
Threat Researchers Newsletter #9

Welcome to the latest edition of Radware’s monthly Threat Researchers Newsletter! This issue covers a wide range of cyberattacks and developments in the threat landscape. We will discuss the resurgence of hacktivist operations, such as OpIsrael and OpsPetir, fueled by geopolitical tensions in the Middle East and the ongoing conflict in Ukraine. We will also provide insight into other hacktivist campaigns, including the most targeted countries and industries and the motivations behind these attacks. We will examine the Eurocontrol cyberattacks, the future of Ukraine’s IT Army, and the latest training program released by Killnet. In addition, we will explore recent supply chain attacks, including the 3CX breach, the Discord leaks, and the connection between the FSB and the Zarya hacktivist group. We will also cover recent legal actions surrounding ransomware attacks, the concerns surrounding DDoS attacks, and the recently disclosed vulnerability in the Service Location Protocol (SLP). Furthermore, we discuss the recent swatting incidents targeting New York schools and noteworthy raids and arrests, including the arrest of RATY and the raid on Genesis Market. Stay informed and vigilant as we investigate the latest cyber threats and trends.

As always, please do not hesitate to contact us via our Telegram chat channel, email, or social media if there is a cyber-attack that we did not cover this month or one that you would like us to cover next month on our monthly stream, Threat Researchers Live.


Table of Contents

  • Radware Alerts

  • War in Ukraine

  • Supply Chain Attacks

  • Discord Leaks

  • Legal Action

  • Packet District

  • Swatting, Again

  • Raids and Arrests

Radware Alerts

OpIsrael

Radware raised concerns at the end of March about the potential resurgence of Anonymous operations like OpIsrael, which could pose a significant threat to organizations across various sectors in Israel. This was mainly due to the ongoing conflict in Ukraine and geopolitical tensions surrounding Israel, which have fueled a revival in hacktivism. In the past few weeks, hacktivist groups have ramped up their activities for the 10th anniversary of OpIsrael. Anonymous Sudan, an unexpected participant, has launched a series of highly impactful DDoS attacks on various sectors, including healthcare, government, and education. As OpIsrael 2023 comes and goes, organizations in Israel must remain vigilant and implement comprehensive cybersecurity measures to protect their resources and minimize the impact of potential attacks. The recent DDoS attacks on Israel’s enterprises and infrastructure serve as a wake-up call, demonstrating that even unsophisticated attacks can pose significant risks to well-defended targets.

Suggested Article:

New DDoS attacks on Israel’s enterprises, infrastructure should be a wake-up call

OpsPetir

This month, DragonForce Malaysia, a pro-Palestinian hacktivist group, announced a new operation called OpsPetir, targeting Israel. This rebranded campaign follows OpsBedil in 2021 and OpsBedil Reloaded in 2022, both reactions to political events involving Israel. OpsPetir began on April 12th and lasted until April 21st. DragonForce Malaysia is known for collaborating with various threat groups and using its forum and social media platforms to organize and disseminate information about its campaigns. The group utilized a denial-of-service tool called CyberTroopers, which leverages free and open proxies to launch attacks, aiming to disrupt and temporarily disable targeted online services and websites. DragonForce Malaysia planned to focus its attacks on various sectors, including religion, finance, healthcare, service providers, transportation, education, and government. Entities that support Israel directly or indirectly should be vigilant during the month of April, as they may become targets of DragonForce Malaysia’s operations in the future.

Suggested Article:

Radware alert on OpsPetir

Hacktivism Unveiled

A new alert by Radware Research, titled “Hacktivism Unveiled, April 2023 Insights into the Footprints of Hacktivists,” provides insights into recent DDoS attacks claimed by hacktivists between February 18 and April 18, 2023. The report analyzes various aspects of hacktivism, including the countries and industries targeted, the motivations behind the attacks, and the hacktivist groups involved. The most attacked countries were Israel, India, Poland, Australia, the United States, and Germany, with attacks driven by religious and political motivations. Business and government websites were the most targeted globally, followed by travel, education, financial services, military, and healthcare sectors. The report also discusses the emergence of patriotic and pro-Russian hacktivist groups in response to the Russo-Ukraine conflict.

Suggested Article:

Hacktivism Unveiled

War in Ukraine

Recent DDoS Attacks

In recent cyberattack news, Eurocontrol, Europe’s air traffic control authority, has been under attack by pro-Russian hackers since Wednesday. Although the website has been affected, air traffic and flights have not been impacted. Eurocontrol manages European airspace and shares information between commercial and military actors. Hackers thought to have ties to Russia’s military have targeted many European institutions that imposed sanctions on Moscow and supported the Ukrainian government after Russia invaded Ukraine last year. Pro-Russian hackers have also targeted Canadian websites during a visit by the Ukrainian prime minister. Killnet and Anonymous Sudan, Russia-sympathetic hacktivist groups, have also attacked Australian schools.

Suggested Articles:

European air traffic control says attack by ‘pro-Russian hackers’ not affecting flights

Trudeau shrugs off reports pro-Russian hackers brought down PMO websites

Pro-Russian hacktivists swarm Australian schools

Meet a member of the IT Army

The conflict between Russia and Ukraine has extended into the cyber domain, with hacker armies participating in the fight. The BBC’s cyber correspondent, Joe Tidy, traveled to Ukraine to speak with individuals involved in the cyber war and found that the lines between those working for the military and unofficial hacktivist groups have become blurred. The IT Army of Ukraine, a volunteer hacking network with nearly 200,000 members, is one of the most prominent hacker groups on the Ukrainian side. Meanwhile, Russian hacktivist groups, such as Killnet, have emerged with close links to the Russian military. The consequences of these blurred lines could be significant, as some attacks on civilian targets may constitute a breach of existing laws. Experts predict that the severity of cyberattacks will increase as Russia continues to struggle on the physical battlefield.

Suggested Article:

Meet the hacker armies on Ukraine’s cyber front line

Future of the IT Army

This month, Ukraine’s Minister of Digital Transformation, Mykhailo Fedorov, was featured in an exclusive interview with The Hill. As Ukraine’s youngest Cabinet member, Fedorov leads the digital fight against Russia by overseeing a project securing drones, rolling out public service apps, and combating Russia in the cyber sphere. He has built a digital campaign pressuring companies like Microsoft and Apple to cut off services to Russia and helped shape Ukraine’s online campaign to shame Russia and call out its alleged abuses on Twitter and other social media platforms. Fedorov also spearheaded the creation of a massive IT Army of Ukraine, with about 200,000 volunteers engaged in cyber warfare with Russia, which has been massively successful in distracting Russian hackers’ attention from Ukraine’s information systems. He is quoted saying, “This project has a very big and bright future.” Fedorov also manages the crucial link between the federal government and the Ukrainian people across several digital platforms. He is working on rebuilding Ukraine’s telecommunications infrastructure, which needs at least $1.8 billion to repair, and is a supporter of Rise Ukraine, an international coalition dedicated to creating a digital reconstruction management system that keeps track of projects and provides accountability and trust to stamp out corruption and address potential misuse of funds.

Suggested Article:

Ukraine’s millennial minister leads digital fight against Russia

Dark School

This month, a hacking group called Killnet released a new training program designed to teach people how to conduct professional cyber warfare or improve their skills for financial gain. The training covers various topics such as DDoS attacks, Google AdWords arbitrage, creating and promoting fake content for profit, carding, cyber espionage, social engineering, and cyber warfare psychology. The training costs $500, payable only in cryptocurrency, and lasts for 14 days, with 24/7 access to private video lessons, written manuals, and personal communication with instructors. Upon completion, students receive an official certificate from Killnet and the opportunity to join the hacking group’s team. The training is available in Russian, English, Spanish, and Hindi and will begin once 2,000 people have enrolled. It is impossible to purchase individual courses; only the entire training package is offered.

Suggested Article:

Dark School – Killnet

Supply Chain Attacks

3CX

Last month, it was revealed that the 3CX supply chain attack was caused by another supply chain compromise, in which suspected North Korean attackers breached the site of the stock trading automation company Trading Technologies to push trojanized software. The malicious installer for Trading Technologies’ X_TRADER software, downloaded and installed on an employee’s personal computer, deployed the multi-stage modular backdoor VEILEDSIGNAL, designed to execute shellcode, inject a communication module into Chrome, Firefox, or Edge processes, and terminate itself. According to Mandiant, the cybersecurity firm that helped 3CX investigate the incident, the threat group behind the attack stole corporate credentials from the employee’s device and used them to move laterally through 3CX’s network, eventually breaching both the Windows and macOS build environments. Symantec’s Threat Hunter Team also discovered that several critical infrastructure organizations in the United States and Europe were impacted by the X_TRADER software supply chain attack that led to the 3CX breach.

Suggested Article:

3CX breach was a double supply chain compromise

Discord Leaks

The Discord Leaker

This month, the US Justice Department and Pentagon started investigating an apparent online leak of sensitive documents, including some marked “Top Secret.” The existence of the documents was first reported by the New York Times after a number of Russian Telegram channels shared five photographed files relating to the invasion of Ukraine on April 5th. These documents dated to early March, when they were first posted online on Discord, a messaging platform popular with gamers. The leaked documents also spread to other sites, such as the imageboard 4chan, before recently appearing on Telegram, Twitter, and then major media publishers worldwide. The content of the shared documents ranges widely, with topics including maps of hotspots in Ukraine such as Bakhmut and Kharkiv, a delivery timetable for Western munitions to Ukraine, and maps and catalogs of Ukrainian air defense assets. The Department of Defense has formally referred the matter to the Department of Justice for investigation.

Later this month, a US Air National Guard airman was arrested and charged with unauthorized retention and transmission of national defense information and unauthorized removal and retention of classified documents. The charges under the Espionage Act carry a potential sentence of up to 10 years in prison. The airman, Jack Teixeira, allegedly shared classified documents on a Discord server he ran, frequented by online friends who bonded over interests including guns, racist memes, and gaming. While the cache of documents eventually made its way to public social media sites, they first sat on the small Discord server for months without the government’s notice. After the classified information began appearing on public social networks, the FBI’s investigation began. Discord has since deleted the classified content, banned the accounts involved, and warned other users still sharing the documents on other servers.

Suggested Articles:

From Discord to 4chan: The improbable journey of a US intelligence leak

Discord leak suspect charged with stealing and sharing military secrets

Zarya Connection

Recently, a pro-Russia hacktivist group called Zarya claimed to have breached the network of a Canadian gas pipeline company in February and caused damage that resulted in a loss of profits, according to a leaked briefing seen by Zero Day. According to the document, which was part of a cache of leaks recently circulated on the internet, the hackers could cause an explosion and sought instruction from the FSB. US intelligence did not identify the Canadian victim, and the Canadian Communications Security Establishment declined to comment. Radware’s Head of Research, Cyber Threat Intelligence, Daniel Smith, said that if the claims are true, it would indicate a significant shift in Zarya’s tactics, which until now have focused on DDoS and leaks.

Suggested Article:

Leaked Pentagon document claims Russian hacktivists breached Canadian gas pipeline company

Legal Action

Oakland Police Union File Claim

Oakland’s police union has filed a legal claim against the city after personal information for thousands of current and former employees was released in a ransomware attack. The union is asking for up to $25,000 in damages per affected employee, claiming that the city failed to implement industry-standard security protocols for its information systems. The attack, which occurred nearly two months ago, released over 9 gigabytes of data, including hundreds of records related to police misconduct allegations. Security experts have noted that municipalities are often prime targets for ransomware attacks because they house vast amounts of public information and may not have enough resources to invest in their technology departments. The city declined to comment on the claim, and it remains unclear what systems are still affected by the attack. Radware advises organizations to implement comprehensive cybersecurity programs that include regular risk assessments, employee training, and incident response plans to protect against ransomware attacks.

Suggested Article:

Oakland’s police union files legal claims against city for data release after ransomware attack

Packet District

DDoS, Not Ransomware, is a Top Concern

According to AT&T’s “2023 Cybersecurity Insights Report,” distributed denial-of-service (DDoS) attacks are the most concerning type for businesses. Based on a survey of 1,418 participants, the report found that DDoS attacks are believed to have the largest impact on businesses. The study also found that ransomware attacks are viewed as having the lowest overall perceived likelihood of an attack on the edge. However, it is noted that over the past 24 months, organizations of all types and sizes have invested in ransomware prevention. Additionally, the study suggests that cyber adversaries may be cycling with the rise and fall of different types of attacks. The report comes as DDoS attacks continue to make headlines, with international crackdowns like “Operation Power Off” taking place to combat the issue.

Suggested Article:

DDoS, not ransomware, is top business concern for edge networks

TP Link Device Exploited by Mirai

A new version of the Mirai malware botnet exploits a vulnerability in TP-Link Archer AX21 (AX1800) WiFi routers to incorporate devices into distributed denial of service (DDoS) swarms. The CVE-2023-1389 vulnerability is a high-severity (CVSS v3: 8.8) unauthenticated command injection flaw in the locale API of the web management interface of the TP-Link Archer AX21 router. The flaw was first abused during the Pwn2Own Toronto hacking event in December 2022, and researchers disclosed it to TP-Link in January 2023. Although TP-Link released a fix in a new firmware update last month, the Zero Day Initiative detected exploitation attempts in the wild starting last week, and they are now being detected globally. TP-Link Archer WiFi router owners can download the latest firmware update from TP-Link’s website.

Suggested Article:

TP-Link Archer WiFi router flaw exploited by Mirai malware

SLP Amplification Attack

Recently, cybersecurity researchers discovered a high-severity vulnerability in the Service Location Protocol (SLP). This legacy internet protocol allows systems on a network to find and communicate with each other. The vulnerability, CVE-2023-29552, could potentially allow attackers to launch massive Denial-of-Service (DoS) amplification attacks with an amplification factor as high as 2200 times. Researchers identified over 2,000 global organizations and over 54,000 SLP instances, including VMware ESXi Hypervisor, Konica Minolta printers, Planex Routers, IBM Integrated Management Module (IMM), SMC IPMI, and others, that attackers could exploit to launch DoS attacks on unsuspecting organizations around the world. The impact of the vulnerability is broad, spanning various sectors, including finance, insurance, technology, telecommunications, manufacturing, healthcare, hospitality, and transportation. To protect against this vulnerability, SLP should be disabled on all systems running on untrusted networks, or firewalls should be configured to filter traffic on UDP and TCP port 427. Strong security measures, access controls, and an incident response plan can help reduce the risk of falling victim to these attacks.
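As an added illustration of the mitigation advice above (this is not code from the article or from the researchers who disclosed CVE-2023-29552): a detection pass over constructed flow records that flags SLP hosts on your own network whose port 427 replies are disproportionately larger than the queries they receive, which is exactly what makes them usable as reflectors. The log format, the IP addresses and the 50x threshold are assumptions.

```python
"""Flag SLP responders (UDP/TCP 427) whose replies dwarf the queries that trigger them.

Added example, not code from the article. The flow-record format is assumed:
  timestamp proto src sport dst dport bytes
Adapt parse_flow() to your own collector's export.
"""
from collections import defaultdict
from dataclasses import dataclass

SLP_PORT = 427
AMP_THRESHOLD = 50.0  # assumed cut-off; tune to what your SLP hosts normally return

# Constructed sample flows (not real traffic). Host .50 answers a 64-byte query with
# 65000 bytes, the signature of a usable reflector; host .51 answers normally; the
# port-443 flows are unrelated noise that must be ignored.
SAMPLE_FLOWS = [
    "2023-04-25T10:00:01Z udp 203.0.113.10 40000 192.0.2.50 427 64",
    "2023-04-25T10:00:01Z udp 192.0.2.50 427 203.0.113.10 40000 65000",
    "2023-04-25T10:00:02Z udp 203.0.113.10 40001 192.0.2.51 427 64",
    "2023-04-25T10:00:02Z udp 192.0.2.51 427 203.0.113.10 40001 1200",
    "2023-04-25T10:00:03Z tcp 198.51.100.7 51000 192.0.2.80 443 900",
    "2023-04-25T10:00:03Z tcp 192.0.2.80 443 198.51.100.7 51000 4500",
]


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    _ts, proto, src, sport, dst, dport, nbytes = line.split()
    return Flow(proto, src, int(sport), dst, int(dport), int(nbytes))


def analyze_flows(lines, threshold=AMP_THRESHOLD):
    """Return {slp_host: (bytes_in, bytes_out, ratio)} for hosts at or above threshold.

    From the reflector's own network a spoofed-source attack looks like many small
    queries from the victim's address answered by huge replies, so the per-host byte
    ratio captures it regardless of who the apparent client is.
    """
    bytes_in = defaultdict(int)   # bytes sent to port 427, per SLP host
    bytes_out = defaultdict(int)  # bytes sent from port 427, per SLP host
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if f.dport == SLP_PORT:
            bytes_in[f.dst] += f.nbytes
        elif f.sport == SLP_PORT:
            bytes_out[f.src] += f.nbytes
    flagged = {}
    for host, out in bytes_out.items():
        inc = bytes_in.get(host, 0)
        ratio = out / inc if inc else float("inf")  # replies with no logged query
        if ratio >= threshold:
            flagged[host] = (inc, out, ratio)
    return flagged


if __name__ == "__main__":
    for host, (inc, out, ratio) in analyze_flows(SAMPLE_FLOWS).items():
        print(f"{host}: {inc} B in, {out} B out, amplification x{ratio:.0f}")
```

Hosts that come up flagged are the ones to disable SLP on, or to fence off with the UDP/TCP 427 filtering described above.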

Suggested Article:

New high-severity vulnerability discovered in SLP protocol

Swatting, Again

New York Schools Targeted

Police in Western New York are investigating a series of alleged swatting incidents at local schools. Swatting involves making fake emergency calls to law enforcement, often claiming there is an active shooter, to prompt a large-scale police response. New York State police have said that all reports are unfounded and are working alongside federal and local partners to investigate the threats. Several schools were placed on lockdown due to the incidents, and police have warned the public to remain vigilant and report any suspicious activity or individuals to law enforcement immediately. The FBI has also urged caution, stressing that swatting is a serious issue that puts innocent people at risk.

Suggested Article:

Police in western New York investigating alleged ‘swatting’ at local schools

Raids and Arrests

Alcasec Arrested

Spanish police have arrested a 19-year-old hacker, known online as “Alcasec,” who is suspected of carrying out several high-profile cyberattacks, including the breach of Spain’s national council of the Judiciary in November 2022. The police accused him of being a “serious threat to national security” and claimed that he had extensive experience in the world of cybercrime. Huertas is also accused of stealing hundreds of thousands of euros through impersonation attacks and running a platform called Udyat to sell large amounts of stolen data. He allegedly attempted to conceal the proceeds through cryptocurrency mixing services. Spanish media reported that Huertas has been placed in provisional prison until his trial due to his risk of absconding.

Suggested Article:

Teenage hacker tied to high-profile cyberattacks arrested by Spanish police

RATY Arrested

A beef between Kremlin-backed hacktivist groups emerged recently, with Killnet’s leader, “Killmilk,” outing the identity of Anonymous Russia’s leader, “Raty,” as Arseni Yeliseyeu. Killmilk appointed “Radis” as the new leader of Anonymous Russia following the arrest of Raty in Belarus. In response, the Anonymous Russia Telegram channel declared itself a pro-Kremlin group and offered its DDoS attacks as a for-hire service, adding that “anyone can purchase.” The incident is the latest example of Killnet’s attempts to consolidate power by collecting all major and minor groups under its umbrella. However, smaller groups like Phoenix are pushing back against Killnet, creating a more competitive hacktivist market.

Suggested Article:

Killnet boss exposes rival leader in Kremlin hacktivist beef

Genesis Market Raided

This month, the FBI, Dutch National Police, and the UK’s National Crime Agency collaborated in an international operation to dismantle the Genesis Market, a major cybercrime store that sold stolen data, passwords, and digital identities harvested from millions of infected computers. The operation involved seizing several domain names associated with the marketplace, which hosted around 80 million credentials and digital fingerprints stolen from over two million people, making it a popular service for criminals seeking to defraud victims. The crackdown coincided with over 100 arrests in 14 countries, including the United States, the Netherlands, and the UK, targeting operators, suppliers, and platform users. In addition, measures were taken to disrupt Genesis Market, such as removing malicious files linked to the store and targeting suppliers responsible for distributing various strains of infostealer malware. Many victims whose data was for sale on the platform had been infected with malware bundled with pirated software. As part of the effort, Microsoft released an update to help Windows computers remove infections associated with Genesis Market’s malware families. The coordinated global operation resulted in approximately 120 arrests, over 200 searches, and nearly 100 instances of preventative activity.

Suggested Article:

FBI seizes bot shop ‘Genesis Market’ amid arrests targeting operators, suppliers

Closing Remarks

As we wrap up this month’s cybersecurity newsletter, it is evident that the cyber threat landscape remains diverse and dynamic. With the resurgence of hacktivist operations like OpIsrael, an increase in DDoS attacks, and ongoing cyber warfare in the Ukraine conflict, organizations across various sectors must remain vigilant and adapt to the evolving threats. Supply chain attacks, such as the 3CX breach, highlight the need for robust security measures throughout the entire chain.

Organizations must continue investing in comprehensive cybersecurity measures, including regular risk assessments, employee training, and incident response plans. As cyberattacks become more sophisticated, organizations must stay informed of the latest trends, tactics, and threats in the cybersecurity world. By maintaining a proactive approach to security and fostering a culture of resilience, organizations can minimize the impact of potential attacks and safeguard their valuable resources in the face of an ever-evolving cyber landscape.

Join the conversation!  

Do you have additional insight or comments? Join the conversation with our researchers at Radware on Telegram: https://t.me/RadwareResearchChat


*** This is a Security Bloggers Network syndicated blog from Threat Researchers Newsletter authored by Radware Research. Read the original post at: https://radware.substack.com/p/threat-researchers-newsletter-9