[10 May 2022, Version 13, NEW]
Docker Images Used by Pro-Ukraine Hackers to DDoS Russian Websites
This week researchers observed a plethora of distributed denial-of-service (DDoS) attacks on Russian and Belarusian websites. The targeted websites are managed by either the respective governments of these two nations, military organizations, or media houses.
It is suspected that pro-Ukrainian threat actors, probably backed by Ukraine’s IT Army, are behind this attack. Researchers note that the two Docker images used in this attack were deployed between February and March.
Analysis of a sample captured on a honeypot found that the Docker image contains a Go-based HTTP benchmarking tool named bombardier (SHA256 6d38fda9cf27fddd45111d80c237b86f87cf9d350c795363ee016bb030bb3453), which stress-tests a website by flooding it with HTTP requests.
Recommendations:
[29 April 2022, Version 12]
CERT-UA Warns of Ongoing DDoS Attacks
Ukraine’s Computer Emergency Response Team (CERT-UA) has published an advisory warning of the ongoing Distributed Denial-of-Service (DDoS) attacks which target Government web portals as well as Pro-Ukraine websites.
As per the advisory, threat actors are compromising WordPress-based websites by injecting malicious JavaScript code into the HTML structure of the site’s main files. The injected code is base64-encoded to evade detection.
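A defender reviewing a WordPress install for the injection CERT-UA describes wants to find inline scripts that pair a long base64 literal with a decoding or execution sink such as atob() or eval(). The scanner below is an added example written for this page, not CERT-UA’s or any project’s code; the HTML it scans is a constructed sample whose base64 blob decodes to a harmless console.log() call, and the 40-character threshold and the SINKS list are assumptions you would tune to your site.

```python
import base64
import binascii
import re

# Constructed sample page: one benign inline script and one obfuscated script
# of the kind CERT-UA describes (a base64 blob fed through atob() and eval()).
SAMPLE_HTML = """<html><head>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<p>Hello</p>
<script>eval(atob("Y29uc29sZS5sb2coJ2NvbnN0cnVjdGVkIHBheWxvYWQnKTs="));</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# A quoted run of 40+ base64 characters, optionally padded (threshold is an assumption).
B64_RE = re.compile(r"[\"']([A-Za-z0-9+/]{40,}={0,2})[\"']")
# Decoding/execution sinks that turn an opaque string into running code.
SINKS = ("atob(", "eval(", "Function(", "fromCharCode")


def decode_b64(blob):
    """Strictly decode a candidate blob; return None if it is not valid base64 text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_suspicious_scripts(html):
    """Report inline <script> blocks that pair a long base64 literal with a sink."""
    findings = []
    for match in SCRIPT_RE.finditer(html):
        body = match.group(1)
        sinks = [s for s in SINKS if s in body]
        if not sinks:
            continue
        for blob in B64_RE.findall(body):
            findings.append({
                "offset": match.start(),      # where in the file the script starts
                "sinks": sinks,
                "blob_length": len(blob),
                "decoded": decode_b64(blob),  # None when the blob is not real base64
            })
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_scripts(SAMPLE_HTML):
        print(hit)
```

Run it over the theme and plugin PHP/HTML files (the "main files" the advisory mentions) and triage any hit whose decoded text references a remote host or a request loop; a benign analytics snippet will normally fail the sink test and never be reported.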
Some of the targeted websites include:
Recommendations:
[22 April 2022, Version 11]
Joint Advisory Released by US and Allied Cybersecurity Authorities
A recent advisory was released by the cyber authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom to warn organizations about the Russian state-sponsored and criminal cyber threats to critical infrastructure.
The Cybersecurity and Infrastructure Security Agency (CISA) authored “Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure” in partnership with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), National Cyber Security Centre New Zealand (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) and National Crime Agency (NCA), and with contributions from industry members of CISA’s Joint Cyber Defense Collaborative.
As per the advisory, the Russian invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. As per experts, these activities might be a response to the unprecedented economic costs imposed on Russia as well as the material support provided by the United States and U.S. allies and partners.
Final Takeaways:
[19 April 2022, Version 10]
Ukraine’s Energy Provider Targeted by Industroyer2 Malware
Energy providers in Ukraine have been targeted by a new variant of the Industroyer malware, dubbed Industroyer2. The threat actor Sandworm (reportedly linked to the Russian state security services) is suspected to be behind this attack. In collaboration with CERT-UA, researchers discovered that Sandworm attempted to deploy Industroyer2 against Ukrainian high-voltage electrical substations. In addition to Industroyer2, the threat actor used other malware families including CaddyWiper, ORCSHRED, SOLOSHRED, and AWFULSHRED. At this point, researchers are unclear about the initial access vector and about how the threat actor moved from the IT network to the ICS network.
Final Takeaway:
Recommendations:
[05 April 2022, Version 9]
AcidRain: The Newest Wiper Malware in the Russia-Ukraine Crisis
Following the multifaceted and deliberate cyberattack launched against Viasat’s KA-SAT network, researchers have discovered a new wiper malware named AcidRain. It is an ELF MIPS binary that wipes modems and routers.
Viasat has confirmed that this malware was used in the attack on its modems on the 24th of February. As per researchers, AcidRain destroys all files on a compromised device by overwriting them, leaving the device unusable once the wiping process completes. AcidRain is the seventh wiper malware used by Russia in the ongoing war with Ukraine; the other notable ones are WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero.
There is a section of researchers in the threat intel community which believes that this wiper malware was specifically designed to launch cyberattacks in Ukraine, though there is no clear evidence available at the moment.
[04 April 2022, Version 8]
As per the recent incident report released by Viasat, on 24th February 2022 “a multifaceted and deliberate cyberattack” was launched against its KA-SAT network which led to a partial interruption of KA-SAT’s consumer-oriented satellite broadband service. The company has confirmed that the cyber attack did impact several thousand customers located in Ukraine and tens of thousands of other fixed broadband customers across Europe.
According to Viasat, the incident was localized to a consumer-focused partition of the KA-SAT network. High volumes of focused, malicious traffic were detected emanating from several SurfBeam2 and SurfBeam 2+ modems and/or associated customer premise equipment (CPE) physically located within Ukraine and serviced by one of the KA-SAT consumer-oriented network partitions. This targeted denial of service attack made it difficult for many modems to remain online.
The cyber attackers leveraged “a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network.”
Final Takeaway:
Recommendations:
[ 31 March 2022, Version 7]
Five weeks into the Russia-Ukraine war, its cybersecurity repercussions are being felt in major parts of the world.
Here is a timeline of the major events in the Russia-Ukraine crisis:
30 March 2022
29 March 2022
28 March 2022
Ukrtelecom Hit by Cyberattack: Ukraine’s state-owned telecommunications company experienced a “powerful” cyberattack, which was eventually repelled according to Ukrainian government officials and company representatives.
24 March 2022
SAP out of Russia: German business software giant SAP shut its cloud operations in Russia.
22 March 2022
5 US Energy Firms Scanned: FBI releases an advisory on hackers associated with Russian internet addresses who have been scanning the networks of five US energy companies in a possible prelude to hacking attempts.
21 March 2022
Need to Strengthen US Healthcare Cybersecurity: The Department of Health and Human Services urged healthcare organizations to review and bolster their defenses against possible fallout from the Russian invasion of Ukraine.
18 March 2022
SaintBear Targets Ukraine: Ukraine is being targeted with fake translation software by the suspected threat actor UAC-0056 aka SaintBear. The threat actor has been observed to be deploying Cobalt Strike, GrimPlant, and GraphSteel.
15 March 2022
CaddyWiper Targets Ukraine: The malware observed targeting Ukraine is designed to wipe data across the Windows domains it is deployed on.
14 March 2022
Rise in Phishing Attacks: Since the Russian invasion, Ukraine has witnessed a rise in the use of phishing emails as the primary attack vector to execute scams and deliver malware (including, but not limited to, Remote Access Trojans/RATs).
13 March 2022
Rosneft Hit by Cyberattack: The Russian Energy company’s German subsidiary suffered cyberattacks.
11 March 2022
Series of DDoS Attacks on Russian Websites: Russian company websites were hit by increased hacking attempts.
Broadband Cyberattacks Disrupted: Western intelligence agencies investigate unidentified hackers who disrupted the broadband satellite Internet access in Ukraine.
8 March 2022
ISPs Quit Russia: Internet Service Providers Cogent Communications and Lumen Technologies stopped their internet services in Russia.
7 March 2022
IsaacWiper Launched on Ukraine: Data wiper malware named “IsaacWiper”, suspected to be part of the Russian sabotage arsenal, was deployed on Ukrainian government infrastructure.
2 March 2022
Patriotic Emotions Get the Better of Conti Ransomware Group: A new Twitter account named “Contileaks” emerged; it is suspected to have been created by a pro-Ukraine member of the ransomware group and, under the banner “Glory to Ukraine”, has leaked what our threat intelligence team regards as precious classified information.
1 March 2022
Russian Power Grid and Railways Attacked: In an attempt to strike back at Russia over its Ukraine invasion, a Ukraine-based cyber guerrilla warfare group plans to launch digital sabotage attacks against critical Russian infrastructure.
28 February 2022
FoxBlade Trojan Launched on Ukraine: Hours before the Russian invasion, Ukraine witnessed a cyberattack by FoxBlade – a trojan that has DDoS capabilities.
27 February 2022
US Banks Gear Up for Cyberattacks: Following the sanctions on Russia, US banks strengthened their cyber defenses in anticipation of retaliatory cyberattacks from Russia.
26 February 2022
Internet Shut Down in Ukraine: As Russian troops advanced in Ukraine, the country faced a major internet outage.
Official Russian Website Offline: As several Russian government and state media websites suffered DDoS attacks, the official website of the Kremlin went offline.
25 February 2022
Conti Sides with Russia: In the emerging Russia-Ukraine crisis, the Conti ransomware group sides with Russia and vows to “retaliate in case the Western warmongers attempt to target critical infrastructure in Russia.”
Ukrainian Personnel Attacked by Phishing Attacks: Belarus-based hackers launch phishing attacks targeting Ukrainian military personnel.
24 February 2022
Russian Government Websites Down: The websites of the Russian government, State Duma, and Russian President were intermittently unavailable in Russia and Kazakhstan.
Ukraine Calls on Hacker Underground: The Ukrainian government called for support from the hacker underground to conduct espionage against Russia and protect critical infrastructure.
23 February 2022
Linux Systems Attacked by Sandworm: Russian APT hacking group Sandworm allegedly attacked UK and US agencies.
Ukraine Attacked by Wiper Malware: Ukrainian enterprises have been attacked by a new wiper malware, which was witnessed in Latvia and Lithuania.
18 February 2022
Ukraine Suffers SMS Spam and DoS Attacks: Cyber Officials in the US found evidence of massive DoS and SMS Spam campaigns in Ukraine – originating in Russia.
11 January 2022
Joint Alert Released on Cyberattacks: The National Security Agency, the Cybersecurity and Infrastructure Security Agency, and the FBI released a joint alert warning of ongoing targeted cyberattacks from Russian state-sponsored cyber operations.
[ 18 March 2022, Version 6]
As per our Cyber Threat Intelligence Team, Ukraine is being targeted with fake translation software by the suspected threat actor UAC-0056 aka SaintBear. The threat actor has been observed deploying Cobalt Strike, GrimPlant, and GraphSteel.
We believe that UAC-0056 was behind the WhisperGate activity which impacted the Ukrainian government agencies. As per our research, the threat actor was perhaps building on the GrimPlant and GraphSteel campaign since December 2021.
Post the compromise of the target organization, the GraphSteel variant will execute a set of reconnaissance and credential harvesting commands.
[ 15 March 2022, Version 5]
In line with CYFIRMA’s Cyber Security Predictions for 2022, the world is witnessing ongoing hybrid warfare against nations and their critical infrastructure. The Russia-Ukraine crisis started with a plethora of cyberattacks, with data-wiping malware being used as a potent tool against Ukraine.
The newest malware observed in this chain is “CaddyWiper”. This malware is designed to wipe data across the Windows domains it is deployed on. What sets it apart from the other wipers is the tactic the attackers use to maintain access inside the compromised networks while still heavily disrupting operations by wiping other critical devices: the wiper calls the DsRoleGetPrimaryDomainInformation() function to check whether a device is a domain controller, and if so, the data on that domain controller is not deleted.
While CaddyWiper does not share any similarity with the other wiper malware used before Russia’s physical invasion of Ukraine, its deployment is quite similar to that of HermeticWiper. Sample analysis shows that, just like HermeticWiper, CaddyWiper was deployed via GPO, which means that the attackers had control of the target’s network beforehand.
[ 14 March 2022, Version 4]
Like any global conflict, the Russia-Ukraine crisis too has opened the doors of exploits for opportunistic threat actors. This pattern of exploiting the existing public sentiments for financial gains is not new among cybercriminals – and has been witnessed during several global crises including the Covid-19 pandemic.
Our Cyber Threat Intelligence team has observed a meteoric rise in the use of phishing emails as the primary attack vector to execute scams and deliver malware (including, but not limited to, Remote Access Trojans/RATs). In particular, several Business Email Compromise (BEC) campaigns have been witnessed since the Russian invasion. Most of these emails use commodity malware such as Remcos RAT to deliver malevolent payloads, which are distributed in large quantities across the target threat landscape. Threat actors are also exploiting existing vulnerabilities in Microsoft Office to implant malware. For instance, CVE-2017-11882, a “Microsoft Office Memory Corruption Vulnerability”, has been successfully leveraged by cybercriminals to run arbitrary code.
[ 04 March 2022, Version 3]
As Russia bombs major Ukrainian cities, more intel on the symphony of cyberattacks that took place before the invasion has emerged. Our threat intelligence team has observed the use of a new data wiper malware named “IsaacWiper”, which they believe was part of the Russian sabotage arsenal and has been deployed on Ukrainian government infrastructure that was not attacked by HermeticWiper.
While the first incidence of IsaacWiper was observed on the 24th of February, there is substantial evidence that a new version of the data wiper was dropped on February 25th. Our hypothesis is that the second version was used because the threat actors had failed to wipe part of the target infrastructure; log messages were added to keep track of how the malware interacted with the attacked assets.
Apart from IsaacWiper, researchers have also found new samples signed under Hermetica Digital Limited and named them as HermeticWizard. This malware works on finding the machines connected to the local networks and moves on to gathering local IP addresses. The end goal seems to be dropping and executing the HermeticWiper malware.
Furthermore, our threat intelligence team has also identified additional TTPs of Conti Ransomware being leveraged in the ongoing conflict.
[ 02 March 2022, Version 2]
Patriotic Emotions Get the Better of Conti Ransomware Group
The announcement of “full support” for the Russian invasion of Ukraine by the notorious Conti Ransomware Group seems to have ruffled the patriotic emotions of a member of the gang or of a security researcher of Ukrainian origin.
The end result? Three days after the attack on Ukraine, on the 27th of February, a new Twitter account named “Contileaks” emerged. The account, suspected to have been created by a pro-Ukraine member of the ransomware group, has, under the banner “Glory to Ukraine”, leaked what our threat intelligence team regards as precious classified information. This data not only gives an inner glimpse of Conti’s workings since January 29, 2021, but also explosive TTPs which can be leveraged by several cybercriminal groups in the upcoming months.
[ 26 February 2022, Version 1]
Objective: Unauthorized Access, Cyber Espionage, Data Exfiltration, Payload Delivery, Defense Evasion, Defacement, Hybrid Warfare.
Type of Attack: Spear-Phishing, Impersonation, Malware Implant/ Data Wiper Malware, Smishing, BGP Hijacking, DDoS (Distributed Denial-of-Service), Vulnerabilities & Exploits (October CMS).
Target Technology: Microsoft Windows, Linux, Web Applications.
Target Geography: Ukraine, Global.
Target Industry: Government, Defence, Utilities, Energy, Transportation Infrastructure, Diversified Financials, Critical Infrastructure.
Suspected Vulnerability Leveraged: CVE-2021-32648 (CVSS Score: 9.1).
Suspected Threat Actors: Gamaredon, Ghostwriter, MuddyWater, Unknown Russian Threat Actors.
Malware: WhisperGate, HermeticWiper.
Business Impact Analysis: Data Loss, Operational Disruption, Reputational Damage, Geopolitical Risk.
Reported Date: February 26, 2022.
SUMMARY: As this article is being written, Russia has officially declared war on Ukraine. Ukraine which has been for years a testing ground for cyberweaponry has now turned into a textbook case of how cyberattacks can be used to launch hybrid warfare.
While cyber offensive and use of state-sponsored threat actors are not new for both Russia and Ukraine (can be traced back to 2005), the recent cocktail of attacks launched by Russian Intelligence before formally declaring this invasion further highlights how geopolitical issues can snowball into a crippling effect on critical infrastructure and state machinery.
Recent Cyber Escalations in Ukraine:
Since October 2021, our cyber threat intelligence team has observed a trail of spear-phishing campaigns targeting organizations and entities connected with Ukrainian affairs – ranging from government agencies, defense bodies, judiciary, moving on to NGOs and humanitarian aid bodies.
These campaigns were tracked down to be cyber-espionage operations launched by Gamaredon, aimed at exfiltrating sensitive data, gaining access to critical infrastructure, maintaining persistence, and following it up with lateral movement.
Linked to Russia’s domestic intelligence service (FSB), Gamaredon resorted to remote template injection to evade detection as well as to control how and when the malicious components referenced by the phishing emails would be delivered. It was observed that the attachments to these emails carried first-stage payloads which, once downloaded, can execute further payloads. The initial staging capabilities include (but are not limited to) obfuscated VBScripts, obfuscated PowerShell commands, LNK files, and self-extracting archives.
While the clarity on multiple subsequent staging scripts is limited, there is a fair possibility staging VBScripts were deployed for defense evasion and to execute Command-&-Control (C2) changes.
Fast-forward to 2022: on January 13, a destructive malware operation masquerading as a ransomware attack was observed targeting more than 70 websites of the Ukrainian government. While the defacement message on the websites was political in nature, the aim of the bootloader malware was to corrupt the data of the target infrastructure.
According to researchers, this three-stage Master Boot Record (MBR) wiper malware belongs to a new malware family named WhisperGate. They also observe that the Log4j vulnerability was leveraged to launch this attack. While the modus operandi of WhisperGate seems to resonate with VOODOO BEAR’s NotPetya malware, researchers observe no technical intersection between the two.
Though no clear attribution was made in this attack, Ukrainian officials did suspect Ghostwriter – a Belarusian threat actor group – to be responsible for this attack.
Around the same time, a vulnerability in the OctoberCMS (CVE-2021-32648) was leveraged by threat actors to gain access into the network of Ukrainian government websites. The vulnerability is caused by a flaw in the October/system package. By sending a specially crafted request, an attacker could exploit this vulnerability to request an account password reset and then gain access to the account.
As per our threat intelligence team, the vulnerability exists due to a weak password recovery mechanism. The CWE is CWE-640, CWE-287 and the vulnerability has an impact on confidentiality and integrity.
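The weakness class named above (CWE-640, weak password recovery) is avoided by treating the reset code as a short-lived credential: generated from a CSPRNG, stored only as a hash, bound to one account, time-limited, single-use, compared in constant time, and never matched when the request carries no code at all. The class below is an added illustration written for this page of those properties in general; it is not October CMS code and makes no claim about how the October/system package implements its reset flow. The 15-minute TTL is an assumption.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset code


class PasswordResetStore:
    """Illustrative reset-code handling (not October CMS code): random, hashed,
    time-limited, single-use, compared in constant time, never matched when empty."""

    def __init__(self):
        # user_id -> (sha256 hex of the token, expiry timestamp)
        self._pending = {}

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[user_id] = (digest, now + TOKEN_TTL_SECONDS)
        return token  # delivered to the user out of band; only the hash is kept

    def verify_and_consume(self, user_id, supplied, now=None):
        now = time.time() if now is None else now
        if not supplied:
            return False  # an empty or absent code never matches anything
        entry = self._pending.get(user_id)
        if entry is None:
            return False  # no reset was requested for this account
        digest, expires_at = entry
        if now > expires_at:
            del self._pending[user_id]
            return False  # stale code; user must request a new one
        candidate = hashlib.sha256(supplied.encode()).hexdigest()
        if not hmac.compare_digest(digest, candidate):
            return False  # wrong code; pending entry kept until it expires
        del self._pending[user_id]  # single use: a replayed code fails
        return True


if __name__ == "__main__":
    store = PasswordResetStore()
    code = store.issue("alice")
    print(store.verify_and_consume("alice", ""))    # False
    print(store.verify_and_consume("alice", code))  # True
    print(store.verify_and_consume("alice", code))  # False (already consumed)
```

Binding the lookup to user_id rather than searching all pending codes by value, and hashing the stored token, means a leaked database row or a guessed account name does not by itself yield a usable reset code.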
It was the breach of Belarusian Railway’s computer systems by hacktivists that brought a real-world kinetic angle to the earlier cyber offensive activities. The group gained access to the railway’s control systems, which could have enabled them to shut those systems down and cause several accidents.
This series of cyberattacks reached its high point when on the 23rd of February, a new series of malware samples were observed to be making inroads in Ukrainian infrastructure. This new malware, named HermeticWiper – based on the signature used in the digital certificate – was found to be a custom-written application, aiming (just like WhisperGate) to deploy a wiper targeting Windows-based devices and also manipulating the MBR for resultant boot failure. The attack exploits a benign partition management driver to further execute sabotage operations.
The DDoS attack launched using HermeticWiper, not only targeted the government websites and government contractors but also impacted the financial organizations in Ukraine and other member nations of NATO.
Note: As a retaliation to the cyber-kinetic attacks on Ukraine, the hacking group Anonymous Collective claims to have declared war on the Russian government.
Hypothesis:
We believe that this series of activities is a classic case of how cyberattacks can be used to build a smokescreen around political propaganda. By virtue of being well integrated into Western Europe’s internet network and with the West more broadly, Ukraine provides the perfect backdoor entry into the rest of Europe and a launch point for cyberattacks at a global level.
We expect similar long-term politically motivated cyberattacks as the newest addition in the global warfare weaponry.
While the kinetic attack on Ukraine is being witnessed at the global level, our threat intelligence team is closely monitoring the activities in the underground forums and dark web. With claims by random threat actors around the data leak of sensitive US personnel information – as retaliation to its support to Ukraine – we expect the dark web and underground forums to remain active with such spoils in the forthcoming days.
As per our threat intelligence team the ongoing Russia-Ukraine conflict can spill over and cause the following impact:
INSIGHTS:
Indicators of Compromise:
Refer to the IOCs file to exercise controls on your security systems.
Targeted Recommendations:
YARA Rules
Rule 1:
rule APT_UA_Hermetic_Wiper_Feb22_1 {
meta:
description = "Detects Hermetic Wiper malware"
score = 75
hash1 = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
hash2 = "3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767"
hash3 = "2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf"
hash4 = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
strings:
$xc1 = { 00 5C 00 5C 00 2E 00 5C 00 50 00 68 00 79 00 73
00 69 00 63 00 61 00 6C 00 44 00 72 00 69 00 76
00 65 00 25 00 75 00 00 00 5C 00 5C 00 2E 00 5C
00 45 00 50 00 4D 00 4E 00 54 00 44 00 52 00 56
00 5C 00 25 00 75 00 00 00 5C 00 5C 00 2E 00 5C
00 00 00 00 00 25 00 73 00 25 00 2E 00 32 00 73
00 00 00 00 00 24 00 42 00 69 00 74 00 6D 00 61
00 70 00 00 00 24 00 4C 00 6F 00 67 00 46 00 69
00 6C 00 65 }
$sc1 = { 00 44 00 72 00 69 00 76 00 65 00 72 00 73 00 00
00 64 00 72 00 76 00 00 00 53 00 79 00 73 00 74
00 65 00 6D 00 33 00 32 }
$s1 = "\\\\?\\C:\\Windows\\System32\\winevt\\Logs" wide fullword
$s2 = "\\\\.\\EPMNTDRV\\%u" wide fullword
$s3 = "DRV_XP_X64" wide fullword
$s4 = "%ws%.2ws" wide fullword
$op1 = { 8b 7e 08 0f 57 c0 8b 46 0c 83 ef 01 66 0f 13 44 24 20 83 d8 00 89 44 24 18 0f 88 3b 01 00 00 }
$op2 = { 13 fa 8b 55 f4 4e 3b f3 7f e6 8a 45 0f 01 4d f0 0f 57 c0 }
condition:
( uint16(0) == 0x5a53 or uint16(0) == 0x5a4d ) and
filesize < 400KB and ( 1 of ($x*) or 3 of them )
}
Rule 2:
rule APT_UA_Hermetic_Wiper_Artefacts_Feb22_1 {
meta:
description = "Detects artefacts found in Hermetic Wiper malware related intrusions"
score = 75
strings:
$sx1 = "/c powershell -c \"rundll32 C:\\windows\\system32\\comsvcs.dll MiniDump" ascii wide
$sx2 = "appdata\\local\\microsoft\\windows\\winupd.log" ascii wide
$sx3 = "AppData\\Local\\Microsoft\\Windows\\Winupd.log" ascii wide
$sx4 = "CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp1" ascii wide
$sx5 = "\\policydefinitions\\postgresql.exe" ascii wide
$sx6 = "powershell -v 2 -exec bypass -File text.ps1" ascii wide
$sx7 = "powershell -exec bypass gp.ps1" ascii wide
$sx8 = "powershell -exec bypass -File link.ps1" ascii wide
/* 16 is the prefix of an epoch timestamp that shouldn't change until the 14th of November 2023 */
$sx9 = " 1> \\\\127.0.0.1\\ADMIN$\\__16" ascii wide
$sa1 = "(New-Object System.Net.WebClient).DownloadFile(" ascii wide
$sa2 = "CSIDL_SYSTEM_DRIVE\\temp\\" ascii wide
$sa3 = "1> \\\\127.0.0.1\\ADMIN$" ascii wide
condition:
1 of ($sx*) or all of ($sa*)
}
Rule 3:
rule APT_UA_Hermetic_Wiper_Scheduled_Task_Feb22_1 {
meta:
description = "Detects scheduled task pattern found in Hermetic Wiper malware related intrusions"
score = 85
strings:
$a0 = "
$sa3 = "cmd.exe /Q /c move CSIDL_SYSTEM_DRIVE" ascii wide
condition:
$a0 and 1 of ($s*)
}
Rule 4:
rule HermeticWiper {
meta:
description = "Detecting variants of Hermetic Wiper malware discovered in UA"
malware_type = "Trojan"
strings:
$0 = {E4B5518CD941310A015E4AF8E5968C8231492FE19246A293A569D5D7A36F56EB2FC5B68FFF6F3359C19AF6806920C3FE6628F90A75440E6616297A031BA6075100D72DFAA9829E772E45D77B89F862081EAFDB19B4B2DCEF3F273FF645ACCEAA4B991F98373973C0FB25829E860D9BC195EF1A0AD9219456AD077D42868EE03EE00E88D04C434BA97E88DF99273A35E2C668A1C69954B4762390ABDFBE4CD4AF}
$1 = {90506F1C825F7AE0D8605F5C627CA325BFF199AB60A63DE8A90E923F4B18D7FB039E1DEC89D573AAB0A14C1D4BA70EB444753A41C03082A60CB4DB551393F2C50988A3181E7F31D01B5AAD94070432D98F18655AB8A555919FEFEA9DE1EDF1}
$2 = {D5EEF61336015A85FF04ED298A6BDD6742FF153E33DAF9B383A5FFDCE7E64D47748DB5FF2609DF9BD5C66735FF6916797B2D365313FF1461EAEB9DAEA754FF6D4D55D1956CC8CBFF75C10CE74BF88C8DFF3B553B839D42609FFF2916227230}
$3 = {6C750DDC932124500CE9B5AB91CE101BE9AD348220E9423124512282373675152281023428825C51770FE9841F853375125382F732750A5B83F60FEB6AEE2282647462228269745AEE22826F7452228275744AEE2282787442}
$4 = {19A8A063FFAAAF6C1E7F78A896FFFA5C8F30BA98B69CFF1961E107BEB7636AFF9EA56A4FC4EDE3F1FF295235ACD0185726FFADA6B8CB54B342C9FF86F58524DC91617BFFB4388DBE01B6CF86}
$5 = {50C449606B20184A6328556032197660AAF9507861609F6160640560B4546160C3A194056070C4A09EC4A01A0461A4C4A0831B16600561916069A291607061C09160AA1CB6204A}
$6 = {FFEB19D2636B8B95273156BB63E8C78470D55970F47CF26574B46DE86EE084704590CA8053F15320258BBD1AACF18B04F2E965C6605CB10880B7E8FCF53DF5EB0621635EFF}
$7 = {7E31126E14B8FF98554F6FCFB64207FFCF8D93B2573609C2FF99E4409F73BB9322FF1E5E380DC0BBABCAFF4B901EDF61BD6A68FFEE3253728C7769ABFF7BCDA939C959A282}
$8 = {1970FFC6F8AA7C32EE693CFF369579E5355EF62CFF682CEAF20BA3EA1CFF1AAC638666431B20FF54293D1E709C231AFFCD11B55599F64CB9FF1E5A9015DC867F}
$9 = {8DFF93B2573609C299E4FF409F73BB93221E5EFF380DC0BBABCA4B90FF1EDF61BD6A68EE32FF53728C7769AB7BCDFFA939C959A282D312FF5DD04F0370CE811F}
$10 = {DF5519064E31101CF3DA96C15FF96728B708F358F51759E3A22FFA1CF1BB986A2038D6753E6BF037945B8469ADF20BAB71E10F3DE27735F640704C970DFE8672}
condition:
uint16(0) == 0x5a4d and
filesize < 200KB and
all of them
}
Rule 5:
rule Win32_Trojan_HermeticWiper : tc_detection malicious
{
meta:
category = "MALWARE"
malware = "HERMETICWIPER"
description = "Yara rule that detects HermeticWiper trojan."
tc_detection_type = "Trojan"
tc_detection_name = "HermeticWiper"
tc_detection_factor = 5
strings:
$corrupt_physical_drive = {
55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 51 68 ?? ?? ?? ?? 0F 57 C0 89 55 ?? 8D 85 ?? ??
?? ?? C7 45 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 33 F6 66 0F D6 45 ?? 33 FF 89 75 ?? 50 0F
11 45 ?? 89 7D ?? 0F 11 45 ?? FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? 8D 55 ?? 8D 8D ??
?? ?? ?? 50 E8 ?? ?? ?? ?? 8B D8 83 FB ?? 0F 84 ?? ?? ?? ?? 85 DB 0F 84 ?? ?? ?? ??
BF ?? ?? ?? ?? 57 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 8B F0 8D 45 ??
50 57 56 6A ?? 6A ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ??
75 ?? 66 0F 1F 44 00 ?? 56 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 81 C7 ?? ??
?? ?? 33 F6 81 FF ?? ?? ?? ?? 0F 83 ?? ?? ?? ?? 57 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15
?? ?? ?? ?? 8B F0 85 F6 0F 84 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 57 56 6A ?? 6A ?? 68 ??
?? ?? ?? 53 FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 74 ?? 85 F6 0F 84 ?? ?? ??
?? 8B 06 C7 45 ?? ?? ?? ?? ?? 83 F8 ?? 74 ?? 85 C0 74 ?? 83 F8 ?? 0F 85 ?? ?? ?? ??
83 7E ?? ?? C7 45 ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? 8B 55 ?? 8D 46 ?? 89 45 ?? 66 90
8B 00 85 C0 74 ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 52 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ??
?? ?? ?? 8B F8 89 7D ?? 85 FF 0F 84 ?? ?? ?? ?? 8B 45 ?? 6A ?? 6A ?? FF 70 ?? FF 70
?? 53 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 FF 75 ?? 57 53 FF
15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 55 ?? 81 FA ?? ?? ?? ?? 72 ?? 66 83 7F ??
?? 75 ?? 85 D2 0F B7 C2 B9 ?? ?? ?? ?? 0F 45 C8 66 89 4F ?? 8B 45 ?? FF 70 ?? FF 70
?? FF 75 ?? FF 75 ?? 57 53 FF 55 ?? 8B 55 ?? 8B 4D ?? 8B 45 ?? 41 05 ?? ?? ?? ?? 89
4D ?? 89 45 ?? 3B 4E ?? 0F 82 ?? ?? ?? ?? 8B 7D ?? EB ?? FF 15 ?? ?? ?? ?? 33 FF 85
DB 74 ?? 83 FB ?? 74 ?? 53 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 85 F6 74 ?? 56 6A ??
FF D3 8B 35 ?? ?? ?? ?? 50 FF D6 EB ?? FF 15 ?? ?? ?? ?? 8B 7D ?? EB ?? 33 C0 5F 5E
5B 8B E5 5D C2 ?? ?? 8B 35 ?? ?? ?? ?? 85 FF 74 ?? 57 6A ?? FF D3 50 FF D6 8B 45 ??
5F 5E 5B 8B E5 5D C2
}
condition:
uint16(0) == 0x5A4D and
(
$corrupt_physical_drive
)
}
Source: Surface Web
Sigma Rules
Rule 1:
title: Execution of Suspicious File Type Extension
id: c09dad97-1c78-4f71-b127-7edb2b8e491a
status: experimental
description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)
tags:
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    known_image_extension:
        Image|endswith:
            - '.exe'
            - '.tmp'  # sadly many installers use this extension
    filter_null:
        Image: null
    filter_image:  # Windows utilities without extension
        Image:
            - 'Registry'
            - 'MemCompression'
    filter_empty:
        Image:
            - '-'
            - ''
    filter_starts:
        Image|startswith: 'C:\Windows\Installer\MSI'
    filter_pstarts:
        ParentImage|startswith:
            - 'C:\ProgramData\Avira\'
            - 'C:\Windows\System32\DriverStore\FileRepository\'
    filter_screensaver:
        Image|endswith: '.scr'
    filter_nvidia:
        Image|contains: 'NVIDIA\NvBackend\'
        Image|endswith: '.dat'
    filter_com:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
        Image|endswith: '.com'
    filter_winscp:
        Image|endswith: '\WinSCP.com'
    filter_vscode:
        Image|contains|all:
            - 'C:\Users\'
            - '\AppData\'
            - '.tmp'
            - 'CodeSetup'
    filter_libreoffice:
        Image|endswith: '\program\soffice.bin'
    filter_emc_networker:
        Image:
            - 'C:\Program Files\EMC NetWorker\Management\GST\apache\cgi-bin\update_jnlp.cgi'
            - 'C:\Program Files (x86)\EMC NetWorker\Management\GST\apache\cgi-bin\update_jnlp.cgi'
    filter_winpakpro:
        Image|startswith:
            - 'C:\Program Files (x86)\WINPAKPRO\'
            - 'C:\Program Files\WINPAKPRO\'
        Image|endswith: '.ngn'
    filter_myq_server:
        Image:
            - 'C:\Program Files (x86)\MyQ\Server\pcltool.dll'
            - 'C:\Program Files\MyQ\Server\pcltool.dll'
    filter_visualstudio:
        Image|startswith:
            - 'C:\Program Files\Microsoft Visual Studio\'
            - 'C:\Program Files (x86)\Microsoft Visual Studio'
        Image|endswith: '.com'
    filter_msi_rollbackfiles:
        Image|startswith: 'C:\Config.Msi\'
        Image|endswith:
            - '.rbf'
            - '.rbs'
    condition: not known_image_extension and not 1 of filter*
falsepositives:
    - unknown
level: high
Rule 2:
title: Execution Of Not Existing File
id: 71158e3f-df67-472b-930e-7d287acaa3e1
status: experimental
description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
tags:
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    image_absolute_path:
        Image|contains: '\'
    filter_null:
        Image: null
    filter_empty:
        Image:
            - '-'
            - ''
    filter_4688:
        - Image: 'Registry'
        - CommandLine: 'Registry'
    condition: not image_absolute_path and not 1 of filter*
falsepositives:
    - unknown
level: high
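Both Sigma rules above key on the same idea: a process whose Image field has no .exe extension, or no path at all, is a hallmark of process ghosting and similar tricks, and the long filter lists exist only to suppress the legitimate Windows components that look the same. The script below is an added example written for this page, not code from the Sigma project; it implements the two conditions in Python (the first eight filters of Rule 1 and all of Rule 2, matching case-insensitively as Sigma does) and runs them over constructed process_creation events so you can see exactly which event each rule fires on before deploying the rules in a SIEM.

```python
# Constructed process_creation events (Sysmon-style field names); none of
# these come from a real host.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe"},
    {"Image": "Registry", "ParentImage": "", "CommandLine": "Registry"},
    {"Image": "C:\\Windows\\Installer\\MSI1234.tmp",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "MSI1234.tmp"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc",  # absolute path, no extension
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "svc"},
    {"Image": "updater",  # no path separator at all
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "updater"},
    {"Image": "C:\\Windows\\System32\\chcp.com",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "chcp 65001"},
]


def _lc(value):
    # Sigma string modifiers match case-insensitively; normalise once.
    return (value or "").lower()


def rule1_suspicious_extension(ev):
    """Rule 1: not known_image_extension and not 1 of filter* (first eight filters)."""
    image = _lc(ev.get("Image"))
    known_image_extension = image.endswith((".exe", ".tmp"))
    filters = (
        ev.get("Image") is None,                                    # filter_null
        image in ("registry", "memcompression"),                    # filter_image
        image in ("-", ""),                                         # filter_empty
        image.startswith("c:\\windows\\installer\\msi"),             # filter_starts
        _lc(ev.get("ParentImage")).startswith((                     # filter_pstarts
            "c:\\programdata\\avira\\",
            "c:\\windows\\system32\\driverstore\\filerepository\\")),
        image.endswith(".scr"),                                     # filter_screensaver
        "nvidia\\nvbackend\\" in image and image.endswith(".dat"),  # filter_nvidia
        image.startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"))
        and image.endswith(".com"),                                 # filter_com
    )
    return not known_image_extension and not any(filters)


def rule2_not_absolute_path(ev):
    """Rule 2: not image_absolute_path and not 1 of filter*."""
    image = ev.get("Image")
    if image is None or image in ("-", ""):
        return False  # filter_null / filter_empty
    if _lc(image) == "registry" or _lc(ev.get("CommandLine")) == "registry":
        return False  # filter_4688 (either field matches)
    return "\\" not in image  # image_absolute_path is false


def evaluate(events):
    """Map event index -> names of the rules that fired on it."""
    rules = (("rule1", rule1_suspicious_extension), ("rule2", rule2_not_absolute_path))
    hits = {}
    for idx, ev in enumerate(events):
        fired = [name for name, fn in rules if fn(ev)]
        if fired:
            hits[idx] = fired
    return hits


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # {3: ['rule1'], 4: ['rule1', 'rule2']}
```

The temp-directory binary without an extension trips only Rule 1, while the bare "updater" image trips both; cmd.exe, the MSI .tmp, the Registry pseudo-process and chcp.com are all absorbed by the extension check or a filter, which is the behaviour you want to confirm against your own telemetry before trusting a "high" level alert.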
Source: Surface Web
STRATEGIC RECOMMENDATION
MANAGEMENT RECOMMENDATION
TACTICAL RECOMMENDATION