22 June 2022

Ukraine’s cybersecurity authorities warn of two new malicious campaigns

The Computer Emergency Response Team of Ukraine (CERT-UA) has detailed two new hacking campaigns, one of them aimed at the country’s critical infrastructure sector.

The first campaign involved phishing emails distributing a malicious Microsoft Word document titled “Imposition of penalties”, ostensibly sent from the State Tax Service of Ukraine. Opening the document triggers the download of an HTML file, which in turn runs JavaScript code that exploits the Follina vulnerability (CVE-2022-30190) on the victim's system to download the Cobalt Strike Beacon malware.

CVE-2022-30190 is a remote code execution bug in the Microsoft Windows Support Diagnostic Tool (MSDT) that allows a remote attacker to execute arbitrary shell commands on the target system. Microsoft fixed the vulnerability earlier this month as part of its June 2022 Patch Tuesday release.
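As an added defensive example (not part of CERT-UA's advisory or this article), the Python script below inspects a .docx package for the lure technique described above: publicly analysed Follina documents reference the remote HTML through an external oleObject relationship in word/_rels/document.xml.rels, so flagging such relationships is a cheap triage check for mail gateways or incident responders. The sample packages and the URL in them are constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
           "relationships/oleObject")


def find_external_ole_targets(docx_bytes: bytes) -> list:
    """Return the Target of every oleObject relationship marked External.

    A benign document embeds OLE objects inside the package; an oleObject
    relationship that points to an external URL is the Follina-style lure
    pattern (Word fetches the remote HTML when the document is opened).
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts carry these references
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: not our concern here
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL
                        and rel.get("TargetMode", "").lower() == "external"):
                    hits.append(rel.get("Target", ""))
    return hits


def build_sample_docx(rels_xml: str) -> bytes:
    """Construct a minimal docx-like zip around one relationships part (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationship parts: a normal styles link vs. an external OLE link.
BENIGN_RELS = (f'<Relationships xmlns="{REL_NS}">'
               '<Relationship Id="rId1" Target="styles.xml" Type="http://schemas.'
               'openxmlformats.org/officeDocument/2006/relationships/styles"/>'
               '</Relationships>')
SUSPICIOUS_RELS = (f'<Relationships xmlns="{REL_NS}">'
                   f'<Relationship Id="rId9" Type="{OLE_REL}" TargetMode="External"'
                   ' Target="http://example.invalid/lure.html!"/></Relationships>')

if __name__ == "__main__":
    print(find_external_ole_targets(build_sample_docx(SUSPICIOUS_RELS)))
```

Run the function over the real word/_rels/*.rels parts of quarantined attachments; any non-empty result deserves a closer look before the file reaches a user.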

According to cybersecurity officials, the campaign targeted unspecified critical infrastructure within Ukraine. CERT-UA attributed this campaign to a threat actor it tracks as UAC-0098, which previously has been linked to other attacks against Ukraine.

In the second campaign, attackers distributed a malicious Microsoft Word document titled “Nuclear Terrorism A Very Real Threat.rtf,” which also exploited CVE-2022-30190, this time to install the CredoMap malware.

CERT-UA associated the second campaign with the APT28 (aka Fancy Bear) advanced persistent threat group, believed to be a Russian military unit specializing in cyber-espionage.

Earlier, German authorities issued an arrest warrant for the Russian hacker Nikolaj Kozachek (aka “blabla1234565” and “kazak”), linked to APT28, who is accused of carrying out cyber-espionage operations against a NATO think tank in Germany.

Cybersecurity Help statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable; the political ambitions of any man aren’t worth the blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Glory to Ukraine!
