Threat Researchers Newsletter – Issue #2
Welcome to all our new subscribers. We thank you for your support! As mentioned, this newsletter aims to give our followers a summary of the notable cyber events that happen every month. If there is an event we missed or one you want us to cover, please reach out via our Telegram chat channel, Radware Research Chat.
We would also like to take this time to announce that Radware has released its First Half 2022 Global Threat Analysis Report. The mid-year report leverages intelligence provided by network and application attack activity sourced from Radware’s Cloud and Managed Services, Global Deception Network, and Cyber Threat Intelligence team.
Discover more at the 2022 H1 Global Threat Analysis Report by Radware
Cyber Legions
Egos Led to Expiration
A once notorious pro-Ukrainian hacktivist group, Network Battalion 65, aka NB65, has called it quits, claiming to be working outside the public eye now. The popular group, associated with Anonymous and known for launching DDoS attacks, leaking data, and deploying ransomware, posted the encrypted message days after claiming an insider was damaging its ability to operate.
Pro-Russian Hacking
This month we have seen an increase in activity from a pro-Russian hacktivist group called NoName057. This group operates alongside Killnet and is known for launching DDoS attacks. Most recently, NoName057 targeted the Finnish Parliament over Finland’s recent NATO application. Banks, payment systems, and government websites in Estonia were also targeted by DDoS attacks launched by Killnet in retaliation for the removal of a Soviet monument. Killnet also launched a series of DDoS attacks against RuTor and the Republic of Moldova for being sympathetic to Ukraine.
Suggested Articles:
Russian hackers target Finland parliament’s websites
Estonia repels cyberattacks claimed by Russian hackers
Making sense of the Killnet, Russia’s favorite hacktivist
80 information systems of state importance attacked in Moldova
Trouble in Montenegro
After a vote of no confidence against Prime Minister Dritan Abazovic’s pro-Western government, the country has experienced two large-scale cyber-attacks that targeted the Ministry of Finance and other critical infrastructure, including electrical and water systems. France sent its Information Systems Security Agency (ANSSI) to investigate the attacks. The US embassy is warning that additional attacks may include disruption to public utilities, transportation, and telecommunications. The attack has been claimed by the Cuba ransomware group.
Suggested Articles:
Montenegro sees “sufficient evidence” for Russian cyberattack
Pro-Ukrainian Hacking
The information war related to the Russian invasion of Ukraine continues to escalate into the year’s second half. Earlier this month, Amnesty International posted a controversial piece accusing Ukraine of leveraging fighting tactics that endanger civilians. A week later, Victor Zhora, Deputy Director of Ukraine’s SSSCIP, was a special guest at Black Hat USA, the world’s largest hacking conference, in Las Vegas, Nevada, to speak about Industroyer2 and how Russia has committed cyber war crimes. In addition to the information war, hacktivists continue waging cyber war against Russia, most notably hacking IoT cameras on Ukrainian Independence Day and playing patriotic music on compromised devices located in Russia, Crimea, and Donbas. The IT Army also defaced the Crimean ISP Miranda-Media to celebrate Independence Day.
Suggested Articles:
Ukrainian fighting tactics endanger civilians
Head of Ukraine’s cybersecurity @ Blackhat
UA Independence Day hack of IoT cameras
Taiwan vs. China
Taiwanese websites experienced outages just ahead of House Speaker Nancy Pelosi’s arrival. Impacted websites included the National Defense Ministry, Foreign Affairs Ministry, the Presidential website, and Taoyuan Airport. In addition to the DDoS attacks, several 7-11 stores in Taiwan had their in-store monitors defaced with anti-Pelosi messaging. Anonymous, in response, defaced a Chinese government website to welcome Nancy Pelosi to Taiwan.
Suggested Articles:
Taiwanese websites hit with DDoS attacks as Pelosi begins visit
7-11 in Taiwan defaced for Pelosi visit
Chinese disinformation group targeted Pelosi’s Taiwan visit
Anonymous Welcomes Nancy Pelosi to Taiwan on hacked Chinese government website
Interested in Becoming a Nation State Hacker?
The US Army Chief of Cyber tweeted a link soliciting people to join the US Army for cyber and technology with the line “Interested in becoming a nation-state hacker?” That Cyber Army trend is so hot right now!
Hacktivist Campaigns
Charging my Laser! Again?
Since the first quarter of 2022, there has been a significant increase in hacktivism worldwide. This year we have already seen notable cyber conflicts arise in Eastern Europe due to Russia invading Ukraine and the Middle East due to the escalating tit-for-tat war. We are also now seeing increased activity in Asia related to geo-political escalations in Taiwan. Along with the renewed growth in hacktivism this year, we have also seen a tremendous spike in the use of decade-old denial-of-service tools in lockstep.
ALtahrea is Going for a High Score
Iraqi hackers have been conducting several campaigns across the threat landscape during the month of August. In the first wave of attacks, ALtahrea defaced several Israeli websites in response to recent physical escalations in the region. In the second wave of attacks, ALtahrea, working with the 1877 team, defaced several Ukrainian websites in response to the assassination of Darya Dugina, daughter of Alexander Dugin, Putin’s ally.
JavaScript Injection Pushes Fake Cloudflare Alert
A recent campaign targeted vulnerable WordPress websites with a JavaScript injection attack that presented visitors with a fake Cloudflare DDoS protection pop-up. The pop-up prompted users to download a malicious .iso file that concealed a remote access trojan.
Suggested Article:
WordPress sites hacked with fake Cloudflare DDoS alert pushing malware
Elections
Midterm Meltdown
As the midterm elections approach in the United States, the NSA, US Cyber Command, and private industry are standing up their election security groups. We have been warned for months about the possibility of foreign interference by Russia, China, and Iran. We have also been told to look for new and unique ways that threat actors might disrupt or influence the United States election process. Most recently, Trump supporters have begun to flood local election offices in multiple states with copy/paste public record requests related to the 2020 election. The requests are a form of denial-of-service attack designed to overwhelm staff ahead of the midterm elections. Under current law, these requests must be fulfilled before the midterm election.
Suggested Articles:
Elections officials say recent influx of records requests could be a ‘denial-of-service’ attack
Cyber Command, NSA tout election security group ahead of midterms
Botnet
For Research Purposes Only
Earlier this month, Fortinet published a report about RapperBot. RapperBot, named after references to rappers and entertainers, is a simple botnet based on the Mirai source code that targets and brute-forces devices over SSH rather than Telnet. It has limited DDoS capabilities and targets ARM, MIPS, SPARC, and x86. 360 Netlab also returned this month from a hiatus to report on the Orchard botnet, a Monero coin miner. This botnet generates DGA domains from Satoshi Nakamoto’s BTC transactions, which makes them less predictable than time-seeded DGAs. Finally, ThirllQuk published source code to the Pitraix botnet on GitHub. This botnet is an advanced HTTP-based P2P botnet over Tor that is cross-platform and loaded with built-in services such as a cryptor, RDP, keylogger, and ransomware.
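Whatever seeds a DGA, the names it emits still look random to a resolver, so lexical features stay useful even when the seed is unpredictable. The script below is an added, defender-side illustration written for this issue (it is not code from Fortinet, 360 Netlab or any of the botnets above): it parses a small constructed DNS query log, scores the registrable label of each name on length, character entropy and digit density, requires several indicators at once, and reports clients that issued a burst of such lookups. The log lines, thresholds and the naive second-level-label split are all assumptions for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (not a real capture); format:
# "<timestamp> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
2022-08-12T10:01:03Z 10.0.0.14 www.example.com
2022-08-12T10:01:05Z 10.0.0.14 mail.example.org
2022-08-12T10:01:07Z 10.0.0.14 portal.internalbusinessapp.com
2022-08-12T10:01:09Z 10.0.0.27 xk3qp9vz7tlm4.com
2022-08-12T10:01:10Z 10.0.0.27 q8w2e9r7t4y1u6i.net
2022-08-12T10:01:12Z 10.0.0.27 zl0k4j7h2g5f9d.org
2022-08-12T10:01:15Z 10.0.0.31 cdn.jsdelivr.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

# Illustrative thresholds (assumptions); tune them against your own baseline.
MIN_LABEL_LEN = 12
MIN_ENTROPY = 3.5
MIN_DIGIT_RATIO = 0.2


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(name: str) -> str:
    """Second-level label, e.g. 'example' for 'www.example.com'.
    Naive split that ignores the public suffix list, so 'co.uk'-style
    suffixes are a known limitation of this example."""
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_indicators(name: str) -> list:
    """Lexical indicators that a name looks algorithmically generated."""
    label = registrable_label(name)
    hits = []
    if len(label) >= MIN_LABEL_LEN:
        hits.append("long_label")
    if shannon_entropy(label) >= MIN_ENTROPY:
        hits.append("high_entropy")
    digits = sum(ch.isdigit() for ch in label)
    if label and digits / len(label) >= MIN_DIGIT_RATIO:
        hits.append("digit_heavy")
    return hits


def is_dga_like(name: str, min_hits: int = 2) -> bool:
    """Require several indicators together so a long but ordinary
    label (e.g. a company name) does not trigger on its own."""
    return len(dga_indicators(name)) >= min_hits


def parse_line(line: str):
    """Return (timestamp, client_ip, name) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def suspicious_clients(log_text: str, min_queries: int = 3) -> dict:
    """Map client IP -> DGA-like names it queried, keeping only clients
    that crossed min_queries; a burst of such lookups is the signal."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, client, name = parsed
        if is_dga_like(name):
            per_client[client].append(name)
    return {ip: names for ip, names in per_client.items() if len(names) >= min_queries}


if __name__ == "__main__":
    for ip, names in suspicious_clients(SAMPLE_DNS_LOG).items():
        print(f"{ip}: {len(names)} DGA-like queries -> {names}")
```

Requiring two of the three indicators is what keeps `portal.internalbusinessapp.com` out of the results: its label is long but has ordinary letter statistics, whereas the three names queried by 10.0.0.27 hit all three.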
Suggested Articles:
So RapperBot, what ya bruting for?
Researchers Beware!
360 Netlab reported this month that some malware authors watch for people who download malware from their download servers and, if the downloading device does not subsequently connect to their botnet, DDoS its IP address.
Suggested Article:
Bot herders attacking researcher
Vulnerabilities
More Devices for the Bot Herders
Researchers from the Trellix Threat Labs Vulnerability Research team found an unauthenticated remote code execution vulnerability affecting 29 DrayTek router models. CVE-2022-32548 impacts over 200,000 exposed devices. The good news is that DrayTek has released a patch. The bad news is that most users don’t patch promptly. Case in point? CYFIRMA discovered that over 80,000 Hikvision cameras used by 2,300 organizations across 100 countries have still not applied the security update for CVE-2021-36260. How long does it take your organization to patch disclosed vulnerabilities?
Suggested Articles:
Over 80,000 exploitable Hikvision cameras exposed online
Government Warnings
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a Palo Alto Networks PAN-OS flaw to its catalog of known exploited vulnerabilities. CVE-2022-0028 is considered a high-risk vulnerability that allows remote threat actors to launch reflected and amplified denial-of-service attacks without authentication. In other news, the Pentagon may soon require vendors to certify that their software is free from known flaws, but the community is split on the topic. Some think this is an impossible request, while others believe it will hold software vendors accountable.
Suggested Articles:
CISA is warning of high-severity PAN-OS DDoS flaw used in attacks
The Pentagon may require vendors certify their software is free of known flaws. Experts are split
Records
Yet Another Record-Breaking DDoS Attack
Google has reported that it has blocked yet another record-breaking HTTPS DDoS attack, peaking at 46 million requests per second (rps). Before this attack, Cloudflare reportedly blocked a 26 million rps attack in June and a 15.3 million rps attack in April.
Suggested Article:
How Google Cloud blocked the largest layer 7 DDoS attack
Ransomware
Threat Actors Swing and Miss
Cisco confirmed this month that Yanluowang had breached its corporate network after data was posted on the ransomware group’s dedicated leak site. The hack happened in late May, when an employee’s credentials were stolen and used to breach the network. The ransomware group failed to extort Cisco because the harvested information was non-sensitive data. In other ransomware news, LockBit got a taste of its own medicine following the publication of Entrust’s stolen data. The ransomware group suffered an HTTP attack on LockBit’s dedicated leak sites. The attack payload read, “Delete_Entrustcom_Motherf*****s”.
Suggested Articles:
Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen
Lockbit DDoS’d following Entrust leak
Attacks in Latin America and the Caribbean
The National Cybersecurity Center (CNCS) of the Dominican Republic said it is in the process of helping the Dominican Agrarian Institute (IAD) recover from a ransomware attack. The IAD was compromised by the Quantum ransomware group and has refused to pay the $600,000 ransom demand. This is just another victim in what is shaping up to be a wave of cyberattacks targeting Latin America and the Caribbean. Trinidad, Brazil, and Costa Rica have all suffered notable cyberattacks this year.
Suggested Article:
Dominican Republic refuses to pay ransom after attack on Agrarian Institute
Gaming
Some Things Will Never Change
A threat actor recently uploaded a dozen malicious Python packages to the PyPI repository. When installed, the typosquatted packages dropped malware designed to launch DDoS attacks against Russian Counter-Strike servers. In addition to this attack, Final Fantasy was still suffering from a persistent DDoS campaign that began in July. Will targeting shift from games to educational institutions with the start of the new school year?
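Typosquatting works because one mistyped character in a requirements file is enough to pull a different package. The script below is an added example for this issue (not code from the cited article or from PyPI): it normalizes package names the way pip does (PEP 503), computes edit distance against a constructed allowlist of well-known packages, and flags any requested name that is a near-miss rather than an exact match. The allowlist, the requirements file and the distance threshold are assumptions; the page does not name the malicious packages, so none are reproduced here.

```python
import re

# Constructed allowlist of popular package names (illustrative; a real
# deployment would load the top-N names from PyPI download statistics).
KNOWN_PACKAGES = {
    "requests", "numpy", "pandas", "urllib3", "django",
    "flask", "pyyaml", "cryptography", "boto3", "scipy",
}

# Constructed requirements file containing two near-miss names.
REQUIREMENTS = """\
requests==2.28.1
requsts==1.0.0
numpy>=1.23
pandaz==0.1
django
"""

# Leading project name of a requirement line (version specifiers follow it).
NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization as pip applies it: lowercase, and any run of
    '-', '_' or '.' collapses to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name, known=KNOWN_PACKAGES, max_distance=2):
    """Known packages within max_distance edits of `name`, closest first.
    An exact normalized match is the genuine package, so it returns []."""
    target = normalize(name)
    if target in {normalize(k) for k in known}:
        return []
    hits = []
    for k in known:
        d = levenshtein(target, normalize(k))
        if 0 < d <= max_distance:
            hits.append((k, d))
    return sorted(hits, key=lambda kd: (kd[1], kd[0]))


def check_requirements(text, known=KNOWN_PACKAGES, max_distance=2):
    """Map each requested name that resembles a known package to its
    look-alikes; exact matches and unrelated names are omitted."""
    findings = {}
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if not m:  # blank lines, comments and options do not start with a name
            continue
        name = m.group(1)
        cands = typosquat_candidates(name, known, max_distance)
        if cands:
            findings[name] = cands
    return findings


if __name__ == "__main__":
    for name, cands in check_requirements(REQUIREMENTS).items():
        print(f"{name!r} looks like {cands}; verify before installing")
```

Run it as a pre-install gate in CI: a non-empty result means a human should confirm the intended package before `pip install` proceeds. The edit-distance threshold of 2 is deliberately low; raising it catches more look-alikes at the cost of false positives among short, legitimate names.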
Suggested Articles:
Malicious PyPi packages aim DDoS attacks at Counter-Strike servers
Raids and Takedowns
Web 3.0, LOL
Things are not going well for Web 3.0 as chaos spreads around Ethereum. Virgil Griffith, former Ethereum developer and owner of eth.link, the Ethereum Name Service gateway for the .eth domain, is currently unable to renew the domain. Griffith is currently in jail for speaking at a cryptocurrency conference in Pyongyang and helping North Koreans use cryptocurrencies to evade sanctions. As a result, neither he nor his lawyers can renew the domain, and GoDaddy will be returning it to the registry on September 5th, when someone else can buy and control the domain.
Ukraine Strikes Back
This month the Security Service of Ukraine (SSU) has taken down two malicious threat actors operating inside the country. In the first raid, the SSU took down a million bots that were part of a mobile social/political disinformation campaign. The botnet was used to destabilize the social and political situation in Ukraine by spreading information about the activities of Ukrainian military and political leaders. In the second raid, the SSU took down 100 malicious dedicated servers used in cyberattacks against Ukraine. The servers were used to breach networks, steal credentials, and carry out DDoS attacks. Both threat actors were supporting pro-Russian hackers as well as Russian special services.
Suggested Articles:
SSU shuts down million strong bot farm
SSU shuts down clandestine server center in Kyiv
Tornado Cash
Following the US Treasury sanctioning Tornado Cash, Dutch authorities arrested a suspected developer of the laundering service. Tornado Cash is accused of mixing, i.e. laundering, more than $7 billion worth of cryptocurrency, including $455 million for Lazarus. The 29-year-old man arrested in Amsterdam is likely the first of many arrests related to Tornado Cash.
Suggested Articles:
US Treasury sanctions notorious virtual currency mixer Tornado Cash
Arrest of suspected developer of Tornado Cash
Josh Maunder to Face Trial
Josh Maunder will face trial this year for launching DDoS attacks in 2017 and 2018. His targets included Nationwide Building Society, UK and Czech police, Nuclear Fallout gaming services, and the Logan Paul boxing match. Maunder faces 13 counts of unauthorized acts impairing the operation of a computer, 2 counts of making an article intended to be used for computer misuse, 1 count of obtaining an article to commit an offense, and 1 count of possessing articles in connection with fraud. Is DDoS a crime? Ask Josh!
Suggested Article:
Co Down teen accused of cyber-attacks on major institutions worldwide to face trial
Suggested Newsletters
Are you looking for additional resources and news related to the current threat landscape? Check out these security newsletters suggested by our researchers at Radware.
- Risky Biz – https://risky.biz/
- This Week in Security – https://this.weekinsecurity.com/
- Zero Day – https://zetter.substack.com/
- The Info Op – https://grugq.substack.com/
- SANS @RISK – https://www.sans.org/newsletters/at-risk/
- Masafumi Negishi – https://www.getrevue.co/profile/masafuminegishi
Join the conversation!
Do you have additional insight or comments? Join the conversation with our researchers at Radware on Telegram.
https://t.me/RadwareResearchChat
*** This is a Security Bloggers Network syndicated blog from Threat Researchers Newsletter authored by Radware Research. Read the original post at: https://radware.substack.com/p/threat-researchers-newsletter-issue-2-1286724