Russian indicted for pre-war cyberattacks

Jun 28 2024


Welcome to Gone Phishing, your favourite cybersecurity newsletter that’s missing the Euros like hackers miss the Silk Road 💀💀💀 Roll on Saturday!! 🎉🎉🎉

It’s Friday, folks, which can only mean one thing… It’s time for our weekly segment!

It goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it.

Congrats, the cybercriminals are no match… for your patch! 🩹🩹🩹

Check out this freshly hatched patch 🐣

Apple fights Bluetooth and nail against eavesdropping 👂

🚨 Apple AirPods Update: Security Alert! ⚠️

Apple has issued a firmware update fixing a critical flaw (CVE-2024-27867) that could let hackers hijack your AirPods 🎧! Affected models include AirPods (2nd gen+), AirPods Pro, AirPods Max, Powerbeats Pro, and Beats Fit Pro. When your headphones seek a connection, attackers nearby could spoof the source and gain unauthorised access, potentially eavesdropping on private conversations.

Thanks to Jonas Dreßler, the flaw is now patched in updates 6A326 and 6F8 🎉. This follows Apple's visionOS update addressing 21 issues, including a major web content DoS vulnerability (CVE-2024-27812) discovered by Ryan Pickren, marking the "world's first spatial computing hack" 🛡️.

Stay secure and update your devices now! 🔒✨

Now, today’s hottest cybersecurity news stories:

  • ๐Ÿป Russian indicted for pre-war cyberattacks on the Ukraine ๐Ÿ—๏ธ

  • ๐Ÿค– Botnet evolution: Rust-based P2PInfect intros miner payloads ๐Ÿ’ฐ

  • ๐Ÿ‘ฅ P2P users infected with malware via Korean telco. Oh no! ๐Ÿ™…๐Ÿปโ€โ™‚๏ธ

His Ukraine of terror is over ๐Ÿ˜

🚨 Russian National Indicted for Cyber Attacks on Ukraine and Allies 📰

A 22-year-old Russian national, Amin Timovich Stigal, has been indicted in the U.S. for allegedly staging destructive cyber attacks against Ukraine and its allies in the lead-up to Russia's military invasion of Ukraine in early 2022. Stigal is believed to be affiliated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) and remains at large. If convicted, he faces a maximum sentence of five years in prison.

💰 U.S. Offers Reward for Information

The U.S. Department of State's Rewards for Justice program is offering up to $10 million for information on Stigal's whereabouts or his involvement in the cyber attacks. Attorney General Merrick B. Garland emphasised the severity of the actions, stating that Stigal conspired with Russian military intelligence to launch cyberattacks targeting the Ukrainian government and its allies, including the U.S.

🦠 WhisperGate Malware Attacks

The cyberattacks involved the deployment of a wiper malware named WhisperGate (also known as PAYWIPE), which targeted government, non-profit, and IT entities in Ukraine. These attacks began around mid-January 2022. WhisperGate was designed to masquerade as ransomware but could render infected systems inoperable if activated by the attacker. Microsoft has been tracking the malware under the name Cadet Blizzard.

📂 Data Exfiltration and Website Defacement

Court documents reveal that Stigal and his associates used services from an unnamed U.S.-based company to distribute WhisperGate and exfiltrate sensitive data, including patient health records. They also defaced websites and sold the stolen information on cybercrime forums, aiming to create panic among the Ukrainian populace regarding the safety of government systems and data.

๐ŸŒ Probing U.S. Government Systems

Between August 2021 and February 2022, the conspirators used the same infrastructure for the Ukrainian attacks to probe computers belonging to a federal government agency in Maryland, mirroring their initial probing of Ukrainian government networks.

🔒 Related Conviction: Florida Man and Crypto Thefts

In a related development, the U.S. Department of Justice announced the conviction of Remy St Felix, a 24-year-old Florida man, for a series of violent home invasion robberies aimed at stealing cryptocurrency. St Felix and his accomplices kidnapped and assaulted victims in their homes, forcing them to drain their cryptocurrency accounts. In one incident in April 2023, St Felix and a co-conspirator zip-tied a victim and their spouse at gunpoint, transferring over $150,000 in cryptocurrency using AnyDesk remote desktop software.

๐Ÿ›๏ธ Sentencing and Charges

St Felix, convicted of nine counts including conspiracy, kidnapping, Hobbs Act robbery, wire fraud, and brandishing a firearm, faces a minimum of seven years and a maximum of life in prison. He is scheduled for sentencing on September 11, 2024.

“Tryna strike a chord and it's prolly A Miner” 💀

🚨 P2PInfect Botnet Targets Redis Servers with Ransomware and Crypto Miners 📰

The P2PInfect botnet, previously considered dormant, has resurfaced with ransomware and cryptocurrency mining capabilities, targeting misconfigured Redis servers. This development indicates a shift towards financially motivated operations.

💻 Malware Evolution

P2PInfect, discovered nearly a year ago, now targets MIPS and ARM architectures. Originally spreading by exploiting Redis server vulnerabilities, the botnet turns victim systems into follower nodes, allowing attackers to issue arbitrary commands.

๐Ÿ› ๏ธ New Capabilities

The Rust-based worm has added features like internet scanning for vulnerable servers and an SSH password sprayer module to log in using common passwords. It also changes passwords, restarts SSH services with root permissions, and performs privilege escalation to prevent other attackers from hijacking the same server.

🤖 Peer-to-Peer Network

As a peer-to-peer botnet, P2PInfect forms a mesh network where each infected machine acts as a node. This structure allows the botnet to efficiently propagate updates across the network using a gossip mechanism.

🤑 Financial Motivations

Recent updates include miner and ransomware payloads. The ransomware encrypts files with specific extensions and demands 1 XMR (~$165) in ransom. The miner, configured to use maximum processing power, often interferes with ransomware operations.

๐Ÿ•ต๏ธโ€โ™‚๏ธ Rootkit and Evasion Techniques

P2PInfect now includes a usermode rootkit that hides malicious processes and files using the LD_PRELOAD environment variable. This technique, also used by groups like TeamTNT, aims to evade detection by security tools.
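Added here as a defender's illustration, not code from the P2PInfect analysis: three checks that surface LD_PRELOAD-style hiding, run over constructed sample inputs (the file contents, pids and library paths below are made up).

```python
# Constructed stand-ins for /etc/ld.so.preload and a few /proc/<pid>/environ
# blobs (NUL-separated). None of these paths or library names come from the
# P2PInfect write-up; they exist only so the checks can run offline.
SAMPLE_PRELOAD_FILE = "/usr/local/lib/libexample-hook.so\n"
SAMPLE_ENVIRONS = {
    101: b"PATH=/usr/bin\x00HOME=/root\x00",
    202: b"LD_PRELOAD=/tmp/.x/libhide.so\x00PATH=/usr/bin\x00",
}


def preloaded_libraries(preload_text):
    """Libraries forced into every dynamically linked process via /etc/ld.so.preload.
    On an ordinary host this file is absent or empty, so any entry deserves a look."""
    return [ln.strip() for ln in preload_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def processes_with_ld_preload(environs):
    """Map pid -> LD_PRELOAD value for processes whose environment sets it.
    environs is {pid: raw bytes of /proc/<pid>/environ}."""
    hits = {}
    for pid, blob in environs.items():
        for entry in blob.split(b"\x00"):
            if entry.startswith(b"LD_PRELOAD="):
                hits[pid] = entry.split(b"=", 1)[1].decode(errors="replace")
    return hits


def hidden_pids(listed_pids, pid_exists, max_pid=4096):
    """A hooked readdir() can drop pids from a listing of /proc, but it cannot
    stop a direct probe of /proc/<pid>. Walk the pid space and report pids that
    exist but were not listed. pid_exists is injected so the check is testable;
    on a live host pass lambda p: os.path.exists(f"/proc/{p}") and run the
    checker from a statically linked binary, since a preload that also hooks
    stat()/open() would otherwise be loaded into the checker itself."""
    listed = set(listed_pids)
    return [p for p in range(1, max_pid + 1) if pid_exists(p) and p not in listed]
```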

💼 Botnet-for-Hire?

The botnet may be a botnet-for-hire service, deploying other attackers' payloads for payment. Different wallet addresses for miner and ransomware support this theory.

โš ๏ธ Broader Threat Landscape

This revelation aligns with findings from AhnLab Security Intelligence Center (ASEC) and Fortinet FortiGuard Labs, which report similar botnet activities exploiting vulnerable web servers and cloud services for malware distribution and updates.

🚨 Security Recommendations

Given the rise in such attacks, it's crucial for organisations to secure Redis servers, update software regularly, and monitor for suspicious activities to mitigate the risk of infection by botnets like P2PInfect.
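As an added example (not from the page or the researchers it cites), a small audit of a redis.conf for the settings that leave a server open to worms like P2PInfect, shown on a constructed weak configuration beside its hardened counterpart; the directive names are real Redis directives, the file contents and the password value are made up.

```python
# Constructed sample of a weakly configured redis.conf (not from the page).
WEAK_CONF = """
# bind 127.0.0.1 -::1
protected-mode no
port 6379
# requirepass foobared
"""

# The same file with the settings tightened (constructed example; use a real
# long random secret in place of the placeholder).
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass "PLACEHOLDER-long-random-secret"
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""


def parse_conf(text):
    """Return {directive: [values]} for active (uncommented) lines, in file order."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        conf.setdefault(key.lower(), []).append(rest.strip())
    return conf


def audit_redis_conf(text):
    """List the exposures a Redis-targeting worm relies on: reachable from the
    network, no authentication, and admin/replication commands left enabled."""
    conf = parse_conf(text)
    findings = []
    binds = conf.get("bind", [])
    # With no bind directive Redis listens on every interface.
    if not binds or any(b.split()[0] in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: listens on all interfaces")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled, unauthenticated remote access possible")
    if "requirepass" not in conf:
        findings.append("requirepass: no password set")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v}
    for cmd in ("CONFIG", "SLAVEOF", "REPLICAOF"):
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still reachable")
    return findings
```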

Don’t ask, don’t telco

🚨 KT Accused of Malware Attack to Throttle P2P Traffic 🚦

South Korean telco KT is under fire for allegedly infecting customers with malware to curb excessive use of peer-to-peer (P2P) downloading tools, affecting around 600,000 users of "web hard drives", online storage services for uploading and sharing content. 💾

๐Ÿ•ต๏ธโ€โ™‚๏ธ Police Investigation Unfolds

The malware, inserted into KT's Grid Program, disrupted file exchange services, leading to user complaints. ๐Ÿ˜ก This activity reportedly began in May 2020 and lasted nearly five months, originating from within KT's datacenters. ๐Ÿข

A police investigation is underway, with searches conducted at KT's headquarters and datacenters for evidence of violations of South Korea's Communications Secrets Protection Act (CSPA) and Information and Communications Network Act (ICNA). โš–๏ธ Thirteen KT employees have been identified for potential prosecution. ๐Ÿ‘ฎโ€โ™‚๏ธ

๐Ÿ“ฃ KT's Defense and Public Outcry

KT defends its actions by labelling the P2P service as malicious. However, distributing malware and disrupting customer files have raised serious ethical concerns about privacy and consent. ๐Ÿค”

Given the notorious targeting of P2P-shared files by malware distributors, KT might have assumed its users wouldn't notice an extra virus or two. But the public outcry suggests otherwise. ๐Ÿ˜ ๐Ÿ”

Have a good weekend y’all!

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ๐Ÿ›ก๏ธ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday ๐Ÿ“…

  • ๐Ÿ’ตย Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for ๐Ÿ†“

  • ๐Ÿ“ˆย Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future ๐Ÿ‘พ

Let us know what you think.

So long and thanks for reading all the phish!
