Thursday, July 21st, 2022
Cybersecurity Week in Review
– Ukrainian Radio Stations Hacked to Broadcast Fake News About Zelenskyy’s Health
Fake messages regarding the health of President Volodymyr Zelenskyy were broadcast on Thursday as Ukrainian radio operator TAVR Media became the latest victim of a cyberattack.
An update from the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) reported that cybercriminals had spread false information that the President was in intensive care and that his duties had been taken on by the Chairman of the Verkhovna Rada, Ruslan Stefanchuk.
TAVR Media released a statement on social media that their servers and networks had also been targeted but that they were working on resolving the issue. The company also emphasized that “no information about the health problems of the President of Ukraine Volodymyr Zelenskyy is true.”
Zelenskyy himself took to Instagram, stating, “I have never felt as healthy as I do now.”
In a related development, the Computer Emergency Response Team of Ukraine (CERT-UA) also warned of macro-laden PowerPoint documents being used to deploy Agent Tesla malware targeting state organizations of the country.
– Hackers Target Ukrainian Software Company Using GoMet Backdoor
New research from a Cisco Talos report has identified an “uncommon” piece of malware that targeted a large software development company whose software is used by different state entities in Ukraine.
First observed on 19 May this year, the new malware is a variant of the GoMet backdoor and is designed to maintain persistent access to the network; that access could be leveraged to go deeper or to launch additional attacks. Although there is no concrete evidence linking it to a single group, the firm’s assessment points to Russian activity.
Two GoMet attacks have been documented in recent years: the first followed the disclosure of CVE-2020-5902, a critical remote code execution flaw in F5’s BIG-IP networking devices, in 2020; the second involved the successful exploitation of CVE-2022-1040, a remote code execution vulnerability in Sophos Firewall, by an unnamed APT group earlier this year. Whilst this suggests selective targeting, the backdoor could also have been used in attacks that have remained undetected.
GoMet is written in Go and allows the attacker to remotely commandeer the system, including uploading and downloading files, running arbitrary commands, and using the initial foothold to propagate to other networks and systems via a daisy chain. The modified version of the backdoor is built to run cron jobs every two seconds to check whether the malware is connected to a command-and-control server.
This report coincides with the indicators of compromise shared by US Cyber Command this week for several malware families, including GrimPlant, GraphSteel, Cobalt Strike Beacon, and MicroBackdoor, that have targeted Ukrainian networks in recent months.
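The two-second check-in cadence described above is also a detection opportunity: connections that recur at a near-constant interval stand out against ordinary traffic. The Python script below is an added example, not code from Talos or from this roundup; it runs a simple periodicity check over a constructed set of outbound connection records (the hosts, addresses and timestamps are invented) and flags flows whose gaps between consecutive connections have a low coefficient of variation.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound connection records: (ISO timestamp, source host, destination).
# Hosts and addresses are invented for illustration; the two-second cadence of the
# first flow mirrors the check-in interval described in the Talos report.
SAMPLE_CONNECTIONS = [
    ("2022-07-19T10:00:00", "build-srv-01", "203.0.113.10:443"),
    ("2022-07-19T10:00:02", "build-srv-01", "203.0.113.10:443"),
    ("2022-07-19T10:00:04", "build-srv-01", "203.0.113.10:443"),
    ("2022-07-19T10:00:06", "build-srv-01", "203.0.113.10:443"),
    ("2022-07-19T10:00:08", "build-srv-01", "203.0.113.10:443"),
    ("2022-07-19T10:00:10", "build-srv-01", "203.0.113.10:443"),
    # Ordinary traffic from the same host to a different destination: irregular gaps.
    ("2022-07-19T10:00:01", "build-srv-01", "198.51.100.5:443"),
    ("2022-07-19T10:00:09", "build-srv-01", "198.51.100.5:443"),
    ("2022-07-19T10:00:40", "build-srv-01", "198.51.100.5:443"),
    ("2022-07-19T10:01:55", "build-srv-01", "198.51.100.5:443"),
    ("2022-07-19T10:03:02", "build-srv-01", "198.51.100.5:443"),
]


def beacon_candidates(records, min_events=5, max_cv=0.1, max_interval=60.0):
    """Group records by (source, destination) flow and flag flows whose gaps
    between consecutive connections are nearly constant.

    A flow is reported when it has at least `min_events` connections, its mean
    gap is at most `max_interval` seconds, and the coefficient of variation
    (standard deviation / mean) of the gaps is at most `max_cv`.
    Returns {(source, destination): {"interval": ..., "cv": ..., "events": ...}}.
    """
    by_flow = defaultdict(list)
    for ts, src, dst in records:
        by_flow[(src, dst)].append(datetime.fromisoformat(ts))

    findings = {}
    for flow, times in by_flow.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap <= 0 or mean_gap > max_interval:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            findings[flow] = {"interval": round(mean_gap, 2), "cv": round(cv, 3), "events": len(times)}
    return findings


if __name__ == "__main__":
    for (src, dst), info in beacon_candidates(SAMPLE_CONNECTIONS).items():
        print(f"{src} -> {dst}: {info['events']} connections every ~{info['interval']}s (cv={info['cv']})")
```

Real implants usually add jitter to their check-in timer, so in practice `max_cv` is raised well above 0.1, and legitimate agents (monitoring, NTP, update checkers) beacon too; hits are triage leads to compare against an allow list of known destinations, not verdicts on their own.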
– Russian hackers use Google Drive, Dropbox to evade detection
In order to evade detection, hackers backed by Russia’s Foreign Intelligence Service (SVR) have started using the legitimate Google Drive cloud storage service.
Unit 42 analysts, who spotted the trend, stated that “the ubiquitous nature of Google Drive cloud storage services – combined with the trust that millions of customers worldwide have in them…” makes attacks that use them to exfiltrate data and deploy malware and malicious tools very difficult or even impossible to detect and block.
The group known as APT29 (aka Cozy Bear or Nobelium) has deployed this tactic when targeting Western diplomatic missions and foreign embassies worldwide between early May and June 2022. Mandiant reported similar tactics when tracking one of the group’s phishing campaigns back in April, consistent with Russian geopolitical strategic interests and previous APT29 targeting.
APT29 has previously been credited with high-profile attacks such as the SolarWinds supply-chain attack, which led to the compromise of multiple U.S. federal agencies in 2020. In the following years the group has targeted other organisations using stealthy malware that remained undetected for years, including a variant of the GoldMax Linux backdoor and a new malware tracked as TrailBlazer. The adversarial attack simulation tool Brute Ratel was observed by Unit 42 in many of these attacks.
– Russian hackers tricked Ukrainians with fake DDoS Android apps to target Russia
In the immediate aftermath of Russia’s invasion of Ukraine, an IT army was formed by Ukraine to stage counter-DDoS attacks against Russian websites.
Russian threat actors have capitalised on this to distribute Android malware camouflaged as an app for pro-Ukrainian hacktivists to launch their own DDoS attacks. The malware has been attributed to Turla by Google’s Threat Analysis Group (TAG). Turla is an advanced persistent threat also known as Krypton, Venomous Bear, Waterbug, and Uroburos, and is linked to Russia’s Federal Security Service (FSB).
Rather than being distributed on the Google Play Store, the decoy app was hosted on a domain masquerading as the Azov Regiment, a unit of the National Guard of Ukraine, drawing inspiration from another Android app distributed through a website named “stopwar[.]pro”. That said, the number of times the malicious Cyber Azov app was actually installed is minuscule, posing no major impact on Android users.
This adds to other malicious activity seen recently, such as the Sandworm group and UAC-0098 leveraging the Follina vulnerability, as well as credential phishing attacks from a group referred to as COLDRIVER (aka Callisto) aimed at government and defence officials, politicians, NGOs and think tanks, and journalists. These all highlight the continued sophistication of Russian threat actors and their evolving techniques.
– Fake cryptocurrency apps defrauded investors out of more than $42 million
The FBI announced this week that at least 244 victims have been scammed out of $43 million through fraudulent cryptocurrency investment apps. This is the latest example of how the growing interest in cryptocurrency investment is attracting cybercriminals.
Impersonating legitimate banks, the rogue apps urged investors to deposit funds and then told them they could not withdraw funds unless they first paid alleged taxes on their investments. Even after paying these supposed taxes, the victims could not access their money.
One of the fraudulent firms named, Yibit, defrauded at least four victims of approximately $5.5 million between October 2021 and May 2022. Supayos, the other fraudulent exchange named in the alert, signed one victim up to a fake subscription to an account with a minimum balance of $900,000 without his consent and said that if he did not comply his assets would be frozen.
Losses to cryptocurrency scams have risen steadily in the last year or two, with over half a billion dollars of losses between January 2021 and March 2022 traced to investment scams such as those flagged in the FBI alert.
– Hackers impersonate journalists and media organisations to deploy ransomware
In the past few years many journalists and media organisations have been targeted or impersonated by state-aligned actors because of their access to non-public information. Many of these APT groups have originated from the likes of China, North Korea, Iran, and Turkey.
Because journalists often communicate with unknown and semi-anonymous parties, they are at increased risk of being scammed. A well-timed and successful attack can yield sensitive information from a journalist’s email account. An example is the China-linked threat group Zirconium (TA412), which targeted an American journalist last year. Its emails contained trackers that alerted the attackers when a message was viewed, and these were used to track the targets. The target’s public IP address was also obtained, enabling the attackers to gain more information such as the victim’s location.
Similar tactics were used by Zirconium in February of this year, targeting journalists covering the Russia-Ukraine conflict. Other groups employing similar tactics are TA459 of China, TA404 of North Korea and TA482 of Turkey.
In the future, it is expected that APTs will continue to target journalists with various social engineering techniques, phishing tricks, and malware droppers.
– Hacking group ‘8220’ grows cloud botnet to more than 30,000 hosts
8220, a cryptomining gang, has grown their botnet to more than 30,000 infected hosts by exploiting Linux and cloud app vulnerabilities.
The group is a low-skilled, financially motivated actor that infects AWS, Azure, GCP, Aliyun, and QCloud hosts by targeting publicly exposed systems running vulnerable versions of Docker, Redis, Confluence, and Apache.
Once initial access has been gained, the attackers use SSH brute forcing to spread further and hijack available computational resources to run cryptominers pointing to untraceable pools.
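SSH brute forcing of the kind described above leaves a loud trail in `sshd` authentication logs. The Python script below is an added example, not code from the report or from this roundup; it parses a constructed set of syslog-style `sshd` lines (hosts, addresses, PIDs and timestamps are invented), counts failed logins per source address inside a sliding time window, and notes whether a successful login from the same address followed the burst, which is the pattern a defender most wants to catch after a password guess succeeds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in classic syslog format (hosts, addresses and PIDs are invented).
# The first seven lines show a password-guessing burst that ends in a successful login;
# the last two show an ordinary user mistyping a password, then logging in by key.
SAMPLE_AUTH_LOG = """\
Jul 19 03:12:01 web-02 sshd[4120]: Failed password for root from 10.0.5.23 port 51022 ssh2
Jul 19 03:12:02 web-02 sshd[4121]: Failed password for root from 10.0.5.23 port 51024 ssh2
Jul 19 03:12:02 web-02 sshd[4122]: Failed password for invalid user admin from 10.0.5.23 port 51026 ssh2
Jul 19 03:12:03 web-02 sshd[4123]: Failed password for invalid user oracle from 10.0.5.23 port 51028 ssh2
Jul 19 03:12:04 web-02 sshd[4124]: Failed password for root from 10.0.5.23 port 51030 ssh2
Jul 19 03:12:05 web-02 sshd[4125]: Failed password for root from 10.0.5.23 port 51032 ssh2
Jul 19 03:12:06 web-02 sshd[4126]: Accepted password for root from 10.0.5.23 port 51034 ssh2
Jul 19 03:40:11 web-02 sshd[4300]: Failed password for alice from 192.168.1.50 port 40000 ssh2
Jul 19 03:40:20 web-02 sshd[4301]: Accepted publickey for alice from 192.168.1.50 port 40002 ssh2
"""

LOG_YEAR = 2022  # syslog timestamps carry no year; assume the year of the log file (constructed)

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted)\s(?:password|publickey)\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<ip>\d+(?:\.\d+){3})"
)


def parse_line(line):
    """Return {"ts", "result", "user", "ip"} for an sshd auth line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failed logins inside any
    `window_seconds` sliding window, and record whether a successful login from
    the same IP followed the burst.
    Returns {ip: {"failures", "usernames", "burst_start", "burst_end", "login_after_burst"}}.
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        (failures if event["result"] == "Failed" else successes)[event["ip"]].append(event)

    window = timedelta(seconds=window_seconds)
    findings = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        burst = None
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the window spans at most window_seconds.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = (fails[start]["ts"], fails[end]["ts"])
                break
        if burst is None:
            continue
        findings[ip] = {
            "failures": len(fails),
            "usernames": sorted({e["user"] for e in fails}),
            "burst_start": burst[0].isoformat(),
            "burst_end": burst[1].isoformat(),
            "login_after_burst": any(s["ts"] >= burst[0] for s in successes.get(ip, [])),
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

The `login_after_burst` flag is the part worth alerting on with high priority: a burst of failures that ends in an accepted password from the same address is the signature of a guess that worked, whereas a lone user fumbling a password never reaches the threshold. On hosts that log in journal or ISO-8601 format the regex and year handling need adjusting, and in a cloud fleet the same check is better run centrally over logs from every instance so that one source hitting many hosts is visible.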
The gang has been active since 2017 but has never been considered particularly sophisticated. The sudden explosion in infection numbers, however, shows how dangerous these lower tier actors can still be.
Dropping crypto prices will make cryptojacking less alluring, as threat groups will have to scale up their operations to maintain the same profits; Monero, in particular, has lost over 20% of its value over the past six months. However, it will remain a revenue source for many.
– New custom-created ‘Redeemer’ ransomware offered for free
A new version of the free-to-use ransomware builder “Redeemer” is being promoted on hacker forums. According to its author, the new version 2.0 release was written entirely in C++ and works on Windows Vista, 7, 8, 10, and 11, featuring multi-threaded performance and a medium AV detection rate.
Unlike many ransomware-as-a-service operations, Redeemer is free to download; the author only takes a 20% cut when a victim decides to pay the ransom, at which point the author shares the master key that must be combined with the private build key held by the affiliate to decrypt the files. This offers unskilled threat actors an easy entry to the world of encryption-backed extortion attacks.
The new version features a graphical user interface, with instructions on how to use it enclosed in the ZIP. This allows the affiliate to build the ransomware executable and decryption tool themselves. As happened with Redeemer 1.0, the author says the project will go open source if they lose interest. A page on the dark web site Dread has been created for affiliates to acquire the kit, establish communication, access instructions, and receive support.
The new ransomware builder version features several additions, such as support for Windows 11, GUI tools, and more communication options such as XMPP and Tox Chat. Moreover, there is now a campaign ID tracking system that embeds the data into the executable, allowing threat actors to track the various campaigns they may be conducting.
Adoption of this new ransomware does not appear very high, and the lack of skills of these lower-tier hackers means they struggle to find initial access points on valuable corporate networks. However, significant damage can be caused to inadequately protected entities such as healthcare providers and small businesses. The promise of releasing the source code could also lead to new projects forming.
– Hackers Use Evilnum Malware to Target Cryptocurrency and Commodities Platforms
In a report shared by security firm Proofpoint, APT actor Evilnum has shown recent signs of renewed activity aimed at European financial and investment entities.
Evilnum is a backdoor malware used for data theft or to load additional payloads; it includes multiple components to evade detection and modify infection paths based on identified antivirus software. Evilnum is tracked by the wider cybersecurity community under the names TA4563 and DeathStalker.
The latest attacks are said to have commenced towards the end of 2021 and have been largely targeted at organizations with operations supporting foreign exchanges, cryptocurrency, and decentralized finance (DeFi). This dovetails with a report last month from Zscaler detailing low-volume targeted attacks against companies in Europe and the UK.
Whichever distribution vector was used, the attacks all led to the execution of the Evilnum backdoor. Although no next-stage malware executables were identified, the backdoor is known to act as a conduit to deliver payloads from the malware-as-a-service (MaaS) provider Golden Chickens.