Tag Archive for: blitz

Russian Sandworm Hackers Linked to New Ransomware Blitz
An infamous Russian state-backed APT group could be behind a new wave of ransomware attacks against Ukrainian targets, according to researchers at ESET.

The security vendor claimed in a series of tweets that it alerted the Ukrainian Computer Emergency Response Team (CERT-UA) about the RansomBoggs variant it discovered targeting several local organizations.

The .NET malware is new, but it is deployed in a similar manner to previous campaigns linked to the Russian military intelligence (GRU) Sandworm group, ESET said.

There are apparently several references to the Pixar movie Monsters, Inc. in the malware.

“The ransom note (SullivanDecryptsYourFiles.txt) shows the authors impersonate James P. Sullivan, the main character of the movie, whose job is to scare kids. The executable file is also named Sullivan.exe and references are present in the code as well,” ESET explained.

“There are similarities with previous attacks conducted by Sandworm: a PowerShell script used to distribute the .NET ransomware from the domain controller is almost identical to the one seen last April during the Industroyer2 attacks against the energy sector.”

That script has been dubbed “PowerGap” by CERT-UA and was also used at the time to deploy the destructive CaddyWiper malware alongside Industroyer2, using the ArguePatch loader.

“RansomBoggs generates a random key and encrypts files using AES-256 in CBC mode (not AES-128 as mentioned in the ransom note), and appends the .chsch file extension. The key is then RSA encrypted and written to aes.bin,” ESET continued.

“Depending on the malware variant, the RSA public key can either be hardcoded in the malware sample itself or provided as argument.”

The vendor also claimed the operation has similarities to a separate ransomware campaign launched last month against Ukrainian and Polish logistics providers using the “Prestige” variant.

“The Prestige campaign may highlight a measured shift in IRIDIUM’s destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine,” Microsoft wrote at the time.

“More broadly, it may represent…


Russia’s Cozy Bear comes out of hiding with post-election spear-phishing blitz

Russian President Vladimir Putin, in St. Petersburg today for the St. Petersburg International Economic Forum, acknowledged that Russian hackers may have interfered in the US election. (credit: Mikhail Svetlov/Getty Images)

Attackers suspected of working for the Russian government masqueraded as a US State Department official in an attempt to infect dozens of organizations in government, military, defense contracting, media, and other industries, researchers from security firm FireEye warned on Monday.

The spear-phishing campaign began last Wednesday. This is almost exactly two years after the Russian hacking group known under a variety of monikers, including APT29 and Cozy Bear, sent a similar barrage of emails that targeted many of the same industries, FireEye said in a blog post. The tactics and techniques used in both post-election campaigns largely overlap, leading FireEye to suspect the new one is also the work of the Russian-government-controlled hacking arm. FireEye researchers Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, and Nick Carr wrote:

Analysis of this activity is ongoing, but if the APT29 attribution is strengthened, it would be the first activity uncovered from this sophisticated group in at least a year. Given the widespread nature of the targeting, organizations that have previously been targeted by APT29 should take note of this activity. For network defenders, whether or not this activity was conducted by APT29 should be secondary to properly investigating the full scope of the intrusion, which is of critical importance if the elusive and deceptive APT29 operators indeed had access to your environment.

“Secure” communications

At least 38 FireEye clients have been targeted so far in the spear-phishing campaign, Carr told Ars. The emails purport to deliver an official US State Department communication from a known public-affairs official at that agency. The messages were designed to appear as a secure communication hosted on a webpage linked to the official’s personal drive. To appear even more legitimate, the message delivers a genuine State Department form.


Biz & IT – Ars Technica