On 13th September, we invite you to the grand finale of the Cyber Fortress League during the Security Case Study 2023 conference in the center of Warsaw.
The first tips are already here:
CyberThunder security researchers detected a campaign targeting the healthcare sector. Many hospitals across the country have been infected with wiper software and have subsequently lost data. The attacker’s goal is to destabilize the country.
Most attacks in the observed campaign begin by exploiting known vulnerabilities in mail servers, Confluence servers, web servers and management systems. The APT group can use various tunneling tools (IVPN, NGROK, SurfShark, TeamViewer and Tor), attack frameworks (Meterpreter) and ready-made binaries (Impacket, PowerShell and procdump). The attacker’s goal is to exfiltrate data and sometimes publish it through a fictitious persona, Free Civilian (on the Internet or on Telegram). The attacker has also disrupted the operations of its victims and engaged in destructive activity, including defacing websites and erasing data with wiper software, e.g. the malware known as WhisperGate. One example of this group’s activity is the attack on Ukrainian government organizations at the turn of 2022 and 2023. The same wiper is used in this campaign.
So far, the APT group has targeted government organizations, law enforcement agencies, non-profit and non-governmental organizations, IT service providers, consulting companies and emergency services in Ukraine, Europe, Central Asia and Latin America.
The actions of the threat actor responsible for this campaign and its choice of targets (attacks mainly hitting Ukraine’s rear areas and the countries supporting Ukraine) prove its connection with the Russian services, especially in the context of Russia’s aggression against Ukraine, now in its second year.
We recommend that network administrators continuously monitor and analyze network traffic, and pay special attention to suspicious activity involving the PowerShell console, the Windows command line and the Impacket toolkit.
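A small check in the spirit of that recommendation, added here as an illustration and not taken from the CERT advisory: it runs a few constructed process-creation records (the shape of Windows Event ID 4688 / Sysmon Event ID 1) through rules for the loopback-share output redirection that Impacket's wmiexec/smbexec leave in command lines, shells spawned by the WMI provider host, hidden or encoded PowerShell launches, and procdump pointed at LSASS. The patterns and hostnames are the editor's own assumptions about what such activity looks like, not indicators from the page.

```python
import re

# Constructed sample records shaped like Windows process-creation events,
# reduced to the fields the rules below need.
SAMPLE_EVENTS = [
    {"host": "hosp-ws01", "parent": "WmiPrvSE.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1694000000.12 2>&1"},
    {"host": "hosp-ws02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -w hidden -enc QQBCAEMA"},  # constructed, decodes to 'ABC'
    {"host": "hosp-srv01", "parent": "services.exe", "image": "cmd.exe",
     "cmdline": r"%COMSPEC% /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat"},
    {"host": "hosp-srv01", "parent": "explorer.exe", "image": "procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"host": "hosp-ws03", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users"},  # benign: no rule should fire
]

# Impacket wmiexec.py/smbexec.py redirect command output into a file on the
# target's own ADMIN$ or C$ share via 127.0.0.1 (assumed artifact).
IMPACKET_OUTPUT = re.compile(r"\\\\127\.0\.0\.1\\(?:ADMIN|C)\$\\__", re.I)
# PowerShell started with an encoded command or a hidden window (assumed artifact).
PS_SUSPICIOUS = re.compile(r"(?:-e(?:c|nc|ncodedcommand)?\s+\S|-w(?:indowstyle)?\s+hidden)", re.I)
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")

# Each rule: (name, explanation, predicate over one event).
RULES = [
    ("impacket_remote_exec", "Impacket wmiexec/smbexec output redirection",
     lambda e: bool(IMPACKET_OUTPUT.search(e["cmdline"]))),
    ("wmi_spawned_shell", "shell started by the WMI provider host",
     lambda e: e["parent"].lower() == "wmiprvse.exe" and e["image"].lower() in SHELLS),
    ("powershell_hidden_or_encoded", "PowerShell launched hidden or with an encoded command",
     lambda e: e["image"].lower() in SHELLS[1:] and bool(PS_SUSPICIOUS.search(e["cmdline"]))),
    ("procdump_lsass", "procdump pointed at LSASS (credential dumping)",
     lambda e: e["image"].lower().startswith("procdump") and "lsass" in e["cmdline"].lower()),
]


def scan_events(events):
    """Return one alert dict per (event, matching rule) pair, in input order."""
    alerts = []
    for ev in events:
        for name, why, pred in RULES:
            if pred(ev):
                alerts.append({"host": ev["host"], "rule": name, "why": why, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f'{a["host"]:10} {a["rule"]:30} {a["cmdline"][:70]}')
```

Real deployments would read the events from the Security or Sysmon log rather than an inline list, but the rule shapes carry over unchanged.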
Monitor your systems to quickly detect a potential attack!!!
If you have discovered unusual activity on your network, please let us know.
CERT Cyber Thunder team