The 25th of May, Cyber News


Invisible front. Ukraine has created a powerful army of 300 IT professionals

«Ukraine has gained unique experience in the use of cyberspace during the war. We have created a fairly powerful IT army. It now has about 300 thousand members. Our state has united Ukrainian and international professionals. All cyber soldiers have joined this mission voluntarily, so I am convinced that cybersecurity is the foundation for the digital state we have been building since the Ministry was founded,» said Mykhailo Fedorov, Minister of Digital Transformation, at the International Diia Summit Brave Ukraine [1].

PrivatBank warns of another fraudulent scheme under the pretext of paying state aid

According to the bank’s security service, on May 23 fraudsters began spreading fake messages on social networks about an urgent «card check» under the pretext of paying state aid. In the message, fraudsters ask customers to «check» their card by following a link to a phishing site that steals financial data. The bank has asked law enforcement agencies to shut down and eliminate this and similar fraudulent resources [2].


RIP Killnet. Anonymous has declared cyber war against russian hackers

The hacker group Anonymous has officially declared cyber war against the russian Killnet hackers who are carrying out cyber attacks against Ukraine. In particular, Anonymous has already taken down the Killnet group’s website. Since the beginning of the war, Anonymous has supported Ukraine, leaked databases from russian structures and hacked their websites [3]. Anonymous also hacked the emails of Killnet members, resulting in a leak of data on the cybercriminals. This information was published by Ukrainian hackers on a specially created site [4].


Bad news from Google. Government hackers in several countries have gained access to Chrome and Android vulnerabilities

Google said hackers from Greece, Serbia, Egypt, Armenia, Spain, Indonesia, Madagascar and Côte d’Ivoire have gained access to four Chrome vulnerabilities and one Android vulnerability. According to the company, Cytrox, a company from North Macedonia, is suspected of the leak. It developed the malicious program Predator, through which hackers from several countries gained access to so-called «zero-day vulnerabilities», that is, software security flaws the developer is unaware of. Google has been tracking these vulnerabilities since 2014 and fixing them where possible. Some of the vulnerabilities Cytrox supplied to the hackers had already been fixed, which means the affected users had not updated their software. Google Threat Analysis Group (TAG) actively tracks more than 30 vendors, of varying sophistication and publicity, who sell exploits or surveillance capabilities to state-backed actors. TAG experts write that the recently leaked vulnerabilities were developed by private companies [5].

Cybercriminals use an executable Eset file to hide the activity of the ArguePatch malware

Eset reports the discovery of an improved version of the malware loader previously used by Sandworm in the Industroyer2 attack on Ukraine’s energy sector. CERT-UA has named the updated loader ArguePatch. It is now used to run CaddyWiper, the data-destroying malware that was used against Ukrainian organizations. The new version of the loader is a patched copy of a legitimate Hex-Rays SA IDA Pro component, namely the remote IDA debug server (win32_remote.exe), with added code that decrypts and runs CaddyWiper from an external file. To hide ArguePatch activity, Sandworm chose an official Eset executable: it was stripped of its digital signature and its code was rewritten. The added code is quite similar in the previous and new versions of the loader, but it now contains a feature to run the next stage of the attack at a set time. This removes the need to configure a scheduled Windows task to run the code, and is probably a way to avoid detection through known TTPs [6].
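The detection angle in this report is that the loader is a vendor executable whose Authenticode signature was stripped. The following is an added example, not code from Eset, CERT-UA or the report itself: it parses a PE file’s security data directory (index 4) and classifies the image as signed, unsigned, or carrying a malformed certificate blob, so that a copy of a known-vendor binary that comes back «unsigned» can be flagged for triage. The sample input is a constructed, header-only PE32+ image built in memory (not a real program), and the function names are my own.

```python
"""Flag PE executables whose Authenticode signature has been stripped.

Added example. The sample image is constructed here so the check runs offline;
this reports whether a signature blob is present and well-shaped, it does not
verify the signature cryptographically.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory index of the Authenticode entry
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType for PKCS#7 SignedData
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def security_directory(data: bytes) -> tuple:
    """Return (file_offset, size) of the security directory, (0, 0) if absent.

    Raises ValueError on anything that is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                               # IMAGE_FILE_HEADER (20 bytes)
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                   # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        num_rva_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        num_rva_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, opt + num_rva_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional:
        raise ValueError("security directory lies outside the optional header")
    # For the security directory the first field is a raw file offset, not an RVA.
    return struct.unpack_from("<II", data, entry)


def signature_state(data: bytes) -> str:
    """Classify a PE as 'signed', 'unsigned' or 'malformed-signature'."""
    offset, size = security_directory(data)
    if size == 0:
        return "unsigned"
    if size < 8 or offset + size > len(data):
        return "malformed-signature"
    length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)  # WIN_CERTIFICATE
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > size:
        return "malformed-signature"
    return "signed"


def build_minimal_pe(with_signature: bool) -> bytes:
    """Constructed header-only PE32+ image used as sample input (not a real program)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE header right after DOS stub
    n_dirs = 16
    size_of_optional = 112 + 8 * n_dirs               # PE32+ fixed part plus 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, size_of_optional, 0x22)
    opt = bytearray(size_of_optional)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, n_dirs)          # NumberOfRvaAndSizes
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    if with_signature:
        # Placeholder WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=0x0002,
        # followed by dummy bytes standing in for the PKCS#7 SignedData blob.
        body = b"\x00" * 24
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        entry = 0x40 + 4 + 20 + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, entry, len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    for label, sample in (("vendor copy", build_minimal_pe(True)),
                          ("stripped copy", build_minimal_pe(False))):
        print(label, "->", signature_state(sample))
```

A result of «unsigned» or «malformed-signature» for a file that carries a vendor’s name and version resource is the trigger to pull the sample; full chain validation still belongs to `signtool verify /pa` or PowerShell’s `Get-AuthenticodeSignature`, since presence of a blob says nothing about who signed it or whether the image hash still matches.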