Russian hacker attacks against Ukraine spiked 250% in 2022
Google’s Threat Analysis Group (TAG) says that Russian government-backed attackers increased their attempted hacks on Ukrainian users in 2022 by 250% compared with 2020, with Ukraine’s ministries of Defense and Foreign Affairs and the National Agency for Service among the top targets.
While Russia-linked hackers focused heavily on Ukrainian government and military entities, there were also multiple campaigns aimed at disrupting critical infrastructure, utilities and public services, and the media and information space.
At the same time, targeting of users in NATO countries increased by over 300% in the same period, according to TAG’s new report. The researchers also noted that Russia's invasion has triggered a notable shift in the Eastern European cybercriminal ecosystem that will likely have long-term implications both for coordination between criminal groups and for the scale of cybercrime worldwide.
Cybersecurity authorities warn of the increasing threat of Chinese cyber-espionage
The European Union Agency for Cybersecurity (ENISA) and CERT-EU have published a joint security advisory to warn European countries of a rising threat of cyber-espionage operations by China-aligned state-sponsored hacker groups such as APT27, APT30, APT31, Ke3chang, GALLIUM and Mustang Panda. These threat actors have recently been conducting malicious cyber activities against businesses and governments in the EU, focused mainly on information theft, the two agencies said.
The advisory also provides best practices and the corresponding security guidance for mitigating such cyberattacks.
Chinese hackers expand operations beyond Asia and Europe
The Chinese state-sponsored cyber-espionage group, tracked by Microsoft as DEV-0147, has been spotted targeting diplomatic entities in South America with the ShadowPad (aka PoisonPlug) remote access trojan.
Microsoft says that DEV-0147’s new campaign represents a notable expansion of the group’s data exfiltration operations that traditionally targeted government agencies and think tanks in Asia and Europe.
North Korean hackers attack healthcare providers with ransomware to fund government regime
Hacker groups working on behalf of the North Korean government target organizations in the healthcare sector and critical infrastructure entities with ransomware attacks to generate revenue to support the Kim regime, a joint advisory from the US and South Korean cybersecurity authorities warned.
According to the agencies, North Korean state-backed hackers employed a variety of ransomware tools, including their own strains Maui and H0lyGh0st, but also used ransomware developed by other cybercriminal gangs, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom. In some cases North Korean threat actors posed as other ransomware groups, such as REvil.
Microsoft’s February 2023 Patch Tuesday fixes actively exploited Windows zero-days
Microsoft released security updates to address at least 75 vulnerabilities in its software products, including three zero-day flaws that have been actively exploited in the wild. The three zero-days are: CVE-2023-21715 (security feature bypass in Microsoft Publisher, allowing a crafted document to evade Office macro policies), CVE-2023-21823 (remote code execution in the Microsoft Windows Graphics Component), and CVE-2023-23376 (privilege escalation in the Windows Common Log File System Driver).
Microsoft did not provide any details on when and how these vulnerabilities were exploited.
Apple also released security updates for its iOS, iPadOS, macOS, and Safari products to address a zero-day vulnerability that has been actively exploited in hacker attacks.
Tracked as CVE-2023-23529, the bug is a type confusion issue in the WebKit browser engine that a remote attacker can use to achieve code execution by tricking a victim into visiting a specially crafted website. Apple said the issue was addressed with improved checks.
Atlassian confirms data leak
Australian software firm Atlassian has confirmed that threat actors gained access to a contractor's systems and stole data on some of its employees, after a hacker group known as SiegedSec leaked data on what appears to be thousands of employees and floor plans for two of the company's offices in San Francisco and Sydney.
The leaked file contains more than 13,200 entries containing multiple current employees’ data, including names, email addresses, work departments and other information.
An Atlassian spokesperson told CyberScoop that the data was stolen from Envoy, a third-party app that Atlassian uses to coordinate in-office resources.
Hackers are using Google ads to spread the FatalRat malware
ESET researchers said they discovered a new malicious campaign aimed at Chinese-speaking people in Southeast and East Asia that uses misleading Google ads that lead to downloading trojanized installers. The unknown attackers created fake websites that spoof popular applications such as Firefox, WhatsApp, or Telegram, but in addition to providing the legitimate software, also deliver FatalRat, a remote access trojan that grants the attacker control of the victimized computer.
Norway seizes record $5.9M stolen from Axie Infinity Ronin hack
Norway’s authorities have seized 60 million Norwegian kroner ($5.85 million) in stolen cryptocurrencies linked to the Axie Infinity Ronin Bridge hack in March 2022. The heist was one of the largest of its kind on record, and was linked by the US authorities to a North Korean hacking group known as “Lazarus”.
Spanish police dismantle cybercrime group that stole 5M euros in a year
In a joint operation Spain's National Police and the US Secret Service have dismantled an international criminal ring that stole more than 5 million euros from individuals and North American organizations through a sophisticated cyber scam. The cybercrime gang used social engineering, phishing and smishing techniques to collect sensitive data from potential victims and then contacted them via a phone call using a spoofed number to obtain the rest of the data needed to commit financial fraud.
Russian hacker convicted in $90M hack-to-trade scheme
Vladislav Klyushin, a Russian national and the owner of the Moscow-based IT company M-13 that offered penetration testing and “Advanced Persistent Threat (APT) emulation,” and provided services to the Russian government, was convicted in the US for his role in a scheme that netted $90 million through securities trades based on non-public information stolen from US computer networks.
Klyushin and his co-conspirators managed to make close to $100 million in earnings trading from roughly $9 million in investments using inside information. Of that amount, Klyushin individually netted more than $38 million. Klyushin was arrested in Switzerland in March 2021 and extradited to the US but his co-conspirators are still at large.
Clop ransomware gang says it hacked 130 orgs using GoAnywhere zero-day
The Clop ransomware group claims to have stolen sensitive data from 130 organizations using a recently disclosed zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT managed file transfer product, a pre-authentication remote code execution flaw in the product's administrative console.
Clop claimed it stole the data over the course of roughly ten days after breaching vulnerable instances, and said it decided against encrypting the breached servers with ransomware. At this stage it is not clear whether the claims are true, as the gang has not provided any proof of the hacks.
ESXiArgs ransomware has infected hundreds of orgs in Europe
More than 500 European organizations have been hit by ESXiArgs ransomware attacks over the past few days. Most of the targets are located in France (217), Germany (137), the Netherlands (28), the UK (23), and Ukraine (19).
First reported at the beginning of February, the ESXiArgs ransomware has hit more than 3,000 unpatched VMware ESXi servers worldwide, including those belonging to Florida’s Supreme Court and universities in the United States and Europe.
Cloudflare says it stopped record-breaking 71 million RPS DDoS attack
Web infrastructure company Cloudflare revealed it detected and blocked dozens of distributed denial-of-service (DDoS) attacks, the majority of which peaked at 50-70 million requests per second (RPS), with the largest exceeding 71 million RPS. This marks the largest HTTP DDoS attack recorded to date.
The company said that the attacks were HTTP/2-based and originated from more than 30,000 IP addresses. Targeted websites included those of an unnamed gaming company, cryptocurrency companies, hosting providers, and cloud computing platforms.