Review of security incidents for the period from March 24 to March 30, 2022

Source: https://cobaltstrike.net/2022/03/30/review-of-security-incidents-for-the-period-from-march-24-to-march-30-2022/



The theft of $625 million from the Ronin blockchain behind the NFT game Axie Infinity, a large-scale cyberattack on a major Ukrainian Internet provider, zero-day vulnerabilities in Google Chrome, Anonymous leaks: read about these and other security incidents for the period from March 24 to March 30, 2022 in our review.

This week saw the biggest hack in the history of decentralized finance (DeFi). An unknown attacker stole cryptocurrency worth about $625 million from the Ronin blockchain, which underpins the popular crypto game Axie Infinity. Sky Mavis, the operator of Ronin and Axie Infinity, disclosed the breach on Tuesday and froze transactions on the Ronin cross-chain bridge, which lets users deposit funds into and withdraw them from the company's blockchain. According to The Block Research analyst Igor Igamberdiev, part of the funds was moved to the centralized exchanges FTX and Crypto.com.

The compromise of HubSpot, a vendor of customer relationship management (CRM), sales and marketing software, affected large cryptocurrency companies. According to the HubSpot team, the attackers obtained only the user information stored in the tool, and internal data such as passwords was not affected. Many customers of the affected firms have already reported phishing attacks.

The Ukrainian Internet provider Ukrtelecom was hit by a large-scale cyberattack. According to the State Service of Special Communications and Information Protection of Ukraine, the attack had been neutralized by midday on Monday, March 28. NetBlocks, a service that tracks Internet availability around the world, showed that the attack affected users throughout Ukraine. By NetBlocks' measurements, traffic in the country has fallen by 13% since the beginning of the war.

Attackers have begun compromising WordPress sites to inject malicious scripts that use visitors' browsers to carry out DDoS attacks on Ukrainian resources. Once loaded, the JavaScript code makes the user's browser send HTTP GET requests to every site on a hard-coded list (including government, financial and academic sites), keeping up to 1,000 concurrent connections. The script thus performs the DDoS attack while the site visitor notices nothing.
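From the target's side, this kind of browser-driven flood has a recognizable shape: many distinct client IPs, all carrying a Referer that points at the same third-party site (the compromised WordPress page that served the script), arriving at a high rate. The following Python script is an added example and not part of the original review or of any tool it mentions; it parses constructed access-log lines in the standard Combined Log Format and flags referrer origins that fit that pattern. The hostnames, IP addresses, thresholds and log lines are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Combined Log Format as written by Apache/nginx ("combined"):
# ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def referer_origin(ref):
    """Reduce a Referer value to its origin (scheme://host[:port]).
    Browsers' default referrer policy already sends only the origin cross-site,
    so grouping by origin is the natural key."""
    if not ref or ref == "-":
        return "(none)"
    p = urlsplit(ref)
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else ref


def find_browser_ddos_sources(lines, own_origins, min_clients=3, min_rps=2.0):
    """Group requests by Referer origin and flag third-party origins whose
    visitors are collectively hammering this server: at least `min_clients`
    distinct IPs and at least `min_rps` requests per second between the
    first and last request seen for that origin (thresholds are assumptions)."""
    by_origin = defaultdict(lambda: {"ips": set(), "n": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        b = by_origin[referer_origin(rec["referer"])]
        b["ips"].add(rec["ip"])
        b["n"] += 1
        b["first"] = rec["ts"] if b["first"] is None else min(b["first"], rec["ts"])
        b["last"] = rec["ts"] if b["last"] is None else max(b["last"], rec["ts"])

    findings = []
    for origin, b in by_origin.items():
        if origin in own_origins or origin == "(none)":
            continue  # our own pages and direct hits are not the signal we want
        span = max((b["last"] - b["first"]).total_seconds(), 1.0)
        rps = b["n"] / span
        if len(b["ips"]) >= min_clients and rps >= min_rps:
            findings.append({"origin": origin, "clients": len(b["ips"]),
                             "requests": b["n"], "rps": round(rps, 2)})
    return sorted(findings, key=lambda f: -f["requests"])


def _line(ip, ts, path, referer):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "{referer}" "Mozilla/5.0"'


# Constructed sample log: a few ordinary visitors ...
SAMPLE_LOG = [
    _line("192.0.2.10", "30/Mar/2022:10:00:00 +0000", "/", "-"),
    _line("192.0.2.10", "30/Mar/2022:10:00:01 +0000", "/news/", "https://gov.example.ua/"),
    _line("192.0.2.11", "30/Mar/2022:10:00:01 +0000", "/", "https://www.google.com/"),
]
# ... plus six browsers that all loaded the injected script on the same
# (hypothetical) compromised blog and each fired two requests within two seconds.
for i, ip in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3",
                        "203.0.113.7", "203.0.113.8", "203.0.113.9"]):
    for sec in (0, 2):
        SAMPLE_LOG.append(_line(ip, f"30/Mar/2022:10:00:0{sec} +0000",
                                f"/?{i}{sec}", "https://compromised-blog.example"))


def demo():
    """Run the detector over the constructed log with our own origin allow-listed."""
    return find_browser_ddos_sources(SAMPLE_LOG, own_origins={"https://gov.example.ua"})


if __name__ == "__main__":
    for f in demo():
        print(f"{f['origin']}: {f['clients']} clients, {f['requests']} requests, {f['rps']} req/s")
```

The output names the compromised site rather than the individual victims' IPs, which is what you actually want to act on: block or rate-limit by Referer origin, and notify the owner of that site. The obvious caveat is that the injected script can set `referrerPolicy: "no-referrer"`, in which case the requests land in the "(none)" bucket; a rate spike there with an unusually broad set of source IPs is still a signal, but attribution to the hosting site is lost.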

Ukrainian organizations have also become targets of the Chinese hacker group Scarab. The operators of a targeted phishing campaign are sending out a RAR archive containing an executable that silently installs a malicious DLL called HeaderTip. According to security researchers, Scarab's goal is to collect geopolitical intelligence. The phishing emails use a decoy document purportedly sent on behalf of the National Police of Ukraine.

Hackers attacked the information systems of the company TAVR, which operates in the Rostov region. Servers, workstations and enterprise information systems, in particular those holding financial and economic data, were hit with malware. The company's operations were temporarily paralyzed and significant economic damage was caused; the company is currently operating in a limited mode.

The hacktivist collective Anonymous was busy all week. On March 24, the group announced that it had hacked the Bank of Russia's systems and published 35,000 files allegedly containing the regulator's confidential agreements. However, the Central Bank "leak" appears to be a compilation of data from open sources.

On March 29, the Aviatorschina Telegram channel reported, citing unofficial sources, an alleged cyberattack on the Federal Air Transport Agency (Rosaviation) in which data may have been lost. According to the channel, the attackers destroyed about 65 TB of the agency's data; document workflows and e-mail from the past year and a half were the worst affected. Aviatorschina claims the attackers deleted all files on the agency's servers as well as its public services system.

Pro-Ukrainian hackers allegedly compromised an information service built on the Unified Regional Integration Platform of the "Safe City" hardware and software complex. They gained access to the Universal Medical Personal Account (UMLC), created in spring 2020 to track COVID-19 patients, their contacts, people tested for coronavirus, and arrivals from other regions who were required to self-isolate.

The Italian state-owned railway operator Ferrovie dello Stato SpA temporarily halted ticket sales at stations after detecting signs of a cyberattack on its systems. Suspicious activity on the company's network points to an incident resembling a CryptoLocker-style ransomware attack.

Cybercriminals have begun distributing the IcedID backdoor through compromised Microsoft Exchange servers. The attacks target energy, healthcare, legal and pharmaceutical organizations. Although researchers have not attributed this IcedID campaign to a specific cybercrime group, a Proofpoint report from June 2021 noted that the groups TA577 and TA551 favor IcedID as their malware of choice.

The Muhstik botnet, known for spreading through web application vulnerabilities, is now attacking Redis servers via a recently disclosed Lua sandbox escape (CVE-2022-0543). The vulnerability carries a CVSS score of 10 out of 10 and allows remote code execution on systems running vulnerable software; attacks exploiting it began on March 11, 2022. Muhstik, first documented by researchers at the Chinese company Netlab 360, has been active since March 2018 and is used for cryptocurrency mining and DDoS attacks.
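Redis exposes Lua to clients through the EVAL and EVALSHA commands, so a sandbox escape like this one is only reachable by whoever can issue those commands; a Redis instance that is bound to all interfaces with protected mode off and no password is exactly the target a botnet scans for. The following Python audit is an added example, not code from the review, from Muhstik's operators, or from the Redis project: it parses a redis.conf (a constructed weak one beside a hardened one) and reports the settings that leave the scripting commands exposed. The directive names are real Redis configuration directives; the file contents and the decision to rename EVAL/EVALSHA away are assumptions for the illustration.

```python
def parse_redis_conf(text):
    """Return (directive, args) pairs with the directive lower-cased.
    Comments and blank lines are skipped; repeated directives are kept in order
    so the caller can apply Redis's last-one-wins rule."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_redis_conf(text):
    """Return a list of findings describing why this config leaves EVAL/EVALSHA
    reachable from the network. An empty list means none of the checks fired."""
    conf, renamed = {}, {}
    for name, args in parse_redis_conf(text):
        if name == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1]
        else:
            conf[name] = args  # last occurrence wins, as in Redis itself

    findings = []

    # No "bind" at all, or a wildcard address, means Redis listens on every interface.
    # The leading "-" on an address ("-::1") only tells Redis not to fail if it is missing.
    binds = [a.lstrip("-") for a in conf.get("bind", [])]
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: listening on all interfaces")

    # protected-mode defaults to yes; turning it off removes the no-password safety net.
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")

    # Without requirepass any client that can reach the port can run EVAL.
    pw = conf.get("requirepass", [])
    if not pw or pw[0] in ('""', "''"):
        findings.append("requirepass: no password set")

    # If the application does not use Lua scripting, renaming the commands to the
    # empty string removes them entirely; that shrinks the attack surface but does
    # not replace patching the vulnerable package.
    for cmd in ("EVAL", "EVALSHA"):
        if renamed.get(cmd) != '""':
            findings.append(f"{cmd}: scripting command still reachable")

    return findings


# Constructed: the kind of config that makes an instance a target for scanners.
WEAK_CONF = """\
# exposed to the network, no auth, scripting left on
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed: the same instance with the exposure closed off.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass change-me-to-a-long-random-secret
rename-command EVAL ""
rename-command EVALSHA ""
"""


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["ok"])
```

On Redis 6 and later the same restriction can be expressed through ACLs (for example denying the `@scripting` command category to the application user) instead of `rename-command`, which is deprecated in Redis 7; either way, the audit above only tells you whether the scripting surface is exposed, and the actual fix for CVE-2022-0543 is updating the affected Redis package.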

Trustwave has warned of a new data-stealing campaign against Windows users. The attackers deliver the Vidar infostealer through fake emails from Microsoft support. Vidar is a Windows spyware and information-stealing tool sold to cybercriminals; it can collect OS and user data, credentials for online services and cryptocurrency accounts, and credit card information.

The leak of official data from Pakistan's Ministry of Finance appears to be the biggest cybersecurity breach a Pakistani institution has ever faced. In December 2021, an unknown hacker claimed to have compromised the ministry's computer systems, but ministry spokesman Muzammil Aslam denied that any attack had taken place. Three months later, the hacker released some of the ministry's confidential data, including information concerning other countries, international financial organizations, national institutions, ministries and departments.

Within a week, two zero-day vulnerabilities in the Chrome browser became known that were already being exploited in attacks. Google's Threat Analysis Group (TAG) has linked two malicious campaigns exploiting CVE-2022-0609 to two groups backed by the North Korean government. Very little is known about the other vulnerability, CVE-2022-1096.
