
Threat Researchers Newsletter – Issue #5


Hello everyone, and welcome to our 5th and final edition of the year! We hope you all are settling in comfortably for the seasonal slowdown and wish you all a happy holiday. We would also like to give a special shoutout and thank you to everyone we met over the last few weeks in Australia, Israel, the Netherlands, and the United States. The best part about this job is speaking face-to-face with other community members to understand each other’s perspectives. We look forward to more productive events in the future! And, as always, if there is a cyber-attack that we didn’t cover this month or one that you want us to cover after the holidays, please reach out via our Telegram chat channel, email, or social media!

We would also like to highlight an upcoming webinar about the digital underground economy related to credential access. On December 15th at 12 pm EST and 4 pm JST, join Radware and Cybersixgill for a special webinar where we will dive into the forums and marketplaces that sell information stealers and compromised valid credentials while exploring possible impacts down range related to the theft of compromised valid credentials. 

Sign up below!

BrightTALK: NAM + EMEA

BrightTALK: APAC


Table of Contents

  • Hacktivist Campaigns

  • Australia Under Attack

  • Government Alerts

  • Extortion Campaigns

  • Midterm Elections

  • 2022 FIFA World Cup

  • Vulnerabilities

  • Internet Noise

  • Credential Access

  • Raids and Arrests

Hacktivist Campaigns

IT Army’s Defacement Campaign

As the Russian/Ukrainian war escalates, so does the activity of digital threat actors. Most notably, the IT Army of Ukraine, a state-sponsored pro-Ukrainian hacktivist group comprised of local and international volunteers, has recently been seen running campaigns outside the traditional DDoS narrative. These operations have included hack-and-leak campaigns conducted with Ukrainian special forces and alleged ransomware/wiper campaigns. Over the last several weeks, the threat group has been defacing many public-facing government websites in Russia. On November 21st, they defaced government websites in Russia to celebrate the Day of Dignity and Freedom in Ukraine, and again on November 25th to protest Putin’s speech at the Artificial Intelligence Journey (AIJ) conference in Moscow.

Telegram Channel – IT Army of Ukraine

XakNet Begins Training New Attackers

XakNet, a pro-Russian hacktivist group that coordinates its operations with the Russian Main Intelligence Directorate (GRU) per Mandiant, has begun teaching volunteers who wish to join the threat group how to launch DDoS attacks in support of Russia. Intake is separated into two groups: those who already know how to launch DDoS attacks and those who do not. Those who know how will immediately launch attacks for XakNet. Those who do not will receive free training “from professionals in the business,” that is, threat actors under the instruction of the Russian Main Intelligence Directorate.

Telegram Channel – XakNet DDoS Team

Killnet Still Targeting US Airports

In October, Radware issued an advisory on a pro-Russian threat group named Killnet and its campaign against US civilian infrastructure. During the campaign, the group conducted DDoS attacks on government websites and airports across the United States. But this wasn’t their first operation; the group was also observed carrying out a similar campaign in March. The threat group has continued its campaign targeting US civilian infrastructure into November by launching additional DDoS attacks against public-facing websites of US airports. These DDoS attacks are not designed to impact air traffic. They are intended to undermine public confidence in the system and to gain national attention for the attack. Specifically, Killmilk, the operator behind Killnet, often uses the attention generated from successful DDoS attacks to make false claims about larger targets.

Telegram Channel – Killnet

Australia Under Attack

Ransomware Groups Targeting Australia

Over the last several months, Australia has been rocked by cyber-attacks, resulting in emotional scenes in parliament discussing the distress they are causing Australians. First Optus and now Medibank, one of Australia’s largest private health insurance providers, have been hit with highly publicized ransomware attacks. In the case of Medibank, 9.7 million records related to Australian citizens have been stolen by a threat group going by the name BlogXX. The information includes medical claims related to abortions, alcohol-related illnesses, and other personal matters. The ransom was set at $10 million, or $1 per record. Medibank refused to pay the extortion demand, and the records have since been posted online by BlogXX. As a result, Australia is now moving to set up a permanent operation designed to hack the hackers, dedicating up to 100 personnel from the Australian Federal Police and Australian Signals Directorate to “hunt down the scumbags who are responsible for these malicious crimes against innocent people.”

Suggested Articles:

Australia tells Medibank hackers: ‘We know who you are’

Government Alerts

FBI and CISA Publish Advisories Related to DDoS Attacks

During November, CISA and the FBI issued advisories on preparing for and mitigating DDoS attacks. Both are excellent reads and provide organizations with proactive steps to take to reduce the likelihood and impact of a DDoS attack.

Recommendations before a DDoS attack include:

  • Auditing your network.

  • Enrolling in DDoS protection services.

  • Building relationships with your service providers.

  • Regularly conducting tabletop exercises.

Recommendations during a DDoS attack include:

  • Confirming if the outage is related to a DDoS attack.

  • Contacting your ISP.

  • Deploying mitigation techniques.

  • Monitoring other network assets since attackers target other devices once they encounter mitigation services.

The FBI advisory also highlights that launching a DDoS attack requires little technical knowledge and often leverages publicly available tools, such as stresser services, to disrupt public-facing websites. With these services, hacktivists typically aim at high-profile targets, including financial institutions, health and medical facilities, emergency services, airports, and government facilities.

Suggested Articles:

Understanding and Responding to Distributed Denial-of-Service Attacks

Hacktivist Use of DDoS Activity Causes Minor Impacts

Extortion Campaigns

Team Montesano Extorting Website Owners Worldwide

This month, Bleeping Computer reported a new extortion scam targeting website owners and administrators with threats of reputation damage and data leaks. The threat actors, via email, claimed to have compromised the victim’s server and demanded $2,500 in exchange for not leaking the alleged data or spamming the site. In all known events, the victims’ servers were not compromised, but as Bleeping Computer reported, some may have paid the extortion demand already. In general, we at Radware suggest never paying a ransom demand. This is because we often see fake Ransom Denial-of-Service (RDoS) campaigns where threat actors spam extortion demands via email hoping that someone will fall for it. Even when faced with competent threat actors, it is still advised not to pay extortion demands.

Suggested Articles:

New extortion scam threatens to damage sites’ reputation, leak data

Killnet Launches Extortion Campaigns

In what appears to be a shift in TTPs, the pro-Russian hacktivist group Killnet appears to have launched an extortion-based campaign against Latvia, explicitly targeting the Latvian State Revenue department at the end of November. In its Telegram channel, the threat group posted unredacted screenshots showing its alleged access to Latvia’s State Revenue network. The threat actors apparently gained access to the network via an employee’s credentials. In addition, Killnet appears to have used the employee’s email address to send an extortion demand for 10 BTC to multiple email addresses associated with the Latvian State Revenue office. If these documents are accurate, it will confirm that state-aligned hacktivists are looking for more impactful tactics and techniques following a year of DDoS attacks.

Telegram Channel – Killnet

Midterm Elections

Subversion from Within the United States

As the midterm election comes and goes in the United States, there is one clear threat actor that we must pay attention to: ourselves. Widespread attempts to subvert the election process from inside the United States pose a more significant threat to the democracy of the United States than those that originate from foreign state-sponsored threat actors. If one thing is clear, it’s easier to manipulate humans than to compromise election infrastructure. And the worst part is that the average citizen is learning this, and is also learning how to use the tactics, techniques, and procedures from past campaigns run by foreign state-sponsored threat actors to manipulate their own social circles. Adding to the complexity of internal threats are biased social media platforms that censor and bury information as they see fit.

Suggested Articles:

The biggest threat to America’s election system? Ourselves

In elections, it’s easier to hack a human than a device

Election Day DDoS Attacks

While the midterm election came and went without significant disruption, several DDoS attacks did target government websites across the United States; the pro-Russian hacktivist group Cyber Army of Russia launched these attacks. Following weeks of DDoS attacks targeting airport and government websites in the United States, pro-Russian hacktivists turned their attention to the midterm election in an attempt to disrupt the process. The group was only able to successfully target two public-facing government websites, in Mississippi and Illinois. These websites were not part of the election infrastructure, though. The outages, at best, only prevented voters from finding their local polling places on the day of the election. DDoS attacks like this, targeting informational public-facing websites, are only designed to undermine public confidence, create drama, and gain media attention for the threat actor.

Suggested Articles:

Mississippi election websites knocked out by DDoS attack

2022 FIFA World Cup

Threat Landscape of a Large Sporting Event

This month, Radware released an advisory on the current FIFA World Cup in Qatar. While there have not been any significant attacks like the ones seen during the 2018 Winter Olympics, there have been a few notable attacks. Before the World Cup, Anonymous launched DDoS and defacement attacks against FIFA and the government of Qatar in an attempt to get the Iranian soccer team removed from the tournament. Hacktivists typically use DDoS, defacement, and disinformation attacks to undermine public confidence through minor hacks and outages. More advanced threat actors will normally target organizations and sponsors related to major sporting events before the games begin, using malware designed to harvest valid credentials. During the event, organized criminals and opportunists will attempt to harvest personally identifiable information from fans via World Cup-related scams, for example those related to tickets, gambling, and streaming services.

Suggested Articles:

Radware Threat Advisory – World Cup Qatar

Surge of Fake FIFA World Cup Streaming Sites Target Virtual Fans

Email Cyberattacks on Arab Countries Rise in Lead to Global Football Tournament

United States Soccer Federation Defaces Iranian Flag

Would you consider this a defacement? In the lead-up to the United States soccer match against Iran at the World Cup in Qatar, the United States Soccer Federation removed the Islamic Republic emblem from the Iranian flag in content across all social media platforms. The United States Soccer Federation said they removed the symbol to show support for the women in Iran. The State Department has also publicly stated this was not a coordinated effort against Iran. But is this considered a self-published defacement, or just political trolling at high levels? How would the United States have reacted to such an action?

Suggested Articles:

Iran calls for US to be kicked out of 2022 World Cup after it changes Iran flag on social media to show support for protesters

Vulnerabilities

OpenSSL Vulnerabilities

After a week of speculation about OpenSSL vulnerabilities, the OpenSSL project disclosed two new CVEs to address buffer overrun vulnerabilities in its cryptographic library that could trigger crashes or lead to remote code execution (RCE). In a Radware advisory issued this month, we reported that any application or device that leverages OpenSSL 3.x and provides certificate-based authentication is impacted, from messaging clients and web browsers on desktop and mobile, network attached storage (NAS) devices and security gateways, up to server software and online services. To mitigate, update to OpenSSL version 3.0.7. If no certificate validation is required, disabling certificate validation will mitigate the vulnerability. And if timely updating is not possible, the following steps will alleviate the urgency of patching:

  • Fronting the affected services

  • Disabling certificate validation in the service

  • Moving the certificate validation to a reverse proxy running an unaffected or patched version of OpenSSL
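The triage logic above, as an added example that is not part of the original newsletter or the Radware advisory: it parses `openssl version` banners collected from a fleet, flags builds in the affected range (assumed here to be 3.0.0 up to but not including the fixed 3.0.7), and maps each host to the action the advisory describes, depending on whether that host actually validates peer certificates. Host names and banners are constructed sample data.

```python
import re
import ssl

# Assumption: 3.0.0 through 3.0.6 are affected; 3.0.7 carries the fix (per the advisory).
AFFECTED_FROM = (3, 0, 0)
FIXED_IN = (3, 0, 7)

_VER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from an 'openssl version' banner such as
    'OpenSSL 3.0.5 5 Jul 2022' or 'OpenSSL 1.1.1q  5 Jul 2022'."""
    m = _VER_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSL version found in banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(banner: str) -> bool:
    """True when the banner reports a build inside the vulnerable 3.0.x range."""
    return AFFECTED_FROM <= parse_openssl_version(banner) < FIXED_IN


def recommend(banner: str, validates_peer_certs: bool) -> str:
    """Map a host's OpenSSL build and its use of certificate validation to
    the action from the advisory: nothing, lowered urgency, or upgrade/front."""
    if not is_affected(banner):
        return "ok"
    if not validates_peer_certs:
        # The bug is reached through certificate validation, so a service that
        # does not validate peer certificates is not exposed via this path.
        return "low-urgency"
    return "upgrade-to-3.0.7-or-front-with-patched-proxy"


def triage(inventory) -> dict:
    """inventory: iterable of (host, banner, validates_peer_certs).
    Returns {host: recommendation} for every host that still needs action."""
    result = {}
    for host, banner, validates in inventory:
        action = recommend(banner, validates)
        if action != "ok":
            result[host] = action
    return result


def local_python_status() -> str:
    """Triage the OpenSSL build this interpreter itself is linked against."""
    return recommend(ssl.OPENSSL_VERSION, validates_peer_certs=True)


# Constructed sample inventory with hypothetical host names (not real data).
SAMPLE_INVENTORY = [
    ("mail-gw-1", "OpenSSL 3.0.5 5 Jul 2022", True),
    ("nas-2", "OpenSSL 3.0.2 15 Mar 2022", False),
    ("web-3", "OpenSSL 3.0.7 1 Nov 2022", True),
    ("legacy-4", "OpenSSL 1.1.1q  5 Jul 2022", True),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```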

Suggested Articles:

Radware Threat Advisory – OpenSSL CVE-2022-3786 and CVE-2022-2602

Malicious Docker Hub Images

Supply chain attacks related to high-dependency software are becoming an all-too-common attack vector. This month, researchers at Sysdig discovered over 1,000 images with malicious software and embedded secrets on Docker Hub. Docker Hub is a hosted repository service allowing users to share container images with others. Researchers at Sysdig discovered that users had mistakenly downloaded the malicious typo-squatted images nearly 17,000 times, further highlighting the need to audit and verify the origin of your company’s 3rd party dependencies.
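One way to audit image origins as the paragraph recommends, as an added example that is not part of the original newsletter or Sysdig’s research: it normalizes image references to their full registry/namespace/name form, flags images that are not pinned by digest or not in a trusted-repository allowlist, and reports names within a small edit distance of a trusted name as possible typo-squats. The allowlist and the image references are constructed for illustration.

```python
import re

# Constructed allowlist of trusted repositories (hypothetical); a real one would be
# generated from the organization's approved base images.
TRUSTED_REPOS = {
    "docker.io/library/nginx",
    "docker.io/library/python",
    "docker.io/library/alpine",
    "registry.example.internal/platform/base",
}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref: str) -> dict:
    """Split 'registry/namespace/name:tag@digest' into parts, applying Docker's
    defaults: docker.io registry, 'library' namespace, 'latest' tag."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    # A first component containing '.' or ':' (or 'localhost') is a registry host.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = "latest"
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    if "/" not in path and registry == "docker.io":
        path = "library/" + path
    return {"registry": registry, "repo": f"{registry}/{path}", "tag": tag, "digest": digest}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-or-two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_image(ref: str) -> list:
    """Return findings for one image reference: 'unpinned' (no digest),
    'bad-digest', 'floating-tag', 'untrusted-repo', and a possible typo-squat."""
    parts = parse_image_ref(ref)
    findings = []
    if parts["digest"] is None:
        findings.append("unpinned")
    elif not DIGEST_RE.match(parts["digest"]):
        findings.append("bad-digest")
    if parts["tag"] == "latest" and parts["digest"] is None:
        findings.append("floating-tag")
    if parts["repo"] not in TRUSTED_REPOS:
        findings.append("untrusted-repo")
        name = parts["repo"].rsplit("/", 1)[-1]
        for trusted in sorted(TRUSTED_REPOS):
            if 0 < _edit_distance(name, trusted.rsplit("/", 1)[-1]) <= 2:
                findings.append(f"possible-typosquat-of:{trusted}")
                break
    return findings
```

Run `audit_image` over every `FROM` line in your Dockerfiles and every image in your deployment manifests; an empty list means the reference is digest-pinned and comes from an approved repository.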

Suggested Articles:

Analysis on Docker Hub malicious images: Attacks through public container images

Internet Noise

The Grey Noise of the Internet

The ‘grey noise of the internet’ refers to the scanning activity for vulnerabilities and exposed services performed by white and black hats. Scanning is beneficial, but it should be done responsibly, with moderation, and with respect for the infrastructure. Unfortunately, this is not always the case, and some scanners generate such amounts of load that they can almost be considered DDoS attacks. To learn more about how Radware’s ERT Active Attackers Feed (EAAF) can help detect and block the grey noise of the internet, check out Radware’s latest advisory below!

Suggested Articles:

Radware Threat Advisory – Internet Noise is Taxing Online Service and Businesses

Credential Access

Credential Access and Impacts Down Range

Information stealers that harvest valid user credentials are a major component of the underground cyber-crime economy. With nearly a dozen information stealers currently in operation, and potential log buyers ranging from ransomware affiliates to corporate spies, organizations need to extract and leverage actionable intelligence from recent events. Learning from breaches like the one that affected Uber is a great way to reinforce your organization’s defensive posture. If you want to learn more about the digital underground economy related to credential access, join Radware and Cybersixgill for a special webinar on December 15. In it, we’ll dive into the known forums and marketplaces that sell information stealers and compromised valid credentials.

Suggested Articles:

Radware Blog – Credential Access via Information Stealers

TikTok-as-a-Lure

Teenagers are undoubtedly very impressionable and are consistently seeking approval by participating in the latest internet trends. Unfortunately, this is all that threat actors need to target the young and impressionable. As recently disclosed in a blog from Checkmarx, a TikTok challenge called the “Invisible Challenge” has been leveraged by threat actors to distribute the W4SP information stealer. The “Invisible Challenge” requires users to use the “Invisible Body” filter on TikTok to record a nude video that blurs out their body. The lure for the attack is a piece of software on GitHub called “unfliter,” which claims to be able to remove the TikTok filter from all the videos related to the “Invisible Challenge”. W4SP Stealer is a polymorphic piece of malware with reboot persistence that uses steganography to hide code inside packages. The information stealer is designed to grab victims’ Discord accounts, passwords, crypto wallets, credit cards, and other personally identifiable information.

Suggested Articles:

Attackers Use a Popular TikTok Challenge to Lure Users into Installing Malicious Package

Phylum Discovers Dozens More PyPI Packages Attempting to Deliver W4SP Stealer in Ongoing Supply-Chain Attack

Raids and Arrests

How Not to Properly Lizard

Julius “ZeeKill” Kivimaki, a hacker affiliated with Lizard Squad and HTP, has reached new heights and is officially on the run after making Europe’s most wanted list. ZeeKill was one of the most savage and entertaining hackers of the last decade. His notable campaigns range from DDoS attacks targeting the PlayStation and Xbox networks during the holiday season to targeting gaming executives with bomb threats. At 17, he was finally arrested and convicted in Finland for over 50,000 aggravated cybercrimes related to his activities with Lizard Squad and HTP. ZeeKill was given only a two-year suspended sentence for his crimes, which ultimately had no impact on his digital activities. Unfortunately, as the threat landscape progressed, so did ZeeKill. Eventually, during the pandemic, ZeeKill transitioned from lulz-based operations to more profitable ones. ZeeKill is currently on the run from authorities after failing to appear and for extorting a psychotherapy center for 450,000 euros.

Suggested Articles:

Hacker Charged with Extorting Online Psychotherapy Service

Suggested Newsletters

Are you looking for additional resources and news related to the current threat landscape? Check out these security newsletters suggested by our researchers at Radware.

  • Risky Business – https://risky.biz/

  • This week in security – https://this.weekinsecurity.com/

  • Zero Day – https://zetter.substack.com/

  • The Info Op – https://grugq.substack.com/

  • SANS @RISK – https://www.sans.org/newsletters/at-risk/

  • Masafumi Negishi – https://www.getrevue.co/profile/masafuminegishi

Join the conversation!

Do you have additional insight or comments? Join the conversation with our researchers at Radware on Telegram.

https://t.me/RadwareResearchChat

This is a Security Bloggers Network syndicated blog from Threat Researchers Newsletter authored by Radware Research. Read the original post at: https://radware.substack.com/p/threat-researchers-newsletter-issue-5-1436471