Tag Archives: Russia

Access to Central Bank is for Sale

A threat actor called ‘4c3’ is selling access to a central bank. The threat actor did not disclose the name of the bank.

The ad was posted today on the exploit.in website. The threat actor did not disclose the name of the bank but gave some details: the bank uses Symantec as its EDR, has around 10k machines, mostly running Windows, and also uses the Flexcube database.

The threat actor claims to be able to provide VPN access to the central bank and a dump of all domain passwords.

The threat actor stated that the name of the bank will not be given publicly and is available only via private chat.

exploit.in is a very popular Russian underground hacking forum.

Russian Threat Actors are Preparing to Attack Azerbaijan

Large-scale cyber attacks against Azerbaijan’s electronic information resources have been prepared.

The Center for Combating Computer Incidents of the State Service of Special Communication and Information Security of Azerbaijan released information about this.

“The Center for Combating Computer Incidents of the Special Communication and Information Security State Service (XRITDX) monitors cyber attacks against our country 24/7 and has successfully prevented DDoS and other types of cyber attacks against state information resources since 03.05.2022.”

“XRITDX calls on state and non-state information resource administrators, as well as our citizens, to be careful and vigilant against phishing attacks.”

Today, posts about Azerbaijan in many Russian Telegram channels attracted attention. They state that the threat actor will attack government targets in Azerbaijan for a few weeks.

Later, the sharing of information about some of Azerbaijan’s airports and important gas station networks in Telegram groups drew attention too.

We will try to share the developments on the subject as soon as possible.

Cisco Licenses on Sale in Russia Illegally

After many companies sanctioned Russia, Cisco announced that it would leave Russia in June. According to CNews, illegal Cisco licenses appeared on sale in Russia after this decision.

According to the report, there are several ways Cisco licenses are used illegally. In some cases a government agency has hacked a Cisco product with the help of an external company. Paying with cryptocurrency was cited as another way of obtaining licenses.

On Sale

Russian integrator Ramek-VS provides a service called UNLIC openly and calls it “the return of the stability of the Cisco infrastructure.”

An example of the service of Ramek-VS

Ramek-VS also guarantees complete confidentiality and the absence of legal risks in the Russian legal field.

As for how this is done technically, one source of these licenses is purely hacking activity. The second method is to register the licenses somewhere in China or Montenegro, not as Russian equipment but as if the equipment were to be used in Montenegro.

Chinese APT Groups are Targeting Russia

SentinelOne reported that it identified Chinese APT groups attacking Russian organizations in several sectors, including telecommunications and government.

The attacks start with phishing emails carrying malicious Office documents that exploit the target in order to deliver the group’s RAT (Remote Access Trojan), Bisonal. The phishing emails spoof RU-CERT, the country’s cybersecurity incident response center.

The documents exploit CVE-2018-0798, a remote code execution vulnerability in Microsoft Office, to install the embedded malware.

On June 22nd, 2022, CERT-UA (Ukraine’s CERT) also publicly shared some of these documents, which were created with a tool called ‘Royal Road’.

Timeline of Royal Road Malicious Documents – Source: http://www.sentinelone.com

Tonto Team APT Group: SentinelOne associated the attack with the Tonto Team. They are a Chinese group first reported around 2013. We have identified that in the past they targeted South Korean national security entities, Japanese chemical organizations, and the Russian government as well.

Malicious Document Example of Related Activity – Source: http://www.sentinelone.com

CVE-2018-0798: This is a stack-based buffer overflow vulnerability in the Microsoft Equation Editor (eqnedt32.exe) in Microsoft Office. It is a high-risk, readily exploitable vulnerability; when exploited, the attacker can remotely execute arbitrary code. We have seen this vulnerability exploited widely in the past.

IoCs of Related Activity:

| IOC | Date | Description |
| --- | --- | --- |
| f599ed4ecb6c61ef2f2692d1a083e3bb040f95e6 | 6/21/2022 | Royal Road Document “Вниманию.doc” |
| cb8eb16d94fd9242baf90abd1ef1a5510edd2996 | 6/16/2022 | Royal Road Document “Вниманию.doc” |
| 41ebc0b36e3e3f16b0a0565f42b0286dd367a352 | 6/15/2022 (Estimate) | Royal Road Document “Анкетирование Агентства по делам государственной службы.rtf” |
| 2abf70f69a289cc99adb5351444a1bd23fd97384 | 6/20/2022 | Royal Road Document “17.06.2022_Протокол_МРГ_Подгруппа_ИБ.doc” |
| supportteam.lingrevelat[.]com | | C2 Domain |
| upportteam.lingrevelat[.]com | | C2 Domain for cb8eb16d94fd9242baf90abd1ef1a5510edd2996 |
| 2b7975e6b1e9b72e9eb06989e5a8b1f6fd9ce027 | 6/21/2022 | Royal Road Document “О_формировании_проекта_ПНС_2022_файл_отображен.doc” |
| a501fec38f4aca1a57393b6e39a52807a7f071a4 | 6/21/2022 | Royal Road Document “замечания таблица 20.06.2022.doc” |
| 415ce2db3957294d73fa832ed844940735120bae | 6/23/2022 | Royal Road Document “Пояснительная записка к ЗНИ.doc” |
| news.wooordhunts[.]com | | C2 Domain for 415ce2db3957294d73fa832ed844940735120bae |
| 137.220.176[.]165 | | IP resolved for C2 domains news.wooordhunts[.]com, supportteam.lingrevelat[.]com, upportteam.lingrevelat[.]com |
| 1c848911e6439c14ecc98f2903fc1aea63479a9f | 6/23/2022 | Royal Road Document “РЭН 2022.doc” |
| 91ca78231bcacab0d5e6194041817b96252e65bf | 5/12/2022 | Phishing Email File |
| f444ff2386cd3ada204c3224463f4be310e5554a | 5/12/2022 | Royal Road Document “Please help to Check.doc” |
| instructor.giize[.]com | | C2 Server for f444ff2386cd3ada204c3224463f4be310e5554a |
Source: http://www.sentinelone.com
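A defender-side check over the network indicators in the table above, added here as an example (not code from the SentinelOne report or the original post). The key=value log format, the field names and the sample log lines are constructed assumptions; only the domains and the IP come from the table.

```python
import ipaddress
import re

# Network indicators copied from the SentinelOne IoC table above (defanged form).
C2_DOMAINS = ["supportteam.lingrevelat[.]com", "upportteam.lingrevelat[.]com",
              "news.wooordhunts[.]com", "instructor.giize[.]com"]
C2_IPS = ["137.220.176[.]165"]

def refang(ioc: str) -> str:
    """Turn a defanged indicator (x[.]y) back into a comparable value."""
    return ioc.replace("[.]", ".").strip().lower().rstrip(".")

DOMAINS = {refang(d) for d in C2_DOMAINS}
IPS = {ipaddress.ip_address(refang(i)) for i in C2_IPS}

# Assumed log format: space-separated key=value pairs (constructed for this example).
KV_RE = re.compile(r"(\w+)=(\S+)")

def domain_matches(name: str) -> bool:
    """True for a listed domain or any subdomain of it; the bare parent
    (e.g. lingrevelat.com) is not on the list and must not match."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in DOMAINS)

def scan_line(line: str) -> list[str]:
    """Return the indicator values this log line touches, in field order."""
    hits, fields = [], dict(KV_RE.findall(line))
    for key in ("query", "host", "sni"):      # DNS query / HTTP host / TLS SNI
        if key in fields and domain_matches(fields[key]):
            hits.append(fields[key].lower().rstrip("."))
    for key in ("dst", "answer"):             # connection target / DNS answer
        try:
            if key in fields and ipaddress.ip_address(fields[key]) in IPS:
                hits.append(fields[key])
        except ValueError:                    # field is not an IP address
            pass
    return hits

def scan_log(lines) -> list[tuple[int, list[str]]]:
    """(line_number, hits) for every line that touches an indicator."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := scan_line(line))]

# Constructed sample log lines for demonstration (not real telemetry).
SAMPLE_LOG = [
    "ts=2022-06-21T09:12:01Z type=dns query=supportteam.lingrevelat.com answer=137.220.176.165",
    "ts=2022-06-21T09:12:02Z type=dns query=www.example.com answer=93.184.216.34",
    "ts=2022-06-21T09:13:40Z type=proxy host=cdn.news.wooordhunts.com dst=137.220.176.165",
    "ts=2022-06-21T09:14:00Z type=dns query=lingrevelat.com answer=203.0.113.9",
]
```

Running scan_log(SAMPLE_LOG) flags lines 1 and 3 only; the lookalike parent domain on line 4 is deliberately not matched, since it is not an indicator on the list.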

Russian Satellite TV Hacked

The Russia-Ukraine war continues in the cyber world at the same pace as on the ground.

Attackers hacked into the broadcasting network of satellite TV channels in Russia.

The incident happened this morning and, according to officials, the attackers added anti-war announcements against the operations in Ukraine at the bottom of the screen.

According to a post on 66.ru, “Our specialists are doing everything possible to resolve the problem as soon as possible. In the near future, everything will be restored,” the company said.

It was stated that several providers were affected by the attack.

GitHub Blocks Russian Accounts

According to the Russian website Habr, at least dozens of accounts have been blocked by GitHub.

Sanctions against Sberbank and Alfa-Bank, the country’s largest private banks, include the freezing of bank assets and a ban on US citizens and companies doing business with them. Under the sanctions, for example, the following GitHub accounts of these two banks have been blocked:

https://github.com/Sberbank-Technology

https://github.com/sberbank-ai-lab

https://github.com/alfa-laboratory

Today, some researchers reported that personal accounts have been blocked too.

How was Ukrtelecom hacked?

One of the largest Ukrainian telecom providers, Ukrtelecom, suffered a powerful attack on March 28, 2022. It is one more incident in the hybrid warfare between Russia and Ukraine, about which we are always trying to keep you informed of the latest developments.

Ukrtelecom’s CIO Kyrylo Honcharuk spoke about the details of the Ukrtelecom attack:

Ukrtelecom as part of Ukraine’s vital information infrastructure is in the focus of hackers’ attention all the time. We’ve been observing the increase in the number of cyberattacks against our infrastructure since the very beginning of the invasion. The attack on March 28 was powerful and sophisticated,

Officials stated that the discovery phase of the attack was launched from Ukrainian territory recently and temporarily occupied by Russian forces. For discovery, the hackers used a compromised account belonging to a company employee.

Once they gained access, the hackers tried to disable Ukrtelecom’s equipment and servers to gain control over its network and equipment. There was also an attempt to change the passwords of employees’ accounts and of the logins used to access equipment and firewalls. In response to the attack, Ukrtelecom temporarily limited access to its services for private and business clients. Network traffic fell to 13% of its regular level. Internet access for clients started to be restored late on March 28, and the following day Ukrtelecom services became available to almost all of its users.

The investigation continues. We have seen several attacks on Ukrainian organizations related to the Russian invasion; however, this attack cannot be attributed to any hacker group. We expect to see more attacks on Ukrainian targets, including government, energy and financial organizations.

Ubuntu Sanctions Against Russia

Another sanctions decision against Russia came from Canonical, which announced that it is cancelling support, professional services, and channel partnerships with Russian enterprises.

In response to the Russian invasion and acts of war in Ukraine, Canonical has sent notice of termination of support, professional services, and channel partnerships with Russian enterprises. We will not resume such engagements while broad and democratically instituted sanctions on Russia remain in place.

We will not restrict access to security patches for Ubuntu users in Russia – free software platforms like Ubuntu, VPN technologies, and Tor, are important for those who seek news and dialogue outside state control. We will direct any Russian subscription income for such maintenance to Ukrainian humanitarian causes.

We are actively supporting all of our colleagues affected by this war to ensure to the greatest degree possible their financial, emotional and physical safety. We are also supportive of colleagues around the world who have joined the effort to help and house victims and refugees.

As a company and a community, we are appalled by the senseless loss of life, and destruction of property and heritage, underway in Ukraine.

Russian Orthodox Church Hacked

Anonymous continues to target Russian government entities and private businesses. Most recently, it was announced that the Russian Orthodox Church’s charitable wing was hacked by the Anonymous group.

The group leaked 15GB of data; however, they offer to share this data only with journalists or researchers.

This week, Thozis Corp. was another victim of Anonymous in Russia. Thozis Corp. is a Russian investment company owned by Zakhar Smushkin. The group stole thousands of internal emails (about 5,500) and shared them.

Sberbank Temporarily Stopped Updates

As sanctions against Russia have gradually increased, we have seen technology companies join these sanctions in large numbers. Meanwhile, cyber attacks against Russia by various threat actors continue at full force. In response to these sanctions and threats, different countermeasures are emerging on the Russian side.

Sberbank, one of the biggest banks in Russia, has temporarily stopped updating software due to the increased risk of device infection.

“We urge users to stop updating software now, and developers to tighten control over the use of external source code. If there is an urgent need to use software, be sure to check all downloaded files with an antivirus, and when using someone else’s source code in your programs, conduct a manual or automated check, including viewing the text of the source code,” Sberbank officials said.

The use of such software can lead to infection of personal and corporate computers, as well as IT infrastructure. The most significant attack of this kind was the SolarWinds case: SolarWinds customers were compromised through an infected update of its Orion software, and the intrusion went undetected for months until Mandiant identified the malicious activity.

These latest events emerging from the war have shown us that there will be big changes in the cyber security industry in the coming days. On the one hand, many large cybersecurity vendors are buying smaller companies; on the other, it seems that countries will concentrate more on local cyber security and even domestic IT product production.