Security News
![Russians bypass website blocks to access Western news sources](/static/build/img/news/russians-bypass-website-blocks-to-access-western-news-sources-small.jpg)
Cloudflare sees signs of Russians increasingly turning to Western news sources to get accurate information about the situation in Ukraine. A new blog post published today by Cloudflare presents statistical evidence that the netizens of Russia are adopting blockage circumvention tools pretty aggressively to access British, American, and French news sites.
![Experts Shed Light on BlackGuard Infostealer Malware Sold on Russian Hacking Forums](/static/build/img/news/experts-shed-light-on-blackguard-infostealer-malware-sold-on-russian-hacking-forums-small.jpg)
A previously undocumented "sophisticated" information-stealing malware named BlackGuard is being advertised for sale on Russian underground forums for a monthly subscription of $200. "BlackGuard has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, FTP credentials, saved browser credentials, and email clients," Zscaler ThreatLabz researchers Mitesh Wani and Kaivalya Khursale said in a report published last week. Also sold for a lifetime price of $700, BlackGuard is designed as a .NET-based malware that's actively under development, boasting of a number of anti-analysis, anti-debugging, and anti-evasion features that allow it to kill processes related to antivirus engines and bypass string-based detection.
![Russian Wiper Malware Likely Behind Recent Cyberattack on Viasat KA-SAT Modems](/static/build/img/news/russian-wiper-malware-likely-behind-recent-cyberattack-on-viasat-ka-sat-modems-small.jpg)
The cyberattack aimed at Viasat that temporarily knocked KA-SAT modems offline on February 24, 2022, the same day Russian military forces invaded Ukraine, is believed to have been the consequence of wiper malware, according to the latest research from SentinelOne. The findings come as the U.S. telecom company disclosed that it was the target of a "multifaceted and deliberate" cyberattack against its KA-SAT network, linking it to a "ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network."
![Russian-linked Android malware records audio, tracks your location](/static/build/img/news/russian-linked-android-malware-records-audio-tracks-your-location-small.jpg)
A previously unknown Android malware has been linked to the Turla hacking group after discovering the app used infrastructure previously attributed to the threat actors. Researchers from Lab52 identified a malicious APK [VirusTotal] named "Process Manager" that acts as Android spyware, uploading information to the threat actors.
![Google: Russian credential thieves target NATO, Eastern European military](/static/build/img/news/google-russian-credential-thieves-target-nato-eastern-european-military-small.jpg)
A Russian cybercrime gang has lately sent credential-phishing emails to the military of Eastern European countries and a NATO Center of Excellence, according to a Google threat report this week. One of these crews is Coldriver, which the Google team refer to as "a Russian-based threat actor." According to Leonard, Google hasn't seen attackers successfully compromise any Gmail accounts in its phishing campaigns.
![Google: Russian phishing attacks target NATO, European military](/static/build/img/news/google-russian-phishing-attacks-target-nato-european-military-small.jpg)
The Google Threat Analysis Group says more and more threat actors are now using Russia's war in Ukraine to target Eastern European and NATO countries, including Ukraine, in phishing and malware attacks. The report's highlights are credential phishing attacks coordinated by a Russian-based threat group tracked as COLDRIVER against a NATO Centre of Excellence and Eastern European militaries.
![Viasat spills on the Russian attack, warns of continued risks](/static/build/img/news/viasat-spills-on-the-russian-attack-warns-of-continued-risks.jpg)
It turns out the only thing Russian forces needed to knock thousands of Ukrainian satellite broadband customers offline was a misconfigured VPN. Viasat, whose Ukrainian satellite broadband service was knocked offline the day Russia invaded Ukraine, said its analysis of the attack revealed a poorly configured VPN appliance was used by the attacker to access the trusted management section of the KA-SAT satellite network. "These destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable," Viasat said today.
![MSHTML Flaw Exploited to Attack Russian Dissidents](/static/build/img/news/mshtml-flaw-exploited-to-attack-russian-dissidents-small.jpg)
A spearphishing campaign targeting Russian citizens and government entities that are not aligned with the actions of the Russian government is the latest in numerous threats that have emerged since Russia invaded Ukraine in February. Malwarebytes observed two documents associated with the campaign using the previously identified flaw dubbed MSHTML and tracked as CVE-2021-40444.
![Phishing campaign targets Russian govt dissidents with Cobalt Strike](/static/build/img/news/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike-small.jpg)
A new spear phishing campaign is taking place in Russia targeting dissenters with opposing views to those promoted by the state and national media about the war against Ukraine. The campaign targets government employees and public servants with emails warning of the software tools and online platforms that are forbidden in the country.
![UK Cyber Security Centre advises review of risk posed by Russian tech](/static/build/img/news/uk-cyber-security-centre-advises-review-of-risk-posed-by-russian-tech-small.jpg)
The UK's National Cyber Security Centre has advised users of Russian technology products to reassess the risks they present. In advice that builds on 2017 guidance about technology supply chains that include links to hostile states, NCSC technical director Ian Levy stated that the agency has not found evidence "that the Russian state intends to suborn Russian commercial products and services to cause damage to UK interests."