
Threat Researchers Newsletter #8

Welcome to the latest edition of our monthly Threat Researchers newsletter! In this issue, we cover various topics, from the resurgence of hacktivist groups and operations to the latest cyber threats and developments in the fight against cybercrime. We discuss how Muslim hacktivist groups have targeted Australia in response to a controversial fashion show and the potential impact of Ukraine integrating its volunteer hackers into its armed forces. We also explore the use of social media in military operations, botnets leveraging vulnerabilities, and recent data breaches affecting Capitol Hill and healthcare organizations. Finally, we cover recent arrests and crackdowns on cybercriminals, including a fake DDoS-for-hire service created by the U.K.’s National Crime Agency.

As always, please do not hesitate to contact us via our Telegram chat channel, email, or social media if there is a cyber-attack that we did not cover this month or one that you would like us to cover next month on our monthly stream, Threat Researchers Live.


Table of Contents

  • Threat Alerts

  • War in Ukraine

  • DDoS Attacks

  • Supply Chain Attacks

  • Bots and Botnets

  • Breaches

  • Swatting

  • Raids and Arrests

  • Federal Honeypot

Threat Alerts

OpAustralia/opsjentik

Muslim hacktivist groups have targeted Australia in a large-scale denial-of-service and website defacement campaign in response to a controversial fashion show by Australian label Not A Man’s Dream. The brand featured designs with the word “Allah” in Arabic, causing outrage in the Muslim community. The hacktivist groups, including Team insane pk, Eagle Cyber, and Mysterious Team, have attacked over 70 Australian sites, including government websites, ports, banks, and private businesses under the operation tags #OpAustralia and #opsjentik. These attacks highlight the need for organizations to be prepared for potential cyber threats and demonstrate that any organization can become a target of hacktivists.


Suggested Article:

OpAustralia/OpsJentik

OpIsrael: A Decade in Review

Anonymous and operations like OpIsrael have seen a decline in support over the years due to fragmentation, competition, and an escalating threat landscape. However, the war in Ukraine and geopolitical tensions have led to renewed growth in hacktivism, impacting how future armed conflicts will be fought. OpIsrael, launched in response to an Israeli military operation in 2012, has since evolved into an annual campaign against Israel. Anonymous employs various attack vectors, including defacements, data leaks, denial-of-service attacks, and phishing. Although the group is known to exaggerate its accomplishments, their actions have spurred discussions on cybersecurity, hacktivism, and the need for increased transparency. As hacktivist groups like Anonymous reemerge amid global tensions, organizations in Israel should stay alert, monitor the evolving threat landscape, and adopt comprehensive cybersecurity measures to protect their assets.

Suggested Article:

OpIsrael: A Decade in Review

War in Ukraine

Legalizing the IT Army

Ukraine is drafting a new law integrating its volunteer hackers, the IT Army, into the armed forces. This move aims to resolve the group’s legal gray area status and addresses concerns raised by the Red Cross. The IT Army has claimed responsibility for cyber-attacks against Russian state media but has also faced criticism for targeting civilian infrastructure. If the law passes, Ukraine will join a few Western nations with full-scale reserve cyber forces, such as Finland and Estonia. The new law aims to build the state’s cyber defense capabilities and create a cyber reserve comprising civilian cyber experts trained by the military. The proposed cyber reserve would absorb the IT Army into a more formal force. Adopting the Estonian model for a cyber reserve would address questions about the IT Army’s legal status and help differentiate combatants from civilians in cyber operations.

Suggested Article:

Ukraine Scrambles to Draft Cyber Law, Legalizing Its Volunteer Hacker Army

Cyber Influencers Support Military Operations

The Ukrainian Ministry of Defense and its soldiers have used social media to share their experiences from the battlefield, garnering significant international attention and support. This distributed message campaign, which utilizes everyday citizens and soldiers to post pro-Ukrainian content directly to their social media feeds, has been highly influential in the information warfare against Russia.

The U.S. military could learn from this strategy by adopting employee advocacy programs similar to those run by Fortune 500 companies. By empowering service members to share their stories on social media, the military could both strengthen its hand in information warfare and address its recruitment challenges. To implement such a program, the Department of Defense should recruit social-media-savvy personnel, provide proper training, and reward successful content creators.

However, there are risks involved in adopting this strategy. The military should consider rules of engagement and guidelines to mitigate potential dangers. Starting small, the military could onboard a select group, train them in established policies, and develop rules for sharing content. By embracing authenticity and trusting its service members to tell their stories online, the U.S. military could strengthen its public image and better support future military operations.

Suggested Article:

The Ukrainian Army is Leveraging Online Influencers. Can the U.S. Military?

Russian TV Broadcasts Nationwide Nuclear Alert

Russian TV and radio stations were hacked on Thursday, broadcasting alarming messages about a nuclear attack and urging residents to wear gas masks and seek shelter. Viewers in eastern Russia were even told to take potassium iodide pills and go to shelters immediately. The messages, displayed on TV and radio stations in the Moscow and Sverdlovsk regions, also interrupted programming in Yekaterinburg, Russia’s fourth-largest city.

The Russian emergency ministry released a statement to reassure residents that the air raid alert was false and had been broadcast after the servers of radio stations and TV channels were hacked. Such hacks have become more common since Russia invaded neighboring Ukraine, with hackers targeting Russians with fake attack messages.

During President Vladimir Putin’s speech the day before the latest hack, the IT Army of Ukraine claimed responsibility for hacking streaming services in Russia. However, the group has not claimed responsibility for the recent warning on Russian TV and radio.

Suggested Article:

Russian TV Hacked to Broadcast Nationwide Nuclear Alert

DDoS Attacks

Wisconsin Courts Hit with DDoS Attack

Wisconsin’s state court system experienced a denial-of-service attack this week, leading to intermittent service and slower response times for some online services. Although the attack temporarily slowed networks, no court data was breached, and court operations continued as usual. The Consolidated Court Automation Programs (CCAP) and other state agencies have been praised for their quick and effective response. Individuals who face issues filing documents through the digital system are advised to contact their circuit court clerk or county court for assistance. The identity of the attackers and the involvement of federal law agencies remain undisclosed. This incident is the latest in a series of cyberattacks on the U.S. court system, including ransomware attacks in Florida and Ohio and the Russian hacking of the federal judiciary’s electronic filing system in 2021.

Suggested Article:

Wisconsin Court System Affected by DDoS Incident

Supply Chain Attacks

3CX Supply Chain Attack

A trojanized version of the 3CX VoIP desktop client, used by over 600,000 companies with 12 million daily users, is currently being utilized in an ongoing supply chain attack. Security researchers from Sophos and CrowdStrike have reported that both Windows and macOS users of the compromised app are being targeted. The attackers have been linked to the North Korean state-backed hacking group Labyrinth Chollima.

The supply chain attack, dubbed ‘SmoothOperator,’ involves downloading a trojanized 3CX desktop app from the company’s website or through an update pushed to an already installed application. The attackers employ malicious DLL files to perform the next stages of the attack, ultimately downloading previously unknown information-stealing malware. This malware can harvest system info and steal data and stored credentials from Chrome, Edge, Brave, and Firefox user profiles. 3CX CEO Nick Galea confirmed the compromise and recommended that customers uninstall the desktop app and switch to the PWA client. 

Suggested Article:

Hackers Compromise 3CX Desktop App in a Supply Chain Attack

Bots and Botnets

Botnets Leveraging Cacti and Realtek Vulnerabilities

Between January and March 2023, multiple malware botnets actively targeted Cacti and Realtek vulnerabilities, spreading ShellBot and Moobot malware. These campaigns exploit two critical flaws that allow command injection and remote code execution: CVE-2021-35394 in the Realtek SDK and CVE-2022-46169 in Cacti. Fortinet reported significant malicious activity in 2023 targeting exposed network devices for DDoS attacks. Moobot, a Mirai variant, infects hosts by exploiting both flaws, while ShellBot primarily targets the Cacti flaw. Both malware families continue to evolve and are under active development. To defend against these threats, use strong administrator passwords, apply the security updates for the vulnerabilities mentioned, and replace unsupported devices with newer models.

Suggested Article:

Realtek and Cacti Flaws Now Actively Exploited by Malware Botnets

Prometei Botnet

In a recent cybersecurity update from Cisco Talos, the Prometei botnet malware, first observed in 2016, has infected over 10,000 systems worldwide since November 2022. Notably targeting Brazil, Indonesia, and Turkey, the modular botnet is known for exploiting ProxyLogon Microsoft Exchange Server flaws and avoiding Russian networks. The latest version, Prometei v3, enhances existing features and challenges forensic analysis, making it more difficult to detect and remove. The attack sequence involves the execution of PowerShell commands, followed by using Prometei’s main module and auxiliary components. The v3 variant also uses a domain generation algorithm (DGA) to build its command-and-control infrastructure. It deploys an Apache web server with a PHP-based web shell. Continuous updates since its inception in 2016 make Prometei a persistent threat to organizations, with its financially motivated and geographically indiscriminate targeting strategy.

Suggested Article:

Prometei Botnet Improves Modules and Exhibits New Capabilities in Recent Updates

HinataBot

Akamai’s Security Intelligence Response Team (SIRT) has reported on a new Go-based DDoS-focused botnet called HinataBot, named after a character from the anime series Naruto. Since early 2023, HinataBot has been distributed via exposed HTTP and SSH services, exploiting old vulnerabilities and weak credentials in Realtek SDK devices, Huawei HG532 routers, and Hadoop YARN servers. Researchers found similarities between HinataBot and the notorious Mirai malware family. The botnet is still under active development and can potentially launch powerful DDoS attacks using HTTP and UDP flood methods. As HinataBot evolves, there is a risk of encountering more potent versions in the wild.

Suggested Article:

Uncovering HinataBot: A Deep Dive into a Go-Based Threat

Breaches

Data Breach Impacts Capitol Hill

A significant data breach at D.C. Health Link, the online marketplace for the Affordable Care Act that administers health care plans for members of Congress and certain Capitol Hill staff, has potentially exposed the personally identifiable information of hundreds of lawmakers and staff. The FBI and the U.S. Capitol Police alerted Chief Administrative Officer Catherine L. Szpindor to the breach. The full extent of the breach is still unknown, but it is not believed that House lawmakers were specifically targeted. Impacted individuals will be notified and provided with identity and credit monitoring services. The breach has also affected Senate offices, and investigations are ongoing to determine the extent of the breach and the data compromised. It is reported that the FBI purchased some of the stolen material that was being sold on BreachForums by a threat actor.

Suggested Article:

Data Breach Hits ‘Hundreds’ of Lawmakers and Staff on Capitol Hill

Patients Sue After Data Leaked

A cancer patient has initiated a class-action lawsuit against Lehigh Valley Health Network (LVHN) after a cybercriminal group, BlackCat, stole and leaked sensitive data, including nude images of patients, following LVHN’s refusal to pay a ransom. BlackCat, a group linked to Russia, targeted the Allentown-based health network in February and has previously demanded ransoms as high as $1.5 million. The lawsuit accuses LVHN of negligence in protecting sensitive information. LVHN has not commented on the legal matter but has previously denounced the cyberattack as “despicable” and “unconscionable.”

Suggested Article:

Cancer Patient Sues LVHN Over Cyberattack in Which Photos, Data Were Leaked on Dark Web

Swatting

Mass Swatting Event

In a recent wave of hoax calls, nine school districts in Kansas have experienced “swatting incidents,” where false reports of active shooters at high schools were made. These incidents have been a cause for concern across the country, as similar cases were reported in Minnesota, Texas, California, Florida, Arkansas, Oregon, Illinois, and Oklahoma. The Kansas Bureau of Investigation is currently working with local and federal agencies to identify those responsible. Swatting, defined by the FBI as harassment, aims to deceive emergency services into dispatching first responders under false pretenses.

Suggested Articles:

As Many as 8 Kansas High Schools Report Receiving Swatting Hoax Calls Wednesday Morning

Minnesota DPS: Eight Fake School Shooting Calls Reported in Two Days

Raids and Arrests

Authorities Arrest Two Members of DoppelPaymer

In a joint operation on February 28, 2023, German Regional Police, Ukrainian National Police, Europol, Dutch Police, and the U.S. FBI targeted core members of the criminal group behind the DoppelPaymer ransomware attacks. First appearing in 2019, DoppelPaymer targeted organizations and critical infrastructure using a double extortion scheme. The attackers compromised systems with the EMOTET malware and distributed ransomware through phishing and spam emails. After compromise, the group would exfiltrate data and threaten to post it publicly on a dedicated leak site if a payment wasn’t made. At least 37 companies have fallen victim to the group, with U.S. victims paying out 40 million euros from May 2019 to March 2021.

During the operation, a German national suspected of playing a significant role in the ransomware group was arrested, while a Ukrainian national was interrogated in connection with the group. Europol deployed experts to support forensic analysis of the seized data, and further investigative activities are anticipated.

Suggested Article:

Germany and Ukraine Hit Two High-Value Ransomware Targets

Pompompurin Arrested

In a recent development, U.S. law enforcement arrested a New York man, Conor Brian Fitzpatrick, believed to be Pompompurin, the owner of the BreachForums. He was charged with one count of conspiracy to solicit individuals to sell unauthorized access devices. Released on a $300,000 bond, Fitzpatrick will appear in court on March 24. Pompompurin is a well-known figure in the cybercriminal underground, involved in breaching companies and selling or leaking stolen data. After the FBI seized RaidForums in 2022, he created BreachForums, which has since become the largest data leak forum of its kind. Pompompurin has also been linked to various high-profile company breaches, including the FBI’s Law Enforcement Enterprise Portal (LEEP), Robinhood, and Twitter.

Suggested Article:

Alleged BreachForums Owner Pompompurin Arrested on Cybercrime Charges

Authorities Raid DDoS-for-Hire Hosting Service

German authorities have seized internet servers powering FlyHosting, a dark web service catering to cybercriminals operating DDoS-for-hire services. After serving eight search warrants, five individuals aged 16-24 were identified as suspects who had been operating the service since mid-2021. As a result of the facilitated DDoS attacks, various companies’ websites and the Hesse police were overloaded, causing limited or no operation at times. Authorities confiscated servers, mobile phones, laptops, tablets, storage media, and handwritten notes from the suspects. This crackdown on FlyHosting is part of a broader international effort to combat DDoS-for-hire services, with initiatives such as the U.K. National Crime Agency’s creation of fake booter websites and the U.S. DOJ’s “Operation PowerOFF” targeting similar services.

Suggested Article:

German Police Raid DDoS-Friendly Host ‘FlyHosting’

Federal Honeypot

NCA Admits to Running Fake DDoS-for-Hire Service

Recently, the U.K.’s National Crime Agency (NCA) has created multiple fake DDoS-for-hire services to identify and track cybercriminals who use these platforms. These services, known as ‘booters,’ are used by individuals seeking to take down websites or disrupt operations for reasons such as espionage, revenge, extortion, or political motives. By simulating the appearance of genuine booter services, the NCA successfully infiltrated the cybercrime market and collected information about users attempting to purchase illegal services. “Operation PowerOFF” is an ongoing international law enforcement effort involving agencies from the U.S., the Netherlands, the U.K., Germany, and Poland. The NCA’s latest tactics aim to undermine trust in criminal markets and stop DDoS attacks at their source.

Suggested Article:

U.K. Creates Fake DDoS-for-Hire Sites to Identify Cybercriminals

Closing Remarks

This month’s events highlight the evolving nature of cyber threats and the need for organizations to be prepared for potential attacks. From hacktivist groups targeting Australia to the Prometei botnet’s geographically indiscriminate targeting strategy, the cyber landscape is constantly shifting. Additionally, the use of social media by the Ukrainian Ministry of Defense demonstrates the effectiveness of employee advocacy programs in the military. However, the risks must also be considered, and rules of engagement and guidelines should be established. It is also encouraging to see law enforcement agencies taking proactive measures to combat cybercrime, such as the NCA’s creation of fake DDoS-for-hire websites to track down cybercriminals, but we need to be aware that cybercriminals will react and respond. As the threat landscape evolves, organizations must stay informed, adopt comprehensive cybersecurity measures, and remain vigilant in defending against potential attacks.

Join the conversation!

Do you have additional insight or comments? Join the conversation with our researchers at Radware on Telegram: https://t.me/RadwareResearchChat


*** This is a Security Bloggers Network syndicated blog from Threat Researchers Newsletter authored by Radware Research. Read the original post at: https://radware.substack.com/p/threat-researchers-newsletter-8
