Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Fancy Bear. Show all posts

Microsoft Alerts Users as Russian Hackers Target Windows Systems

 

As advancements in AI technology continue to unfold, the specter of cybercrime looms larger each day. Among the chorus of cautionary voices, Microsoft, the eminent IT behemoth, adds its warning to the fray.

Microsoft's Threat Intelligence researchers have issued a stark advisory to Windows users regarding the targeted assaults orchestrated by Russian state-sponsored hackers wielding a sophisticated tool.

These hackers, known in some circles as APT28 or Fancy Bear, but tracked by Microsoft under the moniker Forest Blizzard, have close ties to Russia's GRU military intelligence agency.

GooseEgg, a tool wielded with the aim of siphoning data and surreptitiously establishing backdoors within computer systems. Forest Blizzard, alias APT28, has deployed GooseEgg in a series of calculated strikes targeting governmental entities, educational institutions, and transportation firms across the United States, Western Europe, and Ukraine.

Their modus operandi centers predominantly on the strategic acquisition of intelligence. Evidence suggests that the utilization of GooseEgg may have commenced as early as June 2020, with the possibility of earlier incursions dating back to April 2019.

In response to the threat landscape, a patch addressing a vulnerability identified as CVE-2022-38028 was released by Microsoft in October 2022. GooseEgg, the nefarious tool in the hackers' arsenal, exploits this particular weakness within the Windows Print Spooler service.

Despite its deceptively simple appearance, the GooseEgg program poses an outsized threat, granting attackers elevated permissions and enabling a litany of malicious activities. From the remote execution of malware to the surreptitious installation of backdoors and the seamless traversal of compromised networks, the ramifications are profound and far-reaching.

FancyBear: Hackers Use PowerPoint Files to Deliver Malware

 

FancyBear: Hackers Use PowerPoint Files to Deliver Malware Cluster25 researchers have recently detected a threat group, APT28, also known as FancyBear, and attributed it to the Russian GRU (Main Intelligence Directorate of the Russian General Staff). The group has used a new code execution technique that uses mouse movement in Microsoft PowerPoint, to deliver Graphite malware.
 
According to the researchers, the threat campaign has been actively targeting organizations and individuals in the defense and government organizations of the European Union and East European countries. The cyber espionage campaign is believed to be still active.
 

Methodology of Threat Actor

 
The threat actor allegedly entices victims with a PowerPoint file claiming to be associated with the Organization for Economic Cooperation (OECD).
 
This file includes two slides, with instructions in English and French to access the translation feature in zoom. Additionally, it incorporates a hyperlink that plays a trigger for delivering a malicious PowerShell script that downloads a JPEG image carrying an encrypted DLL file.
 
The resulting payload, Graphite malware is in Portable Executable (PE) form, which allows the malware operator to load other malwares into the system memory.
 
“The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications.” States Cluster25, in its published analysis.
 
The aforementioned Graphite malware is a fileless malware that is deployed in-memory only and is used by malware operators to deliver post-exploitation frameworks like Empire. Graphite malware’s purpose is to allow the attacker to deploy other malwares into the system memory.
 
 
Based on the discovered metadata, according to Cluster25, the hackers have been preparing for the cyber campaign between January and February. However, the URLs used in the attacks were active in August and September.
 
With more hacker groups attempting to carry out such malicious cyber campaigns, the government and private sectors must deploy more powerful solutions to prevent future breaches and cyber attacks to safeguard their organizations.

Ukraine: DDoS Attacks on State Websites Continue

 

Since February 23, some Ukrainian government websites have been subjected to DDoS attacks: web resources of the Ministry of Defense, the Verkhovna Rada of Ukraine, the Ministry of Foreign Affairs and others have suffered interruptions. 

The Insider publication (the organization is included in the list of foreign agents by the Ministry of Justice of Russia), referring to the data of the independent cyber analyst Snorre Fagerland, stated that the hacker group ART23 (Fancy Bear), which is attributed to links with the Main Intelligence Directorate of the Russian Federation, was behind the attacks. 

However, Igor Bederov, head of the Information and Analytical Research Department at T.Hunter, called this statement a provocation. "The investigation of a cyberattack (attribution) is a long and complex process that cannot be carried out from beginning to end in hours. Analysis of hacker software and malicious code is always a long and painstaking process," Mr. Bederov said. 

According to him, even if traces leading to Fancy Bear were indeed found, it's still impossible to say that this particular group was behind the attack. Mr. Bederov thinks that other hackers could have also taken advantage of the malware previously used by Fancy Bear. It's possible because hacker tools are openly resold on the Darknet. 

"Primary attribution is based on matching the hacker code used in today's attack with the code used in yesterday's attack, as well as special characters specific to a language group. This approach is fundamentally wrong, because the code can be stolen or bought, and the linguistic features can be imitated," said the expert. 

Mr. Bederov also noted that within the framework of pro-state activity, mainly Chinese groups like to engage in substitution of attribution. In addition, according to him, the NATO cyber intelligence center located in Tallinn was previously noticed for the substitution of attribution. 

Earlier it was reported that DDoS attacks on the website of the Ministry of Defense of Ukraine could have been deliberately set up by the United States. Earlier, Viktor Zhora, Deputy Chairman of the State Service for Special Communications and Information Protection of Ukraine, said that the government of Ukraine is ready for the scenario of forced destruction of secret data on servers. According to him, the authorities do not want to take risks and are not going to leave documentation and detailed information about the population of Ukraine to the enemy. 

He also said that if Russia gets access to government passwords, Ukrainian specialists "will quickly block access to hacked accounts."

NZ Stock Exchange Halted Temporarily Twice After Being Hit by Cyber Attacks


The New Zealand stock exchange was hit by a cyber-attack due to which it had to remain offline two days in a row. The exchange said the attack had "impacted NZX network connectivity" and it had chosen to temporarily halt trading in cash markets not long before 16:00 local time.

The trading had to be stopped briefly for a second time, yet was back ready for action before the day's end. 

A DDoS attack is generally a quite straightforward kind of cyber-attack, wherein a huge 'array' of computers all attempt to connect with an online service at the same time usually resulting in 'overwhelming its capacity'. 

They frequently use devices undermined by malware, which the owners don't know are a part of the attack. 

While genuine traders may have had issues with carrying out their business, but it doesn't mean any financial or personal data was accessed. NZX said the attack had come “from offshore via its network service provider". 

The subsequent attack had halted the trading for a long time in the working day - from 11:24 to 15:00 local time, the exchange said. In any case, in spite of the interference, the exchange was up at the end of the business, close to its 'all-time' high. 

Nonetheless, NZX said it had first been hit by a distributed denial of service (DDoS) attack from abroad and so the New Zealand cybersecurity organization CertNZ had also given a caution in November that mails were being sent to financial firms threatening DDoS attacks except if a ransom was paid. 

The mails professed to be from a notable Russian hacking group Fancy Bear. 

Be that as it may, CertNZ said at the time 'the threat had never had never been carried out, past a 30-minute attack as a scare tactic'.

Microsoft Shuts down Websites in Association with the Russian Military Intelligence Service GRU


On the twentieth of August, Microsoft made public that it effectively terminated 6 websites in affiliation with the Russian Military Intelligence Service GRU.

The hacker group that has come to light is the well-known Fancy Bear also referred to here, as APT28 which likewise has been formerly connected to cyber-espionage campaigns directed towards various governments around the globe, including to the hack of the Democratic National Committee before the 2016 US Presidential Election.

The gathering last targeted the conservative think tanks namely the Hudson Institute and the International Republican Institute, three which were intended to mirror the U.S. Senate sites and one of the fake ones even ridiculed Microsoft's online products.

Microsoft's Digital Crimes Unit (DCU) effectively executed a court order to transfer the control of six internet domains made by the group. The six domains are:

my-iri.org
hudsonorg-my-sharepoint.com
senate.group
adfs-senate.services
adfs-senate.email
office365-onedrive.com

Microsoft’s president and chief legal officer Brad Smith wrote, “We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group. Attackers want their attacks to look as realistic as possible and they therefore create websites and URLs that look like sites their targeted victims would expect to receive email from or visit.”

What's more, in spite of last week's steps, Microsoft is anxious by the continuous activity that is focusing on these and other sites that are for the most part centered towards elected officials, politicians, political groups and additionally think tanks over the political range in the United States.

Since Russian cyber-attacks directed towards the elections are recurring and likely to expand , Microsoft is intending to protract the Microsoft's Defending Democracy Program with yet another initiative called the Microsoft AccountGuard , which will provide the best in class cyber security protection at no additional cost to all the candidates and campaign workplaces at the federal, state and local level as well as think tanks and political organizations that are presently thought to be under attack.