Cyber attacks pummel Ukraine
Hacking groups take sides in the Russo-Ukrainian war
A new volley of powerful cyber attacks against Ukrainian government websites and other organizations accompanied Russia’s full-scale military assault on the country, including activating a new data-destroying virus that cybersecurity researchers said infected hundreds of computers.
The latest malware, dubbed “HermeticWiper,” is designed to corrupt data stored in the machines and effectively render them inoperable. Evidence analyzed so far reveals that the the attacks had apparently been in preparation for as much as three months.
What’s more, Ukraine's Computer Emergency Response Team (CERT-UA) warned of Belarusian state-sponsored hackers, tracked as UNC1151, targeting its military personnel and related individuals as part of a phishing campaign.
Besides phishing and malware infections, Ukraine’s cyber infrastructure has also been at the receiving end of distributed denial-of-service (DDoS) attacks, knocking them offline, even as Russian government and banking websites fell victim to follow-on retaliatory attacks.
To make matters worse, Russia’s unprovoked invasion of Ukraine has led hacking groups to increase their activities — in some cases to support a side, or possibly just to capitalize on the chaos to stage opportunistic attacks.
Since the invasion of Ukraine earlier this week, the Anonymous hacker collective and GhostSec expressed their allegiance to the country, while the Conti ransomware gang and a number of lesser known cyber crime groups have rallied their support for Russia.
What’s trending in security?
👉 Chinese cybersecurity company Pangu Lab revealed that the U.S. National Security Agency (NSA) is behind the Equation Group and Bvp47, a backdoor malware in use for the past ten years as part of a long-running covert campaign, marking one of the rare instances where a China-based company has directly called out U.S. cyber operations. [The Hacker News]
🐍 German public broadcasters BR and WDR discovered that one of the world’s most dangerous cyber espionage hacking groups, Snake, also known as Turla or Oroboros, has ties to Russia’s FSB, identifying at least two developers, named Urik and Vlad, and their employers — a company called Center-Inform in the Russian city of Ryazan that once belonged to the domestic intelligence agency. [BR Recherche]
🔻 The TrickBot operation officially shut down after its core developers are said to have folded its undertaking into the Conti ransomware gang to prioritize development on stealthier malware like BazarBackdoor. The development comes as the operators successfully rebuilt the botnet and continued to strike Windows systems despite numerous takedown attempts. That is until late December 2021, when TrickBot distribution campaigns suddenly ceased and attacks ground to a halt, marking an unusual lull in their activities.
TrickBot first drew attention as a banking trojan, in 2016, following the demise of Dyre. In the time since, it’s developed into a full-suite malware ecosystem, replete with tools for spying and stealing data, port scanning, anti-debugging – crashing researchers’ browsers before they have a chance to identify its presence – identifying and wiping firmware, evolving into an all-purpose hacking toolkit.
The dip in recent activity is a sign that the threat actor is focusing on newer business endeavors, including the powerful trojan Emotet, and BazarLoader, while it’s also being suspected that the group had its operations subsumed into the Conti cybercrime cartel altogether, which has used TrickBot as a delivery vehicle in the past. [The Hacker News]
📱 A new Android banking trojan dubbed Xenomorph (named so because of its code-level similarities to an older Android banking trojan known as Alien) has been observed requesting access to Android’s Accessibility service, and then leveraging the permissions to show fake login screens on top of 56 mobile banking apps targeting users in Spain, Portugal, Italy, and Belgium.
Unlike Android trojans that are traditionally spread around using apps offered for download on third-party apps stores or via dedicated phishing websites, Xenomorph distributed via the official Google Play Store, offered as a second-stage payload inside malicious dropper apps that have managed to sneak past Google’s Play Store security checks. [The Hacker News]
⚠️ CryptBot, a Windows malware that steals saved browser credentials, cookies, browser history, cryptocurrency wallets, credit cards, and files from infected devices, continues to be an ever-evolving and constantly changing malicious operation, with its operators routinely shifting their command-and-control servers, dropper sites, and the malware itself. The info-stealer is distributed through malicious websites disguised as download pages that offer free downloads of cracks for games and pro-grade software. The threat actor also uses SEO poisoning techniques to rank the sites at the top of the search results, providing a stable stream of prospective victims. [ASEC]
👀 An Israeli government probe into allegations of police spying on citizens using Pegasus malware said police successfully infiltrated the phone of one individual subject to a court order. The finding represents the first time the Israeli government has confirmed that the deeply controversial spyware, ostensibly developed by Israeli firm NSO Group as a counter-terrorism tool for government clients, has been deployed against a citizen of the Jewish state. [Associated Press]
❌ Following the 2018 public exposure of the VPNFilter malware, the Russia-linked Sandworm threat group has developed a replacement malware framework, which has mainly targeted firewall appliances, government agencies in the U.S. and the U.K. warned. Cyclops Blink is typically deployed post exploitation as part of a firmware “update” and achieves persistence at device reboot, which makes remediation more difficult. [The Hacker News]
🛡️ Software platform provider GitHub published its GitHub Advisory Database under an open-source license, giving contributors the ability to add technical information to the collected security advisories of the open-source projects hosted on the service. [GitHub]
🔐 The Brazilian Congress has enacted an Amendment to the Constitution that makes personal data protection a fundamental citizen right. Under the amendment to article 5 of the country’s Constitution, which relates to individual and collective rights, a new section has been added, noting “the right to protection of personal data, including in digital media, is ensured under the terms of the law.” [ZDNet]
☁️ Apple surrenders information from iCloud backups that are stored on its servers when presented with a legal search warrant, while Google can trace individuals within three feet of a precise location, a leaked recording involving a little-known U.S. surveillance firm PenLink, which works with U.S. law enforcement agencies to track suspects, has now revealed. Reportedly, Facebook reports a suspect’s location to within between 60 feet and 90 feet. [Forbes]
💲 The Cuba (aka COLDDRAW) ransomware operation, known for impacting dozens of organizations globally including critical infrastructure, has been observed exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices. The attacks have been attributed to an uncategorized threat cluster tracked as “UNC2596.” [Mandiant]
💵 By following a complicated trail of crypto transactions and using a previously undisclosed privacy-cracking forensics tool from crypto tracing firm Chainalysis, Forbes identified Austrian programmer and CEO of TenX, Toby Hoenisch, as the person who hacked The DAO in 2016 diverting 3.6 million in ether that’s now worth $11 billion. [Forbes]
🚨 An entire fleet of consumer-grade Android stalkerware apps, which share the same features and the back-end infrastructure, also contains a security flaw a vulnerability that grants any unauthenticated remote attacker near-unfettered remote access to personal information collected from any device with one of the stalkerware variants installed, thereby putting private phone data, messages, and locations at risk. The apps have been been found to link back to a single Vietnam-based company called 1Byte. [TechCrunch / CERT-CC]
💬 In a new form of attack, threat actors are compromising Microsoft Teams accounts to slip into chats and spread malicious executables to participants in the conversation. [Avanan]
💳 The Ukrainian cyber police arrested a group of five phishing actors who managed to steal payment card data from at least 70,000 people after luring them to fake mobile service top-up sites that relied on marketing and advertising services to increase visibility on search engines and social media platforms. The actors used the stolen information to empty their victims’ bank accounts. [Cyberpolice]
⚡ Zero-click attacks, which allows adversaries to break into a phone or computer without requiring their targets to click a malicious link or open an attachment, are being frequently sold by commercial spyware companies like NSO Group and Candiru to government agencies to spy on activists, journalists, and others. The development comes as researchers at Citizen Lab at the University of Toronto found that phones belonging to three individuals in Bahrain were hacked in September 2021 with NSO Group’s Pegasus spyware. [Bloomberg / Citizen Lab]
Tips, Comments, Ideas?
Send them my way by writing replying to this email.
Thanks again for reading. See you in the next edition!