U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

APT

Sandworm APT group hit Ukrainian news agency with five data wipers

The Ukrainian (CERT-UA) discovered five different wipers deployed on the network of the country’s national news agency, Ukrinform. On January 17, 2023, the Telegram channel “CyberArmyofRussia_Reborn” reported the compromise of the systems at the Ukrainian National Information Agency “Ukrinform”. The Ukrainian Computer Emergency Response Team (CERT-UA) immediately investigated the claims and as of January 27, […]

Ukraine CERT-UA backdoor SSU PathWiper wiper

The Ukrainian (CERT-UA) discovered five different wipers deployed on the network of the country’s national news agency, Ukrinform.

On January 17, 2023, the Telegram channel “CyberArmyofRussia_Reborn” reported the compromise of the systems at the Ukrainian National Information Agency “Ukrinform”.

The Ukrainian Computer Emergency Response Team (CERT-UA) immediately investigated the claims and as of January 27, 2023, found five samples of data wipers:

“As of January 27, 2023, 5 samples of malicious programs (scripts) were detected functionality of which is aimed at violating the integrity and availability of information (writing files/disks with zero bytes/arbitrary data and their subsequent deletion)” reads the report published by the CERT-UA.

“It was found that the attackers made an unsuccessful attempt to disrupt the regular operation of users’ computers using the CaddyWiper and ZeroWipe malicious programs, as well as the legitimate SDelete utility (which was supposed to be launched using “news.bat”).”

The attackers attempted to disrupt the regular operation of target systems using the CaddyWiper and ZeroWipe, as well as the legitimate SDelete utility that was allegedly launched using the file “news.bat”. The attackers also created a group policy object (GPO) to distribute the CaddyWiper malware.

However, the attack attempt partially failed because the threat actors were able to wipe out the data only on some of the news agency’s systems, such as several data storage systems, which didn’t impact the operations at the Ukrainian agency.

According to the report, threat actors conducted a reconnaissance of the Ukrinform agency no later than December 7, 2022, and breached its systems on January 17, 2023.

The CERT-UA attributes the attack to the Russia-linked APT group UAC-0082 (aka Sandworm, BlackEnergy, and TeleBots).

The Sandworm group has been active since 2000, it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017.

In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShredCaddyWiperHermeticWiperIndustroyer2IsaacWiperWhisperGatePrestigeRansomBoggs, and ZeroWipe. 

On September 2022, the Sandworm group was observed impersonating telecommunication providers to target Ukrainian entities with malware.

Last week, researchers from ESET discovered a new Golang-based wiper, dubbed SwiftSlicer, that was used in attacks aimed at Ukraine. 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Sandworm)