft Outlook Vulnerability Used by Kremlin-Backed Hackers

CVE-2023-23397, a privilege escalation bug, received a near-maximum CVSS score of 9.8. The rating was set back in March 2023, when the vulnerability was originally uncovered. And the wave of attacks built on exploiting this vulnerability confirms every bit of that score.

In essence, the vulnerability allows leaking a victim’s Net-NTLMv2 hash by sending a specially crafted email message. This is possible because of the peculiarities of the message transfer format Microsoft uses in Outlook. By manipulating the PidLidReminderFileParameter property, adversaries can make the client leak the hash to their command server. That is all the exploit itself does; the main course of action happens afterwards.
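A defender-side check for the property named above, added here as an example (it is not code from the Gridinsoft post or from Microsoft): given PidLidReminderFileParameter values already extracted from a mailbox, it classifies each one as a local path, a UNC path or a URL and flags those that would make Outlook authenticate to a host outside an assumed internal allowlist. The message records, the allowlist hosts and the remote addresses are all constructed.

```python
"""Flag Outlook reminder-sound paths that would make the client authenticate outward.

Added example (not code from the Gridinsoft post or from Microsoft). It assumes the
PidLidReminderFileParameter values have already been extracted from the messages,
for example by a mailbox export or an MSG parser; the records below are constructed.
"""
import re
from typing import NamedTuple, Optional

# Hosts that legitimately serve shared reminder sounds (assumed allowlist).
INTERNAL_HOSTS = {"fileserver.corp.example", "nas01.corp.example"}

# UNC path: two slashes, a host (optionally followed by a WebDAV-style @port or @SSL
# suffix), then a separator or the end of the string.
_UNC_RE = re.compile(r"^[\\/]{2}([^\\/@]+)(?:@\S*?)?(?:[\\/]|$)")
# URL with an explicit scheme, e.g. file://host/share/sound.wav
_URL_RE = re.compile(r"^([a-z][a-z0-9+.-]*)://([^/\\?#]+)", re.IGNORECASE)


class ReminderFinding(NamedTuple):
    message_id: str
    value: str
    kind: str            # "local", "unc" or "url"
    host: Optional[str]  # remote host the path refers to, if any
    suspicious: bool


def classify_reminder_path(value):
    """Return (kind, host). Only UNC paths and URLs name a remote host."""
    v = value.strip()
    m = _URL_RE.match(v)
    if m:
        return "url", m.group(2).split(":")[0].lower()
    m = _UNC_RE.match(v)
    if m:
        return "unc", m.group(1).lower()
    return "local", None


def is_suspicious(kind, host):
    """A local file cannot trigger network authentication; a remote host can, and is
    only expected when it is one of our own file servers."""
    if kind == "local":
        return False
    return host not in INTERNAL_HOSTS


def scan_messages(records):
    """records: iterable of (message_id, reminder_file_parameter) pairs."""
    findings = []
    for message_id, value in records:
        kind, host = classify_reminder_path(value)
        findings.append(ReminderFinding(message_id, value, kind, host, is_suspicious(kind, host)))
    return findings


def suspicious_message_ids(findings):
    return [f.message_id for f in findings if f.suspicious]


# Constructed sample: one normal local sound, one internal share, three remote references.
SAMPLE_RECORDS = [
    ("msg-001", r"C:\Windows\Media\Alarm01.wav"),
    ("msg-002", r"\\fileserver.corp.example\sounds\chime.wav"),
    ("msg-003", r"\\203.0.113.5\share\reminder.wav"),
    ("msg-004", r"\\198.51.100.7@80\dav\reminder.wav"),
    ("msg-005", "file://203.0.113.9/media/reminder.wav"),
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_RECORDS):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{f.message_id}: {f.kind:5} host={f.host!s:25} {flag}  {f.value}")
```

The allowlist is deliberately strict: anything remote that is not one of your own file servers gets flagged, because a reminder sound has no business living on an arbitrary host, and a false positive here costs a quick look at one message.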

Forest Blizzard Exploits MS Outlook in Attacks on Poland

Microsoft researchers noticed one main threat actor using CVE-2023-23397 in its cyberattacks: Forest Blizzard, a.k.a. APT28/Fancy Bear. This threat actor has a proven connection to the Russian government, particularly to the Main Intelligence Directorate (GRU). In the campaign that exploited the described Outlook vulnerability, the hackers primarily targeted Poland.

Scheme of the MS Outlook exploitation used by APT28

With the Net-NTLMv2 hash in hand, the adversaries were able to manipulate the access permissions of specific mailbox folders, which in turn gave them the ability to read all of their contents. The hackers specifically aimed at folders that could hold valuable and potentially sensitive information.

Such targeting is rather obvious – Poland’s relations with Russia have been ruined since February 2023, and its participation in delivering supplies to Ukraine is a point of interest for Russian intelligence. While such espionage relies on the same tactics cybercriminals use in attacks on corporations, the end goal is what differs. Nothing, though, stops the hackers from applying the same tactics in attacks on other countries.

Install the Patch, Microsoft Insists

As I have mentioned at the beginning, the patch for CVE-2023-23397 has been available all the way back since March 2023. Microsoft released it almost immediately after disclosing the vulnerability. And since it is a vulnerability in the protocol, there is not much you can do to temporarily mitigate the issue. Even though it may be troublesome to update all instances soon after a patch, there has been plenty of time to arrange the update.

The FBI Disrupted the Cyberspyware “Snake” that the Russian FSB Used for 20 Years
https://gridinsoft.com/blogs/fsb-cyberspyware/
Wed, 10 May 2023 08:19:59 +0000

The US Federal Bureau of Investigation on Tuesday reported the disruption of a massive spying program by the Russian Federal Security Service (FSB) using cyberspyware codenamed “Snake”.

This is stated in a press release from the US Department of Justice.

Let me remind you that we also wrote about Europe’s largest private hospital operator, Fresenius, being attacked with the eponymous Snake ransomware. Do not confuse the two: this post is about a completely different malware.

Matthew J. Olsen

US law enforcers believe that the spy tool was used for almost 20 years by the hacker unit of the 16th FSB Center, codenamed “Turla”. We also reported that a Fake DDoS App from Turla Targets Pro-Ukrainian Hacktivists.

“For 20 years, the FSB has relied on the Snake malware for cyber espionage against the United States and our allies – that ends today,” said Assistant Attorney General Matthew J. Olsen of the Justice Department’s Homeland Security Division.

The Snake program was designed to steal confidential documents from hundreds of computer systems in at least 50 countries that belonged to the governments of NATO member countries, in particular the United States, as well as journalists and other persons of interest to the Russian Federation.

“Russia used sophisticated malware to steal sensitive information from our allies, laundering it through a network of infected computers in the United States in a cynical attempt to conceal their crimes. Meeting the challenge of cyberespionage requires creativity and a willingness to use all lawful means to protect our nation and our allies,” said U.S. Attorney Breon Peace for the Eastern District of New York.

To eliminate “Snake”, the FBI developed an operation code-named “Medusa”. Within its framework, the spy application was forced to rewrite its own code, which disabled it. A senior FBI official said the Bureau’s tool was designed only to communicate with the Russian spyware.

“It speaks the Snake language and communicates using Snake’s custom protocols without accessing the victim’s private files,” the official said.

At a briefing ahead of the announcement, a US official involved in the operation called Snake the “prime tool” of Russia’s cyber-espionage, Reuters reported. He expressed the hope that, as a result of the liquidation of the program, Moscow could be “eradicated from the virtual battlefield.”

The media also reported that the FBI and NSA discovered Drovorub malware, created by Russian Intelligence services.

Companies Manage to Bargain With Ransomware Racketeers
https://gridinsoft.com/blogs/companies-bargain-ransomware/
Fri, 17 Jun 2022 17:02:05 +0000

Revelations of the Ransom-Negotiator

In May, a racketeer-bargaining specialist (negotiator) at a European production company received an unexpected chat message from a malefactor who had hacked the specialist’s client.

Ransom negotiations, aimed at lowering the demands of racketeers, are a realm dominated by lawyers, consulting firms and information security companies who know the nuts and bolts of working with hacker groups. Research by Palo Alto Networks shows that ransoms in 2021 grew to $2.2 million, twice as large as the previous year. Palo Alto Networks states that victims usually pay less than half of the initial ransom amount (around $541,000).

The negotiator shared this information on condition of anonymity, since he is not at liberty to discuss the details of his work. The specialist’s job is to soften the demands of the extortionists.

“We need to know that you are honest with us,” said the criminals, who had become startled and nervous during the conversation, demanding a copy of the expert’s contract with the victim as proof that the specialist’s work was legitimate.

The expert said that the crooks feared he would get an additional sum of money taken from the ransom amount.

After that, the hackers unexpectedly offered to share the details of their other victims with the negotiator so that he would work for them. The crooks even offered to pay him a fee for each client; he refused.

As the expert concludes, the racketeers who contacted him were part of the Haron ransomware group, whose attack on Colonial Pipeline facilities stalled the supply of gas in the USA, eventually leading to arrests within Russia-related hacking groups.

The US Department of Justice Reports a Russian Botnet Dismantled
https://gridinsoft.com/blogs/russian-botnet-dismantled/
Fri, 17 Jun 2022 14:19:36 +0000

RSOCKS Russian Botnet Is No More as a Result of a Joint Operation

According to the June 16 report by the US Department of Justice, the activity of a Russian botnet RSOCKS has been stopped in a joint operation by the US, German, Dutch, and British law enforcement agencies.

RSOCKS is responsible for hacking millions of network-connected devices. Initially, the botnet targeted IoT devices, a category that includes industrial control systems, which makes threats like this one highly important. The group, however, infected Android devices and regular PCs too.

Law enforcement had long been aware of RSOCKS activity. The Russian botnet came under police scrutiny back in 2017, when over 300,000 devices in the San Diego district were hacked.

The malefactors monetized their hacking through a website where visitors could rent a segment of the botnet for different periods: days, weeks or months. Prices varied from $30 per day (for 2,000 proxies) to $200 per day (for 90,000 hacked IPs). Clients could then use the bots for anything bots are used for: DDoS attacks, traffic routing, fake comments, etc.

The operation involved the undercover purchase of proxies, followed by tracing the Russian botnet’s back end and its victims. Eventually, the authorities managed to dismantle the botnet’s infrastructure. The Department acknowledged the contribution of the partner agencies abroad and of the private-sector cybersecurity group Black Echo.

The current operation is part of the war on cybercrime consistently waged by the US and Interpol, which is obviously concentrated on Russia-originating threats.

Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites
https://gridinsoft.com/blogs/ukraine-was-hit-by-ddos-attacks/
Sun, 01 May 2022 20:02:24 +0000

The Ukrainian Computer Emergency Response Team (CERT-UA) said that Ukraine has been hit by large-scale DDoS attacks.

CERT-UA has published a report on ongoing DDoS attacks on Ukrainian websites and a government web portal.

Unknown attackers compromise WordPress sites and inject malicious JavaScript code into the HTML structure of their pages. The script is base64-encoded to evade detection, as in the picture below.

Ukraine hit by DDoS attacks

“The Ukrainian Government Computer Emergency Response Team CERT-UA, in close cooperation with specialists from the National Bank of Ukraine (CSIRT-NBU), has taken measures to investigate DDoS attacks, for which attackers place malicious JavaScript code (BrownFlood) in the structure of web pages and files of compromised websites (primarily those running WordPress), whereby the computing resources of the computers of visitors to such websites are used to generate an abnormal number of requests to attack targets whose URLs are statically defined in malicious JavaScript code,” CERT-UA specialists reported.

The code is executed on the visitor’s computer and generates a huge number of requests in order to take the target websites down. The attacks happen without the knowledge of the compromised sites’ owners and cause only subtle performance disruptions for their visitors.
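A site-owner-side check for the injection described above, added here as an example (not CERT-UA’s detection tool and not code from this post): it collects every inline script on a page, keeps those that both call a decoder such as atob() or eval() and carry a long base64 literal, decodes that literal and lists the URLs hard-coded inside it, which is where statically defined attack targets would sit. The page and the decoded script body are constructed, and the request loop of a real injected script is left out of the sample on purpose.

```python
"""Find injected, base64-obfuscated inline scripts in a page and list the URLs they carry.

Added example (not CERT-UA's detection tool and not code from the Gridinsoft post).
It works on the HTML your server actually sends to visitors; the page below is constructed.
"""
import base64
import binascii
import re
from html.parser import HTMLParser


class _InlineScriptCollector(HTMLParser):
    """Collect the body text of every inline <script> element (external src= scripts are skipped)."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


# A quoted base64 literal long enough to hold code, a call that turns text into code,
# and URLs inside decoded text.
_B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{40,}={0,2})[\"']")
_DECODER_CALL = re.compile(r"\b(atob|eval|Function|document\.write)\s*\(")
_URL = re.compile(r"https?://[^\s\"'<>]+")


def decode_b64_literals(script):
    """Decode each long base64 literal that yields valid UTF-8 text."""
    decoded = []
    for literal in _B64_LITERAL.findall(script):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return decoded


def find_injected_scripts(html):
    """Return one finding per inline script that decodes base64 into code; each finding
    carries the decoded payload(s) and the URLs hard-coded in them."""
    collector = _InlineScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        if not _DECODER_CALL.search(script):
            continue
        payloads = decode_b64_literals(script)
        if not payloads:
            continue
        urls = sorted({u for p in payloads for u in _URL.findall(p)})
        findings.append({"script": script.strip()[:60], "decoded": payloads, "urls": urls})
    return findings


# Constructed stand-in for an injected script body: the hard-coded target list is what
# the page describes; the request loop of a real sample is deliberately left out.
_DECODED_SAMPLE = 'var targets=["https://victim-a.example/","https://victim-b.example/"];/* request loop omitted */'
_SAMPLE_B64 = base64.b64encode(_DECODED_SAMPLE.encode()).decode()

SAMPLE_HTML = f"""<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<p>Welcome to the blog.</p>
<script>eval(atob("{_SAMPLE_B64}"));</script>
</body></html>"""

if __name__ == "__main__":
    for finding in find_injected_scripts(SAMPLE_HTML):
        print("injected script:", finding["script"], "...")
        print("  decoded:", finding["decoded"][0])
        print("  targets:", finding["urls"])
```

Run it against the HTML each page actually serves, not the stored theme files alone: the CERT-UA report notes the code was placed in both pages and files, and only the served output shows what visitors’ browsers execute.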

By the way, we also wrote about how the State Department Offers $1 million for Info on Russian Hackers.

CERT-UA works closely with the National Bank of Ukraine on protective measures against DDoS campaigns and numerous previous cyberattacks. In its report, the CERT-UA team provided instructions for removing the malicious JavaScript code and added a threat detection tool to scan sites for compromise.

“To detect such activity in the web server log files, you should look for events with a 404 response code and, if they are non-standard, correlate them with the values of the ‘Referer’ HTTP header, which indicates the address of the web resource that created the request,” advises CERT-UA.
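The correlation CERT-UA advises, carried out over sample log lines as an added example (not CERT-UA’s tooling and not code from this post): it parses Apache/nginx “combined” log lines, keeps the 404 responses, groups them by the site in the Referer header and flags referring sites whose visitors produce many 404s from many distinct client addresses, which is the footprint of browsers on a compromised site being driven to request non-existent paths. The log lines, addresses and hostnames are constructed, and the thresholds are assumed values.

```python
"""Correlate 404 responses with the Referer header to spot browser-driven DDoS traffic.

Added example illustrating the CERT-UA advice quoted above (not CERT-UA's tooling and
not code from the Gridinsoft post). Log lines are constructed in the Apache/nginx
"combined" format; the flagging thresholds are assumed values.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def referer_404_report(lines, min_hits=5, min_ips=3):
    """Group 404s by the referring site. A site is flagged when its visitors generate at
    least min_hits 404s coming from at least min_ips distinct client addresses: many
    unrelated browsers all requesting non-existent paths right after visiting the same
    page is the footprint of script injected into that page."""
    by_site = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        if rec["referer"] in ("", "-"):      # direct hits carry no referrer to correlate
            continue
        site = urlsplit(rec["referer"]).netloc.lower()
        by_site[site].append(rec)

    report = {}
    for site, recs in by_site.items():
        ips = {r["ip"] for r in recs}
        paths = {r["path"] for r in recs}
        report[site] = {
            "hits": len(recs),
            "ips": len(ips),
            "paths": len(paths),
            "flagged": len(recs) >= min_hits and len(ips) >= min_ips,
        }
    return report


def flagged_referers(lines, **thresholds):
    return sorted(s for s, v in referer_404_report(lines, **thresholds).items() if v["flagged"])


# Constructed sample: six different clients arriving from the same compromised blog and
# all hitting random non-existent paths, plus ordinary traffic for contrast.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/May/2022:10:00:01 +0000] "GET /q8x1kz HTTP/1.1" 404 153 "https://compromised-blog.example/post/1" "Mozilla/5.0"',
    '203.0.113.11 - - [01/May/2022:10:00:01 +0000] "GET /b3n0tr HTTP/1.1" 404 153 "https://compromised-blog.example/post/1" "Mozilla/5.0"',
    '203.0.113.12 - - [01/May/2022:10:00:02 +0000] "GET /m7c2lp HTTP/1.1" 404 153 "https://compromised-blog.example/post/7" "Mozilla/5.0"',
    '203.0.113.13 - - [01/May/2022:10:00:02 +0000] "GET /z4w9qa HTTP/1.1" 404 153 "https://compromised-blog.example/post/1" "Mozilla/5.0"',
    '203.0.113.14 - - [01/May/2022:10:00:03 +0000] "GET /t1e5yd HTTP/1.1" 404 153 "https://compromised-blog.example/" "Mozilla/5.0"',
    '203.0.113.15 - - [01/May/2022:10:00:03 +0000] "GET /h6r8vo HTTP/1.1" 404 153 "https://compromised-blog.example/post/2" "Mozilla/5.0"',
    '198.51.100.4 - - [01/May/2022:10:00:04 +0000] "GET /old-page HTTP/1.1" 404 153 "https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.4 - - [01/May/2022:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/May/2022:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 5120 "https://compromised-blog.example/post/1" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for site, stats in referer_404_report(SAMPLE_LOG).items():
        print(f"{site:30} 404s={stats['hits']:3} ips={stats['ips']:3} paths={stats['paths']:3} "
              f"{'FLAGGED' if stats['flagged'] else ''}")
```

The distinct-IP count is what separates this pattern from a single broken link on a popular page: one stale link produces 404s from many visitors too, but they all request the same path, so the paths figure stays at one while the flood shows as many paths as hits.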

In addition, it is important to keep the site’s content management system (CMS) up to date, update plugins and restrict access to site management.

We also note that the Chinese comrades do not seem to support Russian hackers: we wrote that Chinese Mustang Panda Cyberspies Attack Russian Officials.

State Department Offers $1 million for Info on Russian Hackers
https://gridinsoft.com/blogs/state-department-reward/
Wed, 27 Apr 2022 11:09:41 +0000

The US State Department has announced a reward of up to 10 million dollars for information about six presumed Russian intelligence officers accused by the US authorities of involvement in the 2017 NotPetya attacks.

The announcement states that the reward is intended for anyone who can provide information that helps identify or locate any of the people who, acting at the direction or on behalf of a foreign government, participated in attacks on US critical infrastructure.

The notice specifies that the wanted people are members of the hacker group known as Sandworm Team, also tracked as Telebots, Iron Viking and Voodoo Bear. Washington ties the group to the infection of computers in the US and other countries with the malware known as NotPetya on June 27, 2017.

Earlier, the FBI had warned of the hackers’ increased attention to American companies since the start of the Russian invasion of Ukraine. According to the Bureau, presumed Russian hackers scanned the networks of five American energy companies and at least 18 US financial and defense-related companies.

Although the US authorities have no direct evidence of Russian threat actors carrying out an attack on the US, President Joe Biden said on March 18 that Russia would most likely use its cyber warfare tools and was still exploring options for an attack.

In the context of the Russian invasion of Ukraine, the United States’ war on ransomware has taken on features of an international cyber war. The US has joined forces with European law enforcement to seize the servers of Hydra in Germany and to arrest the RaidForums administrator Diogo Santos Coelho in Britain. Hydra, the Russian-language darknet marketplace, and RaidForums, one of the world’s largest hacker forums, have both gone offline.

RELATED: CISA and several other US agencies have issued a joint warning about nation-state threat actors targeting the American energy industry with the PIPEDREAM malware.

Shuckworm hackers attack Ukrainian organizations with new variant of Pteredo backdoor
https://gridinsoft.com/blogs/shuckworm-hackers-attack-ukrainian-organizations/
Published on Gridinsoft Blog, Wed, 20 Apr 2022 21:03:35 +0000
Specialists from the cybersecurity company Symantec have reported attacks by the hacker group Shuckworm (also known as Armageddon or Gamaredon) on Ukrainian organizations using a new version of the group’s custom Pteredo (Pteranodon) backdoor.

The group, linked by experts to Russia, has been carrying out cyber-espionage operations against Ukrainian government organizations since at least 2014.

“Attacks of Shuckworm have continued unabated since the Russian invasion of the country. While the group’s tools and tactics are simple and sometimes crude, the frequency and persistence of its attacks mean that it remains one of the key cyber threats facing organizations in the region,” Symantec specialists say.

According to the experts, the group has carried out more than 5,000 cyberattacks on 1,500 public and private organizations in the country.

By the way, we wrote about how hacker groups have split, with some supporting Russia and others Ukraine.

Pteredo has its origins on hacker forums, where Shuckworm acquired it in 2016. The group then began developing the backdoor actively, adding DLL modules for data theft, remote access and analysis of the compromised host.

In addition to Pteredo, Shuckworm has also used the UltraVNC remote access tool and Microsoft’s Process Explorer to manage DLL module processes in recent attacks.

Note: recall that even before the escalation of hostilities, Microsoft discovered the WhisperGate wiper attacking Ukrainian users.

Comparing Shuckworm’s attacks on Ukrainian organizations since January 2022 shows that the group has hardly changed its tactics. As in the previous attacks, Pteredo variants are delivered to the target systems by VBS files hidden inside a document attached to a phishing email.

“The Symantec Threat Hunter team has identified four different Pterodo variants that have been used in recent attacks. They are all Visual Basic Script (VBS) droppers with similar functionality. They dump the VBScript file, use scheduled tasks (schtasks.exe) for persistence, and download additional code from the C&C server. All built-in VBScripts were very similar to each other and used similar obfuscation techniques,” Bleeping Computer journalists write.

The 7-Zip self-extracting archives unpack automatically, which minimizes the user interaction required (the same kind of files was used in the January attacks).

For example, one variant of Pteredo is a modified self-extracting archive containing obfuscated VBScripts that can be unpacked with 7-Zip. It then registers them as a scheduled task to ensure persistence:

(Screenshot: Shuckworm and the Pteredo backdoor)

The script also copies itself to the file [USERPROFILE]\ntusers.ini.

The two newly created files are further obfuscated VBScripts:

  • The first gathers system information, such as the serial number of the C: drive, and sends it to a C&C server.
  • The second adds another layer of persistence by copying the previously dropped ntusers.ini file to a second file, desktop.ini.
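A hunt for the persistence mechanism described above, as an added example that is not taken from Symantec’s report or from the original post. It parses the output of `schtasks /query /fo CSV /v` (the column names are the real ones, trimmed to the first columns; the task rows are constructed) and flags tasks in which a Windows script host runs a file under a user profile, a file whose extension is not a script extension (such as ntusers.ini), or a file with the engine forced through the //E: switch. A second function applies a keyword heuristic to decide whether a file named like an .ini actually holds VBScript. Task names, paths and file contents are hypothetical, and the sample ntusers.ini is not the real Pteredo dropper.

```python
import csv
import io
import ntpath
import re

# Windows script hosts, and the extensions a script host is normally asked to run.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
WIN_PATH_RE = re.compile(r'[a-z]:\\[^\s"]+')

# Constructed sample of `schtasks /query /fo CSV /v` output (first columns only).
# Column names are real; the task rows are hypothetical.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","N/A","N/A"
"WS01","\Maintenance","12/03/2022 02:00:00","Ready","Interactive only","N/A","0","WS01\admin","cscript.exe C:\Tools\cleanup.vbs","N/A","N/A"
"WS01","\NTUSERS","11/03/2022 10:05:00","Ready","Interactive only","11/03/2022 10:00:00","0","WS01\user","wscript.exe //B //E:vbs C:\Users\user\ntusers.ini","N/A","N/A"
'''


def find_suspicious_tasks(csv_text):
    """Return (task name, reasons) for scheduled tasks whose command line uses a script
    host in a way that matches the dropper behaviour: a non-script extension such as
    .ini, a script stored under a user profile, or an engine forced with //E:."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row.get("Task To Run", "").lower()
        if not any(host in cmd for host in SCRIPT_HOSTS):
            continue
        reasons = []
        if "//e:" in cmd:
            reasons.append("script engine forced with //E: (runs any extension as script)")
        for path in WIN_PATH_RE.findall(cmd):
            ext = ntpath.splitext(path)[1]
            if ext and ext not in SCRIPT_EXTS:
                reasons.append(f"script host runs non-script extension {ext}")
            if "\\users\\" in path:
                reasons.append("script lives in a user profile")
        if reasons:
            hits.append((row["TaskName"], "; ".join(reasons)))
    return hits


# Strings a plain .ini has no business containing; two or more is treated as VBScript.
VBS_MARKERS = (b"createobject(", b"wscript.", b"execute(", b"on error resume next", b"chr(")


def looks_like_vbscript(data):
    """Heuristic check of a file's bytes, for files named like ntusers.ini or desktop.ini."""
    low = data.lower()
    return sum(1 for marker in VBS_MARKERS if marker in low) >= 2


# Constructed file contents (hypothetical; not the real dropper).
SAMPLE_NTUSERS_INI = (b'On Error Resume Next\r\n'
                      b'Set sh = CreateObject("WScript.Shell")\r\n'
                      b'Execute(Chr(115) & Chr(104))\r\n')
SAMPLE_DESKTOP_INI = b"[.ShellClassInfo]\r\nIconResource=%SystemRoot%\\system32\\imageres.dll,-3\r\n"


if __name__ == "__main__":
    for name, why in find_suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"[task] {name}: {why}")
    for name, data in (("ntusers.ini", SAMPLE_NTUSERS_INI), ("desktop.ini", SAMPLE_DESKTOP_INI)):
        verdict = "contains VBScript" if looks_like_vbscript(data) else "looks benign"
        print(f"[file] {name}: {verdict}")
```

On a live Windows host, run `schtasks /query /fo CSV /v` and pass its text to `find_suspicious_tasks`, then read the bytes of any ntusers.ini or desktop.ini in the profile root into `looks_like_vbscript`. The benign `\Maintenance` task, which runs a .vbs from a system-wide tools folder with no engine override, is deliberately left unflagged so the heuristic does not fire on ordinary script-based automation.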

Although Shuckworm is a highly professional group, its infection tools and tactics have not improved over the past few months, which makes its activity easier to detect and to defend against.

Pteredo is still under active development, however, which means the hackers may be working on a more advanced and stealthier version of the backdoor, and may change their attack chain as well.
