05.04.2022

The 5th of April, Cyber Digest

IN UKRAINE

Cyber attack of UAC-0010 group (Armageddon) on the state organizations of Ukraine (CERT-UA # 4378)

The attackers are again using painful topics for Ukrainians. In particular, they “parasitize” on information about the personal data of russians who committed war crimes in our country. The government team for responding to computer emergencies in Ukraine, CERT-UA, has revealed the distribution of e-mails on “Information on war criminals of the russian Federation” among the state authorities of Ukraine. The e-mail contains the HTML file “War criminals of the russian Federation.htm”, the opening of which leads to the creation of a RAR archive “Viyskovi_zlochinci_RU.rar” on the computer. The mentioned archive contains a shortcut file “War criminals destroying Ukraine (home addresses, photos, phone numbers, social media pages) .lnk”, the opening of which downloads an HTA file containing VBScript code, which, in its turn, downloads and runs the PowerShell script “get.php” (GammaLoad.PS1). The task of the latter is to determine the unique identifier of the computer (based on the computer name and the serial number of the system disk), transfer this information to the management server via an HTTP POST request for use as an XOR key, and then download, XOR-decode and launch the payload. The activity is associated with the group UAC-0010 (Armageddon). We draw your attention to the need for additional verification of e-mails with attachments in the form of HTM files, because, at present, the level of their detection is low. See the sources (source1, source2)
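The advisory above recommends extra scrutiny of HTM attachments, since an HTML file that writes a RAR archive to disk on opening must carry that archive inside itself. The following triage helper is an added example, not code from CERT-UA or the digest: it looks for long base64 blobs that decode to an archive signature and for the browser APIs a page needs to drop a file, and it runs against a constructed sample attachment (not the real one).

```python
import base64
import re

# Magic bytes of archive formats that HTML attachments are known to smuggle.
ARCHIVE_MAGIC = {b"Rar!\x1a\x07": "RAR", b"PK\x03\x04": "ZIP"}

# A base64 run this long is a file body, not an inline icon or token.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

# Browser APIs an HTML page needs to turn embedded data into a file on disk.
DROP_APIS = (b"new Blob(", b"createObjectURL", b"msSaveOrOpenBlob", b"download=")


def scan_html_attachment(data: bytes) -> dict:
    """Return embedded archives and file-drop APIs found in an HTML attachment."""
    findings = {"archives": [], "drop_apis": [], "long_b64_runs": 0}
    for api in DROP_APIS:
        if api in data:
            findings["drop_apis"].append(api.decode())
    for match in B64_RUN.finditer(data):
        findings["long_b64_runs"] += 1
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for magic, name in ARCHIVE_MAGIC.items():
            if blob.startswith(magic):
                findings["archives"].append(
                    {"type": name, "offset": match.start(), "size": len(blob)})
    # An embedded archive is decisive on its own; drop APIs next to a large
    # blob of unknown format are still worth a human look.
    findings["suspicious"] = bool(findings["archives"]) or (
        bool(findings["drop_apis"]) and findings["long_b64_runs"] > 0)
    return findings


# Constructed sample: a fake RAR5 header padded with zeros, wrapped in the
# kind of self-dropping page the advisory describes. Not the real attachment.
SAMPLE_RAR = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 80
SAMPLE_HTML = (
    b"<html><body><script>\n"
    b"var b='" + base64.b64encode(SAMPLE_RAR) + b"';\n"
    b"var blob=new Blob([Uint8Array.from(atob(b),c=>c.charCodeAt(0))]);\n"
    b"var a=document.createElement('a');a.href=URL.createObjectURL(blob);\n"
    b"a.download='Viyskovi_zlochinci_RU.rar';a.click();</script></body></html>\n"
)

if __name__ == "__main__":
    print(scan_html_attachment(SAMPLE_HTML))
```

Attachments that split or obfuscate the blob will not match the base64 pattern, so treat a clean result as "nothing obvious", not as a verdict.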

Ukraine has standardized the use of Bug Bounty to find bugs and vulnerabilities in programs, applications and sites

The Bug Bounty procedure is widely used worldwide. It involves external experts in the search for errors and vulnerabilities in software products, information and communication systems, and more. This makes it possible to quickly eliminate deficiencies and gaps in security. Even before the war, after the cyber attacks of January 14 on the websites of the state authorities, the State Service of Special Communication drafted a bill to make urgent changes to Ukrainian legislation to legalize the Bug Bounty procedure. In March the Verkhovna Rada of Ukraine voted to amend the Criminal Code of Ukraine. Due to the approved changes, interference in the operation of information, electronic communication, information and communication systems and electronic communication networks will not be considered unauthorized if such interference is made in accordance with the Procedure for searching and identifying potential vulnerabilities of such systems or networks. Currently, the State Service of Special Communication is actively working on the text of the relevant Procedure. “Once approved, we will be able to launch a full-fledged national Bug Bounty system. The IT community will be able to legally test government information systems for vulnerabilities, and the state will receive a tool to significantly increase the level of protection of such systems,” said Yuri Shchigol, the head of the State Service of Special Communication. As for the amount of rewards, this issue is still being discussed. See the source

IN RUSSIA

Most sites of regional and district courts of general jurisdiction of the russian Federation have stopped opening

According to INTERFAX.RU, Moscow, April 4, users cannot open the websites of courts of general jurisdiction under the domain sudrf.ru, which is used by regional and district courts in most regions of russia. The press service of the Krasnoyarsk Regional Court told reporters that “all sites of russian courts are in such a condition”; the reason is unknown. At first, when trying to open any court site, the message “opening is prohibited” appeared together with error code 403, which may occur, for example, due to an incorrect index file or when transferring a domain from one account to another. Later, the sites of some russian courts returned error 502, which occurs when the server the user is connected to acts as an intermediary that relays information from another server and receives an invalid response from it. See the source

IN THE WORLD

Anonymous has released the personal data of 120,000 russian soldiers fighting against Ukraine

The international hacker group Anonymous has leaked the personal data of 120,000 russian servicemen. All of them are taking part in the military aggression against Ukraine. “All soldiers involved in the invasion of Ukraine must be brought to justice for war crimes,” the hackers said in a statement. See the sources (source1)

Armageddon hackers have attacked the state institutions of the European Union, “parasitizing” on humanitarian aid to Ukraine

At the end of March 2022, the Government Team for Response to Computer Emergencies of Ukraine, CERT-UA, discovered several RAR archives named “Assistance.rar” and “Necessary_military_assistance.rar”. Each of these archives contained malicious shortcut files named “List of necessary things for the provision of military humanitarian assistance to Ukraine.lnk” and “Providing military humanitarian assistance to Ukraine.lnk”. In addition, it was found that the delivery method was e-mails with links to the mentioned RAR archives. The use of English in the file names and in the text of the e-mail, as well as the fact that the letter was sent to the Latvian government, clearly indicates UAC-0010 (Armageddon) attacks on government agencies in the European Union. See the source