#AxisOfEasy 242: U.S. Government Network Was Crawling With LockBit Ransomware For Months


Weekly Axis Of Easy #242


Last Week’s Quote was  “It is so easy to be wrong-and to persist in being wrong-when the costs of being wrong are paid by others.” was by Thomas Sowell.  Rick ‘s our winner!

This Week’s Quote:  “The only true wisdom is in knowing you know nothing.”…by???

THE RULES: No searching up the answer, must be posted to the blog – the place to post the answer is at the bottom of the post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.

 


This is your easyDNS #AxisOfEasy Briefing for the week of April 18th, 2022, wherein our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy. 
 
In this issue:
  • The Government of Finland has been attacked with cyberattacks following Zelensky’s speech 
  • Ukrainian Power Grid targeted by Russian hacker using Industroyer2 malware 
  • U.S. government network was crawling with LockBit ransomware for months
  • Microsoft exposed new malware created by state-sponsored hackers
  • Fraudsters target the African banking industry with malware-based phishing
 
Elsewhere online:
  • Microsoft takes down domains associated with the Ukraine cyberattack
  • Delivery drivers’ data may be in the hands of hackers after the CitySprint security breach
  • Cyberattacks leave Nordex scrambling to recover
  • Taking a look into Keksec’s new DDoS botnet, Enemybot
  • Those “Your package couldn’t be delivered” USPS messages are smishing scams
 

The Government of Finland has been attacked with cyberattacks following Zelensky’s speech

Finland’s foreign and defense ministry sites were attacked with a denial-of-service attack (DDoS) on Friday as Ukraine’s president addressed the Finnish parliament. According to reports, a Russian government aircraft broke into Finnish airspace on Friday, leading to the suspicion of Russian involvement.

Minister of Defense Antti Kaikkonen stated on Twitter, “Our territorial surveillance capability is good, and we detect all territorial violations and can respond to them effectively.

This is being taken as a message from Moscow, especially since this week’s reports indicated that Finland is now considering applying for NATO membership. Earlier this week, Finland’s prime minister, Sanna Marin, said, “Russia is not the neighbor we thought it was,” and blasted the Russian assault on Ukraine as a “flagrant violation.”

Read:
https://www.zerohedge.com/geopolitical/finland-hit-cyberattacks-airspace-breach-moment-zelensky-addressed-parliament 



Ukrainian Power Grid targeted by Russian hacker using Industroyer2 malware

The Computer Emergency Response Team of Ukraine (CERT-UA) stopped a cyberattack against an unnamed energy provider by Sandworm, a hacker group affiliated with Russia. The threat actors reportedly used an ICS-capable malware, standard disk wipers, and an updated variant of the Industroyer malware, first deployed in a 2016 attack on Ukraine’s power grid.

“The attackers attempted to take down several infrastructure components of their target, namely: Electrical substations, Windows-operated computing systems, Linux-operated server equipment, [and] active network equipment,” the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said in a statement.

Industroyer is an industrial control system malware that is modular, capable of controlling circuit breakers and switches at an electricity distribution substation. ESET has analyzed the artifacts left behind by Industroyer2 and revealed that the attack against the power facility was planned for at least two weeks.

Reportedly, the targeted energy provider’s network had also been infected by an OrcShred malware worm, which was later used to spread two different wiper malware campaigns targeting Linux and Solaris systems – AwfulShred and SoloShred – to make them unusable.

Read:
https://thehackernews.com/2022/04/russian-hackers-tried-attacking.html 


U.S. government network was crawling with LockBit ransomware for months

Research conducted by cybersecurity company Sophos found that two threat groups had compromised a U.S. government agency’s network for five months before the payload was deployed. The hackers accessed the network through an open remote desktop port, downloaded tools, and spent time laying low. They then stole the credentials of a local server admin to create new accounts with administrator privileges.

In phase two of the attack, a higher-level actor took control of the compromised server, leading Sophos to assume that the initial compromise was a novice attack. The attackers extracted credentials, made their presence more evident, ran network enumeration tools, disabled endpoint security, and created new user accounts.

“The nature of the activity recovered from logs and browser history files on the compromised server gave us the impression that the threat actors who first broke into the network weren’t experts but novices and that they may later have transferred control of their remote access to one or more different, more sophisticated groups who, eventually, delivered the ransomware payload,” said Sophos.

The attacker ran Advanced IP Scanner to access sensitive servers, including personnel and purchasing files. Sophos joined the response effort and shut down the servers providing remote access to the adversaries, but files had already been encrypted.

Researchers say that multi-factor authentication would have stopped the hackers from moving freely, and blocking remote access to RDP ports would have significantly slowed down their action.

Read:
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-lurked-in-a-us-gov-network-for-months/?&web_view=true 


Microsoft exposed new malware created by state-sponsored hackers

Microsoft exposed Tarrask, a piece of malware likely created by Hafnium, a state-sponsored Chinese hacker group. Tarrask is a nasty piece of malware that uses the Task Scheduler to schedule unwanted tasks on Windows machines that go undetected by antivirus software.

Microsoft found that Russian hackers also used scheduled tasks to gain persistence on a machine, and despite its simplicity, it’s effective.
Hackers used Task Scheduler and the Zoho Manage Engine Rest API authentication bypass vulnerability to compromise Windows machines with the Godzilla web shell. Microsoft says Hafnium used these vulnerabilities to target organizations in the telecommunication, internet service provider, and data services sector.

Microsoft offers instructions on manually checking the registry tree to see whether attackers have created these unwanted scheduled tasks. These steps include monitoring outbound communications to ensure that hackers can not access critical systems.

As part of the campaign, threat actors re-established outbound communications with C&C infrastructure on a regular basis to maintain access to critical assets exposed to the internet. Be vigilant and monitor the behavior of your outbound communications by setting up monitoring and alerting for these connections from Tier 0 and Tier 1 assets,” suggested the tech giant.

Read: https://www.zdnet.com/article/microsoft-these-hackers-are-using-a-simple-trick-to-hide-their-windows-malware/ 


Fraudsters target the African banking industry with malware-based phishing

Researchers from HP Wolf Security have been tracking a cybercrime campaign targeting the African banking sector, which uses phishing emails to lure victims into downloading malicious files.
According to researchers, the attackers used a typosquatted domain registered in December 2021, and reportedly, visiting the website returned an HTTP 404 response. The threat actor also included a reply-to address of a supposed employee of the recruiting bank to make the lure more credible.

The emails contained HTML files that, when viewed, would prompt the user to download an ISO file that, in turn, had Visual Basic scripts that executed malware. This method, known as HTML smuggling, allows attackers to subvert security on email gateways by smuggling malicious files.
HP Wolf Security discovered that attackers were using a downloader executed via PowerShell but otherwise only ran in memory.

HP Wolf Security analyst Patrick Schläpfer said a combination of attack techniques was used in this campaign targeting financial institutions, and companies should watch out for typosquatted websites. HP Wolf Security warns that organizations should make sure they have visibility over their network to isolate or block malicious process behavior and that phishing emails can infect a person through HTML smuggling.

Read: https://portswigger.net/daily-swig/african-banking-sector-targeted-by-malware-based-phishing-campaign 


Elsewhere online:


Microsoft takes down domains associated with the Ukraine cyberattack
Read: https://threatpost.com/microsoft-takedown-domains-ukraine/179257/ 

Delivery drivers’ data may be in the hands of hackers after the CitySprint security breach
Read: https://grahamcluley.com/citysprint-confirms-security-breach-warns-delivery-drivers-their-personal-data-may-be-in-the-hands-of-hackers/ 

Cyberattacks leave Nordex scrambling to recover
Read: https://www.securityweek.com/wind-turbine-giant-nordex-scrambling-recover-cyberattack 

Taking a look into Keksec’s new DDoS botnet, Enemybot
Read: https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet?&web_view=true 

Those “Your package couldn’t be delivered” USPS messages are smishing scams
Read: https://blog.malwarebytes.com/scams/2022/04/usps-your-package-could-not-be-delivered-text-is-a-smishing-scam/?web_view=true


Previously on #AxisOfEasy

If you missed the previous issues, they can be read online here:



 

 

 

 

3 thoughts on “#AxisOfEasy 242: U.S. Government Network Was Crawling With LockBit Ransomware For Months

Leave a Reply to Tait Cancel reply

Your email address will not be published. Required fields are marked *