
Awaken Likho Targets Russian Agencies with MeshCentral Remote Access Tool

 

Awaken Likho, also tracked as Core Werewolf or PseudoGamaredon, is a threat group that targets Russian government agencies and industrial organizations. In a new campaign observed since June 2024, the attackers have replaced UltraVNC with the legitimate MeshAgent client of the MeshCentral remote-management platform for access to compromised systems. According to Kaspersky, the campaign concentrates on Russian government contractors and industrial enterprises. Spear-phishing remains the group's primary entry vector, with malicious executables disguised as Word or PDF documents.

The lures rely on double extensions such as ".doc.exe" or ".pdf.exe", so that with extensions hidden the file looks like an ordinary document. Opening one installs UltraVNC or, in the new campaign, MeshAgent, which gives the attackers full remote control of the host. Awaken Likho's activity dates back to at least August 2021, when it drew attention for attacks on Russia's defense and critical-infrastructure sectors. Later waves used self-extracting archives (SFX) that open a decoy document while silently installing UltraVNC; the June 2024 wave keeps the SFX delivery but swaps in MeshAgent.

In the latest campaign the SFX archive runs a file named "MicrosoftStores.exe", which unpacks an AutoIt script. The script launches MeshAgent, which connects to the attackers' MeshCentral server and provides ongoing remote control. Persistence is achieved with a scheduled task that runs a command file; the command file in turn launches MeshAgent and re-establishes the connection to the MeshCentral server, so the attackers retain access long after the initial compromise. Because MeshAgent is a legitimate, widely deployed tool, its presence alone is not malicious; what marks this campaign is the delivery path (SFX lure, AutoIt stage, command file run by a scheduled task) and an agent that reports to a MeshCentral server the organization does not operate.
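The chain above (double-extension lure, scheduled task that runs a command file, command file that launches MeshAgent) can be triaged from ordinary process-creation telemetry. The following is an added example written for this page, not code from Kaspersky or from the original post. The pipe-separated event format (timestamp|image|command line|parent image), the sample events, paths and task name are all constructed for the demonstration; real Sysmon or EDR fields will differ and need their own parser.

```python
"""Heuristic triage of process-creation events for the Awaken Likho delivery chain.

Added example; the event format and SAMPLE_EVENTS are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# Lure filename: a document extension immediately followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(docx?|pdf|xlsx?|rtf)\.(exe|scr|com|pif)$", re.IGNORECASE)
# schtasks.exe /create whose action (/tr) is a .cmd or .bat command file.
TASK_CREATE = re.compile(r"schtasks(?:\.exe)?\b.*?/create\b", re.IGNORECASE)
TASK_ACTION = re.compile(r'/tr\s+"?([^"]+?\.(?:cmd|bat))"?', re.IGNORECASE)
# MeshAgent binary name. It is a legitimate tool; only the launch context is suspicious.
MESHAGENT = re.compile(r"meshagent[^\\/]*\.exe$", re.IGNORECASE)


@dataclass
class Event:
    ts: str
    image: str
    cmdline: str
    parent: str


def parse_event(line: str) -> Event:
    """Parse one constructed 'ts|image|cmdline|parent' line."""
    ts, image, cmdline, parent = (f.strip() for f in line.split("|", 3))
    return Event(ts, image, cmdline, parent)


def triage(ev: Event) -> list[str]:
    """Return the list of matched heuristics for a single event (empty if none)."""
    findings = []
    if DOUBLE_EXT.search(ev.image):
        findings.append("double-extension lure executed")
    if TASK_CREATE.search(ev.cmdline):
        m = TASK_ACTION.search(ev.cmdline)
        if m:
            findings.append(f"scheduled task runs command file {m.group(1)}")
    if MESHAGENT.search(ev.image) and ev.parent.lower().endswith("cmd.exe"):
        findings.append("MeshAgent launched from a command file")
    return findings


def scan(lines):
    """Return (timestamp, image, findings) for every event that matched at least one rule."""
    results = []
    for ev in map(parse_event, lines):
        hits = triage(ev)
        if hits:
            results.append((ev.ts, ev.image, hits))
    return results


# Constructed sample events: lure execution, persistence task, agent launch, and one benign event.
SAMPLE_EVENTS = [
    "2024-06-12T09:14:03Z|C:\\Users\\user1\\Downloads\\contract.pdf.exe|contract.pdf.exe|C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE",
    "2024-06-12T09:14:05Z|C:\\Windows\\System32\\schtasks.exe|schtasks /create /tn Updater /tr \"C:\\ProgramData\\Updater\\run.cmd\" /sc minute /mo 5|C:\\Windows\\System32\\cmd.exe",
    "2024-06-12T09:14:07Z|C:\\ProgramData\\Updater\\MeshAgent.exe|MeshAgent.exe connect|C:\\Windows\\System32\\cmd.exe",
    "2024-06-12T09:20:00Z|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|WINWORD.EXE /n report.docx|C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for ts, image, hits in scan(SAMPLE_EVENTS):
        print(ts, image, "->", "; ".join(hits))
```

The third rule will also fire on legitimate MeshCentral deployments that start the agent from a batch script, so treat it as a correlation signal: the combination of a lure, a freshly created task pointing at a command file, and an agent launched from that file within seconds is what separates this chain from an administrator's own rollout, along with the MeshCentral server URL the agent is configured to contact.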

Earlier findings from BI.ZONE in June 2023 had already linked Awaken Likho to attacks on the defense and critical-infrastructure sectors, underscoring its intent to penetrate Russia's most vital industries. A notable attack in May 2023 targeted a Russian military base in Armenia as well as a research institute involved in weapons development. Taken together, these operations point to a primary focus on organizations tied to Russia's security and defense sectors, with significant consequences for the country's critical infrastructure.

This new chapter in Awaken Likho's activity shows the group's evolving tactics and its continued reliance on spear-phishing paired with more capable tooling. By moving to the MeshCentral platform, the group demonstrates its ability to keep control of compromised systems while blending in with legitimate remote-management traffic, and it remains a significant threat to Russian entities.

This Threat Actor Targeted NATO Summit Attendees

 

A Russia-linked threat actor known as RomCom has been targeting entities supporting Ukraine, including guests at the 2023 NATO Summit. The summit, held in Vilnius, Lithuania, covers the war in Ukraine and prospective new NATO members, including Sweden and Ukraine itself.

RomCom has created malicious documents that are likely intended for distribution to supporters of Ukraine. The threat actor appears to have dry-tested delivery of these documents on June 22, a few days before the command-and-control (C&C) domain used in the campaign went live, BlackBerry explained.

The malicious documents are most likely distributed via spear-phishing. They contain an embedded RTF file and OLE objects that start an infection chain which collects system information and delivers the RomCom remote access trojan (RAT).

At one stage in the infection chain, a flaw in Microsoft's Support Diagnostic Tool (MSDT) – CVE-2022-30190, also known as Follina – is exploited for remote code execution (RCE).
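Two of the chain's building blocks are visible statically: an OOXML document that loads something from outside its own container (a remote template or OLE object) and an RTF stage carrying OLE and ms-msdt: indicators. The following is an added example written for this page, not BlackBerry's tooling or code from the original post. The sample .docx is assembled in memory, the template URL uses the reserved .invalid domain, and the RTF fragment is a constructed minimal snippet, not a RomCom sample.

```python
"""Static checks for remote-template / OLE loads in OOXML and Follina-style indicators in RTF.

Added example; the sample document and RTF fragment are constructed for the demonstration.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Relationship types that make Word fetch and render external content on open.
SUSPICIOUS_REL_TYPES = {"attachedTemplate", "oleObject", "subDocument", "frame"}


def external_relationships(docx_bytes: bytes):
    """Return (rels_part, relationship_type, target) for every TargetMode='External' relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(z.read(name)):
                if rel.get("TargetMode") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rtype, rel.get("Target")))
    return hits


def suspicious_external_loads(docx_bytes: bytes):
    """Filter out benign externals such as hyperlinks; keep template/OLE style loads."""
    return [h for h in external_relationships(docx_bytes) if h[1] in SUSPICIOUS_REL_TYPES]


RTF_INDICATORS = {
    "OLE object set to auto-update (\\objupdate)": re.compile(rb"\\objupdate\b"),
    "embedded OLE payload (\\objdata)": re.compile(rb"\\objdata\b"),
    "ms-msdt: URI (MSDT / CVE-2022-30190 invocation)": re.compile(rb"ms-msdt:", re.IGNORECASE),
}


def rtf_indicators(rtf_bytes: bytes):
    """Return the labels of every RTF indicator present in the input."""
    return [label for label, pat in RTF_INDICATORS.items() if pat.search(rtf_bytes)]


def build_sample_docx(template_url: str) -> bytes:
    """Minimal OOXML container: a benign hyperlink plus a settings part pointing at a remote template."""
    rels_ns = "http://schemas.openxmlformats.org/package/2006/relationships"
    rel_base = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml", f"<w:document xmlns:w='{w_ns}'/>")
        z.writestr("word/settings.xml", f"<w:settings xmlns:w='{w_ns}'/>")
        # A hyperlink is External too, but Word does not fetch it on open.
        z.writestr("word/_rels/document.xml.rels",
                   f"<Relationships xmlns='{rels_ns}'>"
                   f"<Relationship Id='rId1' Type='{rel_base}/hyperlink' "
                   "Target='https://example.com/' TargetMode='External'/>"
                   "</Relationships>")
        # Attached template: Word retrieves this when the document opens (the remote-template trick).
        z.writestr("word/_rels/settings.xml.rels",
                   f"<Relationships xmlns='{rels_ns}'>"
                   f"<Relationship Id='rId1' Type='{rel_base}/attachedTemplate' "
                   f"Target='{template_url}' TargetMode='External'/>"
                   "</Relationships>")
    return buf.getvalue()


# Constructed RTF fragment carrying the three indicators checked above.
SAMPLE_RTF = rb"{\rtf1\ansi{\object\objautlink\objupdate{\*\objdata 0105000002000000}}{\field{\*\fldinst HYPERLINK ms-msdt:/id PCWDiagnostic}}}"

if __name__ == "__main__":
    doc = build_sample_docx("http://template.invalid/t.dotx!")
    print("external:", external_relationships(doc))
    print("suspicious:", suspicious_external_loads(doc))
    print("rtf:", rtf_indicators(SAMPLE_RTF))
```

The relationship walk deliberately reports the part name, because the same attachedTemplate type is benign when it points inside the package and only matters with TargetMode='External'. The RTF check is an indicator scan, not a parser: a real triage step should also extract and decode the \objdata hex blob and inspect whatever it contains.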

BlackBerry has identified the C&C domains and victim IPs used in this campaign. All of them were accessed from a single server that has also been observed connecting to known RomCom infrastructure.

"Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine,” BlackBerry says.

BlackBerry has alerted relevant government agencies of this campaign. RomCom is also known as Void Rabisu and Tropical Scorpius, and is associated with the Cuba ransomware. The group was previously believed to be financially motivated, but recent campaigns have shown a shift in tactics and motivation, suggesting that they are now working for the Russian government.

Since at least October 2022, the RomCom backdoor has been used in attacks targeting Ukraine. These attacks have targeted users of Ukraine's Delta situational awareness program and organizations in Ukraine's energy and water utility sectors.

Outside Ukraine, RomCom attacks have targeted a provincial local government helping Ukrainian refugees, a parliament member of a European country, attendees of the Munich Security Conference and the Masters of Digital conference, and a European defense company.

Russia Blocked Encrypted Email Startup Skiff

The Russian government has blocked another encrypted email provider, Skiff. The block came three years after Russia blocked similar encrypted email services, including Proton Mail and Tutanota, according to a Russian digital rights organization and the email provider itself.
 
Skiff is an email and cloud service provider that launched a year earlier. The move shows that the Russian government is systematically shutting down encrypted communication services that let ordinary citizens hold conversations that are harder to surveil.

Roskomsvoboda reported last Wednesday that an unidentified Russian state body had ordered Skiff blocked. Roskomsvoboda describes itself as "the first Russian public organization active in the field of protecting digital rights and expanding digital opportunities".

The stated justification is believed to be that anonymous emails containing false bomb threats were sent through the service. The same reason was given when Proton Mail, Tutanota, and Mailbox.org were blocked.

Skiff offers an end-to-end encrypted, open-source email service alongside decentralized cloud storage and a collaborative workspace in which users can create cards and tables, write notes, manage projects, and more.

The Russian Embassy in Washington, D.C. did not respond to a request for comment.

Stanislav Shakirov, technical director and co-founder of Roskomsvoboda (not to be confused with Roskomnadzor, the Russian government's censorship authority), said the block is in full effect and that "the blocking is done by the ISP on their equipment by the URL mask (*.skiff.com) and IP addresses."

Responding to the news, Skiff co-founder Andrew Milich said: "I started Skiff with a more private vision for the internet, where our personal information is not shared, bought, and sold. Jason and I have both had personal or professional connections to Russia — mine through Stanford, and Jason's family escaped the Soviet Bloc in the late 1970s via a covert radio network… With the fast adoption of our products and now suppression of them, we're even more confident and determined in our mission to build products for private communication and freedom."