Review of security incidents for the period from March 17 to March 23, 2022


The Greek National Post has been unable to recover for several days after a cyberattack, the Lapsus$ cyber-rich continue their triumphant hacks, Anonymous hacktivists are at war with Russian companies and companies remaining on the Russian market, and Conti have been leaked data again – read about these and other events of the week in our review.

Early in the morning on March 17, interruptions began to occur in the operation of the Polish railway network. The authorities attributed this to “malfunctions in control devices” in several local railway traffic control centers. Transportation was blocked for 820 km. Trains stopped en route or did not get on the route. The movement of trains across the country has stopped.

On Monday, March 21, the National Postal Service of Greece (Hellenic Post, ELTA) announced the temporary shutdown of its commercial information systems in all post offices due to a cyber attack that occurred on the night of Sunday to Monday. IT specialists found that the attackers exploited an uncorrected vulnerability through which malware was downloaded, giving hackers access to one of the workstations using the HTTPS reverse shell. The main purpose of the cyberattack was to encrypt the critical systems of the postal service, but ELTA did not report any ransom demands.

Anonymous hacktivists threatened all companies that continue to cooperate with Russia with cyber attacks and called on them to sever all relations with Russia within 48 hours. The appeal was accompanied by an image with the logos of dozens of large corporations, including Burger King, Citrix, Nestle and Subway. Of these, Nestle — a global manufacturer of food and beverages – seems to have caused the greatest rage among a group of hacktivists who dedicated a separate tweet to the corporation “Nestle,.. you have been warned and are now hacked,” the message says.

Hackers, allegedly members of the Anonymous movement, announced the hacking of dozens of surveillance cameras in Russia and the launch of a political message on top of their video stream. They also created a website Behind Enemy Lines, where you could watch a “live” video broadcast from these cameras.

Anonymous also has solidify That the Omega company, which is its own research division of the Russian state oil company Transneft, was hacked and 79 GB of emails of its employees were stolen. The stolen emails contain invoices, hardware configuration data, and delivery information. Some of the emails are dated March 15, 2022.

Hackers hacked the official VKontakte group with 12.4 million subscribers and sent out an “anti-war manifesto”. In the manifesto, the hackers told “about the number of victims and the economic situation in Russia” after the start of the military operation.

The South American hacker group Lapsus$ continues its “triumphant march” around the planet, this time it announced the hacking of internal repositories of the source code of Azure DevOps and Okta. Hackers posted a 9 GB 7zip archive on the torrent service, containing approximately 37 GB of source code for more than 250 projects that, according to them, belong to Microsoft. As noted by Lapsus$, the archive contains 90% of the source code for Bing and about 45% of the code for Bing Maps and Cortana.

In addition, Lapsus$ has published in Telegram screenshots of data allegedly stolen after gaining access to Superuser/Admin and other computer systems of Okta. Okta analyzed screenshots depicting the alleged leakage of its data and reported that they were related to a cyber incident that occurred in January 2022.

Another South American hacker group N4ughtysecTU attacked the South African division of the credit reporting giant TransUnion, which processes credit data of more than 24 million South Africans. Hackers gained access to TransUnion servers using a simple brute force attack, allegedly stole about 4 TB of data and demanded $15 million in ransom.

BitLocker ransomware attacked the information systems of a number of Miratorg agricultural holding companies. The malware encrypts data in the disk system of infected computers, servers and workstations. To do this, it uses vulnerabilities of Microsoft-based operating systems.

The Rare Bears NFT project has been subjected to a hacker attack. The attacker posted a phishing link on the Discord channel of the project, thanks to which he managed to steal 179 non-interchangeable tokens from various collections, including Rare Bears, CloneX, Azuki, “mfer” and 6 tokens of the LAND metaverse of The Sandbox.

Information security specialists tracking the activities of a financially motivated group of LightBasin hackers have discovered a new Unix rootkit that is used to steal ATM data and conduct fraudulent transactions. According to researchers from Mandiant, the new LightBasin rootkit is a Unix kernel module called Caketap, which is installed on servers running the Oracle Solaris operating system. Caketap hides network connections, processes and files, and also installs several hooks into system functions to get remote commands and configurations.

The Computer Emergency Response Group in Ukraine (CERT-UA) reported on the ongoing phishing campaigns of the InvisiMole cybercrime group (also known as UAC-0035) targeting Ukrainian organizations. Hackers distribute a backdoor LoadEdge among the victims.

A Ukrainian security researcher has published a new source code of malware used by the cyber-extortion group Conti, in retaliation for the support she expressed to the Russian government in the conflict with Ukraine. When Conti sided with Russia, a Ukrainian activist named Conti Leaks decided to merge its data and source code dated September 15, 2020. Now Conti Leaks has uploaded the source code of the third version of Conti to VirusTotal.

The European Aviation Safety Agency (European Union Aviation Safety Agency) has warned of periodic failures in the operation of global Navigation satellite systems (GNSS). Interruptions in GNSS operation can lead to a deterioration of navigation and surveillance due to jamming and/or possible spoofing near the territory of Ukraine.

Hackers are attacking poorly protected Microsoft SQL and MySQL servers in order to infect them with a Trojan for remote access Gh0stCringe, the specialists of the information security company AhnLab reported.

Gh0stCringe (aka CirenegRAT) is a type of Gh0st RAT malware known since 2018 and last used by China in cyber espionage operations in 2020.

Start a discussion …