Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Foreign hackers breached Russian federal agencies, said FSB

FSB National Coordination Center for Computer Incidents (NKTsKI) revealed that foreign hackers have breached networks of Russian federal agencies. A joint report published by Rostelecom-Solar and the FSB National Coordination Center for Computer Incidents (NKTsKI) revealed that foreign hackers have stolen information from Russian federal agencies. The attacks were spotted in 2020, threat actors leveraged […]

FSB Russia's Secret Blizzard APT targets Ukraine with Kazuar backdoor https://securityaffairs.com/171896/apt/secret-blizzard-targets-ukraine-with-kazuar-backdoor.html #securityaffairs #hacking

FSB National Coordination Center for Computer Incidents (NKTsKI) revealed that foreign hackers have breached networks of Russian federal agencies.

A joint report published by Rostelecom-Solar and the FSB National Coordination Center for Computer Incidents (NKTsKI) revealed that foreign hackers have stolen information from Russian federal agencies.

The attacks were spotted in 2020, threat actors leveraged spear-phishing attacks, exploitation of vulnerabilities in web applications, hacking the infrastructure of contractors to penetrate the infrastructure of the Russian federal executive authorities.

Experts believe that threat actors behind the intrusions are sophisticated cyber mercenaries engaged by a foreign state.

“The level of attackers (the technologies and mechanisms used, the speed and quality of the work they have done) makes it possible to qualify them as cyber mercenaries pursuing the interests of a foreign state. Such attackers could stay inside the infrastructure for a long time and not give themselves away.” reads the report. “The main goal of the hackers was to completely compromise the IT infrastructure and steal confidential information, including documents from closed segments and mail correspondence of key federal executive authorities.”

Once compromised the networks of the targeted agencies, hackers gathered sensitive information from internal systems. Attackers gained access to mail servers, electronic document management servers, file servers, and workstations of various levels to steal data of interest.

The threat actors employed two previosuly undetected piece of malware dubbed Mail-O and Webdav-O.

“Mail-O is a downloader program that accesses the Mail.ru Cloud associated with account sewn into the sample. All communication takes place using the Cloud API Mail.ru” states the report. “Webdav-O is another malware that has never been described before. Like Mail-O, it interacts with the management server through the Yandex.Disk cloud. The malware supports two authentication methods: basic (with login and password) and oauth (with using a token).”

According to the report, the hackers have specifically targeted systems within federal agencies and designed their malware to bypass the most popular Russian antivirus Kaspersky that is usually installed by government offices.

“The malware developed by cybercriminals used the cloud storages of the Russian companies Yandex and Mail.ru Group to download the collected data. The hackers disguised their network activity as the legitimate utilities Yandex Disk and Disk-O. Such malware has never been encountered anywhere before;” continues the report.

  • FSB concludes these are unprecedented attacks for multiple factors including:
  • Level of threat, the attacks hit federal significance;
  • 5th level of threat according to the model used by Solar JSOC;
  • Complete compromise of infrastructure and theft of confidential government data;
  • Involvement of previously undetected malware;
  • The use of multiple attack vectors;
  • The use of Russian cloud providers “Yandex” and Mail.ru Group;
  • Zero-detection rate of the artifacts involved;

FSB did not attribute the attack to any foreign country.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Russian federal agencies)

[adrotate banner=”5″]

[adrotate banner=”13″]