
Threat Researchers Newsletter – Issue #4


Hello everyone, and once again, thank you to all our subscribers. As a reminder, if there is an event that we missed or one that you want us to cover on the next Threat Researchers Live, please reach out via our Telegram chat channel, Radware Research Chat.

We would also like to take this time to announce some upcoming changes. The Threat Researchers Newsletter is moving to Substack at the end of the year. For subscribers, the only thing that will change is the delivery address. We will provide more information in the following newsletter.

Cyber Legions

The Rise of Killnet

Killnet is a pro-Russian DDoS threat group that continues to rise and gain media attention as the Russian/Ukrainian war escalates. This month, the threat group targeted civilian infrastructure in the United States and Bulgaria, including government and airport websites. While these attacks are notable, they had no impact on services. The objective of the DDoS attacks is to undermine public confidence in civilian infrastructure.

Suggested Articles:

Cyberattack on Colorado state website follows Russian hacktivist threat

Killnet targets US civilian network infrastructure

Cyberattack disrupts Bulgarian government websites over ‘betrayal to Russia’

XakNet Targets Israel

XakNet Team, a threat group reported to be working in coordination with the Russian Main Intelligence Directorate (GRU), targeted the Israeli parliament this month after rumors surfaced that Israel was providing Ukraine with intelligence needed to counter drones. Nation-states leveraging hacktivists as a proxy for DDoS attacks have been a defining feature of the current threat landscape.

Suggested Articles:

XakNet DDoS division

Updates from Ukraine

CERT-UA published a report this month about cyberattacks targeting state organizations in Ukraine. The attack involved a phishing campaign allegedly sent on behalf of the Press Service of the General Staff of the Armed Forces of Ukraine. The phish linked to third-party resources that required victims to download an infected PDF reader. Once installed, the user’s device would become infected with RomCom malware, a backdoor known to be leveraged by Cuba Ransomware. In addition to this activity, the IT Army of Ukraine, a pro-Ukrainian DDoS group, announced that it had launched a joint operation with Ukraine’s Special Operations Forces.

Suggested Articles:

Cyberattack on state organizations of Ukraine using the RomCom malware

SSO + IT Army

Hacktivist Campaigns

A Lesson in Wartime Looting

Here is a lesson in wartime looting: if you steal an electronic device, reset the password! Thieves stole IP cameras from residents of Lyman, Ukraine this month and installed them in homes across Buryatia, Russia, over 4,000 miles away. The Russians who installed the devices did not reset the passwords, allowing the Ukrainian owners to log back into their devices and watch the new users.

Suggested Articles:

Stolen IP cameras

Nation-State Activity

Iranian False-Flag Operation

The United States government reports that the Iranian cyber threat group Emennet Pasargad is conducting a hack-and-leak operation using the personas Hackers of Savior and Deus. The threat group’s primary target is Israel, where it intends to undermine public confidence in the country. Previously, the threat group targeted the 2020 US presidential election using a mixture of computer intrusions and exaggerated claims.

Suggested Articles:

Iranian cyber group Emennet Pasargad conducting hack-and-leak operations using false-flag personas

NSA’s Six Takeaways from Ukraine

Infosecurity Magazine covered, in a must-read piece, a presentation by NSA cybersecurity director Rob Joyce at Mandiant’s Worldwide Information Security Exchange. In the presentation, Joyce covered his six takeaways from the war in Ukraine.

Suggested Articles:

NSA cybersecurity director’s six takeaways from the war in Ukraine

Building Cyber Armies

Since the start of the Russian/Ukrainian war, many countries have taken note of the threat landscape and have begun to build their own cyber commands, IT armies, and red teams. For example, this month, Belgium announced that it will have its cyber command up and running by 2024, and the Minister of Digital Development of Taiwan argued that the country needs to build a national red team in order to assess the security posture of national businesses and government organizations through simulated attacks.

Suggested Articles:

Belgian Cyber Command by 2024

Taiwan training ‘red team’ to counter hackers

Vulnerabilities

BlueBleed

SOCRadar detected sensitive data coming from a misconfigured cloud server. In total, they found six publicly accessible data buckets in Azure Blob Storage that were leaking data. This data included information from more than 65,000 companies in 111 different countries. Upon disclosure, Microsoft quickly addressed and fixed the issue and notified affected customers.

Suggested Articles:

Sensitive data of 65000 entities in 111 countries leaked

Text4Shell

This month, an RCE vulnerability in Apache Commons Text rated CVSS 9.8 was disclosed. CVE-2022-42889 allows an unauthenticated attacker to execute arbitrary code on targeted devices. Exploitation is not as widespread as with Log4j, but users are recommended to upgrade to 1.10.0 ASAP. Organizations should not panic; the threat level is not the same as Log4Shell.
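As an added example (not code from the newsletter or from the Apache project), the following Python checks the commons-text versions declared in a Maven pom.xml against the 1.10.0 release the advisory points to; the pom contents and the `commons.text.version` property name are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 10, 0)  # Apache Commons Text release that addresses CVE-2022-42889

# Constructed pom.xml (not a real project): commons-text pinned to 1.9 through a
# property, plus an unrelated dependency that must not be flagged.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><commons.text.version>1.9</commons.text.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-text</artifactId>
      <version>${commons.text.version}</version></dependency>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId>
      <version>3.12.0</version></dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """'1.9' -> (1, 9, 0); trailing qualifiers such as '-SNAPSHOT' are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def commons_text_versions(pom_xml):
    """Resolved <version> text of every org.apache.commons:commons-text dependency."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():  # strip the Maven namespace so tag names are plain
        el.tag = el.tag.rsplit("}", 1)[-1]
    props = {p.tag: (p.text or "").strip() for block in root.iter("properties") for p in block}
    found = []
    for dep in root.iter("dependency"):
        gid = (dep.findtext("groupId") or "").strip()
        aid = (dep.findtext("artifactId") or "").strip()
        if (gid, aid) != ("org.apache.commons", "commons-text"):
            continue
        raw = (dep.findtext("version") or "").strip()
        # resolve ${name} placeholders from <properties>; unknown names are left as-is
        found.append(re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw))
    return found

def vulnerable_versions(pom_xml):
    """Split commons-text versions into those below 1.10.0 and those needing an effective-POM check."""
    vulnerable, unresolved = [], []
    for v in commons_text_versions(pom_xml):
        if not v or "${" in v:  # missing or still a placeholder: managed by a parent POM or BOM
            unresolved.append(v)
        elif parse_version(v) < FIXED_VERSION:
            vulnerable.append(v)
    return vulnerable, unresolved
```

Versions reported as unresolved come from a parent POM or BOM and should be checked on the effective POM (`mvn help:effective-pom`) rather than assumed safe.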

Suggested Articles:

Apache – Text4Shell

Gaming

Targeting Gamers

Square Enix this month warned about potential unauthorized account access after noticing a credential stuffing attack targeting its account management system. Credential stuffing attacks leverage email addresses and passwords obtained from other data leaks in order to gain access to valid accounts on a different service. The attack volume can be so resource-intensive that it causes denial-of-service conditions for targeted organizations. In other gaming news, Overwatch 2 was released on October 4th. Demand for the game resulted in a server queue of over 40,000 users, who reported waiting nearly 3 hours to download the game. To make matters worse, a malicious threat actor launched a DDoS attack against Overwatch 2 during its release, further frustrating players.
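As an added illustration of the distinction the paragraph draws (not code from the newsletter or from Square Enix), this Python separates credential stuffing from ordinary brute force in authentication logs: stuffing spreads roughly one attempt over many accounts, while brute force piles attempts onto one. The log format, IP addresses and usernames are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed auth log sample (not real data): 203.0.113.7 spreads one try per account and
# hits one valid pair (stuffing); 198.51.100.9 hammers one account (brute force).
SAMPLE_LOG = """\
2022-10-05T10:00:01Z login result=fail user=alice src=203.0.113.7
2022-10-05T10:00:02Z login result=fail user=bob src=203.0.113.7
2022-10-05T10:00:02Z login result=fail user=carol src=203.0.113.7
2022-10-05T10:00:03Z login result=success user=dave src=203.0.113.7
2022-10-05T10:00:03Z login result=fail user=erin src=203.0.113.7
2022-10-05T10:00:10Z login result=fail user=alice src=198.51.100.9
2022-10-05T10:00:11Z login result=fail user=alice src=198.51.100.9
2022-10-05T10:00:12Z login result=fail user=alice src=198.51.100.9
2022-10-05T10:00:13Z login result=fail user=alice src=198.51.100.9
2022-10-05T10:00:14Z login result=fail user=alice src=198.51.100.9
2022-10-05T10:01:00Z login result=success user=grace src=192.0.2.44
"""

LINE_RE = re.compile(r"result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)")

def parse(log):
    """Return (src_ip, user, result) for every line that matches the log format."""
    return [(m["src"], m["user"], m["result"])
            for m in map(LINE_RE.search, log.splitlines()) if m]

def classify_sources(events, min_attempts=5, spread_threshold=0.8):
    """Per source IP: 'credential_stuffing' if attempts spread ~one per account, else 'brute_force'."""
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": set()})
    for src, user, result in events:
        s = per_src[src]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "success":
            s["successes"].add(user)
    verdicts = {}
    for src, s in per_src.items():
        if s["attempts"] < min_attempts:
            verdicts[src] = "normal"  # too few events to judge
        elif len(s["users"]) / s["attempts"] >= spread_threshold:
            verdicts[src] = "credential_stuffing"
        else:
            verdicts[src] = "brute_force"
    return verdicts, per_src

def accounts_to_reset(log):
    """Accounts that authenticated from a stuffing source: their leaked password worked."""
    verdicts, per_src = classify_sources(parse(log))
    return {u for src, v in verdicts.items() if v == "credential_stuffing"
            for u in per_src[src]["successes"]}
```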

Suggested Articles:

Square Enix advising Final Fantasy 14 players to change passwords due to a hacking attempt

Overwatch2 DDoS

Ransomware

Dutch Police Trick Deadbolt

The Dutch Police this month tricked the Deadbolt ransomware group into releasing 150 decryption keys with a simple Bitcoin trick. The trick was submitted to authorities by security company Responders.NU. The maneuver allowed authorities to send a payment to the threat group, receive the decryption keys, and then withdraw the payment once the devices were unlocked.

Suggested Articles:

Dutch police obtain Deadbolt decryption keys

Educational Attacks

SwatNet 2022

The swatting spree targeting schools across the United States continued this month, with 16 states impacted and a total of 90 false reports called in. Unfortunately, these swatting attacks run parallel to a series of school shootings in the United States, adding further frustration to a growing problem.

Suggested Articles:

A swatting spree is terrorizing schools across the US

Rough Start to the Year

This month, Radware researchers reported a wave of cyberattacks targeting schools worldwide. Malicious events included credential stuffing and defacement campaigns, denial-of-service, business email compromise, ransom denial-of-service and ransomware attacks. Needless to say, it’s been a rough start to the year for the educational vertical.

Suggested Articles:

A rough start to the school year

Midterm Elections

Warnings from the FBI

The FBI has issued several warnings this month regarding the upcoming midterm elections. The FBI reports that malicious cyber activity against election infrastructure is unlikely to disrupt or prevent voting and that foreign actors will likely use information manipulation tactics for the upcoming midterm elections.

Suggested Articles:

Malicious cyber activity against election infrastructure unlikely to disrupt or prevent voting

Foreign actors likely to use information manipulation tactics for 2022 midterm election

Raids and Takedowns

Lapsus$ Member Arrested

Federal police in Brazil arrested a man believed to be a member of Lapsus$. The arrest resulted from an investigation following a breach of the Brazilian Ministry of Health. Operation Dark Cloud is a federal initiative to collect information about attacks against the Brazilian government this year.

Suggested Articles:

Brazil Federal police arrest Lapsus$ member

Takedowns in Ukraine

Ukrainian authorities took down two bot farm networks this month. In both farms, threat actors were paid by the Russian Federation to create fake social media accounts to aid in subversive activities inside Ukraine.

Suggested Articles:

Cyberpolice exposed a large-scale network of bot farms that spread fakes and propaganda about the war in Ukraine

The SSU liquidated an enemy bot farm in Dnipro that created almost 10 thousand fake accounts to “disperse” Kremlin propaganda in the EU

More Than Packets

Finally, a name many of us thought we would never hear again appears in a recent United States Department of Justice publication. Daniel Kaye, previously arrested for launching a series of DDoS attacks, was released by authorities in Cyprus and extradited to the United States, where he will face additional charges related to his operation of a darknet marketplace called The Real Deal and his work with the threat group TheDarkOverlord.

Suggested Articles:

Hacker and Dark Market operator arraigned on federal charges

Suggested Newsletters

Are you looking for additional resources and news related to the current threat landscape? Check out these security newsletters suggested by our researchers at Radware.

·     Risky Business – https://risky.biz/

·     This week in security – https://this.weekinsecurity.com/

·     Zero Day – https://zetter.substack.com/

·     The Info Op – https://grugq.substack.com/

·     SANS @RISK – https://www.sans.org/newsletters/at-risk/

·     Masafumi Negishi – https://www.getrevue.co/profile/masafuminegishi

Join the conversation!

Do you have additional insight or comments? Join the conversation with our researchers at Radware on Telegram.

https://t.me/RadwareResearchChat


*** This is a Security Bloggers Network syndicated blog from Threat Researchers Newsletter authored by Radware Research. Read the original post at: https://radware.substack.com/p/threat-researchers-newsletter-issue-4-1388711