A threat actor called ‘4c3’ is selling access to a central bank. The threat actor did not disclose the name of the bank.
The ad was posted today on the exploit.in website. The threat actor did not disclose the name of the bank but gave some details: the bank has Symantec as its EDR, has around 10k machines, mostly running Windows, and also uses the Flexcube database.
The threat actor claims that he/she can provide VPN access to the central bank and a full dump of the domain passwords.
The threat actor announced that he/she will not give the name of the bank publicly and will share it only via private chat.
exploit.in is a very popular Russian underground hacking forum.
Large-scale cyber attacks against the electronic information resources of Azerbaijan have been prepared.
The Center for Combating Computer Incidents of the State Service of Special Communication and Information Security of Azerbaijan released information about this.
“The Center for Combating Computer Incidents of the Special Communication and Information Security State Service (XRITDX) monitors cyber attacks against our country 24/7 and has been successfully preventing DDoS and other types of cyber attacks against state information resources since 03.05.2022.”
“XRITDX calls on state and non-state information resource administrators, as well as our citizens, to be careful and vigilant against phishing attacks.”
Today, posts about Azerbaijan in many Russian Telegram channels attracted attention. They mention that the threat actor will attack government targets in Azerbaijan for a few weeks.
Later, the sharing of information about some of Azerbaijan’s airports and important gas station networks in Telegram groups also drew attention.
We will try to share the developments on the subject as soon as possible.
After many companies imposed sanctions on Russia, Cisco announced that it would leave Russia in June. According to CNews, illegal Cisco licenses appeared for sale in Russia after this decision.
It is mentioned that there are several methods of using Cisco licenses illegally. There are cases in which a government agency hacked a Cisco product with the help of an external company. It was stated that cryptocurrency is another method for obtaining licenses.
Russian integrator Ramek-VS provides a service called UNLIC openly and calls it “the return of the stability of the Cisco infrastructure.”
Ramek-VS also guarantees complete confidentiality and the absence of legal risks in the Russian legal field.
As for how this is done technically, one source of these licenses is purely hacking activity. The second method is registering these licenses somewhere in China or Montenegro, not as Russian equipment, but as if they were to be used in Montenegro.
SentinelOne reported that it identified Chinese APT groups attacking Russian organizations in several sectors, such as telecommunications and government.
The attacks start with phishing emails containing Office documents that exploit the targets in order to deliver a RAT (Remote Access Trojan) called Bisonal. These phishing emails spoof RU-CERT, the country’s cybersecurity incident response center.
The documents exploit CVE-2018-0798, a remote code execution vulnerability in Microsoft Office, to install the embedded malware.
On June 22nd 2022, CERT-UA, Ukraine’s CERT, also publicly shared some of these documents, which were created with a tool called ‘Royal Road’.
Tonto Team APT Group: SentinelOne attributed the attack to the Tonto Team. They are a Chinese group first reported around 2013. We have identified that in the past they targeted South Korean national security entities, Japanese chemical organizations, and also the Russian government.
CVE-2018-0798: This is a stack-based buffer overflow vulnerability in the Microsoft Equation Editor (eqnedt32.exe) in Microsoft Office. It is a high-risk and readily exploitable vulnerability; when exploited, the attacker can remotely execute arbitrary code. We have seen this vulnerability exploited widely in the past.
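As an added defensive example (not from SentinelOne, CERT-UA or the original post), the Python script below is a triage heuristic for RTF lures of the kind described above: it flags Equation Editor OLE objects, including the \objupdate trick and class names hidden inside \objdata hex rather than declared in \objclass, which are the hallmarks of documents abusing eqnedt32.exe. The sample RTF is constructed for the demo and is not a real Royal Road document.

```python
import re
from typing import List

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} in the little-endian
# byte order used inside OLE storages (Data1/Data2/Data3 byte-swapped, Data4 as-is).
EQUATION_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")

def _group_body(rtf: str, start: int) -> str:
    """Return the contents of the RTF group whose '{' is at rtf[start] (brace-balanced)."""
    depth, i = 0, start
    while i < len(rtf):
        c = rtf[i]
        if c == "\\":            # skip escaped characters such as \{ and \}
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return rtf[start + 1:i]
        i += 1
    return rtf[start + 1:]      # unterminated group: take the rest of the file

def scan_rtf(rtf: str) -> List[str]:
    """Heuristic triage of an RTF lure: returns the Equation Editor indicators found."""
    findings = []
    if re.search(r"\\objclass\s*Equation\.\d", rtf, re.IGNORECASE):
        findings.append("objclass:Equation")
    if "\\objupdate" in rtf:     # forces the OLE object to load when the document opens
        findings.append("objupdate")
    for m in re.finditer(r"\{\\\*\\objdata", rtf):
        body = _group_body(rtf, m.start())
        body = re.sub(r"\\[a-zA-Z]+-?\d* ?", "", body)   # drop interleaved control words
        hexdata = re.sub(r"[^0-9a-fA-F]", "", body)       # keep only the hex payload
        blob = bytes.fromhex(hexdata[: len(hexdata) & ~1])
        if b"Equation" in blob:                           # OLE1 class name, e.g. "Equation.3"
            findings.append("objdata:Equation-class-name")
        if EQUATION_CLSID_LE in blob:                     # OLE2 storage carrying the CLSID
            findings.append("objdata:Equation-CLSID")
    return findings

# Constructed sample, not a real Royal Road document: the class is declared as "Package"
# to defeat \objclass-only checks, but the OLE1 header inside \objdata still names Equation.3.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Package}"
    r"{\*\objdata 01050000020000000b000000" "\n"
    r"4571756174696f6e2e33000000000000000000}}}"
)
BENIGN_RTF = r"{\rtf1\ansi Quarterly report\par}"

if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))   # ['objupdate', 'objdata:Equation-class-name']
    print(scan_rtf(BENIGN_RTF))   # []
```

The control-word stripping is deliberately simple; a control word immediately followed by hex digits can still misalign the decoded stream, so treat a miss as "unknown", not "clean".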
IoCs of Related Activity:
6/21/2022 Royal Road Document “Вниманию.doc”
6/16/2022 Royal Road Document “Вниманию.doc”
6/15/2022 (Estimate) Royal Road Document “Анкетирование Агентства по делам государственной службы.rtf”
6/20/2022 Royal Road Document “17.06.2022_Протокол_МРГ_Подгруппа_ИБ.doc”
C2 Domain for cb8eb16d94fd9242baf90abd1ef1a5510edd2996
6/21/2022 Royal Road Document “О_формировании_проекта_ПНС_2022_файл_отображен.doc”
6/21/2022 Royal Road Document “замечания таблица 20.06.2022.doc”
6/23/2022 Royal Road Document “Пояснительная записка к ЗНИ.doc”
C2 Domain for 415ce2db3957294d73fa832ed844940735120bae
IP Resolved for C2 Domains: news.wooordhunts[.]com, supportteam.lingrevelat[.]com, upportteam.lingrevelat[.]com
6/23/2022 Royal Road Document “РЭН 2022.doc”
5/12/2022 Phishing Email File
5/12/2022 Royal Road Document “Please help to Check.doc”
C2 Server for f444ff2386cd3ada204c3224463f4be310e5554a
According to the Russian website Habr, at least dozens of accounts have been blocked by GitHub.
Sanctions against Sberbank and Alfa-Bank, the country’s largest private banks, include freezing the banks’ assets and banning US citizens and companies from doing business with them. Under the sanctions, as an example, the GitHub accounts of these two banks have been blocked:
One of the largest Ukrainian telecom providers, Ukrtelecom, suffered a powerful attack on March 28, 2022. It was one more incident in the hybrid warfare between Russia and Ukraine, about which we always try to keep you informed of the latest developments.
Ukrtelecom’s CIO Kyrylo Honcharuk spoke about the details of the Ukrtelecom attack:
“Ukrtelecom as part of Ukraine’s vital information infrastructure is in the focus of hackers’ attention all the time. We’ve been observing the increase in the number of cyberattacks against our infrastructure since the very beginning of the invasion. The attack on March 28 was powerful and sophisticated,”
Officials mentioned that the discovery phase of the attack was launched from Ukrainian territory recently and temporarily occupied by the Russians. For discovery, the hackers used a compromised account of a company employee.
Once they gained access, the hackers tried to disable Ukrtelecom’s equipment and servers to gain control over its network and equipment. There was also an attempt to change the passwords of employee accounts and of the logins used to access equipment and firewalls. Because of the attack, Ukrtelecom temporarily limited access to its services for private and business clients. Traffic in the network fell to 13% of the network’s regular level. Internet access for clients started to be restored late on March 28, and the following day Ukrtelecom services became available to almost all its users.
The investigation continues. We have seen several attacks on Ukrainian organizations related to the Russian invasion; however, this attack cannot be attributed to any hacker group. We expect to see more attacks on Ukrainian targets, including government, energy and financial organizations.
Another sanction decision against Russia came from Canonical. Canonical announced that it is cancelling support, professional services, and channel partnerships with Russian enterprises.
“In response to the Russian invasion and acts of war in Ukraine, Canonical has sent notice of termination of support, professional services, and channel partnerships with Russian enterprises. We will not resume such engagements while broad and democratically instituted sanctions on Russia remain in place.
We will not restrict access to security patches for Ubuntu users in Russia – free software platforms like Ubuntu, VPN technologies, and Tor, are important for those who seek news and dialogue outside state control. We will direct any Russian subscription income for such maintenance to Ukrainian humanitarian causes.
We are actively supporting all of our colleagues affected by this war to ensure to the greatest degree possible their financial, emotional and physical safety. We are also supportive of colleagues around the world who have joined the effort to help and house victims and refugees.
As a company and a community, we are appalled by the senseless loss of life, and destruction of property and heritage, underway in Ukraine.”
Anonymous continues to target Russian government entities and private businesses. Most recently, it was announced that the Russian Orthodox Church’s charitable wing was hacked by the Anonymous group.
The group leaked 15GB of data; however, they offer to share this data only with journalists or researchers.
This week, Thozis Corp. was another victim of Anonymous in Russia. Thozis Corp. is a Russian investment company owned by Zakhar Smushkin. The group stole thousands of internal emails (about 5,500) and shared them.
As the sanctions against Russia gradually increased, we saw that technology companies also participated in these sanctions to a large extent. Meanwhile, cyber attacks against Russia by different threat actors continue in full force. Against these sanctions and threats, different measures stand out on the Russian side.
Sberbank, one of the biggest banks in Russia, has temporarily stopped updating software due to the increased risk of device infection.
“We urge users to stop updating software now, and developers to tighten control over the use of external source code. If there is an urgent need to use software, be sure to check all downloaded files with an antivirus, and when using someone else’s source code in your programs, conduct a manual or automated check, including viewing the text of the source code,” Sberbank officials said.
The use of such software can lead to the infection of personal and corporate computers, as well as IT infrastructure. The most notable attack of this kind was the SolarWinds case: SolarWinds customers were hacked through an infected update of its Orion software, and the compromise went undetected for months until Mandiant identified the malicious code.
These latest events, which emerged with the war, showed us that there will be big changes in the cyber security industry in the coming days. On the one hand, many large cybersecurity vendors are buying smaller companies; on the other, it seems that countries will concentrate more on local cyber security and even local IT product production.