Russian – INDIA NEWS (https://www.indiavpn.org) News Blog

Russian Hackers Use ‘WINELOADER’ Malware to Target German Political Parties
https://www.indiavpn.org/2024/03/23/russian-hackers-use-wineloader-malware-to-target-german-political-parties/
Sat, 23 Mar 2024 07:03:32 +0000

Mar 23, 2024 | Newsroom | Cyber Espionage / Cyber Warfare

The WINELOADER backdoor used in recent cyber attacks targeting diplomatic entities with wine-tasting phishing lures has been attributed to a hacking group linked to Russia’s Foreign Intelligence Service (SVR), the same group that was responsible for breaching SolarWinds and Microsoft.

The findings come from Mandiant, which said Midnight Blizzard (aka APT29, BlueBravo, or Cozy Bear) used the malware to target German political parties with phishing emails bearing a logo from the Christian Democratic Union (CDU) around February 26, 2024.

“This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions,” researchers Luke Jenkins and Dan Black said.

WINELOADER was first disclosed by Zscaler ThreatLabz last month as part of a cyber espionage campaign that’s believed to have been ongoing since at least July 2023. It attributed the activity to a cluster dubbed SPIKEDWINE.

Attack chains use phishing emails with German-language lure content posing as an invitation to a dinner reception. The lure tricks recipients into clicking a phony link that downloads a rogue HTML Application (HTA) file, the first-stage dropper ROOTSAW (aka EnvyScout), which in turn retrieves WINELOADER from a remote server.

“The German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper hosted on an actor-controlled compromised website,” the researchers said. “ROOTSAW delivered a second-stage CDU-themed lure document and a next stage WINELOADER payload.”

WINELOADER is launched through DLL side-loading: the legitimate Microsoft SQL Server utility sqldumper.exe is placed next to the malicious DLL so that it loads the payload instead of the library it expects. Once running, the backdoor contacts an actor-controlled server and fetches additional modules for execution on the compromised host.
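The side-loading step above is the part of this chain a defender can hunt for generically: a Microsoft-signed binary executing from a user-writable directory and resolving a DLL from that same directory. The following is an added example (not code from Mandiant, Zscaler or this page) that runs a detection over constructed Sysmon Event ID 7 (ImageLoad) records. The trusted install roots for sqldumper.exe, the sample paths and the DLL file name in the malicious record are assumptions for the demo; the page does not name the side-loaded DLL.

```python
import re
from dataclasses import dataclass

# One Sysmon Event ID 7 (ImageLoad) record, reduced to the fields the rule needs.
@dataclass
class ImageLoad:
    image: str          # full path of the process that loaded the DLL
    image_loaded: str   # full path of the DLL
    signed: bool        # Sysmon "Signed" field for the DLL
    signature: str      # Sysmon "Signature" (signer name) for the DLL

# Install locations where a legitimately deployed sqldumper.exe is expected.
# These roots are an assumption for the demo; take them from your own software inventory.
TRUSTED_ROOTS = (
    "c:\\program files\\microsoft sql server\\",
    "c:\\program files (x86)\\microsoft sql server\\",
    "c:\\windows\\system32\\",
)

# Locations a standard user can write to; a DLL loaded from here is a side-loading red flag.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|^c:\\programdata\\|\\temp\\",
    re.I,
)

def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() + "\\"

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def is_trusted_location(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)

def sideload_indicators(ev: ImageLoad) -> list:
    """Return the side-loading indicators present in one ImageLoad event."""
    reasons = []
    if not is_trusted_location(ev.image):
        reasons.append("host binary runs outside its trusted install path")
    if _dirname(ev.image_loaded) == _dirname(ev.image) and not is_trusted_location(ev.image_loaded):
        reasons.append("DLL resolved from the binary's own directory")
    if USER_WRITABLE.search(_dirname(ev.image_loaded)):
        reasons.append("DLL lives in a user-writable directory")
    if not ev.signed or "microsoft" not in ev.signature.lower():
        reasons.append("DLL is not Microsoft-signed")
    return reasons

def detect_sideload(events, watched=("sqldumper.exe",), min_indicators=2):
    """Flag watched signed binaries whose DLL load shows at least min_indicators red flags.
    Requiring two indicators keeps a lone unsigned third-party DLL from paging anyone."""
    alerts = []
    for ev in events:
        if _basename(ev.image) not in watched:
            continue
        reasons = sideload_indicators(ev)
        if len(reasons) >= min_indicators:
            alerts.append({"image": ev.image, "dll": ev.image_loaded, "reasons": reasons})
    return alerts

# Constructed sample events (not real telemetry). "sideloaded.dll" is a placeholder name.
SAMPLE_EVENTS = [
    ImageLoad("C:\\Program Files\\Microsoft SQL Server\\150\\Shared\\SqlDumper.exe",
              "C:\\Windows\\System32\\kernel32.dll", True, "Microsoft Windows"),
    ImageLoad("C:\\Users\\jdoe\\AppData\\Local\\Temp\\invite\\sqldumper.exe",
              "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invite\\sideloaded.dll", False, ""),
    ImageLoad("C:\\Windows\\explorer.exe",
              "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invite\\sideloaded.dll", False, ""),
]

if __name__ == "__main__":
    for alert in detect_sideload(SAMPLE_EVENTS):
        print(alert["image"], "->", alert["dll"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

The rule is deliberately not tied to one DLL name: side-loading abuses the loader's search order, so the observable is the host binary's location and where its import was resolved from, not which library was swapped. Extend the `watched` tuple with other signed binaries known to be abused the same way.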

It’s said to share similarities with known APT29 malware families like BURNTBATTER, MUSKYBEAT, and BEATDROP, suggesting the work of a common developer.

WINELOADER, per the Google Cloud subsidiary, has also been employed in an operation targeting diplomatic entities in the Czech Republic, Germany, India, Italy, Latvia, and Peru in late January 2024.

“ROOTSAW continues to be the central component of APT29’s initial access efforts to collect foreign political intelligence,” the company said.

“The first-stage malware’s expanded use to target German political parties is a noted departure from the typical diplomatic focus of this APT29 subcluster, and almost certainly reflects the SVR’s interest in gleaning information from political parties and other aspects of civil society that could advance Moscow’s geopolitical interests.”

The development comes as German prosecutors have charged a military officer, named Thomas H, with espionage offenses after he was allegedly caught spying on behalf of Russian intelligence services and passing on unspecified sensitive information. He was arrested in August 2023.

“From May 2023, he approached the Russian Consulate General in Bonn and the Russian Embassy in Berlin several times on his own initiative and offered to cooperate,” the Office of the Federal Prosecutor said. “On one occasion, he transmitted information that he had obtained in the course of his professional activities for forwarding to a Russian intelligence service.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



Russian Hackers Target Ukrainian Telecoms with Upgraded ‘AcidPour’ Malware
https://www.indiavpn.org/2024/03/22/russian-hackers-target-ukrainian-telecoms-with-upgraded-acidpour-malware/
Fri, 22 Mar 2024 04:58:36 +0000

Mar 22, 2024 | Newsroom | Linux / Cyber Warfare

The data wiping malware called AcidPour may have been deployed in attacks targeting four telecom providers in Ukraine, new findings from SentinelOne show.

The cybersecurity firm also confirmed connections between the malware and AcidRain, tying it to threat activity clusters associated with Russian military intelligence.

“AcidPour’s expanded capabilities would enable it to better disable embedded devices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions,” security researchers Juan Andres Guerrero-Saade and Tom Hegel said.

AcidPour is a variant of AcidRain, the wiper that was used to render Viasat KA-SAT modems inoperable at the onset of the Russo-Ukrainian war in early 2022 and cripple Ukraine’s military communications.

AcidPour builds on AcidRain’s features but targets Linux systems running on the x86 architecture, whereas AcidRain was compiled for MIPS.

Where AcidRain was more generic, AcidPour incorporates logic to target embedded devices, Storage Area Networks (SANs), Network Attached Storage (NAS) appliances, and dedicated RAID arrays.

That said, both strains overlap in their use of reboot calls and in the method employed for recursive directory wiping. Also identical is the IOCTL-based device-wiping mechanism, which in turn shares commonalities with VPNFilter, another malware family linked to Sandworm.

“One of the most interesting aspects of AcidPour is its coding style, reminiscent of the pragmatic CaddyWiper broadly utilized against Ukrainian targets alongside notable malware like Industroyer 2,” the researchers said.

The C-based malware comes with a self-delete function that overwrites itself on disk at the beginning of its execution, and it chooses between alternate wiping approaches depending on the device type.

AcidPour has been attributed to a hacking crew tracked as UAC-0165, which is associated with Sandworm and has a track record of striking Ukrainian critical infrastructure.

The Computer Emergency Response Team of Ukraine (CERT-UA), in October 2023, implicated the adversary in attacks targeting at least 11 telecommunication service providers in the country between May and September of last year.

“[AcidPour] could have been used in 2023,” Hegel told The Hacker News. “It’s likely the actor has made use of AcidRain/AcidPour related tooling consistently throughout the war. A gap in this perspective speaks to the level of insight the public often has to cyber intrusions – generally quite limited and incomplete.”

The ties to Sandworm are further bolstered by the fact that a threat actor known as Solntsepyok (aka Solntsepek or SolntsepekZ) claimed to have infiltrated four different telecommunication operators in Ukraine and disrupted their services on March 13, 2024, three days prior to the discovery of AcidPour.

Solntsepyok, according to the State Special Communications Service of Ukraine (SSSCIP), is a Russian advanced persistent threat (APT) with likely ties to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), which also operates Sandworm.

It’s worth pointing out that Solntsepyok has also been accused of hacking into Kyivstar’s systems as early as May 2023. The breach came to light in late December.

While it’s currently not clear if AcidPour was used in the latest set of attacks, the discovery suggests that threat actors are constantly refining their tactics to stage destructive assaults and inflict significant operational impact.

“This progression reveals not only a refinement in the technical capabilities of these threat actors but also their calculated approach to select targets that maximize follow-on effects, disrupting critical infrastructure and communications,” the researchers said.

Suspected Russian Data-Wiping ‘AcidPour’ Malware Targeting Linux x86 Devices
https://www.indiavpn.org/2024/03/19/suspected-russian-data-wiping-acidpour-malware-targeting-linux-x86-devices/
Tue, 19 Mar 2024 13:45:23 +0000

Mar 19, 2024 | Newsroom | Linux / Cyber Espionage

A new variant of the data wiping malware AcidRain, dubbed AcidPour, has been detected in the wild, and it is compiled specifically for Linux x86 devices, SentinelOne’s Juan Andres Guerrero-Saade said in a series of posts on X.

“The new variant […] is an ELF binary compiled for x86 (not MIPS) and while it refers to similar devices/strings, it’s a largely different codebase,” Guerrero-Saade noted.

AcidRain first came to light in the early days of the Russo-Ukrainian war, with the malware deployed against KA-SAT modems from U.S. satellite company Viasat.

AcidRain, an ELF binary compiled for MIPS, wipes the filesystem and a set of known storage device files by recursively iterating over the directories common to most Linux distributions.

The cyber attack was subsequently attributed to Russia by the Five Eyes nations, along with Ukraine and the European Union.

AcidPour, as the new variant is called, additionally erases content from RAID arrays and Unsorted Block Image (UBI) file systems by adding device paths such as “/dev/dm-XX” and “/dev/ubiXX,” respectively, to its target list.
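Two of the facts reported about AcidPour in this and the previous article (it is an x86 ELF where AcidRain was MIPS, and its device list grows by /dev/dm-XX and /dev/ubiXX) are exactly what a first-pass triage of a suspect Linux binary checks: the e_machine field of the ELF header and the device-node strings embedded in the file. The following is an added example (not SentinelOne's code and not derived from either wiper's source) that does both. The two "binaries" it analyses are constructed stand-ins: a bare ELF header followed by the device paths a wiper would embed, so the script runs offline without a real sample. The device-family list is the author's own; only the dm-/ubi additions come from the page.

```python
import re
import struct

# e_machine values from the ELF specification for the architectures that matter here.
EM_NAMES = {3: "x86 (i386)", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}

# Linux device-node families a Linux wiper enumerates. The page reports that AcidPour
# extends AcidRain's list with device-mapper (/dev/dm-XX) and UBI (/dev/ubiXX) nodes;
# the rest of this list is a general triage set, not a claim about either sample.
DEVICE_FAMILIES = {
    "SCSI/SATA disks (/dev/sdX)": re.compile(rb"/dev/sd[a-z]"),
    "raw MTD flash (/dev/mtdN)": re.compile(rb"/dev/mtd\d"),
    "MTD block (/dev/mtdblockN)": re.compile(rb"/dev/mtdblock"),
    "eMMC/SD (/dev/mmcblkN)": re.compile(rb"/dev/mmcblk"),
    "loop devices (/dev/loopN)": re.compile(rb"/dev/loop"),
    "device-mapper / RAID (/dev/dm-XX)": re.compile(rb"/dev/dm-"),
    "UBI volumes (/dev/ubiXX)": re.compile(rb"/dev/ubi"),
}

def elf_machine(data: bytes):
    """Read e_machine from the ELF header, honouring the file's own byte order (EI_DATA)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    e_machine = struct.unpack_from(endian + "H", data, 18)[0]
    return e_machine, EM_NAMES.get(e_machine, "unknown (%d)" % e_machine)

def printable_strings(data: bytes, min_len: int = 4):
    """Equivalent of `strings -n min_len` for ASCII runs."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data: bytes) -> dict:
    """Architecture plus the device-node families referenced anywhere in the file."""
    code, arch = elf_machine(data)
    families = sorted(name for name, rx in DEVICE_FAMILIES.items() if rx.search(data))
    return {
        "e_machine": code,
        "arch": arch,
        "device_families": families,
        "device_strings": [s for s in printable_strings(data) if s.startswith("/dev/")],
    }

def sample_binary(arch: str) -> bytes:
    """Constructed stand-in for a wiper: an ELF32 header plus NUL-separated device paths.
    Not a real AcidPour or AcidRain binary; the endianness chosen for MIPS is arbitrary."""
    common = [b"/dev/sda", b"/dev/mtd0", b"/dev/mtdblock0", b"/dev/mmcblk0", b"/dev/loop0"]
    if arch == "x86":
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, little-endian
        header = ident + struct.pack("<HH", 2, 3)                 # ET_EXEC, EM_386
        paths = common + [b"/dev/dm-0", b"/dev/ubi0"]             # the AcidPour additions
    else:
        ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8   # ELFCLASS32, big-endian
        header = ident + struct.pack(">HH", 2, 8)                 # ET_EXEC, EM_MIPS
        paths = common
    header = header.ljust(52, b"\x00")                            # pad to the ELF32 header size
    return header + b"\x00".join(paths) + b"\x00"

if __name__ == "__main__":
    for name in ("x86", "mips"):
        result = triage(sample_binary(name))
        print(name, "->", result["arch"], "|", ", ".join(result["device_families"]))
```

Strings-based triage only says what a binary mentions, not what it does; it is the cheap first filter that decides whether a file earns a look at its ioctl calls and the reboot/unlink behaviour described above. Packed or string-obfuscated samples will defeat it, which is why the e_machine check, which cannot be hidden, is paired with it.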

It’s currently not clear who the intended victims are, although SentinelOne said it notified Ukrainian agencies. The exact scale of the attacks is presently unknown.

The discovery once again underscores the use of wiper malware to cripple targets, even as threat actors are diversifying their attack methods for maximum impact.

Microsoft Confirms Russian Hackers Stole Source Code, Some Customer Secrets
https://www.indiavpn.org/2024/03/09/microsoft-confirms-russian-hackers-stole-source-code-some-customer-secrets/
Sat, 09 Mar 2024 07:10:26 +0000

Mar 09, 2024 | Newsroom | Cyber Attack / Threat Intelligence

Microsoft on Friday revealed that the Kremlin-backed threat actor known as Midnight Blizzard (aka APT29 or Cozy Bear) managed to gain access to some of its source code repositories and internal systems following a hack that came to light in January 2024.

“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” the tech giant said.

“This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”

Redmond, which is continuing to investigate the extent of the breach, said the Russian state-sponsored threat actor is attempting to leverage the different types of secrets it found, including those that were shared between customers and Microsoft in email.

Microsoft, however, did not disclose what these secrets were or the scale of the compromise, although it said it has directly reached out to impacted customers. It’s also not clear what source code was accessed.

Stating that it has increased its security investments, Microsoft further noted that the adversary ramped up its password spray attacks by as much as 10-fold in February compared to the “already large volume” observed in January.

“Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus,” it said.

“It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.”

The Microsoft breach is said to have taken place in November 2023, with Midnight Blizzard employing a password spray attack to successfully infiltrate a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled.
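The initial access described above, a password spray landing on a legacy tenant account without MFA, has a recognisable shape in sign-in logs: one source tries a few passwords against many different accounts, rather than many passwords against one. The following is an added example (not Microsoft's detection logic) that runs a sliding-window spray detector over constructed sign-in records and separately reports any account the sprayer got into without satisfying MFA, which is the finding that would have mattered here. The log format, IP addresses, account names and thresholds are all assumptions for the demo.

```python
from datetime import datetime, timedelta

# Constructed sign-in records (not real data): timestamp, source IP, account, result, MFA satisfied?
SAMPLE_LOG = """\
2023-11-20T02:00:05Z 203.0.113.7 svc-build FAILURE mfa=no
2023-11-20T02:00:41Z 203.0.113.7 jsmith FAILURE mfa=no
2023-11-20T02:01:17Z 203.0.113.7 helpdesk FAILURE mfa=no
2023-11-20T02:01:58Z 203.0.113.7 test-tenant-admin SUCCESS mfa=no
2023-11-20T02:02:33Z 203.0.113.7 mlee FAILURE mfa=no
2023-11-20T02:03:09Z 203.0.113.7 backup-svc FAILURE mfa=no
2023-11-20T02:03:44Z 203.0.113.7 rgarcia FAILURE mfa=no
2023-11-20T02:04:20Z 203.0.113.7 printer-admin FAILURE mfa=no
2023-11-20T02:10:00Z 198.51.100.4 alice FAILURE mfa=no
2023-11-20T02:10:20Z 198.51.100.4 alice FAILURE mfa=no
2023-11-20T02:10:45Z 198.51.100.4 alice SUCCESS mfa=yes
"""

def parse_signins(text: str) -> list:
    """Parse the demo format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, mfa = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "success": result == "SUCCESS",
            "mfa": mfa == "mfa=yes",
        })
    return sorted(events, key=lambda e: e["ts"])

def detect_password_spray(events: list, window=timedelta(minutes=30), min_accounts=5) -> list:
    """One alert per source IP that touched >= min_accounts distinct accounts inside any
    `window`-long interval. A user mistyping their own password many times never trips this,
    because the distinct-account count stays at one."""
    by_ip = {}
    for e in events:
        by_ip.setdefault(e["ip"], []).append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:   # slide the left edge forward
                start += 1
            win = evs[start:end + 1]
            accounts = {w["user"] for w in win}
            if len(accounts) < min_accounts:
                continue
            a = alerts.setdefault(ip, {"ip": ip, "accounts": set(), "attempts": len(evs),
                                       "successes_without_mfa": set()})
            a["accounts"] |= accounts
            # The account that matters most: the sprayer got in and no second factor stood in the way.
            a["successes_without_mfa"] |= {w["user"] for w in win if w["success"] and not w["mfa"]}

    return [{**a, "accounts": sorted(a["accounts"]),
             "successes_without_mfa": sorted(a["successes_without_mfa"])}
            for a in alerts.values()]

if __name__ == "__main__":
    for alert in detect_password_spray(parse_signins(SAMPLE_LOG)):
        print("spray from", alert["ip"], "against", len(alert["accounts"]), "accounts;",
              "compromised without MFA:", alert["successes_without_mfa"] or "none")
```

The `successes_without_mfa` field is the reason to key the detection on accounts rather than on failure counts: a spray that succeeds produces very few failures per account and would sit below any per-account lockout threshold, which is precisely how a legacy test tenant with no MFA gets picked off.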

The tech giant, in late January, revealed that APT29 had targeted other organizations by taking advantage of a diverse set of initial access methods ranging from stolen credentials to supply chain attacks.

Midnight Blizzard is considered part of Russia’s Foreign Intelligence Service (SVR). Active since at least 2008, the threat actor is one of the most prolific and sophisticated hacking groups, compromising high-profile targets such as SolarWinds.

Russian Government Software Backdoored to Deploy Konni RAT Malware
https://www.indiavpn.org/2024/02/22/russian-government-software-backdoored-to-deploy-konni-rat-malware/
Thu, 22 Feb 2024 13:37:38 +0000

Feb 22, 2024 | Newsroom | Malware / Cyber Espionage

An installer for a tool likely used by the Russian Consular Department of the Ministry of Foreign Affairs (MID) has been backdoored to deliver a remote access trojan called Konni RAT (aka UpDog).

The findings come from German cybersecurity company DCSO, which attributed the activity to Democratic People’s Republic of Korea (DPRK)-nexus actors targeting Russia.

The Konni (aka Opal Sleet, Osmium, or TA406) activity cluster has an established pattern of deploying Konni RAT against Russian entities, with the threat actor also linked to attacks directed against MID at least since October 2021.

In November 2023, Fortinet FortiGuard Labs revealed the use of Russian-language Microsoft Word documents to deliver malware capable of harvesting sensitive information from compromised Windows hosts.

DCSO said the packaging of Konni RAT within software installers is a technique previously adopted by the group in October 2023, when it was found to leverage a backdoored Russian tax filing software named Spravki BK to distribute the trojan.

“In this instance, the backdoored installer appears to be for a tool named ‘Statistika KZU’ (Статистика КЗУ),” the Berlin-based company said.

“On the basis of install paths, file metadata, and user manuals bundled into the installer, […] the software is intended for internal use within the Russian Ministry of Foreign Affairs (MID), specifically for the relaying of annual report files from overseas consular posts (КЗУ — консульские загранучреждения) to the Consular Department of the MID via a secure channel.”

The trojanized installer is an MSI file that, when launched, initiates the infection sequence to establish contact with a command-and-control (C2) server to await further instructions.

The remote access trojan, which comes with capabilities for file transfers and command execution, is believed to have been put to use as early as 2014, and has also been utilized by other North Korean threat actors known as Kimsuky and ScarCruft (aka APT37).

It’s currently not clear how the threat actors managed to obtain the installer, given that it’s not publicly obtainable. But it’s suspected that the long history of espionage operations targeting Russia may have helped them identify prospective tools for subsequent attacks.

While North Korea’s targeting of Russia is not new, the development comes amid growing geopolitical proximity between the two countries. State media from the Hermit Kingdom reported this week that Russian President Vladimir Putin has given leader Kim Jong Un a luxury Russian-made car.

“To some extent, this should not come as a surprise; increasing strategic proximity would not be expected to fully overwrite extant DPRK collection needs, with an ongoing need on the part of the DPRK to be able to assess and verify Russian foreign policy planning and objectives,” DCSO said.

Russian Hackers Target Ukraine with Disinformation and Credential-Harvesting Attacks
https://www.indiavpn.org/2024/02/21/russian-hackers-target-ukraine-with-disinformation-and-credential-harvesting-attacks/
Wed, 21 Feb 2024 08:08:50 +0000

Feb 21, 2024 | Newsroom | Phishing Attack / Information Warfare

Cybersecurity researchers have unearthed a new influence operation targeting Ukraine that leverages spam emails to propagate war-related disinformation.

The activity has been linked to Russia-aligned threat actors by Slovak cybersecurity company ESET, which also identified a spear-phishing campaign aimed at a Ukrainian defense company in October 2023 and a European Union agency in November 2023 with an aim to harvest Microsoft login credentials using fake landing pages.

Operation Texonto, as the entire campaign has been codenamed, has not been attributed to a specific threat actor, although some elements of it, particularly the spear-phishing attacks, overlap with COLDRIVER, which has a history of harvesting credentials via bogus sign-in pages.

The disinformation operation took place over two waves in November and December 2023, with the email messages bearing PDF attachments and content related to heating interruptions, drug shortages, and food shortages.

The November wave targeted no less than a few hundred recipients in Ukraine, including the government, energy companies, and individuals. It’s currently not known how the target list was created.

“What’s interesting to note is that the email was sent from a domain masquerading as the Ministry of Agrarian Policy and Food of Ukraine, while the content is about drug shortages and the PDF is misusing the logo of the Ministry of Health of Ukraine,” ESET said in a report shared with The Hacker News.

“It is possibly a mistake from the attackers or, at least, shows they did not care about all details.”

The second disinformation email campaign, which commenced on December 25, 2023, is notable for expanding its targeting beyond Ukraine to Ukrainian speakers in other European nations, as all of the messages are written in Ukrainian.

These messages, while wishing recipients a happy holiday season, also adopted a darker tone, going as far as to suggest that they amputate one of their arms or legs to avoid military deployment. “A couple of minutes of pain, but then a happy life!,” the email goes.

ESET said one of the domains used to propagate the phishing emails in December 2023, infonotification[.]com, also engaged in sending hundreds of spam messages beginning January 7, 2024, redirecting potential victims to a fake Canadian pharmacy website.

It’s not clear why this email server was repurposed for a pharmacy scam, but the threat actors are suspected of having decided to monetize their infrastructure after realizing that their domains had been detected by defenders.

“Operation Texonto shows yet another use of technologies to try to influence the war,” the company said.

The development comes as Meta, in its quarterly Adversarial Threat Report, said it took down three networks across its platforms originating from China, Myanmar, and Ukraine that engaged in coordinated inauthentic behavior (CIB).

While none of the networks were from Russia, social media analytics firm Graphika said posting volumes by Russian state-controlled media has declined 55% from pre-war levels and engagement has plummeted 94% compared to two years ago.

“Russian state media outlets have increased their focus on non-political infotainment content and self-promotional narratives about Russia since the start of the war,” it said. “This could reflect a wider off-platform effort to cater to domestic Russian audiences after multiple Western countries blocked the outlets in 2022.”

Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor
https://www.indiavpn.org/2024/02/15/russian-turla-hackers-target-polish-ngos-with-new-tinyturla-ng-backdoor/
Thu, 15 Feb 2024 16:44:35 +0000

Feb 15, 2024 | Newsroom | Malware / Cyber Espionage

The Russia-linked threat actor known as Turla has been observed using a new backdoor called TinyTurla-NG as part of a three-month-long campaign targeting Polish non-governmental organizations that was first observed in December 2023.

“TinyTurla-NG, just like TinyTurla, is a small ‘last chance’ backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems,” Cisco Talos said in a technical report published today.

TinyTurla-NG is so named for exhibiting similarities with TinyTurla, another implant used by the adversarial collective in intrusions aimed at the U.S., Germany, and Afghanistan since at least 2020. TinyTurla was first documented by the cybersecurity company in September 2021.

Turla, also known by the names Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, Uroburos, and Venomous Bear, is a Russian state-affiliated threat actor linked to the Federal Security Service (FSB).

In recent months, the threat actor has singled out the defense sector in Ukraine and Eastern Europe with a novel .NET-based backdoor called DeliveryCheck, while also upgrading its staple second-stage implant, Kazuar, which it has used since at least 2017.

The latest campaign involving TinyTurla-NG dates back to December 18, 2023, and is said to have been ongoing up until January 27, 2024. However, it’s suspected that the activity may have actually commenced in November 2023 based on the malware compilation dates.

It’s currently not known how the backdoor is distributed to victim environments, but it has been found to employ compromised WordPress-based websites as command-and-control (C2) endpoints to fetch and execute instructions, enabling it to run commands via PowerShell or Command Prompt (cmd.exe) as well as download/upload files.

TinyTurla-NG also acts as a conduit to deliver PowerShell scripts dubbed TurlaPower-NG that are designed to exfiltrate key material used to secure the password databases of popular password management software in the form of a ZIP archive.

The disclosure comes as Microsoft and OpenAI revealed that nation-state actors from Russia are exploring generative artificial intelligence (AI) tools, including large language models (LLMs) like ChatGPT, to understand satellite communication protocols, radar imaging technologies, and seek support with scripting tasks.

Russian APT28 Hackers Targeting High-Value Orgs with NTLM Relay Attacks
https://www.indiavpn.org/2024/02/02/russian-apt28-hackers-targeting-high-value-orgs-with-ntlm-relay-attacks/
Fri, 02 Feb 2024 15:46:32 +0000

Russian state-sponsored actors have staged NT LAN Manager (NTLM) v2 hash relay attacks through various methods from April 2022 to November 2023, targeting high-value targets worldwide.

The attacks, attributed to an “aggressive” hacking crew called APT28, have targeted organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with labor, social welfare, finance, parenthood, and local city councils.

Cybersecurity firm Trend Micro assessed these intrusions as a “cost-efficient method of automating attempts to brute-force its way into the networks” of its targets, noting the adversary may have compromised thousands of email accounts over time.

APT28 is also tracked by the broader cybersecurity community under the names Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.

The group, believed to be active since at least 2009, is operated by Russia’s GRU military intelligence service and has a track record of using spear-phishing emails containing malicious attachments, or strategic web compromises, to kick off its infection chains.

In April 2023, APT28 was implicated in attacks leveraging now-patched flaws in networking equipment from Cisco to conduct reconnaissance and deploy malware against select targets.

The nation-state actor, in December, came under the spotlight for exploiting a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) and a code execution flaw in WinRAR (CVE-2023-38831, CVSS score: 7.8) to obtain a user’s Net-NTLMv2 hash and use it to stage an NTLM relay attack against another service, authenticating as that user.

An exploit for CVE-2023-23397 is said to have been used to target Ukrainian entities as early as April 2022, according to a March 2023 advisory from CERT-EU.
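What the Outlook exploit hands the attacker is an NTLMSSP AUTHENTICATE_MESSAGE (Type 3) sent by the victim to an attacker-controlled SMB host. The following is an added example, not Trend Micro's or any tool's code, that parses such a message per the MS-NLMP layout and extracts the two things an operator does with it: the user/domain identity that a relay impersonates, and the Net-NTLMv2 proof and blob in the hashcat 5600 line format that an offline cracker would consume. The message is built by a constructed helper with fixed placeholder bytes standing in for the real HMAC-MD5 proof; the server challenge, user and domain names are assumptions for the demo.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001

def _field(length: int, offset: int) -> bytes:
    """MS-NLMP security buffer: Len, MaxLen, BufferOffset (all little-endian)."""
    return struct.pack("<HHI", length, length, offset)

def build_authenticate(user, domain, workstation, nt_proof, blob, lm_response=b"\x00" * 24) -> bytes:
    """Constructed Type 3 message for the demo (Version and MIC fields present, zeroed).
    A real client sets nt_proof = HMAC-MD5(NTLMv2 key, server_challenge + blob)."""
    payload_base = 88                               # fixed header size with Version + MIC
    items = [("domain", domain.encode("utf-16-le")), ("user", user.encode("utf-16-le")),
             ("ws", workstation.encode("utf-16-le")), ("lm", lm_response),
             ("nt", nt_proof + blob), ("key", b"")]
    offsets, payload, cursor = {}, b"", payload_base
    for name, data in items:
        offsets[name] = cursor
        payload += data
        cursor += len(data)
    sizes = {name: len(data) for name, data in items}
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
    for name in ("lm", "nt", "domain", "user", "ws", "key"):   # field order in the header
        msg += _field(sizes[name], offsets[name])
    msg += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE)      # NegotiateFlags
    msg += b"\x00" * 8                                        # Version
    msg += b"\x00" * 16                                       # MIC
    return msg + payload

def _buffer(msg: bytes, pos: int) -> bytes:
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_authenticate(msg: bytes, server_challenge: bytes) -> dict:
    """Pull the relay- and crack-relevant fields out of a captured AUTHENTICATE_MESSAGE."""
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"   # OEM strings assumed ASCII
    lm_resp = _buffer(msg, 12)
    nt_resp = _buffer(msg, 20)
    domain = _buffer(msg, 28).decode(enc)
    user = _buffer(msg, 36).decode(enc)
    workstation = _buffer(msg, 44).decode(enc)
    if len(nt_resp) == 24:
        # NTLMv1: a 24-byte DES response. hashcat mode 5500 takes user::domain:lm:nt:challenge.
        version, timestamp = 1, None
        crackable = f"{user}::{domain}:{lm_resp.hex()}:{nt_resp.hex()}:{server_challenge.hex()}"
    else:
        # NTLMv2: 16-byte NTProofStr followed by the NTLMv2_CLIENT_CHALLENGE blob.
        version = 2
        nt_proof, blob = nt_resp[:16], nt_resp[16:]
        if blob[:2] != b"\x01\x01":
            raise ValueError("unexpected NTLMv2_CLIENT_CHALLENGE header")
        timestamp = struct.unpack_from("<Q", blob, 8)[0]      # FILETIME; stale values suggest replay
        # hashcat mode 5600 line: user::domain:serverchallenge:ntproofstr:blob
        crackable = f"{user}::{domain}:{server_challenge.hex()}:{nt_proof.hex()}:{blob.hex()}"
    return {"user": user, "domain": domain, "workstation": workstation,
            "ntlm_version": version, "timestamp": timestamp, "crackable": crackable}

def sample_capture() -> dict:
    """Constructed capture: fixed proof/challenge bytes stand in for real HMAC output."""
    server_challenge = bytes.fromhex("0123456789abcdef")
    nt_proof = bytes(range(16))
    blob = (b"\x01\x01" + b"\x00" * 6                    # RespType, HiRespType, reserved
            + struct.pack("<Q", 133446000000000000)       # FILETIME (constructed)
            + bytes.fromhex("a1b2c3d4e5f60718")           # client challenge
            + b"\x00" * 4                                 # reserved
            + b"\x00" * 4                                 # AvPair MsvAvEOL
            + b"\x00" * 4)                                # trailing reserved
    msg = build_authenticate("alice", "CORP", "WS01", nt_proof, blob)
    return parse_authenticate(msg, server_challenge)

if __name__ == "__main__":
    cap = sample_capture()
    print(f"NTLMv{cap['ntlm_version']} from {cap['domain']}\\{cap['user']} on {cap['workstation']}")
    print(cap["crackable"])
```

The relay case needs none of the cracking: the attacker forwards the Type 3 message unmodified to a service that accepts NTLM without signing or channel binding, so password strength does not help and the controls are SMB/LDAP signing, Extended Protection for Authentication and, where possible, disabling NTLM outright. The parsed identity and timestamp are still useful to a defender who captures the same traffic, because they say whose credential leaked and when.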

It has also been observed leveraging lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace, alongside striking Ukrainian government entities and Polish organizations with phishing messages designed to deploy backdoors and information stealers like OCEANMAP, MASEPIE, and STEELHOOK.

One of the significant aspects of the threat actor’s attacks is the continuous attempt to improve its operational playbook, fine-tuning and tinkering with its approaches to evade detection.

This includes the addition of anonymization layers such as VPN services, Tor, data center IP addresses, and compromised EdgeOS routers to carry out scanning and probing activities. Another tactic entails sending spear-phishing messages from compromised email accounts over Tor or VPN.

“Pawn Storm has also been using EdgeOS routers to send spear-phishing emails, perform callbacks of CVE-2023-23397 exploits in Outlook, and proxy credential theft on credential phishing websites,” security researchers Feike Hacquebord and Fernando Merces said.

“Part of the group’s post-exploitation activities involve the modification of folder permissions within the victim’s mailbox, leading to enhanced persistence,” the researchers said. “Using the victim’s email accounts, lateral movement is possible by sending additional malicious email messages from within the victim organization.”

It’s currently not known whether the threat actor itself breached these routers or whether it is using routers that had already been compromised by a third party. That said, no fewer than 100 EdgeOS routers are estimated to have been infected.

Furthermore, recent credential harvesting campaigns against European governments have used bogus login pages mimicking Microsoft Outlook that are hosted on webhook[.]site URLs, a pattern previously attributed to the group.

An October 2022 phishing campaign, however, singled out embassies and other high-profile entities to deliver a “simple” information stealer via emails that captured files matching specific extensions and exfiltrated them to a free file-sharing service named Keep.sh.

“The loudness of the repetitive, oftentimes crude and aggressive campaigns drowns out the silence, subtlety, and complexity of the initial intrusion, as well as the post-exploitation actions that might occur once Pawn Storm gets an initial foothold in victim organizations,” the researchers said.

The development comes as Recorded Future News revealed an ongoing hacking campaign undertaken by the Russian threat actor COLDRIVER (aka Calisto, Iron Frontier, or Star Blizzard) that impersonates researchers and academics to redirect prospective victims to credential harvesting pages.

Russian TrickBot Mastermind Gets 5-Year Prison Sentence for Cybercrime Spree
https://www.indiavpn.org/2024/01/26/russian-trickbot-mastermind-gets-5-year-prison-sentence-for-cybercrime-spree/
Fri, 26 Jan 2024 05:56:43 +0000

Jan 26, 2024 | Newsroom | Cyber Crime / Malware

40-year-old Russian national Vladimir Dunaev has been sentenced to five years and four months in prison for his role in creating and distributing the TrickBot malware, the U.S. Department of Justice (DoJ) said.

The development comes nearly two months after Dunaev pleaded guilty to committing computer fraud and identity theft and conspiracy to commit wire fraud and bank fraud.

“Hospitals, schools, and businesses were among the millions of TrickBot victims who suffered tens of millions of dollars in losses,” DoJ said. “While active, Trickbot malware, which acted as an initial intrusion vector into victim computer systems, was used to support various ransomware variants.”

Originating as a banking trojan in 2016, TrickBot evolved into a Swiss Army knife capable of delivering additional payloads, including ransomware. Following efforts to take down the botnet, it was absorbed into the Conti ransomware operation in 2022.

The cybercrime crew’s allegiance to Russia during the Russo-Ukrainian war led to a series of leaks dubbed ContiLeaks and TrickLeaks, which precipitated its shutdown in mid-2022, resulting in its fragmentation into numerous other ransomware and data extortion groups.

Dunaev is said to have provided specialized services and technical abilities to further the TrickBot scheme between June 2016 and June 2021, using it to deliver ransomware against hospitals, schools, and businesses.

Specifically, the defendant developed browser modifications and malicious tools that made it possible to harvest credentials and sensitive data from compromised machines as well as enable remote access. He also created programs to prevent the TrickBot malware from being detected by legitimate security software.

Another TrickBot developer, a Latvian national named Alla Witte, was sentenced to two years and eight months in prison in June 2023.

News of Dunaev’s sentencing comes days after governments from Australia, the U.K., and the U.S. imposed financial sanctions on Alexander Ermakov, a Russian national and an affiliate of the REvil ransomware gang, for orchestrating the 2022 attack against health insurance provider Medibank.

Cybersecurity firm Intel 471 said Ermakov went by various online aliases such as blade_runner, GustaveDore, JimJones, aiiis_ermak, GistaveDore, gustavedore, GustaveDore, Gustave7Dore, ProgerCC, SHTAZI, and shtaziIT.

As JimJones, he has also been observed attempting to recruit unethical penetration testers who would supply login credentials for vulnerable organizations for follow-on ransomware attacks in exchange for $500 per access and a 5% cut of the ransom proceeds.

“These identifiers are linked to a wide range of cybercriminal activity, including network intrusions, malware development, and ransomware attacks,” the company said, offering insights into his cybercrime history.

“Ermakov had a robust presence on cybercriminal forums and an active role in the cybercrime-as-a-service economy, both as a buyer and provider and also as a ransomware operator and affiliate. It also appears that Ermakov was involved with a software development company that specialized in both legitimate and criminal software development.”

Tech Giant HP Enterprise Hacked by Russian Hackers Linked to DNC Breach
https://www.indiavpn.org/2024/01/25/tech-giant-hp-enterprise-hacked-by-russian-hackers-linked-to-dnc-breach/
Thu, 25 Jan 2024 07:01:06 +0000

Jan 25, 2024 | Newsroom | Cyber Attack / Data Breach

Hackers with links to the Kremlin are suspected to have infiltrated information technology company Hewlett Packard Enterprise’s (HPE) cloud email environment to exfiltrate mailbox data.

“The threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,” the company said in a regulatory filing with the U.S. Securities and Exchange Commission (SEC).

The intrusion has been attributed to the Russian state-sponsored group known as APT29, which is also tracked under the monikers BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes.

The disclosure arrives days after Microsoft implicated the same threat actor in the breach of its corporate systems in late November 2023 to steal emails and attachments from senior executives and other individuals in the company’s cybersecurity and legal departments.

HPE said it was notified of the incident on December 12, 2023, meaning that the threat actors persisted within its network undetected for more than six months.

It also noted that the attack is likely connected to a prior security event, also attributed to APT29, which involved unauthorized access to and exfiltration of a limited number of SharePoint files as early as May 2023. HPE was alerted to that malicious activity in June 2023.

HPE, however, emphasized that the incident has not had any material impact on its operations to date. The company did not disclose the scale of the attack and the exact email information that was accessed.

APT29, assessed to be part of Russia’s Foreign Intelligence Service (SVR), has been behind some high-profile hacks in recent years, including the 2016 attack on the Democratic National Committee and the 2020 SolarWinds supply chain compromise.
