Suspected Threat Actors: Gamaredon (Armagedon, Armageddon, UAC-0010)
Ukraine’s Computer Emergency Response Team (CERT-UA) has detailed a phishing campaign linked to a Russian state-sponsored actor Armageddon. The phishing emails used information about the ongoing Russia-Ukraine war as a lure to target government officials.
One of the two campaigns that targeted Ukrainian government agencies used the subject line, “Information on war criminals of the Russian Federation,” and was sent from the email address vadim_melnik88@i[.]ua. This email carried an HTML file named “War criminals of the Russian Federation.htm” which when opened created a RAR-archive “Viyskovi_zlochinci_RU.rar”. This archive included a file “War criminals destroying Ukraine (home addresses, photos, phone numbers, pages on social networks).lnk”. When opened, the file downloads an HTA-file containing VBScript-code, leading to the download and execution of a PowerShell script “get.php” (GammaLoad.PS1). The objective of this file is to get the unique identifier of the computer.
The second phishing campaign targets the Latvian government officials and has been attributed to Armagedon by CERT-UA.
The files as well as the content in the phishing emails were written in English language and were sent to the Latvian government. The analysis of this campaign by CERT-UA has led to an observation that government agencies across the European Union may also be a potential target for Armagedon. The APT group Armagedon is linked to the Federal Security Service of the Russian Federation and has been known to carry out attacks against Ukraine. The Security Service of Ukraine (SSU) in a statement released in November 2021 outlined the group’s objective and 5000 cyberattacks targeting public authorities and the critical infrastructure of Ukraine.
The Biden administration charged a Russian oligarch linked to the Kremlin with violating U.S. government sanctions and disrupted a cybercrime operation launched by a Russian military intelligence agency.
FBI and Justice Department officials announced this, as the U.S. revealed sanctions against the two adult daughters of Russian President Vladimir Putin and toughened penalties against Russian banks.
The accusation against a Russian media baron and founder of a Russian Orthodox news channel Tsargrad TV is the first of an oligarch since Russia’s war with Ukraine. The Russian oligarch has broadcasted the invasion as a “holy war” and has supported Russia-aligned separatist groups in Ukraine.
The Justice Department also stated that it had taken down a botnet – a network of hijacked computers – typically used for malicious activity that was operated by the Russian military intelligence agency (GRU). The botnet, which involved thousands of infected network hardware devices, was taken down before it could cause any damage.
Since 2021, the Justice Department has aimed against Russia-based cybercrime, recovering most of a multimillion-dollar ransom that Colonial Pipeline paid to hackers after a ransomware attack halted its operations. The department also declared charges against two suspected ransomware operators.
Researchers have observed an ongoing trend of malware infection that redirects website visitors to a scam website. Approximately 3,000 websites infected with this type of injection have already been spotted by researchers this year so far with the toll reaching 17k in total since it was first detected in March 2021. As per researchers, the behaviour of the reported website remains the same where after a few seconds of loading the website, it redirects to a scam site.
The likely suspect for this kind of behaviour and to this much amount would be a vulnerable component in the WordPress ecosystem. However, peculiar as it may seem, no vulnerable plugin or theme has been identified that might have been leveraged by attackers to carry out this type of attack. The same behaviour has been spotted in up-to-date WordPress environments as well.
This leads to a fair assumption that the attackers are indeed leveraging compromised wp-admin administrator accounts and the built-in file editor functionality to inject the malicious code. To compromise a wp-admin administrator account’ credential, a number of credential abuse techniques can be used including brute force, credential stuffing, or compromised credentials sold in underground marketplaces.
On April 4, 2022, the CVE-2021-45382 vulnerability got added to CISA’s (Cybersecurity & Infrastructure Security Agency) known exploited vulnerabilities catalog. CISA is advising users to take the vulnerable devices offline since the affected products have reached the end of life (EOL) if they are still in use.
The CVE-2021-45382 is an RCE vulnerability that exists in all series H/W revisions D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via the DDNS (Dynamic Domain Name System) function in ncc2 binary file.
The ncc2 service on the affected devices appears to have been shipped with a number of diagnostic hooks available and it is possible to call them without authentication. The necessary resources do not exist on the filesystem of the device, nor do they appear to be static. Instead, these files appear to be rendered when queried and can be used to both interrogate the given device for information, as well as enable diagnostic services on demand.
The vulnerability has been classified as critical and can be exploited remotely. In addition, a Proof of Concept (PoC) has been made publicly available on GitHub. In light of these facts, it is trivial for a malicious actor to take control of the vulnerable routers.
It should be noted that CISA’s ‘Catalog of Known Exploited Vulnerabilities’ is an excellent resource for organizations to keep up with trending vulnerabilities among attackers. The initiative aims to catalog the most important vulnerabilities that have been previously exploited by attackers and pose a serious risk. Organizations must monitor and prioritize these vulnerabilities listed in this catalog.