
Threat Researchers Newsletter – Issue #1
Welcome to Radware’s first Threat Researchers Newsletter! The newsletter aims to give our followers a summary of the notable cyber events that happen every month. If there is an event that we missed or one you want us to cover, please reach out via our Telegram channel: Radware Research Chat.
Quarterly DDoS & Application Threat Analysis Hub
Radware Researchers proudly announce the launch of Radware’s new Quarterly DDoS & Application Threat Analysis Hub. This publicly accessible, mobile-friendly, online resource provides a comprehensive, in-depth analysis of network and application attack activity, quarter over quarter, year by year. The Hub analyzes attack activity and provides insights on the geographical and industry distributions, the characteristics of attack vectors, and much more.
Learn more at: https://www.radware.com/resources/ddosappreport/
Cyber Legions
Killnet continues to target those that support Ukraine
The threat actors behind Killnet, a pro-Russian hacktivist group, continue to escalate their actions as the Russian/Ukrainian conflict enters its fifth month. Notable attacks launched by Killnet in July include Latvia, which claims it suffered the biggest cyber-attack in its history, and the website of the United States Congress. Norwegian businesses were also targeted by waves of DDoS attacks from Killnet.
Suggested Articles:
Russian ‘Hacktivists’ Are Causing Trouble Far Beyond Ukraine
Pro-Kremlin hackers Killnet hit Latvia with biggest cyberattack in its history
Norway accuses pro-Russian hackers of launching wave of DDoS attacks
Pro-Russia hackers claim disruption of US Congress website
IT Army and the new face of cyberwar
The IT Army has been an amazing resource for the Ukrainian government, but its unprecedented actions have come at a cost. Its guerrilla cyber warfare techniques have given us all a better idea of what future global conflicts will look like and what we will have to defend against. Nationalized IT forces will become a predominant threat as the global internet slowly comes to an end. Even South Korean president Yoon Suk-yeol vowed to establish the country’s own reserve forces for future cyber conflict, leaving many in the community wondering whether other countries will begin to create their own versions of an IT Army.
Suggested Articles:
Inside Ukraine’s decentralized cyber army
The IT Army of Ukraine: Structure, Tasking and Ecosystems
How one Ukrainian ethical hacker is training ‘cyber warriors’ in the fight against Russia
DDoS attacks surge in popularity in Ukraine — but are they more than a cheap thrill?
S.Korean Prez vows to establish cyber warfare reserve forces
Confronting reality in cyberspace: foreign policy for a fragmented internet
Hacktivist Campaigns
Update: DragonForce Malaysia
DragonForce Malaysia continues to dominate headlines this month after releasing an LPE exploit and threatening ransomware attacks. In combination with other hacktivists, the threat group has successfully filled the void left by Anonymous while remaining independent during the resurgence of hacktivists related to the Russian/Ukrainian war. The recent operations by DragonForce Malaysia should remind organizations worldwide to remain vigilant during these times and aware that threats exist outside the current cyber conflict in Eastern Europe.
Suggested Articles:
DragonForce Malaysia releases LPE exploit, threatens ransomware
alTahrea vs Israel
A group of pro-Iranian hackers based in Iraq has targeted several services and websites in Israel this month. Targets have included the NTA metropolitan transit system, Tel Aviv municipality websites, the information technology sector, e-commerce companies, and the Israel Health Ministry.
GhostSec Mafia – Fake it till you make it
This month GhostSec Mafia, a group claiming association with GhostSec, proved they are uneducated skids that are only out for attention. Earlier in the month, the group began posting several target lists under the battle tag #OpIsraehell, an operation aimed at targeting organizations in Israel. The targets listed were not impacted, and it’s believed that the group does not possess the ability to launch an attack. The group also retroactively claimed it was responsible for blowing up a Russian power station via an ICS attack, but no evidence has been provided to back up the claim.
Suggested Articles:
GhostSec claims its cyber-attack resulted in an explosion
Nation-State
Russian APTs active in the Russian/Ukrainian conflict
Google TAG researchers observed Turla, a group attributed to Russia’s FSB, recently hosting Android apps on a domain spoofing the Ukrainian Azov Regiment. The app was distributed under the guise of performing DoS attacks against Russian websites and was spread via links in third-party chats. This is the first known instance of Turla distributing Android malware.
Suggested Articles:
Russia Released a Ukrainian App for Hacking Russia That Was Actually Malware
Continued cyber activity in Eastern Europe observed by TAG
The United States is preparing for the midterm elections
Following last month’s alert about vulnerabilities affecting Dominion ImageCast X voting systems, the FBI and NSA are warning of an evolving foreign interference threat ahead of the US midterms, stating that an unremarkable cyber incident could sow panic or create a lack of confidence in election infrastructure. While both parties in the United States continue to argue over the current lack of confidence in prior elections, the stage is set for threat actors to cause chaos and prove one of them right.
Suggested Articles:
FBI and NSA directors warn of evolving foreign interference threat ahead of US midterms
Botnets
8220 Gang
A low-skill crimeware gang called 8220 has expanded its cloud-based botnet to over 30,000 infected hosts. The group uses the IRC botnet PwnRig to run its cryptocurrency mining operation and leverages known vulnerabilities and brute-force attacks as its infection vectors. The threat actors have been observed targeting Docker, Confluence, Apache WebLogic, and Redis deployments and are believed to be Chinese speaking.
Suggested Articles:
8220 Gang expands cloud botnet
Notable Outages
Canada suffers from a major outage
Service provider Rogers experienced a near-total outage impairing communication across Canada after a coding error caused a cascade of events. The outage disrupted cellphone and internet services for over 24 hours. During this time, four emergency alerts could not be delivered, the Interac debit system was impacted, and The Weeknd had to postpone his concert at Rogers Centre.
Suggested Articles:
Rogers outage knocks out Canadian internet service
Heatwave causes data center outage
A heatwave in the United Kingdom caused serious issues this month when a cooling system in a south London data center failed, knocking Oracle’s cloud services offline.
DDoS attacks target Zenith
Zenith: The Last City, an online VR MMORPG, experienced a nearly week-long DDoS attack after announcing it would be closing half of its servers to promote a healthier player population.
Suggested Articles:
Zenith brought down by DDoS attacks after announcing server closures
DDoS attacks target Final Fantasy 14
Final Fantasy 14 suffered a DDoS attack before the 4th of July weekend that impacted North American players.
Suggested Articles:
Final Fantasy 14 is experiencing technical difficulties due to DDoS attacks
Going Rogue
Crema Finance: Everything is a negotiation
On June 3rd, a hacker stole 69,422.9 SOL and 6,497,738 USDC, worth around $9 million, from Crema Finance. Crema was able to locate the hacker’s identity and sent an on-chain message offering them a bounty versus legal action. Days after the exploit, Crema Finance announced it had negotiated the return of the funds for a $1.6 million bounty.
Suggested Articles:
Crema exploit: Hacker returns stolen funds
HackerOne employee stole bug reports
A HackerOne employee stole bug bounty reports and disclosed them to the affected customers for financial rewards. The investigation started when a customer reported a suspicious disclosure. HackerOne discovered a new hire had abused the platform over a two-month period. In total, the rogue worker stole reports and collected 7 bug bounties.
Suggested Articles:
Rogue HackerOne employee steals bug reports to sell on the side
Raids and Seizures
DoJ seizes ransom payments to the Maui threat group
The DoJ recovered ransomware payments made last year by healthcare facilities in Colorado and Kansas. $500,000 was recovered from the Maui ransomware group, a North Korean threat group that used a known laundering service in China.
Suggested Articles:
DOJ seized ransoms paid by health centers in Kansas, Colorado after 2021 attacks
Dutch police returned the ransom payment to the university
Maastricht University doubled its money thanks to a ransomware attack 3 years ago. A ransom payment in Bitcoin made by the university was successfully recovered by Dutch police. The money was traced to a bank account belonging to a money launderer in Ukraine. Due to the increase in the value of Bitcoin over 3 years, the ransom payment is now worth 500,000 euros. The school announced it would help struggling students with the recovered funds.
Suggested Articles:
Dutch university wins big after Bitcoin ransom returned
The operator behind Gozi hosting service extradited
A Romanian man accused of distributing malware has been extradited to the United States. Mihai Paunescu (37) is accused of running the bulletproof hosting service that distributed the Gozi virus. He was arrested in Colombia before being extradited to the United States. Gozi, a form grabber designed to steal personal banking information, was first discovered in 2007 and had infected 40,000 computers in the United States.
Suggested Articles:
Romanian extradited for operating bulletproof hosting service
Suggested Newsletters
Are you looking for additional resources and news related to the current threat landscape? Check out these security newsletters suggested by our researchers at Radware.
· Risky Business – https://risky.biz/
· This week in security – https://this.weekinsecurity.com/
· Zero Day – https://zetter.substack.com/
· The Info Op – https://grugq.substack.com/
· SANS @RISK – https://www.sans.org/newsletters/at-risk/
Join the conversation!
Do you have additional insight or comments? Join the conversation with our researchers at Radware on Telegram.
https://t.me/RadwareResearchChat
*** This is a Security Bloggers Network syndicated blog from Threat Researchers Newsletter authored by Radware Research. Read the original post at: https://radware.substack.com/p/threat-researchers-newsletter-issue-1-1242136