The 29th of April, Cyber News


Cyber attack of the UAC-0098 group on the state authorities of Ukraine using the Metasploit framework (CERT-UA # 4560)

The government computer emergency response team CERT-UA, which operates under the auspices of the State Service of Special Communications, warns of a new cyber attack on Ukrainian state authorities. This time it is carried out by sending e-mails on the topic «Decree of the President of Ukraine No. 576/22 on unprecedented security measures». The letters carry an attachment in the form of an ISO file with an almost identical title: «Decree of the President of Ukraine No. 151 on unprecedented security measures.iso». The ISO file was found to contain the decoy document «a.docx», the LNK file «DECREE OF THE PRESIDENT OF UKRAINE №151_2022.mp4.lnk», the PowerShell script «z.ps1» and the EXE file «b.exe». If the LNK file is opened, it executes the PowerShell script, which in turn opens the DOCX file and runs «b.exe». As a result, the computer is infected with the Meterpreter malware. Based on the results of the study, the activity is attributed to UAC-0098. In addition, there is reason to believe that this activity is related to the TrickBot group. Details – follow the link
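The chain described above (an ISO attachment holding a shortcut with a double extension, a PowerShell script, an executable and a decoy document) can be caught at the mail gateway before anyone opens it. The following is an added example, not code from CERT-UA or from the original report: it triages the file listing of an extracted attachment and scores how much of that chain is present. The extension classes, the score weights and the verdict thresholds are assumptions made for this example; the sample manifest reuses the file names quoted in the report.

```python
import posixpath

# Extension classes used by the heuristic (assumptions for this example).
SHORTCUT_EXT = {".lnk"}
SCRIPT_EXT = {".ps1", ".vbs", ".js", ".bat", ".cmd"}
EXEC_EXT = {".exe", ".dll", ".scr"}
# Extensions an attacker might put before ".lnk" so the shortcut looks like media or a document.
DISGUISE_EXT = {".mp4", ".avi", ".jpg", ".png", ".pdf", ".docx", ".doc", ".xlsx", ".txt"}

# Constructed sample manifest: the file names listed in the CERT-UA report.
UAC_0098_MANIFEST = [
    "a.docx",
    "DECREE OF THE PRESIDENT OF UKRAINE №151_2022.mp4.lnk",
    "z.ps1",
    "b.exe",
]


def extension_chain(name):
    """Return (inner_ext, outer_ext) of a file name, e.g. ('.mp4', '.lnk')."""
    stem, outer = posixpath.splitext(name.lower())
    _, inner = posixpath.splitext(stem)
    return inner, outer


def triage_manifest(names):
    """Score a list of file names taken from an ISO/archive attachment.

    Returns (score, reasons). A higher score means more of the
    shortcut -> script -> executable chain is present in one container.
    """
    score, reasons = 0, []
    shortcuts, scripts, execs = [], [], []
    for name in names:
        inner, outer = extension_chain(name)
        if outer in SHORTCUT_EXT:
            shortcuts.append(name)
            if inner in DISGUISE_EXT:
                # ".mp4.lnk" is a shortcut dressed up as a video file.
                score += 2
                reasons.append(f"shortcut disguised with double extension: {name}")
        elif outer in SCRIPT_EXT:
            scripts.append(name)
        elif outer in EXEC_EXT:
            execs.append(name)
    if shortcuts:
        score += 1
        reasons.append(f"shortcut file(s) inside attachment: {shortcuts}")
    if scripts:
        score += 1
        reasons.append(f"script file(s) inside attachment: {scripts}")
    if execs:
        score += 1
        reasons.append(f"executable(s) inside attachment: {execs}")
    if shortcuts and scripts and execs:
        # All three stages shipped together is the pattern from the report.
        score += 2
        reasons.append("shortcut + script + executable: matches the LNK -> PowerShell -> EXE chain")
    return score, reasons


def verdict(score):
    """Map a triage score to a gateway action (thresholds are assumptions)."""
    if score >= 4:
        return "quarantine"
    if score >= 2:
        return "review"
    return "allow"


if __name__ == "__main__":
    for manifest in (UAC_0098_MANIFEST, ["report.docx", "notes.txt"]):
        s, why = triage_manifest(manifest)
        print(verdict(s), s, why)
```

The listing would come from mounting or unpacking the ISO in a sandbox; the scoring is deliberately independent of the file contents so it still works when the payload itself is not yet recognised by antivirus.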

Investigation of DDoS attacks carried out through compromised websites using the malicious JavaScript code BrownFlood (CERT-UA # 4553)

The government computer emergency response team CERT-UA, in close cooperation with the National Bank of Ukraine (CSIRT-NBU), has investigated DDoS attacks in which attackers place malicious JavaScript code (BrownFlood) in the web pages and files of compromised websites (mostly running WordPress). As a result, the computing resources of visitors' computers are used to generate an abnormal number of requests to the attack targets, whose URLs are statically defined in the malicious JavaScript code. The malicious JavaScript code can be placed in the main files of the website (HTML, JavaScript, etc.), including in base64-encoded form. Details – follow the link
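A site owner checking whether their WordPress installation has been seeded with this kind of code needs to look past the base64 layer. The following is an added example, not code from CERT-UA or from the BrownFlood investigation: it scans HTML and JavaScript file bodies, decodes any long base64 runs that turn into readable text, and scores the result for the three ingredients the report describes (a request API, a loop or timer, and hard-coded target URLs). The indicator lists, thresholds and the sample files are assumptions constructed for this example; the target URL is a placeholder.

```python
import base64
import re

# Heuristic indicators of browser-side request flooding (assumptions for this example).
REQUEST_APIS = ("fetch(", "XMLHttpRequest", "navigator.sendBeacon", "new Image(")
LOOP_HINTS = ("setInterval(", "setTimeout(", "while(", "while (", "for(", "for (")
URL_RE = re.compile(r"https?://[^\s'\"`)]+")
# A run of 40+ base64 characters is long enough to hold a script fragment.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed sample flooding script: timer-driven requests to a fixed URL.
FLOOD_JS = "setInterval(function(){ fetch('https://target.example/api/') }, 10);"

# Constructed sample site files: one clean page, one with the script hidden in
# base64 behind atob(), and one plain JavaScript file carrying it openly.
SAMPLES = {
    "index.html": "<html><body><h1>Hello</h1><script src='app.js'></script></body></html>",
    "footer.php.html": "<script>eval(atob('"
    + base64.b64encode(FLOOD_JS.encode()).decode()
    + "'))</script>",
    "theme.js": FLOOD_JS,
}


def decode_base64_blobs(text):
    """Yield (blob, decoded_text) for base64 runs that decode to readable text."""
    for match in B64_RE.finditer(text):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            decoded = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            yield blob, decoded


def score_js(js):
    """Count flooding indicators in a JavaScript snippet; return (score, reasons)."""
    score, reasons = 0, []
    if any(api in js for api in REQUEST_APIS):
        score += 1
        reasons.append("request API")
    if any(hint in js for hint in LOOP_HINTS):
        score += 1
        reasons.append("loop or timer")
    urls = sorted(set(URL_RE.findall(js)))
    if urls:
        score += 1
        reasons.append(f"hard-coded URLs: {urls}")
    return score, reasons


def scan_text(text, path="<inline>"):
    """Scan one HTML/JS file body. Returns a list of (path, where, score, reasons)."""
    findings = []
    score, reasons = score_js(text)
    if score >= 3:
        findings.append((path, "plain", score, reasons))
    for blob, decoded in decode_base64_blobs(text):
        score, reasons = score_js(decoded)
        # Script hidden inside base64 is itself suspicious, so a lower bar applies.
        if score >= 2:
            findings.append((path, "base64:" + blob[:12] + "...", score, reasons))
    return findings


def scan_site(files):
    """Scan a {path: content} mapping and return all findings."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_text(content, path))
    return findings


if __name__ == "__main__":
    for finding in scan_site(SAMPLES):
        print(finding)
```

In a real deployment the mapping would be built by walking the web root (theme, plugin and upload directories included), and any finding should be compared against a known-good copy of the file rather than trusted on its own, since legitimate analytics scripts also poll fixed URLs.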

The DOU website is being attacked again

According to a message on the Telegram channel of the DOU editorial board, the problems with the site are caused by DDoS attacks. «It simply came to our notice then. The site is unstable. We apologize,» the statement reads. Details – follow the link

Cyberpolice exposes three residents of Odesa region who misappropriated over UAH 300,000 through phishing

The attackers sent victims links to phishing sites and thus obtained their bank card details. The defendants could face up to 8 years in prison for their actions. Three friends are involved in the scheme. The defendants decided to «earn extra money» and started sending out phishing links. Most of the phishing resources were copies of the sites of banks and advertising platforms, where users entered their bank card details during sales. The phishing resources also mimicked the site of the «Support» program. After receiving payment information, the attackers transferred money to accounts under their control. In this way, they deceived more than 100 citizens and misappropriated more than 300,000 hryvnias. Law enforcement officers searched the perpetrators' homes and seized laptops, mobile phones, bank cards and SIM cards. Details – follow the link

The Volyn online editorial office has already received 10 threatening letters from a russian hacker group

The senders signed as the group NoName057(16). «We, the hacker group NoName057(16), warn you and other representatives of your "media": until you stop the wave of fakes about the russian Federation, we will continue to put your site. You will have to answer for all your crimes according to the law. Think before it's too late,» the letter said. At the same time, it was noted that there were no problems with the site and no DDoS attacks. Details – follow the link



Hackers Anonymous have hacked russia's large power company «Elektrocentromontazh»

Working documents, including technical calculations and letters in which employees complain about sanctions and ask to borrow money, have been leaked online. The hackers released 1.23 million emails totaling 1.7 TB, dating from 2020 to April 2022. The leak consists of the working correspondence of dozens of employees, including the director of the Moscow branch Konstantin Morozov, as well as official documents, invoices, receipts, reports, equipment calculations and production plans. In one of the messages, design engineer Andriy Borysov from the Kostroma branch of Elektrocentromontazh complained that he had been hit by sanctions and asked to borrow 20,000 rubles. Details – follow the link

The electronic trading operator rosseltorg (JSC «Single Electronic Trading Platform») reported a DDoS attack

«Today, all sections of rosseltorg were subjected to a large-scale DDoS attack, which affected the work of the site. Our team is actively working to resolve issues. We will make every effort to restore usability as soon as possible, however, our resources may be unavailable for some time. Despite this, all data of users of our site are under reliable protection». Details – follow the link


A new spyware program gives its operators access to the camera and microphone

ESET warns of new activity by the TA410 cyber-espionage group. According to ESET telemetry, the attackers mainly target the public and educational sectors in various countries. According to the researchers, TA410 consists of 3 distinct subgroups (FlowingFrog, LookingFrog and JollyFrog), which use similar tactics, techniques and procedures but have different tools and goals. One of the malware families used by the attackers is a new version of the FlowCloud backdoor. Most of TA410's targets are prominent diplomatic and educational organizations, but ESET experts have also identified victims in the military sector, a manufacturing company in Japan, a mining company in India and a charity in Israel. Users are infected by exploiting vulnerabilities in Internet-facing applications such as Microsoft Exchange or by sending malicious documents. «This indicates that their attacks are targeted, and the attackers choose the best method to infect a specific target,» said Alexander Kote Sir, ESET researcher. Although the new version of FlowCloud used by the FlowingFrog subgroup is still under development and testing, it has a number of advanced cyber-espionage features. In particular, the malware can intercept mouse clicks, keyboard activity and clipboard contents, as well as information about open windows. Details – follow the link

A hacker has hacked the Deus Finance project and stolen $13.4 million in cryptocurrency

The attacker managed to artificially inflate the value of some assets, borrow funds within the protocol and keep a profit after repaying the loan. Deus allows developers to build financial services on its platform, such as lending, futures and options trading. The hacker borrowed $143 million and was able to withdraw $13.4 million. PeckShield warned that the total loss to the project may be higher. This is the second breach of the protocol in the last two months. In March, an unknown person attacked the project in a similar way and withdrew $3 million. Against the background of another hack, the price of the DEUS project's own token fell by 16% in a day, according to CoinGecko. The altcoin is trading at $502 and has a market capitalization of $47.4 million. Details – follow the link

A record DDoS attack peaking at 15 million requests per second has been recorded

The DDoS attack lasted less than 15 seconds and was launched from a botnet of around 6,000 unique compromised devices. Cloudflare recorded a distributed denial of service (DDoS) attack with a rate of 15.3 million requests per second. Experts have called it one of the largest HTTPS DDoS attacks in history. «HTTPS DDoS attacks are more costly in terms of computing resources due to the higher cost of establishing a secure encrypted TLS connection. Therefore, it is more expensive for the perpetrator to launch the attack, and for the victim to stop it,» said information security experts. Details – follow the link