QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

Hackers steal $320,000 in Cryptocurrency from NFT & Crypto community platform

The operators of cryptocurrency play-to-earn game WonderHero have disabled the service after hackers stole about $320,000 worth of Binance Coin (BNB). The attack caused the price of WonderHero’s own coin, WND, to plummet more than 90%.  WonderHero is one of many popular games where players earn revenue in cryptocurrencies and NFTs through gameplay. The platform currently has about 11,000 active users.

We understand that the community is concerned with the sudden WND price drop. Our team is looking into this issue and we will update as soon as we can. — WonderHero (@Wonderhero_io) April 7, 2022

But blockchain analysis firm PeckShield notified the company that a hacker was exploiting the platform. WonderHero quickly disabled the game and its website before telling users it was aware of the price drop in WonderHero’s coin. By Thursday afternoon, the company released a blog post confirming that the hackers had stolen a total of 750 BNB after minting 80 million WND. The hackers then sent the 750 BNB to a cryptocurrency mixer called PancakeSwap. They explained that the attack was on their “cross-chain bridging withdrawal.” A cross-chain bridge – also known as a blockchain bridge – allows people to transfer tokens, assets, smart contract instructions and data between blockchains. On Twitter, several users criticized the company, questioning whether they will cover the losses of those whose orders came after the price of WND tanked.  WonderHero did not respond to requests for comment. The attack took place just weeks after another play-to-earn cryptocurrency game, Axie Infinity, was hit with an attack that saw hackers steal about $625 million in cryptocurrency. Edited – Original source - Record

ICS-capable malware targets a Ukrainian energy company

ESET researchers responded to a cyber-incident affecting an energy provider in Ukraine. We worked closely with CERT-UA to remediate and protect this critical infrastructure network. The collaboration resulted in the discovery of a new variant of Industroyer malware, which is named Industroyer2 – see CERT-UA publication here. Industroyer is an infamous piece of malware that was used in 2016 by the Sandworm APT group to cut power in Ukraine. In this case, the Sandworm attackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine. In addition to Industroyer2, Sandworm used several destructive malware families including CaddyWiper, ORCSHRED, SOLOSHRED and AWFULSHRED. Researchers first discovered CaddyWiper on 2022-03-14 when it was used against a Ukrainian bank – see Twitter thread about CaddyWiper. A variant of CaddyWiper was used again on 2022-04-08 14:58 against the Ukrainian energy provider.

At this point, researchers don’t know how attackers compromised the initial victim nor how they moved from the IT network to the Industrial Control System (ICS) network. The recently discovered malware is a new variant of Industroyer, hence the name Industroyer2. Industroyer2 is highly configurable. It contains a detailed configuration hardcoded in its body, driving the malware actions. In coordination with the deployment of Industroyer2 in the ICS network, the attackers deployed a new version of the CaddyWiper destructive malware.

In the network of the energy provider, attackers deployed a new version of CaddyWiper that uses a new loader, named ARGUEPATCH by CERT-UA. ARGUEPATCH is a patched version of a legitimate component of Hex-Rays IDA Pro software, specifically the remote IDA debugger server win32_remote.exe. Alongside CaddyWiper, a PowerShell script was found both in the energy provider network and in the bank that was compromised earlier. This script enumerates Group Policies Objects (GPO) using the Active Directory Service Interface (ADSI). The script, is almost identical to a snippet provided in a Medium blog post. Researchers believe that attackers deployed CaddyWiper via a GPO and used the script to check the existence of this GPO. Additional destructive malware for systems running Linux and Solaris was also found on the network of the targeted energy company. There are two main components to this attack: a worm and a wiper. The latter was found in two variants, one for each of the targeted operating systems. All malware was implemented in Bash. Edited – Original Source - ESET.

Anonymous Hacked Russia Ministry of Culture

The Anonymous collective has hacked Russia’s Ministry of Culture and leaked 446 GB of data through the DDoSecrets platform. Data leak service DDoSecrets has published over 700 GB of data allegedly stolen from the Russian government, including over 500,000 emails. The dump includes three datasets, the largest one is related to the Ministry of Culture at 446 GB (containing 230,000 emails), which is responsible for state policy regarding art, cinematography, archives, copyright, cultural heritage, and censorship.

Anonymous continues to threaten those companies and financial organizations that are still operating in Russia and are doing business with Moscow. Below is the message sent to the Italian bank Intesa Sanpaolo that announced to have stopped all new financing to Russian and Belarusian counterparts since the war in Ukraine began and has stopped investments in Russian and Belarusian financial instruments. However Anonymous states that Yale University reports that the Italian bank is continuing business-as-usual in Russia and asked for an explanation about this. Edited – Original Source - Reddit

American Gov warns of WatchGuard bug exploited by Russian state hackers

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal civilian agencies and urged all US organizations on Monday to patch an actively exploited bug impacting WatchGuard Firebox and XTM firewall appliances. Sandworm, a Russian-sponsored hacking group, believed to be part of the GRU Russian military intelligence agency, also exploited this high severity privilege escalation flaw (CVE-2022-23176) to build a new botnet dubbed Cyclops Blink out of compromised WatchGuard Small Office/Home Office (SOHO) network devices.

"WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access," the company explains in a security advisory rating the bug with a critical threat level.

The flaw can only be exploited if they are configured to allow unrestricted management access from the Internet. By default, all WatchGuard appliances are configured for restricted management access. Even though this directive only applies to federal agencies, CISA also strongly urged all US organizations to prioritize fixing this actively abused security bug to avoid having their WatchGuard appliances compromised. WatchGuard issued its own advisory after US and UK cybersecurity and law enforcement agencies linked the malware to the GRU hackers, saying that Cyclops Blink may have hit roughly 1% of all active WatchGuard firewall appliances. The disruption of Cyclops Blink botnet is indeed good news and shows how close cooperation between government and private organizations is against cyber threats. Further, the FBI suggested adopting Watchguard's detection and remediation steps for remediating any infection by the malware. Edited – Original source - TechRadar

Cybercrime “remote access tool” (RAT) scams cost hit £50m+ in 2021

Scammers who tricked victims into handing them control of their PCs managed to steal nearly £58m last year, according to official UK police figures. Some 20,144 individuals fell victim to such “remote access tool” (RAT) scams in 2021, according to Action Fraud, the country’s national reporting centre for fraud and cybercrime. Losing on average around £2800 per incident on average, the total losses amounted to £57.8m last year. These attacks often start with victims being bombarded with pop-ups on their screens, claiming that there’s a problem with the computer. That might, in turn, request users call a ‘hotline’ number that’s run by fraudsters, who will persuade the victim to download a remote access tool.

“While remote access tools are safe when used legitimately, we want the public to be aware that they can be misused by criminals to perpetrate fraud. We often see criminals posing as legitimate businesses in order to trick people into handing over control of their computer or smartphone,” warned detective chief inspector Craig Mullish from the City of London Police.

This is akin to a classic “tech support” scam. However, other variations may include scammers, cold-calling victims, pretending to work for their bank and claiming they need to access the computer to cancel a fraudulent transaction. In either scenario, access to the victim’s PC or mobile device may enable the scammers to access banking details or download information-stealing malware with the same end goal. One victim lost over £20,000 after a scammer posing as a Sky employee persuaded them to download a RAT to fix a non-existent problem with their TV. This enabled them to access their bank account. Another lost £1000 after a fraudster pretending to work for Amazon tricked them into downloading a RAT to help them process a payment for an Amazon Prime membership. Edited – Original source - Wired

OpenSSH now defaults to protecting against quantum computer attacks

Post-quantum cryptography has arrived by default with the release of OpenSSH 9 and the adoption of the hybrid Streamlined NTRU Prime + x25519 key exchange method.

"The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo.  We are making this change now (i.e. ahead of cryptographically-relevant quantum computers) to prevent 'capture now, decrypt later' attacks where an adversary who can record and store SSH session ciphertext would be able to decrypt it once a sufficiently advanced quantum computer is available." the release notes said.

As work on quantum computers inches forward, protecting against future attacks has similarly increased. Thanks to the massive parallelism expected from workable quantum computers, it is believed traditional cryptography will be trivial to crack once such a machine is built. Last month, the NATO Cyber Security Centre did a test run of its quantum-proof network. Elsewhere in the OpenSSH release that was mostly focused on bug fixes, the SCP command has been moved from its default legacy protocol to using SFTP even though it brings with it several incompatibilities, such as not supporting wildcards with remote filenames or expanding a ~user path, although the latter is supported through an extension. Edited – Original source - ZDNET

Hackers use Conti's leaked ransomware to attack Russian companies

A hacking group used the Conti's leaked ransomware source code to create their own ransomware to use in cyberattacks against Russian organizations. While it is common to hear of ransomware attacks targeting companies and encrypting data, we rarely hear about Russian organizations getting attacked similarly. This lack of attacks is due to the general belief by Russian hackers that if they do not attack Russian interests, then the country's law enforcement would turn a blind eye toward attacks on other countries. However, the tables have now turned, with a hacking group known as NB65 now targeting Russian organizations with ransomware attacks.

For the past month, a hacking group known as NB65 has been breaching Russian entities, stealing their data, and leaking it online, warning that the attacks are due to Russia's invasion of Ukraine. The Russian entities claimed to have been attacked by the hacking group include document management operator TensorRussian space agency Roscosmos, and VGTRK, the state-owned  Russian Television and Radio broadcaster. The attack on VGTRK was particularly significant as it led to the alleged theft of 786.2 GB of data, including 900,000 emails and 4,000 files, which were published on the DDoS Secrets website. More recently, the NB65 hackers have turned to a new tactic — targeting Russian organizations with ransomware attacks since the end of March. Conti's source code was leaked after they sided with Russia over the attack on Ukraine, and a security researcher leaked 170,000 internal chat messages and source code for their operation. Almost all antivirus vendors detect this sample on VirusTotal as Conti, and Intezer Analyze also determined it uses 66% of the same code as the usual Conti ransomware samples. Edited – Original source - Bleeping

DDoS attack forces Finland’s Defence & Foreign Affairs websites offline

The websites of Finland’s defense and foreign affairs were taken offline today following DDoS attacks. The ministries each confirmed the attacks on Twitter this week, although the websites now appear to be back up and running. The nation’s Ministry of Defense wrote at 10.45 am GMT: “The Department of Defense website http://defmin.fi is currently under attack. We are currently investigating. We will post any additional information below.” It followed up with: “For the time being, we will keep the Department of Defense website closed until the harmful traffic on the website is gone. All our bulletins are readable http://valtioneuvosto.fi.”

Shortly after, at 10.54 am, Finland’s Ministry of Foreign Affairs tweeted: “There are currently disruptions in the Foreign Ministry’s online services. http://Um.fi and Finlanabroad.fi sites have been denied a denial of service attack. We’ll investigate and try to get the services up and running as soon as possible. We apologize for the inconvenience.” However, at 2.06 pm, the official Finnish government Twitter account confirmed the issues had been resolved, and both ministries’ websites had resumed operations. It stated: “Denial-of-service attack is now over. Due to website protection, main part of the sites continued to work normally during the attack.” There is currently no information regarding the attackers’ identity, although suspicion is likely to fall on Russian threat actors given the timing of the incidents. Earlier today, Ukrainian President Volodymyr Zelenskyy addressed the Finnish parliament via video link about the conflict. Additionally, reports in the past few days suggest Finland is considering seeking NATO membership, a move strongly opposed by the Kremlin. Finland’s Ministry of Defense also claimed that a Russian state aircraft violated Finnish airspace this morning.

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.

Previous editions of Cyber Pulse

Stay in the know

Subscribe to our monthly Learning Matters newsletter and stay up to date with QA's latest news, views, offers, must-go-to events and more.

And if you want to keep up with the latest cyber news, why not subscribe to our weekly Cyber Pulse newsletter.

Sign up to our newsletters
Stay in the know