Conti Source Code Leak

March 22, 2022


Industry: N/A | Level: Strategic | Source: BleepingComputer

Conti leaks continue from a Ukrainian security researcher posting under the Twitter handle @ContiLeaks. The latest leak, uploaded to VirusTotal on March 20th, 2022, contains the source for “conti v3.” BleepingComputer reviewed the uploaded files and identified the code as dated January 25th, 2021, newer than the previously leaked code. The code is authentic, as BleepingComputer was able to compile it without issue.

German Government Warns Against Use of Kaspersky AV

March 22, 2022

Industry: N/A | Level: Strategic | Source: BleepingComputer

In a bulletin released by the German Federal Office for Information Security (BSI), the government entity advises against the use of Kaspersky’s antivirus software in favor of “alternative products.” The trust and reliability of the product are brought into question given the conflict between Russia and Ukraine and any relationship the company may have with the Russian government. Because the product operates in real time and relies on cloud connectivity, several of its technical properties are a potential risk. BSI offers the following for consideration: antivirus software has “extensive system authorizations and, due to the system (at least for updates), must maintain a permanent, encrypted and non-verifiable connection to the manufacturer’s servers. Therefore, trust in the reliability and self-protection of a manufacturer as well as his authentic ability to act is crucial for the safe use of such systems. If there are doubts about the reliability of the manufacturer, virus protection software poses a particular risk for the IT infrastructure to be protected.”

Rostec Hit with Cyberattack

March 21, 2022

March 11th, 2022: Rostec Hit with Cyberattack

Industry: Aerospace, Defense | Level: Strategic | Source: BleepingComputer

Russian industrial conglomerate Rostec has encountered a cyberattack that briefly took its website offline. The story is reported by BleepingComputer, with the impacted aerospace and defense firm stating it has encountered consistent attack activity since late February. A statement from Rostec shared, “we had to briefly close the website. The attack has been repelled, and now the website is functioning again and all information about the corporation is available in full.” The attack appears attributable to the IT Army of Ukraine, as the group’s Telegram channel lists elements of Rostec’s internet infrastructure as targets for DDoS attacks.

Update: CaddyWiper Data Wiper Attacks Ukraine

March 18, 2022

March 14th, 2022: CaddyWiper Data Wiper Attacks Ukraine

Industry: N/A | Level: Strategic | Source: BleepingComputer

Initially discovered by ESET researchers and reported by BleepingComputer, a new data-destroying malware named CaddyWiper is attacking Ukrainian organizations. Shared from ESET’s Twitter, “ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations.” Interestingly, the malware checks whether the host is a domain controller and, if so, leaves the data on that domain controller untouched. ESET hypothesizes this exclusion is meant to ensure the attacker retains access. Analysis of the malware identified it was compiled on Monday, March 14th, 2022 at 07:19:32 UTC. While the malware does not share “significant code similarity” with prior wipers, CaddyWiper’s deployment resembles that of HermeticWiper; as ESET’s tweet states, “similarly to HermeticWiper deployments, we observed CaddyWiper being deployed via GPO, indicating the attackers had prior control of the target’s network beforehand.”

Threat Group Delivers Cobalt Strike Through AV Updates

March 18, 2022

March 14th, 2022: Threat Group Delivers Cobalt Strike Through AV Updates

Industry: Critical Infrastructure | Level: Strategic | Source: BleepingComputer

The Ukrainian Computer Emergency Response Team alerted users to a phishing campaign impersonating the Ukrainian government. The campaign prompts potential victims to download fraudulent “critical security updates” that ultimately deliver a Cobalt Strike beacon. The activity has been observed by MalwareHunterTeam and is reported by BleepingComputer. The phishing email contains a malicious link that downloads an executable masquerading as “itdefenderWindowsUpdatePackage.exe”; when executed, it displays a prompt claiming it is “installing the Windows update package,” but if the user proceeds it actually downloads a Cobalt Strike beacon from Discord. Additional backdoors are dropped on the victim host, establishing persistence and conducting reconnaissance and command execution to achieve the threat actor’s objective. The Ukrainian Computer Emergency Response Team attributed this activity with medium confidence to the Russian threat group UAC-0056/Lorec53.

Lapsus$ Breaches Mercado Libre

March 15, 2022


Industry: E-Commerce | Level: Strategic | Source: BleepingComputer

Threat group Lapsus$’s recent string of breaches, including Nvidia and Samsung, now also includes Argentine e-commerce giant Mercado Libre, Inc. As reported by BleepingComputer, “unauthorized access” to the company’s source code was identified, potentially impacting approximately 300,000 of the company’s users. According to the company’s Securities and Exchange Commission (SEC) Form 8-K filing, the breach did not impact the company’s IT infrastructure. Mercado Libre provided the following statement: “Although data from approximately 300,000 users (out of our nearly 140 million unique active users) was accessed, to date and according to our initial analysis, we have not found any evidence that our infrastructure systems have been compromised or that any users’ passwords, account balances, investments, financial information or credit card information were obtained. We are taking strict measures to prevent further incidents.”

CaddyWiper Data Wiper Attacks Ukraine

March 15, 2022

Initially discovered by ESET researchers and reported by BleepingComputer, a new data-destroying malware, named CaddyWiper, is attacking Ukrainian organizations.

Samsung Electronics Data Leak

March 08, 2022


Industry: Electronics | Level: Strategic | Source: BleepingComputer

Threat group Lapsus$ has struck another technology giant, Samsung Electronics. The group has collected roughly 190GB of data from Samsung and has made it available for download via torrent. As shared by BleepingComputer, the data is split into three parts: “Part 1 contains a dump of source code and related data about security/Defense/Knox/Bootloader/TrustedApps and various other items. Part 2 contains a dump of source code and related data about device security and encryption. Part 3 contains various repositories from Samsung Github: mobile defense engineering, Samsung account backend, Samsung pass backend/frontend, and SES (Bixby, Smartthings, store).” The story is developing, with no statement from Samsung on the incident or on whether a ransom was demanded. The compromise follows Lapsus$’s earlier leak of Nvidia data.

Nvidia Certificates Used in Malware

March 08, 2022


Industry: Technology | Level: Strategic | Source: BleepingComputer

Threat actors are quickly leveraging data obtained from the Nvidia leak by Lapsus$. As reported by BleepingComputer and shared by security researchers Bill Demirkapi, Kevin Beaumont and Will Dormann, “Threat actors are using stolen NVIDIA code signing certificates to sign malware to appear trustworthy and allow malicious drivers to be loaded in Windows.” Although some of the observed NVIDIA certificates have expired, Windows still allows drivers signed with those expired certificates to be loaded. The certificates have been used to sign hacking tools including Cobalt Strike beacons and Mimikatz, as well as a variety of backdoors and RATs.

Conti’s Chats Leaked

March 01, 2022

Conti internal chats, retained from a Jabber communication system, were leaked by a Ukrainian security researcher, as reported by BleepingComputer.