Surge in Cyberattacks

May 30 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that’s always bringing the 🔥 cyber stories 😎😎😎

Today’s hottest cybersecurity news stories:

  • 😨 Be afraid, says CERT-UA, of UAC-0006’s malware campaign ☣️

  • 💥 MITRE attack: rogue VMs allowed hackers to evade detection 👤

  • 🤦‍♂️ Human error is still the proverbial Achilles heel of cybersecurity 🤬

UAC what we mean? 👀

🚨 Surge in Cyberattacks by UAC-0006 Targeting Ukraine 🎯

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a significant increase in cyberattacks linked to the financially-motivated threat actor UAC-0006.

Threat Actor Overview 🕵️

  • Group: UAC-0006

  • Active Since: At least 2013

  • Primary Targets: Accountants’ PCs used for financial activities, including remote banking systems.

  • Main Activities: Stealing credentials and making unauthorised fund transfers.

Recent Campaigns 📅

  • Start Date: May 20, 2024

  • Campaigns: At least two major campaigns distributing SmokeLoader malware via email.

  • Tactics:

    • Emails with ZIP archives containing IMG files, which hide EXE malware and ACCDB documents.

    • Weaponized Microsoft Access files that execute malicious macros.

    • PowerShell commands used to download and run EXE files.

Malware Involved 🦠

  • SmokeLoader: Acts as a loader for other malware. Injects malicious code into the explorer process and downloads additional payloads.

  • TALESHOT and RMS: Downloaded post initial infection to further compromise the system.

Botnet Operations 🤖

  • Size: Several hundred infected machines.

  • Potential Actions: CERT-UA suspects imminent fraudulent activities involving remote banking systems.

CERT-UA Recommendations 🛡️

Target Audience: Ukrainian CEOs and IT departments.

Recommendations:

  • Enhance cybersecurity measures for accountants’ automated workplaces.

  • Implement proper security policies and protection mechanisms.

  • Monitor for indicators of compromise provided by CERT-UA.

Historical Context 🕰️

  • Previous Warnings: In May 2023, CERT-UA alerted about a phishing campaign using SmokeLoader in the form of a polyglot file.

  • Financial Impact: UAC-0006 has attempted to steal tens of millions of hryvnias through mass online theft campaigns between August and October 2023.

Further Reading 📘

CERT-UA has published detailed articles on UAC-0006’s tactics, techniques, and procedures (TTPs) to help organisations better understand and defend against this persistent threat.

Conclusion 🛡️

The recent surge in cyberattacks by UAC-0006 targeting Ukraine's financial sector underscores the critical need for robust cybersecurity measures. Organisations, particularly those involved in financial operations, must stay vigilant and implement comprehensive security protocols to safeguard against these sophisticated attacks.

Learn how to scale your GRC program with automation and AI

Spending hours gathering evidence, tracking risk, and answering security questionnaires? Move away from manual work by automating key GRC program needs with Vanta.

  • Automate evidence collection across 21+ frameworks including SOC 2 and ISO 27001 with continuous monitoring

  • Centralize risk and report on program impact to internal teams

  • Create your own Trust Center to proactively manage buyer needs

  • Leverage AI to answer security questionnaires faster

Join Vanta’s webinar on June 11 to learn more about scaling your GRC program with automation and AI.

Register to save your spot.

They’ve MITRE their match 😬

🚨 MITRE Corporation Reports Rogue VMs in December 2023 Cyberattack 🛡️

The MITRE Corporation has released new details about a significant cyberattack that occurred in December 2023. This breach was disclosed in April 2024, revealing that a China-linked nation-state actor, UNC5221, infiltrated MITRE’s systems by exploiting two Ivanti Connect Secure zero-day vulnerabilities.

Timeline and Initial Response 📅

Date of Breach: January 2024

Discovery: The security team detected unauthorised activities and promptly took mitigation steps, including taking the affected Networked Experimentation, Research, and Virtualization Environment (NERVE) offline.

Action Taken: Third-party forensics and internal experts were engaged for a thorough investigation. Authorities and affected parties were notified, and operational alternatives for collaboration were initiated.

Modus Operandi 🕵️

Exploitation Method: Threat actors leveraged Ivanti Connect Secure vulnerabilities to gain access.

Infiltration: Attackers created rogue virtual machines (VMs) within MITRE’s VMware environment using compromised vCenter Server access.

Tools and Techniques:

  • Deployed a JSP web shell (BEEFLUSH) under the vCenter Server’s Tomcat server.

  • Used a Python-based tunnelling tool to facilitate SSH connections between rogue VMs and the ESXi hypervisor infrastructure.

Advanced Tactics 🚀

  • Evasion: By creating rogue VMs, the adversaries evaded detection from centralised management interfaces like vCenter, maintaining control over compromised systems.

  • Persistence: On January 7, 2024, they deployed malicious payloads, including the BRICKSTORM backdoor and the BEEFLUSH web shell, ensuring persistent access and arbitrary command execution.

  • Techniques: Manipulated SSH and scripts to control compromised systems.

    • Exploited the default VMware account (VPXUSER) to list drives, create new VMs, and execute payloads.

    • Used SFTP to write files and /bin/vmx to execute them, remaining invisible to standard management interfaces.

Subsequent Payloads 🦠

Additional malicious payloads such as WIREFIRE (aka GIFTEDVISITOR) and BUSHWALK web shells were deployed for data exfiltration.

Mitigation and Recommendations 🛠️

Scripts Released:

  • Invoke-HiddenVMQuery: A PowerShell script to detect malicious activities by scanning for anomalous invocations of the /bin/vmx binary.

  • VirtualGHOST: Another tool to help identify and mitigate threats within the VMware environment.

Key Points:

  • Simply using hypervisor management interfaces is insufficient for dealing with rogue VMs.

  • Special tools and techniques are required to effectively identify and manage rogue VMs, which operate outside standard security policies.
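To make the "rogue VM outside vCenter" check concrete, here is an added Python illustration; it is not MITRE's Invoke-HiddenVMQuery or VirtualGHOST and not code from this newsletter. It cross-checks constructed vmx process command lines from an ESXi host against a constructed vCenter inventory, so every path, VM name and the ps-style line format are assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample data (NOT captured from the MITRE incident): one line per
# running vmx process on an ESXi host, in the shape of a ps-style command line.
ESXI_VMX_PROCESSES = [
    "/bin/vmx -s sched.group=host/user /vmfs/volumes/ds1/web01/web01.vmx",
    "/bin/vmx -s sched.group=host/user /vmfs/volumes/ds1/db01/db01.vmx",
    "/bin/vmx /vmfs/volumes/ds1/.svc/svc-host/svc-host.vmx",
    "/bin/vmx /tmp/upd/upd.vmx",
]

# Constructed vCenter inventory: the config path of every VM vCenter knows about.
VCENTER_INVENTORY: Set[str] = {
    "/vmfs/volumes/ds1/web01/web01.vmx",
    "/vmfs/volumes/ds1/db01/db01.vmx",
}

VMX_CONFIG = re.compile(r"(\S+\.vmx)(?:\s|$)")


def vmx_config_path(cmdline: str) -> Optional[str]:
    """Return the .vmx config path named on a vmx process command line, if any."""
    match = VMX_CONFIG.search(cmdline)
    return match.group(1) if match else None


def audit_vmx_processes(process_lines: Iterable[str],
                        inventory: Set[str]) -> Dict[str, List[str]]:
    """Map each running .vmx path to the reasons it looks anomalous ([] = clean).

    A VM started directly through /bin/vmx never shows up in vCenter, so the
    host-side process list is the ground truth and the inventory is checked
    against it, not the other way round.
    """
    findings: Dict[str, List[str]] = {}
    for line in process_lines:
        path = vmx_config_path(line)
        if path is None:
            continue
        reasons: List[str] = []
        if path not in inventory:
            reasons.append("running but absent from vCenter inventory")
        if any(part.startswith(".") for part in path.split("/")):
            reasons.append("config stored under a dot-prefixed (hidden) directory")
        if not path.startswith("/vmfs/volumes/"):
            reasons.append("config outside /vmfs/volumes")
        findings[path] = reasons
    return findings


def unregistered_vms(process_lines: Iterable[str], inventory: Set[str]) -> List[str]:
    """Just the .vmx paths that have at least one finding, in process-list order."""
    return [p for p, why in audit_vmx_processes(process_lines, inventory).items() if why]
```

On a real host the process lines would come from the ESXi shell and the inventory from a PowerCLI or vSphere API query; only the comparison logic is shown here.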

Conclusion and Call to Action 📢

MITRE emphasises the need for vigilance and adaptability in defending against evolving cyber threats. By understanding and countering new adversary behaviours, organisations can bolster their defences and safeguard critical assets from future intrusions.

Takeaway 🥡

  • Stay Updated: Regularly update systems and follow vendor recommendations.

  • Vigilance: Continuously monitor for anomalous activities and potential threats.

  • Proactive Defence: Implement robust security measures, including the use of specialised tools for detecting rogue VMs.

By enhancing awareness and implementing proactive security strategies, organisations can better protect themselves from sophisticated cyberattacks.

Oh, the humanity! 🙃

🚨 CISOs Show Increased Confidence Amid Rising Cyberattack Fears 🔍

According to Proofpoint's 2024 Voice of the CISO report, while fears of cyberattacks continue to rise, Chief Information Security Officers (CISOs) are demonstrating increasing confidence in their ability to defend against these threats. 💼🛡️

Key Findings 🔍

  • Rising Confidence: 70% of CISOs feel at risk of a material cyberattack in the next 12 months, up from 68% in 2023 and 48% in 2022. However, only 43% feel unprepared for a targeted attack, a significant drop from 61% in 2023 and 50% in 2022. 📈🔒

  • Human Error: Human error remains the most significant vulnerability, with 74% of CISOs identifying it as a major concern. Despite this, 86% believe employees understand their role in protecting the organisation. 👥⚠️

  • AI Solutions: 87% of CISOs are looking to deploy AI-powered capabilities to mitigate human-centric risks and advanced threats. 🤖🛡️

  • Top Threats: The biggest perceived threats in 2024 are ransomware (41%), malware (38%), and email fraud (36%). 🦠📧

  • Generative AI Risks: 54% of CISOs believe generative AI poses a security risk, with tools like ChatGPT, collaboration platforms, and Microsoft 365 seen as top concerns. 🤖⚠️

Strategic Shifts 🔄

  • Increased Investment: There is a notable increase in data loss prevention (DLP) technology and employee education on data security best practices. 📊🎓

  • Board Alignment: 84% of CISOs report that their board members align with them on cybersecurity issues, up from 62% in 2023. 🏛️🤝

  • CISO Burnout: Burnout among CISOs has decreased slightly, but 66% still feel excessive expectations, and 72% would not join an organisation without Directors & Officers (D&O) insurance. ⚠️😓

Challenges and Adaptations 🏆

  • Economic Impact: 59% of CISOs report that the economic downturn has hampered their ability to make critical investments, with many facing budget cuts and staff reductions. 💸📉

  • Proactive Measures: CISOs are increasingly focused on strategic defences, including enhanced education and technological adoption, to counter evolving threats. 🛡️💡

Conclusion

Ryan Kalember, Chief Strategy Officer at Proofpoint, emphasises the need for vigilance and adaptation in the face of ongoing challenges. The report underscores a shift towards greater resilience and preparedness among CISOs globally. 🌍🔍

๐Ÿ—ž๏ธ Extra, Extra! Read all about it! ๐Ÿ—ž๏ธ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ๐Ÿ›ก๏ธ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday ๐Ÿ“…

  • ๐Ÿ’ตย Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for ๐Ÿ†“

  • ๐Ÿ“ˆย Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future ๐Ÿ‘พ

Let us know what you think.

So long and thanks for reading all the phish!
