Information Security Review for the Period from 17 to 24 February 2022


A new tool of the Sandworm cybercrime group, ransomware attacks, a Swiss bank data leak, the theft of $1.7 million from users of the OpenSea NFT platform, cyber attacks on Ukraine – read about these and other events in the world of information security in our review.

Representatives of US and UK law enforcement agencies have linked a new malware called Cyclops Blink to the Russian hacker group Sandworm. The malware was used in attacks on WatchGuard Firebox network security devices and other small office/home office (SOHO) network devices. Cyclops Blink appears to be a replacement for the VPNFilter malware discovered in 2018, and its deployment could allow Sandworm to gain remote access to networks.

In turn, researchers from the Chinese Pangu Lab revealed details about a “top-level” backdoor used by the APT group Equation Group. The tool, dubbed Bvp47 because of numerous references to the string Bvp and the numeric value 0x47 in its encryption algorithm, was discovered on Linux-based systems during an investigation in 2013.

The US authorities have revealed details about a malicious campaign in which hackers allegedly linked to Russia broke into the networks of several US defense contractors. As a result of the attacks, confidential information about the US communications infrastructure engaged in the development of weapons was disclosed. The campaign began in at least January 2020 and lasted until February of this year. The hackers successfully compromised verified defense contractors that hold contracts with the U.S. Department of Defense and the intelligence community.

An Iranian hacker group called Moses Staff used a multi-component set of tools to carry out espionage against Israeli organizations. During the malicious campaign, the group exploited ProxyShell vulnerabilities in Microsoft Exchange servers as the initial infection vector to install two web shells, and then stole Microsoft Outlook data files (.PST).

Another Iranian hacker group, TunnelVision, exploits the critical Log4Shell vulnerability (CVE-2021-44228) in the open source Apache Log4j library to install ransomware on VMware Horizon servers. TunnelVision actively exploits the vulnerability to run malicious PowerShell commands, install backdoors, create backdoor users, steal credentials and move around the network. As a rule, the attackers first use the Log4j vulnerability to run PowerShell commands directly, and then run further commands using reverse PowerShell shells executed through the Tomcat process.

Owners of Asustor NAS devices reported DeadBolt ransomware attacks on Reddit and on the manufacturer's official forums. The same ransomware had earlier caused damage to QNAP devices, and Asustor devices became its next target. The methods of the DeadBolt operators have not changed much: the attackers remotely infect the victim’s NAS devices, encrypt information and demand a ransom in bitcoins.

The American kitchen utensil manufacturer Meyer reported a leak of its employees' data as a result of a ransomware attack in October last year. The break-in took place on October 25, but was discovered only on December 1. The attackers stole employees' first and last names, addresses, dates of birth, information about gender, race and ethnicity, social security numbers, insurance data, medical data, driver’s licenses, passports, identification numbers and US permanent resident cards, as well as information about immigration status. Meyer did not say which ransomware family attacked its networks, but the Conti group claimed responsibility for the incident.

After four years of malicious activity, the TrickBot group decided to shut down its operation, since its main participants came under the leadership of Conti. TrickBot has dominated the malware market since 2016, collaborating with ransomware groups and causing havoc on millions of devices around the world. Initially, the Ryuk group collaborated with TrickBot, but soon Conti took the place of the latter.

TrickBot operators have organized new phishing attacks on customers of 60 large organizations, many of which are located in the United States. During the attacks, attackers send emails on behalf of well-known companies, in particular, Bank of America, Wells Fargo, Microsoft, Amazon, PayPal, American Express, Robinhood, and the U.S. Navy Federal Credit Union (NFCU).

At a briefing on Wednesday, February 23, White House Secretary Jen Psaki said that new cyber attacks on the networks of the Ukrainian authorities correspond to actions that Russia allegedly took before.

“We have not yet established who is behind these actions. But such behavior corresponds to what Russia has previously undertaken in attempts to destabilize Ukraine, they correspond to what we observed last week. We have established that Russia is responsible for those attacks,” the spokeswoman said.

A new malware called Xenomorph, distributed through the Google Play Store, infected more than 50 thousand Android devices in order to steal banking information. Xenomorph is still at an early stage of development and is designed to carry out attacks on users of dozens of financial institutions in Spain, Portugal, Italy and Belgium.

One of the most high-profile events of the week was the data leak at the large Swiss conglomerate Credit Suisse. The data, obtained by Süddeutsche Zeitung journalists from an anonymous source a little less than a year ago, relate to accounts belonging to 37 thousand people or companies, totaling more than $100 billion. According to Le Monde, “at least $8 billion of them are related to clients recognized as problematic.”

Last weekend, attackers carried out a phishing attack on users of OpenSea, one of the largest NFT trading platforms, and stole $1.7 million worth of NFT tokens from them. The attackers managed to trick 32 people into signing a payload that allowed their NFTs to be transferred to the fraudsters for free. Although the company is sure that the affected users fell for a phishing scheme, it is not known what the scheme was. Apparently, the attack was carried out outside of OpenSea.
