Subj : Russian hackers use a blast from the Windows past to launch cyber
To   : All
From : TechnologyDaily
Date : Thu May 04 2023 19:45:04

Russian hackers use a blast from the Windows past to launch cyberattacks

Date: Thu, 04 May 2023 18:35:55 +0000

Description: Sandworm is targeting Ukrainian devices with data-wiping malware that abuses WinRAR.

FULL STORY
======================================================================

Russian state-sponsored hackers have wiped data from devices belonging to Ukrainian state networks thanks to poorly protected VPNs and malware that abuses the popular archiving program WinRAR.

The Ukrainian Government Computer Emergency Response Team (CERT-UA) recently claimed that a Russian threat actor, thought to be from the Sandworm group, managed to compromise Ukrainian state networks by using compromised VPN accounts that did not have multi-factor authentication (MFA) set up. After gaining access, the attackers deployed malware dubbed RoarBat, which essentially wipes the affected drives.

Deleting everything

The malware searches the drive for files with various extensions, including .doc, .txt, .jpg, and .xlsx. It then calls WinRAR to archive all those files, adding the -df command-line option, which deletes each file as it is archived. Once the work is done, the malware deletes the archive itself, essentially wiping all of the data found on the disk in one fell swoop.

The threat actors are also targeting Linux devices, the agency further stated: for that OS, they're using a Bash script and the dd utility to overwrite target files with zero bytes. Because the original contents are overwritten rather than merely unlinked, recovery of files "emptied" using the dd tool is unlikely, if not entirely impossible, BleepingComputer states.

This is not the first time such an attack has targeted Ukrainian state networks, CERT-UA claims.
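A defender-side detection check for the two wiper behaviours described above, written as an added example (not code from the article, CERT-UA or BleepingComputer). It scans process-creation telemetry for WinRAR or rar.exe invoked with the -df switch against broad wildcard targets, and for dd zero-filling a regular file from /dev/zero. The events, host names and rule names are constructed for illustration and are not from any real incident.

```python
"""Flag WinRAR "-df" sweeps and dd zero-fills in process-creation telemetry.

The sample events below are constructed, not real logs. A real deployment
would feed in Sysmon event 1 / auditd EXECVE records in the same shape.
"""
import ntpath
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events: (host, image path, full command line).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Wiper-style use: add (a), recurse (-r), delete after archiving (-df), many wildcards.
    {"host": "ws-01", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r -df D:\out\a.rar *.doc *.txt *.jpg *.xlsx'},
    # Ordinary use: one file archived, nothing deleted.
    {"host": "ws-02", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a C:\Users\u\Desktop\report.rar C:\Users\u\Desktop\report.docx'},
    # Zero-filling a regular file: the Linux behaviour described in the story.
    {"host": "srv-03", "image": "/usr/bin/dd",
     "cmdline": "dd if=/dev/zero of=/srv/data/db.sqlite bs=1M"},
    # Benign disk imaging: source is a block device, not /dev/zero.
    {"host": "srv-03", "image": "/usr/bin/dd",
     "cmdline": "dd if=/dev/sda of=/backup/sda.img bs=4M"},
]

ARCHIVER_IMAGES = {"winrar.exe", "rar.exe"}


@dataclass
class Finding:
    host: str
    rule: str
    severity: str
    cmdline: str


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace while keeping double-quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(image: str) -> str:
    """Basename that works for both Windows and POSIX image paths."""
    return ntpath.basename(image) if "\\" in image else posixpath.basename(image)


def check_winrar(event: Dict[str, str]) -> Optional[Finding]:
    """WinRAR/rar.exe with -df: files are deleted as they are archived."""
    if basename(event["image"]).lower() not in ARCHIVER_IMAGES:
        return None
    args = tokenize(event["cmdline"])[1:]  # drop argv[0]
    switches = {t.lower() for t in args if t.startswith("-")}
    if "-df" not in switches:
        return None
    # Several wildcard targets (*.doc, *.xlsx, ...) mean a sweep of the
    # drive rather than a user archiving one document; escalate severity.
    wildcards = [t for t in args if t.startswith("*.")]
    severity = "high" if len(wildcards) >= 3 else "medium"
    return Finding(event["host"], "winrar_delete_after_archive", severity, event["cmdline"])


def check_dd(event: Dict[str, str]) -> Optional[Finding]:
    """dd reading /dev/zero into a regular file path (not a device node)."""
    if basename(event["image"]) != "dd":
        return None
    opts = dict(t.split("=", 1) for t in tokenize(event["cmdline"])[1:] if "=" in t)
    src, dst = opts.get("if", ""), opts.get("of", "")
    if src != "/dev/zero" or not dst or dst.startswith("/dev/"):
        return None
    return Finding(event["host"], "dd_zero_fill_regular_file", "high", event["cmdline"])


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    """Run every check over every event and collect the findings."""
    findings: List[Finding] = []
    for ev in events:
        for check in (check_winrar, check_dd):
            hit = check(ev)
            if hit is not None:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} {f.rule}: {f.cmdline}")
```

The wildcard heuristic is the part worth tuning: backup jobs that legitimately use -df exist, so the rule is best paired with the VPN-without-MFA context the story describes (an interactive session from an unusual source running the archiver) rather than alerting on the switch alone.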
In January 2023, the country's state news agency, Ukrinform, was also targeted by Sandworm:

"The method of implementation of the malicious plan, the IP addresses of the access subjects, as well as the fact of using a modified version of RoarBat testify to the similarity with the cyberattack on Ukrinform, information about which was published in the Telegram channel "CyberArmyofRussia_Reborn" on January 17, 2023," CERT-UA said.

The best way to defend against such attacks is to keep hardware and software updated, to enable MFA wherever possible, and to limit access to management interfaces as much as possible.

Via: BleepingComputer

======================================================================
Link to news story: https://www.techradar.com/news/russian-hackers-use-a-blast-from-the-windows-past-to-launch-cyberattacks

--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)