Home » Security Bloggers Network » Threat Researcher Newsletter – Issue #6

Threat Researcher Newsletter – Issue #6

by Radware Research on January 31, 2023

Happy New Year, and welcome to the latest edition of our monthly Threat Researchers newsletter! As the world becomes increasingly digitized, protecting our online assets and personal information becomes paramount. This edition will discuss the latest trends in cyber threats, provide tips on staying safe online, and highlight recent incidents that have made headlines. Whether you are a business owner, an individual, or a member of the IT community, this newsletter is designed to keep you informed and equipped to defend against cyber-attacks.

As always, please do not hesitate to reach out to us via our Telegram chat channel, email, or social media if there is a cyber-attack that we did not cover this month or one that you would like us to cover in the future.

Table of Content

Hacktivist Campaigns
Russian/Ukrainian War
Darknet
Botnets
InfoStealers
Card Testing
Supply Chain
Raids and Arrests

Hacktivist Campaigns

OpSerbia

The Serbian government has reported massive DDoS attacks amid heightened tensions in the Balkans. The attacks were reported to be coordinated and sophisticated, targeting multiple government websites and online platforms. The attacks also caused significant disruption to government services, including online portals for citizens to access information and services.

The hacktivist group Anonymous, known for its cyber activism and targeting of governments and organizations it perceives as corrupt or oppressive, has taken responsibility for the recent DDoS attack on the Serbian government’s online platforms. The group announced its involvement through its social media channels and cited the launch of the campaign “OpSerbia” in late December as the reason for the attack. The campaign was launched in response to Serbia’s political positioning in the Balkans and has targeted dozens of Serbian websites with DDoS and defacement attacks over the last month.

Suggested Article:

Serbian government reports ‘massive DDoS attack’ amid heightened tensions in Balkans

OpSafeWinter

International hacker group, Anonymous, has claimed responsibility for a cyberattack on the official website of Shibuya Ward in Tokyo. The ward first alerted the public to the issue on its Twitter account. Ward officials have stated that the disruption appears to have been caused by a DDoS attack. A Twitter account associated with Anonymous posted a message saying that the group had taken down the ward’s website in retaliation for the closing of homeless shelters in the area. The post also included hashtags referencing increased threats of forced evictions against the homeless in encampments in Mitake Park ahead of a planned redevelopment project. In response, the ward has stated that it is making arrangements for homeless people to stay in rented apartments.

Suggested Article:

Tokyo Shibuya Ward’s website likely was hacked

Russian/Ukrainian War

Patriotic Hacktivism

Last year, the question of whether DDoS attacks are a crime was raised. This topic has since sparked debate and received attention in news outlets, particularly regarding hacktivism and its role in the Russian/Ukrainian conflict. Some hackers may view their actions as patriotic, but they can also cause harm and damage a country’s reputation. The Ukrainian government acknowledges the issue with the IT Army but may not take decisive action to prevent non-Ukrainians from launching attacks on their behalf. The escalating cyber-warfare between Russia and Ukraine, specifically using hacktivism as a tactic, emphasizes the importance of international cooperation in addressing this growing problem. Unfortunately, the crisis and escalation in Ukraine have inspired other countries to begin shoring up their offensive capabilities, leaving many wondering what the future holds for the threat landscape.

Suggested Articles:

Should Ukraine rein in its patriotic hackers?

Hacktivism Is a Risky Career Path

IT Army of Ukraine

The IT Army of Ukraine, established by the Ukrainian government, is a group of pro-Ukrainian hackers from around the world who mainly target Russian organizations with DDoS and defacement attacks. They use defacement attacks typically to spread pro-Ukrainian messaging, such as the attack over the holidays where the IT Army posted a New Year’s message from the President of Ukraine to several Russian websites. Throughout 2022, the group has claimed responsibility for several high-profile defacements against Russian government websites, which often include messages critical of the Russian government and its actions in Ukraine.

Suggested Article:

IT Army of Ukraine

NoName057(16)

Recently, the pro-Russian hacktivist group NoName057(16) has been observed launching a series of DDoS attacks against the 2023 Czech presidential election, businesses across Poland and Lithuania, and the financial sector in Denmark. The group was also observed launching DDoS attacks against the cyber security firms, Avast and Cymru for reporting on their campaigns.

Suggested Articles:

Pro-Russia hackers use Telegram, Gitand Hub to attack Czech presidential election

Poland warns of pro-Kremlin cyberattacks aimed at destabilization

Hackers hit websites of Danish central bank, other banks

Warnings from Poland

The Polish government has warned about cyber-attacks by a hacking group linked to Russia called Ghostwriter. The group has been known to target government and military organizations and critical infrastructure providers. They use a variety of tactics, including spear-phishing and malware, to gain access to networks and steal sensitive information. The group is considered to be highly sophisticated and has been active for several years. The Polish government is urging organizations to protect themselves from these attacks, such as implementing security best practices and staying vigilant for suspicious activity.

Additionally, The Polish government has charged two individuals for espionage, alleged to be members of Russian intelligence services, known as the GRU. The charges come after a joint investigation by the Polish Internal Security Agency and the military counterintelligence service. The suspects are accused of conducting espionage activities in Poland, including recruiting Polish citizens to gather information for the GRU. The Polish government has warned these types of actions by foreign intelligence services are a threat to national security and is taking measures to counter them.

Suggested Articles:

Poland warns of attacks by Russia-linked Ghostwriter hacking group

Alleged Russian and Belarusian GRU spies charged in Poland

Killnet

The pro-Russian hacking group known as Killnet has been conducting many defacement campaigns similar to Anonymous Russia’s. These campaigns have specifically targeted United States government websites. The term “defacement” refers to altering a website’s appearance without permission from the website’s owner. Hackers usually do this to display a message or image of their choice, often used as a protest or to make a political statement. In this case, it is believed that Killnet is using these defacement campaigns to target the US government and undermine public confidence. It is essential for government agencies and other organizations to remain vigilant and implement strong cybersecurity measures to protect against these types of attacks.

In addition, support for criminal organizations like Killnet can come in many forms and be found in unexpected places. In Radware’s latest blog on Killnet’s social circles, we highlight this fact by showing how the group has obtained social and financial backing from individuals in Russia who support the occupation of Ukraine. From financial contributions to active participation in illegal activities to passive support through art and entertainment, the social circles of Killnet demonstrate the complexity of criminal organizations’ relationships, connections, and structure.

Suggested Article:

Exploring Killnet’s Social Circles

Darknet

Solaris vs Kraken

A darknet market known as Solaris, specializing in selling illegal drugs and reportedly affiliated with Killnet, was recently hijacked by a rival group called “Kraken.” The Solaris market has been operating for over a year and has many clients and vendors worldwide. The group had used advanced techniques to evade detection and had taken steps to ensure the anonymity of its clients. After the takeover, Kraken began selling the same illegal drugs as Solaris and offered money laundering services to clients. The incident highlights the ongoing problem of illicit drug trafficking on the darknet and market competition.

Suggested Articles:

Illegal Solaris darknet market hijacked by competitor Kraken

Botnets

8220 Gang

The 8220 Gang, also known as 8220 Mining Group, is a for-profit threat group from China that mainly targets cloud providers and poorly secured applications with a custom-built crypto miner and IRC bot. Crypto mining malware, like that used by the 8220 Gang, is designed to abuse a system’s resources to mine for cryptocurrency. While crypto mining malware may seem a relatively harmless threat, it can significantly impact the public cloud’s performance, security, and cost. The main concern with crypto mining malware is that it can dramatically affect the system’s performance. But it can also expose systems to additional security risks. Once infected, threat actors can use the same access to install other types of malware, such as keyloggers or remote access tools, which can subsequently be leveraged to steal sensitive information, gain unauthorized access to sensitive data, or deploy ransomware and wipers. Organizations should adopt a comprehensive security strategy that includes security controls, monitoring, and incident response capabilities to protect their cloud environments and applications from crypto mining campaigns. Additionally, organizations should ensure their security controls provide complete visibility into their hybrid and multi-cloud environment to better detect and respond to new security threats.

Suggested Article:

The 8220 Gang: Targeting cloud providers and vulnerable applications

RapperBot

Researchers at Qianxin have discovered a new variant of the Rapper botnet. The botnet is primarily used for cryptocurrency mining and has been found to infect both Windows and Linux systems. Rapper botnet uses various techniques to propagate itself, exploiting vulnerabilities in unpatched systems and using weak or stolen credentials. The botnet also uses a rootkit to hide its presence on infected systems and to evade detection by security software. The botnet is believed to be controlled by cyber criminals and is actively mining Monero, a type of cryptocurrency. The botnet is a reminder of the need for individuals and organizations to keep their systems updated and secure to protect against such threats.

Suggested Articles:

Watch Out for New Variants of Rapper Botnet and Related Mining Activities

InfoStealers

CircleCI Targeted by InfoStealer

CircleCI, a cloud-based continuous integration and delivery platform, recently suffered a security breach caused by malware deployed to a CircleCI engineer’s laptop. The malware could steal a valid, 2FA-backed SSO session, and the attackers could impersonate the targeted employee in a remote location and then escalate access to a subset of production systems. The unauthorized third party could access and exfiltrate data from several databases and stores, including customer environment variables, tokens, and keys. The company promptly addressed the issue, but not before the unauthorized third party engaged in reconnaissance activity and exfiltration of encrypted data at rest. They are working with third-party cyber security specialists to investigate the incident and validate their findings.

Suggested Article:

CircleCI incident report

Ukrainian DELTA System

On December 17, 2022, the Government Computer Emergency Response Team of Ukraine (CERT-UA) received information about a phishing campaign distributed through email and messengers. The attackers used a compromised email address of an employee of the Ministry of Defense to send a message about the need to update certificates in the “DELTA” system. The attackers included a link to a malicious ZIP archive in the attachments, which, when clicked, would download malware onto the victim’s computer. Once downloaded, the malware would launch RomCom malware that would steal files with specific extensions, including ‘.txt,’ ‘.rtf,’ ‘.xls,’ ‘.xlsx,’ ‘.ods,’ ‘.cmd,’ ‘.pdf,’ ‘.vbs,’ ‘.ps1’, ‘.one,’ ‘.kdb,’ ‘.kdbx,’ ‘.doc,’ ‘.docx,’ ‘.odt,’ ‘.eml,’ ‘.msg,’ ‘.email’ using FTP and exfiltrate them. The activity is tracked under UAC-0142 but has similarities to threat cluster UAC-0132 (CERT-UA#5509).

Suggested Article:

Ukraine’s DELTA military system users targeted by info-stealing malware

FBI Warning

The Federal Bureau of Investigation (FBI) is warning the public that cybercriminals use search engine advertisement services to impersonate well-known brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information. These cyber criminals purchase advertisements that appear within internet search results using a domain similar to an actual business or service. Once users click on the ad, they are directed to a webpage identical to the impersonated business’s official website. The FBI recommends that individuals and companies check URLs, use ad-blocking extensions, and educate users about spoofed websites.

Suggested Article:

Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users

Google Malvertising

According to security researcher Will Dormann, cybercriminals use Google Search advertising links to distribute malware. Dormann found that paid listings on the search engine that purported to link to legitimate software websites were instead decoys leading to malware-containing websites. The researcher questioned why the Google-owned threat analyzer VirusTotal could not be used to check sponsored links for malware automatically. A Google spokesperson said protecting users was the company’s top priority and took “dishonest business practices very seriously.”

Suggested Articles:

Malvertising on Google Ads is a growing problem that isn’t going away

Google Ads invites being abused to push spam, adult sites

Card Testing

Powell Lacrosse

In a bot attack, the online website of Powell Lacrosse in Chittenango, NY, was targeted with 20,000 fraudulent online transactions over the holiday weekend. This type of attack is known as ‘card testing’ and involves threat actors leveraging bots to make small purchases with large batches of credit cards to determine the validity of the card numbers. If the attack is not mitigated correctly, it can have a massive impact on business operations and, in some cases, bankrupt a company due to network, transaction, dispute, and resolution fees.

Suggested Article:

22,000 orders, most for $12.71, in a weekend? Powell brothers lacrosse company hit by cyber attack

Supply Chain

PyTorch

PyTorch, a machine learning library for Python, warned users who installed PyTorch-nightly between December 25th and December 30th, 2022, to ensure their systems were not compromised due to a malicious dependency named “torchtriton” that appeared on the Python Package Index (PyPI) registry. They urged users to uninstall it immediately and use the latest nightly binaries. The malicious dependency shares the same name with an official library on PyTorch-nightly’s repo, causing it to be pulled on users’ machines instead of the legitimate one. This type of attack is known as “dependency confusion,” and PyTorch stated that users of the stable packages are not affected.

Suggested Article:

PyTorch discloses malicious dependency chain compromise over holidays

Ransomware

The Guardian

The Guardian newspaper has confirmed that the cyber incident it experienced in December was a criminal ransomware attack and that the criminals are believed to have accessed staff data. Staff was told to work from home until January 23, and the company contacted the data protection regulator to comply with legal requirements around data breaches. The email, signed by the newspaper’s editor Katharine Viner and chief executive Anna Bateson, said that the sensitive data accessed related to employment details, including “name, National Insurance number, address, salary, identity documents such as passports.” The Guardian acknowledged that “there is the potential for these types of data to be combined and used for identity fraud” but said it has “seen no evidence that personal data has been exposed online, and so the risk is low.”

Suggested Article:

The Guardian confirms criminals accessed staff data in ransomware attack

Rackspace

Cloud computing provider Rackspace has confirmed that the Play ransomware operation was behind a cyberattack that took down the company’s hosted Microsoft Exchange environments. The attack used a new exploit called OWASSRF, which allowed the attackers to bypass ProxyNotShell URL rewrite mitigations provided by Microsoft by likely targeting a critical flaw (CVE-2022-41080) allows remote privilege escalation on Exchange servers. They also gained remote code execution on vulnerable servers by abusing CVE-2022-41082. Rackspace has provided customers free licenses to migrate their email from its Hosted Exchange platform to Microsoft 365 and is working on delivering affected users with download links to their mailboxes.

Suggested Article:

Rackspace confirms Play ransomware was behind recent cyberattack

Raids and Arrests

Aaron Sterritt, aka Vamp

A County Antrim man, Aaron Sterritt, is being sought in America over his alleged central role in a scheme to facilitate cyber-attacks. He appeared at Belfast County Court for the first stage in an extradition process to face fraud charges in the United States. Sterritt is accused of conspiring to develop and operate a series of botnets known as Satori, Masuta, and Okiru for potential distributed denial of service attacks on computer sites or networks and selling access to the software to generate illicit proceeds. He is facing fraud and conspiracy to commit fraud offenses. His defense lawyers are set to argue that it would be oppressive and a breach of human rights to have him stand trial on mental health grounds.

Suggested Article:

Co Antrim man accused of role in cyber-attacks scheme appears before court in Belfast as US seeks his extradition

Operations Power Off

The FBI has seized 48 internet domains associated with some of the world’s leading DDoS-for-hire services and filed criminal charges against six defendants who allegedly oversaw attack platforms commonly called “booter” services. The websites targeted in this operation were used to launch millions of DDoS attacks targeting victims worldwide. The coordinated law enforcement action came just before the Christmas holiday period, which typically increases DDoS attacks significantly across the gaming world. In addition to the website seizures, the FBI, the United Kingdom’s National Crime Agency, and the Netherlands Police have launched an advertising campaign using targeted placement ads in search engines triggered by keywords associated with DDoS activities.

Suggested Article:

Federal Prosecutors in Los Angeles and Alaska Charge 6 Defendants with Operating Websites that Offered Computer Attack Services

Closing Remarks

As we close out this month’s newsletter, we remind our readers to remain vigilant in protecting their online identities and assets. Cyber security is constantly evolving, and staying updated on the latest threats and best practices are essential. Remember to use strong, unique passwords, update your software and devices regularly, and think twice before clicking on suspicious links or attachments. Thank you for reading, and stay safe in the cyber world.