Russia Launches Cyber Attacks From Botnets Comprised of Firewall Devices

Summary: Government intelligence agencies from the U.S. and U.K. have released information regarding a new botnet malware named “Cyclops Blink.” This malware has been attributed to the known Russia-based threat actor group “Sandworm” or “Voodoo Bear”. They are considered a highly advanced adversary that has previously targeted the Ukrainian energy sector.

The National Counterintelligence and Security Center stated: “Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers, and network-attached storage (NAS) devices.” This malware is primarily used to gather intelligence but has also been known to be used in destructive cyber-attacks.

Why it matters: 

Paying attention to strategies used by highly advanced threat actors such as “Sandworm” are especially more relevant considering the current geopolitical climate. Closer monitoring of security devices could be the difference between having a breach or a destructive attack on a system. Currently, the malware specializes in infiltrating WatchGuard firewall devices, however agencies have warned of the potential for this malware to be adapted to other firewall devices.

Cyber Attacks Against the U.S. Have Begun Despite Sanctions

Summary: Due to the tension mounting between Russia and NATO, cyberattacks have spread to the U.S. and other countries for aiding Ukraine and imposing economic sanctions against Russia. Several threat actor entities associated with the Russian government are targeting those interfering with Putin’s agenda.

“The western world should be on red alert status for Russian cyber retaliation,” says Paul Caiazzo, advisor at Avertium. Their tendency to launch attacks on multiple fronts also applies to the malware they are currently employing against the western nations. The observed methodologies of attack include DDoS attacks, disk wiping malware, and a new malware framework. CISA urged US organizations to prepare by taking a  “Shields Up” stance in preparation for cyberattacks by Russia-backed threat actors.

Why it matters:

Currently a high level of scrutiny must be used against Russia and Russia-allied nations as the conflict in Ukraine continues. Activity sourcing from eastern nations should be closely monitored for potential spread of malware and lateral movement. The conflict in Ukraine is still early on, however the number of cyberattacks are expected to rise in the coming months as efforts increase from Russia.


Free HermeticRansom Ransomware Decryptor by Avast

Summary: A new free tool has been released to unlock a new ransomware found tied to the data wiping malware HermeticWiper. The malware was first discovered targeting computers in Ukraine, Latvia, and Lithuania. The malware was originally detected targeting machines in the financial, defense, aviation and IT services sector. However, malware may spread beyond the intended targets.

Analysis on the ransomware by Crowdstrike led to the discovery of the malware’s .encryptedJB extension recoverable. The weak cryptography function of the malware has allowed companies to quickly create tools to combat it. A tool to decrypt the ransomware has been released by Avast and is available for free.

Why it matters:

Ransomware has been a growing threat for many years. The basic premise of ransomware is that a machine and its files may be locked down by an attacker. To recover access to the machine, the user must pay the attacker to unlock the machine and files. As such, the device is held in ransom, hence the name. This threat ransomware targets the web application risk outlined in OWASP Top 10’s Security Logging and Monitoring Failures. Ransomware is generally downloaded by users and installed on the machine. Failure to properly protect these devices can have severe effects for affected entities. Ensure that logging is enabled and that logs are properly formatted to aid in monitoring for such attacks.


Microsoft Phishing Campaigns

Summary: Malicious emails have aimed to convince users that unusual activity from Russia has been detected on the user’s accounts. The threat appears to take advantage of users’ worries on the Ukraine-Russia conflict and prompts them to interact with the email.

The emails reportedly allow the recipients to report the activity but expose them to substantial risk instead. It is likely that the recipient will be sent to a phishing page so that their credentials may be harvested. These emails can be identified through their grammatical errors and misspellings. Outlook has reportedly sent the emails directly to the spam folder.

Why it matters:

Social engineering is the technique used by malicious actors to fool victims into giving them privileged access. This technique targets humans rather than computers and relies on the victim’s psychology and fears. The fear is exacerbated by the current Ukraine-Russia conflict. Phishing attempts are normally successful through Security Misconfiguration of email applications which is a common vulnerability of OWASP Top 10’s Web Application Security Risks. Outlook has successfully placed the phishing email in the spam folder. However, there is still a risk that a user may click on the email. Ensure that end users remain vigilant to email threats and are trained to identify and report them.


Microsoft Exchange Exploits

Summary: The ransomware group known as “Cuba”, or “UNC2596”, has recently been detected exploiting Microsoft Exchange bugs. These bugs include ProxyShell and ProxyLogon as initial infection vectors for their COLDDRAW ransomware. To encourage compliance with their demands, they threaten to sell the data or release it in a public forum.

The COLDDRAQW ransomware exploits vulnerabilities in Microsoft Exchange and uses a mix of public and private tools during the attack. The main target of these attacks has been private industries mostly located in the United States. This threat group’s ransomware has only grown since the group was first discovered.

Why it matters:

Ransomware is a growing threat all around the world, particularly in the last several years. The cost of ransomware attacks every year has been the fastest growing cybercrime and has since affected multiple companies. The threat that this ransomware group has been targeting is among a common web application vulnerability.

The OWASP Top 10 lists the 10 most common web application vulnerabilities. This method of ransomware delivery takes advantage of vulnerable and outdated components particularly in Microsoft Exchange. The importance of patching and updating software to the latest version is exemplified by the threat group’s method of installation of taking advantage of well-known vulnerabilities of Microsoft Exchange.

Russian Hackers Abuse Duo MFA Flaw

Summary: Russian state-backed hackers are targeting non-governmental organizations by enrolling new devices to the organization’s multifactor authentication. Threat actors start by brute forcing passwords of accounts that do not currently have MFA active and are not currently active. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network. After access is gained, threat actors could move laterally and gain access to the cloud storage and email accounts and exfiltrate data.

Why it matters:

As cyber threats ramp up during the current geopolitical climate, it is increasingly important to secure access to organizational environments. If a threat actor gains access to an account using this method, there is no telling what information may be exposed to outside parties. To mitigate this risk, it is considered best practice to ensure all inactive accounts are disabled across Active Directory and MFA systems.

Security Tip of the Month

Summary: Aberebot Android banking trojan returns under the new name “Escobar”. The Trojan was discovered on a Russian-speaking hacking forum. The forum included a post from the creator detailing a price to rent the malware. This malware also asks for permissions to record audio, read and send SMS messages, take screenshots, uninstall apps, get the precise location of device, and download media files from victims’ devices. MalwareHunterTeam first spotted the suspicious APK on March 3, 2022, posing as a McAfee app, and warned about its elusiveness.

Why it matters:

It is impossible to tell if this malware will gain popularity given its price tag. Users can avoid the chances of encountering this new form of Aberebot and other malicious mobile apps by only installing apps from the Google Play Store. It is best to also ensure Google Play Protect is enabled on all Android devices. Google Play Protect can also be used to scan all apps currently on the device for malicious activity. Users should also consider using mobile security tools for early detection of any malware. When installing any new apps, users should monitor app permissions and any unusual device behavior following installation such as high-power consumption.