Tag Archives: Attack

How was Ukrtelecom hacked?

One of the largest Ukrainian telecom providers, Ukrtelecom, suffered a powerful attack on March 28, 2022. It was another incident in the hybrid warfare between Russia and Ukraine, which we have been trying to keep you informed about.

Ukrtelecom’s CIO Kyrylo Honcharuk spoke about the details of the Ukrtelecom attack:

Ukrtelecom as part of Ukraine’s vital information infrastructure is in the focus of hackers’ attention all the time. We’ve been observing the increase in the number of cyberattacks against our infrastructure since the very beginning of the invasion. The attack on March 28 was powerful and sophisticated,

Officials said that the discovery phase of the attack was launched from Ukrainian territory that had recently been temporarily occupied by Russian forces. For that discovery the hackers used a compromised account belonging to a company employee.

Once they had access, the hackers tried to disable Ukrtelecom’s equipment and servers in order to take control of its network. There was also an attempt to change the passwords of employee accounts and of the logins used to reach equipment and firewalls. In response, Ukrtelecom temporarily restricted access to its services for private and business customers, and network traffic fell to 13% of its normal level. Internet access for customers began to be restored late on March 28, and the following day Ukrtelecom services were available to almost all users.

The investigation is ongoing. We have seen several attacks on Ukrainian organizations related to the Russian invasion; however, this attack has not yet been attributed to any hacker group. We expect to see more attacks on Ukrainian targets, including government, energy and financial organizations.

Everything About Attack Surface Management

For many years we have been using vulnerability scanners to identify security weaknesses and flaws in our internet-facing environment. A vulnerability scan is an automated process and is critically important for organizations: it shows which vulnerabilities they have that an attacker could use against them.

Despite this success, widespread use and importance, vulnerability scanning has gaps when it comes to managing an organization’s attack surface.

Gaps of Vulnerability Scan

A vulnerability scan is an active scan, so it is risky to run against sensitive assets: it can cause slowness and even interruptions. For critical systems that must operate 24×7 this is a real risk to availability, and it is the biggest hurdle to making the scanning process continuous. The second hurdle is the technique itself: because the scan is active, it takes a long time to cover a wide network. Scans sometimes do not finish in the desired window, schedules slip, and assets go unscanned for long periods. A significant risk remains for vulnerabilities that appear in the time between two scans and for machines newly installed in the DMZ.

For scanning, a scope is defined and that scope is scanned periodically. Everything outside it is left uncovered, which is where shadow IT lives: services that are out of scope for various reasons, or hosted at third-party institutions, remain unscanned. Shadow IT is a very big problem, especially for large organizations.

Vulnerability scanning focuses only on identifying vulnerabilities. Attackers, however, also use other findings about the organization, such as misconfigurations, compromised accounts and third-party connections.

What does attack surface management do differently?

There are already several tools on the internet through which we can check information about our organization: passive subdomain tools, port scanners, certificate and DNS record checkers, and so on. Some of them are free and some are paid services.

Attackers also consult these services in the discovery phase before an attack, so it is very important to check their findings at frequent intervals. However, there are many such tools, and it seems impossible to check all of them every day for all of the organization’s keywords. A keyword here means every term an attacker searches for in the discovery phase, including brand names, applications, web sites, VIP names, and others.

Fundamentally, Attack Surface Management is a passive scanning process built on these free or paid tools already hosted on the internet. Because it is passive, it can run continuously. Using the keywords described above, an Attack Surface Management tool queries all of these sources continuously, and since nothing is sent to the target systems there is no risk to their availability. The trade-off is that passive data is only as fresh and complete as the sources it is collected from, so it complements an active scan rather than replacing it.

Third Party Connections

With developing technology and methods, every company needs to work with many other companies and maintain direct connections with them, and the number of these links grows day by day. This creates a great opportunity for attackers: in recent years attacks over third-party connections have increased, and they mostly succeed. Risk management teams therefore need to monitor third-party risk closely.

Understandably, organizations normally do not let others scan their environment, so it is not possible to actively scan a partner for vulnerabilities before establishing a connection with them. We are left relying on the partner’s own tests and on paperwork. With Attack Surface Management, the partner’s externally visible risks can be identified quickly and without risk to their systems before the connection is created.

What to Expect from Attack Surface Management?

To cover all internet-facing risk, security teams need to know every asset they have, both hosted in their own institution and at third parties. An Attack Surface Management tool should first show all the assets the organization has: subdomains, IP addresses, DNS records, cloud environments, certificates, URIs, and so on, and also all the technologies the organization uses in its DMZ, such as the number of web servers, applications and operating systems.

All these findings are critical for shadow IT. Systems that have been forgotten and left unpatched for a long time create big risks for the organization.

The other important, and maybe the most important, output is the vulnerabilities of the systems. Attack Surface Management tools use sources such as Shodan to investigate vulnerabilities, and unlike a vulnerability scan, Attack Surface Management can also show misconfigurations such as forgotten default IIS or Apache pages, default admin panels, and IIS or Apache misconfigurations. Missing or misconfigured DMARC records or A records can also be important seeds for an attacker’s discovery phase.
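The passive checks described in the two passages above (querying public sources with the organization’s keywords, and surfacing shadow IT and mail-configuration gaps such as DMARC) can be illustrated with a small script. This is an added example, not code from the original post or from any ASM product: the domain example.org, the DNS TXT answers, the certificate-transparency SAN lists and the asset inventory are all constructed sample data, standing in for what a real collector would pull from DNS lookups and CT log queries.

```python
"""Passive attack-surface checks over data a collector has already pulled.

Added example, not code from the original post or from any ASM product.
The domain example.org, the DNS TXT answers, the certificate-transparency
SAN lists and the asset inventory below are all constructed sample data;
a real tool would fill them from DNS lookups and CT log queries.
"""
from dataclasses import dataclass

# Constructed TXT answers as returned by DNS for the assumed domain.
SAMPLE_TXT = {
    "example.org": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.org": ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"],
}
# Constructed SAN lists as they would appear in CT log entries.
SAMPLE_CT_SANS = [
    ["www.example.org", "example.org"],
    ["vpn.example.org", "legacy-admin.example.org"],
    ["*.dev.example.org"],
]
# What the organization believes it owns.
KNOWN_ASSETS = {"www.example.org", "example.org", "vpn.example.org"}


@dataclass
class Finding:
    asset: str
    issue: str
    severity: str


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DMARC record into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(domain: str, txt: dict) -> list:
    records = [r for r in txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not records:
        return [Finding(domain, "no DMARC record: the domain can be spoofed freely", "high")]
    findings = []
    if len(records) > 1:
        findings.append(Finding(domain, "multiple DMARC records: receivers stop policy processing", "high"))
    tags = parse_tags(records[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding(domain, "DMARC p=none: spoofed mail is only reported, not rejected", "medium"))
    elif policy not in ("quarantine", "reject"):
        findings.append(Finding(domain, f"DMARC policy tag missing or invalid: {policy!r}", "high"))
    if "rua" not in tags:
        findings.append(Finding(domain, "DMARC without rua: nobody receives aggregate reports", "low"))
    return findings


def check_spf(domain: str, txt: dict) -> list:
    records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return [Finding(domain, "no SPF record", "high")]
    if len(records) > 1:
        return [Finding(domain, "multiple SPF records: evaluates to permerror", "high")]
    last = records[0].split()[-1].lower()
    if last in ("+all", "all"):
        return [Finding(domain, "SPF ends in +all: every sender passes", "high")]
    if last == "~all":
        return [Finding(domain, "SPF softfail (~all) instead of -all", "low")]
    return []


def shadow_assets(domain: str, ct_sans: list, known: set) -> list:
    """Hostnames certificates were issued for that are missing from the inventory."""
    seen = set()
    for sans in ct_sans:
        for name in sans:
            host = name.lower().lstrip("*.")  # a wildcard still reveals the parent label
            if host == domain or host.endswith("." + domain):
                seen.add(host)
    return sorted(seen - known)


def assess(domain: str, txt: dict, ct_sans: list, known: set) -> list:
    findings = check_dmarc(domain, txt) + check_spf(domain, txt)
    for host in shadow_assets(domain, ct_sans, known):
        findings.append(Finding(host, "certificate issued for a host not in the inventory (shadow IT candidate)", "medium"))
    return findings


if __name__ == "__main__":
    for f in assess("example.org", SAMPLE_TXT, SAMPLE_CT_SANS, KNOWN_ASSETS):
        print(f"[{f.severity}] {f.asset}: {f.issue}")
```

Everything here is read from public data, so running it causes no load on the target systems, which is the point of the passive approach. Against the constructed input it reports the DMARC p=none policy, the SPF softfail, and two hostnames (legacy-admin and dev) that appear in certificates but not in the inventory.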

As noted above, it is critical to scan all of these assets often, preferably every day. Whether the scan can run daily, and how long it takes, are both very important.

The number of sources an Attack Surface Management product uses in its passive scanning is also very important. Do not forget that the main purpose here is to reproduce the attacker’s discovery phase: a vulnerability or misconfiguration that your scans fail to detect but that an attacker can find may lead to very bad results.

Risk Management

For the risk management process, all tasks, including vulnerabilities and misconfigurations, should be tracked regularly. To support this, like other vulnerability management solutions, Attack Surface Management tools should be integrated with the organization’s ticketing system. Through this integration, tasks can be assigned to engineers and tracked in a single system.

TEMP.Zagros in Action

While the world is dealing with the cyber war accompanying the land war between Russia and Ukraine, the Iranian threat group TEMP.Zagros (aka MuddyWater) has been attributed a new wave of attacks targeting Turkey and the Arabian Peninsula, with the goal of deploying remote access trojans (RATs) on compromised systems.

The group has been active since at least May 2017 and has targeted a wide variety of countries and sectors, especially in the Middle East and the Arabian Peninsula. TEMP.Zagros is also believed to be multiple small groups operating independently rather than a single group.

The group was particularly busy in Turkey in January, targeting Turkish private organizations and government institutions with the goal of deploying a PowerShell-based backdoor. Recently the group appears active again with an obfuscated trojan that executes arbitrary code and commands received from its command and control (C2) servers.

For more information about the group’s TTPs:

https://attack.mitre.org/groups/G0069/

Toyota Halts Production due to Cyber Attack

Toyota, the Japanese automobile giant, halted production at all 28 lines of its 14 plants in Japan from March 1, after a “system failure” at a supplier caused problems with its just-in-time production control system.

The supplier in question is KOJIMA INDUSTRIES CORPORATION, which was hit by a cyber attack; it supplies Toyota with several interior and exterior vehicle components.

The automaker is still determining whether it will be able to return to normal operations after Wednesday. “The shutdown will affect production of around 13,000 vehicles, or 4% to 5% of Toyota’s monthly output in Japan,” reports https://asia.nikkei.com.

Toyota also said: “We apologize to our relevant suppliers and customers for any inconvenience this may cause.”

On Monday, an official close to Kojima Industries told Nikkei: “It is true that we have been hit by some kind of cyberattack. We are still confirming the damage and we are hurrying to respond, with the top priority of resuming Toyota’s production system as soon as possible.”

Counterattack to Russia by Ukrainian ‘IT Army’

With attacks on Ukraine increasing day by day, last week Ukraine asked IT professionals to help defend its IT infrastructure and to attack specific targets. In recent days we have seen Anonymous declare its support for Ukraine, as well as several attacks on Russia by volunteers supporting Ukraine.

Ukraine’s Cyberpolice announced that “cyber police and volunteers are now working and attacking the aggressor’s web resources.” These resources include both Russian and Belarusian web sites.

List of blocked resources: sberbank.ru, vsrf.ru, scrf.gov.ru, kremlin.ru, radiobelarus.by, rec.gov.by, sb.by, belarus.by, belta.by, tvr.by.

Ukraine is sharing the latest news on the https://cyberpolice.gov.ua/ website and the @ServiceSsu Twitter account.

Latest News about Russia & Ukraine Cyber War

Before Russian troops entered Ukraine, both the government and companies of Ukraine faced several cyber attacks. While these attacks are expected to spread across the world, the attacks on Ukraine continue. A few days ago, according to Reuters, Ukraine asked hackers to help defend its cyber infrastructure. “The government of Ukraine is asking for volunteers from the country’s hacker underground to help protect critical infrastructure and conduct cyber spying missions against Russian troops, according to two people involved in the project,” Reuters said. “Ukrainian cyber community! It’s time to get involved in the cyber defense of our country,” the post said.

While all this is happening, Anonymous, the international hacking collective, announced that it supports Ukraine and has declared war on Russia. After this statement we saw several Russian government and company websites experiencing issues.

More recently, Ukraine’s Computer Emergency Response Team (CERT-UA) has warned of Belarusian state-sponsored hackers targeting its military personnel in a phishing campaign. “Mass phishing emails have recently been observed targeting private ‘i.ua’ and ‘meta.ua’ accounts of Ukrainian military personnel and related individuals. After the account is compromised, the attackers, by the IMAP protocol, get access to all the messages,” CERT-UA said.

Earlier, in November, Mandiant announced that UNC1151 was assessed with high confidence to have links to the Belarusian government. UNC is Mandiant’s naming for threat actors under investigation that have not yet been matched to an existing group. Ukraine now blames the UNC1151 group for these attacks.

“UNC1151 has targeted a wide variety of governmental and private sector entities, with a focus in Ukraine, Lithuania, Latvia, Poland, and Germany,” Mandiant researchers said in the report. “The targeting also includes Belarusian dissidents, media entities, and journalists.”

In another statement on the subject, the threat actors behind Conti ransomware posted a warning on Friday “officially announcing a full support of Russian government.” Previously, Mandiant had stated that “at least a portion of actors involved with Conti ransomware are based in Russia”. As in the past, it seems that the Russian government is taking advantage of their talents.

What is CONTI?

CONTI is a Windows ransomware family that has been in use in recent years; a Linux version was later encountered as well. Many different people using this ransomware have been seen on Russian-language forums.

Anonymous vs. Russia

Anonymous, the international hacking collective, has declared war on Russia and conducted cyber attacks against several organizations, including government bodies. The “YourAnonNews” Twitter account declared the war on Twitter on Thursday.

Ukrainian organizations had been under attack for a while, and with this the cyber warfare has become two-sided. “We want the Russian people to understand that we know it’s hard for them to speak out against their dictator for fear of reprisals,” the decentralized hacking collective said.

After this declaration, the same account posted information about several attacks, including on RT News (rt.com) and ISPs in Russia.

Cyber attacks are expected to continue on both sides and to spread across the world. This move by Anonymous is one of the clearest signs of that.

Will Cyber Attacks Spread from Ukraine to the Whole World?

Russian troops have entered Ukraine, and the whole world is watching with surprise and sadness. Before the invasion, numerous Ukrainian organizations were hit with sophisticated new disk-wiping malware. Mandiant tracks this threat as ‘NEARMISS’ and ESET as ‘HermeticWiper’, and they reported finding traces of the malware on hundreds of systems in Ukraine. According to its statement, ESET observed the first sample around 14:52 UTC on 23 February. “The PE compilation timestamp of one of the sample is 2021-12-28, suggesting that the attack might have been in preparation for almost two months,” ESET explained.

According to researchers, the malware was deployed against organizations in several industries in Ukraine and is designed solely to damage the Master Boot Record (MBR) on Windows systems, making them unbootable once compromised. According to several reports, the malware does not contain any propagation functionality. The attackers used a genuine code-signing certificate issued to a Cyprus-based company called Hermetica Digital Ltd., hence the wiper’s name (MD5: 94bc2ff3969d9775de508e1181318deb).

In January, Microsoft reported similar malware targeting organizations in Ukraine; it too was designed to overwrite and destroy the MBR.

Currently, while the invasion continues, the cyber attacks continue too, and most of the world stands against Russia over these attacks. Sanctions against Russia are increasing, and in this situation it is easy to see that other nations may become targets of these cyber attacks. “Russia and its allies will conduct cyber espionage, information operations, and disruptive cyber attacks during this crisis. Though cyber espionage is already a regular facet of global activity, as the situation deteriorates, we are likely to see more aggressive information operations and disruptive cyber attacks within and outside of Ukraine,” Mandiant says.

All organizations and security teams should be aware of these threats. Events and incidents should be followed closely, and we should work with strong intelligence services that closely monitor threat groups in order to follow the situation more closely.

IoCs:

MD5 – 84ba0197920fd3e2b7dfa719fee09d2f

SHA-1 – 912342f1c840a42f6b74132f8a7c4ffe7d40fb77

SHA-256 – 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da

MD5 – 3f4a16b29f2f0532b7ce3e7656799125

SHA-1 – 61b25d11392172e587d8da3045812a66c3385451

SHA-256 – 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

Turning to White

As we read in the details at TheRecord.media, an attacker abused a vulnerability in a cryptocurrency platform and stole crypto-assets worth $322.8 million at the time of the theft. The news is covered in detail there, so we will not repeat the details here.

But the interesting thing is that the cryptocurrency platform, Wormhole, is now offering the hacker a proposal: a $10 million reward in exchange for taking the white-hat side. It may also mean that they will not file a criminal complaint against the attacker.

This is an interesting situation for many reasons. First, does that unilateral contract mean the attacker can no longer be blamed, as TheRecord.media asked in its post? Cyber attacks should be treated as a public offense, and even if the attacker agrees to the proposal, that does not mean they will never do the same to another organization. The cyber world is just like the real world, or at least it should be: even if you forgive a thief who stole your property, the thief is still punished, and the same should be true for cyber crime. This incident should be treated as a public crime.

Looking at the situation from the attacker’s side, it is not easy to live without leaving a trace, especially if the attacker continues similar actions. Given that they have stolen a large amount of money and may now retire, with a good plan both during and after the attack, accepting the victim’s proposal makes little sense. Even if they accept, as mentioned above, it does not mean they will not be punished for this crime. Setting aside the huge amount they stole, accepting the $10 million would very likely still come with punishment.

Whichever way you look at it, this offer does not make much sense. But it is still worth a try. We eagerly await the attacker’s response to this offer, and we are also curious about your comments on this subject.

Passwordstate Password Manager Supply Chain Attack

Click Studios has notified customers of its Passwordstate password management application to reset their passwords. The reason given for the reset is a supply chain attack: bad actors used sophisticated techniques to compromise the software’s update mechanism and used it to drop malware on user computers.

According to the company’s announcement, “any in-place upgrades performed between 20th April 8:33 PM UTC and 22nd April 0:30 AM UTC have the potential to download a malformed Passwordstate_upgrade.zip. This .zip file was sourced from a download network not controlled by Click Studios.”

The company published an Incident Management Advisory on 24th April 2021, 12:38 PM (Australian CDT), describing the process it will follow and explaining to customers that this advisory is the only authorized channel for further updates on the incident.

Passwordstate is an on-prem, web-based enterprise password management solution used by about 29,000 customers, including several Fortune 500 companies.
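The failure described in this post is an upgrade package fetched from a download network the vendor did not control. A basic control an update client (or an operator applying an in-place upgrade by hand) can apply is to refuse any archive that does not come from an allowlisted vendor host over TLS, and whose digest does not match a value obtained out-of-band. The script below is an added example, not Click Studios’ code: the advisory tells us nothing about Passwordstate’s real update mechanism beyond the file name, so the trusted host updates.vendor.example, the pinned digest and the sample archive bytes are all assumptions constructed for this example.

```python
"""Gate an update package on its download origin and a pinned digest.

Added example, not Click Studios' code. The advisory only tells us that a
malformed Passwordstate_upgrade.zip was served from a download network
the vendor did not control; the trusted host name, the pinned digest and
the sample archive bytes below are all assumptions constructed here.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Assumption: the vendor serves updates from exactly this host, over TLS.
TRUSTED_UPDATE_HOSTS = {"updates.vendor.example"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def origin_allowed(url: str) -> bool:
    """Accept only https URLs whose host is on the vendor allowlist, so a
    redirect or CDN swap to a host the vendor does not control is refused."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_UPDATE_HOSTS


def verify_update(url: str, archive: bytes, pinned_sha256: str) -> tuple:
    """Return (ok, reason). The archive may be installed only if it came from
    a trusted origin AND its digest equals the value obtained out-of-band
    (for example from the vendor's signed release notes), so a file swapped
    on the download path fails even when the URL looks right."""
    if not origin_allowed(url):
        return False, f"untrusted origin: {urlparse(url).hostname}"
    actual = sha256_hex(archive)
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(actual, pinned_sha256.lower()):
        return False, f"digest mismatch: expected {pinned_sha256}, got {actual}"
    return True, "ok"


# Constructed sample archive (a zip local-file-header signature followed by
# filler) standing in for Passwordstate_upgrade.zip.
GOOD_ARCHIVE = b"PK\x03\x04" + b"\x00" * 26 + b"upgrade/README.txt" + b"constructed payload"
# An operator would pin this value from the vendor's release notes; it is
# derived from the sample here only so the example is self-contained.
PINNED_DIGEST = sha256_hex(GOOD_ARCHIVE)
# The same bytes with the last byte changed: what a tampered mirror would serve.
TAMPERED_ARCHIVE = GOOD_ARCHIVE[:-1] + b"!"

if __name__ == "__main__":
    for url, body in [
        ("https://updates.vendor.example/Passwordstate_upgrade.zip", GOOD_ARCHIVE),
        ("https://updates.vendor.example/Passwordstate_upgrade.zip", TAMPERED_ARCHIVE),
        ("https://cdn.third-party.example/Passwordstate_upgrade.zip", GOOD_ARCHIVE),
    ]:
        print(url, verify_update(url, body, PINNED_DIGEST))
```

The origin check alone would not have helped if the attacker had tampered with the vendor’s own CDN, which is why the digest (or better, a signature over the archive verified with a key shipped with the previous release) is the check that actually carries the trust; the allowlist just cuts off the cheapest redirection attacks.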