Tag Archive for: linked

Hacker Group Linked to Russian Military Claims Credit for Cyberattack on Kyivstar

Over nearly a decade, the hacker group within Russia’s GRU military intelligence agency known as Sandworm has launched some of the most disruptive cyberattacks in history against Ukraine’s power grids, financial system, media, and government agencies. Signs now point to that same usual suspect being responsible for sabotaging a major mobile provider for the country, cutting off communications for millions and even temporarily sabotaging the air raid warning system in the capital of Kyiv.

On Tuesday, a cyberattack hit Kyivstar, one of Ukraine’s largest mobile and internet providers. The details of how that attack was carried out remain far from clear. But it “resulted in essential services of the company’s technology network being blocked,” according to a statement posted by Ukraine’s Computer Emergency Response Team, or CERT-UA.

Kyivstar’s CEO, Oleksandr Komarov, told Ukrainian national television on Tuesday, according to Reuters, that the hacking incident “significantly damaged [Kyivstar’s] infrastructure [and] limited access.”

“We could not counter it at the virtual level, so we shut down Kyivstar physically to limit the enemy’s access,” he continued. “War is also happening in cyberspace. Unfortunately, we have been hit as a result of this war.”

The Ukrainian government hasn’t yet publicly attributed the cyberattack to any known hacker group—nor have any cybersecurity companies or researchers. But on Tuesday, a Ukrainian official within its SSSCIP computer security agency, which oversees CERT-UA, pointed out in a message to reporters that a group known as Solntsepek had claimed credit for the attack in a Telegram post, and noted that the group has been linked to the notorious Sandworm unit of Russia’s GRU.

“We, the Solntsepek hackers, take full responsibility for the cyber attack on Kyivstar. We destroyed 10 computers, more than 4 thousand servers, all cloud storage and backup systems,” reads the message in Russian, addressed to Ukrainian president Volodymyr Zelenskyy and posted to the group’s Telegram account. The message also includes screenshots that appear to show access to Kyivstar’s network, though this could not be verified. “We attacked Kyivstar…


New MacOS Malware Linked to North Korean Hackers

A new macOS malware probably used by North Korean hackers to target crypto exchanges has been found by security firm Jamf. The group behind the malware is thought to be the same group behind the recently reported KandyKorn malware.

In its report on KandyKorn, Kaspersky describes the group as ‘Lazarus’, an overarching term for North Korean hackers. Jamf describes this group as BlueNoroff, a specific group within Lazarus that is “financially motivated, frequently targeting cryptocurrency exchanges, venture capital firms, and banks.”

The new malware is tracked by Jamf as ObjCShellz and is believed to be part of what has been called the RustBucket Campaign. The researchers suspect it is a late stage part of a multi-stage malware attack. “It’s a rather simplistic remote shell,” explains Jaron Bradley, director of Jamf Threat Labs, “but effective.” It allows the attacker to deliver macOS instructions from a C2 server and collect the responses. The malware can do almost everything the user can do on the Mac, but in the background.

Jamf was not able to explore the specific intentions of the attackers with this malware, because the C2 server (located at ‘swissborg[.]blog’) was taken offline as soon as the researchers probed for more information. This is not unusual: attackers often stand down an IP to prevent investigation, only to stand it up again at some future date.

However, a possible alternative reason for taking the server offline is that the malware has already succeeded in its task. “Once they have finished the attack,” commented Bradley, “they take the server offline to prevent researchers gaining any extra insight into what is actually going on.”

The address of the C2 server is hardcoded within the malware. The malware could be reused as part of a different spear-phishing attack simply by changing the C2 link to a different lookalike domain name.

A slightly unusual feature is evident in this malware: it logs the victim server’s responses to the malware commands – both successes and failures. “The choice to log these activities is intriguing, as attackers crafting sophisticated malware typically omit any statements that might leave…


Jamf uncovers new Mac malware linked to known hacking group

Jamf finds a new strain of malware

Jamf Threat Labs has discovered a new malware strain that appears to be connected to BlueNoroff, a group that often attacks businesses in the financial sector.

The discovery came about during Jamf’s regular security checks. They found software for Mac computers secretly connecting to a known malicious internet domain, although Jamf didn’t mention a particular program that Mac users should be aware of.

What made the find particularly intriguing was that this software was not recognized as a threat by VirusTotal, a popular website used to check suspicious files, at the time Jamf uploaded it.

The program is cleverly disguised, using a digital signature that initially appears legitimate. It communicates with a server that, while appearing to be associated with a legitimate cryptocurrency platform, is controlled by the attackers.

BlueNoroff signature move

The method of operation aligns with the BlueNoroff group’s established strategies. These typically involve creating counterfeit domains that mirror reputable companies, which helps them evade detection and entice their targets.

The fraudulent domain was set up in late May 2023, and the malware uses it to send and receive information. Jamf’s analysis revealed that while they were investigating, the server behind the domain stopped responding, possibly because the attackers became aware of the scrutiny.

Further analysis by Jamf indicated that the malware was designed using Objective-C, a programming language used for Mac software. The malware acts like a remote control for the infected computer, allowing the attackers to send commands and control the system after they have breached it.

Upon activation, the malware sends a signal to the attacker-controlled domain, disguising its communications as regular internet traffic. It also collects and sends information about the infected computer, such as the version of the macOS operating system it is running.

Despite its simplicity, the malware is effective and aligns with BlueNoroff’s approach of…


Boeing ‘Sensitive Data’ Reportedly Stolen by Ransomware Group Linked to Russia

A hacking group called LockBit claimed Friday that it had infiltrated Boeing Co. and stolen sensitive information from the aerospace giant.

The group, which has been linked to Russia, set a Nov. 2 deadline for Boeing to contact it, otherwise threatening to publish “all available data,” Cybernews reported, citing a LockBit “dark leak” website.

“We are assessing this claim,” a Boeing spokesman said in an email to The Messenger.

Beyond its commercial aircraft business, Boeing is a major defense contractor, selling everything from weapons to satellites to fighter jets to the U.S. and allied governments. The Pentagon referred questions on the matter to Boeing.
