Take a look at this week's Cyber Weekly Digest for a round-up of the latest cyber security news. In this week's digest, we dive into the DDoS attack that took down the European Parliament's website, as well as how Google is arming you with the resources to detect Cobalt Strike. Keep reading to stay up to date on the biggest cyber security news.
Microsoft reported that vulnerabilities in Boa, a web server whose development was discontinued in 2005, have been used to target and compromise organisations in the energy sector. A report published in April found that state-backed Chinese hacking groups (including one tracked as RedEcho) had targeted multiple Indian electrical grid operators and also compromised an Indian national emergency response system and a subsidiary of a multinational logistics company. The attackers reached the victims' internal networks through Internet-exposed IP cameras, which they also used as command-and-control servers. The group likely used the open-source tool Fast Reverse Proxy (FRP) to keep a foothold on the compromised cameras and, from there, enumerated Boa web servers. Boa has a wide array of known vulnerabilities, including the arbitrary file access flaw CVE-2017-9833, Microsoft researchers said; because Boa is still embedded in IoT devices and their SDKs, those flaws remain exposed years after the project was abandoned. Another adversary reported to have abused this vulnerability is the Hive ransomware gang, which hacked Tata Power, India's largest integrated power company, last month.
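The practical question for a defender reading this item is whether any Boa instances are reachable on their own network, and whether anyone has already tried path traversal against them. The script below is an added example written for this digest, not code from Microsoft or the April report: it fingerprints Boa from the HTTP `Server` banner and flags access-log requests containing a `..` path segment, including percent- and double-percent-encoded forms. All hosts, headers and log lines are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample data (not from Microsoft's or the April report): raw HTTP
# response headers captured from three internal hosts, and a few access-log
# lines in Common Log Format from two others.
SAMPLE_RESPONSES = {
    "10.0.0.12": "HTTP/1.0 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n",
    "10.0.0.13": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n",
    "10.0.0.14": 'HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm="camera"\r\nServer: Boa/0.93.15\r\n\r\n',
}

SAMPLE_LOG = """\
10.0.0.50 - - [22/Nov/2022:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 512
10.0.0.50 - - [22/Nov/2022:10:01:07 +0000] "GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0" 200 1024
10.0.0.50 - - [22/Nov/2022:10:01:09 +0000] "GET /cgi-bin/x?f=%252e%252e%252fetc%252fshadow HTTP/1.0" 404 0
10.0.0.51 - - [22/Nov/2022:10:02:00 +0000] "GET /img/logo..png HTTP/1.0" 200 77
"""

SERVER_RE = re.compile(r"^Server:\s*Boa/(\S+)", re.IGNORECASE | re.MULTILINE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# '..' is only a traversal when it is a whole path segment or query value,
# so "logo..png" does not match but "file=../../etc/passwd" does.
TRAVERSAL_RE = re.compile(r"(?:^|[/\\?=&;])\.\.(?:[/\\]|$)")


def boa_version(raw_headers: str):
    """Return the Boa version string from the Server header, or None if not Boa."""
    m = SERVER_RE.search(raw_headers)
    return m.group(1) if m else None


def find_boa_hosts(responses: dict) -> dict:
    """Map host -> Boa version for every host whose banner is Boa.

    Boa development stopped in 2005, so every version found is end-of-life and
    unpatched for CVE-2017-9833; there is no 'safe' Boa version to filter out.
    """
    found = {}
    for host, raw in responses.items():
        ver = boa_version(raw)
        if ver is not None:
            found[host] = ver
    return found


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def traversal_requests(log_text: str) -> list:
    """Return access-log entries whose (decoded) request path contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if TRAVERSAL_RE.search(fully_decode(m.group("path"))):
            hits.append({"ip": m.group("ip"), "path": m.group("path"), "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    print("Boa hosts:", find_boa_hosts(SAMPLE_RESPONSES))
    for hit in traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

Banner matching is a first pass only: a device vendor can rename or strip the `Server` header, so a negative result does not clear a host, and the traversal check should run on the logs of every embedded device, not just those that admit to being Boa.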
Two individuals were arrested in Estonia on Sunday after being indicted in the US for running a massive cryptocurrency Ponzi scheme that caused more than $575 million in losses. The defendants, 37-year-olds Sergei Potapenko and Ivan Turõgin, are accused of defrauding hundreds of thousands of victims, together with four other co-conspirators residing in Estonia, Belarus, and Switzerland, between December 2013 and August 2019. The victims' funds were allegedly funnelled through a complex network of shell companies, bank accounts, virtual asset service providers, and cryptocurrency wallets designed to launder the money. Their company, HashCoins OÜ, imported and assembled other companies' cryptocurrency mining hardware rather than manufacturing its own, as it had advertised. The Ponzi element emerged when customers were unable to withdraw their funds from the crypto mining pools they had bought into. The two were charged with 16 counts of wire fraud, one count of conspiracy to commit money laundering, and one count of conspiracy to commit wire fraud.
The Google Cloud Threat Intelligence team has open-sourced YARA rules and a VirusTotal Collection of indicators of compromise (IOCs) to help defenders detect Cobalt Strike components in their networks. Security teams will also be able to identify which Cobalt Strike versions are deployed in their environment using these detection signatures. Google prioritised detecting the exact version because it considers the version an important clue to whether a given deployment is legitimate: the cracked and leaked builds favoured by threat actors are, as Google explained, in most cases at least one version behind the current release. That version gap let the company collect hundreds of stagers, templates, and beacon samples used in the wild and build YARA-based detection rules with a high degree of accuracy. Google also shared a collection of detection signatures for Sliver, a legitimate, open-source adversary emulation framework designed for security testing that has likewise been adopted by malicious actors as a Cobalt Strike alternative. Cobalt Strike is one of the most common tools seen in cyberattacks leading to data theft and ransomware.
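Google's rules key on per-version artefacts of the stagers and templates, which is the right way to get exact versions. A coarser check a team can run on its own, shown here as an added example that is not Google's code or rules, is to locate the Beacon's embedded configuration: it is a TLV list (big-endian 2-byte index, 2-byte kind, 2-byte length, value) masked with a single XOR byte, and the key itself separates the 3.x line (0x69) from the 4.x line (0x2e). Those format details are taken from publicly documented Beacon config parsers and are assumptions of this example; the "beacon" it parses is a constructed byte string, not a real sample.

```python
import struct

# Assumptions (from publicly documented Beacon config parsers, not from Google's
# post): config fields are big-endian index/kind/length TLVs, the whole config
# is XOR-masked with one byte (0x69 in 3.x, 0x2e in 4.x), and field 1 (beacon
# type) is always a short, so every config starts with 00 01 00 01 00 02.
XOR_KEYS = {0x69: "3.x", 0x2E: "4.x"}
CONFIG_MAGIC = b"\x00\x01\x00\x01\x00\x02"
KIND_SHORT, KIND_INT, KIND_BYTES = 1, 2, 3
FIELD_NAMES = {1: "beacon_type", 2: "port", 3: "sleep_ms", 4: "max_get_size",
               5: "jitter", 8: "c2_server"}


def _xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def _field(index: int, kind: int, value) -> bytes:
    """Encode one TLV field (used only to build the constructed sample below)."""
    if kind == KIND_SHORT:
        body = struct.pack(">H", value)
    elif kind == KIND_INT:
        body = struct.pack(">I", value)
    else:
        body = value
    return struct.pack(">HHH", index, kind, len(body)) + body


def build_sample(key: int) -> bytes:
    """Constructed stand-in for a beacon image: filler, a masked config, filler."""
    cfg = (_field(1, KIND_SHORT, 8) + _field(2, KIND_SHORT, 443)
           + _field(3, KIND_INT, 60000) + _field(5, KIND_SHORT, 20)
           + _field(8, KIND_BYTES, b"c2.example.invalid,/load\x00"))
    cfg += b"\x00" * 16  # an index of 0 terminates the field list
    return b"\x90" * 64 + _xor(cfg, key) + b"\x90" * 32


def find_config(blob: bytes):
    """Locate a masked config by searching for the magic masked under each known key."""
    for key, family in XOR_KEYS.items():
        off = blob.find(_xor(CONFIG_MAGIC, key))
        if off != -1:
            return key, family, off
    return None


def parse_config(blob: bytes):
    """Unmask and decode the config; None if no known-key magic is present."""
    hit = find_config(blob)
    if hit is None:
        return None
    key, family, off = hit
    data = _xor(blob[off:], key)
    fields, pos = {}, 0
    while pos + 6 <= len(data):
        index, kind, length = struct.unpack_from(">HHH", data, pos)
        pos += 6
        if index == 0:
            break
        raw = data[pos:pos + length]
        pos += length
        if len(raw) != length:
            break  # truncated field: stop rather than misparse
        if kind == KIND_SHORT and length == 2:
            value = struct.unpack(">H", raw)[0]
        elif kind == KIND_INT and length == 4:
            value = struct.unpack(">I", raw)[0]
        else:
            value = raw.rstrip(b"\x00").decode("latin-1")
        fields[FIELD_NAMES.get(index, f"field_{index}")] = value
    return {"xor_key": key, "family": family, "offset": off, "fields": fields}


if __name__ == "__main__":
    print(parse_config(build_sample(0x2E)))
```

This only tells 3.x from 4.x and only works on an unpacked beacon with a default mask; operators can rebuild the masking, which is exactly why Google's version-specific signatures over the stagers and templates are the stronger control, and why the extracted C2 server and port belong in the same IOC collection rather than in a one-off script.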
Cybercriminals are increasingly turning to a new Go-based information stealer named 'Aurora' to steal sensitive information from browsers and cryptocurrency apps, exfiltrate data directly from disk, and load additional payloads. According to researchers, at least seven notable cybercrime gangs with significant activity have adopted Aurora, either exclusively or alongside RedLine and Raccoon, two other established information-stealing malware families. RedLine's source code, however, has leaked numerous times, allowing low-skilled threat actors to run their own RedLine operations without paying for the malware. Aurora's popularity rests on its low detection rates and general obscurity, which make its infections less likely to be noticed, combined with advanced data-stealing features and, presumably, stable infrastructure and functionality. On execution, the stealer runs several commands through WMIC to collect basic host information, takes a screenshot of the desktop, and sends everything to the C2 over an encrypted TCP channel. It then parses every desktop wallet app it can find, bundles the data into a single base64-encoded JSON blob, and exfiltrates it to the C2 over TCP port 8081 or 9865.
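Because the payload is encrypted, the detectable part of the chain described above is the behaviour around it: an unusual parent process spawns WMIC discovery queries and, shortly after, that same parent opens an outbound TCP connection to 8081 or 9865. The script below is an added example for this digest, not the researchers' code: it correlates those two events per host and parent PID within a time window. The telemetry is constructed JSON lines in the style of Sysmon process-create and network-connect events; the five-minute window and the "any `wmic ... get` is discovery" heuristic are assumptions to tune.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not from the researchers' report), one JSON
# object per line in the style of Sysmon process-create and network-connect
# events. ws01 shows the pattern: a dropper spawns WMIC discovery queries, then
# connects to port 8081 itself. ws02 has the same pieces 25 minutes apart; ws03
# is a browser talking to 9865 with no discovery at all.
SAMPLE_EVENTS = r"""
{"ts":"2022-11-22T10:00:00","event":"process_create","host":"ws01","pid":4321,"ppid":1200,"image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmdline":"wmic os get Caption,Version","parent_image":"C:\\Users\\u\\AppData\\Local\\Temp\\update.exe"}
{"ts":"2022-11-22T10:00:01","event":"process_create","host":"ws01","pid":4322,"ppid":1200,"image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmdline":"wmic cpu get Name","parent_image":"C:\\Users\\u\\AppData\\Local\\Temp\\update.exe"}
{"ts":"2022-11-22T10:00:20","event":"network_connect","host":"ws01","pid":1200,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\update.exe","dest_ip":"203.0.113.10","dest_port":8081}
{"ts":"2022-11-22T10:05:00","event":"process_create","host":"ws02","pid":777,"ppid":900,"image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmdline":"wmic os get Caption","parent_image":"C:\\Windows\\System32\\cmd.exe"}
{"ts":"2022-11-22T10:30:00","event":"network_connect","host":"ws02","pid":900,"image":"C:\\Windows\\System32\\cmd.exe","dest_ip":"198.51.100.5","dest_port":8081}
{"ts":"2022-11-22T10:31:00","event":"network_connect","host":"ws03","pid":55,"image":"C:\\Program Files\\Browser\\browser.exe","dest_ip":"198.51.100.9","dest_port":9865}
"""

SUSPECT_PORTS = {8081, 9865}   # the C2 ports named in the report
WINDOW = timedelta(minutes=5)  # assumption: discovery and first check-in are close together


def load_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_wmic_discovery(ev: dict) -> bool:
    """True for a process-create of WMIC running a 'get' query (host fingerprinting)."""
    return (ev["event"] == "process_create"
            and ev["image"].lower().endswith("\\wmic.exe")
            and " get " in f' {ev["cmdline"].lower()} ')


def detect_aurora_pattern(events: list, window: timedelta = WINDOW) -> list:
    """Correlate WMIC discovery spawned by a parent with that parent's own outbound
    connection to a suspect port within the window; one alert per matching connect."""
    spawns = defaultdict(list)  # (host, parent pid) -> [(ts, cmdline, parent_image)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if is_wmic_discovery(ev):
            spawns[(ev["host"], ev["ppid"])].append((ts, ev["cmdline"], ev["parent_image"]))
        elif ev["event"] == "network_connect" and ev["dest_port"] in SUSPECT_PORTS:
            recent = [s for s in spawns.get((ev["host"], ev["pid"]), []) if ts - s[0] <= window]
            if recent:
                alerts.append({
                    "host": ev["host"], "pid": ev["pid"], "image": ev["image"],
                    "wmic_count": len(recent), "wmic_cmdlines": [s[1] for s in recent],
                    "dest": f'{ev["dest_ip"]}:{ev["dest_port"]}', "dest_port": ev["dest_port"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_aurora_pattern(load_events(SAMPLE_EVENTS)):
        print("ALERT", alert)
```

The ports are the weakest part of this rule and will change; the durable signal is a binary that is not an administration tool spawning WMIC and then originating encrypted traffic itself, so in production widen the port set to "any non-standard port" and let the parent-image allow-list carry the precision.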
The website of the European Parliament was taken down by a distributed denial-of-service (DDoS) attack claimed by Anonymous Russia, a group operating under the Russian hacktivist collective Killnet. The European Parliament President confirmed the incident, saying that the Parliament's "IT experts are pushing back against it & protecting our systems." The Director General for Communication and Spokesperson of the European Parliament also stated, after the website went down, that the outage was caused by an ongoing DDoS attack. The attack began after the European Parliament recognised Russia as a state sponsor of terrorism and MEPs called for further international isolation of Russia. Anonymous Russia claimed the attack in an announcement on its public Telegram channel. Killnet has recently been linked to attacks on the websites of several U.S. airports and, one week before those, on U.S. state government websites in Colorado, Kentucky, and Mississippi, with moderate success: some were knocked offline for a short time.