cyberattack Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/cyberattack/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Mon, 01 Apr 2024 19:29:11 +0000

UnitedHealth Hack Leaks 6 TB of User Data
https://gridinsoft.com/blogs/unitedhealth-hack-6tb-data-leak/
Mon, 01 Apr 2024 19:29:11 +0000

UnitedHealth Group, one of the largest providers of health insurance and health care services in the United States, suffered a cyberattack followed by a data breach. The company admitted that the personal data of millions of patients was “stolen” in the cyberattack. This incident is already being called one of the largest in healthcare history. The total volume of data the hackers managed to steal is estimated at 6 terabytes.

UnitedHealth Hacked, Department Leaks Huge Amounts of Data

In February 2024, UnitedHealth Group experienced a massive cyberattack that compromised the data security of Change Healthcare. This division of the corporation processes medical claims and payments. As a result, systems responsible for processing prescriptions, medical claims and electronic payments were affected. This caused major problems for healthcare providers, pharmacies and payment systems across the country.

Application on the company’s website

UnitedHealth Group responded quickly to the incident. They announced their intention to work with law enforcement to investigate the attack and strengthen security measures to protect patient data. The company also began notifying affected customers and offered them free credit history monitoring and fraud protection services as a compensation.

On Wednesday, UnitedHealth Group announced that it has made significant progress in restoring various core systems that were hit in the attack. The attack in particular caused an outage during the company’s response and affected more than 100 Change Healthcare IT products and services.

Government Response

The size of UnitedHealth and its importance to the national healthcare industry meant the government could not stay silent. The U.S. Department of Health and Human Services has opened an investigation into the incident for a possible violation of the Health Insurance Portability and Accountability Act (HIPAA). The investigation aims to determine whether a breach of protected patient data occurred, and whether the relevant legal requirements for confidentiality of information were met.

U.S. Department of State Announces Reward

BlackCat/ALPHV Claims Responsibility

The ALPHV/BlackCat ransomware gang claimed responsibility for this attack earlier this year. The hackers announced that they were able to exfiltrate 6 terabytes of “highly selective data” regarding Change Healthcare customers. This covers a wide range of data, including records related to Tricare, Medicare, CVS Caremark, MetLife and other large organizations, which highlights the potential scale of the damage.

ALPHV/BlackCat reveals details of attack on UnitedHealth

According to their story, UnitedHealth Group paid a $22 million ransom for a decryption key and a promise not to distribute the stolen data. This is a forced measure: the company has to pay a huge sum to regain access to its own data and prevent further dissemination of the stolen information. However, questions remain open as to whether BlackCat actually received the full ransom amount as claimed. Additionally, there are concerns about what assurances there are that the data will not be distributed or used in the future.

At the end of 2023, BlackCat’s infrastructure was seized in a coordinated law enforcement action. This severely disrupted the group’s operations for a period. Yet, as this case shows, BlackCat continued operating in defiance of law enforcement efforts. The disruption definitely slowed them down, but did not stop the operation entirely.

What did stop them is the exit scam the group’s admins pulled in early March 2024. The hackers defrauded their partners, quitting the business with all of their affiliates’ money. The said UnitedHealth subdivision appears to be one of their last targets, at least under this name. I expect them to resurface in one form or another.

PyPI Malware Spreading Outbreak Exploits Typosquatting
https://gridinsoft.com/blogs/pypi-malware-outbreak/
Fri, 29 Mar 2024 17:04:58 +0000

PyPI, the index of Python packages, once again became a place for spreading malware. Threat actors registered hundreds of accounts to upload packages whose names typosquat well-known, popular packages. This forced the administration to halt new user registration until the issue is resolved.

PyPI Malware Spreading Causes Registrations Halt

The Python Package Index, commonly known as PyPI, has closed registration of new users due to a wave of malware spread through the platform. Such trouble is nothing new, as similar infestations happened in the past. Each time, the platform implemented changes aimed at preventing malware uploads in the future, but the protection evidently failed this time. Research from CheckPoint uncovers the entire flow of the attack.

In the latest campaign, cybercriminals uploaded not the final payload but a malicious script that then loads the malware. The repositories with these scripts were mostly uploaded on March 27, with the user accounts created the day before. Overall, the research unveils 576 malicious repositories.

PyPI user profile that uploaded malware. Source: CheckPoint

Another thing that unites all these uploads is the use of typosquatting in their naming. The fraudsters were aiming at spoofing the names of popular packages. In particular, they used letter-to-digit substitution (request5 instead of requests), common typos (requestss) and slight changes like -sdk or -v1 suffixes. While they look like obvious fakes, they may still work when users are in a hurry or distracted.

Package indexes for different programming languages are often a target of cybercriminals’ attention. Ones the size of PyPI, which boasts over 800,000 users, are veritable Meccas for hackers. By spreading malware in packages, they can infect both users and developers, potentially gaining a starting point for a cyberattack on a corporation, or even for a supply chain attack. Considering the wide use of Python in machine learning, this can also be leveraged for attacks on ML clusters. The latter appears to be a new point of interest for cybercriminals.

Malware in PyPI: How Does It Work?

Despite the scale of the attack, the way it works is nothing special. As I’ve said, the malicious repositories contained not the malware itself but an obfuscated loader script. The latter connected to the command server, funcaptcha[.]ru, and pulled the payload.

All the repos were spreading the same script, which deployed the same malware regardless of the region. The payloads were an infostealer and a cryptojacker, both in the form of obfuscated code. Neither of them, however, belongs to any known malware family; they were likely developed for this specific campaign.

Piece of code of the infostealer malware spread in this campaign

The infostealer targets passwords stored in browser files and session tokens of popular desktop applications. Additionally, it grabs browser cookies, another valuable source of user information. The cryptojacking malware modifies the desktop crypto wallets it detects, most likely changing the recipient of all transactions to the fraudsters’ wallet. Afterwards, both malware samples communicate with the same C2 server the loader script used.

Disclosure and Remediation

Shortly after uncovering the attack chain, PyPI administrators announced the suspension of all new user registration. Next, they started searching for the malicious repositories and deleting them, which matches the tactics they used before. Still, this does not solve the problem of an exclusively reactive approach to such threats.

Despite being well-known and trusted, all large package repositories suffer from the very same problem. It is too hard to track all the uploads, and strict premoderation would queue new packages for weeks. The only variable here is which one will be the next to get the attention of adversaries. This ultimately raises the question of self-defense for developers who rely on these repos in their daily tasks.

Obvious advice here is to double-check all packages, regardless of their source. Malware gets more and more sophisticated disguises, becoming effective even against savvy and aware users. Good anti-malware software will help as well: a proper one will detect and prevent the execution of a malicious script before it starts its mischievous job.
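One concrete form of that double-check, as an added example (not CheckPoint’s research code nor anything PyPI ships): the heuristics below flag a requested package name that is one of the mutations described above away from a well-known package. The popular-package list and the sample requirements file are constructed for the demo.

```python
"""Heuristic typosquat check for package names (added example, not CheckPoint's
or PyPI's own code). It catches the three mutations seen in this campaign:
letter-to-digit swaps (request5), one-character typos (requestss) and tacked-on
suffixes (requests-sdk). The popular-package list below is a constructed sample."""
import re

# Constructed sample; a real deployment would load the top downloaded packages.
POPULAR = {"requests", "numpy", "pandas", "flask", "django", "urllib3", "pillow"}

# Digit-for-letter swaps commonly used to imitate a legitimate name.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"}
SUFFIXES = ("-sdk", "-v1", "-v2", "-dev", "-api", "-py", "-python")


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a doubled, dropped or substituted letter scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_of(name: str, popular=POPULAR):
    """Return (imitated_package, reason) when `name` looks like a typosquat of a
    popular package, or None if it is that package itself or nothing is close."""
    n = normalize(name)
    if n in popular:
        return None
    # 1. A known name with a plausible suffix: requests-sdk, requests-v1
    for suffix in SUFFIXES:
        if n.endswith(suffix) and n[: -len(suffix)] in popular:
            return n[: -len(suffix)], f"suffix {suffix}"
    # 2. Digits standing in for letters: request5 -> requests
    deleet = "".join(LEET.get(c, c) for c in n)
    if deleet != n and deleet in popular:
        return deleet, "digit substitution"
    # 3. One keystroke away: requestss, reqests, requestz
    for p in popular:
        if edit_distance(n, p) == 1:
            return p, "one-character typo"
    return None


def scan_requirements(text: str):
    """Check each requirement line; returns (requested, imitated, reason) tuples."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment or pip option line
            continue
        requested = re.split(r"[\s\[<>=!~;@]", line, maxsplit=1)[0]
        hit = typosquat_of(requested)
        if hit:
            findings.append((requested, hit[0], hit[1]))
    return findings


# Constructed sample requirements file mixing genuine and look-alike names.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
request5>=1.0
requestss
Requests_SDK
numpy==1.26.4
flask-sqlalchemy
"""

if __name__ == "__main__":
    for requested, imitated, reason in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{requested:15} looks like {imitated} ({reason})")
```

Legitimate packages that genuinely extend a popular one (flask-sqlalchemy above) are left alone because their suffix is not in the short list; tune SUFFIXES and POPULAR to your own dependency set.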

STRRAT and Vcurms Malware Abuse GitHub for Spreading
https://gridinsoft.com/blogs/strrat-and-vcurms-abuse-github/
Fri, 22 Mar 2024 12:04:00 +0000

A new phishing campaign has recently been discovered that uses GitHub to deliver the Remote Access Trojans (RATs) STRRAT and Vcurms via a malicious Java downloader. ANY.RUN specialists have detected the active spread of these malicious programs and warn users of the potential threat.

Short About STRRAT and Vcurms

STRRAT is a Java-based RAT, notorious for its ability to steal information. It is primarily used to gather credentials from browsers and email clients, log keystrokes, and provide backdoor access to infected systems. Like other remote access trojans, STRRAT also relies on stealthy operation and detection evasion.

Phishing email with a pop-up notification regarding launching the JAR file

Vcurms is another Java-based RAT, but with distinct operational tactics. It communicates with its command-and-control server via a Proton Mail email address and executes commands received through specific email subject lines. This malware carries infostealer functionality, capable of extracting data from applications like Discord and Steam. Aside from this, it can grab credentials, cookies, and autofill data from multiple web browsers. It shares similarities with another malware known as Rude Stealer.

Attack Overview

ANY.RUN researchers say the attack begins with a phishing email convincing recipients to click a button to verify payment information. This action leads to the download of a malicious JAR file masquerading as a payment receipt. The downloaded file then launches two additional JAR files that activate both Vcurms and STRRAT trojans.

Infection chain of malware

Both malware samples try to remain stealthy, using detection and analysis evasion techniques. Researchers found them using these specific tricks:

  • Using legitimate services and tools – attackers use legitimate cloud platforms such as AWS and GitHub to store or distribute malware. Such a trick also complicates filtering network requests of malicious origin.
  • Code obfuscation – the source code of a program is converted into a form that makes it difficult to read. This is used to hide malicious functions from antivirus scanners and analysts. (By the way, the first JAR file received via email is obfuscated and downloads malware using a PowerShell command.)
  • Packing – malicious code is compressed or “packed” together with some type of unpacking mechanism. This makes it difficult to analyze the code without executing the malware.

This is not the first time malware actors abuse GitHub or other developer platforms. Unfortunately, there are not a lot of options to mitigate this proactively: it is easy to disguise the code and make it look innocent. GitLab administrators reacted to user complaints and removed the malicious repository, but this does not guarantee that there won’t be a comeback.

Sandbox attack analysis

The campaign begins by spreading the initial loader via phishing emails. The goal of these emails is to convince the user to download and run a malicious JAR file. This file acts as the primary loader that initiates a series of malicious actions on the infected machine.

Primary Loader

Once launched, the primary loader downloads a secondary malicious file from the aforementioned repository on GitHub. The file is launched with a command that invokes the Java runtime:

"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\64e8cb522a3a4664791c27512d94a911bc2fbcbae09b625976ff8ac6809819d3.jar"

Persistence and disguise

Then the malware creates a copy of itself in the AppData\Roaming directory and registers a Windows scheduled task that relaunches it every 30 minutes. Interestingly, the malware tries to mimic Skype, judging by the name of the task it creates. This ensures the persistence of the malware on the system.

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\admin\AppData\Roaming\64e8cb522a3a4664791c27512d94a911bc2fbcbae09b625976ff8ac6809819d3.jar"

Collecting information about the system

Next, the malware gathers information about the system, including a list of disks and the presence of installed security programs, using the following commands:

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"

One of the malware programs, in this case Vcurms, uses a PowerShell command to dump the passwords kept by Windows itself (in the PasswordVault), rather than by a third-party tool. It gathers data from browsers too, but in a different manner: by accessing their data files directly.

powershell.exe "[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }"

I assume this command is related to Vcurms as STRRAT does not exhibit password stealing functionality.
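The command lines above are concrete enough to hunt for in process-creation telemetry. The following is an added example, not code from ANY.RUN or Gridinsoft: one pattern per reported behaviour, run over event records whose format, host names and benign control lines are constructed for the demo, with a host that shows JAR persistence together with AV discovery or a vault dump rated high.

```python
"""Hunting rules for the STRRAT/Vcurms chain reported above (added example,
not ANY.RUN's or Gridinsoft's code). Each rule is a regex over a process
command line; triage() scores a host on the combination of behaviours.
The event records, host names and benign control lines are constructed."""
import re

# One pattern per reported behaviour. Rule names are my own labels.
RULES = {
    # javaw.exe -jar <something under AppData\Local\Temp or AppData\Roaming>.jar
    "jar_run_from_user_profile": re.compile(
        r"javaw?\.exe\"?\s+-jar\s+\"?[^\"]*\\AppData\\(Local\\Temp|Roaming)\\[^\"]*\.jar",
        re.I),
    # schtasks /create ... /tr "<path>.jar": a scheduled task that relaunches a JAR
    "schtasks_persists_jar": re.compile(
        r"schtasks\s+/create\b.*?/tr\s+\"?[^\"]*\.jar", re.I),
    # wmic query of root\securitycenter2 antivirusproduct (installed AV discovery)
    "av_discovery_via_wmic": re.compile(
        r"\bwmic\b.*securitycenter2.*antivirusproduct", re.I),
    # PowerShell reading every entry of the Windows PasswordVault
    "passwordvault_dump": re.compile(
        r"powershell.*PasswordVault.*RetrievePassword", re.I),
}


def match_rules(cmdline: str):
    """Names of all rules whose pattern occurs in one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def triage(events):
    """Collect rule hits per host and rate them. A JAR scheduled task together
    with AV discovery or a vault dump reproduces the reported chain -> high;
    two unrelated hits -> medium; a single hit -> low."""
    per_host = {}
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if hits:
            per_host.setdefault(ev["host"], set()).update(hits)
    verdicts = {}
    for host, rules in per_host.items():
        chained = "schtasks_persists_jar" in rules and bool(
            rules & {"av_discovery_via_wmic", "passwordvault_dump"})
        severity = "high" if chained else "medium" if len(rules) > 1 else "low"
        verdicts[host] = {"rules": sorted(rules), "severity": severity}
    return verdicts


# Constructed process-creation events: the WS01 lines are the ones quoted in
# the sandbox report (the disk enumeration is too common to alert on by itself),
# the WS02 lines are benign controls that must not fire.
JAR = "64e8cb522a3a4664791c27512d94a911bc2fbcbae09b625976ff8ac6809819d3.jar"
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline":
        r'"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\%s"' % JAR},
    {"host": "WS01", "cmdline":
        r'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\admin\AppData\Roaming\%s"' % JAR},
    {"host": "WS01", "cmdline":
        r'''cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"'''},
    {"host": "WS01", "cmdline":
        r'''cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"'''},
    {"host": "WS01", "cmdline":
        r'powershell.exe "[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }"'},
    {"host": "WS02", "cmdline":
        r'"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Program Files\ExampleVendor\app.jar"'},
    {"host": "WS02", "cmdline":
        r'schtasks /create /sc daily /tn Backup /tr "C:\Tools\backup.exe"'},
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict["severity"], ", ".join(verdict["rules"]))
```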

Strengthening cybersecurity

This case shows the importance of vigilance and cooperation in cybersecurity. The phishing attack demonstrated that even trusted platforms like GitHub can be used as a tool to spread malware. Cybersecurity experts offer the following tips to protect against such threats:

  • Firstly, always verify the sender and avoid opening attachments or clicking on links in emails that seem suspicious or unexpected. If an email asks you to confirm payment details or personal information, it is better to contact the sender directly through another channel.
  • Then, enable spam filters on your email to reduce the number of phishing and junk emails reaching your inbox.
  • Make sure your antivirus software and all systems are updated to the latest versions. Regular updates help protect against known threats and vulnerabilities.
  • Also, regularly monitor systems for suspicious activity and respond quickly to cybersecurity incidents. Use analytics and intelligent detection tools.
  • And last, back up important data regularly and store it in a safe place. This will help you recover information in the event of a successful attack.

Fujitsu Hacked, Warns of Data Leak Possibility
https://gridinsoft.com/blogs/fujitsu-hacked-data-leak/
Tue, 19 Mar 2024 17:29:47 +0000

Fujitsu, one of the world’s leading IT companies, reports uncovering a hack of its internal network. The company discovered malware in its IT systems, which led to a massive data breach.

Fujitsu Hacked, Company Publishes Report

The Fujitsu hack was first discovered by the company’s own IT specialists during a scan. The first signs of compromised systems were noticed earlier in March 2023, which immediately raised concerns among the technical team. Management was immediately notified of the possible threat, leading to an extensive internal investigation.

Fujitsu report on official web site (translated from Japanese)

The said investigation is still ongoing and is now aimed at determining the amount and types of leaked data. The company says it has not received any reports of personal information being misused as a result of the hack. However, the attack could have affected important databases containing customers’ personal data, including names, addresses, contact information and details of contractual relationships.

Initial steps taken by Fujitsu included isolating the infected systems to prevent the malware from spreading further. The company also engaged external cybersecurity experts to conduct a detailed analysis of the situation and determine the source of the attack.

Analysis of Malware

Preliminary analysis showed that the malware was specifically designed to steal sensitive information. Experts noted that it was not a “common” malware sample but one crafted for this specific attack. The program acted selectively, targeting particularly sensitive data such as employees’ personal data, financial information and details of internal company research.

Most interestingly, the attack targeted specific systems and used sophisticated methods to bypass standard security measures. It is a common tactic for attackers to use custom malware builds for targeted attacks on corporate networks, but it is unusual to see them using a previously unseen sample.

Fujitsu Was Hacked Before

In June 2023, Fujitsu Cloud Technologies, a subsidiary of Fujitsu Limited, received a public reprimand from Japan’s Ministry of Internal Affairs and Communications. The ministry demanded that both Fujitsu Cloud Technologies and Fujitsu Limited take immediate action to implement security measures to safeguard communications privacy and enhance cybersecurity. Fujitsu Limited is set to merge with its subsidiary in the near future.

In 2022, a breach affected Fujitsu Limited’s cloud-based internet service used by governments and large corporations. Attackers accessed the system and leaked sensitive information. Around late 2022, the company uncovered a hack in one of its divisions, FENICS Internet.

This company was also implicated in the May 2021 supply chain attack. Its Fujitsu ProjectWEB project management suite was accessed by an unauthorized third party and the incident resulted in a data leak affecting several Japanese government agencies. The data was allegedly sold on the darknet. The company later discontinued the ProjectWEB portal/tool.

What then?

Well, despite best efforts, even technologically advanced companies like Fujitsu are not immune to cyberattacks and subsequent data breaches. Even with advanced defense systems, attackers are finding ways to bypass defenses, resulting in serious consequences for companies and their customers. Hopefully, the measures taken and lessons learned from this experience contribute to strengthening data protection.

BianLian Exploits TeamCity Vulnerability to Deploy Backdoors
https://gridinsoft.com/blogs/bianlian-exploits-teamcity-vulnerability/
Tue, 12 Mar 2024 10:11:02 +0000

BianLian, a group of cybercriminals known for their ransomware attacks, recently caught the attention of the information security community. By exploiting vulnerabilities in the JetBrains TeamCity platform, they managed to carry out multistage cyberattacks. Threat actors reportedly start their attack chain with a Golang-based backdoor, and work their way all the way to the ransomware payload.

BianLian Exploits TeamCity vulnerabilities

Recent research uncovered a new trend in BianLian’s modus operandi: the threat actors behind the ransomware have been observed exploiting security flaws in JetBrains TeamCity software to conduct their attacks. Leveraging known vulnerabilities such as CVE-2024-27198 or CVE-2023-42793, the attackers gained initial access to the environment, paving the way for further infiltration. By creating new users and executing malicious commands within the TeamCity infrastructure, the threat actors orchestrated post-exploitation maneuvers and lateral movement, expanding their foothold in the victim’s network.

This is not the first case of TeamCity vulnerabilities being exploited. Consider reading our previous report on the CozyBear threat actor using a different set of security flaws in this software.

Backdoor Deployment via PowerShell

The original report from GuidePoint Security says that despite initial success, BianLian fell back to a PowerShell version of their backdoor. This happened because of an unexpected detection by Microsoft Defender. At the same time, the hackers managed to deploy network reconnaissance tools and use them before switching to the PowerShell backdoor.

The PowerShell backdoor, obfuscated to hinder analysis, exhibited a multi-layered encryption scheme. Still, it was possible to understand what was going on and analyze the adversaries’ actions. The malware established a tunnel connection to the command server and waited for further actions. And while using PowerShell in cyberattacks is nothing unusual, an entire backdoor written in PowerShell that also incorporates heavy obfuscation is a new tactic.

Functionality and Capabilities of Backdoor

The PowerShell backdoor described above mainly aims at facilitating covert access to and control over compromised systems. The research summary reveals several features of this malware to be aware of.

The backdoor incorporates functionality to resolve IP addresses from provided parameters, establishing TCP sockets for communication with remote command-and-control (C2) servers. This enables bidirectional data exchange between the compromised system and the attacker-controlled infrastructure. Here is the code recovered by analysts:

# Function to resolve an IP address
function cakest{
    param($Cakes_Param_1)
    # Already a literal IP address: return it unchanged
    IF ($Cakes_Param_1 -as [ipaddress]){
        return $Cakes_Param_1
    }else{
        # Otherwise resolve the host name via DNS and take the first address
        $Cakes_Resolved_IP = [System.Net.Dns]::GetHostAddresses($Cakes_Param_1)[0].IPAddressToString;
    }
    return $Cakes_Resolved_IP
}

Leveraging asynchronous execution techniques, the backdoor optimizes performance and evades detection by utilizing Runspace Pools. This allows multiple PowerShell instances to run concurrently, enhancing operational efficiency during post-exploitation activities.

Also, to secure its communication, the backdoor establishes SSL streams between the compromised system and the C2 servers, encrypting the data exchanged over the network. By employing encryption, the threat actors reduce the risk of interception and detection by network monitoring tools. Overall, the C2 communication relies on this code:

function cookies{
    param (
        # Default IP in parameter = 127.0.0.1
        [String]$Cookies_Param1 = "0x7F000001",
        [Int]$Cookies_Param2 = 1080,
        [Switch]$Cookies_Param3 = $false,
        [String]$Cookies_Param4 = "",
        [Int]$Cookies_Param5 = 200,
        [Int]$Cookies_Param6 = 0
    )

Mimicking tactics observed in advanced malware, the backdoor validates SSL certificates presented by C2 servers, verifying the authenticity of remote endpoints. This authentication mechanism enhances the resilience of the communication channel against potential interception or infiltration attempts.

How to stay safe?

The BianLian threat group continues to evolve, and in light of their recent attacks, it is important to take appropriate security measures. Fortunately, they are more or less the same even for protecting against high-profile cybercrime groups.

  • First and foremost, it is recommended to regularly update and patch externally facing applications. This helps mitigate known vulnerabilities that threat actors may exploit to infiltrate your systems.
  • Ensure your team is well-versed in incident response procedures. Every member of your team should have a thorough understanding of how to respond effectively to security incidents. Regular drills should be conducted to refine response strategies and minimize the impact of potential security breaches.
  • Conduct penetration tests informed by threat intelligence to proactively identify and address weaknesses in your defenses. Penetration tests involve simulated attacks on your systems to uncover vulnerabilities that could be exploited by malicious actors. By using threat intelligence to inform these tests, you can focus on the most impactful threats facing your organization.
  • Additionally, use advanced security solutions. EDR and XDR are a must when we talk about corporate-grade cybersecurity. They can cover large networks of computers, orchestrating the response and detecting even sophisticated attacks like the one I’ve described above.

MIT Hacked, Students’ Data Sold on the Darknet
https://gridinsoft.com/blogs/mit-hacked-data-on-the-darknet/
Tue, 13 Feb 2024 15:30:33 +0000

On February 13, 2024, a post appeared on a Darknet forum offering a large pack of data leaked from the Massachusetts Institute of Technology (MIT). The hacker under the alias “Ynnian” claims that the leak happened this year and consists mainly of students’ data. No payment is asked for this DB, hence the information is unlikely to be highly valuable.

MIT Hacked, Data Leaked in the Darknet

The post on the infamous BreachForums discloses a recent data leak at the #2 university in the world. As the leak is extremely fresh, posted only 2 hours prior to this blog post being written, there is no reaction from MIT yet. Though there should be one, as the fact of such a leak raises a lot of questions.

Post with the database that is allegedly leaked from MIT

As I’ve mentioned in the introduction, the fact that it is posted “as is”, accessible to everyone without any payment, means that there is nothing really valuable inside. But if so, maybe the hackers have got something valuable enough that they can afford to just publish a lean dataset? MIT is involved in various government-backed programs, including ones related to aerospace and defense. Hence, there is definitely enough valuable material to keep an eye on.

Each row in the leaked database consists of 4 parts: faculty (or department), surname, name of a student, and email address. Occasionally, a “No Student” value is present, potentially meaning a graduate. Not much, sure, but already enough to arrange a phishing campaign, the typical way such data is used by fraudsters. As the total number of entries, 27,961, exceeds the number of students currently studying at MIT, there could be either duplicates or data about students from previous years.

Should Students be Worried?

If I were in the students’ shoes, I would have my worries. Even though there are a lot of other ways to retrieve one’s personal information, especially things like email and name, the source is what matters here. Being a student of a certain university is a perfect identifier for targeting further scam campaigns. And be sure they will come: a free database like this pushes the margin for fraudsters even higher.

In the near future, I’d recommend the students present in the database to be exceptionally careful with any email messages. Even if this leak is not used for spamming, precautions will not be excessive. Email phishing is too widespread nowadays to ignore such a threat.

MIT Hacked, Students’ Data Sold on the Darknet


]]>
Third Ivanti VPN Vulnerability Under Massive Exploitation
https://gridinsoft.com/blogs/third-ivanti-vpn-vulnerability/
Wed, 07 Feb 2024 13:18:14 +0000


]]>
Experts have discovered a third vulnerability in Ivanti products, a Server-Side Request Forgery (SSRF). This is a serious security issue for corporate VPN appliances. The new vulnerability allows unauthenticated access to restricted resources that were supposed to be available only after authentication.

Ivanti SSRF Vulnerability Exploited

Ivanti, a renowned corporate VPN appliance vendor, has issued a warning regarding a new zero-day vulnerability under active exploitation. This announcement comes in the wake of two previously disclosed vulnerabilities, CVE-2023-46805 and CVE-2024-21887, which have been targeted by Chinese state-backed hackers since early December 2023. The latest vulnerability, identified as CVE-2024-21893, is a server-side request forgery allowing unauthenticated access to restricted resources, and adversaries appear to be taking advantage of it as well.

Shadowserver reported over 22,000 Internet-exposed instances of Connect Secure and Policy Secure. Authentication on an Ivanti VPN appliance is handled by the doAuthCheck function in the HTTP web server binary located at /root/home/bin/web. It is important to note that the endpoint /dana-ws/saml20.ws does not require authentication.

Image: The “doAuthCheck” function in the HTTP web server binary

The flaw, CVE-2024-21893, is a server-side request forgery in the SAML component of Ivanti’s products, which undermines the authentication flow. These vulnerabilities affect Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA, with an estimated 1,700 devices already compromised worldwide, spanning industries including aerospace, banking, defense, government, and telecommunications.
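The two paragraphs above describe the shape of the problem: an endpoint reachable without authentication, and a SAML component that makes server-side requests. The following is an added example, not Ivanti’s code and not a reconstruction of CVE-2024-21893: it shows the generic SSRF-prone pattern a SAML handler can fall into when it fetches a URL taken from an unauthenticated request, next to a hardened variant that fails closed. The IdP allowlist, hostnames and function names are assumptions made for illustration.

```python
# Added example (not Ivanti's code): SSRF-prone vs. hardened handling of a
# URL that arrives in an unauthenticated SAML request. All names are assumed.
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the only identity providers this service provider
# is federated with. A real deployment would derive it from IdP metadata.
ALLOWED_IDP_HOSTS = frozenset({"idp.example.com", "sso.partner.example.net"})


def vulnerable_resolve_target(url: str) -> str:
    """Vulnerable pattern: trust a URL taken from an unauthenticated request
    (e.g. an IdP endpoint carried inside a SAML message) and fetch it as-is.
    Any scheme and any host pass through, including loopback, link-local and
    the appliance's own internal APIs that normally sit behind authentication."""
    return url


class SsrfRejected(ValueError):
    """Raised when a requested target fails the outbound-request policy."""


def hardened_resolve_target(url: str, allowed_hosts=ALLOWED_IDP_HOSTS) -> str:
    """Hardened pattern: only allowlisted IdP hostnames over HTTPS on 443,
    no userinfo, no IP literals. Anything unexpected is rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise SsrfRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # "https://idp.example.com@127.0.0.1/" has host 127.0.0.1, not the IdP
        raise SsrfRejected("userinfo in URL")
    host = parts.hostname          # already lower-cased, brackets stripped
    if not host:
        raise SsrfRejected("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                       # not an IP literal, go on to name checks
    else:
        # 127.0.0.1, ::1, 169.254.169.254, 10.x.x.x all arrive as literals
        raise SsrfRejected(f"IP literal not allowed: {host}")
    if host not in allowed_hosts:
        raise SsrfRejected(f"host not in IdP allowlist: {host}")
    try:
        port = parts.port
    except ValueError as exc:      # e.g. "https://idp.example.com:abc/"
        raise SsrfRejected("malformed port") from exc
    if port not in (None, 443):
        raise SsrfRejected(f"port not allowed: {port}")
    return url


def is_safe_target(url: str) -> bool:
    """Boolean wrapper around the policy, for request handlers and tests."""
    try:
        hardened_resolve_target(url)
    except SsrfRejected:
        return False
    return True
```

The hardened function validates the URL syntactically only; it does not resolve names. An allowlisted name that later resolves to an internal address (DNS rebinding) still has to be caught at fetch time by pinning the resolved address and refusing private, loopback and link-local ranges there as well.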

Impact of Ivanti VPN SSRF Vulnerability

VPN devices are highly attractive to attackers who aim to penetrate deep into organizational networks. These devices provide secure remote access for employees by encrypting their connections to company resources. Positioned at the network perimeter, they accept incoming connections from any external device with the right settings. Once an attacker gains initial access through a VPN, they can move laterally to more critical and sensitive areas of the network infrastructure.


The situation was exacerbated by Ivanti’s delayed response in patching the vulnerabilities, missing their own announced deadline by a week. This delay left organizations exposed for longer, forcing security professionals to mitigate the risks amid the ongoing attacks. Furthermore, the attackers’ ability to bypass the mitigations Ivanti initially provided for the first two vulnerabilities added to the difficulties faced by security teams.

CISA Calls to Disable Ivanti VPN

CISA issued Emergency Directive 24-01, requiring Federal Civilian Executive Branch agencies to take immediate action against this zero-day vulnerability. The required measures include implementing mitigations, reporting any signs of compromise, removing affected products from networks, applying Ivanti’s updates within 48 hours of release, and providing CISA with a detailed report of the actions taken.

Additionally, CISA’s guidance includes performing a factory reset and rebuilding of the Ivanti appliances before bringing them back online, underscoring the need for a clean slate to ensure the devices are free from compromise.

All this looks like a perfect storm around Ivanti. It will be rather challenging to restore the reputation of their software after this mess. Vulnerabilities happen in any software, but this many of them in one product, in such a short period, and with a lacking response from the vendor, is a proper nightmare.


]]>
Claro Company Hit by Trigona Ransomware
https://gridinsoft.com/blogs/claro-company-hit-by-trigona-ransomware/
Sun, 04 Feb 2024 09:57:50 +0000


]]>
Claro, the largest telecom operator in Central and South America, has disclosed being hit by ransomware. Representatives shared this information in response to service disruptions in several regions. From the ransom note it becomes clear that the attackers are the Trigona ransomware group.

Claro Telecom Hacked, Services Disrupted

Since January 25, 2024, Claro customers have suffered from significant network issues. But only on February 2 did the company publish the first notification regarding the situation, on behalf of its Claro Nicaragua subsidiary. Despite the note being published by the Nicaraguan branch, issues were also reported in other Latin American countries, namely El Salvador, Costa Rica, Guatemala and Honduras.

As the note explains, the company suffered a ransomware attack that damaged some of its network elements. The same release expresses the company’s hope that all services will be restored soon. Among the typical issues that are still not completely resolved are problems with Internet connectivity, video calls and payment processing.

Image: Ransom note left in Claro’s network by Trigona ransomware

Judging by the ransom note that analysts managed to obtain from the company, Claro was attacked by Trigona ransomware. The double-extortion group likely managed to get into some of the systems and exfiltrate files. And while encrypted files can be recovered from backups, data exfiltration is extremely dangerous considering the amount of user data stored on a telecom provider’s servers.

What is Trigona ransomware?

Trigona is a ransomware group that started its activity in October 2022. Despite being relatively new to the cybercrime scene, it has already gained both notoriety and sophistication, boasting a Linux version of its main payload. Malware analysts consider this group the successor of CryLock ransomware and point to its possible association with ALPHV/BlackCat ransomware.

This ransomware gang is known for practicing double extortion, meaning that aside from encrypting files, they also exfiltrate significant amounts of data from the attacked environment. The attackers then demand a separate ransom to prevent this data from being published or sold to third parties.

Back in October 2023, Trigona was hacked by the Ukrainian Cyber Alliance, a white-hat hacker organization. UCA managed to wipe the entire server infrastructure along with the backups. The white hats reportedly got their hands on all the tools in the ransomware group’s collection, so there is a possibility of a decryptor being released in the future. Nonetheless, this hack did not stop the criminals from getting back in business.

Is Hacking Telecom Corporation a New Trend?

The attack on Claro is yet another episode of a telecom company being struck by ransomware, a rather unusual sight in the years prior to 2024. Yes, there were known cases of T-Mobile US hacks that led to extensive data breaches, but none of them ended in severe network disruptions. But the current wave of attacks on telecommunication companies, starting with the December 2023 attack on Ukrainian Kyivstar, is different. All such breaches led to significant connectivity issues and even complete outages of all services provided by the target company.

Considering the amount of personal data that typically circulates in telecom organizations, advanced multi-layer security measures are a must. Security tools should be accompanied by a segmented network architecture that makes it harder to compromise the entire network at once, and by data protection. The latter is especially important, since the double-extortion tactic mentioned above is more of a tradition than a novelty nowadays.


]]>
Carbanak is Back with a New Spreading Tactic
https://gridinsoft.com/blogs/carbanak-is-back/
Thu, 28 Dec 2023 10:05:58 +0000


]]>
The Carbanak cybercrime group, infamous for its banking malware, has resurfaced with new ransomware tactics, marking a significant evolution in its modus operandi. This development, reported by NCC Group, reflects Carbanak’s adaptability and the increased threat it poses to global cybersecurity.

Carbanak is Back, Using New Distribution Methods

Carbanak’s return is marked by a significant shift in its distribution methods. Compromised websites now host malicious installer files disguised as legitimate utilities, which deploy Carbanak when run. This development coincides with a surge in ransomware attacks, with 442 incidents reported in November 2023 alone, a notable increase from the 341 cases in October.


The same report shows that industrials, consumer cyclicals, and healthcare were the primary targets of ransomware in November, accounting for 33%, 18%, and 11% of the attacks, respectively. Geographically, North America, Europe, and Asia were the most affected, with 50%, 30%, and 10% of the attacks occurring in these regions.

Carbanak Threat Actor Profile

Carbanak, also known as Anunak, emerged around 2013 as a cybercrime group specializing in financial theft. Notorious for targeting banks and financial institutions, the group is estimated to have stolen $1 billion from banks globally. Carbanak’s methods include spear phishing, malware deployment, and network infiltration.

They are closely linked to FIN7, another cybercrime group, though the two are distinct entities. The connection lies in their methods and objectives: both groups use advanced techniques and tooling to carry out their attacks, and for a long time FIN7 members have used the Carbanak backdoor toolkit for reconnaissance and to gain a foothold on infected systems.

What to Expect From Carbanak Return?

The repercussions of Carbanak’s resurgence are far-reaching. Financial institutions, as primary targets, face an increased risk of data breaches and financial losses. However, the collateral damage extends to individuals, as compromised software can potentially expose personal information and sensitive data.

Staying Vigilant

In light of these developments, it is imperative for organizations and individuals alike to remain vigilant. Here are some essential steps to enhance cybersecurity posture:

  • Employ multi-factor authentication wherever possible to add an extra layer of security to your accounts.
  • Provide cybersecurity awareness training to employees, emphasizing the importance of not clicking on suspicious links or downloading files from unknown sources.
  • Continuously monitor network traffic for any unusual or suspicious activities that may indicate a compromise.


]]>
Kyivstar, Ukraine’s Biggest Cell Carrier, Hacked
https://gridinsoft.com/blogs/kyivstar-hacked/
Wed, 13 Dec 2023 16:38:44 +0000


]]>
On Tuesday, December 12, 2023, Ukraine’s largest cellular operator Kyivstar had its network infrastructure destroyed. This is the result of a hack that was most likely executed by a Russian threat actor.

I considered delaying this post to gather more facts regarding the situation. On day 1, nothing but speculation and supposition was available. Today, some facts have emerged, allowing a more comprehensive analysis of the case.

Ukrainian Mobile Operator Kyivstar Hacked by Russians

Early on December 12, Kyivstar services stopped working. As the company operates not only as a cell carrier but also provides home Internet and connectivity services for businesses, these went down as well. The “national roaming” option, which allows switching between operators with certain limitations, was unresponsive too, meaning that the network core itself was severely disrupted.

At around 12:00, the first official comments from the company appeared. They acknowledged a cyberattack disrupting their services and warned of a rather long recovery process ahead. Further statements specified that the estimated time for recovery of major services was no earlier than December 13.

Image: The company’s statement on the situation on Twitter

Until the evening of the same day, details were scarce. Some analysts tried to draw conclusions, though these were at best vague. Certain sources also supposed that Kyivstar suffered outages due to a DDoS attack, but that was likely just confusion caused by a DDoS attack launched simultaneously against one of the Ukrainian banks. Meanwhile, the company succeeded in recovering part of its services, particularly home Internet, by the end of the day.

On the morning of December 13, 2023, some facts and even more rumors began to surface. Among the latter, the most prominent was the responsibility claim from a previously unknown Solntsepek threat actor. The gang published its statement along with screenshots of what they claim to be a view inside the hacked network. Nonetheless, I strongly doubt the credibility of both the claims and the screenshots, since no one had heard of the group before, and no identifiable details are present in those pictures.

Unpredicted outcomes

As Kyivstar is the biggest cellular operator in Ukraine, the outage caused obvious trouble for over 24 million users. Considering the population of the country is around 40 million, the outage affected every second citizen to some extent. That obviously exposed how heavily people depend on technology nowadays, but some of the issues caused by the Kyivstar hack were less obvious.

Image: Stats of the Ukrainian telecom market. Source: Telegeography

For instance, the air raid alarms, a badly needed thing in a country at war, relied on Kyivstar’s cell network. As a result, numerous cities across the country did not hear air raid alarms, and even online air raid maps could not work properly. That is especially unfortunate as rocket and UAV strikes happen on a daily basis.

What is less unfortunate for Ukraine, though, is that Russian troops stationed in the occupied areas of the Kherson and Zaporizhzhia regions experienced cell coverage issues as well. Since the invaders used stolen SIM cards of Ukrainian operators, their phones stopped working once the attack happened. Payback for the stolen SIM cards, one may say.

Image: Occupants complain about being hit by the Kyivstar takedown, too

Kyivstar Hack – Who is Responsible?

Well, symptoms aside, let’s think about what exactly happened and figure out who is responsible for the hack. The nature of the destruction and the way the recovery is going suggest that the hackers managed to establish persistence in the majority of the infrastructure elements of the corporate network, and then destroyed everything they could reach. That was not just a “DROP DATABASE”, as someone supposed earlier; in that case the recovery would not take this long. Moreover, Kyivstar itself states that it is forced to recover the network “piece by piece”.

Image: Kyivstar network accessibility stats. Source: NetBlocks

The executor is, most likely, one of the Russian APT groups. Sure enough, there is no confirmation, but there is no one other than Russians to hack Ukrainian companies for pure vandalism. Even though I doubt the claims of a no-name hacking group, the nationality of the hackers is almost certain.

Another part of the responsibility lies with Kyivstar itself. Having such a large number of users creates significant responsibility, not only for service availability but also for data safety. Addresses, passport details, phone numbers, emails: all of this was successfully leaked. Bad luck for a country in peacetime, culpable negligence for a country at war.

If the screenshots shared by the Solntsepek group are real, things may be much worse. An analyst under the nickname Sean Townsend shares his thoughts on what the pictures show. Spoiler: things may be extremely bad, and security may have been non-existent.

Image: Worst-case scenario for Kyivstar

Update 12/13 (21:00 GMT)

Olexandr Komarov, CEO of Kyivstar, disclosed some details regarding the beginning of the hack. Initial access was gained through a compromised employee account.

“We have to admit that this attack breached our defense. This happened because the account pool was compromised, the account of one of our employees was compromised, and the enemy was able to get inside the company’s infrastructure. The investigation is ongoing.”
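A compromised employee account, as described in the CEO’s statement above, usually leaves two traces in authentication logs before any destruction starts: a successful login from a source network that account has never used, and a burst of failed attempts right before the success. The following is an added example, not Kyivstar’s code or logs: a minimal triage pass over constructed authentication events that flags both signals. The log format, user names, addresses, thresholds and baseline period are assumptions made for illustration.

```python
# Added example (not Kyivstar's tooling): flag logins from a never-seen source
# network and failure bursts before a success. Log format and data are constructed.
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a baseline of routine office logins, one malformed line,
# then a failure burst and a success from a network the account never used.
SAMPLE_LOG = """\
2023-12-04T08:01:10Z auth ok user=o.melnyk src=198.51.100.23
2023-12-05T08:03:41Z auth ok user=o.melnyk src=198.51.100.23
2023-12-06T07:58:02Z auth ok user=o.melnyk src=198.51.100.41
2023-12-06T08:10:15Z auth ok user=i.koval src=198.51.100.77
this line is garbage and must be skipped
2023-12-11T02:40:05Z auth fail user=o.melnyk src=203.0.113.9
2023-12-11T02:40:19Z auth fail user=o.melnyk src=203.0.113.9
2023-12-11T02:40:33Z auth fail user=o.melnyk src=203.0.113.9
2023-12-11T02:41:02Z auth ok user=o.melnyk src=203.0.113.9
2023-12-11T08:02:00Z auth ok user=i.koval src=198.51.100.77
"""

BASELINE_DAYS = 5                  # assumed: learn "known" networks during this period
FAIL_BURST = 3                     # assumed: failures within FAIL_WINDOW before success
FAIL_WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse log lines into (timestamp, result, user, source /24) tuples sorted
    by time. Malformed lines are skipped instead of aborting the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        # Bucket by /24 so address churn inside an office range is not "new".
        net = ipaddress.ip_network(f"{m['src']}/24", strict=False)
        events.append((ts, m["result"], m["user"], net))
    events.sort(key=lambda e: e[0])
    return events


def find_suspicious_logins(text, baseline_days=BASELINE_DAYS):
    """Return one alert dict per successful login that is either preceded by a
    failure burst or comes from a source network unseen for that account
    after the learning baseline has ended."""
    events = parse_events(text)
    if not events:
        return []
    baseline_end = events[0][0] + timedelta(days=baseline_days)
    known_nets = defaultdict(set)      # user -> networks seen so far
    recent_fails = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []
    for ts, result, user, net in events:
        fails = recent_fails[user]
        while fails and ts - fails[0] > FAIL_WINDOW:
            fails.popleft()            # drop failures outside the window
        if result == "fail":
            fails.append(ts)
            continue
        reasons = []
        if len(fails) >= FAIL_BURST:
            reasons.append(f"{len(fails)} failed attempts within {FAIL_WINDOW} before success")
        if ts >= baseline_end and net not in known_nets[user]:
            reasons.append(f"first login from source network {net}")
        known_nets[user].add(net)      # learn silently inside the baseline
        fails.clear()                  # a success ends the burst
        if reasons:
            alerts.append({"ts": ts.isoformat(), "user": user,
                           "src_net": str(net), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_logins(SAMPLE_LOG):
        print(a["ts"], a["user"], a["src_net"], "; ".join(a["reasons"]))
```

On the constructed sample this yields a single alert for o.melnyk with both reasons; i.koval’s later login from the known office range is not flagged. Bucketing by /24 and learning from the first days of logs are deliberate simplifications: production detection would key on ASN or geolocation and keep a per-account baseline across a longer, sliding window.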

Are Other Companies in Danger?

What is the conclusion from such a situation? This is what all Ukrainian companies should be ready to counter. And not only Ukrainian: Russian hackers now show no restraint in attacks on countries “hostile” to Russia. Since the hackers aim only for vandalism and do not try to monetize their work, the effects may be rapid and irreversible. A sturdy, well-engineered security system should be mandatory for all companies.


]]>