Cyber Intelligence Report
This report contains selected cyber-security information from 13th to 26th January 2024.
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release : 26th January, 2024
Cyberwarfare Update & The State of Cyber Crime
Synopsis
1. Russia keeps DDoSing a Ukrainian bank, and Russian hackers compromise Microsoft and HPE. Ukraine steals Russian military construction plans. Two Chinese cyber-espionage campaigns were uncovered. How bad is cybercrime? We look at ransomware, the impact of cybercrime on organizations, a huge new compilation of breached data, and new things to hack.
2. Russia vs Ukraine cyberwar. Russia appears to be committed to the following ongoing ‘Course of Action’ for its cyber forces:
Russian cyber forces, including allied and supporting hackers, continue to launch campaigns against Ukrainian targets, including perceived Ukrainian allies. Targeting includes critical infrastructure, industrial infrastructure, political and media organizations, as well as targets of opportunity.
Russia vs Ukraine
3. One of Ukraine’s most popular online banks, Monobank, was hit by a large Distributed Denial-of-Service (DDoS) attack. The bank serves customers exclusively through a mobile application. “Monobank users interviewed by Recorded Future News reported no issues with the bank’s app or virtual banking cards. … The company’s CEO, Oleh Horokhovskyi, said the bank faced its largest attack ever, with 580 million service requests over three days. … Monobank would be a logical target for Russian threat actors. It is frequently used by Ukrainians to raise donations for the military.” Horokhovskyi also said: “I think that today Monobank is one of the most attacked IT targets in our country. DDoS attacks come just non-stop.” There was no attribution for the attack.
4. Russia Hacks Microsoft. The Russian cyber-espionage group Midnight Blizzard compromised Microsoft systems in late November 2023 … “using usernames with default passwords on the application.” Microsoft’s own disclosure describes the initial access as a password-spray attack against a legacy, non-production test tenant account. Midnight Blizzard “gained access to the accounts of members of the company’s senior leadership team and employees in cybersecurity, legal, and other functions.” Their initial objective was to “gather intelligence on investigations conducted by Microsoft on Midnight Blizzard’s activities.”[1]
5. Russia Hacks HPE. Days later, Hewlett Packard Enterprise (HPE) revealed that the same attackers ‘infiltrated’ its “cloud email environment to exfiltrate mailbox data.” It is believed that “the threat actors persisted within its network undetected for more than six months.”[2] “The hackers targeted ‘a small percentage of HPE mailboxes’ used by staff in cybersecurity, go-to-market, business segments, and other departments. Midnight Blizzard … is one of the most active and most sophisticated threat actors linked to the Russian government.”[3]
6. The Black Basta ransomware group claims to have hacked two major water companies, one in the UK and one in the US. “‘Southern Water’ provides water services to 2.5 million customers and wastewater services to 4.7 million customers in the South of England.” Veolia describes itself as “the world’s largest private player in the water sector, providing water and wastewater services to tens of millions of people.” Veolia North America posted a notice on its website saying “Its Municipal Water division was hit by ransomware last week. This incident seems to have been confined to our internal back-end systems at Veolia North America.”[4] Analyst’s Comment: Although the Black Basta ransomware group is not ‘directly’ affiliated with the Russian war effort, the group’s victims are from ‘Five Eyes’ countries and Japan.
7. Ukraine. Ukraine’s military intelligence agency, the GUR, said its hacking operation ‘Blackjack’ hacked “over 500 military bases across Russia and Russia-occupied regions in Ukraine, including the Russian Army’s military headquarters. … Maps and construction plans were exfiltrated. … The stolen data amounted to more than 1.2TB from Russian servers and 150 computers across Russia ‘were deactivated’. … Russian special construction workers were left without the entire array of data and backup copies of information.”[5] “Critically important information about Russian military facilities that have already been completed, are at the stage of construction/reconstruction, or are planned for construction, was transferred to the Security and Defense Forces of Ukraine,” the GUR said on its website.[6]
China
8. A hacker group identified as ‘UTA0178’, which ‘has a nexus in China’, has commenced “widespread exploitation” of two vulnerabilities in Ivanti VPN (Virtual Private Network) appliances. “The hacked devices belong to organizations in the government, military, telecoms, defense, tech, banking, finance, accounting, consulting, aerospace, aviation and engineering sectors. They include small businesses and Fortune 500 companies.”[7] The initial attacks were thought to be ‘highly targeted’: a report by cyber-security company Mandiant said that fewer than 20 devices had been compromised as of January 11th. By January 16th, “mass exploitation by the same actor … compromised at least 1,700 devices.” The Register quotes Mandiant: “There’s also evidence to suggest that attackers beyond the group responsible now have their hands on a working exploit, which might offer a partial explanation for the shift toward mass exploitation.”[8]
9. A China-linked actor, tracked as UNC3886, has been exploiting a VMware vCenter Server vulnerability since late 2021. “vCenter Server serves as a centralized and comprehensive management platform for VMware’s virtualized data centers. … The attacker could execute privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs – without authentication. … Experts believe that the attack was carried out for cyberespionage purposes.”[9] The vulnerability has been patched. A patch closes the entry point but does not evict an intruder already inside; given how long this actor operated before discovery, vCenter owners should look for evidence of earlier compromise rather than assume the update settled the matter.
Israel vs Iran
10. NetBlocks, a global internet-monitoring platform that tracks outages, disruptions and censorship events worldwide, reported a significant network disruption affecting the Israeli BAZAN Group, Israel’s top oil refinery and petrochemical operator. Anonymous Sudan claimed responsibility for the attack on its Telegram channel: “Their entire infrastructure has been hit hard. Note that some irrelevant public-facing BAZAN websites may be up; however, the important infrastructure servers are confirmed to be down,” the group claimed.[10] The day after the attack, BAZAN Group acknowledged only a brief disruption: “We are aware of this sort of report. Yesterday we have experienced a temporary and minor slowdown in connectivity. No damage to the business nor to operational processes has been done.”[11]
State of Cyber-Crime
11. Ransomware Is Increasing. The GuidePoint Research and Intelligence Team (GRIT) is reporting an 80 percent increase in ransomware activity in 2023. The report says: “While mass exploitation campaigns contributed substantially to this large increase, we saw a significant increase in ransomware activity overall. … Long-established groups account for the overwhelming majority of observed victims (85 percent), followed by developing groups (10 percent).” GuidePoint observed:
• 63 distinct ransomware groups using encryption, data exfiltration, data extortion, and other novel tactics;
• 4,519 victims publicly posted; and
• victims across all 30 of GRIT’s tracked industries in 120 countries.[12]
12. Barracuda Networks and the Ponemon Institute collaborated on a study of ‘cybernomics’, the financial forces that drive cyberattacks, based on a survey of 1,917 IT security practitioners from the United States, United Kingdom, France, Germany, and Australia. The research sought to understand the economic consequences for organizations.[13]
• 71 percent of respondents had experienced a ransomware attack over the last year;
• 61 percent paid the ransom;
• the average annual cost to respond to compromises is a startling $5.34 million; and
• survey respondents believe that generative AI (Artificial Intelligence) will enable hackers to launch more frequent and more successful attacks.[14]
13. MOAB. Some hackers compile data from previous breaches into a single database that serves as a resource for launching new attacks. An open database was discovered “with a new, supermassive Mother of all Breaches (MOAB) which contains 26 billion records or 13 terabytes of data taken from previous leaks, breaches and hacked databases. … leak also includes records from government organizations in the U.S., Brazil, Germany, the Philippines, Turkey and several other countries. … If you reuse the same password across multiple sites and services, once hackers get your credentials for one account, they will then use them to access your other accounts.”[15] Analyst’s Comment: Password reuse is the most common weakness for the average user. A compilation like this is exactly the input for credential stuffing, in which leaked username/password pairs are replayed against other services; unique per-site passwords and multi-factor authentication are what blunt it.
14. New Hacking Targets. New additions to ‘what can be hacked’ now include smart TVs[16], Teslas, EVs and their charging systems[17]. Worse is to come: the British National Cyber Security Centre (NCSC) said it was “almost certain” that “ransomware attacks will increase in both volume and impact over the next two years due to artificial intelligence (AI) technologies”. The warning goes on to say: “At present, generative AI is already being used to create a “capability uplift in reconnaissance and social engineering” making both of these tasks “more effective, efficient, and harder to detect.” … AI is also considered likely to assist with “malware and exploit development, vulnerability research and lateral movement by making existing techniques more efficient.”[18] Analyst’s Comment: The report claims that the ‘good news’ is that only top-tier criminal groups will be able to leverage AI. We disagree. Programmers with limited skills are already leveraging AI to improve their code, and less skilled hackers will be able to do the same.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org