
Threat Researchers Newsletter #7
Welcome to the latest edition of our monthly Threat Researchers newsletter! It’s been a short month, but there has been no shortage of activity in the threat landscape. In this edition, we’ll cover the latest trends again, highlight recent high-profile incidents, and provide valuable tips for staying safe online.
We would also like to take this opportunity to bring your attention to our latest content piece, The 2022-2023 Global Threat Analysis Report. We invite you to download the report to discover the sharp rise in cyber-attacks in 2022 as threat actors increasingly target cloud infrastructures and remote workers. This report offers valuable insights and recommendations for organizations looking to strengthen their cybersecurity defenses.
As always, please do not hesitate to contact us via our Telegram chat channel, email, or social media if there is a cyber-attack that we did not cover this month or one that you would like us to cover in the future.
Table of Contents
- Hacktivism
- War in Ukraine
- Escalating Landscape
- Ransomware Campaigns
- Forums and Marketplaces
- Botnets
- Exploits in the Wild
- Hack the FBI
- Election Interference
- Crisis in Australia
- Raids and Arrests
Hacktivism
OpDenmark and OpSweden
An anti-Islam activist burned two copies of the Quran in front of a mosque and another in front of the Turkish Embassy in Copenhagen, Denmark. This has caused Turkey to summon the Danish ambassador and accuse Denmark of endorsing a hate crime.
The far-right activist Rasmus Paludan, who holds both Danish and Swedish citizenship, previously burned the Quran on January 21 in Sweden and has vowed to continue burning the Muslim holy book in Denmark until Sweden is admitted into NATO. Following the burnings, protests were held in several predominantly Muslim countries to denounce Paludan’s actions, prompting the United States and several European governments to issue security warnings cautioning their citizens in Turkey about possible retaliatory attacks. Turkey in turn issued an alert for its citizens in Europe, citing possible Islamophobic attacks.
Since Rasmus Paludan burned copies of the Quran, several hacktivist groups, including TurkHackTeam and Anonymous Sudan, have been launching DDoS attacks against government facilities, critical infrastructure, telecoms, and banks in Denmark and Sweden under the operations #OpDenmark and #OpSweden. Other groups, such as DragonForce Malaysia, have posted messages in support of the operations but have not been observed launching DDoS attacks.
Suggested Article:
Quran Burned in Front of Denmark Mosque, Turkish Embassy
War in Ukraine
Pro-Russian DDoS Campaign
Seven German airports experienced a large-scale DDoS attack, with Anonymous Russia claiming responsibility. The incident comes on the heels of an IT outage at Lufthansa, which has been falsely attributed to a pro-Russian hacker group called Killnet. The cyberattacks on German airports are part of a broader wave of incidents across Europe and the Middle East, with Anonymous Sudan and Al-Toufan claiming responsibility for attacks on Scandinavian Airlines and Bahrain’s airport.
Several hospital websites in the US and the Netherlands were reportedly taken down by DDoS attacks attributed to the Russian hacktivist groups Killnet and Passion. The University of Michigan Hospital and Stanford Health Care Center were among the facilities targeted in the US, while the University Medical Center Groningen in the Netherlands was also impacted. The attacks were reportedly launched in response to US President Biden’s decision to send tanks to Ukraine.
The Russian hacktivist group Killnet carried out a series of DDoS attacks against several public-facing websites of NATO, causing temporary disruptions. Killnet had previously announced the attacks via its Telegram channel. NATO confirmed the attack and stated that its technical teams are working to restore full access. Although NATO’s classified networks were not attacked, the cyber-attack may have impacted networks used by NATO’s Strategic Airlift Capability (SAC).
Suggested Article:
German Airports Hit by DDoS Attack, ‘Anonymous Russia’ Claims Responsibility
Pro-Russian Hacktivist Group Killnet Threat to HPH Sector
Killnet DDoS Attacks Disrupt NATO Websites
Suicide Helpline Outage
The US government has revealed that a cyberattack was responsible for an almost daylong outage of the national 988 mental health helpline in December 2022. The attack hit the network of Intrado, the company that provides telecommunications services for the helpline, and the federal agency that oversees the program, the Substance Abuse and Mental Health Services Administration, is now under pressure from lawmakers to prevent future attacks. The 988 number is a lifeline for millions of Americans in a mental health crisis, and the system is designed to work much like 911. Law enforcement agencies have been notified, and Intrado is working with a third-party assessor to investigate the incident. This is notable because Phoenix, a pro-Russian hacktivist group under the Killnet umbrella, has suggested it wants to indirectly kill people by launching DDoS attacks against suicide helplines.
Suggested Article:
Feds Say Cyberattack Caused Suicide Helpline’s Outage
Ukraine Strikes Back
Russian state media websites were briefly disrupted during President Vladimir Putin’s annual address to the Federal Assembly. According to the Russian state-run agency Tass, error messages reading “technical work is underway” were displayed, while the site of the All-Russia State Television and Radio Broadcasting Company (VGTRK) and the Smotrim.ru live-streaming platform also experienced outages. Russia’s RIA Novosti said the outages were due to a DDoS attack. While the source of the disruption was unconfirmed, the pro-Ukrainian hacktivist collective IT Army of Ukraine took to social media to claim responsibility for a DDoS attack on VGTRK, 1TV, and SMOTRIM.
Commercial radio stations in several Russian cities broadcast an emergency message urging citizens to rush to air raid shelters immediately because of an imminent missile attack. Both regional and federal authorities downplayed the broadcast, saying it was the work of a pro-Ukrainian hacktivist. The Russian Emergencies Ministry reported that an attack on the servers of several commercial radio stations in some regions of the country resulted in the airing of a false air raid alert and missile strike warning. The incident occurred just a day after attackers targeted media outlets owned by VGTRK, the state broadcaster, during online broadcasts of Vladimir Putin’s lengthy state-of-the-nation address to the Federal Assembly.
Suggested Article:
Russian State TV Website Goes Down During Putin Speech
Millions of Russians Told to Rush to Air Raid Shelters – but it was all a ‘Hack.’
Escalating Landscape
Ukraine’s Impact on the Threat Landscape
Google TAG, with additional research from Mandiant, has released a report, Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape, which analyses the role of cyber operations in the Russian invasion of Ukraine and how it transformed the cyber threat landscape. The report covers new findings and retrospective insights across government-backed attackers, information operations, and cybercriminal ecosystems. The report indicates that Russian government-backed attackers have engaged in a multi-pronged effort to gain an advantage in cyberspace during the war. The report also notes that the invasion has triggered a notable shift in the Eastern European cybercriminal ecosystem, which will likely have long-term implications for the coordination between criminal groups and the scale of cybercrime worldwide.
Suggested Article:
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
Civilians Always Have Been Military Targets
The International Committee of the Red Cross (ICRC) warned that civilians taking part in the hostilities between Russia and Ukraine through cyberspace could become legitimate targets for military action. The organization’s advisor on the digital technologies of warfare, Mauro Vignati, said the legal questions raised by digital volunteers participating in the conflict were causing concern about the humanitarian laws that protect civilians during wartime. The early days of the conflict saw an unprecedented mobilization of such volunteers, most visibly Ukraine’s IT Army, made up of domestic and international volunteers launching DDoS attacks against Russia; by taking a direct part in hostilities, those civilians risk forfeiting the protection international humanitarian law affords them.
Suggested Article:
Civilian Hackers Could Become Military Targets, Red Cross Warns
Belgium has a new Disclosure Policy
Belgium has introduced new vulnerability reporting frameworks that allow cybersecurity researchers to report bugs to organizations and the government legally. Researchers must report vulnerabilities to the relevant company or institution as soon as possible if they have a coordinated vulnerability disclosure policy. If problems arise or no response is received, researchers can send their reports to the Centre for Cyber Security Belgium. These guidelines are strict and take pains to state that they are meant for “people with good intentions” and “no intention to cause harm,” making clear that it is not a license for anyone to hack organizations or businesses.
Suggested Article:
Belgium institutes nationwide vulnerability disclosure policy
Ransomware Campaigns
ESXiArgs Ransomware
Attackers are actively targeting unpatched VMware ESXi servers through CVE-2021-21974, a two-year-old remote code execution vulnerability, to deploy a new ransomware payload dubbed ESXiArgs, according to admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR). The flaw is a heap overflow in ESXi’s OpenSLP service, which listens on port 427, and an unauthenticated attacker can trigger it in a low-complexity attack. CERT-FR said the campaign appears to exploit CVE-2021-21974 and is targeting ESXi hypervisors in version 6.x and prior to 6.7. The ransomware encrypts files with certain extensions on compromised ESXi servers and drops a .args file containing metadata alongside each encrypted file. The campaign has not seen much success, with only four ransom payments totalling $88,000, likely because a VMware ESXi recovery guide written by security researcher Enes Sonmez allowed many admins to rebuild their virtual machines and recover their data for free. Hosts that cannot be patched immediately should at least have the SLP service disabled and port 427 blocked, which is the workaround VMware published for this CVE.
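The quickest check a defender can run for this campaign is whether the OpenSLP service is reachable at all on an ESXi host. The script below is an added example written for this newsletter, not code from Radware, VMware or the ESXiArgs operators: it builds an SLPv2 Service Request (RFC 2608 header and SrvRqst body), sends it to udp/427, and parses whatever header comes back. The packet builder and header parser are pure functions that run offline; probe_host() and tcp_port_open() need network access to a real host. The host names and the SrvRply bytes used for testing are constructed.

```python
"""Is the OpenSLP service behind CVE-2021-21974 reachable on a host?

Added example: crafts an SLPv2 Service Request (RFC 2608) and parses the
reply header. Offline-testable builders/parsers plus a small network probe.
"""
import socket
import struct
from typing import Optional

SLP_PORT = 427
SLP_VERSION = 2
FN_SRVRQST, FN_SRVRPLY = 1, 2
FN_NAMES = {1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDeReg", 5: "SrvAck",
            6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert", 9: "SrvTypeRqst",
            10: "SrvTypeRply", 11: "SAAdvert"}


def _lstr(s: str) -> bytes:
    """SLP length-prefixed string: 2-byte big-endian length + bytes."""
    b = s.encode()
    return struct.pack("!H", len(b)) + b


def build_slp_message(fn: int, xid: int, body: bytes, lang: str = "en", flags: int = 0) -> bytes:
    """SLPv2 header (RFC 2608 section 8): version, function, 3-byte length,
    flags, 3-byte next-extension offset, XID, language tag length, tag."""
    lang_b = lang.encode("ascii")
    length = 14 + len(lang_b) + len(body)
    return (struct.pack("!BB", SLP_VERSION, fn) + length.to_bytes(3, "big")
            + struct.pack("!H", flags) + (0).to_bytes(3, "big")
            + struct.pack("!HH", xid, len(lang_b)) + lang_b + body)


def build_srvrqst(xid: int, service_type: str = "service:service-agent",
                  scope: str = "DEFAULT") -> bytes:
    """SrvRqst body (RFC 2608 section 8.1): PRList, service type, scope list,
    predicate, SLP SPI. Asking for service:service-agent makes any SLP host answer."""
    body = _lstr("") + _lstr(service_type) + _lstr(scope) + _lstr("") + _lstr("")
    return build_slp_message(FN_SRVRQST, xid, body)


def parse_slp_header(data: bytes) -> dict:
    """Decode an SLPv2 header; raises ValueError on anything that is not SLPv2."""
    if len(data) < 14:
        raise ValueError("short SLP header")
    version, fn = data[0], data[1]
    length = int.from_bytes(data[2:5], "big")
    flags = struct.unpack("!H", data[5:7])[0]
    xid, lang_len = struct.unpack("!HH", data[10:14])
    if version != SLP_VERSION:
        raise ValueError(f"not SLPv2 (version byte {version})")
    if length > len(data) or 14 + lang_len > length:
        raise ValueError("truncated SLP message")
    return {"version": version, "function_id": fn,
            "function": FN_NAMES.get(fn, f"unknown({fn})"),
            "length": length, "flags": flags, "xid": xid,
            "lang": data[14:14 + lang_len].decode("ascii", "replace"),
            "body": data[14 + lang_len:length]}


def probe_host(host: str, timeout: float = 2.0, xid: int = 1) -> Optional[dict]:
    """Unicast one SrvRqst to udp/427; return the parsed reply header, or None on silence.
    Silence is not proof the service is off (a firewall may simply drop the datagram)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srvrqst(xid), (host, SLP_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_slp_header(data)


def tcp_port_open(host: str, port: int = SLP_PORT, timeout: float = 2.0) -> bool:
    """ESXi's slpd also listens on tcp/427; a completed handshake means it is exposed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

A host that answers the SrvRqst (any function ID back, typically SrvRply or SAAdvert) or accepts the TCP connection is running SLP and, if it is ESXi without the February 2021 fix, is exposed to this campaign. The steps VMware documents for the workaround are to stop the daemon (/etc/init.d/slpd stop), close the firewall rule (esxcli network firewall ruleset set -r CIMSLP -e 0) and keep it off across reboots (chkconfig slpd off); rerun the probe afterwards to confirm.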
Suggested Article:
Massive ESXiArgs Ransomware Attack Targets VMware ESXi Servers Worldwide
Forums and Marketplaces
Tor and I2P Under Attack
The Tor and I2P networks are currently experiencing a series of DDoS attacks. The Tor network has been targeted since at least July 2022, degrading connectivity and leaving some users unable to reach onion services. The Tor team is working to mitigate the effects and protect the network, but the goal of the attacks and the identity of the attackers remain unknown. The I2P network has been under attack for the last three days, causing connectivity problems, particularly for routers running i2pd. The attackers are using a variety of tactics and changing them frequently.
Suggested Article:
Tor and I2P Networks Hit by Wave of Ongoing DDoS Attacks
Drug Market Openly Advertised
Darknet drug trading platform BlackSprut, which serves clients mainly in Eastern Europe, openly advertised its services on electronic billboards in Moscow. It is one of the leading illicit marketplaces in Russia and is known to back the Kremlin and support its invasion of Ukraine. The fact that BlackSprut could advertise openly in Moscow could indicate a certain level of permissiveness in Russia towards illegal drugs and darknet platforms.
Suggested Article:
Darknet Drug Market BlackSprut Openly Advertises on Billboards in Moscow
Infinity Forum
Infinity forum is a new online community established by the Infinity Team, an apparent collaboration between Killnet and Deanon Club. It is a forum and marketplace where both ethical and malicious individuals can discuss and buy/sell hacking tools, exploits, and vulnerabilities. Infinity forum generates income by selling advertising packages and vendor statuses to those who do business on the forum. Advertisement fees range from $200 to $1000 a month, while status fees range from $299 to $1499 for different levels of visibility. The forum’s creation highlights a growing and ever-evolving threat from pro-Russian hacktivists involved in the Russo-Ukrainian war—specifically, Killmilk and his social circles. Over the last year, Killmilk has continued to grow and expand his social networks to other pro-Russian threat groups and those supporting the Russian invasion of Ukraine. If Infinity is successful, it will produce a windfall of profits for pro-Russian threat groups.
Suggested Article:
Infinity Forum: Another Killnet Social Circle
Botnets
Medusa Botnet
Cyble Research and Intelligence Labs (CRIL) has discovered a new variant of the Medusa botnet built on the leaked Mirai source code. The Medusa botnet can perform a range of malicious activities, including DDoS attacks, ransomware attacks, brute force attacks, and the injection of additional payloads, and is capable of stealing sensitive information from victims’ machines. The botnet also has a “backdoor” feature that allows it to be controlled remotely.
Suggested Article:
Medusa Botnet Returns as a Mirai-Based Variant with Ransomware Sting
Passion Botnet
The Passion group, affiliated with Killnet and Anonymous Russia, is offering DDoS-as-a-Service to pro-Russian hacktivists through its Telegram channels. The Passion Botnet was used in attacks on medical institutions in several countries as retaliation for their support of Ukraine. The group has also carried out defacement attacks on small organizations in Japan and South Africa to draw attention to their botnet. The group offers subscribers ten attack vectors, with subscription fees ranging from $30 for seven days to $1,440 for a full year, and payment is accepted in Bitcoin, Tether, and through QIWI.
Suggested Article:
Zarya and Akur Group
The pro-Russian hacktivist group Zarya is building Mirai botnets to increase its DDoS capabilities and is launching attacks on targets in the West. Zarya hosts its propaganda website, attack campaign log, and malware on hosts in the akur[.]group domain, which provides hosting services for pro-Russian hacktivists. As the Russo-Ukrainian conflict continues to escalate, pro-Russian hacktivists are using more advanced and potent techniques, leveraging and cooperating with other hacktivist groups within the Russian-speaking community. Zarya targets government agencies, service providers, critical infrastructure, and civil service employees. The group has also posted information about previous hacking campaigns and leaked data on its website, which visitors can download. On February 12, a variant of the well-known Mirai malware was discovered on the Akur Group website after it infected one of Radware’s honeypots in Ukraine. The malware supports ten DDoS attack methods and carries 11 exploits for propagation.
Suggested Article:
Pro-Russian Hacktivists Leverage Mirai Botnets
Exploits in the Wild
Vulnerable QNAP Devices
Over 29,000 QNAP network-attached storage (NAS) devices are vulnerable to a critical security flaw, CVE-2022-27596. QNAP has assigned this bug a CVSS base score of 9.8/10 and recommends that customers running QTS 5.0.1 and QuTS hero h5.0.1 upgrade to QTS 5.0.1.2234 build 20221201 or later and QuTS hero h5.0.1.2248 build 20221215 or later. The vulnerability is not exploited in the wild yet, but QNAP customers are urged to immediately patch their NAS devices before threat actors take advantage of the flaw.
Suggested Article:
Over 29,000 QNAP Devices Vulnerable to Code Injection Attacks
Vulnerable Redis Services
A newly identified threat actor has been discovered running HeadCrab, a custom-made Redis malware that slips past conventional antivirus detection, to compromise Redis servers worldwide; the HeadCrab botnet has already taken control of at least 1,200 servers. Redis servers exposed to the internet without authentication are open to unauthorized access and command execution, and HeadCrab abuses exactly that: the attacker issues a SLAVEOF (REPLICAOF) command to turn the victim into a replica of an attacker-controlled master, and the replication sync that follows delivers a malicious Redis module, which is then loaded onto the host. The malware is highly sophisticated, with numerous options and capabilities, including custom commands that let the attacker operate it. The main impact of the attack is resource hijacking for cryptocurrency mining. The attacker has gone to great lengths to keep the attack stealthy, using numerous techniques to evade detection. Organizations can protect themselves by keeping Redis off the internet, requiring authentication, leaving protected mode on, disabling or renaming the MODULE and SLAVEOF/REPLICAOF commands where replication is not needed, and deploying detection and response tooling.
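The conditions HeadCrab depends on are all visible from a handful of Redis commands. The script below is an added example written for this newsletter, not code from Radware or from the researchers who documented HeadCrab: it speaks raw RESP over a socket (no client library), asks for INFO replication, MODULE LIST and CONFIG GET protected-mode, and flags missing authentication, protected mode being off, a replica link to a master you do not recognise, and any loaded module. The RESP encoder, parser and assessment logic run offline on the constructed replies included here; audit_host() needs a reachable server. The 203.0.113.77 master address, the module name and the host names are constructed for illustration.

```python
"""Triage a Redis instance for the replica/module takeover described above.

Added example. encode_command/parse_resp/parse_info/assess are offline;
audit_host talks to a live server.
"""
import socket
from typing import Iterable, List, Optional


class RespError(Exception):
    """A RESP '-' error line returned by the server (e.g. NOAUTH ...)."""


def encode_command(*args: str) -> bytes:
    """RESP array of bulk strings, the wire form of every Redis command."""
    out = [f"*{len(args)}\r\n".encode()]
    for a in args:
        b = a.encode()
        out.append(f"${len(b)}\r\n".encode() + b + b"\r\n")
    return b"".join(out)


def parse_resp(buf: bytes, pos: int = 0):
    """Decode one RESP2 value starting at pos; returns (value, next_pos).
    Raises ValueError when the buffer does not yet hold a complete value."""
    end = buf.index(b"\r\n", pos)          # ValueError if no CRLF yet
    kind, line = buf[pos:pos + 1], buf[pos + 1:end]
    pos = end + 2
    if kind == b"+":
        return line.decode(), pos
    if kind == b"-":
        return RespError(line.decode()), pos
    if kind == b":":
        return int(line), pos
    if kind == b"$":
        n = int(line)
        if n < 0:
            return None, pos               # null bulk string
        if len(buf) < pos + n + 2:
            raise ValueError("incomplete bulk string")
        return buf[pos:pos + n].decode(), pos + n + 2
    if kind == b"*":
        n = int(line)
        if n < 0:
            return None, pos
        items = []
        for _ in range(n):
            v, pos = parse_resp(buf, pos)
            items.append(v)
        return items, pos
    raise RuntimeError(f"unknown RESP prefix {kind!r}")


def parse_info(text: str) -> dict:
    """INFO output is 'key:value' lines; '#' lines are section headers."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            k, v = line.split(":", 1)
            out[k.strip()] = v.strip()
    return out


def assess(info: dict, modules: list, protected_mode: Optional[str],
           auth_required: bool, trusted_masters: Iterable[str]) -> List[str]:
    """Return the findings that matter for the SLAVEOF + MODULE LOAD technique."""
    findings = []
    if not auth_required:
        findings.append("no authentication required (commands accepted unauthenticated)")
    if protected_mode != "yes":
        findings.append(f"protected-mode is {protected_mode!r}, expected 'yes'")
    if info.get("role") == "slave":
        master = f"{info.get('master_host')}:{info.get('master_port')}"
        if info.get("master_host") not in set(trusted_masters):
            findings.append(f"replica of untrusted master {master}")
    for mod in modules:                    # MODULE LIST: [["name", <n>, "ver", <v>, ...], ...]
        fields = dict(zip(mod[::2], mod[1::2])) if isinstance(mod, list) else {}
        findings.append(f"loaded module {fields.get('name', mod)!r}: verify it is expected")
    return findings


def _call(sock: socket.socket, *args: str):
    sock.sendall(encode_command(*args))
    buf = b""
    while True:
        chunk = sock.recv(65536)
        if not chunk:
            raise ConnectionError("server closed connection")
        buf += chunk
        try:
            value, _ = parse_resp(buf)
            return value
        except ValueError:                 # reply not complete yet; keep reading
            continue


def audit_host(host: str, port: int = 6379, password: Optional[str] = None,
               trusted_masters: Iterable[str] = (), timeout: float = 3.0) -> List[str]:
    with socket.create_connection((host, port), timeout=timeout) as s:
        first = _call(s, "PING")
        auth_required = isinstance(first, RespError) and str(first).startswith("NOAUTH")
        if auth_required and not password:
            return ["server requires AUTH (good); supply a password to audit further"]
        if auth_required:
            _call(s, "AUTH", password)
        info = parse_info(_call(s, "INFO", "replication"))
        modules = _call(s, "MODULE", "LIST")
        pm = _call(s, "CONFIG", "GET", "protected-mode")
    protected = pm[1] if isinstance(pm, list) and len(pm) == 2 else None
    return assess(info, modules if isinstance(modules, list) else [],
                  protected, auth_required, trusted_masters)


# Constructed sample replies, shaped like what a hijacked instance would return.
SAMPLE_INFO = ("# Replication\r\nrole:slave\r\nmaster_host:203.0.113.77\r\n"
               "master_port:6379\r\nmaster_link_status:up\r\nconnected_slaves:0\r\n")
SAMPLE_MODULES = [["name", "constructed_mod", "ver", 1]]
```

The matching hardened configuration is the obvious inverse of the findings: bind to an internal interface, protected-mode yes, requirepass (or ACLs) set, and the MODULE and SLAVEOF/REPLICAOF commands renamed to an empty string with rename-command on instances that are not intentional replicas (Redis 7 additionally offers enable-module-command no, which is its default).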
Suggested Article:
HeadCrab: A Novel State-of-the-Art Redis Malware in a Global Campaign
Hack the FBI
Someone Tried to Hack the FBI
The FBI recently contained a cyber incident on a portion of its computer network that is used to investigate images of child sexual exploitation. The incident involved the FBI New York Field Office and is still being investigated to determine its origin. The FBI has not provided further comment on the matter. This incident is unrelated to a similar one in November 2021, when someone used a legitimate FBI email address to send phony emails to thousands of organizations about a purported cyber threat.
Suggested Article:
Exclusive: FBI says it has ‘contained’ cyber incident on bureau’s computer network
Election Interference
Israel is Great, but Have You Heard of Andres Sepulveda?
A new investigation by an international consortium of journalists has revealed that an Israeli company led by Tal Hanan has been manipulating elections worldwide for more than two decades through hacking, sabotage, and automated disinformation on social media. The unit, “Team Jorge,” runs a private service that meddles covertly in elections. Hanan and his team discussed gathering intelligence on rivals, such as hacking techniques to access Gmail and Telegram accounts. They boasted of planting material in legitimate news outlets, which are then amplified by their bot-management software, Advanced Impact Media Solutions (Aims). Aims controls thousands of fake social media profiles on Twitter, LinkedIn, Facebook, Telegram, Gmail, Instagram, and YouTube. Some avatars even have Amazon accounts with credit cards, bitcoin wallets, and Airbnb accounts.
Suggested Article:
Crisis in Australia
Atlassian Compromised by SiegedSec
Atlassian, the Australian tech giant that provides project management and collaboration software, appears to have been hacked, with data on thousands of employees and office floor plans posted online by a group calling itself SiegedSec. The company initially stated that its internal review found the data was accessed from the third-party app Envoy, which it uses to coordinate in-office resources, via the mistakenly posted credentials of an Atlassian employee. Envoy stated that its systems were not breached or compromised, and the two companies have been working to identify the source of the data compromise.
Suggested Article:
After Apparent Hack, Data from Australian Tech Giant Atlassian Dumped Online
https://cyberscoop.com/atlassian-hack-employee-data-seigedsec/
Raids and Arrests
Optus Extortionist Sentenced
A Sydney man has been sentenced to an 18-month community correction order and 100 hours of community service after attempting to blackmail Optus customers with stolen records he found online. The man, aged 20, was arrested on October 6, 2022, after investigators linked him to texts sent to dozens of Optus customers demanding they transfer $2,000 to a bank account. He sent text messages to at least 92 customers, but the Australian Federal Police has no evidence that any of them paid him. The offender identified the customers using details from the 10,200 stolen records posted online by hackers after the Optus data breach in September 2022.
Suggested Article:
Sydney Man Sentenced Over Data Breach SMS Scam
Ubiquiti Dev Pleads Guilty
Nickolas Sharp, a former employee of Ubiquiti, a New York-based technology company, has pleaded guilty to multiple federal crimes, including intentionally damaging a protected computer, wire fraud, and making false statements to the FBI. He secretly stole gigabytes of confidential files from his employer and then, posing as an anonymous hacker, demanded nearly $2 million to return the files and identify a purported vulnerability. Sharp subsequently caused the publication of misleading news articles about the company’s handling of the breach, which wiped more than $4 billion off the company’s market capitalization. Sharp will be sentenced on May 10, 2023, and faces a maximum combined sentence of 35 years in prison.
Suggested Article:
ZeeKill Arrested
A 25-year-old man known as ZeeKill, a former Lizard Squad member suspected of the major data breach at the Finnish psychotherapy centre Vastaamo, has been arrested in France after a short run from the authorities. He was taken into custody under a European arrest warrant. A Finnish court had ordered ZeeKill detained in absentia in October 2022 on suspicion of attempted extortion, data breaches, and aggravated infringement of privacy by disseminating information. The extradition process is being carried out in close collaboration with the French authorities. The investigation is still ongoing, but it appears that one can arrest a lizard after all.
Suggested Article:
Closing Remarks
In conclusion, the world of cybersecurity continues to face numerous challenges, including data breaches, ransomware attacks, and DDoS attacks. These incidents can cause significant harm to individuals and organizations, and law enforcement agencies worldwide are working tirelessly to combat these threats. As technology advances, prioritizing cybersecurity and taking proactive measures to protect sensitive data is more important than ever. By staying informed and following best practices for online security, we can all do our part to help create a safer and more secure digital world.
Join the conversation!
Do you have additional insight or comments? Join the conversation with our researchers at Radware on Telegram: https://t.me/RadwareResearchChat
*** This is a Security Bloggers Network syndicated blog from Threat Researchers Newsletter authored by Radware Research. Read the original post at: https://radware.substack.com/p/threat-researchers-newsletter-7