Review of security incidents for the period from March 10 to March 16, 2022

image


The state of emergency in Israel due to unprecedented cyber attacks, the continuation of the Anonymous cyber war against Russia, new ransomware attacks – read about this and more in our review of the main events in the world of information security for the week.

A number of Israeli government websites were inaccessible as a result of a massive DDoS attack that blocked access to government websites. A source in the defense department claims that this was the largest cyber attack ever carried out on Israel. A statesman or a large organization is allegedly behind the attack, but it is not yet known who exactly. In connection with the incident, a state of emergency was declared in the country.

Anonymous continues its cyber war against Russia. This time, the hacktivists announced the hacking of Roskomnadzor and the theft of 820 GB of data. Judging by the timestamps, some files are dated March 5, 2022. Allegedly, the files belong to the Office of Roskomnadzor of the Republic of Bashkortostan.

The German subsidiary of the Russian oil giant Rosneft has been subjected to a cyberattack and is now trying to cope with its consequences. Rosneft Deutschland was allegedly attacked on the night of March 11-12, it seems, by the same Anonymous. Hackers claim that they managed to gain access to Rosneft Germany servers and download more than 20 TB of data.

On March 16, hackers carried out a massive hacking of the websites of the arbitration courts of the Russian Federation. The attackers posted texts on the main pages with insults to Vladimir Putin and Russians related to the operation in Ukraine. Soon the messages disappeared, but the information on the websites continued to remain inaccessible. The courts of Moscow, Primorsky, Krasnodar, Khabarovsk Krai and other regions were attacked. By about 6:15, the message was gone, but the sites still did not open.

Experts have warned hacktivists who want to DDoS Russian sites that they themselves may become victims of cybercriminals. According to them, a tool is being distributed in Telegram allegedly to carry out DDoS attacks on Russian resources, which actually steals cryptocurrency from the one who uses it. Under the tool for hacktivists Disbalanscer.The Phoenix infostiler known since 2019, stealing data from cryptocurrency wallets, has been disguised in zip.

Another high-profile case of the week is the espionage tool of the US National Security Agency, which China managed to seize. NOPEN is able to access sensitive information on the victim’s computer, monitor and redirect network traffic, and remotely monitor the system for surveillance of objects abroad. The spyware was detected on Internet equipment used around the world.

Experts have discovered a new malware for destroying CaddyWiper data, attacking Ukrainian organizations and deleting data from all systems in compromised networks. The new malware erases user data and information from removable disk partitions. Judging by ESET telemetry, it infected several dozen systems in a limited number of organizations.

The Ukrainian Computer Emergency Response Team has warned about attackers who distribute fake updates of Windows antivirus software in order to install Cobalt Strike beacons and other malware. Cybercriminals impersonate Ukrainian government agencies in phishing emails, offering ways to improve network security, and advise recipients to download “critical security updates.”

Western intelligence agencies are investigating a cyberattack by unknown hackers who disrupted broadband satellite Internet access in Ukraine. Analysts from the US National Security Agency, the French government cybersecurity organization ANSSI and Ukrainian intelligence are trying to find out whether the remote sabotage of satellite Internet provider services was the work of Russian hackers.

A major Ukrainian Internet provider Triolan was hacked twice by cybercriminals. According to Forbes sources, the first hacking occurred on February 24 this year, and the second on March 9. Difficulties arose with the restoration of computer systems, since in some cases specialists needed physical access, which was impossible due to the fighting in the city.

The computer systems of a large Latin American e-commerce company Mercado Libre were hacked during a cyber attack. As a result of the incident, the information of 300 thousand users of the platform was disclosed. As representatives of the company noted, part of its source code was subjected to unauthorized access, which led to the disclosure of user data.

The South American cybercrime group Lapsus$ reminded about itself again. This time she announced the hacking of a major computer game manufacturer Ubisoft. The company itself assures that the personal data of the players is safe — so far there are no signs that anyone could access them. The company says that games and services are now “working fine.” For security reasons, the company also “initiated a password reset for all accounts in the company.” Lapsus$ confirmed that the target of the hack was not information about Ubisoft customers.

Hacker group OldGremlin attacked the international online store Wildberries. Hackers not only disrupted the site, but also seized control over it. The attackers placed a cryptographic virus in the site data, which caused a large-scale malfunction of Wildberries.

A major Japanese film company Toei has been subjected to a cyberattack, which led to a delay in the airing of new episodes of popular anime series, including One Piece and Delicious Party Precure. According to Toei’s statement, the studio discovered unauthorized access to its systems on March 6, 2022. The next day, the company issued an incident notification, shut down all internal systems as a precautionary measure, and began an investigation.

Denso, Toyota’s leading supplier, was attacked by ransomware last week. The Japanese supplier said that on March 10 it discovered unauthorized access to the networks of Denso Automotive Deutschland GmbH, a group of companies that deals with sales and engineering in Germany.

The Iranian cybercrime group MuddyWater has carried out a series of attacks on companies and organizations in Turkey and the Arabian Peninsula in order to deploy Trojans for remote access on compromised systems. During the malicious campaign, the attackers sent phishing emails with infected Microsoft Excel files. As a result of a successful attack, a Trojan for remote access called SloughRAT (also known as Canopy) was installed on the victim’s computer, capable of executing arbitrary code and commands from the command server.

Start a discussion …