Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

CERT of Ukraine says Russia-linked APT backdoored multiple govt sites

The CERT of Ukraine (CERT-UA) revealed that Russia-linked threat actors have compromised multiple government websites this week.  The Computer Emergency Response Team of Ukraine (CERT-UA) said that Russia-linked threat actors have breached multiple government websites this week. The government experts attribute the attack to UAC-0056 group (DEV-0586, unc2589, Nodaria, or Lorec53). “the Government Computer Emergency […]

Ukraine CERT-UA backdoor SSU PathWiper wiper

The CERT of Ukraine (CERT-UA) revealed that Russia-linked threat actors have compromised multiple government websites this week. 

The Computer Emergency Response Team of Ukraine (CERT-UA) said that Russia-linked threat actors have breached multiple government websites this week. The government experts attribute the attack to UAC-0056 group (DEV-0586, unc2589, Nodaria, or Lorec53).

“the Government Computer Emergency Response Team of Ukraine CERT-UA is taking measures to investigate the circumstances of the incident on February 23, 2023.” reads the alert published by Ukraine’s Computer Emergency Response Team. “As of 11:00 on 02/23/2023, a previously known encrypted web shell was detected on one of the websites, and the fact of its use was confirmed in the period from 22:00 on 02/22/2023 to 05:30 on 02/23/2023, as a result of which, among other things , the file “index.php” was created in the root web directory, which provided modification of the content of the main page of the web resource.” 

The SSSCIP’s National Cybersecurity Coordination Center along with the Cyber ​​Police are working together to lock out the threats and investigate the security breaches.

“Today, on February 23, an attack was detected on a number of websites of Ukrainian central and local authorities, resulting in a modification of the content of some of their webpages.” reads the advisory published by Ukraine’s cybersecurity defense and security agency SSSCIP.

The state-sponsored hackers used a web shell created no later than December 23, 2021, to deploy multiple backdoors. 

The nation-state actor employed the SSH backdoor CredPump (PAM module) to achieve remote SSH access (with a static password value) and logging of logins and passwords when connecting via SSH.

The attackers also used the HoaxPen and HoaxApe backdoors, experts discovered that the malicious codes were in the form of a module for the Apache web server and were installed in February 2022.

The alert states that attackers employed GOST (Go Simple Tunnel) and the Ngrok program in the early stages of the attack.

The alert also includes Indicators of compromise (IoCs) for the attacks.

The UAC-0056 APT group has been active since at least March 2021, it focuses on Ukraine, despite it has been involved in attacks on targets in Kyrgyzstan and Georgia.

In early February, the UAC-0056 group has been observed deploying a new information stealer dubbed Graphiron in attacks against Ukraine.

In early February 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a phishing campaign aimed at state authorities that involves the use of the legitimate remote access software Remcos.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)