20 December 2024

Cyber Security Week in Review: December 20, 2024

A suspected Russian cyberattack hits Ukraine's state registries

Russia has launched a massive cyberattack on Ukraine's state registries, according to Deputy Prime Minister Olha Stefanishyna. The attack, described as the largest external cyberattack on Ukraine in recent times, temporarily disrupted the operations of critical systems managed by the Ministry of Justice. Ukrainian authorities said that no data leaks occurred.

The attack, attributed to Russian intelligence services, targeted essential state infrastructure. Systems affected include national registries, ministry websites, and services under National Information Systems. The disruption also impacted functions of the state service portal Diia, halting various digital services like property registration and online marriage applications.

The Russian hacker group XakNet Team claimed responsibility, boasting of stealing and deleting over one billion data entries, including information stored in Poland. Ukraine's Security Service linked the group to Russia's GRU military intelligence. Efforts are underway to restore systems.

Earlier this week, Ukraine’s CERT warned about a malicious campaign targeting Ukrainian military personnel that exploits Cloudflare Workers to distribute malware disguised as the legitimate mobile application Army+. The agency also said that it detected a series of cyberattacks carried out by the threat group UAC-0099 in November and December 2024. The attacks targeted multiple government organizations, including forestry enterprises, forensic institutions, industrial plants, and other entities, likely for espionage.

Separately, Trend Micro released a report detailing activities of the Russia-linked threat actor group APT29, also known as Earth Koshchei and Midnight Blizzard, that has been spotted repurposing a legitimate red teaming attack methodology to launch sophisticated cyberattacks. The group has adopted a “rogue Remote Desktop Protocol (RDP)” technique to target governments, armed forces, think tanks, academic researchers, and Ukrainian entities. The technique employs an RDP relay, rogue RDP server, and malicious configuration files. Victims unknowingly grant attackers partial control of their machines.

In addition to cyberattacks, Russian offensive tactics include recruiting Ukrainian citizens, in particular kids, for sabotage purposes. This week, the Security Service of Ukraine (SSU) and the National Police busted a covert operation by Russian intelligence aimed at exploiting Ukrainian minors to gather intelligence and commit acts of arson. Under the guise of so-called “quest games,” the scheme involved recruiting children as young as 15 and 16 to carry out dangerous missions that directly aided Russian operations.

In response to Russia’s destabilizing activities abroad, the Council of the European Union has enacted restrictive measures against 16 individuals and three entities involved in Russia’s operations. More specifically, the EU sanctioned GRU Unit 29155, a covert unit within Russian military intelligence, known for assassinations, bombings, and cyberattacks across Europe, as well as activities in Ukraine, Western Europe, and Africa.

Other sanctioned entities include those responsible for the ‘Doppelganger’ campaign, a Kremlin-led digital disinformation operation aimed at manipulating narratives about Russia’s war in Ukraine and targeting EU member states, the US, and Ukraine, as well as Sofia Zakharova and Nikolai Tupikin, senior figures in Russian disinformation efforts, including the development of digital propaganda tools and infrastructure.

New ICS malware targets Mitsubishi and Siemens systems

Forescout researchers uncovered a new malicious campaign targeting industrial control systems (ICS), capable of disrupting engineering processes. The campaign involved two types of attacks: the Ramnit worm targeting Mitsubishi engineering workstations and experimental malware named Chaya_003 targeting Siemens workstations.

Chaya_003 was found to terminate engineering processes and use Discord webhooks for command and control (C2). Meanwhile, Ramnit, a banking trojan turned modular malware, infects systems via physical devices or poorly segmented networks. Forescout identified two Ramnit clusters on Mitsubishi workstations but could not confirm their infection methods. The malware likely added malicious code to Windows executables.

Hackers actively exploiting MS Windows, Adobe ColdFusion flaws

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. The first is CVE-2024-35250, an untrusted pointer dereference vulnerability in the Windows Kernel-Mode Driver that, if exploited, could allow an attacker to gain SYSTEM privileges. The flaw was patched in June 2024 as part of that month’s Patch Tuesday release. The second is CVE-2024-20767, an improper access control issue in the Adobe ColdFusion web application development platform. A remote attacker can leverage the vulnerability by sending a specially crafted HTTP request to read arbitrary files on the system.

Earlier this month, the Clop ransomware gang reportedly confirmed that it was behind the recent Cleo data theft attacks, which exploited two security issues (CVE-2024-50623 and CVE-2024-55956) to breach corporate networks.

Security researchers have warned that threat actors are attempting to exploit a recently disclosed high-risk vulnerability in the widely used open-source web application framework Apache Struts. The flaw, tracked as CVE-2024-53677, allows attackers to upload arbitrary payloads to affected systems, enabling remote code execution (RCE). If successfully exploited, the flaw could be used to execute malicious commands, exfiltrate sensitive data, or deploy additional malware for follow-on attacks.

In the meantime, Sophos has released hotfixes to patch a slew of security flaws in Sophos Firewall products that could be exploited for remote code execution.

Additionally, Fortinet has warned of a high-severity path traversal issue (CVE-2023-34990) in its FortiWLM product that can be used by a remote attacker to perform directory traversal attacks.

Citrix Netscaler targeted in widespread password spray attacks

Citrix Netscaler devices have become the latest targets in a growing wave of password spray attacks aimed at breaching corporate networks by compromising edge networking devices and cloud platforms. Earlier this week, Germany's Federal Office for Information Security (BSI) issued a warning about multiple incidents involving brute force attacks against these devices. The attacks reportedly began in November and have escalated through December. Victims have reported massive login attempts—ranging from 20,000 to over one million—using generic usernames in an effort to brute force account credentials.
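A defender-side illustration of the pattern described above, added here and not part of the original post: it parses constructed, simplified log lines (not the real NetScaler log format) and flags sources whose failed logins spread across many distinct usernames, which is what separates spraying from repeated attempts against a single account. The thresholds are assumed demo values.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified syslog-like shape; they illustrate the
# pattern and do not reproduce the real NetScaler log format.
SAMPLE_LOG = """\
Dec 18 03:14:01 ns01 AAA LOGIN_FAILED src=203.0.113.7 user=admin
Dec 18 03:14:02 ns01 AAA LOGIN_FAILED src=203.0.113.7 user=test
Dec 18 03:14:02 ns01 AAA LOGIN_FAILED src=203.0.113.7 user=administrator
Dec 18 03:14:03 ns01 AAA LOGIN_FAILED src=203.0.113.7 user=guest
Dec 18 03:14:04 ns01 AAA LOGIN_FAILED src=203.0.113.7 user=support
Dec 18 03:14:10 ns01 AAA LOGIN_FAILED src=198.51.100.4 user=jdoe
Dec 18 03:14:11 ns01 AAA LOGIN_FAILED src=198.51.100.4 user=jdoe
Dec 18 03:14:12 ns01 AAA LOGIN_FAILED src=198.51.100.4 user=jdoe
Dec 18 03:14:20 ns01 AAA LOGIN_SUCCESS src=198.51.100.4 user=jdoe
"""

LINE_RE = re.compile(
    r"AAA (?P<result>LOGIN_FAILED|LOGIN_SUCCESS) src=(?P<src>\S+) user=(?P<user>\S+)"
)


def parse_events(log_text):
    """Yield (result, src, user) for every line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("src"), m.group("user")


def find_spray_sources(log_text, min_failures=5, min_distinct_users=4):
    """Return {src: (failure_count, sorted_usernames)} for sources whose failed
    logins are spread over many distinct usernames (spray), not one account.
    Thresholds are assumed demo values; real tuning sits far higher."""
    failed_users = defaultdict(list)
    for result, src, user in parse_events(log_text):
        if result == "LOGIN_FAILED":
            failed_users[src].append(user)
    flagged = {}
    for src, users in failed_users.items():
        distinct = sorted(set(users))
        if len(users) >= min_failures and len(distinct) >= min_distinct_users:
            flagged[src] = (len(users), distinct)
    return flagged


if __name__ == "__main__":
    for src, (count, users) in find_spray_sources(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {count} failures, {len(users)} users: {users}")
```

The second source in the sample (three failures against one account followed by a success) is deliberately not flagged by this rule; it is a different pattern that would need its own check.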

Major phishing campaign abuses HubSpot to steal credentials from European firms

Palo Alto Networks’ Unit 42 researchers have uncovered a sophisticated phishing campaign that targets European companies, with a focus on industries in Germany and the UK. The campaign, which began in June 2024 and is currently ongoing, aims to harvest account credentials and compromise victims' Microsoft Azure cloud infrastructure.

Threat actors use MS Teams vishing technique to deploy DarkGate malware

A threat actor has been observed leveraging a vishing (voice phishing) technique involving Microsoft Teams to distribute the DarkGate malware, gaining unauthorized remote access to the victim’s computer network. In the observed case, the attacker initiated contact with the victim by impersonating an employee of a known client during a Microsoft Teams call and convinced the victim to download the remote desktop application AnyDesk, which facilitated the deployment of the DarkGate malware.

20,000 DrayTek routers exploited in a massive ransomware campaign

Threat actors are exploiting vulnerabilities in legacy DrayTek routers to breach networks, steal passwords, and deploy ransomware. According to a joint report from cybersecurity firms Prodaft and Forescout, the campaign, active since August 2024, has been leveraging a suspected zero-day exploit in the “mainfunction.cgi” endpoint of DrayTek Vigor routers. The campaign has been linked to Monstrous Mantis, a threat actor believed to be associated with the Ragnar Locker ransomware gang.

Massive malvertising campaign delivers Lumma Stealer via fake CAPTCHA pages

A large-scale malvertising campaign has been discovered distributing the Lumma Stealer info-stealing malware through fake CAPTCHA verification pages. The campaign, dubbed “DeceptionAds” by Guardio Labs researchers, has been linked to a threat actor known as “Vane Viper.” The campaign is believed to be a more sophisticated iteration of earlier “ClickFix” attacks, where victims were tricked into executing malicious PowerShell commands.

HiatusRAT targets vulnerable web cameras and DVRs, FBI warns

The US Federal Bureau of Investigation (FBI) issued a warning about a surge in HiatusRAT malware attacks that are actively scanning for and infecting vulnerable web cameras and DVRs exposed online. The attacks mainly focus on Chinese-branded devices that are either awaiting critical security patches or have reached end-of-life status.

Winnti’s new Glutton backdoor targets organizations and cybercriminals alike

A new PHP backdoor named ‘Glutton’ has been observed in a cyber campaign believed to have been orchestrated by the notorious Chinese hacking group Winnti (APT41). The malware is reportedly being used not only in attacks against organizations in China and the United States but also as part of an unusual ‘black eats black’ strategy targeting other cybercriminals. Glutton is described as an ELF-based modular backdoor whose architecture is broken into four core components, responsible for detecting the target environment, installing the backdoor, obfuscation, and executing the backdoor and managing communication with the command-and-control (C2) server.

Mirai botnet targets Juniper SSR products

Juniper Networks has issued a warning about an ongoing malicious campaign targeting its Session Smart Router (SSR) products configured with default passwords. The attack involves the deployment of Mirai botnet malware, with several customers reporting unusual activity on their Session Smart Network (SSN) platforms as of December 11, 2024. Indicators of compromise include unusual port scanning, brute-force SSH login attempts, unexpected outbound traffic, random reboots, and connections from known malicious IPs.

In a separate report, Akamai highlighted a Mirai variant called "Hail Cock," active since at least October 2024.

BadBox malware campaign is still active despite recent disruptions

The BadBox Android malware botnet has infected over 192,000 devices worldwide, despite a recent disruption effort by Germany’s Federal Office for Information Security (BSI). The malware, linked to the Triada family, initially targeted lesser-known Chinese Android devices but has expanded to infect well-known brands like Yandex TVs and Hisense smartphones.

BadBox spreads through supply chain attacks, insider threats, or injection during distribution, aiming for financial gain by converting devices into residential proxies or exploiting them for ad fraud. These proxies are often rented to cybercriminals for malicious activities.

While BSI sinkholed a command-and-control server, disconnecting 30,000 devices in Germany, BitSight researchers report the botnet's continued growth, with infections now exceeding 192,000 devices globally.

Raccoon malware operator sentenced, NetWalker ransomware affiliate gets 20 years in prison, LockBit dev faces extradition to the US

The 28-year-old Ukrainian Mark Sokolovsky was sentenced to 60 months in US federal prison for operating Raccoon Infostealer, a malware-as-a-service (MaaS) platform. Users of the malware paid $200/month in cryptocurrency to steal credentials, financial data, and personal records from victims via phishing. The FBI and international partners dismantled the Raccoon Infostealer infrastructure in 2022, and Sokolovsky was extradited from the Netherlands in February 2024.

Daniel Christian Hulea, a 30-year-old Romanian, was sentenced to 20 years in prison for using NetWalker ransomware to extort approximately $21.5 million in bitcoin from global victims, including healthcare organizations during the COVID-19 pandemic. He was also ordered to pay restitution and forfeit significant assets, including a luxury resort under construction in Bali.

Rostislav Panev, a dual Russian-Israeli national, is facing extradition to the US for allegedly developing tools for the LockBit ransomware group, including software that printed ransom notes via compromised systems. Panev reportedly received $230,000 in bitcoin for his work and has been charged in the US. He worked with LockBit from its inception in 2019 until February 2024, during which the group extorted over $500 million from more than 2,500 victims in 120 countries, causing billions in damages.

Evidence from Panev's computer linked him to LockBit’s tools and repositories, including the data exfiltration tool 'StealBit.' He has admitted to Israeli authorities his involvement in developing and supporting LockBit’s malware.

The Alliance for Creativity and Entertainment (ACE), an anti-piracy coalition, has dismantled a major live sports piracy network based in Vietnam. The operation's illegal streaming sites, which primarily targeted US and Canadian audiences, garnered 812 million visits in the past year, making it one of the largest sports piracy networks globally. The sites offered daily streams of sports events, including content from all US sports leagues and various international leagues.
