Hackers attack Russian organizations through a new Microsoft Office vulnerability

Information security specialists from Kaspersky Lab reported that hackers are trying to attack Russian companies through a new vulnerability in Microsoft Office products. At least one attack targeted government agencies. Using the vulnerability, attackers can not only spy on users of the infected system, but also download malicious programs like ransomware viruses into it. Experts expect that hackers will actively exploit the system's flaw, as users are slow to install updates.

According to Yevgeny Lopatin, head of the complex threat detection department at Kaspersky Lab, attackers are now exploiting the vulnerability by sending a phishing email with a document attachment. An employee only needs to open such a document on his computer for the vulnerability to work, and then malware is downloaded and installed on the victim’s computer.

Rostelecom-Solar has registered one targeted attack on government bodies using this vulnerability, said Igor Zalevsky, head of the Solar JSOC CERT cyber incident investigation department.

The expert added that a number of government systems are still using Internet Explorer as the recommended browser.

This is actually a vulnerability in MSHTML, the engine of the Internet Explorer browser. This part is responsible for displaying the content of the web page (images, fonts, and other files). In this case, MSHTML is used by the Microsoft Office software package to display web content in documents.

The vulnerability in MSHTML allows an attacker to create modified documents with malicious scripts. After compromising the system through this vulnerability, an attacker can install a backdoor.

According to experts, a wave of attacks using the problem in MSHTML is expected. The vulnerability can be exploited both in advanced attacks and in regular phishing emails.
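Because the vulnerability lives in the component Office uses to render web content inside a document, one defender-side triage step is to list every relationship in a .docx that points outside the package and is not an ordinary hyperlink. The following scanner is an added example, not code from the article or from Kaspersky Lab; the two sample documents are constructed in memory and the external URL is a placeholder.

```python
"""Triage check for Office Open XML documents that pull in external content.

Added example; not code from the article or from Kaspersky Lab. Office renders
web content referenced by a document through MSHTML, so a cheap triage step is
to list every relationship in a .docx that points outside the package
(TargetMode="External") and is not a plain hyperlink. The sample documents
below are constructed in memory; the external URL is a placeholder.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_PREFIX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_relationships(docx_bytes):
    """Return (rels_part, short_type, target) for each external, non-hyperlink relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for name in package.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(package.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                short_type = rel.get("Type", "").replace(REL_TYPE_PREFIX, "")
                if short_type == "hyperlink":
                    continue  # clickable links are expected to be external
                findings.append((name, short_type, rel.get("Target", "")))
    return findings


def build_docx(rels_xml):
    """Construct a minimal .docx package with the given document.xml.rels content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<document/>")
        package.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples: one document with an ordinary hyperlink, one whose
# embedded object is loaded from an external location (placeholder URL).
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{REL_TYPE_PREFIX}hyperlink" Target="https://example.com/" TargetMode="External"/>
</Relationships>"""

SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{REL_TYPE_PREFIX}oleObject" Target="http://placeholder.invalid/object" TargetMode="External"/>
</Relationships>"""


def triage(docx_bytes):
    """Return 'review' when any external non-hyperlink reference is present, else 'ok'."""
    return "review" if external_relationships(docx_bytes) else "ok"


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        doc = build_docx(rels)
        print(label, triage(doc), external_relationships(doc))
```

The check is deliberately coarse: it does not decide whether a reference is malicious, only that the document will reach out of the package for something other than a link, which is the property a mail gateway or analyst wants to see before the file is opened.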

Only one-in-ten Russian organizations are aware of the danger of vulnerabilities in web applications

In 2020, attacks on the web accounted for one-third of all information security incidents. However, only 10% of Russian organizations believe that web applications are a priority element of the infrastructure for scanning for vulnerabilities.

Rostelecom-Solar surveyed 200 organizations of various sizes and profiles (public sector, finance, industry, IT, etc.) in April-June 2021. According to the survey, only 7% of organizations realize the importance of scanning isolated segments of the IT infrastructure, such as industrial networks or closed state data exchange systems. 29% of respondents consider it important to scan the external perimeter, while 45% named the organization's local network as the key element for vulnerability analysis. Only one-tenth of respondents consider it important to scan all elements of the infrastructure.

In general, according to the survey, 70% of organizations have vulnerability control. However, most of them do not scan regularly: more than 60% of companies scan the infrastructure once a quarter or less.

Experts note that almost all organizations either conduct scanning automatically (41% of respondents answered this way) or by means of a single dedicated information security specialist (39%). This is not enough to quickly process the data obtained from the scanner and formulate up-to-date recommendations for closing the vulnerabilities found.

According to experts, if the company does not have a vulnerability management process and there are no resources for processing the received data, so-called shadow IT appears in the infrastructure. These are unrecorded and therefore unprotected areas of the IT landscape that can be exploited by hackers to carry out an attack.

Hackers switched to combined cyber attacks on the Russian financial sector

Experts began to note the particular interest of cybercriminals in the Russian banking sector as early as mid-summer 2021. In July, the Bank of Russia reported about the risks of "infecting" financial institutions through members of their ecosystems.

In August, FinCERT noted a series of large-scale DDoS attacks on at least 12 major Russian banks, processing companies and Internet service providers. The requests came from the USA, Latin America and Asia.

In early September, the Russian financial sector was attacked again. So, large banks and telecom operators that provide them with communication services were attacked.

Since August 9, the Russian Cyber Threat Monitoring Center (SOC) of the international service provider Orange Business Services has recorded a sharp increase in the number of requests. Attackers combine well-known attacks such as TCP SYN flood, DNS amplification, UDP flood and HTTPS flood with recently discovered ones, for example DTLS amplification.

In total, more than 150 attacks were recorded during the month, from August 9 to September 9, 2021. At the same time, their intensity is constantly increasing. Criminals are constantly trying to increase the power of attacks in the hope that telecom providers will not be able to clean up traffic in such large volumes.

In addition, the attackers used large international botnets. The Orange Business Services SOC identified one such network, based in Vietnam and South America and comprising more than 60 thousand unique IP addresses, which was used to mount HTTPS Flood attacks on the 3-D Secure payment verification service.

The attackers also used an HTTPS Flood attack to make the banks' application unusable; in this case, the attack was carried out from IP addresses in Russia, Ukraine and France.

“Based on how persistently and ingeniously cybercriminals act, we can say that we are dealing with a complex planned action aimed at destabilizing at least the Russian financial market,” said Olga Baranova, COO of Orange Business Services in Russia and the CIS.

Scammers in Russia Offer Free Bitcoin on a Hacked Government Website


The website of the Russian government was recently hacked. The fraudsters started a phoney Bitcoin (BTC) scheme, which they then re-published after being taken down several times. An unnamed gang of hackers began promoting the Free BTC Giveaway scam on the Ryazan administration's website, according to the local Russian news source Izvestia. 

In the scam, the hackers advertised a payout of 0.025 BTC to everyone who installed the specified programme on their device. In the re-post, the hackers added that five lucky winners would each receive an extra $1,000. All messages, including the second post, have since been removed. 

The Russian government has tightened its grip on all crypto-crime in the country. Last month, Russia's Federal Financial Monitoring Service in Moscow, known as Rosfinmonitoring, launched the latest cryptocurrency tracing system. This will deanonymize traders' identities by further analysing their actions and movements. The tracing system in Russia, according to Rosfinmonitoring, is focused on combating money laundering and terrorist funding rackets.

In 2021, the global volume of cryptocurrency-related fraud grew substantially. According to specialists from the IT security firm Zecurion, losses in the first half of this year were an estimated $1.5 billion, which is two to three times more than the sum recorded in the same period last year. According to a study released, the Russian Federation is responsible for 2% of the total — some $30 million, or over 2.2 billion rubles.

The Central Bank of Russia (CBR) said in July that in the first six months of the year, it had discovered 146 financial pyramid schemes. In comparison to the same period in 2020, the number is 1.5 times greater. According to the regulators, consumers with poor financial literacy are frequently duped into investment schemes involving cryptocurrency or crypto mining. According to the CBR, the increase is due to increased activity by "unfair market participants" and increased investment demand in Russia. 

The primary reasons for the increase, according to analysts, are consumers' increasing exposure to digital assets as well as a desire to earn rapid profits in a burgeoning industry with few rules amid instability in traditional financial markets. They also predict crypto fraud to continue to climb this year, with an annual increase of 15% expected.

Mēris Botnet is the Perpetrator Behind the DDoS Attack that Hit Yandex


A new botnet dubbed Mēris has launched a record-breaking distributed denial-of-service (DDoS) attack on Russian internet company Yandex. The botnet is thought to have pounded the company's web infrastructure with millions of HTTP requests before peaking at 21.8 million requests per second (RPS), surpassing a recent botnet-powered attack that pounded an unnamed Cloudflare customer in the financial industry with 17.2 million RPS last month. 

Mēris - which means "Plague" in Latvian - is a "botnet of a new kind," according to Russian DDoS mitigation provider Qrator Labs, which revealed details of the attack on Thursday. The DDoS assaults used a method known as HTTP pipelining, which allows a client (such as a web browser) to open a connection to a server and send numerous requests without waiting for each answer. 

The malicious traffic came from over 250,000 compromised hosts, mostly Mikrotik network devices, with evidence pointing to a variety of RouterOS versions weaponized by exploiting yet unknown vulnerabilities. 

"It is also clear that this particular botnet is still growing. There is a suggestion that the botnet could grow in force through password brute-forcing, although we tend to neglect that as a slight possibility. That looks like some vulnerability that was either kept secret before the massive campaign's start or sold on the black market," the researchers noted. “Mēris can overwhelm almost any infrastructure, including some highly robust networks due to the enormous RPS power that it brings along.”

According to the researchers, Mēris uses the SOCKS4 proxy on the infected device, the HTTP pipelining DDoS method, and port 5678 to launch an assault. The hacked devices, according to the researchers, are linked to MikroTik, a Latvian manufacturer of networking equipment for organisations of various kinds. Ports 2000 and 5678 were open on the majority of the attacking devices. The latter points to MikroTik equipment, which uses it for neighbour detection (MikroTik Neighbor Discovery Protocol). While MikroTik's regular service on that port is delivered over the User Datagram Protocol (UDP), the hacked devices additionally have the Transmission Control Protocol (TCP) port open. 

According to Qrator Labs experts, this kind of disguise might be one of the reasons devices were hacked without their owners' knowledge. More than 328,000 hosts replied to a search for open TCP port 5678 on the public internet. However, this number does not correspond exactly to the number of MikroTik devices, as Linksys equipment also uses TCP on the same port.
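A pipelined client sends many requests over one connection without waiting for answers, so in a web server's access log it shows up as a burst of lines from one source within the same second, and an attack of the size described above shows up as a spike in total requests per second. The following sketch is an added example, not code from the article or from Qrator Labs: it buckets combined-format log lines by second, flags seconds whose request count reaches a threshold, and lists the sources that dominate each flagged second. The log lines and the thresholds are constructed for the sample.

```python
"""Per-second request-rate detection over web access logs.

Added example; not code from the article or from Qrator Labs. Buckets
combined-format log lines by second, flags seconds whose total request count
reaches a threshold, and lists the sources that dominate each flagged second.
The log lines below are constructed.
"""
import re
from collections import Counter, defaultdict

# Apache/nginx combined format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    """Return (source, timestamp-to-the-second) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2)


def detect_flood(lines, rps_threshold, per_source_threshold):
    """Return one alert per second whose request count reaches rps_threshold."""
    per_second = Counter()
    sources_per_second = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the run
        src, ts = parsed
        per_second[ts] += 1
        sources_per_second[ts][src] += 1
    alerts = []
    for ts, total in sorted(per_second.items()):
        if total < rps_threshold:
            continue
        heavy = [s for s, n in sources_per_second[ts].most_common()
                 if n >= per_source_threshold]
        alerts.append({"second": ts, "rps": total, "heavy_sources": heavy})
    return alerts


def make_line(src, ts, path):
    """Build one constructed combined-format log line."""
    return f'{src} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


def sample_log():
    """Constructed log: a quiet second followed by a burst from four sources."""
    quiet = "10/Sep/2021:12:00:00 +0000"
    burst = "10/Sep/2021:12:00:01 +0000"
    lines = [make_line("192.0.2.10", quiet, "/"),
             make_line("192.0.2.11", quiet, "/login"),
             make_line("192.0.2.12", quiet, "/static/app.js")]
    for host in ("198.51.100.5", "198.51.100.6", "203.0.113.7", "203.0.113.8"):
        lines += [make_line(host, burst, f"/api/search?q={i}") for i in range(10)]
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for alert in detect_flood(sample_log(), rps_threshold=20, per_source_threshold=5):
        print(alert)
```

In production the thresholds would be derived from a baseline of normal traffic rather than fixed constants, and the per-source list is only a starting point: a botnet of the size described spreads its requests across hundreds of thousands of hosts, so the aggregate rate is the signal, not any one client.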

Berlin accused Russian hackers of preparing cyberattacks before the elections

Andrea Sasse, a spokeswoman for the German Foreign Ministry, said that German intelligence agencies are recording growing activity by hackers allegedly connected with Russia.

"The German government calls on the Russian government to immediately stop this illegal cyber activity," she said.

According to the publication Suddeutsche Zeitung, the Federal Office for the Protection of the Constitution (which performs counterintelligence functions in Germany) and the Federal Office for Information Security also warn about the threat of hacker attacks. According to them, hackers have recently been increasingly attacking the personal and official email addresses of members of parliament.

The intelligence service warns that hackers can use the data obtained "to publish personal and intimate information or even fabricated fake news."

"The federal government has reliable information that [the hacker group] Ghostwriter, cybercriminals of the Russian state and, in particular, the Russian military intelligence of the GRU are behind the attacks," Sasse said. According to her, Berlin considers what is happening "as a heavy burden for bilateral relations."

According to U.S. cybersecurity company FireEye, Ghostwriter has existed since at least 2017, it acts "in accordance with the security interests of Russia." The group specializes in spreading disinformation, primarily among residents of Lithuania, Latvia and Poland, mainly about the attitude to the presence of NATO forces in Eastern Europe.

In May 2020, German Chancellor Angela Merkel announced that there was evidence of Russia's involvement in a cyberattack on the systems of the German parliament in 2015. In that attack a Trojan program was introduced into the Bundestag computer system, and the attackers managed to gain access to internal documents. The German prosecutor's office issued an arrest warrant for the Russian citizen Dmitry Badin, accusing him of working for the Russian secret services. According to German intelligence agencies, the Sofacy and APT28 groups, which were "financed by the Russian government," were behind the attack.

The largest banks in Russia were subjected to a large-scale DDoS attack

A new large-scale DDoS attack carried out late in the evening on September 2 led to the system failure of major banks and made some of their services unavailable. Thus, a number of large banks experienced problems with payments and card services for some time.

VTB, Sberbank and Alfa-Bank withstood the attack, but their Internet provider Orange Business Services experienced significant difficulties.

"Everything that went through Internet providers, including land points that are connected by wires, ATMs, POS terminals, did not work for some time," said a bank representative.

"The IT services of our partners and their communication providers faced a DDoS attack, which affected the payment of customers in remote service channels," VTB reported.

Sberbank reported that on September 2, a failure was recorded on the side of an external service provider, which could lead to short delays in the operation of individual services.

"Some reports recorded by the Downdetector resource could be related to problems with one of the local Internet providers," Alfa-Bank reported.

Olga Baranova, Operational Director of Orange Business Services in Russia and the CIS, said that since August 9 the company's cyber threat monitoring center has been recording round-the-clock attacks on financial clients, both volumetric attacks such as amplification and attacks over encrypted protocols (HTTPS).

"These attacks continue even now. The most powerful one was about 100 Gbps. Moreover, in terms of the number of attacks we detected, this August is comparable to the entire last year," she added.

As explained by the founder and CEO of Qrator Labs, Alexander Lyamin, amplification attacks are aimed at communication channels, while HTTPS or application-layer attacks are aimed directly at applications. "DDoS attacks of this type are the most dangerous: they are difficult to detect and neutralize since they can simulate legitimate traffic," he noted.
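The distinction Lyamin draws is visible in flow data: an amplification flood arrives as large UDP replies from reflector ports (DNS, NTP and similar) that the victim never asked for, while an HTTPS flood consists of ordinary-looking TLS connections and only stands out by their number. The following classifier is an added example, not code from the article or from Orange Business Services or Qrator Labs; it aggregates constructed bidirectional flow records per destination and second and labels each bucket. The reflector-port list and the thresholds are assumptions chosen for the sample.

```python
"""Labelling DDoS traffic from flow records: amplification vs. application layer.

Added example; not code from the article or from any vendor named in it.
Each flow record is bidirectional: bytes_in are bytes the destination
received, bytes_out bytes it sent back. Amplification shows up as UDP replies
from reflector source ports with nothing sent in return; an HTTPS flood shows
up as an unusual number of TCP/443 connections. Thresholds are assumptions.
"""
from collections import defaultdict

# Common UDP amplification sources (assumption: list is illustrative, not exhaustive)
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}


def summarize_flows(flows, bps_threshold, conn_threshold):
    """Return findings for every (dst, second) bucket that looks like an attack."""
    buckets = defaultdict(lambda: {"bytes_in": 0, "reflector_bytes": 0,
                                   "tls_conns": 0, "srcs": set()})
    for f in flows:
        b = buckets[(f["dst"], f["second"])]
        b["bytes_in"] += f["bytes_in"]
        b["srcs"].add(f["src"])
        if f["proto"] == "udp" and f["src_port"] in REFLECTOR_PORTS and f["bytes_out"] == 0:
            b["reflector_bytes"] += f["bytes_in"]  # large reply, nothing was requested
        if f["proto"] == "tcp" and f["dst_port"] == 443:
            b["tls_conns"] += 1
    findings = []
    for (dst, second), b in sorted(buckets.items()):
        bps = b["bytes_in"] * 8
        kinds = []
        # Volumetric: channel is saturated and most of the load is unsolicited reflector traffic
        if bps >= bps_threshold and b["reflector_bytes"] >= b["bytes_in"] / 2:
            kinds.append("amplification")
        # Application layer: traffic may be modest in bits, but the connection count is not
        if b["tls_conns"] >= conn_threshold:
            kinds.append("https_flood")
        if kinds:
            findings.append({"dst": dst, "second": second, "bps": bps,
                             "kinds": kinds, "sources": len(b["srcs"])})
    return findings


def flow(src, dst, proto, src_port, dst_port, bytes_in, bytes_out, second):
    return {"src": src, "dst": dst, "proto": proto, "src_port": src_port,
            "dst_port": dst_port, "bytes_in": bytes_in, "bytes_out": bytes_out,
            "second": second}


def sample_flows():
    """Constructed records: a normal second, a DNS reflection second, an HTTPS flood second."""
    flows = [flow("192.0.2.10", "198.51.100.20", "tcp", 50000, 443, 900, 4000, 0),
             flow("192.0.2.11", "198.51.100.20", "udp", 40000, 53, 70, 120, 0)]
    for i in range(200):  # unsolicited DNS replies from many resolvers
        flows.append(flow(f"203.0.113.{i % 250}", "198.51.100.20", "udp",
                          53, 40000 + i, 3000, 0, 1))
    for i in range(150):  # many short TLS connections from distinct clients
        flows.append(flow(f"198.18.{i // 250}.{i % 250}", "198.51.100.21", "tcp",
                          50000 + i, 443, 1200, 600, 2))
    return flows


if __name__ == "__main__":
    for finding in summarize_flows(sample_flows(), bps_threshold=1_000_000, conn_threshold=100):
        print(finding)
```

Note that the HTTPS second in the sample would also clear the bit-rate threshold, yet it is not labelled amplification because none of its load is unsolicited reflector traffic; that is exactly why the two attack classes need different mitigations (upstream filtering for the first, application-aware rate limiting for the second).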

The largest Internet companies of the Russian Federation signed the charter for the safety of children on the Internet

On Wednesday, September 1, Russian Internet companies, media holdings and telecom operators signed a charter on the safety of children on the Internet. The signing ceremony was attended by Russian President Vladimir Putin.

Within the framework of the charter, an Alliance for the Protection of Children in the Digital Environment was created, the participants of which made a number of voluntary commitments.

"The members of the alliance are the owners of the largest Russian platforms, video hosting sites and search engines. They take increased obligations to independently identify and restrict access to illegal information and content that can harm the health and development of children, as well as to exchange best practices and the latest developments in this area," the Kremlin website says.

Thus, the document was signed by Yandex, Group, Kaspersky Lab, National Media Group, Rostelecom, Megafon, MTS and Vimpelcom.

It is noted that the goal of the alliance is to create a favorable and safe digital environment that would give children the opportunity for creative and professional development, socialization and safe communication in the virtual space.

Evgeny Kaspersky, CEO of Kaspersky Lab, noted that the business already has the technological capabilities for this. According to him, technologies for protecting children "from malicious and poisonous berries on the Internet" have been developed and provided to many regions of Russia.

"We feel our responsibility to make the digital environment convenient for children so that they can learn, communicate and develop," said Anton Shingarev, chairman of the alliance.

Earlier, on May 22, First Deputy Head of the Presidential Administration of the Russian Federation Sergey Kiriyenko supported the idea of business to unite Russian IT companies into an Alliance for the Protection of Children in the Information Space. The initiative was proposed by Mikhail Pribochy, Managing Director of Kaspersky Lab in Russia, CIS and Baltic countries. According to him, the need for it arose in connection with the decline in digital literacy of the Russian population.

Customers of Russian banks will be recognized by the veins with the help of a new technology

Russian banks are going to introduce customer identification by the pattern of veins on their hands. It is assumed that this method of authentication will help to prevent unauthorized access to the savings of citizens. Meanwhile, experts were skeptical about the initiative. In their opinion, the system has significant disadvantages which can be used by criminals.

It is worth noting that Russian banks already have biometrics that allow them to identify customers by voice and face. "The palm vein pattern will remove barriers to biometric identification for people with hearing and speech problems due to various reasons," the Central Bank explained.

Nikita Durov, Technical director of Check Point Software Technologies in Russia and the CIS, said that with the introduction of the new identification system there are new risks of data substitution by intruders.

"Recently, we have witnessed how attackers used neural networks to replace people's faces in photos and videos. The same thing can happen with the substitution of the vein pattern," he added.

According to Durov, banks should be prepared for potential attacks.

"Scans should be done with the latest modern scanners to avoid mistakes and distortions," Durov added. He stressed that sometimes companies save money and buy cheaper storage and data protection systems that are not able to provide the necessary level of security.

Martin Hron, a leading cyber threat researcher at Avast, said that hackers always try to be one step ahead and look for ways to bypass even the strongest security systems, including biometrics.

The expert clarified that the creation of a fictitious pattern of veins is a matter of time.

Alexey Kuzmin, an expert of the Jet Infosystems company, agreed with the opinion that it is possible to deceive the identification system by scanning blood vessels, but it is much more difficult than systems with voice, face or finger detection.

The number of cases of hacking smartphone games has increased in the world

In the first half of 2021, the Russian mobile games market was among the world's top five leaders in terms of downloads. Therefore, hackers began to actively attack Russians playing on smartphones. In online games with prizes, attackers can crack the code to get rewards instead of honest participants. In games with registration, hackers hunt for the personal data of players. 

According to forecasts, the volume of the Russian video game market by the end of this year is expected to amount to $2,236 million. Along with the growing interest of consumers in video games, the activity of hackers and scammers is also growing.

Basically, the key to obtaining personal data, logins and access to the victim's computer is phishing. There are various schemes: from simple chat correspondence with malicious links to fraudulent sites where players are offered to improve statistics, download various hacks containing keyloggers or spyware.

It is quite simple to tell whether a game carries a risk of meeting a dishonest player. You only need to find out whether the application uses any anti-cheat software (software for detecting and preventing the use of cheating tools) and how often it is updated. Such information is usually publicly available; often the developers of a particular game publish it themselves.

According to Panda Security in Russia and the CIS, cryptojacking malware can also be added to the current problems of gamers. Cryptojacking is the use of devices (computers, smartphones, tablet PCs, or even servers) without the knowledge of their owners for the purpose of hidden mining of cryptocurrencies. 

The best way not to become a victim of such phishing is not to download pirated software. If the user notices that the PC or mobile device has become slower or crashes, there is a high probability that the gamer is unknowingly "mining" cryptocurrency for hackers.

Ficker – An Info-Stealer Malware Being Distributed by Russians


Threat actors are using the Malware-as-a-Service (MaaS) model to attack Windows users, according to researchers. The new info-stealer malware “Ficker” was discovered and is being disseminated via a Russian underground forum by threat actors. FickerStealer is a family of data-stealing malware that first appeared in the year 2020. It can steal sensitive data such as passwords, online browser passwords, cryptocurrency wallets, FTP client information, Windows Credential Manager information, and session information from various chat and email clients. 

Unlike in the past, when Ficker was spread via Trojanized web links and hacked websites, causing victims to unintentionally download the payload, the current outbreak is stealthy and uses the well-known malware downloader Hancitor to spread. 

Hancitor (also known as Chanitor) malware first appeared in the wild in 2013, relying on social engineering techniques such as posing as DocuSign, a genuine document signing service. This malware tricked users into allowing its harmful macro code to run, allowing it to infect the victim's computer. Hancitor will attempt to download a wide range of additional harmful components after connecting to its command-and-control (C2) infrastructure, depending on its operators' most recent malicious campaign. 

The attack begins with the attackers sending malicious spam emails with a weaponized Microsoft Word document attached, which is fully phoney yet masquerades as the real thing. Spam email content entices victims to open it, resulting in the execution of malicious macro code that allows Hancitor to communicate with the command and control server and get a malicious URL containing a Ficker sample.

To evade detection, the loader injects Ficker into an instance of svchost.exe on the victim's PC and conceals its activity there. Threat actors routinely use svchost.exe to hide malware inside a system process and avoid detection by typical antivirus software. 

Researchers also discovered that Ficker is heavily obfuscated and uses multiple anti-analysis checks to avoid executing in a virtual environment. The malware authors also included a check that prevents it from executing in certain countries, namely Russia, Uzbekistan, Belarus, Armenia, Kazakhstan, and Azerbaijan. 

According to the Blackberry report, “The malware also has screen-grab abilities, which allow the malware’s operator to remotely capture an image of the victim’s screen. The malware also enables file-grabbing and additional downloading capabilities once connection to its C2 is established.”
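Injecting into svchost.exe hides a payload among dozens of legitimate instances, so a practical hunt is to compare each svchost.exe process-creation event with what the genuine service host always looks like: launched by services.exe, from the System32 or SysWOW64 directory, with a "-k <service group>" argument. The following hunt is an added example, not code from the article or from the BlackBerry report; the events are constructed in a Sysmon-like shape, the allowed-parent list is an assumption, and the path of the fake binary is a placeholder.

```python
"""Hunting for svchost.exe instances that do not look like the real service host.

Added example; not code from the article or from the BlackBerry report.
A genuine svchost.exe is started by services.exe, lives in System32 or
SysWOW64, and carries a "-k <group>" argument naming its service group.
Anything else deserves a look. Events below are constructed; the allowed
parent list is an assumption (some security products also spawn svchost).
"""
import ntpath

ALLOWED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
ALLOWED_PARENTS = {"services.exe"}  # assumption for this sample


def check_svchost(event):
    """Return the reasons an event deviates from a genuine svchost launch (empty if none)."""
    image = event["Image"].lower()
    if ntpath.basename(image) != "svchost.exe":
        return []  # not our concern here
    reasons = []
    if ntpath.dirname(image) not in ALLOWED_DIRS:
        reasons.append(f"unexpected path {event['Image']}")
    parent = ntpath.basename(event["ParentImage"].lower())
    if parent not in ALLOWED_PARENTS:
        reasons.append(f"unexpected parent {event['ParentImage']}")
    if "-k" not in event["CommandLine"].lower().split():
        reasons.append("missing -k service group argument")
    return reasons


def hunt(events):
    """Return (ProcessId, reasons) for every suspicious svchost event."""
    results = []
    for event in events:
        reasons = check_svchost(event)
        if reasons:
            results.append((event["ProcessId"], reasons))
    return results


# Constructed process-creation events (Sysmon Event ID 1 style field names)
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"ProcessId": 1002, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"C:\Windows\System32\svchost.exe"},
    {"ProcessId": 1003, "Image": r"C:\Users\Public\svchost.exe",  # placeholder path
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\Public\svchost.exe -k netsvcs"},
    {"ProcessId": 1004, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The second sample event is the shape a document-delivered loader tends to produce: a hollow svchost.exe with no service group, started by an Office process rather than by the service control manager. Process-injection into an already running svchost.exe will not show up in creation events at all, which is why this check complements, rather than replaces, memory-based detection.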

ESET: 77% of Russian residents believe they are being tracked via their smartphones

According to a survey conducted by ESET, a company specializing in anti-virus software development and protection against cyberthreats, most Russians (77%) believe that they are being tracked via mobile devices.

Young people aged 18 to 24 expressed the least concern about possible surveillance (35%), believing it is a manifestation of paranoia. People over 35 years of age are more concerned about surveillance.

At the same time, 39.5% of respondents believe that the search history on all devices is tracked, 25.5% believe that all actions performed on the device are transmitted, 14.1% believe that they are monitored using the microphone and gadget camera, and 20.9% think that all the above means are used.

Among the main reasons why interested companies collect personal data, 65% of the study participants named the setting of targeted advertising. According to other respondents, the data is used by special services and fraudsters.

According to the study, the Russians are afraid of the use of their personal data by fraudsters, leakage of intimate videos and photos, reading correspondence and wiretapping, as well as study habits and interests based on the search history.

To avoid potential surveillance, 45% of respondents disable geolocation on their devices. Another 39% check the ability of applications to access data. 34 and 32% avoid discussing personal topics on the phone and connecting to public Wi-Fi.

In July, Pavel Durov, the founder of VKontakte and Telegram, reported about the surveillance of his mobile device with the help of a spyware program. According to him, spyware applications are able to hack any phone on the iOS and Android operating systems and there is no way to protect the device now.

Researchers Uncovered Russian Spy Agencies Targeting Slovak Government


For months, the Slovak government has been targeted by a cyber-espionage group associated with a Russian intelligence agency, Slovak security companies ESET and IstroSec stated this week. The Slovak internet security firm ESET develops anti-virus and firewall products. With headquarters in Bratislava, Slovakia, ESET earned the award for the most successful Slovakian company in 2008, 2009, and 2010. 

The companies also provided further details on the attacks on the Slovak government, including the Cobalt Strike infrastructure employed by the attackers. The group held responsible, known as the Dukes, Nobelium or APT29, is affiliated with the Russian Foreign Intelligence Service (SVR). Its activity dates back to 2008 and typically targets government networks in NATO and European countries, research institutes, and think tanks. 

The SVR hackers are believed to have spear-phished senior government officials using publicly available information, community threat intelligence sources (VirusTotal), and their investigations. The security firms IstroSec and ESET claimed that the SVR targeted the Slovak officials through spear-phishing campaigns. 

Researchers speaking at the Def Con conference reported that SVR operators sent spear-phishing emails to Slovak diplomats posing as the National Security Authority (NBU) of Slovakia in order to infect their systems. The ISO/IMG attachment in the email was made to look like a Word document. 

IstroSec researchers have described how the SVR command-and-control servers used during these assaults were uncovered. The report stresses that certain C&C servers used by the SVR also hosted documents targeting government representatives in the Czech Republic. 

Furthermore, European diplomats in 13 countries have been targeted by the group, as stated by the security firm ESET. All the cyberattacks in these events employed the same strategy, according to ESET: email -> ISO disk image -> LNK shortcut file -> Cobalt Strike backdoor. Volexity and Microsoft have previously described this tactic in their respective reports. 

Cobalt Strike is commercial adversary simulation and red team operations software. It has been used by numerous penetration testers and red teams, and also by sophisticated actors such as APT19, APT29, APT32, Leviathan, the Cobalt Group, and FIN6; a commercial licence costs $3,500 per user per year. 

As part of its malware attack on iOS devices, the Russian cyber espionage group employed a huge variety of tactics against them. One such attack has exploited a zero-day Safari iOS flaw to steal information and data of diplomats that read their emails on their iPhones. 

Local authorities, including the national computer security incident response team, were notified of the incidents and findings. The study includes the collected indicators of compromise, such as hashes and IP addresses.

Russia has developed a virtual reality helmet for recruitment

Researchers from Samara State University have developed a technology to assess the psychological qualities of a job seeker using a virtual reality helmet. Such an idea will help employers assess the personality of the person when recruiting staff.

It is noted that the tested person gets into a specially created virtual environment, which he perceives as real. At this time, the computer evaluates his physical and emotional state without human assistance.

The cost of such a system, which includes a computer and a VR helmet, will be about 120 thousand rubles ($1,600). The program "Psychodiagnostics in VR" and joysticks that read the micro-movements of fingers are also included. The level of anxiety, the reaction to stress, emotional excitability, as well as the cognitive activity of a person are assessed.

Experts reacted to the initiative ambiguously. Sports psychologist Olga Tiunova noted that for many years there have been attempts to create a psychological portrait of an ideal champion, but so far they have not been crowned with success. Special forces instructor Alexander Lastovina added that "Psychodiagnostics in VR" can be used to test soldiers, but the technology should be verified for effectiveness.

Also, specialists noted that a person is something more than a set of psychological characteristics.

It is interesting to note that earlier Irish scientists recognized that computer games are useful in the fight against a number of mental illnesses: they have a beneficial effect on people with anxiety disorders and depression and may even be more useful than traditional methods of treatment. The researchers concluded that games can be used as an alternative to medical care.

Russian scientists have launched the first quantum network with open access in Moscow

Russian scientists have launched in Moscow the first quantum network with open access, in which all interested organizations will be able to participate.

"The main advantage of our quantum network is its openness compared to those that were developed earlier. This could radically change the quantum communications market. Both software developers and organizations wishing to connect experimental sections of their infrastructure to implement quantum-protected solutions can participate in this project," said Yuri Kurochkin, head of the quantum communications group at the Russian Quantum Center.

Mr. Kurochkin and his colleagues have launched Russia's first interuniversity quantum network based on an open architecture. Thanks to this, it can be scaled and expanded in any way.

The network is based on the technology of quantum key distribution, as well as comprehensive network protection systems. Existing fiber optic lines are used for key and data transmission, which significantly reduces the cost of operating and expanding the network.

The network is set up so that interested organizations can use it primarily to develop modern information security software built on quantum keys. In addition, once the network is expanded, the scientists plan to study in detail how effectively the procedure for reserving its capacity works.

Unbreakable quantum communication and cryptography systems have been actively developed over the last ten years. In Russia, the first research networks of this kind appeared in 2014, and in recent years several long-distance and intercity quantum networks have been created, which are used in practice in several branches of major Russian banks.

According to their developers, quantum cryptography and communication systems in theory minimize the possibility of "invisible eavesdropping", because the laws of quantum mechanics do not allow the states of the light particles exchanged by participants in a quantum network to be copied. This makes them attractive for the secure exchange of cryptographic keys, which are then used for data encryption in conventional fiber-optic or wireless networks.

Spanish botnet attacked Russian companies

StormWall, a provider of DDoS protection services, said that over the past month Russian companies have been attacked by one of the most powerful DDoS botnets on the Internet. Qrator Labs first noticed this botnet at the end of last year.

According to StormWall, the new botnet is of Spanish origin and consists of 49 thousand devices; the maximum power of its attacks reaches 2 Tbit/s. Most of the attacks target the gaming industry. Such a botnet can be rented for $2,500 for two days.

The new botnet has several sites offering DDoS services for rent; the rate for organizing attacks at several terabits per second is about $100 per hour. According to Qrator Labs, attacks using it occur every month, and they are dangerous because not all operators, even at the federal level, are able to withstand attacks of such power.

The Kaspersky Lab expert believes that the gaming industry has long faced the problem of DDoS attacks, and its large companies use effective protection, so less powerful botnets do not give hackers the necessary efficiency.

In addition, according to experts, the gaming segment is currently experiencing another financial boom, as its audience grew when people began to devote more time to games during the pandemic.

Experts believe that cybercriminals prefer not to attack protected resources because it is expensive, not very effective, and carries the risk that the botnet will be detected and blocked. It is also hard to believe that a botnet consists of 49 thousand infected servers, as servers are usually better protected than users' computers.

Chinese Webdav-O Virus Attacked Russian Federal Agencies


In 2020, a collection of Chinese state-sponsored threat groups may have been behind a series of targeted attacks on Russian federal executive authorities. The latest study, published by Singapore-based Group-IB, examines a piece of malware known as "Webdav-O" that was discovered in the intrusions. The cybersecurity firm noted similarities between the tool and a well-known Trojan called "BlueTraveller," which is linked to a Chinese threat group known as TaskMasters and used in espionage campaigns aimed at stealing confidential documents.

The report builds on a series of public disclosures in May from Solar JSOC and SentinelOne, both of which described a malware called "Mail-O" that was also observed in attacks against Russian federal executive authorities and used to access a cloud service. SentinelOne linked it to a variant of another well-known malicious program called "PhantomNet" or "SManager", used by a threat actor dubbed TA428.

TA428 has been targeting government entities in East Asia since 2013, with a particular focus on those involved in domestic and foreign policy, government information technology, and economic development. According to Proofpoint researchers, the attackers used the Microsoft Equation Editor exploit CVE-2018-0798 to deploy a custom malware called Cotx RAT. This APT group also employs Poison Ivy payloads, which share command and control (C&C) infrastructure with the newly discovered Cotx attacks.

"Chinese APTs are one of the most numerous and aggressive hacker communities," researchers Anastasia Tikhonova and Dmitry Kupin said. "Hackers mostly target state agencies, industrial facilities, military contractors, and research institutes. The main objective is espionage: attackers gain access to confidential data and attempt to hide their presence for as long as possible."

"The main goal of the hackers was to completely compromise the IT infrastructure and steal confidential information, including documents from closed segments and email correspondence of key federal executive authorities," Solar JSOC noted, adding the "cybercriminals ensured themselves a high level of secrecy through the use of legitimate utilities, undetectable malware, and a deep understanding of the specifics of the work of information protection tools installed in government bodies."

“It is noteworthy that Chinese hacker groups actively exchange tools and infrastructure, but perhaps it is just the case here,” Group-IB points out. The researchers also note that the evidence suggests a large hacking force made up of People's Liberation Army intelligence units may be operating out of China, with the numerous Chinese APT groups tracked by threat intelligence firms being little more than its subgroups.

Widespread Cyber Espionage Attacks Use New Chinese Spyware


According to new research, a threat actor believed to be of Chinese origin has been linked to a series of ten attacks from January to July 2021 that deployed a remote access trojan (RAT) on infected computers and targeted Mongolia, Russia, Belarus, Canada, and the United States. The breaches have been attributed to APT31 (FireEye), an advanced persistent threat that the cybersecurity community also tracks as Zirconium (Microsoft), Judgement Panda (CrowdStrike), and Bronze Vinewood (Secureworks).

BRONZE VINEWOOD has hidden malicious activity within legitimate network traffic by using prominent social media and code repository sites. Secureworks Counter Threat Unit (CTU) researchers have also uncovered previous BRONZE VINEWOOD campaigns that leveraged DLL search-order hijacking to distribute the HanaLoader downloader malware and other malicious payloads.

According to researchers, the group is thought to be a Chinese state-sponsored cyberespionage actor attempting to acquire intelligence that benefits the Chinese government and state-owned firms.

In the attacks, a new malware dropper was used. It included a downloader that fetches encrypted next-stage payloads from a remote command-and-control server and can decode and execute them. The malicious code can download further malware, putting victims at even greater risk, as well as perform file operations, exfiltrate sensitive data, and even remove itself from the compromised machine.

Positive Technologies researchers Denis Kuvshinov and Daniil Koloskov found the self-delete command noteworthy, since it uses a .bat file to wipe all of the registry keys and files created as a result of running the malware.

The malware's similarities to a trojan known as DropboxAES RAT, which was used by the same threat group last year and relied on Dropbox for command-and-control (C2) communications, are also worth noting, with numerous overlaps found in the techniques and mechanisms used to inject the attack code, achieve persistence, and delete the espionage tool.

Although BRONZE VINEWOOD calls the software DropboxAES RAT, CTU researchers found that it does not use the Advanced Encryption Standard (AES). Instead, it uses the ChaCha20 stream cipher to encrypt and decrypt data. Older versions of the malware may have used AES encryption.

"The revealed similarities with earlier versions of malicious samples described by researchers, such as in 2020, suggest that the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in particular," the researchers concluded.

Security Researchers Discovered Crimea Manifesto Buried in VBA Rat


On Thursday, Hossein Jazi and the Threat Intelligence team at Malwarebytes released a report revealing a new threat actor that may be targeting Russian and pro-Russian individuals. The attackers included a manifesto regarding Crimea, implying that the attack was politically motivated. The attacks use a suspicious document called "Manifest.docx", which combines two attack vectors: remote template injection and CVE-2021-26411, an Internet Explorer exploit. Malwarebytes' Threat Intelligence team discovered "Манифест.docx" ("Manifest.docx") on July 21.

"Both techniques have been loaded by malicious documents using the template injection technique. The first template contains a URL to download a remote template that has an embedded full-featured VBA Rat. This Rat has several different capabilities including downloading, uploading, and executing files," Jazi said.

The second template is imported into the document and is referenced in Document.xml.rels. According to the threat research teams at Google and Microsoft, the loaded code contains an IE exploit (CVE-2021-26411) that was previously used by the Lazarus APT to target security researchers working on vulnerability disclosure. The shellcode used in this exploit loads the same VBA Rat as the remote template injection vector.

According to Jazi, the attack was motivated by the ongoing conflict between Russia and Ukraine, which includes Crimea, and the report notes that cyberattacks on both sides have been on the rise. Jazi cautions, however, that the manifesto and Crimea material might be used by the threat actors as a false flag.

According to the report, the attackers combined social engineering with the exploit to boost their chances of infecting victims. Malwarebytes was unable to attribute the attack to a specific actor, but said that victims were shown a decoy document containing a statement from a group linked to a figure named Andrey Sergeevich Portyko, who supposedly opposes Russian President Vladimir Putin's Crimean Peninsula policies.

According to Jazi, the decoy document is loaded after the remote templates. The document is written in Russian but also has an English translation. The VBA Rat included in the attack collects victim information, identifies the AV product installed on the victim's workstation, runs shellcode, deletes files, uploads and downloads files, and reads disk and file system information. Instead of using well-known API calls for shellcode execution, which AV products can easily flag, the threat actor used the EnumWindows API, an unusual choice, to run its shellcode, according to Jazi.
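The remote template injection described above works because a Word document's relationship files (`*.rels`) can point at a template by URL with `TargetMode="External"`, so Word fetches it when the file is opened. The following added example, which is not Malwarebytes' code, shows a defender-side triage check: it unpacks a .docx in memory and lists every relationship whose target is external. The sample document, the `template.invalid` URL and the helper names are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def find_external_relationships(docx_bytes):
    """Return (rels part, relationship type, target) for every relationship in
    the OOXML package whose TargetMode is External, i.e. content that Word
    fetches from a URL at open time instead of reading from inside the file.
    An attachedTemplate relationship with an external target is the
    remote-template-injection pattern; a clean document has none."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, rtype, rel.get("Target", "")))
    return findings


def build_sample_docx(template_url=None):
    """Constructed, minimal (not openable) .docx built in memory for the test.
    When template_url is given, word/_rels/settings.xml.rels carries the
    external attachedTemplate relationship a remote-template document has."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(
            "word/_rels/document.xml.rels",
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%ssettings" '
            'Target="settings.xml"/></Relationships>' % (REL_NS, OFFICE_REL))
        settings_rel = ""
        if template_url:
            settings_rel = ('<Relationship Id="rId1" Type="%sattachedTemplate" '
                            'Target="%s" TargetMode="External"/>' % (OFFICE_REL, template_url))
        zf.writestr("word/_rels/settings.xml.rels",
                    '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, settings_rel))
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_external_relationships(build_sample_docx("http://template.invalid/t.dotm")):
        print("external relationship:", hit)
```

Run the same function over real samples from a mail gateway quarantine; any `attachedTemplate` or `oleObject` relationship with an external target deserves a closer look.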

Evidence Indicates Russia's SVR is Still Using 'WellMess' Malware, Despite US Warnings


President Joe Biden's appeal for Vladimir Putin to crack down on cyberattacks emanating from within Russia appears to have failed to persuade the Kremlin to give it up. 

In a report published Friday, RiskIQ said it had discovered active hacking infrastructure that Western governments last summer attributed to APT29, or Cozy Bear, a group linked to Russia's SVR intelligence agency, which used it to obtain Covid-19 research data.

The malware, known as WellMess or WellMail, prompted official warnings in the United States, the United Kingdom, and Canada in July 2020. In April, the FBI urged companies to patch five known vulnerabilities that, according to US officials, the SVR had exploited.

RiskIQ says it detected three dozen command-and-control servers serving WellMess that were under APT29 control. The firm turned its attention to this infrastructure following a US-Russia summit at which cyberattacks were discussed.

“The behaviour found was noteworthy considering the circumstances in which it emerged, following on the heels of President Biden's public condemnation of Russian hacking at a recent summit with President Putin,” stated RiskIQ's Team Atlas. 

Cozy Bear has not been openly accused of involvement in any recent ransomware operations, which were the focus of the White House's discussions with Russia. The group has instead distinguished itself by conducting cyber-espionage against targets such as the federal contractor SolarWinds and the Democratic National Committee.

RiskIQ does not know how Russian operators are now using the WellMess malware. The company stated, “Readers should note that much of this infrastructure is still in active use by APT29, though we do not have enough information to say how it is being used or who the targets are.”

Biden has been urging Putin, both personally and in public statements, to stop malicious cyber activity originating from Russia, notably ransomware attacks believed to be conducted by criminal groups.

The phone call between the two men followed a series of high-profile ransomware attacks with suspected Russian roots, the most recent of which affected hundreds of people as a result of an incident at the software company Kaseya.

“I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden told reporters about the call.

In a speech last week, Biden told intelligence officials that if the US finds itself in a “shooting war” with a significant foreign power, it will probably come in response to a cyber attack.