Ukraine Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/ukraine/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Fri, 05 Jan 2024 03:19:04 +0000

Kyivstar, Ukraine’s Biggest Cell Carrier, Hacked
https://gridinsoft.com/blogs/kyivstar-hacked/
Wed, 13 Dec 2023 16:38:44 +0000

The post Kyivstar, Ukraine’s Biggest Cell Carrier, Hacked appeared first on Gridinsoft Blog.

On Tuesday, December 12, 2023, Ukraine’s largest cellular operator Kyivstar had its network infrastructure destroyed. This is the result of a hack that was most likely carried out by a Russian threat actor.

I considered delaying this post to gather more facts about the situation. On day 1, nothing but speculation and supposition was available. Today, some facts have emerged, allowing me to make a more complete analysis of the case.

Ukrainian Mobile Operator Kyivstar Hacked by Russians

Early on December 12, Kyivstar services stopped working. As the company operates not only as a cell carrier but also provides home Internet and connectivity services for businesses, these went down as well. The “national roaming” option, which allows switching between operators with certain limitations, was unresponsive, meaning that the network structure was severely disrupted.

At around 12:00, the first official comments from the company appeared. They attributed the outage to a cyberattack and warned of a rather long recovery process ahead. Further statements put the estimated time for restoring major services at no earlier than December 13.

[Image: Kyivstar’s official statement on the situation, posted on Twitter]

Until the evening of the same day, details were scarce. Some analysts tried to draw conclusions, but these were vague at best. Certain sources also suggested that Kyivstar’s outage was caused by a DDoS attack, but that was likely confusion with a DDoS attack launched simultaneously against one of Ukraine’s banks. Meanwhile, the company managed to restore part of its services, particularly home Internet, by the end of the day.

On the morning of December 13, 2023, some facts and even more rumors began to surface. Among the latter, the most prominent was a claim of responsibility from a previously unknown threat actor calling itself Solntsepek. The gang published its statement along with screenshots of what it claims to be a view inside the hacked network. Nonetheless, I strongly doubt the credibility of both the claim and the screenshots, since no one had heard of the group before, and the pictures contain no identifiable details.

Unpredicted outcomes

As Kyivstar is the biggest cellular operator in Ukraine, the outage caused obvious trouble for over 24 million users. Considering that the country’s population is around 40 million in total, the outage affected every second citizen to some extent. This plainly exposed how heavily people depend on technology nowadays, but some of the issues caused by the Kyivstar hack were less obvious.

[Image: Ukrainian telecom market statistics. Source: Telegeography]

For instance, the air raid alarms – a vital service in a country at war – relied on Kyivstar’s cell network. As a result, numerous cities across the country did not hear air raid sirens, and even online air raid maps stopped working properly. That is especially unfortunate given that missile and UAV strikes happen on a daily basis.

What is less unfortunate for Ukraine, though, is that Russian troops stationed in the occupied areas of the Kherson and Zaporizhzhia regions experienced cell coverage issues as well. Since the invaders used stolen SIM cards of Ukrainian operators, their phones stopped working once the attack happened. Payday for stolen SIM cards, one may say.

[Image: Occupying troops complain about being hit by the Kyivstar takedown, too]

Kyivstar Hack – Who is Responsible?

Well, symptoms aside, let’s think about what exactly happened and figure out who is responsible for the hack. The nature of the destruction and the pace of the recovery suggest that the hackers managed to establish persistence in most infrastructure elements of the corporate network. Then they destroyed everything they could reach. That was not just a “DROP DATABASE”, as some supposed earlier – in that case the recovery would not take this long. Moreover, Kyivstar itself says it is forced to restore the network “piece by piece”.

[Image: Kyivstar network accessibility stats. Source: NetBlocks]

The perpetrator is, most likely, one of the Russian APT groups. Admittedly, there is no confirmation, but no one other than Russians hacks Ukrainian companies for pure vandalism. Even though I doubt the claims of a no-name hack group, the nationality of the hackers is almost certain.

Another share of responsibility lies with Kyivstar itself. Serving such a large number of users brings significant responsibility, not only for service availability but also for data safety. Addresses, passport details, phone numbers, emails – all of this was successfully leaked. Bad luck for a country in peacetime; culpable negligence for a country at war.

If the screenshots shared by the Solntsepek group are real, things could be much worse. An analyst under the nickname Sean Townsend shares his thoughts on what the pictures reveal. Spoiler: things may be extremely bad, and security may have been non-existent.

[Image: Worst-case scenario for Kyivstar]

Update 12/13 (21:00 GMT)

Olexandr Komarov, CEO of Kyivstar, disclosed some details about how the hack began. Initial access was gained through a compromised employee account.

“We have to admit that this attack breached our defense. This happened because the account pool was compromised, the account of one of our employees was compromised, and the enemy was able to get inside the company’s infrastructure. The investigation is ongoing.”

Are Other Companies in Danger?

What is the conclusion from this situation? This is what all Ukrainian companies should be ready to counteract. And not only Ukrainian ones – Russian hackers now observe no limits in attacks on countries “rival” to Russia. Since the hackers aim only at vandalism and do not try to monetize their work, the effects may be rapid and irreversible. A sturdy, well-engineered security system should be mandatory for all companies.

Microsoft CVE-2023-36884 Vulnerability Exploited in the Wild
https://gridinsoft.com/blogs/microsoft-cve-2023-36884-vulnerability/
Mon, 17 Jul 2023 17:11:08 +0000

On July 11, 2023, Microsoft published an article about addressing the CVE-2023-36884 vulnerability. This flaw allows remote code execution in Office and Windows HTML. Microsoft has acknowledged a targeted attack that exploits the vulnerability using specially crafted Microsoft Office documents. An attacker can gain control of a victim’s computer by creating a malicious Office document, but the victim must participate by opening it.

Microsoft discovered a phishing campaign conducted by a Threat Actor named Storm-0978. The targets were government and defense entities in Europe and North America. The Threat Actor used lures related to the Ukraine World Congress and exploited the vulnerability known as CVE-2023-36884.

Who is Storm-0978?

The cybercriminal group known as Storm-0978, based in Russia, is infamous for engaging in various illegal activities. These activities include conducting ransomware and extortion operations, targeted campaigns to collect credentials, developing and distributing the RomCom backdoor, and deploying the Underground Ransomware.

[Image: Overall RomCom architecture]

Underground ransomware is associated with Industrial Spy ransomware, detected in the wild in May 2022. Microsoft identified a campaign in June 2023 that exploited CVE-2023-36884 to distribute a RomCom-like backdoor. It was run by Storm-0978, who use phishing sites masquerading as legitimate software to infect users. The impersonated products include Adobe products, SolarWinds Network Performance Monitor, SolarWinds Orion, Advanced IP Scanner, KeePass, and Signal. By visiting these phishing sites, users unwittingly download and execute files that install the RomCom backdoor.

CVE-2023-36884 Exploitation

Storm-0978 conducted a phishing campaign in June 2023, using a fake OneDrive loader to deliver a backdoor similar to RomCom. The phishing emails targeted defense and government entities in Europe and North America, with lures related to the Ukrainian World Congress, and led to exploitation via CVE-2023-36884 vulnerability.

[Image: Storm-0978 email using NATO themes and the Ukrainian World Congress]

During a phishing attempt, Microsoft detected that Storm-0978 used an exploit to target CVE-2023-36884.

BlackBerry documented the attacks on guests for the upcoming NATO Summit on July 8, but the use of the zero-day in the attacks was unknown at the time.

The attackers used the RomCom variant for espionage, and Underground ransomware was deployed for ransomware operations. The campaign indicates that Storm-0978 is a highly sophisticated group that is likely to target more organizations in the future.

How to avoid the vulnerability?

Organizations should adopt all possible mitigation strategies until a patch is released. The vulnerability has been used in targeted attacks, and news of its existence will doubtlessly lead other attackers to attempt to replicate the exploit.

Microsoft suggests a registry workaround to prevent exploitation. In Regedit, navigate to the following path and find the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key there:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\

There, create REG_DWORD values with data 1, named after the exploitable applications:

  • Excel.exe
  • Graph.exe
  • MSAccess.exe
  • MSPub.exe
  • Powerpnt.exe
  • Visio.exe
  • WinProj.exe
  • WinWord.exe
  • Wordpad.exe
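
The workaround above is a manual Regedit procedure. As an added example (not code from the Gridinsoft post or from Microsoft), the following Python script applies the same values through the standard-library winreg module and audits whether every listed executable is already covered, so the check can be repeated across a fleet. The key path and the executable names are the ones given above; the function names, the case-insensitive comparison and the sample inputs in the comments are this example’s own assumptions.

```python
# Added example: apply and audit the CVE-2023-36884 registry workaround.
# Not the post's or Microsoft's code; key path and app names taken from the post.
import sys

# Key path from the post (under HKEY_LOCAL_MACHINE). winreg uses a path
# without the "Computer\HKEY_LOCAL_MACHINE\" prefix.
FEATURE_KEY = (r"SOFTWARE\Policies\Microsoft\Internet Explorer\Main"
               r"\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION")

# Executables listed in the post; each needs a REG_DWORD value of 1.
OFFICE_APPS = ["Excel.exe", "Graph.exe", "MSAccess.exe", "MSPub.exe",
               "Powerpnt.exe", "Visio.exe", "WinProj.exe", "WinWord.exe",
               "Wordpad.exe"]


def audit(current):
    """Return the executables whose value is missing or not equal to 1.

    `current` maps value name -> data as read from the key. Registry value
    names are case-insensitive, so the comparison is case-insensitive too
    (assumption of this example: a value set as "winword.exe" still counts).
    """
    lowered = {name.lower(): data for name, data in current.items()}
    return [app for app in OFFICE_APPS if lowered.get(app.lower()) != 1]


def read_current():
    """Windows only: read all values under FEATURE_KEY; {} if the key is absent."""
    import winreg
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FEATURE_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:
                    break          # no more values
                values[name] = data
                index += 1
    except FileNotFoundError:
        pass                       # key not created yet: nothing is mitigated
    return values


def apply_mitigation(apps):
    """Windows only, needs an elevated prompt: create the key and set DWORD 1."""
    import winreg
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, FEATURE_KEY) as key:
        for app in apps:
            winreg.SetValueEx(key, app, 0, winreg.REG_DWORD, 1)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("Run this on Windows as an administrator.")
    missing = audit(read_current())
    if missing:
        apply_mitigation(missing)
    print("Still missing after apply:", audit(read_current()))
```

Running the script twice should print an empty list the second time; a non-empty list after applying means the values were rewritten by policy or by something else, which is exactly the reversion the next paragraph warns about.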

However, mitigating the vulnerability this way is not always enough. Hackers know about the offered workaround and may find a way to revert it or to exploit the flaw while circumventing the registry block. For that reason, I also recommend having both proactive and reactive security measures in place.

  • Activate cloud-delivered protection in your antivirus software to defend against constantly changing attacker methods. Cloud-based machine learning can detect and block most new and unknown threats.
  • Back up your data and store those backups offline or on a separate network for added protection. Backups are ransomware’s kryptonite: the attack achieves nothing if you can simply restore everything.
  • Wherever possible and practical, enable automatic software updates on all connected devices, including your computer and mobile phone.
  • To stay safe online, it’s crucial to always verify the authenticity of links and email attachments before opening them, especially if they’re from an untrusted source.
  • Use CDR solutions. CDR, or Content Disarm and Reconstruction, is a content-filtering technology aimed specifically at document security. It strips active content from documents, making them impossible to exploit.

Patch CVE-2023-36884

Microsoft has yet to release a patch for CVE-2023-36884. This section will be updated as more information becomes available. However, even after a patch is released, it pays to be cautious, watch your every move on the Internet, and always follow the Zero Trust rule.

APT28 Attacked Ukrainian and Polish Organizations
https://gridinsoft.com/blogs/apt28-attacked-ukrainian-organizations/
Thu, 22 Jun 2023 09:23:34 +0000

Recorded Future, in collaboration with CERT-UA researchers, has unveiled a recent cyber offensive orchestrated by Russian-speaking hackers affiliated with the APT28 Group (also known as Fancy Bear, BlueDelta, Sednit, and Sofacy). Their target: Roundcube mail servers of various Ukrainian organizations, including government entities.

As a reminder, we previously reported on the divergence of hacker groups, some siding with Russia and others with Ukraine. Additionally, Microsoft accused Russia of cyberattacks against Ukraine’s allies.

Recent media coverage also highlighted the arrest of two members of the DoppelPaymer Group by law enforcement in Germany and Ukraine.

The report details that the attackers, employing spear phishing and bait emails, capitalized on the Russian invasion of Ukraine. The hackers crafted spear-phishing emails with news topics related to Ukraine, appearing as legitimate media content.

The campaign demonstrated a high level of readiness by hackers who quickly turned news content into bait for recipients. The spear-phishing emails contained news topics related to Ukraine, with topics and content reflecting legitimate media sources.

Recipients were lured into opening the malicious messages, which exploited old vulnerabilities in Roundcube (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) to compromise unpatched servers, without requiring any user interaction with malicious attachments.

The attachment contained JavaScript code that executed additional JavaScript payloads from BlueDelta-controlled infrastructure.

[Image: APT28 attacked Ukrainian organizations]

If the compromise succeeded, the attackers deployed malicious scripts redirecting incoming messages to an email address under their control. These scripts were also employed to locate and pilfer victims’ address books, session cookies, and other data stored in the Roundcube database.

Researchers suggest that the infrastructure used in these attacks has been active since around November 2021, with APT28’s activities focused on “gathering military intelligence.”

“We have identified BlueDelta activity, most likely targeted at the regional Ukrainian prosecutor’s office and the [unnamed] central executive body of the country, and also found intelligence activities associated with other Ukrainian state structures and organizations, including those involved in the modernization and repair of infrastructure for the Ukrainian military aviation.”

This collaboration between Recorded Future and CERT-UA underscores the crucial role of partnerships between organizations and governments in ensuring collective defense against strategic threats, particularly in the context of Russia’s ongoing war against Ukraine.

One Year of Russian-Ukrainian War in Cybersecurity
https://gridinsoft.com/blogs/russian-ukrainian-war-cybersecurity/
Sun, 26 Feb 2023 20:15:33 +0000

February 24, 2022, will be a turning point in history. It was the day of the full-scale Russian invasion of Ukraine and the most significant geopolitical event of the past year. This war is, without exaggeration, the bloodiest military conflict in Europe in decades. It is also the first major hybrid war that uses cyberspace as a full-fledged battlefield in addition to the main kinetic fronts. From all of this, several important points can be made about the cyber dimension of the war:

  • The effectiveness of destructive malware
  • The attribution of cyber activity in wartime
  • The distinction between nation-state, hacktivism, and offensive cybercriminal activity
  • Cyber warfare and its impact on defense pacts
  • The ability of cyber operations to engage in tactical warfare and necessary training

The impact on global cyberspace is already visible in some areas.

Wipers comeback

A wiper is malware that disrupts the operation of target systems by deleting or corrupting important files; historically its use has been relatively rare. Over the past year, however, wiper malware has become much more widespread, and not only in Eastern Europe. For example, at the beginning of the Russian-Ukrainian war, the number of cyberattacks on Ukraine by Russia-affiliated actors increased dramatically. Before the full-scale ground invasion, pro-Russian hackers used three wipers – HermeticWiper, HermeticWizard, and HermeticRansom – and a little later, in April, Industroyer2, an updated version of the Industroyer malware used in a similar attack in 2016. In all, at least nine wipers have been deployed in Ukraine in less than a year. They were developed by Russian intelligence services and use different wiping and evasion mechanisms.

[Image: Ukraine cyberattacks timeline]

Multi-pronged Cyberattacks

Let’s look at the vectors of cyberattacks in the Russian-Ukrainian war. Like any other attack in the course of the war, they can be divided into two types – strategic and tactical. The first type is aimed at causing widespread damage and disrupting the daily lives of civilians. The second type is more targeted, coordinated with real combat operations, and aimed at achieving tactical goals. Such goals may include:

  • Disabling or disrupting critical military infrastructure systems
  • Hacking into and infiltrating military organizations’ networks
  • Launching a disinformation campaign
  • Cyber espionage

Strategic attacks

A few hours before the ground invasion of Ukraine, hackers launched a cyber attack on Viasat. This attack aimed to interfere with satellite communications, which provide services to both military and civilian organizations in Ukraine. In this attack, hackers used a wiper called AcidRain, designed to destroy modems and routers and disable Internet access for tens of thousands of systems.

[Image: Result of the attack]

The attack affected most previously active modems in Ukraine and other parts of Europe. Eventually, tens of thousands of modems disconnected from the network, and no attempts by these modems to rejoin the network were observed.

In addition, even before the full-scale invasion, Ukrainian government services such as Diia and some banks were subjected to cyberattacks. The purpose of these attacks was to make the Ukrainian population distrust the government. Another curious incident took place on November 3, 2022. A certain “Joker DNR” hacked into the Instagram page of Valery Zaluzhny, the commander-in-chief of the AFU, setting a photo of the Russian dictator as his profile picture. Later, an image appeared on the page with the caption, “So, I confirm that Joker DNR infiltrated DELTA”. However, Ukrainians ridiculed the incident rather than taking it seriously. This is far from the only case of hacking into Ukrainians’ social networks. Since the start of the full-scale Russian-Ukrainian war, Ukrainian users have periodically received phishing emails asking them to click a link.

Tactical cyberattacks

Any tactical, high-precision cyber attack requires careful preparation and planning. Prerequisites include accessing target networks and creating customizable tools for different attack stages. One example of a coordinated tactical attack occurred on March 1. That day, Russian missiles struck the Kyiv TV tower, causing television broadcasts in the city to stop. Next, hackers orchestrated a cyber attack to amplify the effect.

Adaptive cyberattacks

According to the available data, the Russians were not preparing for a lengthy campaign; the abrupt change in the character of cyberattacks in April is evidence of this. They shifted from fairly precise attacks with clear tactical objectives to less elaborate ones. Just as on the battlefield, where Russian troops, having been rebuffed, turned to fighting civilians, the hackers also changed their vector and tried to harm Ukrainian civilians. The use of multiple new tools and wipers gave way to activity relying on already-known attack tools and tactics, such as CaddyWiper and FoxBlade.

The head of Britain’s intelligence, cybersecurity, and security agency called Ukraine’s response “the most effective defensive cyber activity in history.” This is not surprising, as part of Ukraine’s success comes from having been repeatedly subjected to cyberattacks since 2014. The impact of the Industroyer2 attack on the energy sector in March 2022 is evidence of this: compared to the first deployment of Industroyer in 2016, the effect in March was negligible. In addition, Ukraine has received significant external assistance to repair the damage caused by these cyberattacks. For example, foreign governments and private companies helped Ukraine quickly move its IT infrastructure to the cloud. As a result, data centers were physically removed from combat zones and received additional layers of protection from service providers.

Shift in the focus

Since September, data show a gradual but significant decrease in cyberattacks against Ukrainian targets. Instead, the number of attacks on NATO members has increased significantly. While the increase is negligible in some countries, in others the number of attacks has grown by almost half:

  • United States: +6%
  • United Kingdom: +11%
  • Poland: +31%
  • Denmark: +31%
  • Estonia: +57%

This suggests that Russia and related groups have shifted their attention from Ukraine to NATO countries that support Ukraine.

The New Era of Hacktivism

A new era of hacktivism began with the creation and leadership of the “IT Army of Ukraine,” composed of volunteer IT specialists. Whereas hacktivism used to be characterized by free cooperation between individuals in ad hoc interactions, new-era hacktivist groups have significantly increased their organization and control and now conduct military-like operations. The new mode of operation includes recruitment and training, intelligence and target allocation, tool sharing, etc. Nevertheless, anti-Russian hacktivist activity continued throughout the year, affecting infrastructure, financial, and government organizations. Since September 2022, the number of attacks on organizations in Russia has increased significantly, especially in the government and military sectors.

Not all hacktivists are good

Unfortunately, not all hacktivists have good intentions. For example, while groups such as Team OneFist rigorously enforce the rules of war and take steps to avoid potential damage to hospitals and civilians, the pro-Russian group Killnet carried out targeted DDoS attacks on critical infrastructure in the United States. Predictably, their primary targets were not military installations but U.S. medical organizations, hospitals, and airports. In addition, most new hacktivist groups have a clear and consistent political ideology tied to government narratives.

As a result, pro-Russian hacktivists have shifted their focus from Ukrainian targets to NATO member states and other Western allies. For example, another Russian-linked hacktivist group, NoName057(16), attacked the Czech presidential election. In addition, the hacktivist group From Russia with Love (FRwL), also known as Z-Team, deployed Somnia ransomware against Ukrainian targets. In turn, the CryWiper malware was deployed against municipalities and courts in Russia.

Hacking Russia was off-limits before Russian-Ukrainian War

Some cybercrime organizations have been forced to join the nationwide effort and curtail their criminal activities. Attacks on Russian enterprises, once considered off-limits by many cybercriminal organizations, are now on the rise. Russia is struggling with hacking attacks brought on by its government’s actions and its own criminal activities. In addition, other countries have also stepped up their espionage against Russian state defense institutions. For example, Cloud Atlas constantly attacks Russian and Belarusian organizations.

War impact to other regions and domains

Against the backdrop of the Russian-Ukrainian war, wiper activity began to spread to other countries. For example, Iranian-linked groups have attacked facilities in Albania, and the Azov ransomware has spread worldwide. However, Azov is more of a destructive wiper than a ransomware program because it does not provide for decrypting and restoring encrypted data. Various state actors have also taken advantage of the war to advance their interests. For example, several campaigns by different APT groups have used the ongoing battle between Russia and Ukraine to intensify their activities. The Russian-Ukrainian war has dramatically affected cyber tactics in many areas. Undoubtedly, as long as the war continues, its events will affect other regions and locations.

Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites
https://gridinsoft.com/blogs/ukraine-was-hit-by-ddos-attacks/
Sun, 01 May 2022 20:02:24 +0000

Ukrainian Computer Emergency Response Team (CERT-UA) said that Ukraine was hit by large-scale DDoS attacks.

CERT-UA has published a report on ongoing DDoS attacks on Ukrainian websites and a government web portal.

Unknown attackers compromise WordPress sites and inject malicious JavaScript code into the HTML structure of their pages. The script is base64-encoded to evade detection, as shown in the picture below.

[Image: Ukraine hit by DDoS attacks]

“The Ukrainian Government Computer Emergency Response Team CERT-UA, in close cooperation with specialists from the National Bank of Ukraine (CSIRT-NBU), has taken measures to investigate DDoS attacks, for which attackers place malicious JavaScript code (BrownFlood) in the structure of web pages and files of compromised websites (primarily those running WordPress), whereby the computing resources of the computers of visitors to such websites are used to generate an abnormal number of requests to attack targets whose URLs are statically defined in malicious JavaScript code,” CERT-UA specialists reported.

The code is executed on the visitor’s computer and generates a huge number of requests in order to stop the websites from working. Cyberattacks occur without the knowledge of the owners of compromised sites and create subtle performance disruptions for users.

By the way, we previously wrote that the State Department offers $1 million for information on Russian hackers.

CERT-UA works closely with the National Bank of Ukraine to implement protective measures against DDoS campaigns and numerous previous cyberattacks. In their report, the CERT-UA team provided instructions for removing malicious JavaScript code and added a threat detection tool to scan sites for hacking.

“To detect such activity in the web server log files, you should look for events with a 404 response code and, if they are non-standard, correlate them with the values of the “Referer” HTTP header, which indicates the address of the web resource that created the request,” advises CERT-UA.
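
The CERT-UA advice above describes a detection, not a tool. As an added example (not CERT-UA’s scanner and not code from the Gridinsoft post), the following Python script applies it to an access log on the attacked server: it keeps only 404 responses, groups them by the host in the Referer header, and flags referring sites whose visitors request many distinct non-existent paths, which is the pattern a page-injected flooder produces. The log lines are in the Apache/Nginx “combined” format; the sample lines, the host names and the thresholds are constructed for this example.

```python
# Added example: correlate 404 responses with the Referer header to spot
# sites that are likely serving a browser-based flooder (BrownFlood-style).
# Not CERT-UA's tool; the sample log lines below are constructed.
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache/Nginx "combined" log format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    match = COMBINED.match(line.rstrip("\n"))
    return match.groupdict() if match else None


def referer_404_report(lines, min_404=5, min_unique_paths=3):
    """Group 404 responses by referring host and flag hosts whose visitors
    hit at least `min_404` requests for at least `min_unique_paths` distinct
    non-existent paths. Returns [(host, count_404, unique_paths)], busiest first."""
    counts = Counter()
    paths = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "404":
            continue
        # Empty Referer is logged as "-"; keep it as its own bucket (scanners, bots).
        host = "(none)" if rec["referer"] == "-" else urlsplit(rec["referer"]).netloc.lower()
        parts = rec["request"].split(" ")
        path = parts[1] if len(parts) >= 2 else rec["request"]
        counts[host] += 1
        paths[host].add(path)
    report = [(host, n, len(paths[host])) for host, n in counts.items()
              if n >= min_404 and len(paths[host]) >= min_unique_paths]
    return sorted(report, key=lambda row: row[1], reverse=True)


# Constructed sample: five visitors of a compromised blog each request a random
# non-existent path on us, plus ordinary traffic and one referer-less scanner hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2022:10:00:01 +0000] "GET /k3j9x HTTP/1.1" 404 153 "https://compromised-blog.example/post/1" "Mozilla/5.0"',
    '203.0.113.6 - - [01/May/2022:10:00:01 +0000] "GET /p0q2z HTTP/1.1" 404 153 "https://compromised-blog.example/post/1" "Mozilla/5.0"',
    '203.0.113.7 - - [01/May/2022:10:00:02 +0000] "GET /a8b7c HTTP/1.1" 404 153 "https://compromised-blog.example/post/2" "Mozilla/5.0"',
    '203.0.113.8 - - [01/May/2022:10:00:02 +0000] "GET /m1n2o HTTP/1.1" 404 153 "https://compromised-blog.example/" "Mozilla/5.0"',
    '203.0.113.9 - - [01/May/2022:10:00:03 +0000] "GET /zz9y8 HTTP/1.1" 404 153 "https://compromised-blog.example/" "Mozilla/5.0"',
    '198.51.100.2 - - [01/May/2022:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "https://compromised-blog.example/" "Mozilla/5.0"',
    '198.51.100.3 - - [01/May/2022:10:00:04 +0000] "GET /news HTTP/1.1" 200 4096 "https://search.example/" "Mozilla/5.0"',
    '198.51.100.4 - - [01/May/2022:10:00:05 +0000] "GET /old-page HTTP/1.1" 404 153 "https://search.example/" "Mozilla/5.0"',
    '192.0.2.10 - - [01/May/2022:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.81"',
]


if __name__ == "__main__":
    for host, n404, unique in referer_404_report(SAMPLE_LOG):
        print(f"{host}: {n404} x 404 across {unique} distinct paths")
```

On a real server, pass `open("/var/log/nginx/access.log")` instead of `SAMPLE_LOG`. The unique-path threshold matters: a single broken link on a legitimate site yields many 404s for one path, whereas an injected flooder produces a different path on nearly every request, so counting paths rather than only hits keeps ordinary dead links out of the report.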

In addition, it is important to keep the site’s content management system (CMS) up to date, update plugins, and restrict access to site administration.

We also note that it seems that the Chinese comrades do not support Russian hackers: we wrote that Chinese Mustang Panda Cyberspies Attack Russian Officials.

Hacker groups split up: some of them support Russia, others Ukraine
https://gridinsoft.com/blogs/hacker-groups-split-up-some-of-them-support-russia-others-ukraine/
Thu, 10 Mar 2022 11:47:41 +0000

The post Hacker groups split up: some of them support Russia, others Ukraine appeared first on Gridinsoft Blog.

]]>
Amid the backdrop of the barbaric invasion of the Russian army into the territory of Ukraine, hacker groups split into two camps: some declared that they supported the actions of the Russian authorities, while others, on the contrary, sided with Ukraine.

Bleeping Computer says that there has been a serious split in the hacker community.

For example, the administrator of the database and trading platform RaidForums openly stated that he was imposing his own sanctions and blocking access for users from Russia. He made his position clear, saying that he opposes the Kremlin’s actions.

Another RaidForums participant posted an even harsher message as a warning to the “Russians”. He also posted on the forum a database containing e-mail addresses and hashed passwords for the fsb.ru domain. Although the authenticity of this information has not yet been verified, the same user previously hosted similar databases for US .mil domains.

Let me remind you that we also said that Anonymous hackers declared war on the Russian government.

At the same time, ransomware groups also took opposite sides of the conflict. For example, members of one of the most aggressive hacker groups, Conti, declared “the full support of the Russian government” and threatened to retaliate with cyberattacks against anyone who attacks Russia, promising to use all their resources “to strike back at the enemy’s critical infrastructures.”

A little later, the hackers changed the statement, noting that in doing so they “do not ally with any government, and condemn the ongoing war”.

Another far less well-known hack group, CoomingProject, has also said it will support the Russian government if cyberattacks are directed against the country.

Interesting statistics about the “political position” of various hacker groups are also collected by journalists from The Record. According to them, two more groups have publicly declared their position.

UNC1151, allegedly based in Minsk, supports Russia. This hack group is considered to be Belarusian “government hackers” and is allegedly already working on hacking the emails of Ukrainian military personnel.

The Red Bandits also took the side of Russia. Back on February 22, the group announced on Twitter:

“We have hacked the @UkrainePolice DVRs and are monitoring them. If Ukraine does not do what #Russia wants, we will intensify attacks against Ukraine to provoke panic. We will also consider spreading #ransomeware in #UkraineRussiaCrisis #RussiaUcraina #Ukraine.”

We also said that the FBI and NSA release a statement about attacks by Russian hackers.

Microsoft discovered the WhisperGate wiper attacking Ukrainian users (https://gridinsoft.com/blogs/microsoft-discovered-the-whispergate-wiper-attacking-ukrainian-users/, Mon, 17 Jan 2022 22:06:45 +0000)

Microsoft says it discovered a destructive attack on Ukrainian users using the WhisperGate wiper, which tried to pass itself off as ransomware but in fact gave victims no way to recover their data.

In fact, the detected threat is a classic wiper, that is, malware designed to deliberately destroy data on an infected host.

WhisperGate wiper

Such malware is usually used either to mask other attacks and remove important evidence of a hack, or to perform sabotage in order to inflict maximum damage on the victim and prevent it from performing its usual activities, as was the case with the Shamoon, NotPetya or Bad Rabbit attacks.

“Currently, our investigation teams have identified malware on dozens of affected systems, but this number may increase as the investigation continues,” Microsoft experts said.

According to the company, the attacks began on January 13, and the affected systems belonged to several Ukrainian state institutions, as well as non-profit organizations and information technology companies. As in the NotPetya and BadRabbit cases, the new malware also comes with a component that overwrites the MBR and prevents infected systems from booting.

The researchers have not yet been able to determine the vector of malware distribution, and therefore it is unclear whether the attack affected anyone else besides Ukrainian targets.

WhisperGate replaces the usual boot screen with a ransom note, which researchers say contains an amount, a bitcoin address, and a Tox ID to contact the attackers. So far, no payments have been made to the wallet of criminals.

However, experts note that paying is useless: even if the victims manage to restore the MBR, the malware deliberately damages files with certain extensions, overwriting their contents with a fixed number of 0xCC bytes and bringing the total file size to 1 MB. The affected extensions are listed below.

.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU .SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP
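When scoping an incident of this kind, responders need a quick way to tell which files were actually overwritten, as opposed to merely unreadable because the MBR is gone. The Python script below is an added example, not Microsoft’s tooling and not code from the original post: it walks a directory tree and flags files that match the pattern described above, a file of exactly 1 MB (taken here to mean 0x100000 = 1,048,576 bytes, which is an assumption) consisting entirely of 0xCC bytes. Files are checked by size first, so the full read only happens for candidates. The sample tree it builds in a temporary directory is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

FILL_BYTE = 0xCC          # byte value the wiper writes over file contents
WIPED_SIZE = 0x100000     # "1 MB" in the description, assumed to mean 1 MiB
CHUNK = 64 * 1024         # read size for the content check


def is_wiped_file(path):
    """True if the file is exactly WIPED_SIZE bytes long and every byte is 0xCC.
    Unreadable files (permissions, races with deletion) are reported as False."""
    p = Path(path)
    try:
        if p.stat().st_size != WIPED_SIZE:
            return False
        with p.open("rb") as fh:
            while True:
                chunk = fh.read(CHUNK)
                if not chunk:
                    return True
                # bytes.count(int) counts occurrences of that byte value
                if chunk.count(FILL_BYTE) != len(chunk):
                    return False
    except OSError:
        return False


def scan_tree(root):
    """Return the sorted list of paths under root (relative, POSIX-style)
    that match the wiper's overwrite pattern."""
    root = Path(root)
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if is_wiped_file(full):
                matches.append(full.relative_to(root).as_posix())
    return sorted(matches)


def build_sample_tree():
    """Constructed sample data: one wiped file, one intact text file,
    one 1 MiB file with a different fill byte, and one short 0xCC file.
    Only the first should be flagged."""
    root = Path(tempfile.mkdtemp(prefix="wiper-triage-"))
    (root / "docs").mkdir()
    (root / "docs" / "report.docx").write_bytes(bytes([FILL_BYTE]) * WIPED_SIZE)
    (root / "docs" / "notes.txt").write_bytes(b"quarterly notes\n")
    (root / "image.bin").write_bytes(b"\x00" * WIPED_SIZE)
    (root / "partial.bin").write_bytes(bytes([FILL_BYTE]) * 1000)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel in scan_tree(sample_root):
        print("wiped:", rel)
```

Run it against a mounted image of the affected disk rather than the live system, and treat the output as a list of files to restore from backup; a file that matches this pattern has no original content left to recover.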

Microsoft experts have said that so far, they have not been able to link these attacks to any specific hack group, and they are currently tracking the attackers under the ID DEV-0586.

Attacks on Ukrainian sites

At the end of last week, we already wrote that many Ukrainian sites suffered from cyberattacks and were defaced.

As the Ukrainian authorities have now said, Russian hackers are responsible for this attack:

“All the evidence points to Russia being behind this cyberattack. Moscow continues a hybrid war and is actively building up its forces in the information and cyberspace,” the ministry said in a statement.

The ministry says that the purpose of this attack is “not only to intimidate the public,” but also “to destabilize the situation in Ukraine by shutting down the public sector and undermining confidence in the government on the part of Ukrainians.”

I also recall that I reported that Russian-speaking hackers attacked the government infrastructure of Poland.

Most likely Russian hackers defaced Ukrainian government websites (https://gridinsoft.com/blogs/russian-hackers-defaced-ukrainian-government-websites/, Fri, 14 Jan 2022 16:15:10 +0000)

Hackers defaced several Ukrainian government websites: the attack occurred on the night of January 13-14 and affected the websites of the Ukrainian Foreign Ministry, the Ministry of Education and Science, the Ministry of Defense, the State Emergency Service, the website of the Cabinet of Ministers, and so on.

The Record notes that the contents of all affected resources were deleted and replaced with a statement published in Russian, Ukrainian and Polish.

“Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab (public, fairy tale and wait for the worst. It is for you for your past, the future and the future. For Volhynia, OUN UPA, Galicia, Poland and historical areas,” the hackers said in a statement.

The fact of the attack was officially confirmed by the country’s authorities, who posted relevant messages on official websites, as well as on Facebook and Twitter. All affected resources were temporarily taken down, and some sites are still down, reporting that they are under maintenance.

Officials say they are investigating the attack and so far everything points to Russian hackers.

According to security researcher Gary Warner, the defacements appear to have been aimed at creating divisions between various ethnic groups, especially between native Ukrainians and the Polish minority.

“The last sentence is meant to remind the people of the region about the ethnic cleansing of Poles in Volhynia and Galicia,” Warner said.

Information security journalist Kim Zetter writes that sources in the Ukrainian government told her that a vulnerability in October CMS, which all the affected resources used, was exploited in the attack.

“Sources tell me ~15 sites in Ukraine – all using October content management system – have been defaced, incl Min of Foreign Affairs, Cabinet of Ministers, Min of Ed, Emergency Services, Treasury, Environmental Protection. Attackers apparently used CVE-2021-32648,” Kim Zetter tweeted.

This information was later confirmed by the Ukrainian CERT.

Let me remind you that we recently wrote that Russian-speaking hackers attacked the government infrastructure of Poland, and also that the FBI and NSA release a statement about attacks by Russian hackers.

Ukrainian law enforcement officers arrested members of the hacker group Phoenix (https://gridinsoft.com/blogs/ukrainia-arrested-members-of-the-hacker-group-phoenix/, Thu, 25 Nov 2021 06:26:00 +0000)

The Security Service of Ukraine (SBU) announced the arrest of five members of the international hacker group Phoenix, which specializes in remote hacking of mobile devices and collection of personal data.

Law enforcement officers report that the group included five citizens of Ukraine (residents of Kyiv and Kharkiv), and all of them had a higher technical education. The group’s activity lasted at least two years, and during this time the hackers managed to break into the accounts of several hundred people.

The goal of the Phoenix hack group was to gain remote access to user accounts of mobile devices, and then monetize this access by hacking e-wallets and bank accounts, as well as by selling victims’ personal information to third parties.

To gain access to other people’s accounts, the hackers used phishing resources, i.e. copies of the Apple, Samsung and similar sites. If the victim downloaded an application from such a fake site, they ended up handing their credentials to the attackers, who then copied the information stored on the compromised phone.

“This activity went on for at least two years, during which Phoenix hacked several hundred people’s accounts,” representatives of Ukrainian law enforcement agencies said.

Also, hackers offered their services of remote hacking of mobile phones at prices ranging from $100 to $200. In addition, the group was also involved in unlocking stolen or lost Apple devices. Subsequently, such gadgets were sold in a network of stores controlled by criminals in Kyiv and Kharkiv.

As a result, law enforcement officers conducted five searches, one at each place of detention, seizing computer equipment, mobile phones that were being prepared for sale, and specialized software and equipment.

The attackers were charged under Article 361 of the Criminal Code of Ukraine (illegal interference in the operation of electronic computers (computers), systems and computer networks).

“While the five arrested individuals are most likely all the ‘Phoenix’ group members, the authorities will continue the investigations to potentially identify more conspirators,” Bleeping Computer reports.

Let me remind you that we reported that the Cyber police of Ukraine arrested persons linked with the Clop ransomware and that the Ukrainian cyber police arrested the author of uPanel phishing kit.

Ukrainian fighters against pirates asked Google to block 127.0.0.1 (https://gridinsoft.com/blogs/ukrainian-fighters-against-pirates-asked-google-to-block-127-0-0-1/, Tue, 10 Aug 2021 16:37:34 +0000)

TorrentFreak reports that the Ukrainian anti-piracy company Vindex, representing the interests of TRK Ukraine, sent Google a strange request to remove content from search results.

One of the addresses said to violate the rights of TRK Ukraine pointed to 127.0.0.1, that is, the anti-piracy company found the prohibited content on its own systems.

“This week we saw yet another problematic DMCA notice, which is perhaps even worse. TV channel TRK Ukraine asked Google to remove content hosted on the IP-address 127.0.0.1. The TV company’s anti-piracy partner Vindex asked the search engine to remove a search result that points to 127.0.0.1. Tech-savvy people will immediately recognize that the anti-piracy company apparently found copyright-infringing content on its own server,” TorrentFreak reports.

Journalists note that under the DMCA (Digital Millennium Copyright Act) Google processes requests to remove approximately five million URLs every week, and in total, the search giant has already removed more than 5 billion links.

But in their efforts to combat piracy, companies often make mistakes and “shoot themselves in the foot”; for example, the service Toomics recently asked Google to remove URLs of its own website from the results.

A similar situation has now occurred with the request of the Ukrainian anti-piracy company Vindex. The link violating the copyright of TRK Ukraine to broadcast football matches pointed to 127.0.0.1:6878/ace/manifest.m3u. That is, the pirated playlist file was found on Vindex’s own computer.

The publication writes that this file can be a playlist for the Ace Stream P2P platform, which is often used for pirated content.

“Since 127.0.0.1 refers to the host computer, Google is technically asked to remove a file from its servers. A file that doesn’t exist. Needless to say, Google hasn’t taken any action in response,” TorrentFreak explained.

TorrentFreak writes that Vindex should set up its bots properly. The company already had a poor track record: of all the links Vindex asked Google to remove, only a little more than 10% were actually removed.

Let me remind you that I also talked about the fact that Ukrainian law enforcement discovered a mining farm consisting of thousands of PlayStation 4 consoles.
