As a reminder, we previously reported on the divergence of hacker groups, some siding with Russia and others with Ukraine. Additionally, Microsoft accused Russia of cyberattacks against Ukraine’s allies.

Recent media coverage also highlighted the arrest of two members of the DoppelPaymer Group by law enforcement in Germany and Ukraine.

The report details that the attackers, employing spear phishing and bait emails, capitalized on the Russian invasion of Ukraine. The hackers crafted spear-phishing emails with news topics related to Ukraine, appearing as legitimate media content.

The campaign demonstrated a high level of readiness by hackers who quickly turned news content into bait for recipients. The spear-phishing emails contained news topics related to Ukraine, with topics and content reflecting legitimate media sources.

Recipients were compelled to open the malicious messages, exploiting old vulnerabilities in Roundcube (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) to compromise unpatched servers—requiring no user interaction with malicious attachments.

The attachment contained JavaScript code that executed additional JavaScript payloads from BlueDelta controlled infrastructure.

If the compromise succeeded, the attackers deployed malicious scripts redirecting incoming messages to an email address under their control. These scripts were also employed to locate and pilfer victims’ address books, session cookies, and other data stored in the Roundcube database.

Researchers suggest that the infrastructure used in these attacks has been active since around November 2021, with APT28‘s activities focused on “gathering military intelligence.”

We have identified BlueDelta activity, most likely targeted at the regional Ukrainian prosecutor’s office and the [unnamed] central executive body of the country, and also found intelligence activities associated with other Ukrainian state structures and organizations, including those involved in the modernization and repair of infrastructure for the Ukrainian military aviation.

This collaboration between Recorded Future and CERT-UA emphasizes the crucial role of partnerships between organizations and governments in ensuring collective defense against strategic threats—particularly in the context of Russia’s ongoing conflict with Ukraine.

The post APT28 Attacked Ukrainian and Polish Organizations appeared first on Gridinsoft Blog.

The plot thickens as the adversaries deploy cunning tactics, leveraging phishing emails as Trojan horses, delivering malevolent Office documents armed with Bisonal—the underworld’s go-to Remote Access Trojan (RAT). Like a cyber echo, these same techniques reverberated across borders, targeting unsuspecting victims in Pakistani organizations, a sinister symphony meticulously observed by the sharp minds at SentinelLabs.

In the grand theater of digital warfare, China takes center stage, orchestrating a myriad of campaigns against Russia, a retaliatory crescendo following its invasion of Ukraine.

On June 22nd 2022 CERT-UA made a public release of Alert #4860 that presents several documents built with the help of Royal Road malicious document builder and constructed to reflect Russian government interests. Specialists from SentinelLabs analyzed further the report by CERT-UA and confirmed the involvement of a Chinese APT group.

The malicious activity comes amidst other Chinese attacks against Russia such as Space Pirates, Mustang Panda, Scarab, but here it is separate Chinese activity. The specific actor’s identity is unclear so far, although it remains clear that Chinese APT groups aim to target a wide range of different Russian organizations.

Who may be behind the attack?

SentinelLabs specialists speculate that the Tonto Team APT (“Earth Akhlut”, “CactusPete”) group, reported for nearly a decade, might be the potential culprit behind the attacks. However, they emphasize that it is premature to draw definitive conclusions based on the current available data.

The malicious documents are generally used for the delivery of custom malware, such as the Bisonal RAT, which as noted by CERT-UA, is unique to Chinese groups, including Tonto Team. Bisonal has a uniquely long history of use and continued development by its creators, such as expanding features for file searching and exfiltration, anti-analysis and detection techniques, and maintaining generally unrestricted system control,” goes in a report published by SentinelLabs.

Tonto Team APT group also targeted multiple victims across the globe including the targets of their particular interest in Northeast Asia such as private businesses, critical infrastructure, governments, etc. The group has been particular in their interests in Russian targets for the past years but recently in this direction specialists observed a significant spike of activity.

We assess with high confidence that the Royal Road-built malicious documents, delivered malware, and associated infrastructure are attributable to Chinese threat actors. Based on our observations, there’s been a continued effort to target Russian organizations by this cluster through well-known attack methods– the use of malicious documents exploiting n-day vulnerabilities with lures specifically relevant to Russian organizations,” also goes in a report by researchers.

On the whole the purpose of the attacks seems to be espionage-related, but that’s a limited assumption because of external visibility of the researchers’ standpoint.

The post Russian Organizations Under Attack By Chinese APTs appeared first on Gridinsoft Blog.

According to experts, the APT28 hacker group (Strontium, Fancy Bear and Sofacy) sends out emails with a malicious document called “Nuclear Terrorism Is a Real Threat.rtf”.

The hackers chose this topic to encourage the recipient to open the document, as fear of a potential nuclear attack is common among Ukrainians.

Let me remind you that we reported that Hacker groups split up: some of them support Russia, others Ukraine, and also that War in Ukraine triggered a Stream of amateurish ransomware.

The RTF document exploits the CVE-2022-30190 (Follina) vulnerability to download and run the CredoMap malware (docx.exe) on the victim’s device.

According to a Malwarebytes report, the payload is an infostealer that steals credentials and cookies from Chrome, Edge, and Firefox browsers. The software then extracts the stolen data using the IMAP email protocol and sends everything to the C2 address, which is hosted on an abandoned site in Dubai.

CERT-UA also identified another attacker campaign called UAC-0098 using CVE-2022-30190.

CERT-UA reported that the threat actor used a DOCX file named “Penalty.docx” and the payload was received from the remote resource is a Cobalt Strike beacon (ked.dll) with the latest compilation date.

The e-mails sent out allegedly come from the State Tax Service of Ukraine.

Due to Russia’s invasion of Ukraine, many citizens have temporarily stopped paying taxes to the state, so the bait can be effective against many Ukrainians.

CERT-UA advised employees of organizations to remain vigilant about phishing emails as the number of spear phishing attacks remains high.

The post Russian Hackers Use Follina Vulnerability to Attack Users in Ukraine appeared first on Gridinsoft Blog.

CERT-UA has published a report on ongoing DDoS attacks on Ukrainian websites and a government web portal.

Unknown attackers compromise WordPress sites and inject malicious JavaScript code into the HTML structure. The script is base64 encoded to avoid detection like in this picture.

The code is executed on the visitor’s computer and generates a huge number of requests in order to stop the websites from working. Cyberattacks occur without the knowledge of the owners of compromised sites and create subtle performance disruptions for users.

By the way, we talked about the State Department Offers $1 million for Info on Russian Hackers.

CERT-UA works closely with the National Bank of Ukraine to implement protective measures against DDoS campaigns and numerous previous cyberattacks. In their report, the CERT-UA team provided instructions for removing malicious JavaScript code and added a threat detection tool to scan sites for hacking.

In addition, it is important to keep the content management systems (Content Management Systems, CMS) of the site up to date, update plugins and restrict access to site management.

We also note that it seems that the Chinese comrades do not support Russian hackers: we wrote that Chinese Mustang Panda Cyberspies Attack Russian Officials.

The post Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites appeared first on Gridinsoft Blog.