The 21st of July, Cyber News

Ukraine  

Cyber Attack on State Organizations of Ukraine Using the OK Theme «South» and the Malicious Program AgentTesla (CERT-UA#4987)

The government computer emergency response team of Ukraine CERT-UA discovered the file «Report_050722_4.ppt», which contains a thumbnail image that mentions the operational command «South». In the case of opening the document and activating the macro, the latter will ensure the creation of the files «gksg023ig.lnk» and «sgegkseg23mjl.exe», as well as the execution of the LNK file using rundll32.exe, which in turn will lead to the launch of the mentioned EXE file. The executable is a .NET program obfuscated with ConfuserEx that loads the JPEG file «thumb_d_F3D14F4982A256B5CDAE9BD579429AE7.jpg», finds the appropriate offset, decrypts and decompresses the data, and runs the resulting .NET program MCMDiction.exe (compile date: 2022 -07-08). In the future, after a series of transformations (Gzip, AES, base64, XOR), including steganography applications, the malicious stealer program AgentTesla (compilation date: 2022-07-06) will be executed on the computer. Considering the name and content-bait of the PPT-document, we assume that the attack was aimed at the state organizations of Ukraine. ^[1]

The Ukrainian Hacker Was Distributing Information about Companies in Forums Administered in the russian federation

The department said that the man created and was distributing malicious software to steal personal data, log files of logins to computer networks and accounts of banking systems. With the help of hijacker viruses, he obtained remote access to the networks of companies, including foreign ones, and the restricted information circulating in them. The man sold the stolen data in closed hacker forums, which are administered from the territory of the russian federation. During the search of the person’s place of residence, law enforcement officers seized computer equipment, media, bank cards and mobile terminals. ^[2]

russian Hackers Are Collecting Data of Ukrainians Using the Fake Azov Application

Turla, a russian hacking group linked to the FSB, recently hosted an Android app on a domain that mimics the Ukrainian Azov regiment. As Google reported, the application is supposed to attack russian state websites, but in reality it only collects information about Ukrainians. who installed it. This is the first known case of Turla distributing Android-related malware. The program was not distributed through the Google Play Store, but was hosted on a private domain. The application was distributed in messengers and social networks. The fake «Azov» application is distributed under the guise of a program to perform denial-of-service (DoS) attacks against a number of russian sites. However, a «DoS» only consists of a single GET request to the target site, which is not enough to be effective. At the same time, Google believes that the distribution of the fake application did not have a serious impact on Android users and that the number of installations was insignificant. ^[3]

russia 

In russia, the Record for the Duration of DDoS Attacks Was Updated Several Times in the Second Quarter

In addition to increasing the duration of attacks, hackers have become more professional and prepared. According to Kaspersky Lab, the average duration of hacker DDoS attacks in May increased to 57 hours, which is 17 hours more than in April. In June, the duration of the attacks became shorter, but still almost an order of magnitude longer than last year, when the longest attack lasted 6.5 hours. During the quarter, the record for the duration of attacks was renewed several times, which reached almost 29 days in May. According to Kaspersky Lab’s report, the main target of hackers in the second quarter was companies in the financial sector, although their share decreased from 70% in April to 37% in June. At the same time, the share of government organizations among those affected by hacker attacks has sharply increased, accounting for 38% of all DDoS attacks in russia in June. As Oleksandr Gutnikov, a cybersecurity expert at Kaspersky Lab, noted, since the beginning of 2022, the share of participation in DDoS attacks by amateur hackers who express their position has decreased, and the company’s specialists have increasingly begun to detect attacks prepared by professionals. If there is no access to the company’s website, it is not listed in Yandex or any other search engine, or may disappear altogether if it continues for a long time, says Oleksandr Lyamin, founder and CEO of Qrator Labs. In turn, «Yandex» announced that they are retraining the algorithms so that the sites have more time to resume work. According to Ilnaz Gataullin, the head of the analytics group of the IZ:SOC cyber attack monitoring and countermeasures center of the Informzakhist company, a large number of companies are currently doing business on the Internet and at high turnover «even ten minutes of downtime lead to colossal losses». ^[4]

World 

russia’s War Against Ukraine Is Accompanied by a Surge of Cyberattacks in the World – the EU

After the start of the unprovoked and criminal aggression against Ukraine, russia has significantly increased its hostile cyber activities against the EU countries and the whole world, which creates risks of side effects, misunderstandings and escalation of tensions on a global scale. This is stated in the Declaration of the High Representative of the EU on behalf of all the countries of the European Community, which was published on July 19 on the website of the European Council. The declaration states that the EU condemns the cyber attack against Ukraine on January 14, 2022, as well as the attack on the KA-SAT satellite network, for which the russian federation is responsible. «Recent DDoS attacks against several EU member states and partners, which were perpetrated by pro-russian hacker groups, are another example of the increasing level of cyber threats being detected by the EU and its member states. We strongly condemn such unacceptable behavior in cyberspace and express solidarity with all countries that have become victims of such attacks,» the declaration states. EU countries have expressed their intention to investigate and respond to these hostile cyber activities, which are directed against international peace, security and stability, including the security of the European Union and its member states, the security of European democratic institutions, citizens, businesses and civil society. ^[5]

Hackers WereAable to Hack iOS 15 and Presented a Tool for It

Hackers from the cyber group The Odyssey Team said that they managed to create the first jailbreak tool ie. hacking iOS 15. The OS was hacked a year after its release. For comparison, iOS 14 was hacked a week after the presentation. Members of The Odyssey Team reported that they were able to make good progress in developing software for hacking iOS 15 to further customize the system and install the programs the user needs. The tool is called Cheyote. The program will be available to everyone, but still limited – owners of iPhones with versions of iOS 15.0 – 15.1.1 will be able to install it. These updates were released until November 2021. Other users will have to wait. ^[6]