Chaos Ransomware Aligns with Russia

May 24, 2022

Chaos Ransomware Aligns with Russia

Industry: N/A | Level: Strategic | Source: Fortinet

Fortinet has identified Chaos as the latest notable ransomware operation to take Russia's side in the Ukraine conflict. The indication is the message Chaos displays once encryption has completed, which speaks negatively of the Ukrainian government. The arrival vector was not determined, but it likely came from an email or from a user browsing a forum post. The malware appears to be new, with a compile date of May 16th, 2022. Fortinet identifies the variant it investigated as a potential file destroyer rather than true ransomware: the attackers did not provide any option to recover the affected files, and shadow copies were deleted from impacted workstations.

Mandiant Tracks APT29 Phishing Campaigns

May 10, 2022

Mandiant Tracks APT29 Phishing Campaigns

Industry: Diplomatic, Government | Level: Tactical | Source: Mandiant

Mandiant has identified the Russian state-sponsored threat group APT29 as having run phishing campaigns against government and diplomatic targets since January 17th, 2022, with victims located in Europe, the Americas, and Asia. The phishing emails were themed as administrative notices and sent from compromised email accounts. Each email carried an HTML dropper that writes an IMG or ISO file to disk; when the image is mounted, the victim is presented with a LNK file and a DLL, and executing the LNK triggers the infection. The group used custom malware such as ROOTSAW, BOOMMIC, and BEATDROP during initial access and post-compromise to establish a foothold in the environment. Techniques observed include abusing certificates, modifying registry run keys, creating or modifying scheduled tasks, conducting discovery with native commands, and Kerberoasting. APT29 moves quickly once inside: the group typically reaches Domain Admin privileges within 12 hours.

  • Anvilogic Use Cases:
    • Symbolic OR Hard File Link Created
    • Suspicious Certificate Modification
    • Create/Modify Schtasks
    • New AutoRun Registry Key
    • Registry key added with reg.exe
    • WinRM Tools
    • Common Reconnaissance Commands
    • Locate Credentials

Vigilance for Critical Infrastructure Defense

April 26, 2022

Vigilance for Critical Infrastructure Defense

Industry: Critical Infrastructure | Level: Strategic | Source: Defense.gov

A joint advisory provided by the Cybersecurity and Infrastructure Security Agency (CISA) along with Australia, Canada, New Zealand, and the United Kingdom, urges critical infrastructure operators to remain alert to cyber activity from Russia. As the conflict continues to impact Russia’s economy, intelligence continues to point towards the Russian government exploring options for cyberattacks. As provided in the advisory, government agencies are urging vigilance, “U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities urge critical infrastructure network defenders to prepare for and mitigate potential cyber threats—including destructive malware, ransomware, DDoS attacks, and cyber espionage—by hardening their cyber defenses and performing due diligence in identifying indicators of malicious activity.”

Connecticut Airport Hit with Cyberattack

April 05, 2022

Connecticut Airport Hit with Cyberattack

Industry: Aviation | Level: Strategic | Source: NewsWeek

As disclosed by CyberKnow, a situational awareness service, and by the Connecticut Airport Authority, a cyberattack on Tuesday, March 29th, 2022 impacted the website of Bradley International Airport in Windsor Locks, Connecticut. The attackers left messages on the website, translated by CyberKnow, indicating the attack was a response to the Russia and Ukraine conflict. The messages included “when the supply of weapons to Ukraine stops, attacks on the information structure of your country will instantly stop,” along with the statement “America, no one is afraid of you.” The website is currently available, and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) reports no evidence of a data breach. Although CyberKnow attributed the attack to the Russian threat actor group Killnet, the actors responsible remain undetermined.

Russian State-Sponsored Cyber Actors Exploit “PrintNightmare”

March 22, 2022

Russian State-Sponsored Cyber Actors Exploit “PrintNightmare”

Industry: N/A | Level: Tactical | Source: CISA

A joint advisory released by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) describes Russian state-sponsored actors compromising a non-governmental organization (NGO) as early as May 2021. The actors gained initial access with a compromised account that was inactive but had not been disabled in Active Directory, and abused a default Duo MFA configuration that allowed “re-enrollment of a new device for dormant accounts” to enroll their own device for that account. They then exploited the Windows Print Spooler vulnerability “PrintNightmare” (CVE-2021-34527) to run arbitrary code with SYSTEM privileges. Another notable technique: “the actors also modified a domain controller file, c:\windows\system32\drivers\etc\hosts, redirecting Duo MFA calls to localhost instead of the Duo server [T1556]. This change prevented the MFA service from contacting its server to validate MFA login—this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to ‘Fail open’ if the MFA server is unreachable.” The actors then largely used built-in Windows tools to conduct reconnaissance, modify the registry, collect files, and steal credentials.

  • Anvilogic Use Cases:
    • Rare dll called by Spoolsv.exe
    • Suspicious Spool Authentication
    • Windows External Remote Login
    • Utility Archive Data
    • Locate Credentials
    • NTDSUtil.exe execution
    • Tunnel connection on local host
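The hosts-file tampering quoted above is cheap to check for: a domain controller has no legitimate reason to carry a static entry for a Duo API hostname, and one that resolves to loopback is the exact fail-open bypass the advisory describes. The script below is an added example written for this digest, not code from the advisory or from Duo. It parses a Windows hosts file (the sample contents are constructed), flags any `*.duosecurity.com` entry, and marks those pointing at 127.0.0.0/8 or ::1 as the high-severity pattern. The hostname `api-abcdef12.duosecurity.com` in the sample is invented; real Duo API hostnames follow the same `api-XXXXXXXX.duosecurity.com` shape.

```python
"""Flag hosts-file entries that override Duo MFA API hostnames.

Added example for this digest (not from the CISA/FBI advisory or Duo).
Any static entry for a *.duosecurity.com name is suspicious; one that
resolves to loopback matches the fail-open bypass the advisory describes.
"""
import ipaddress
import sys
from typing import Dict, List, Tuple

# Default hosts file path on the domain controller named in the advisory.
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
# Duo API hostnames take the form api-XXXXXXXX.duosecurity.com.
DUO_SUFFIX = ".duosecurity.com"

# Constructed sample hosts file (an assumption, not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.20.30.40     fileserver.corp.example   # legitimate internal entry
127.0.0.1   api-abcdef12.duosecurity.com  # pins MFA validation to loopback
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) tuples, ignoring comments and blank lines."""
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line with no hostname
        entries.append((fields[0], [h.lower() for h in fields[1:]]))
    return entries


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 or ::1; False for anything that is not an IP."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def find_duo_overrides(text: str) -> List[Dict[str, object]]:
    """Every Duo hostname pinned in the hosts file, with a loopback flag."""
    findings: List[Dict[str, object]] = []
    for addr, hosts in parse_hosts(text):
        for host in hosts:
            if host.endswith(DUO_SUFFIX):
                findings.append(
                    {"address": addr, "host": host, "loopback": is_loopback(addr)}
                )
    return findings


def main(argv: List[str]) -> int:
    """Scan the file given on the command line, or the constructed sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    findings = find_duo_overrides(text)
    for f in findings:
        severity = "HIGH (fail-open bypass pattern)" if f["loopback"] else "MEDIUM (static override)"
        print(f"{severity}: {f['host']} -> {f['address']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a copy of the DC's hosts file (`python check_duo_hosts.py hosts`); a non-zero exit means at least one Duo hostname is pinned. The check covers only the hosts-file redirection; reviewing Duo's fail mode for Windows Logon and disabling dormant accounts are separate controls the advisory also calls for.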

Anonymous Group Hacks Federal Russian Agency

March 21, 2022

March 14th, 2022: Anonymous Group Hacks Federal Russian Agency

Industry: Government | Level: Strategic | Source: CySecurity

The Anonymous collective, supporting Ukraine in the Russian conflict, has compromised Roskomnadzor, the Russian media censorship agency. As reported by HackRead, an Anonymous affiliate shared approximately 820 GB of Roskomnadzor data on the website Distributed Denial of Secrets (aka DDoSecrets). Since the invasion began, Russia has censored information about the war, with Roskomnadzor playing a central role; as HackRead states, “the Russian government has blocked all key sources of information, particularly news and media outlets, and Roskomnadzor was tasked to block Facebook, Twitter, and other online platforms.”

Anonymous Attacks Russian Government Sites

March 18, 2022

March 16th, 2022: Anonymous Attacks Russian Government Sites

Industry: Government | Level: Strategic | Source: HackRead

Through DDoS attacks, the Anonymous collective appears to have taken down multiple Russian government sites. As reported by HackRead, the impacted sites are the “Federal Security Service (aka FSB, the principal security agency of Russia), Stock Exchange, Analytical Center for the Government of the Russian Federation, and Ministry of Sport of the Russian Federation.” The Russian Stock Exchange's website was still offline when the article was published on March 15th, 2022; the attack spanned over seven hours, with several targeted sites remaining inaccessible.

Protestware

March 18, 2022

Protestware

Industry: Technology | Level: Strategic | Source: Snyk

To protest the ongoing conflict between Russia and Ukraine, the developer of the npm package node-ipc released sabotaged versions of the software that target users in Russia and Belarus. The sabotaged versions were published on March 8th by the maintainer Brandon Nozaki Miller, aka RIAEvangelist. Snyk describes this as a supply-chain-style attack in which the compromised versions impact victim hosts by “corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms.” Tracked as CVE-2022-23812, the malicious releases are node-ipc versions 10.1.1 and 10.1.2; these versions are no longer available on GitHub or npm, and version 10.1.3, which does not contain the file-deletion code, has been released.
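Because node-ipc is usually pulled in transitively (for instance by CLI tooling) rather than listed directly, the practical question for a defender is whether any copy of an affected version sits anywhere in a project's lockfile. The scanner below is an added example for this digest, not Snyk's or the node-ipc project's code. It walks both lockfile layouts npm emits (the nested `dependencies` tree of lockfileVersion 1 and the flat `packages` map of lockfileVersion 2/3) and reports every installed copy whose version is one of the two named on this page. The two embedded lockfiles and the package names in them are constructed for the example.

```python
"""Scan a package-lock.json for the sabotaged node-ipc releases.

Added example for this digest, not Snyk's or the node-ipc project's code.
The affected set holds the two versions this page names for CVE-2022-23812;
extend it if later advisories name more.
"""
import json
import sys
from typing import Dict, Iterator, List, Set, Tuple

AFFECTED: Dict[str, Set[str]] = {"node-ipc": {"10.1.1", "10.1.2"}}

# Constructed lockfiles (assumptions, not real project files).
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-cli-plugin": {
            "version": "1.0.0",
            "dependencies": {"node-ipc": {"version": "10.1.1"}},  # nested, affected
        },
        "node-ipc": {"version": "10.1.3"},  # top-level copy is the fixed release
    },
}
SAMPLE_LOCK_V2 = {
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo", "version": "0.0.1"},
        "node_modules/node-ipc": {"version": "10.1.2"},  # affected
        "node_modules/@scope/tool": {"version": "2.0.0"},
        "node_modules/@scope/tool/node_modules/node-ipc": {"version": "9.2.1"},
    },
}

Entry = Tuple[str, str, str]  # (install path, package name, version)


def iter_packages(lock: dict) -> Iterator[Entry]:
    """Yield every installed package in the lockfile, whichever layout it uses."""
    packages = lock.get("packages")
    if isinstance(packages, dict):  # lockfileVersion 2/3: flat map keyed by path
        for path, meta in packages.items():
            if not path:
                continue  # "" is the root project itself
            # Last path segment after the final node_modules/ keeps scoped names intact.
            name = path.rsplit("node_modules/", 1)[-1]
            yield path, name, str(meta.get("version", ""))
        return

    def walk(deps: dict, prefix: str) -> Iterator[Entry]:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, name, str(meta.get("version", ""))
            nested = meta.get("dependencies")
            if isinstance(nested, dict):
                yield from walk(nested, path + "/")

    yield from walk(lock.get("dependencies", {}), "")  # lockfileVersion 1: nested tree


def find_affected(lock: dict) -> List[Entry]:
    """Installed copies whose (name, version) is in AFFECTED, sorted by path."""
    hits = [(p, n, v) for p, n, v in iter_packages(lock) if v in AFFECTED.get(n, set())]
    return sorted(hits)


def main(argv: List[str]) -> int:
    """Scan the lockfile given on the command line, or the constructed v2 sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK_V2
    hits = find_affected(lock)
    for path, name, version in hits:
        print(f"AFFECTED {name}@{version} at {path}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python scan_lock.py package-lock.json`; a non-zero exit means an affected copy is present somewhere in the tree. Matching on exact versions rather than a semver range is deliberate here, since only two releases are named; a range check would be the right tool once an advisory gives one.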

TA416

March 15, 2022

TA416

Industry: N/A | Level: Tactical | Source: Proofpoint

Proofpoint research provides an update on activity since November 2021 by the Chinese APT group TA416, which has been running targeted campaigns against European diplomatic entities. Activity has increased since Russia's invasion of Ukraine. A new technique was identified in the group's phishing campaigns: the threat group first uses web bugs to profile victims and obtain a “sign of life,” indicating to the attackers that the victim is active and can be enticed into opening malicious emails. The phishing emails then leverage the “email marketing service SMTP2Go, which allows users to alter the envelope sender field while using a unique sender address generated by the service.” Abuse of the SMTP2Go service has enabled the group to impersonate different European organizations. The phishing emails carry a Dropbox link to a zip file containing the PlugX malware executable. Upon execution, the malware establishes persistence through DLL search order hijacking using the PE file potplayermini.exe, associated with a public media player, and downloads additional payloads.

  • Anvilogic Use Cases:
    • Compressed File Execution
    • Executable File Written to Disk
    • Suspicious File written to Disk

U.S. Hospitals to Brace for Cyber Attacks

March 08, 2022

U.S. Hospitals to Brace for Cyber Attacks

Industry: Healthcare | Level: Strategic | Source: HealthExec

The American Hospital Association (AHA) is alerting U.S. hospitals to brace for potential cyberattacks associated with the conflict between Russia and Ukraine, as reported by HealthExec. The concern is potential retaliation from Russia in response to the economic sanctions being imposed. AHA cybersecurity advisor John Riggi states, “We want hospitals, their C-suite executives and chief information officers to take this very seriously. There is a war going on and the adversary is very proficient in cyberattacks.” Riggi further advises hospitals to “be prepared to operate 4 to 6 weeks without the ability to use their computers or archive data.” A disruption of that length affects medical equipment and record-keeping. The Conti ransomware gang, which has aligned itself with Russia in the conflict, has a history of targeting healthcare organizations.