The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: Ukrainian Hackers

Ukrainian CERT Warns Citizens of a New Wave of Attacks Distributing Jester Malware

Ukrainian CERT Warns Citizens of a New Wave of Attacks Distributing Jester Malware

May 09, 2022Ravie Lakshmanan
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of phishing attacks that deploy an information-stealing malware called Jester Stealer on compromised systems. The mass email campaign carries the subject line "chemical attack" and contains a link to a macro-laced Microsoft Excel file, opening which leads to computers getting infected with Jester Stealer. The attack, which requires potential victims to enable macros after opening the document, works by downloading and executing an .EXE file that is retrieved from compromised web resources, CERT-UA detailed. Jester Stealer, as documented by Cyble in February 2022, comes with features to steal and transmit login credentials, cookies, and credit card information along with data from passwords managers, chat messengers, email clients, crypto wallets, and gaming apps to the attackers. It's purchasable for $99 per month or $249 for lifetime access. "The hackers get the stolen data via Telegram usi
Ukraine War Themed Files Become the Lure of Choice for a Wide Range of Hackers

Ukraine War Themed Files Become the Lure of Choice for a Wide Range of Hackers

May 04, 2022Ravie Lakshmanan
A  growing number of threat actors  are using the ongoing Russo-Ukrainian war as a lure in various phishing and malware campaigns, even as critical infrastructure entities continue to be heavily targeted. "Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links," Google Threat Analysis Group's (TAG) Billy Leonard  said  in a report. "Financially motivated and criminal actors are also using current events as a means for targeting users," Leonard added. One notable threat actor is Curious Gorge, which TAG has attributed to China People's Liberation Army Strategic Support Force (PLA SSF) and has been observed striking government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. Attacks aimed at Russia have singled out several governmental entiti
Ukrainian FIN7 Hacker Gets 5-Year Sentence in the United States

Ukrainian FIN7 Hacker Gets 5-Year Sentence in the United States

April 08, 2022Ravie Lakshmanan
A 32-year-old Ukrainian national has been  sentenced to five years in prison  in the U.S. for the individual's criminal work as a "high-level hacker" in the financially motivated group FIN7. Denys Iarmak, who worked as a penetration tester for the cartel from November 2016 through November 2018, had been previously arrested in Bangkok, Thailand in November 2019, before being extradited to the U.S. in May 2020. In November 2021, Iarmak had pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking. FIN7 has been attributed to a number of attacks that have led to the theft of more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations in the U.S, costing the victims $1 billion in losses. The criminal gang, also known as Carbanak Group and the Navigator Group, has a track record of hitting restaurant, gambling, and hospitality indu
Multiple Hacker Groups Capitalizing on Ukraine Conflict for Distributing Malware

Multiple Hacker Groups Capitalizing on Ukraine Conflict for Distributing Malware

April 04, 2022Ravie Lakshmanan
At least three different advanced persistent threat (APT) groups from across the world have launched spear-phishing campaigns in mid-March 2022 using the ongoing Russo-Ukrainian war as a lure to distribute malware and steal sensitive information. The campaigns, undertaken by El Machete, Lyceum, and SideWinder, have targeted a variety of sectors, including energy, financial, and governmental sectors in Nicaragua, Venezuela, Israel, Saudi Arabia, and Pakistan. "The attackers use decoys ranging from official-looking documents to news articles or even job postings, depending on the targets and region," Check Point Research  said  in a report. "Many of these lure documents utilize malicious macros or template injection to gain an initial foothold into the targeted organizations, and then launch malware attacks." The infection chains of  El Machete , a Spanish-speaking threat actor first documented in August 2014 by Kaspersky, involve the use of macro-laced decoy doc
Hackers Increasingly Using 'Browser-in-the-Browser' Technique in Ukraine Related Attacks

Hackers Increasingly Using 'Browser-in-the-Browser' Technique in Ukraine Related Attacks

March 31, 2022Ravie Lakshmanan
A Belarusian threat actor known as Ghostwriter (aka UNC1151) has been spotted leveraging the recently disclosed browser-in-the-browser (BitB) technique as part of their credential phishing campaigns exploiting the ongoing Russo-Ukrainian conflict. The method, which  masquerades  as a legitimate domain by simulating a browser window within the browser, makes it possible to mount convincing social engineering campaigns. "Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique, hosting credential phishing landing pages on compromised sites," Google's Threat Analysis Group (TAG)  said  in a new report, using it to siphon credentials entered by unsuspected victims to a remote server. Among other groups  using the war as a lure  in phishing and malware campaigns to deceive targets into opening fraudulent emails or links include  Mustang Panda  and  Scarab  as well as nation-state actors from Iran, North Korea, and Russia
Popular NPM Package Updated to Wipe Russia, Belarus Systems to Protest Ukraine Invasion

Popular NPM Package Updated to Wipe Russia, Belarus Systems to Protest Ukraine Invasion

March 17, 2022Ravie Lakshmanan
In what's an act of deliberate sabotage, the developer behind the popular "node-ipc" NPM package shipped a new tampered version to condemn Russia's invasion of Ukraine, raising concerns about security in the open-source and the  software supply chain . Affecting versions 10.1.1 and 10.1.2 of the library, the alterations introduced by its maintainer RIAEvangelist brought about undesirable behavior by targeting users with IP addresses located either in Russia or Belarus, and wiping arbitrary file contents and replacing them with a heart emoji. Node-ipc is a prominent  node module  used for local and remote inter-process communication ( IPC ) with support for Linux, macOS, and Windows. It has over 1.1 million weekly downloads. "A very clear abuse and a critical supply chain security incident will occur for any system on which this NPM package will be called upon, if that matches a geo-location of either Russia or Belarus," Synk researcher Liran Tal  said  
Ukraine Secret Service Arrests Hacker Helping Russian Invaders

Ukraine Secret Service Arrests Hacker Helping Russian Invaders

March 17, 2022Ravie Lakshmanan
The Security Service of Ukraine (SBU) said it has detained a "hacker" who offered technical assistance to the invading Russian troops by providing mobile communication services inside the Ukrainian territory. The anonymous suspect is said to have broadcasted text messages to Ukrainian officials, including security officers and civil servants, proposing that they surrender and take the side of Russia. The individual has also been accused of routing phone calls from Russia to the mobile phones of Russian troops in Ukraine. "Up to a thousand calls were made through this hacker in one day. Many of them are from the top leadership of the enemy army," the SBU  alleged , adding it confiscated the equipment that was used to pull off the operation. Besides implicating the hacker for helping Russia make anonymous phone calls to its military forces based in Ukraine, the agency said the hacker passed commands and instructions to different groups of "Russian invaders.&
CaddyWiper: Yet Another Data Wiping Malware Targeting Ukrainian Networks

CaddyWiper: Yet Another Data Wiping Malware Targeting Ukrainian Networks

March 15, 2022Ravie Lakshmanan
Two weeks after details emerged about a second data wiper strain delivered in attacks against Ukraine, yet another destructive malware has been detected amid Russia's continuing military invasion of the country. Slovak cybersecurity company ESET dubbed the third wiper " CaddyWiper ," which it said it first observed on March 14 around 9:38 a.m. UTC. Metadata associated with the executable (" caddy.exe ") shows that the malware was compiled at 7:19 a.m. UTC, a little over two hours prior to its deployment. CaddyWiper is notable for the fact that it doesn't share any similarities with previously discovered wipers in Ukraine, including  HermeticWiper  (aka FoxBlade or KillDisk) and  IsaacWiper  (aka Lasainraw), the two of which have been deployed in systems belonging to government and commercial entities. "The ultimate goal of the attackers is the same as with IsaacWiper and HermeticWiper: make the systems unusable by erasing user data and partition i
Google: Russian Hackers Target Ukrainians, European Allies via Phishing Attacks

Google: Russian Hackers Target Ukrainians, European Allies via Phishing Attacks

March 08, 2022Ravie Lakshmanan
A broad range of threat actors, including Fancy Bear, Ghostwriter, and Mustang Panda, have launched phishing campaigns against Ukraine, Poland, and other European entities amid Russia's invasion of Ukraine. Google's Threat Analysis Group (TAG) said it took down two Blogspot domains that were used by the nation-state group FancyBear (aka APT28) – which is attributed to Russia's GRU military intelligence – as a landing page for its social engineering attacks. The disclosure comes close on the heels of an advisory from the Computer Emergency Response Team of Ukraine (CERT-UA)  warning  of phishing campaigns targeting Ukr.net users that involve sending messages from compromised accounts containing links to attacker-controlled credential harvesting pages. Another cluster of threat activity concerns webmail users of Ukr.net, Yandex.ru, wp.pl, rambler.ru, meta.ua, and i.ua, who have been at the receiving end of phishing attacks by a Belarusian threat actor tracked as Ghostwrit
Ukrainian CERT Warns Citizens of Phishing Attacks Using Compromised Accounts

Ukrainian CERT Warns Citizens of Phishing Attacks Using Compromised Accounts

March 07, 2022Ravie Lakshmanan
Ukraine's Computer Emergency Response Team (CERT-UA) warned of new phishing attacks aimed at its citizens by leveraging compromised email accounts belonging to three different Indian entities with the goal of compromising their inboxes and stealing sensitive information. The agency  cautioned  that the emails arrive with the subject line "Увага" (meaning "Attention") and claim to be from a domestic email service called Ukr.net, when in actuality, the email address of the sender is "muthuprakash.b@tvsrubber[.]com." The messages purportedly warn the recipients of an unauthorized attempt to log in to their accounts from an IP address based out of the eastern Ukrainian city of Donetsk, further prompting them to click on a link to change their passwords with immediate effect. "After following the link and entering the password, it gets to the attackers," CERT-UA noted in a Facebook post over the weekend. "In this way, they gain access to
Both Sides in Russia-Ukraine War Heavily Using Telegram for Disinformation and Hacktivism

Both Sides in Russia-Ukraine War Heavily Using Telegram for Disinformation and Hacktivism

March 04, 2022Ravie Lakshmanan
Cyber criminals and hacktivist groups are increasingly using the Telegram messaging app to coordinate their activities, leak data, and spread disinformation, as the Russia-Ukraine conflict enters its eighth day. A new analysis by Israeli cybersecurity company Check Point Research has  found  that "user volume grew a hundred folds daily on Telegram related groups, peaking at 200,000 per group." Prominent among the groups are anti-Russian cyber attack groups, including the Ukraine government-backed IT Army, which has urged its more 270,000 members to conduct distributed denial-of-service (DDoS) attacks against Russian entities. Other hacktivist-oriented Telegram groups used to coordinate the attacks on Russian targets via DDoS, SMS or call-based attacks are Anna_ and Mark_, Check Point researchers noted. That said, there may be more to these attacks than meets the eye. "It seems that many of the hacktivist groups are more focused on building self-reputation and recei
Russia Releases List of IPs, Domains Attacking Its Infrastructure with DDoS Attacks

Russia Releases List of IPs, Domains Attacking Its Infrastructure with DDoS Attacks

March 03, 2022Ravie Lakshmanan
As the ongoing Russia-Ukraine conflict continues to escalate, the Russian government on Thursday  released  a massive list containing 17,576 IP addresses and 166 domains that it said are behind a series of distributed denial-of-service (DDoS) attacks aimed at its domestic infrastructure. Some of the noticeable domains in the listing released by Russia's National Coordination Center for Computer Incidents (NCCCI) included the U.S. Federal Bureau of Investigation (FBI), Central Intelligence Agency (CIA), and websites of several media publications such as the USA Today, 24News.ge, megatv.ge, and Ukraine's Korrespondent magazine. As part of its recommendations to counter the DDoS attacks, the agency is urging organizations to ringfence network devices, enable logging, change passwords associated with key infrastructure elements, turn off automatic software updates, disable third-party plugins on websites, enforce data backups, and watch out for phishing attacks. "Use Russ
Hackers Try to Target European Officials to Get Info on Ukrainian Refugees, Supplies

Hackers Try to Target European Officials to Get Info on Ukrainian Refugees, Supplies

March 02, 2022Ravie Lakshmanan
Details of a new nation-state sponsored phishing campaign have been uncovered setting its sights on European governmental entities in what's seen as an attempt to obtain intelligence on refugee and supply movement in the region. Enterprise security company Proofpoint, which detected the malicious emails for the first time on February 24, 2022, dubbed the social engineering attacks " Asylum Ambuscade ." "The email included a malicious macro attachment which utilized social engineering themes pertaining to the Emergency Meeting of the NATO Security Council held on February 23, 2022," researchers Michael Raggi and Zydeca Cass  said  in a report published Tuesday. "The email also contained a malicious attachment which attempted to download malicious Lua malware named SunSeed and targeted European government personnel tasked with managing transportation and population movement in Europe." The findings build on an  advisory  issued by the State Service
Second New 'IsaacWiper' Data Wiper Targets Ukraine After Russian Invasion

Second New 'IsaacWiper' Data Wiper Targets Ukraine After Russian Invasion

March 01, 2022Ravie Lakshmanan
A new data wiper malware has been observed deployed against an unnamed Ukrainian government network, a day after destructive cyber attacks struck multiple entities in the country preceding the start of Russia's military invasion. Slovak cybersecurity firm ESET dubbed the new malware " IsaacWiper ," which it said was detected on February 24 in an organization that was not affected by  HermeticWiper  (aka FoxBlade), another data wiping malware that targeted several organizations on February 23 as part of a sabotage operation aimed at rendering the machines unusable. Further analysis of the HermeticWiper attacks, which infected at least five Ukrainian organizations, have revealed a worm constituent that propagates the malware across the compromised network and a ransomware module that acts as a "distraction from the wiper attacks," corroborating a  prior report  from Symantec. "These destructive attacks leveraged at least three components: HermeticWiper f
Microsoft Finds FoxBlade Malware Hit Ukraine Hours Before Russian Invasion

Microsoft Finds FoxBlade Malware Hit Ukraine Hours Before Russian Invasion

March 01, 2022Ravie Lakshmanan
UPDATE: It's worth noting that the malware Microsoft tracks as FoxBlade is the same as the data wiper that's been denominated HermeticWiper (aka KillDisk) . Microsoft on Monday disclosed that it detected a new round of offensive and destructive cyberattacks directed against Ukraine's digital infrastructure hours before Russia launched its first missile strikes last week. The intrusions involved the use of a never-before-seen malware package dubbed FoxBlade , according to the tech giant's Threat Intelligence Center (MSTIC), noting that it added new signatures to its Defender anti-malware service to detect the exploit within three hours of the discovery. "These recent and ongoing cyberattacks have been precisely targeted, and we have not seen the use of the indiscriminate malware technology that spread across Ukraine's economy and beyond its borders in the  2017 NotPetya attack ," Microsoft's President and Vice Chair, Brad Smith,  said . Additio
Putin Warns Russian Critical Infrastructure to Brace for Potential Cyber Attacks

Putin Warns Russian Critical Infrastructure to Brace for Potential Cyber Attacks

February 25, 2022Ravie Lakshmanan
The Russian government on Thursday warned of cyber attacks aimed at domestic critical infrastructure operators, as the country's full-blown invasion of Ukraine enters the second day. In addition to cautioning of the "threat of an increase in the intensity of computer attacks," Russia's National Computer Incident Response and Coordination Center  said  that the "attacks can be aimed at disrupting the functioning of important information resources and services, causing reputational damage, including for political purposes." "Any failure in the operation of [critical information infrastructure] objects due to a reason that is not reliably established, first of all, should be considered as the result of a computer attack," the agency added. Furthermore, it notified of possible influence operations undertaken to "form a negative image of the Russian Federation in the eyes of the world community," echoing a  similar alert  released by the U
Ukraine Continues to Face Cyber Espionage Attacks from Russian Hackers

Ukraine Continues to Face Cyber Espionage Attacks from Russian Hackers

February 01, 2022Ravie Lakshmanan
Cybersecurity researchers on Monday said they uncovered evidence of attempted attacks by a Russia-linked hacking operation targeting a Ukrainian entity in July 2021. Broadcom-owned Symantec, in a new report published Monday, attributed the attacks to an actor tracked as Gamaredon (aka Shuckworm or Armageddon), a cyber-espionage collective known to be active since at least 2013. In November 2021, Ukrainian intelligence agencies  branded  the group as a "special project" of Russia's Federal Security Service (FSB), in addition to pointing fingers at it for carrying out over 5,000 cyberattacks against public authorities and critical infrastructure located in the country. Gamaredon attacks typically originate with phishing emails that trick the recipients into installing a custom remote access trojan called Pterodo. Symantec disclosed that, between July 14, 2021 and August 18, 2021, the actor installed several variants of the backdoor as well as deployed additional scripts
Massive Cyber Attack Knocks Down Ukrainian Government Websites

Massive Cyber Attack Knocks Down Ukrainian Government Websites

January 14, 2022Ravie Lakshmanan
No fewer than 70 websites operated by the Ukrainian government went offline on Friday for hours in what appears to be a coordinated cyber attack amid heightened tensions with Russia. "As a result of a massive cyber attack, the websites of the Ministry of Foreign Affairs and a number of other government agencies are temporarily down," Oleg Nikolenko, MFA spokesperson,  tweeted . The Security Service of Ukraine, the country's law-enforcement authority,  alluded  to a possible Russian involvement, pointing fingers at the hacker groups associated with the Russian secret services while branding the intrusions as a supply chain attack that involved hacking the "infrastructure of a commercial company that had access to the rights to administer the web resources affected by the attack." Prior to the update from the SSU, the Ukrainian CERT claimed that the attacks may have exploited a security vulnerability in Laravel-based October CMS ( CVE-2021-32648 ), which cou
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.