Russia Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Fri, 31 May 2024 01:07:54 +0000

Microsoft CVE-2023-36884 Vulnerability Exploited in the Wild
https://gridinsoft.com/blogs/microsoft-cve-2023-36884-vulnerability/
Mon, 17 Jul 2023 17:11:08 +0000
On July 11, 2023, Microsoft published an advisory for CVE-2023-36884, a remote code execution vulnerability affecting Office and Windows HTML. Microsoft acknowledged a targeted attack that exploits the vulnerability through specially crafted Microsoft Office documents. An attacker who builds such a document can gain control of the victim’s computer, but the victim has to open the document for the exploit to run.

Microsoft discovered a phishing campaign by a threat actor it tracks as Storm-0978. The targets were government and defense entities in Europe and North America. The lures were themed around the Ukrainian World Congress, and the documents exploited CVE-2023-36884.

Who is Storm-0978?

Storm-0978 is a Russia-based cybercriminal group known for ransomware and extortion operations, targeted credential-harvesting campaigns, development and distribution of the RomCom backdoor, and deployment of the Underground ransomware.

Figure: Overall RomCom architecture

Underground ransomware is associated with the Industrial Spy ransomware first seen in the wild in May 2022. Microsoft identified a campaign in June 2023 in which Storm-0978 exploited CVE-2023-36884 to deliver a RomCom-like backdoor. Outside that campaign, the group also infects users through phishing sites that impersonate legitimate software downloads, including Adobe products, SolarWinds Network Performance Monitor, SolarWinds Orion, Advanced IP Scanner, KeePass, and Signal. Visitors who download and run the trojanized installers from these sites end up with the RomCom backdoor.

CVE-2023-36884 Exploitation

Storm-0978 ran a phishing campaign in June 2023 that used a fake OneDrive loader to deliver a backdoor similar to RomCom. The emails targeted defense and government entities in Europe and North America with lures related to the Ukrainian World Congress and led to exploitation of CVE-2023-36884.

Figure: Storm-0978 email using NATO and Ukrainian World Congress themes

Microsoft detected the exploit for CVE-2023-36884 while analyzing this phishing activity.

BlackBerry had documented attacks against attendees of the upcoming NATO Summit on July 8, but at that time the use of a zero-day in those attacks was not known.

The attackers used the RomCom variant for espionage and deployed Underground ransomware in their ransomware operations. The campaign shows Storm-0978 to be a capable group, and it is likely to keep targeting organizations of this kind.

How to mitigate CVE-2023-36884

Organizations should apply all available mitigations until a patch is released. The vulnerability has already been used in targeted attacks, and now that it is public, other attackers will doubtlessly try to replicate the exploit.

Microsoft offers a registry workaround to block exploitation. In Regedit, open the following key (create the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION subkey if it does not exist yet):

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

Inside that key, create a REG_DWORD value with data 1 for each of the exploitable applications, using the executable name as the value name:

  • Excel.exe
  • Graph.exe
  • MSAccess.exe
  • MSPub.exe
  • Powerpnt.exe
  • Visio.exe
  • WinProj.exe
  • WinWord.exe
  • Wordpad.exe
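The same mitigation as a script, added here as an example (it is not part of the original post or of Microsoft’s advisory): it creates the key if needed, sets the nine values, and then re-reads the key so the result can be verified or fed into a compliance check. The function names and the check logic are my own; the key path and value names are the ones from the advisory above.

```powershell
# Added example, not from the original post or from Microsoft: apply and verify the
# FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION workaround for CVE-2023-36884.
# Run from an elevated PowerShell session (the key lives under HKLM).

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = 'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'Powerpnt.exe',
        'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'

function Set-CrossProtocolBlock {
    # Create the key if it is absent (it normally is) and write REG_DWORD = 1
    # for every application named in the advisory. -Force overwrites a wrong value.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($app in $Apps) {
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CrossProtocolBlock {
    # Return the names of applications whose value is missing or not equal to 1.
    # An empty result means the mitigation is fully in place.
    if (-not (Test-Path $KeyPath)) { return $Apps }
    $props = Get-ItemProperty -Path $KeyPath
    $missing = @()
    foreach ($app in $Apps) {
        $val = $props.PSObject.Properties[$app]
        if ($null -eq $val -or $val.Value -ne 1) { $missing += $app }
    }
    return $missing
}

Set-CrossProtocolBlock
$gaps = @(Test-CrossProtocolBlock)
if ($gaps.Count -eq 0) {
    Write-Host 'CVE-2023-36884 registry mitigation is in place for all listed applications.'
} else {
    Write-Host "Mitigation missing or wrong for: $($gaps -join ', ')"
}
```

Microsoft’s advisory notes that the setting can affect normal functionality in the listed applications, so test it before wide deployment, and remove the values once the patch is installed; Test-CrossProtocolBlock can double as the post-patch cleanup check (it should then return all nine names).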

A registry workaround is not a patch. It only blocks the specific navigation path the known exploit relies on; attackers know about it, and one who finds a different route to the same bug, or who bypasses the registry block, is not stopped by it. For that reason, I also recommend layering proactive and reactive security measures:

  • Enable cloud-delivered protection in your antivirus software to keep up with constantly changing attacker methods. Cloud-based machine learning can detect and block most new and unknown threats.
  • Back up your data and keep the backups offline or on a separate network. Backups defeat the encryption half of a ransomware attack: if you can restore everything, the attackers have nothing to hold over you except whatever data they managed to steal.
  • Wherever possible and practical, enable automatic software updates on all connected devices, including computers and mobile phones.
  • Always verify the authenticity of links and email attachments before opening them, especially when they come from an untrusted source.
  • Use CDR solutions. CDR, or Content Disarm and Reconstruction, is a document-sanitization technology: it strips active content (macros, embedded objects, scripts) from files before they reach the user, so a weaponized document is rebuilt as a harmless one.

Patch CVE-2023-36884

At the time of writing, Microsoft has not released a patch for CVE-2023-36884. This section will be updated as more information becomes available. Even after a patch ships, it pays to stay cautious about what you open and click, and to follow the Zero Trust principle of verifying everything rather than trusting by default.

One Year of Russian-Ukrainian War in Cybersecurity
https://gridinsoft.com/blogs/russian-ukrainian-war-cybersecurity/
Sun, 26 Feb 2023 20:15:33 +0000
February 24, 2022, will be remembered as a turning point in history. It was the day of the full-scale Russian invasion of Ukraine and the most significant geopolitical event of the past year. This war is, without exaggeration, the bloodiest military conflict in Europe in decades. It is also the first major hybrid war in which cyberspace is a full-fledged battlefield alongside the kinetic fronts. Several important lessons can be drawn from its cyber dimension:

  • The effectiveness of destructive malware
  • The attribution of cyber activity in wartime
  • The distinction between nation-state, hacktivism, and offensive cybercriminal activity
  • Cyber warfare and its impact on defense pacts
  • The ability of cyber operations to engage in tactical warfare and necessary training

The impact on global cyberspace is already visible in some areas.

Wipers comeback

A wiper is malware that disrupts target systems by deleting or corrupting important files; historically its use has been relatively rare. Over the past year, however, wiper malware has become much more widespread, and not only in Eastern Europe. At the start of the war, the number of cyberattacks on Ukraine by Russia-affiliated actors increased dramatically. On the eve of the ground invasion, pro-Russian hackers deployed the Hermetic family (HermeticWiper, its HermeticWizard spreader, and the HermeticRansom decoy ransomware), and in April they used Industroyer2, an updated version of the Industroyer malware used in the 2016 attack on Ukraine’s power grid. In total, at least nine wipers have been deployed in Ukraine in less than a year. They are attributed to Russian intelligence services and use a variety of wiping and evasion mechanisms.

Figure: Timeline of cyberattacks on Ukraine

Multi-pronged Cyberattacks

Let’s look at the vectors of cyberattacks in the Russian-Ukrainian war. Like any other attacks in the course of a war, they can be divided into two types: strategic and tactical. Strategic attacks aim to cause widespread damage and disrupt the daily lives of civilians. Tactical attacks are more targeted, coordinated with combat operations, and aimed at tactical goals such as:

  • Disabling or disrupting critical military infrastructure systems
  • Hacking into and infiltrating military organizations’ networks
  • Launching a disinformation campaign
  • Cyber espionage

Strategic attacks

A few hours before the ground invasion of Ukraine, hackers launched a cyberattack on Viasat. The aim was to disrupt satellite communications that serve both military and civilian organizations in Ukraine. The attackers used a wiper called AcidRain, designed to render modems and routers inoperable and cut off Internet access for tens of thousands of systems.

Result of the attack
The attack affected most of the previously active modems in Ukraine and others elsewhere in Europe. Tens of thousands of modems disconnected from the network, and no attempts by these modems to rejoin it were observed.

Even before the full-scale invasion, Ukrainian government services such as Diia and some banks were subjected to cyberattacks, with the goal of undermining the population’s trust in the government. Another curious incident took place on November 3, 2022, when a certain “Joker DNR” hacked the Instagram page of Valery Zaluzhny, commander-in-chief of the Armed Forces of Ukraine, and set a photo of the Russian dictator as the profile picture. Later an image appeared on the page with the caption “So, I confirm that Joker DNR infiltrated DELTA”, referring to the Ukrainian military’s situational awareness system. Ukrainians ridiculed the incident rather than taking it seriously. It is far from the only case of Ukrainians’ social network accounts being hacked: since the start of the full-scale war, Ukrainian users have periodically received phishing emails asking them to click a link.

Tactical cyberattacks

Any tactical, high-precision cyber attack requires careful preparation and planning. Prerequisites include accessing target networks and creating customizable tools for different attack stages. One example of a coordinated tactical attack occurred on March 1. That day, Russian missiles struck the Kyiv TV tower, causing television broadcasts in the city to stop. Next, hackers orchestrated a cyber attack to amplify the effect.

Adaptive cyberattacks

The available data suggest the Russians were not prepared for a lengthy campaign, as the abrupt change in the character of the cyberattacks in April shows. They shifted from fairly precise attacks with clear tactical objectives to less elaborate ones. Much as Russian troops, having been repulsed on the battlefield, turned on civilians, the hackers also changed their targeting and set out to harm Ukrainian civilians. The stream of new tools and wipers gave way to reuse of already-known tools and tactics such as CaddyWiper and FoxBlade.

The head of Britain’s signals intelligence and cybersecurity agency, GCHQ, called Ukraine’s response “the most effective defensive cyber activity in history.” This is not surprising: part of Ukraine’s success comes from having been repeatedly subjected to cyberattacks since 2014. The Industroyer2 attack on the energy sector in April 2022 is a case in point; compared with the first Industroyer deployment in 2016, its effect was negligible. Ukraine has also received significant external assistance in repairing the damage caused by these attacks. For example, foreign governments and private companies helped Ukraine quickly move its IT infrastructure to the cloud, so data centers were physically removed from combat zones and gained additional layers of protection from service providers.

Shift in the focus

Since September, the data show a gradual but significant decrease in cyberattacks against Ukrainian targets, while the number of attacks on NATO members has increased significantly. The increase is negligible in some countries, but in others it amounts to more than half:

  • U.S. by 6%
  • United Kingdom by 11%
  • Poland by 31%
  • Denmark by 31%
  • Estonia by 57%

This suggests that Russia and related groups have shifted their attention from Ukraine to NATO countries that support Ukraine.

The New Era of Hacktivism

A new era of hacktivism began with the creation of the “IT Army of Ukraine”, made up of volunteer IT specialists. Whereas hacktivism used to be characterized by loose, ad hoc cooperation between individuals, new-era hacktivist groups are far more organized and controlled and conduct military-style operations, with recruitment and training, intelligence and target allocation, tool sharing, and so on. Anti-Russian hacktivist activity continued throughout the year, hitting infrastructure, financial, and government organizations. Since September 2022 the number of attacks on organizations in Russia has increased significantly, especially in the government and military sectors.

Not all hacktivists are good

Unfortunately, not all hacktivists have good intentions. While groups such as Team OneFist observe the rules of war and take steps to avoid damage to hospitals and civilians, the pro-Russian group Killnet carried out targeted DDoS attacks on critical infrastructure in the United States. Predictably, its primary targets were not military installations but U.S. medical organizations, hospitals, and airports. Most new hacktivist groups also have a clear and consistent political ideology tied to government narratives.

Pro-Russian hacktivists have meanwhile shifted their focus from Ukrainian targets to NATO member states and other Western allies. For example, the Russia-linked hacktivist group NoName057(16) attacked websites connected to the Czech presidential election. The hacktivist group From Russia with Love (FRwL), also known as Z-Team, deployed Somnia ransomware against Ukrainian targets, while on the other side the CryWiper malware was deployed against municipalities and courts in Russia.

Hacking Russia was off-limits before Russian-Ukrainian War

Some cybercrime groups have been forced to join the nationwide effort and curtail their criminal activities. Attacks on Russian enterprises, once considered off-limits by many cybercriminal organizations, are now on the rise, and Russia is struggling with attacks provoked by its own government’s actions. Other states have also stepped up espionage against Russian state and defense institutions; for example, Cloud Atlas continually attacks Russian and Belarusian organizations.

War impact to other regions and domains

Against the backdrop of the Russian-Ukrainian war, wiper activity has spread to other countries. Iran-linked groups attacked targets in Albania, and the Azov ransomware spread worldwide; Azov is really a destructive wiper rather than ransomware, since it provides no way to decrypt and restore the data. Various state actors have also taken advantage of the war to advance their interests: several campaigns by different APT groups have used the war between Russia and Ukraine as a lure to intensify their activities. The Russian-Ukrainian war has dramatically affected cyber tactics in many areas, and as long as it continues, its events will keep affecting other regions and domains.

Hacker Group XDSpy Distributes Malware in Russia under the Guise of Subpoenas for the Army
https://gridinsoft.com/blogs/hacker-group-xdspy/
Mon, 10 Oct 2022 11:34:25 +0000
In early October, Kaspersky Lab experts recorded a targeted attack on Russian organizations: attackers from the XDSpy hacker group sent several hundred malicious emails allegedly related to the topic of the so-called “partial mobilization”.

Recall that dictator Vladimir Putin in September announced the mobilization into the armed forces of Russia against the backdrop of a series of defeats during the aggression against Ukraine.

Figure: “Partial mobilization” in Russia

We also note that Kaspersky Lab may well be connected with Russian intelligence services, so we do not recommend treating information from this company with full confidence, and we do not recommend using the company’s products.

As a reminder, we previously wrote that the Cisco hack is linked to Russian-speaking hackers from Evil Corp, and that the State Department offers $1 million for information on Russian hackers.

The researchers write that in the first working week of October they observed a wave of malicious emails. The messages claimed that, because the recipient had refused to accept a conscription summons, they were required to appear urgently at an appointed place and time. Further details were supposedly in the summons itself, a PDF document that had to be downloaded from a link.

The letter is carefully prepared and looks believable: it contains references to the articles of the Criminal Code of the Russian Federation, the heraldry and style of the relevant department. In the text, the perpetrators threaten the victims with possible fines and criminal liability.

The link to the fake summons leads to an archive containing an executable script with the .wsf extension. When the file is opened, the script downloads and displays in the browser a PDF document that mimics a scanned summons as a decoy, while in parallel it drops a file named AnalysisLinkManager.exe into the temporary folder and runs it.
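The execution chain above is something one can hunt for in process-creation telemetry. The following is an added example, not code from the original post or from Kaspersky’s report: it scans Sysmon-style process-creation records (Image, CommandLine, ParentImage, ParentCommandLine) for a .wsf script run by the Windows Script Host that launches an executable from a temp directory, and separately flags the decoy-PDF half of the chain. The event records, the user and file names, and the function name are constructed for the demonstration; only the AnalysisLinkManager.exe name is taken from the report.

```powershell
# Added example, not from the original post or from Kaspersky's report.
# Constructed Sysmon Event ID 1-style records; paths and user names are hypothetical.
$Events = @(
    [pscustomobject]@{ Time='2022-10-04T09:12:01'; Image='C:\Windows\System32\wscript.exe'
        CommandLine='"C:\Windows\System32\wscript.exe" "C:\Users\ivanov\Downloads\povestka\povestka.wsf"'
        ParentImage='C:\Windows\explorer.exe'; ParentCommandLine='C:\Windows\explorer.exe' },
    [pscustomobject]@{ Time='2022-10-04T09:12:02'; Image='C:\Program Files\Mozilla Firefox\firefox.exe'
        CommandLine='"C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Users\ivanov\AppData\Local\Temp\povestka.pdf"'
        ParentImage='C:\Windows\System32\wscript.exe'
        ParentCommandLine='"C:\Windows\System32\wscript.exe" "C:\Users\ivanov\Downloads\povestka\povestka.wsf"' },
    [pscustomobject]@{ Time='2022-10-04T09:12:02'; Image='C:\Users\ivanov\AppData\Local\Temp\AnalysisLinkManager.exe'
        CommandLine='"C:\Users\ivanov\AppData\Local\Temp\AnalysisLinkManager.exe"'
        ParentImage='C:\Windows\System32\wscript.exe'
        ParentCommandLine='"C:\Windows\System32\wscript.exe" "C:\Users\ivanov\Downloads\povestka\povestka.wsf"' },
    [pscustomobject]@{ Time='2022-10-04T09:15:40'; Image='C:\Windows\System32\notepad.exe'
        CommandLine='notepad.exe report.txt'; ParentImage='C:\Windows\explorer.exe'
        ParentCommandLine='C:\Windows\explorer.exe' }
)

function Find-WsfDropperChains {
    # Emit one finding per suspicious child of a Windows Script Host process
    # that was started with a .wsf file on its command line.
    param([Parameter(Mandatory)][object[]]$Records)

    $scriptHosts = '\\(wscript|cscript)\.exe$'
    $tempDirs    = '\\AppData\\Local\\Temp\\|\\Windows\\Temp\\'

    foreach ($r in $Records) {
        # Stage 1: parent is wscript/cscript running a .wsf script.
        $parentIsWsf = ($r.ParentImage -match $scriptHosts) -and
                       ($r.ParentCommandLine -match '\.wsf(["\s]|$)')
        if (-not $parentIsWsf) { continue }

        # Stage 2a: the script started an executable from a temp directory.
        if ($r.Image -match $tempDirs -and $r.Image -match '\.exe$') {
            [pscustomobject]@{ Time=$r.Time; Severity='High'
                Reason='WSF script launched executable from temp folder'
                Image=$r.Image; Script=$r.ParentCommandLine }
            continue
        }
        # Stage 2b: the same script opened a decoy document. Low on its own,
        # but it is the lure half of the chain and worth correlating with 2a.
        if ($r.CommandLine -match '\.pdf(["\s]|$)') {
            [pscustomobject]@{ Time=$r.Time; Severity='Low'
                Reason='WSF script opened decoy PDF'
                Image=$r.Image; Script=$r.ParentCommandLine }
        }
    }
}

# On the constructed data this prints two findings: the Firefox decoy (Low) and
# AnalysisLinkManager.exe from %TEMP% (High); notepad.exe is not reported.
Find-WsfDropperChains -Records $Events | Format-Table -AutoSize
```

In production, replace $Events with records pulled from Sysmon Event ID 1 or Windows Security event 4688 (with command-line auditing enabled), and correlate the two findings by their Script field: a script that both opens a document and starts a binary from the temp folder within a second or two is exactly the pattern described above.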

The malware and techniques used have many similarities with the XDSpy group’s toolset. In particular, the source code of the malicious WSF script and its launch methods, as well as some of the file names, match versions seen in previous years.

The goals of the XDSpy group are espionage, theft of documents and other files, and theft of credentials for corporate mailboxes.

“This campaign uses a number of techniques that allow attackers to penetrate and gain a foothold in the system, such as targeted phishing mailings, imitation of letters from regulators, use of the current news agenda, and display of the image the user expects. This is traditional for XDSpy,” comments Andrey Kovtun, Head of the Mail Threat Protection Group at Kaspersky Lab.

We also recall that the best way to survive for Russian soldiers and conscripts who have received a real summons and got into the territory of Ukraine is to surrender to the Ukrainian armed forces.

Russian Organizations Under Attack By Chinese APTs
https://gridinsoft.com/blogs/chinese-apts-increasingly-target-russian-organizations/
Fri, 08 Jul 2022 16:03:44 +0000
Researchers at SentinelLabs have identified a threat activity cluster targeting Russian organizations and attributed it to a Chinese APT group, a finding that corroborates an earlier alert from the Ukrainian CERT (CERT-UA).

The adversaries use phishing emails to deliver malicious Office documents that install Bisonal, a Remote Access Trojan (RAT) long used by Chinese groups. SentinelLabs observed the same techniques used against victims in Pakistani organizations.

Chinese APT groups have run a number of campaigns against Russia in the period since its invasion of Ukraine.

On June 22, 2022, CERT-UA published Alert #4860, which describes several documents built with the Royal Road malicious document builder and themed around Russian government interests. SentinelLabs analyzed the CERT-UA report further and confirmed the involvement of a Chinese APT group.

Figure: One of the malicious documents distributed in the campaign, with a Russian telecom theme (“Пояснительная записка к ЗНИ.doc”, i.e. “Explanatory note to the ZNI.doc”)
Figure: Translation of the previous document

This activity comes amid other Chinese attacks against Russia attributed to Space Pirates, Mustang Panda, and Scarab, but it is a separate cluster. The specific actor’s identity is unclear so far, although it is clear that Chinese APT groups aim at a wide range of Russian organizations.

Who may be behind the attack?

SentinelLabs specialists speculate that the Tonto Team APT (“Earth Akhlut”, “CactusPete”) group, reported for nearly a decade, might be the potential culprit behind the attacks. However, they emphasize that it is premature to draw definitive conclusions based on the current available data.

“The malicious documents are generally used for the delivery of custom malware, such as the Bisonal RAT, which as noted by CERT-UA, is unique to Chinese groups, including Tonto Team. Bisonal has a uniquely long history of use and continued development by its creators, such as expanding features for file searching and exfiltration, anti-analysis and detection techniques, and maintaining generally unrestricted system control,” says the report published by SentinelLabs.

Tonto Team has targeted victims across the globe, with a particular interest in Northeast Asia, including private businesses, critical infrastructure, and governments. The group has shown interest in Russian targets for years, but researchers have recently observed a significant spike in activity in this direction.

“We assess with high confidence that the Royal Road-built malicious documents, delivered malware, and associated infrastructure are attributable to Chinese threat actors. Based on our observations, there’s been a continued effort to target Russian organizations by this cluster through well-known attack methods – the use of malicious documents exploiting n-day vulnerabilities with lures specifically relevant to Russian organizations,” the researchers also write.

On the whole the purpose of the attacks appears to be espionage, but this is a limited assessment given the researchers’ external visibility.

Anonymous hackers published the mail database of the Ministry of Culture of Russia
https://gridinsoft.com/blogs/anonymous-and-the-russian-ministry-of-culture/
Thu, 14 Apr 2022 14:46:09 +0000
The media discovered that Anonymous hackers had made public a database of emails from the Russian Ministry of Culture, the administration of the city of Blagoveshchensk, and the office of the governor of the Tver region. The total size of the dump exceeded 700 GB.

According to Kommersant, in the leaked documents you can find information about salaries, layoffs, and defects in cultural heritage sites.

The data was published on the hacktivist website DDoSecrets (Distributed Denial of Secrets). According to media reports, the dump contains 230,000 letters from the Ministry of Culture, 230,000 letters for the period from 2019 to 2022 from the administration of the city of Blagoveshchensk, and 130,000 letters dated 2016-2022 from the office of the governor of the Tver region.

According to Cybernews, the leak was the result of an Anonymous attack, as earlier hacktivists had declared war on the Russian government in connection with a “special military operation” in Ukraine.

Kommersant’s own source confirmed that the posted files contain genuine mail correspondence from Russian departments. The publication’s correspondent examined one of the archives and verified that it contains letters sent from the Ministry of Culture, including information on salaries and dismissals, correspondence about defects in cultural heritage sites, and internal correspondence of employees of the Federal State Budgetary Institution Rosgosexpertiza, which is controlled by the Ministry of Culture.

Representatives of the Ministry of Culture confirmed to the media that they had detected a hacker attack on the email of the subordinate Federal State Budgetary Institution Rosgosexpertiza:

At the moment, FGBU specialists are working to eliminate the consequences of hacking and strengthen the protection of the information bases of the institution. The entire electronic document flow of the Ministry of Culture is functioning normally.

According to information security experts interviewed by the journalists, the cause of the leak was the exploitation of the vulnerability of mail servers, which “speaks of the neglect of cybersecurity policy by government agencies.”

The Ministry of Culture’s correspondence could contain, among other things, information on budgets, projects, contractors’ fulfilment of their terms, and the terms of competitions and tenders, suggests Ilya Tikhonov, head of compliance and audit at Softline UIB. In his opinion, such correspondence “with a high degree of probability contains no information that is detrimental to the state.”

However, theoretically, Tikhonov notes, the incident could lead to a revision of budgets, reevaluation of projects and conditions of competitions:

Most likely, all correspondence is nominal, so if someone allowed a personal assessment of the project, tender, contractor, employee, then this information can be made public.

Recall also that we reported that Anonymous claims they hacked dozens of CCTV cameras in Russia.

The US won’t cooperate with Russia on ransomware anymore
https://gridinsoft.com/blogs/the-us-wont-cooperate-with-russia-on-ransomware-anymore/
Thu, 14 Apr 2022 08:59:22 +0000
The US suspends its cooperation with Russia on ransomware criminals amidst the brutal war the Russian government wages against Ukraine, State Department spokesperson told Sputnik.

“The Russian government is engaged in a brutal and unjustified war against Ukraine, so our channel on criminal ransomware actors is not active,” the spokesperson said.

The White House notified the Russian government of the decision on Thursday, Russian Security Council Deputy Secretary Oleg Khramov said in an interview with Rossiyskaya Gazeta.

The notorious ransomware gangs in the world

While we are on the subject, it is worth looking at the criminals in question. In recent years the ransomware ecosystem has grown into a real threat to users around the world.

It is always interesting to see what is behind the curtain, and the groups behind these attacks can fairly be called the mafias of the cybercriminal world: they are well organized and extort enormous sums from their victims.

Some of them have been in the field for years, while others have gained their notoriety only recently. This kind of cybercrime has evolved from simple beginnings into something resembling a criminal corporation.

Only a few names are listed here, but you have most likely heard of them.

What do statistics say about ransomware gangs?

Ransomware criminals now largely target high-profile businesses, public-sector bodies and infrastructure operators rather than individuals. According to the cryptocurrency researchers Chainalysis, in 2020 ransomware victims paid a total of up to $350m, a 311% increase.

This is an ever-improving professional industry with vast networks of affiliates whose job is to research a victim, infiltrate it and hold the negotiations, while at the center of it all is the gang that develops and operates the malware. There is a split, though: gangs either work as a ransomware-as-a-service (RaaS) or attack victims directly.

Ransomware-as-a-service, or RaaS, means that instead of using the malicious software themselves, the malware operators sell it to other cybercriminals to use.

Figure: BlackFog Global Ransomware Report – May 2021

Last year the security provider BlackFog analyzed the distribution of the malware used in ransomware attacks that year; the analysis reveals the top ten ransomware gangs of 2021.

Even though the identities of the group members are for the most part unknown, their methods of operation and the scale of their activities are quite impressive.

The analysis shows the following: in the period from January to May 2021, measured as the share of detected threats accounted for by each ransomware variant, REvil and Conti were the most common threat variants of 2021.

Conti (Also Called IOCP Ransomware)

Among the ransomware criminal groups, Conti is at the top of the list. The FBI states the group has conducted over 400 cyberattacks on organizations around the globe, and its demands go up to $25 million.

Being the best of the best, however, does not mean the group guarantees to give back your files. Cybersecurity specialists say instances in which this group refused to return files even after the victim paid the ransom are not rare.

Figure: Leaked Data on Conti’s Website

The group has one of the “finest” portfolios of victims among ransomware threat groups, including Florida’s Broward County Public Schools, with a $40 million ransom demand, and the Irish Health Service Executive, where the attack caused major delays in patient appointments.

Conti also attacked a government agency in Scotland and a government board in New Zealand.

Conti is renowned for employing the technique of double extortion. This means they not only encrypt the data but also steal it, so that later they can threaten to leak it if the victim is unwilling to pay the ransom.

The biggest leak Conti made was from Advantech, a manufacturer of chips for IoT devices: 3 GB of data was leaked on Conti’s dark web site.

Apart from this leak, the gang also leaked 20 files of information from the Scottish Environment Protection Agency (SEPA), adding that this was only a small part of what the group had actually accessed.

REvil (Also Called Sodinokibi)

According to articles by Dark Reading, in the period from January 2021 to July 2021 REvil was the most common ransomware variant, responsible for 25% of ransomware attacks.

REvil is a private ransomware-as-a-service (RaaS) group which is also responsible for several infamous ransomware attacks of the largest scale in the world.

This group shows no less ruthlessness than the previous one. According to an article by Cyber Talk, the REvil ransomware group has targeted at least 360 US-based organizations. In total the gang has also earned over $11 million.

Figure: Leaked Data on REvil’s Happy Blog

Among the victims of the group are the energy company Invenergy, software provider Kaseya, tech giant Acer, meat supplier JBS and Apple’s supplier Quanta Computer Inc.

The REvil gang also uses the double extortion technique, encrypting and stealing the data at the same time. This gives the criminals additional leverage to force victims to pay the demanded ransom. Those who refuse to pay have their data leaked on the gang’s Happy Blog site, and several companies around the world already have their data publicly available on it.

DarkSide Ransomware Gang

Originating from Eastern Europe, this ransomware gang made a name for itself from the very start. It first appeared in August 2020.

DarkSide operates as a ransomware-as-a-service (RaaS) and has already targeted multiple organizations across 15 countries. The unusual and peculiar thing about this gang is that it once donated $10,000 of stolen money to charity.

The gang members try to position themselves as ethical hackers, stating that they do not target certain kinds of organizations, such as healthcare, critical infrastructure, governments, schools, etc.

Figure: Leaked Data on DarkSide’s website

One more surprising thing is that the group even maintains a “customer service” that is supposed to ensure the proper restoration of victims’ systems after the ransom has been paid.

But while promoting themselves as ethical hackers, they also employ a double extortion strategy when dealing with stubborn victims.

The most famous case is the Colonial Pipeline ransomware attack, when the whole East Coast was paralyzed for more than a week. The consequences of this attack were so serious that politicians started talking about a threat to national security.

In addition, the group stole more than 100 GB of corporate data from the company.

Clop Ransomware Group

Another group no less prominent in the field is Clop, responsible for the attacks on the Universities of Miami and Colorado, the security firm Qualys, the residential mortgage servicer Flagstar Bank and the jet manufacturer Bombardier.

Figure: Data Leaked by Clop on its Dark Website

But unlike the other ransomware gangs mentioned above, this one deploys a triple extortion mechanism. In addition to encrypting data and stealing it, they also threaten the customers of the affected companies, notifying them of the breach and then urging those customers to make the company pay the ransom in order to avoid the leak of their personal data.

What else to add?

Certainly it is not a good sign that the cooperation channel between the US and Russia is closed. It means that even the little effort the Russian government made to stem ransomware cybercriminal activity on its own territory will almost certainly be reduced to nothing.

Subsequently, it may give “a green light” to those who were previously suppressed by the Russian government, meaning that more aggressive ransomware attacks will fall on US enterprises and organizations.

Russian Aviation agency switched to paper documents due to a hacker attack
https://gridinsoft.com/blogs/russian-aviation-switched-to-paper-documents/ (published Wed, 30 Mar 2022 10:42:27 +0000)

The media, citing their own sources, report that at the end of last week the Russian Aviation agency suffered a hacker attack, after which 65 TB of data was erased and it had to temporarily switch to a paper workflow.

The Aviatorshchina Telegram channel was the first to report the attack, writing that as a result of the hack, Russian Aviation lost the files on its servers and all its documents.

“The entire document flow, emails, files on the servers disappeared, now the search for the register of aircraft and aviation personnel is underway, the system of public services has been removed. All incoming and outgoing letters for 1.5 years were lost. We don’t know how to work,” said the Aviatorshchina channel’s own source.

It was reported that the attack allegedly occurred due to poor fulfilment of contractual obligations by InfAvia LLC, which operates the IT infrastructure of the Federal Air Transport Agency.

Figure: Alexander Neradko

The Federal Air Transport Agency does not have backup copies, “because the Ministry of Finance did not allocate money for this,” the source of the Telegram channel claims.

The channel also published a screenshot of a message from the head of the Federal Air Transport Agency, Alexander Neradko, saying that due to the lack of access to the Internet and a failure in the electronic document management system, the department is temporarily switching to paper document management, courier mail and Russian Post.

The attack was also commented on by the Anonymous group.

“Powerful cyber attack on Russia’s Civil Aviation Authority servers: no more data nor back-up. In total, about 65 terabytes of data was erased,” the hackers tweeted.

Recall that Anonymous hackers declared war on the Russian government.

The Kommersant publication writes that the Federal Air Transport Agency did not respond to its requests, but two sources close to the service confirmed the existence of problems and the fact of a hacker attack. They specified that specialists are now working on restoring access to the servers.

Interestingly, the fact of the attack was indirectly confirmed by the head of Russian Aviation, Alexander Neradko, although he denies the loss of terabytes of data and the transition to paper workflow. In an interview with MK journalists, Neradko said:

“Now there are a huge number of federal executive bodies, many companies, both with state participation and without state participation, are subject to a large number of DDoS attacks. We are no exception. We have to work on protecting from them. The last attack was also repelled. Everything is calm, everything is working as planned. I do not think that this requires any increased attention from the media.”

We also wrote that hacker groups have split up: some of them support Russia, others Ukraine.

Most likely Russian hackers defaced Ukrainian government websites
https://gridinsoft.com/blogs/russian-hackers-defaced-ukrainian-government-websites/ (published Fri, 14 Jan 2022 16:15:10 +0000)

Hackers defaced several Ukrainian government websites: the attack occurred on the night of January 13-14 and affected the websites of the Ukrainian Foreign Ministry, the Ministry of Education and Science, the Ministry of Defense, the State Emergency Service, the website of the Cabinet of Ministers, and so on.

The Record notes that the content of all the affected resources was deleted and replaced with a statement published in Russian, Ukrainian and Polish.

Figure: hackers defaced government websites

“Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab (public, fairy tale and wait for the worst. It is for you for your past, the future and the future. For Volhynia, OUN UPA, Galicia, Poland and historical areas,” the hackers said in a statement.

The fact of the attack was officially confirmed by the country’s authorities, who posted relevant messages on official websites as well as on Facebook and Twitter. All affected resources were temporarily taken down, and some sites are still down, reporting that they are under maintenance.

Officials say they are investigating the attack and so far everything points to Russian hackers.

According to security researcher Gary Warner, the defacements appear to have been aimed at creating divisions between various ethnic groups, especially between native Ukrainians and the Polish minority.

“The last sentence is meant to remind the people of the region about the ethnic cleansing of Poles in Volhynia and Galicia,” Warner said.

Information security journalist Kim Zetter writes that sources in the Ukrainian government told her that the attack exploited a vulnerability in October CMS, which was used by all the affected resources.

“Sources tell me ~15 sites in Ukraine – all using October content management system – have been defaced, incl Min of Foreign Affairs, Cabinet of Ministers, Min of Ed, Emergency Services, Treasury, Environmental Protection. Attackers apparently used CVE-2021-32648,” Kim Zetter tweeted.

Later, this information was confirmed by the Ukrainian CERT.

Let me remind you that we recently wrote that Russian-speaking hackers attacked the government infrastructure of Poland, and also that the FBI and NSA released a statement about attacks by Russian hackers.

The head of the Group-IB arrested, searches were carried out in the company’s office
https://gridinsoft.com/blogs/the-head-of-the-group-ib-arrested/ (published Wed, 29 Sep 2021 19:11:47 +0000)

Today, September 29, 2021, the media reported that yesterday the founder and head of the Russian Internet security company Group-IB, Ilya Sachkov, was arrested for two months on suspicion of treason.

A little later, Anastasia Romanova, press secretary of the Lefortovo court in Moscow, confirmed this information:

“With regard to Ilya Konstantinovich Sachkov, suspected of committing a crime under section 275 of the Criminal Code of the Russian Federation, a preventive measure was chosen in the form of detention for a period of 60 days, that is, until November 27, 2021.”

It must be said that the punishment under this section provides for up to 20 years in prison. Currently, Sachkov is in jail, and it is only known that the materials of the criminal case are classified.

Russian President’s press secretary Dmitry Peskov has already commented on Sachkov’s arrest, saying that the events have nothing to do with the business and investment climate:

“This has nothing to do with the business and investment climate in our country, you see that the accusations are not related to the economy, but related to treason,” said Peskov, who stressed that the Kremlin does not have the details.

According to RTVI, on the night of September 29, FSB officers conducted a search at the Moscow headquarters of Group-IB, and company representatives have already confirmed this information. Journalists who arrived at the company’s office on Sharikopodshipnikovskaya Street found a passenger bus and a minivan with tinted windows and its parking lights on at the entrance to the building.

“A man in civilian clothes was dragging things from the office to the bus, and at the entrance of the building, the correspondents were greeted by two armed men in tactical clothes and masks on their faces. They told reporters that they would not be allowed inside and would not comment on what was happening in the office,” says RTVI.

According to TASS and its own sources in the security services, Sachkov does not admit guilt in high treason and also denies that he collaborated with the intelligence services of foreign states.

Group-IB has already released an official statement on what is happening. In particular, it reports that the second founder of Group-IB, Dmitry Volkov, will temporarily take over the management of the company.

“At the moment, the lawyers of Group-IB, one of the leading developers of solutions for detecting and preventing cyberattacks, detecting fraud, researching high-tech crimes and protecting intellectual property on the network, are studying the ruling of the Lefortovo District Court of Moscow dated 09/28/2021 in relation to the founder and General Director of Group-IB Ilya Sachkov.

Employees are confident in their manager’s innocence and honest business reputation.

All divisions of Group-IB are operating normally. The company would like to thank customers, partners and journalists for their support,” reads the official press release.

Let me remind you that I also talked about the fact that the FBI and NSA released a statement about attacks by Russian hackers.

SolarWinds hack allowed Russian attackers to infiltrate dozens of US Treasury Department mailboxes
https://gridinsoft.com/blogs/solarwinds-hack-allowed-russian-attackers-to-infiltrated-dozens-of-us-treasury-department-mailboxes/ (published Thu, 24 Dec 2020 21:38:21 +0000)

US Senator Ron Wyden, a member of the US Senate Finance Committee, said that the hackers behind the SolarWinds hack compromised dozens of US Treasury Department mailboxes.

The statement came after the Treasury Department and the IRS held a briefing with committee members regarding the attack on SolarWinds.

While no evidence has yet been found that the IRS itself or any taxpayer data has been compromised, the senator says that “the Treasury hack appears to be significant.”

“According to employees of the Treasury Department, there was a serious compromise in the organization, the depth of which is still unknown. Microsoft has notified the organization that dozens of email accounts have been hacked,” Wyden says.

Also, according to Wyden, the Treasury Department still does not know exactly what actions the hackers took and what information was stolen.

“I am extremely concerned about the breach at Treasury. Hackers accessed dozens of email accounts, and the full extent of the damage is still unknown. It’s time to become concerned about cybersecurity, and put an end to any plan that weakens encryption,” Wyden said on Twitter.

The statements were made the same day that Attorney General William P. Barr joined Secretary of State Mike Pompeo in his last press conference before retiring, claiming Moscow was almost certainly behind the hack. The intrusion came through a commercial network management software package created by SolarWinds, a company based in Austin, Texas, and gave the hackers wide access to government and corporate systems.

Let me remind you that the compromise of SolarWinds, which develops software for enterprises to help manage their networks, systems and infrastructure, became known in mid-December. After infiltrating the SolarWinds network, the attackers planted a backdoor in the Orion centralized monitoring and management platform.

It also became known that SolarWinds was hacked because its credentials were publicly available on GitHub.

To complicate matters, SolarWinds’ client list includes more than 400 of the US Fortune 500 companies, as well as many government agencies, banks, medical institutions and smaller businesses.
