Sunday, January 19, 2025

Why did Putin Pwn Russian Hacking Group REvil?


The biggest name in cybercrime was taken completely offline courtesy of the Russian secret service agency the FSB, in quite a surprising plot twist because Russia has over the past few years become a well-known safe haven for Cybercriminals.

It has become an unwritten rule that as long as Russian black hats did not target Russian citizens or Russian companies, and instead focused their money-making attacks, usually ransomware, on the rest of the world, the Russian authorities largely allowed them to operate. That was the case until one weekend in January 2022, when the REvil ransomware group was stung by Russian authorities, all caught on camera.

REvil members allegedly had their homes raided, and stacks of cash and crypto wallets totalling millions of dollars were seized. In a clip released by Russia, an REvil member answers a knock at the door only to be raided by police. In total, Russia says 14 members of REvil were arrested, and these people are supposedly responsible for some of the biggest cybercrimes in the entire history of the internet.

Some of REvil’s largest attacks include exfiltrating and leaking top-secret Apple schematics, hacking U.S. nuclear weapons contractors, the well-known Colonial Pipeline hack and, of course, the Kaseya ransomware attack, in which the hackers claimed to have ransomed a million computers. Notice how none of these hacks targeted Russians; if they had, the group would probably have been shut down a long, long time ago.

Why did Putin wait to take action?

The obvious questions are why the authorities waited until now to take action, and how big a deal this really is.

Does this takedown signal the end of Russian cybercrime as we know it? Has Putin developed sympathies for U.S. companies falling prey to ransomware? Probably not. The best answer to the question of why probably goes beyond cybercrime: the running theory is that this is purely politically motivated. Russian relations with the U.S. have never been amazing, and at the moment they are really not particularly good.

The fact that Putin has the ability to disarm these cybercrime gangs is a major card on the negotiation table with the U.S. These cyberattacks originating from Russian gangs are no joke. Take the Colonial hack, for example: a Russian cybercrime gang effectively shut down a major U.S. pipeline, causing fuel shortages and a run on gas stations in some U.S. states, through what is probably wilful neglect on the part of the Russians. Who knows, maybe it is top-tier strategy.

The reality is that this action is largely symbolic. Even before this takedown, REvil themselves had become largely irrelevant: after the monumental Kaseya ransomware attack, REvil disappeared. They did spring up again a few months later, but by disappearing they lost a lot of credibility in the cybercriminal underworld, and their affiliates were not happy. Some reported that REvil refused to pay them and simply ran away with their cut. Things were so bad for REvil that this previously famous and respected cybercrime gang was forced to increase the share of commission it offered in a bid to attract affiliates at all.

Affiliates are the ones who spread ransomware on behalf of a cybercrime gang. Usually, affiliates get 70-80% of the takings, but REvil had gone so far as to offer 90%. However, it turns out that in this reboot of their operations they had restored from a backup which just so happened to have been compromised by the FBI, giving the bureau complete access to their infrastructure. The FBI then shut down their operations in October, making REvil’s return rather short-lived.

At the time of the Russian raids just days ago, REvil was no longer even operating. While the arrests of the 14 REvil members certainly take some experienced cybercriminals off the internet, it was done more for theatre than anything else. Researchers undercover on various black hat forums confirmed that, in the words of Russian cybercriminals, REvil members were just pawns in a big political game.


US sanctions former Ukrainian official for helping Russian cyberspies


The U.S. Treasury Department announced today sanctions against Volodymyr Oliynyk, a former Ukrainian official, for collecting and sharing info on critical Ukrainian infrastructure with Russia’s Federal Security Service (FSB).

“In 2021, Oliynyk worked at the direction of the FSB to gather information about Ukrainian critical infrastructure,” the Treasury Department said.

“As in previous Russian incursions into Ukraine, repeated cyber operations against Ukraine’s critical infrastructure are part of Russia’s hybrid tactics to threaten Ukraine.”

According to the Treasury’s Office of Foreign Assets Control (OFAC), the information provided by Oliynyk would help Russian-backed state hackers target Ukraine’s critical infrastructure based on previously observed Russian hybrid war tactics.

“The overall strategy is designed to pull Ukraine into Russia’s orbit by thwarting Ukraine’s efforts at Western integration, especially with the European Union (E.U.) and North Atlantic Treaty Organization (NATO),” the Treasury added.

“As Russia has pursued broad cyber operations against critical infrastructure, it has focused on disrupting one critical infrastructure sector in particular: Ukraine’s energy sector.”

For instance, during and after the Donbass conflict between Ukrainian and pro-Russian forces, which started in mid-2014, Russian-backed hackers were believed to be behind several power outages experienced across several regions of Ukraine.

Earlier this month, multiple Ukrainian government agencies and corporate entities were also the targets of coordinated cyberattacks that led to websites being defaced and data-wiping malware being deployed to corrupt data and brick Windows devices.

While Ukraine blames this month’s attacks on Russia, some security experts have attributed them to Ghostwriter, a state-sponsored hacking group linked to Belarus.

Oliynyk has a history of supporting Russia and shares the Russian regime’s anti-Western sentiments, according to OFAC. After fleeing Ukraine to seek refuge in Russia, he currently resides in Moscow.

“Oliynyk is being designated pursuant to E.O. 14024 for having acted or purported to act for or on behalf of, directly or indirectly, the Government of the Russian Federation,” the Treasury said.


2FA compromise led to $34M Crypto Firm hack


Crypto.com shared new details about a recent hack on its platform last weekend in a statement on its website today, saying 483 of its users were affected and that unauthorized withdrawals of over $15 million worth of ETH, $19 million worth of BTC, and $66,200 in “other currencies” occurred. The total losses, worth over $34 million at current cryptocurrency values, are even higher than what analysts had predicted before Crypto.com released its statement.

The company’s post-mortem comes just one day after CEO Kris Marszalek acknowledged the breach in an interview with Bloomberg TV. His confirmation of the breach came after multiple Crypto.com users alleged their funds had been stolen — complaints that had until then been met with vague responses from the company, referring only to an “incident.” Marszalek did not share details on how the breach occurred during the interview, though he did confirm that Crypto.com had reimbursed all the impacted accounts.

Today’s statement said Crypto.com detected the suspicious activity on Monday where “transactions were being approved without the 2FA authentication control being inputted by the user.” The site suspended all withdrawals for 14 hours to investigate the issue. 

Crypto.com did not say how the attacker was able to approve transactions without triggering 2FA, which is mandatory for all users. 

The company “revoked all customer 2FA tokens and added additional security hardening measures” before asking customers to log back into the platform and set up their 2FA tokens again, the company says. The additional measures include a mandatory 24-hour delay between registration of a new withdrawal address and the first withdrawal, so users will be notified and have “adequate time to react and respond” by contacting the Crypto.com team if the withdrawal appears to be unauthorized.
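As an added illustration (not Crypto.com’s code, which is not public), here is a server-side withdrawal gate modelled on the two controls described above: a withdrawal is approved only if a 2FA code has been verified for that specific request, and a newly registered withdrawal address cannot be used until 24 hours after registration. The TOTP routine, account model and sample values are assumptions made for the example.

```python
"""Withdrawal approval gate: every path that does not positively verify a
2FA code and a cooled-down destination address ends in a rejection.
All names, data and the TOTP parameters here are illustrative assumptions."""
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass, field

ADDRESS_COOLDOWN_SECONDS = 24 * 60 * 60   # the 24-hour delay from the statement
TOTP_STEP = 30                             # assumed RFC 6238 time step


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1; used to verify the user's 2FA code."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Account:
    totp_secret: bytes
    # withdrawal address -> unix time at which the user registered it
    addresses: dict[str, int] = field(default_factory=dict)
    # TOTP time steps already consumed, so a captured code cannot be replayed
    used_steps: set[int] = field(default_factory=set)

    def register_address(self, address: str, now: int) -> None:
        self.addresses[address] = now


@dataclass(frozen=True)
class Withdrawal:
    address: str
    amount: float
    code: str | None   # the 2FA code the user entered, or None if the step was skipped


def approve_withdrawal(acct: Account, w: Withdrawal, now: int) -> tuple[bool, str]:
    """Return (approved, reason). The reported failure was approvals going
    through without the 2FA step ever being completed, so the absence of a
    code is an explicit rejection rather than something that falls through."""
    # Control 1: a 2FA code must be present and valid for this request.
    if w.code is None:
        return False, "2fa_missing"
    # Accept one step of clock skew either side, as TOTP servers commonly do.
    matched = None
    for t in (now - TOTP_STEP, now, now + TOTP_STEP):
        if hmac.compare_digest(w.code, totp(acct.totp_secret, t)):
            matched = t
            break
    if matched is None:
        return False, "2fa_invalid"
    step = matched // TOTP_STEP
    if step in acct.used_steps:
        return False, "2fa_replayed"
    acct.used_steps.add(step)   # burn the code once seen, whatever happens next
    # Control 2: the destination must be registered and past its 24-hour delay.
    registered_at = acct.addresses.get(w.address)
    if registered_at is None:
        return False, "address_not_registered"
    if now - registered_at < ADDRESS_COOLDOWN_SECONDS:
        return False, "address_in_cooldown"
    return True, "approved"


if __name__ == "__main__":
    # Constructed sample: one account, one old address, one address added an hour ago.
    secret = b"constructed-test-secret"
    now = 1_700_000_000
    acct = Account(totp_secret=secret)
    acct.register_address("addr_old", now - 3 * 24 * 3600)
    acct.register_address("addr_new", now - 3600)
    print(approve_withdrawal(acct, Withdrawal("addr_old", 1.0, None), now))
    print(approve_withdrawal(acct, Withdrawal("addr_old", 1.0, totp(secret, now)), now))
    print(approve_withdrawal(acct, Withdrawal("addr_new", 1.0, totp(secret, now + 60)), now + 60))
```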

The company conducted an internal audit and engaged third-party security firms to check its platform after the breach, it says. It announced its plans to transition away from 2FA and to “true multi-factor authentication” to bolster security, though it did not provide an expected timeline for this change.

Crypto.com also announced in its statement today that it will be introducing the Worldwide Account Protection Program (WAPP) “in select markets” starting on Feb 1, a program that will restore funds up to $250,000 for “qualified users” in cases where an unauthorized withdrawal occurs. To qualify for the program, users must enable multi-factor authentication on all transaction types where it is available, set up an anti-phishing code at least 21 days prior to the reported unauthorized transaction, file a police report and provide it to Crypto.com, complete a questionnaire to support a forensic investigation, and not be using a jailbroken device, according to the company.

While Crypto.com is the world’s fourth-largest crypto exchange, it has been pushing hard into U.S. markets in recent months, with stunts including viral advertisements featuring actor Matt Damon and a $700 million purchase of the naming rights to the Los Angeles Lakers and Clippers Arena. It calls itself the “fastest-growing” crypto exchange and expanded its venture capital arm to $500 million to back early-stage startups in the space earlier this week. The fallout regarding this week’s breach and the company’s delayed response could threaten to stall some of its stateside growth.


Google Details Two Zero-Day Bugs Reported in Zoom Clients and MMR Servers


An exploration of zero-click attack surface for the popular video conferencing solution Zoom has yielded two previously undisclosed security vulnerabilities that could be exploited to crash the service, execute malicious code, and even leak arbitrary areas of its memory.

Natalie Silvanovich of Google Project Zero, who discovered and reported the two flaws last year, said the issues impact both Zoom clients and Multimedia Router (MMR) servers, which transmit audio and video content between clients in on-premise deployments.

The weaknesses have since been addressed by Zoom as part of updates shipped on November 24, 2021.

The goal of a zero-click attack is to stealthily gain control over the victim’s device without requiring any kind of interaction from the user, such as clicking on a link.

While the specifics of the exploit will vary depending on the nature of vulnerability being exploited, a key trait of zero-click hacks is their ability not to leave behind traces of malicious activity, making them very difficult to detect.

The two flaws identified by Project Zero are as follows —

  • CVE-2021-34423 (CVSS score: 9.8) – A buffer overflow vulnerability that can be leveraged to crash the service or application, or execute arbitrary code.
  • CVE-2021-34424 (CVSS score: 7.5) – A process memory exposure flaw that could be used to potentially gain insight into arbitrary areas of the product’s memory.

By analyzing the RTP (Real-time Transport Protocol) traffic used to deliver audio and video over IP networks, Silvanovich found that it’s possible to manipulate the contents of a buffer that supports reading different data types by sending a malformed chat message, causing the client and the MMR server to crash.

Furthermore, the lack of a NULL check — which is used to determine the end of a string — made it possible to leak data from the memory by joining a Zoom meeting via a web browser.

The researcher also attributed the memory corruption flaw to the fact that Zoom failed to enable ASLR, aka address space layout randomization, a security mechanism designed to increase the difficulty of performing buffer overflow attacks.

“The lack of ASLR in the Zoom MMR process greatly increased the risk that an attacker could compromise it,” Silvanovich said. “ASLR is arguably the most important mitigation in preventing exploitation of memory corruption, and most other mitigations rely on it on some level to be effective. There is no good reason for it to be disabled in the vast majority of software.”

While most video conferencing systems use open-source libraries such as WebRTC or PJSIP for implementing multimedia communications, Project Zero called out Zoom’s use of proprietary formats and protocols as well as its high licensing fees (nearly $1,500) as barriers to security research.

“Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it,” Silvanovich said. “While the Zoom Security Team helped me access and configure server software, it is not clear that support is available to other researchers, and licensing the software was still expensive.”


Interpol Busted 11 Members of Nigerian BEC Cybercrime Gang


A coordinated law enforcement operation has resulted in the arrest of 11 members allegedly belonging to a Nigerian cybercrime gang notorious for perpetrating business email compromise (BEC) attacks targeting more than 50,000 victims in recent years.

The disruption of the BEC network is the result of a ten-day investigation dubbed Operation Falcon II undertaken by the Interpol along with participation from the Nigeria Police Force’s Cybercrime Police Unit in December 2021.

Cybersecurity firms Group-IB and Palo Alto Networks’ Unit 42, both of which shared information on the threat actors and their infrastructure, said six of the 11 suspects are believed to be a part of a prolific group of Nigerian cyber actors known as SilverTerrier (aka TMT).

BEC attacks, which began to gain dominance in 2013, are sophisticated scams that target legitimate business email accounts through social engineering schemes to infiltrate corporate networks and subsequently leverage their access to initiate or redirect the transfer of business funds to attacker-controlled bank accounts for personal gain.

“One of the arrested suspects was in possession of more than 800,000 potential victim domain credentials on his laptop,” Interpol said in a statement. “Another suspect had been monitoring conversations between 16 companies and their clients and diverting funds to ‘SilverTerrier’ whenever company transactions were about to be made.”

SilverTerrier has been linked to 540 distinct clusters of activity to date, with the collective increasingly adopting remote access trojans and malware packaged as Microsoft Office documents to mount their attacks. Unit 42, in a report published in October 2021, said it identified over 170,700 samples of malware directly attributed to Nigerian BEC actors since 2014.

The latest arrests constitute the second edition of Operation Falcon, the first of which resulted in the apprehension of three alleged members of the SilverTerrier gang in November 2020 for compromising at least 500,000 government and private sector companies in more than 150 countries since 2017.

“BEC remains the most common and most costly threat facing our customers,” Unit 42 researchers said. “Over half a decade, global losses have ballooned from $360 million in 2016 to a staggering $1.8 billion in 2020.”

To mitigate such financial attacks, it’s recommended for organizations to review network security policies, periodically audit mail server configurations, employee mail settings, and conduct employee training to ensure that wire transfer requests are validated using “verified and established points of contact for suppliers, vendors and partners.”


New DDoS IRC Bot distributed through Korean webHard platforms


Researchers from AhnLab’s Security Emergency-response Center (ASEC) spotted an IRC bot written in GoLang that is being used to carry out DDoS attacks targeting users in Korea.

Vxers use GoLang because it is easy and allows the development of cross-platform malicious codes.

The DDoS IRC Bot strains are disguised as adult games and are being installed via platforms commonly used for the distribution of malware in Korea, so-called webhards. Webhards were also used in past campaigns to distribute njRAT and UDP Rat.

The attack chain starts with threat actors uploading malware disguised as an adult game to the webhard. Attackers used different games containing the same malware. The malicious code is hosted on a web hard drive or a remote file hosting service in the form of compressed ZIP archives. When the executable (“Game_Open.exe”) in the archive is run, the malware executes while the actual game is launched.

This downloader connects to a remote command-and-control (C&C) server to retrieve additional payloads, including an IRC bot that can perform DDoS attacks.

“But “Game_Open.exe” is not a launcher that runs the game. It is an executable that runs the additional malware. To be more precise, it changes the “PN” file existing in the same path as “scall.dll” and runs it. Then it copies the original game executable “index” to “Game.exe” to run it. As such, users would assume that the game is being run normally,” reads the analysis published by ASEC. “It is also a type of DDoS Bot malware, but it uses IRC protocols to communicate with the C&C server. Unlike UDP Rat that only supported UDP Flooding attacks, it can also support attacks such as Slowloris, Goldeneye, and Hulk DDoS.”

Once executed, the Golang DDoS IRC Bot connects to a particular IRC server and joins the attacker’s channel in order to receive commands, including one that can instruct the bot to perform DDoS attacks.

The report published by ASEC also includes indicators of compromise for this threat.


Red Cross hit by a Sophisticated Cyber Attack leading to Databreach


A cyberattack on a Red Cross contractor resulted in the theft of personal data for more than 515,000 highly vulnerable people seeking missing family members. The attack was disclosed by the International Committee of the Red Cross (ICRC), which confirmed that the data originated from at least 60 different Red Cross and Red Crescent National Societies worldwide.

Stolen data includes information belonging to individuals separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention.

“An attack on the data of people who are missing makes the anguish and suffering for families even more difficult to endure. We are all appalled and perplexed that this humanitarian information would be targeted and compromised,” said Robert Mardini, ICRC’s director-general. “This cyber-attack puts vulnerable people, those already in need of humanitarian services, at further risk.”

The contractor targeted by the attackers is an external company in Switzerland that stores data for the organization. At this time the organization has yet to discover who is behind the attack or their motivation, and it has no indication that the compromised information has been leaked.

“While we don’t know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them,” said Mr Mardini. “Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”

ICRC shut down the systems and website for the Restoring Family Links program that was hit by the attackers.

“We are working as quickly as possible to identify workarounds to continue this vital work,” it added.


Cybersecurity Experts Concerns Over 2022 Beijing Olympics app


A group of cybersecurity experts has voiced concerns over the Beijing Olympics 2022 app. Security holes have been discovered in the app, named “My2022”, which was developed in China and is a requirement for the event.

With less than three weeks to go before the Beijing 2022 Olympics (the opening ceremony is on February 4th), cybersecurity researchers at the University of Toronto have today voiced concerns about potential risks from the app that all participants of the games are required to have installed.

App Requirement

All participants of the games, including athletes, journalists, sports officials and even visitors, are expected to download this app and use it before arriving in the People’s Republic.

The app is supposed to monitor the health of everyone participating in the winter games in Beijing. People arriving from abroad, like Team Canada, are required to start inputting health data 14 days before arriving in China; the app is allegedly monitoring things like fevers, coughs, headaches, sore throats and the like.

MY2022 is more than just a health app. It also has a visitor guide and a chat function that allows users to exchange messages and files, and this is where the biggest issue lies.

Citizen Lab at the University of Toronto, a group of cybersecurity researchers, has pointed to MY2022’s encryption certificate.

Sensitive Data

The flaw, they say, leaves users’ information vulnerable, meaning it could be accessed and manipulated by a third party: users of this application could potentially connect to someone intercepting the traffic. That traffic could be read or modified, and responses from the server could be changed.

So-Called Illegal Words

Beyond that, a list of restricted words was found: a text file containing so-called illegal words, which include “Uyghur”, “Tibetan”, “Tiananmen” and “Dalai Lama”. A further function was reported that allows other users to expose a chat or message that might be considered politically sensitive in the People’s Republic.

What did the IOC and Chinese state media say?

The IOC media team said: “The IOC has conducted independent third-party assessments on the application from two cyber-security testing organizations. These reports confirmed that there are no critical vulnerabilities.”

Chinese state media said that MY2022 has been scrutinized by Google, Apple and Samsung, and that all personal information will be encrypted to ensure privacy.

Germany, Australia, the UK and the US are all advising their athletes to leave personal electronics like phones and laptops at home, and the Dutch team has been told not to bring any personal phones whatsoever because of serious concerns about surveillance.


Beware Of New RDP Exploit, says Avast


The often-exploited Remote Desktop Protocol (RDP) is once again in the news. This time, it has a new attack vector that was discovered by researchers and subsequently patched earlier this month by Microsoft.

Given that all versions of Windows for the past 10 years – for both desktop and server – need to be patched, you should put this on your priority list, especially since this new problem can be easily exploited.

RDP has a valuable function in today’s connectivity. It is used often as a way to provide remote access so that users don’t need to physically sit in front of their computers or servers. However, this utility has brought a dark past to the protocol and made RDP a security sinkhole. One of the more infamous attacks was called BlueKeep, which we covered when it happened in 2019. That was a full-on remote execution vulnerability that triggered warnings from the US National Security Agency for quick patching.

As a side note, the response to BlueKeep included help from Marcus Hutchins, who found a way to stop the WannaCry outbreak back in 2017. We also wrote how RDP is one of the more common ways that ransomware attacks can be launched and can also be used to initiate denial of service attacks.

In the latest incarnation of RDP exploits, hackers can gain access to data files using a man-in-the-middle attack across a Windows feature known as Named Pipes. This is a feature of Windows that was created more than 30 years ago to provide application-to-application communication that can connect processes on the same computer or across a network.

RDP needs to be implemented with care, as the protocol itself has no inherent security features of the kind found in the secure versions of the Domain Name System or of email protocols. Indeed, you might say that it has inherent insecurities, including:

  • A well-known TCP/IP port (3389): Easy to track by hackers.
  • Weak sign-in credentials: If users have a weak Windows login, hackers can use credential stuffing or brute force attacks to compromise this password.
  • Numerous ways to exploit remote connections: The latest issue (Named Pipes) is merely one of many ways that attacks can worm their way into your systems. They can bring up “Show Options” or Help menus when first connecting to the remote gateway, both of which could allow for file directory browsing, or to bypass file execution block lists.

All of this makes for challenging implementations of RDP. Here are a few steps that you can take to secure its use:

1. Disable RDP when it isn’t needed. You should try this when you’re patching everything, as is suggested by Microsoft.

2. Use better passwords, especially on your local Windows equipment. Employ password managers and single-sign on tools. You have heard this advice before, no doubt, but it remains key!

3. Lock down port 3389, either through your network firewalls or other security tools. This can be tricky, because so many users might require remote access and all it would take to pull off an RDP exploit would be to compromise a single desktop.

4. Invest in better antivirus. Remote Access Shield is one of the features available in Avast Premium Security that can block RDP exploits.

5. Create more effective Active Directory group policies that block and allow specific applications and remote help options to be run remotely. Also, be sure to audit who has administrative privileges to ensure that the absolute minimum number of people have access.


Cyberattacks on Ukrainian websites come into clearer focus as Russia tensions escalate


Cybersecurity researchers shed additional light over the weekend on the cyberattacks that disabled Ukrainian government websites, as Kyiv pointed to Russia as the culprit.

Microsoft and ESET both shared details on the nature of the malware that took the Ukrainian sites down.

Microsoft “assesses that the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom,” the company wrote in a blog post Saturday.

However, Microsoft said it couldn’t yet attribute who was behind the malware, labelled WhisperGate. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency recommended that network defenders review the Microsoft blog post, suggesting the possibility that the attacks could spread to include other targets.

ESET on Sunday elaborated further, saying that the malware the attackers used contained code “commonly used by commodity e-crime malware.”

“It is likely that attackers were trying to avoid existing detections at the last moment before the attack, that’s why they used third party criminal services,” ESET said in a tweet thread.

Ukraine was more definitive in placing blame than Microsoft.

“All the evidence points to Russia being behind the cyberattack,” the Ukrainian digital transformation ministry said in a Sunday statement. “Moscow is continuing to wage a hybrid war.”

A Ukrainian official also told Reuters that signs point to the attacks being the work of a Belarusian intelligence-connected group known as Ghostwriter, a group that might have a Russian element.

The Kremlin has denied being involved.

The attacks on the Ukrainian government websites add to that nation’s hostilities with Russia, which U.S. intelligence believes is planning an invasion on the country’s eastern border. The incidents also surfaced around the same time Russia announced it had arrested ransomware gang members on its own soil alleged to be behind the Colonial Pipeline attack, raising suspicions that the Kremlin intends to use the arrests as diplomatic levers with the U.S., which has threatened sanctions should Russia invade Ukraine.
