Conti Shuts Down
AdvIntel, an intelligence firm well known for tracking Conti activity, has reported the shutdown of Conti ransomware operations, after critical ransom features were observed to have been removed from the infamous Conti News blog.
Red Canary has provided details of the Gootloader malware, which it now tracks separately from the Gootkit malware. Red Canary offers an infection chain because the malware is frequently reported in the firm’s monthly intelligence insights and its 2021 Threat Detection Report, indicating the malware’s popularity among cybercriminals.
Cybereason has been analyzing Quantum ransomware, a rebrand of a series of ransomware families starting with Mount Locker (September 2020), followed by Astro Locker (March 2021) and Xing Locker (May 2021).
March 3rd, 2022: Hacked Sites Spread Fake “Capitulation” News
As reported by Reuters, Ukraine’s State Service of Special Communication and Information Protection (SSSCIP) has identified compromised government sites posting false information about surrender/“capitulation.” Compromised sites are identified and shared on the SSSCIP Ukraine Twitter account; an example tweet posted an image of the compromised sites with the following message: “WARNING! ANOTHER FAKE! The enemy has broken into some sites of regional authorities and local governments and spreads through them lies about the alleged “capitulation and signing of a peace treaty with Russia.” It’s a FAKE!”
March 3rd, 2022: Telegram Fuels Cyber Communication
Industry: N/A | Level: Strategic | Source: Check Point
Research from Check Point has identified an increase in Telegram groups during the Russia and Ukraine conflict. The groups assembled stand on both sides of the conflict, with anti-Russian groups as well as mischievous users creating fraudulent Ukrainian support groups. Check Point’s research notes, “since the beginning of the war, we have seen tens of groups being created daily. Some groups boast over 250,000 users. CPR estimates that about 23% of the groups observed on Telegram attempt to unite hackers, IT professionals, and other IT “fans” to attack Russian targets in cyberspace. These groups are used to coordinate the attack, decide on targets and share results, even offering to help each other towards the goal.” According to reports, hackers on both sides have leveraged DDoS attacks, and anti-Russian groups on Telegram have been observed naming specific Russian sites as DDoS targets.
March 9th, 2022: MicroBackdoor Attacks Ukraine
Industry: Government | Level: Tactical | Source: Portswigger
Ukraine’s Computer Emergency Response Team (CERT-UA) warns that the MicroBackdoor malware is targeting Ukrainian government agencies. According to The Daily Swig, the malware is distributed in a phishing email containing a zip file whose accompanying files execute malicious VBScript code. Intelligence from CERT-UA indicates the malware was created in January 2022.
March 16th, 2022: Anonymous Attacks Russian Government Sites
As a result of DDoS attacks, the Anonymous group appears to have taken down multiple Russian government sites. As reported by HackRead, the impacted sites are the “Federal Security Service (aka FSB, the principal security agency of Russia), Stock Exchange, Analytical Center for the Government of the Russian Federation, and Ministry of Sport of the Russian Federation.” The Russian Stock Exchange’s website was still offline when the article was published on March 15th, 2022; the attack spanned over seven hours, with several targeted sites remaining inaccessible.
March 16th, 2022: Ukraine Targeted with Fraudulent Translation Software
SentinelOne identified the threat actor group SaintBear (aka UAC-0056, UNC2589, TA471) distributing fraudulent translation software to users in Ukraine in order to infect them with the GrimPlant and GraphSteel malware. The fraudulent translation software is compiled from Python and has been observed in threat campaigns as early as February 2022. Once dropped on the victim’s host, the malware downloads additional .exe payloads, runs reconnaissance commands, establishes persistence and collects credentials.
March 21st, 2022: Threat Group InvisiMole Striking Ukraine
Ukraine’s Computer Emergency Response Team (CERT-UA) warns of attacks by the hacking group InvisiMole; the group is alleged to be associated with the APT group Gamaredon. The group is targeting “high-profile” organizations in military and diplomatic affairs. As reported by ZDNet, the threat group is running phishing campaigns to distribute the LoadEdge backdoor to Ukrainian organizations. The attack chain, as described by CERT-UA, involves “phishing emails being sent that have an attached archive, 501_25_103.zip, together with a shortcut (LNK) file. If opened, an HTML Application file (HTA) downloads and executes VBScript designed to deploy LoadEdge.” The follow-on activity involves using DNS tunneling to deliver malicious payloads, creating persistence through the registry, and collecting data.
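The attack chain above gives a defender two concrete things to look for in telemetry: mshta.exe launching an HTA from a user-writable location and then spawning a script host, and a burst of long, high-entropy subdomain queries against one domain, which is the usual footprint of DNS tunneling. The following is an added example, not code from CERT-UA, ZDNet or the InvisiMole reporting; the key=value log format, the field names, the sample events and the domain names (tunnel.example, example.org) are all constructed for illustration, and real Sysmon or EDR fields will differ.

```python
"""Detection heuristics for the LNK -> HTA -> VBScript delivery chain and
DNS-tunneling-style query patterns. Added example; log format, sample
events and domains are constructed, not real telemetry."""
import math
import re
from collections import defaultdict

# Constructed process-creation events (parent -> child) in a simplified
# key=value format. Real Sysmon/EDR field names differ; this is an assumption.
SAMPLE_PROCESS_LOG = r"""
ts=2022-03-21T09:00:01 parent=explorer.exe image=mshta.exe cmd="mshta.exe C:\Users\u\AppData\Local\Temp\doc.hta"
ts=2022-03-21T09:00:02 parent=mshta.exe image=wscript.exe cmd="wscript.exe //B C:\Users\u\AppData\Local\Temp\load.vbs"
ts=2022-03-21T09:05:00 parent=explorer.exe image=winword.exe cmd="winword.exe report.docx"
ts=2022-03-21T09:06:00 parent=services.exe image=svchost.exe cmd="svchost.exe -k netsvcs"
"""

# Constructed DNS query log; tunnel.example and example.org are placeholders.
SAMPLE_DNS_LOG = """
ts=2022-03-21T09:00:10 qname=a9f3c1e47b2d8e0f5a6c7d1e9b3f4a2c.tunnel.example qtype=TXT
ts=2022-03-21T09:00:11 qname=0c4e7a2b9d1f6e8a3b5c7d9e1f2a4b6c.tunnel.example qtype=TXT
ts=2022-03-21T09:00:12 qname=7e1d3a5b9c2f4e6a8b0d1c3e5f7a9b2d.tunnel.example qtype=TXT
ts=2022-03-21T09:00:13 qname=www.example.org qtype=A
ts=2022-03-21T09:00:14 qname=update.example.org qtype=A
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# Paths a phished user can write to without elevation (assumption, extend as needed).
USER_WRITABLE = re.compile(r"\\AppData\\Local\\Temp\\|\\Downloads\\|\\Public\\", re.IGNORECASE)


def parse_log(text):
    """Turn key=value lines into dicts, stripping quotes from quoted values."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return events


def hta_chain_findings(process_log):
    """Return (timestamp, reason) pairs for events matching the HTA chain."""
    findings = []
    for ev in parse_log(process_log):
        image, parent = ev["image"].lower(), ev["parent"].lower()
        if image == "mshta.exe" and USER_WRITABLE.search(ev["cmd"]):
            findings.append((ev["ts"], "mshta.exe launched an HTA from a user-writable path"))
        if parent == "mshta.exe" and image in SCRIPT_HOSTS:
            findings.append((ev["ts"], f"mshta.exe spawned script host {image}"))
    return findings


def shannon_entropy(s):
    """Bits of entropy per character; hex/base32 payload labels score near 4."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_tunnel_candidates(dns_log, min_label_len=20, min_entropy=3.0, min_queries=3):
    """Group queries by registrable domain (last two labels; an assumption that
    ignores public-suffix rules) and flag domains receiving several distinct
    long, high-entropy subdomain labels, i.e. data being carried in the query."""
    per_domain = defaultdict(set)
    for ev in parse_log(dns_log):
        labels = ev["qname"].lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        domain = ".".join(labels[-2:])
        longest = max(labels[:-2], key=len)
        if len(longest) >= min_label_len and shannon_entropy(longest) >= min_entropy:
            per_domain[domain].add(longest)
    return sorted(d for d, labels in per_domain.items() if len(labels) >= min_queries)


if __name__ == "__main__":
    for ts, reason in hta_chain_findings(SAMPLE_PROCESS_LOG):
        print(f"[process] {ts} {reason}")
    for domain in dns_tunnel_candidates(SAMPLE_DNS_LOG):
        print(f"[dns] possible tunneling to {domain}")
```

The thresholds (label length 20, entropy 3.0 bits, three distinct labels) are starting points, not tuned values; CDNs and some security products also generate long random-looking labels, so the DNS heuristic is best treated as a hunting lead to be paired with the process-chain finding rather than an alert on its own.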
March 22nd, 2022: White House Statement to Harden Cybersecurity
United States President Joe Biden continues to emphasize the importance of active vigilance against cyber activity given the ongoing conflict between Russia and Ukraine. The warning comes from a White House statement: “I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook. Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.” Actions taken to secure cyber defenses have included the implementation of additional cybersecurity measures for the Federal Government and various critical infrastructure sectors. Organizations should follow alerts and guidance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to stay organized and informed.
March 22nd, 2022: Miratorg Agribusiness Holding – Ransomware Attack
A ransomware attack using Windows BitLocker has hit Miratorg Agribusiness Holding, a meat supplier based in Moscow. BleepingComputer’s report suggests the attack was conducted for “sabotage and not financial” gain, with the attack focused on “VetIS, a state information system used by veterinary services and companies engaging in the field, making it likely a supply chain compromise.” Additionally, a machine-translated statement from the company frames the attack as hostility from the West in regard to the Russia and Ukraine conflict: “Probably, this incident is a manifestation of the informational and economic “total war” that the collective West unleashed against Russia. We are pushed to this assumption by the fact that during the entire existence of VetIS (more than 10 years) and tens of thousands of Russian and foreign software systems integrated with it, this has never happened.” Miratorg Agribusiness is working to restore business services.
March 22nd, 2022: DoubleZero Wiper
Reporting on the latest wiper, DoubleZero, remains limited. A brief analysis from Symantec identified the wiper as obfuscated .NET code that “overwrites or uses API calls to zero out critical system files and registry keys.” The list of wipers observed now includes WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper and DoubleZero.
March 23rd, 2022: Anonymous Hacker Group Potentially Hacks Nestlé
Industry: Food & Beverage | Level: Strategic | Source: Fortune
On March 22nd, 2022, the Anonymous hacker group published on its Twitter profile a claimed hack of 10 GB of data from Nestlé, a multinational food and drink corporation. In its response to the claimed breach, reported by Fortune, Nestlé denies the hack, stating that the leaked data had been “accidentally” released by the company last month. A company excerpt states: “[the data leak] it relates to a case from February this year, when some randomized and predominantly publicly available test data of a (business-to-business) nature was made accessible unintentionally online for a short period of time. We quickly investigated and no further action was deemed necessary.” The Anonymous group’s stated motivation for attacking Nestlé was the company’s ongoing operations in Russia; in response, the company has opted to limit its consumer offerings in the country.