This week in cybersecurity: the most important news.
- Russian hackers suspected of carrying out a cyberattack on German MPs.
- Researchers gained access to servers of the group linked to SolarWinds attacks.
- Ransomware attacks hit several major companies.
- In the State Duma, authorities said that if Twitter is blocked on Russian soil, they would heed the ‘sad experience’ of Telegram.
Twitter began removing prohibited content after Roskomnadzor’s demands, but the risk of blocking remains
After Roskomnadzor began slowing Twitter’s operation on the territory of the Russian Federation, the social network began removing prohibited content.
The agency called the pace of removing prohibited content unsatisfactory.
Alexander Khinshtein, head of the State Duma Committee on Information Policy, stated that in the event of the service being blocked, authorities would take into account the ‘sad experience’ of Telegram.
Since the unsuccessful attempt to block Telegram, much has changed — in particular, the so-called sovereign Internet law has come into force.
“Today the state has enough technical mechanisms to effectively block internet resources that violate Russian law. Access to VPNs can be restricted just as easily today. And in a chain reaction, that is how it will happen — further blocks of access to these VPNs,” said Khinshtein.
Earlier, Roskomnadzor began slowing Twitter’s operation on March 10 and gave the social network a month to remove prohibited content. Otherwise, the agency threatened to block the service in Russia.
A number of politicians, journalists and activists are prepared to sue Roskomnadzor if the agency blocks Twitter.
Bundestag deputies targeted in hack attack; Russian-linked hackers suspected
Computers of at least seven members of the German Bundestag were attacked by hackers. The attack is attributed to the Ghostwriter group, linked to Russia, according to Spiegel.
The attackers used phishing to breach the systems. It is not yet clear whether data were stolen.
Britons lost more than £479m ($655m) to cybercrime in 2020
In 2020, residents of the United Kingdom lost £479 million (more than $655 million at the time) due to cybercrime, according to the Financial Times, citing UK Finance.
The pandemic spurred a rise in fraud; for example, attackers frequently gained access to users’ devices via emails or messages linking to fake vaccination-site pages.
Babuk ransomware operators stole over 700 GB of data from a US military contractor
The hackers attacked American company PDI Group, a producer of military systems and equipment.
BABUK gang claimed to have hacked into a defense and aerospace company and leaked internal data to DarkWeb. pic.twitter.com/fofXpwprTS
— DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) March 23, 2021
The hackers said they obtained access to a large volume of confidential information, including documents and personal data of employees and clients. At least some of the data has been published on the dark web, the attackers claim.
Facebook blocked a Chinese hacker group monitoring Uyghurs
Facebook announced the takedown of a group of Chinese hackers who used the platform to distribute malware and to hack activists, journalists and dissidents among Uyghurs from Xinjiang, China, many of whom live in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and elsewhere.
They created accounts posing as “journalists, students, human-rights advocates, or members of the Uyghur community” to gain the trust of targets and trick them into clicking malicious links.
Microsoft Exchange servers attacked by another ransomware
Black Kingdom ransomware joined attacks on Microsoft Exchange servers, exploiting the recently discovered vulnerabilities.
Someone just ran this script on all vulnerable Exchange servers via ProxyLogon vulnerability. It claims to be BlackKingdom “Ransomware”, but it doesn’t appear to encrypt files, just drops a ransom note to every directory. pic.twitter.com/POYlPYGjsz
— MalwareTech (@MalwareTechBlog) March 21, 2021
Experts noted that Black Kingdom initially did not encrypt files. However, later several companies observed changes in the attacks and operators fixed their mistake.
BlackKingdom ransomware on my personal servers. It does indeed encrypt files. They exclude c:\windows, however my storage drivers were in a different folder and it encrypted those… meaning the server doesn’t boot any more. If you’re reading BlackKingdom, exclude *.sys files pic.twitter.com/nUVUJTbcGO
— Kevin Beaumont (@GossiTheDog) March 23, 2021
Experts gained access to servers of the group tied to the SolarWinds attack
Swiss cybersecurity company PRODAFT said it gained access to the servers used by the SolarWinds-affiliated hackers.
Experts managed to breach the attackers’ computer infrastructure. According to them, the group, which PRODAFT named SilverFish, attacked at least 4,720 victims.
According to the researchers, the hackers also used attack methods other than the SolarWinds software vulnerability.
PRODAFT does not link the hackers to any particular country, though it notes that the group exhibits traits of state-sponsored actors — for example, a lack of monetary motivation and a focus on critical infrastructure.
According to the report, the servers used by the hackers were located in Russia and Ukraine, and the group’s members largely wrote comments in Russian slang, yet SilverFish did not target organizations in those two countries, nor in Georgia or Uzbekistan.
As reported, the SolarWinds-based breach is considered one of the largest attacks on U.S. government systems in years. For more on the incident, read ForkLog’s exclusive.
Insurance giant CNA hit by a new ransomware variant
Insurance company CNA was hit by a new variant of the Phoenix CryptoLocker ransomware, according to Bleeping Computer.
The attackers encrypted 15,000 devices on CNA’s network, as well as computers of remote employees connected to the corporate VPN during the attack.
The operation is believed to have been carried out by the Evil Corp group.
Also on ForkLog:
- The press reported that REvil demanded $50 million in Monero from Acer.
- Roskomnadzor proposed requiring passport details and residential addresses for social-media registration, but later called such data requests excessive.
- Hydra sellers devised ‘stash system’ for anonymous Bitcoin withdrawals.
- Mina Protocol launched a privacy-focused blockchain using zk-SNARKs.
- Purple Fox botnet gained worm-like capabilities for distributing a hidden miner.
- A Canadian IoT device maker halted operations due to ransomware.
What to read this weekend?
Read how governments worldwide used the pandemic to tighten surveillance on citizens and curb freedom of the internet in Freedom House’s analysis.