At a glance.
- New wiper targets Ukraine.
- MuddyWater composed of smaller subgroups.
- Vulnerability allows for record-breaking DDoS packet amplification ratio.
- Analysis of the Conti leaks.
New wiper targets Ukraine.
Researchers at ESET have discovered another new data wiper that's targeting Ukrainian organizations. This malware, called "CaddyWiper," is the third wiper that's been used against Ukraine over the past three weeks:
"Dubbed CaddyWiper by ESET analysts, the malware was first detected at 11.38 a.m. local time (9.38 a.m. UTC) on Monday. The wiper, which destroys user data and partition information from attached drives, was spotted on several dozen systems in a limited number of organizations. It is detected by ESET products as Win32/KillDisk.NCX. CaddyWiper bears no major code similarities to either HermeticWiper or IsaacWiper, the other two new data wipers that have struck organizations in Ukraine since February 23rd. Much like with HermeticWiper, however, there’s evidence to suggest that the bad actors behind CaddyWiper infiltrated the target’s network before unleashing the wiper."
MuddyWater composed of smaller subgroups.
Cisco Talos has observed a new campaign targeting organizations in Turkey and the Arabian Peninsula. The researchers attribute the campaign with high confidence to "groups operating under the MuddyWater umbrella of APT groups." MuddyWater has been attributed to Iran's Ministry of Intelligence and Security (MOIS) by US Cyber Command. Talos believes the recent campaign presents more evidence that MuddyWater is composed of a set of subgroups and contractors that share some techniques and tooling with each other:
"We assess that MuddyWater is a conglomerate of smaller teams, with each team using different targeting tactics against specific regions of the world. They appear to share some techniques and evolve them as needed. This sharing is possibly the result of contractors that move from team to team, or the use of the same development and operational contractors across each team. The latter also explains why we have seen simple indicators such as unique strings and watermarks shared between MuddyWater and the Phosphorus (aka APT35 and Charming Kitten) APT groups. These groups are attributed to different Iranian state organizations — the MOIS and IRGC, respectively."
Vulnerability allows for record-breaking DDoS packet amplification ratio.
Researchers from Akamai, Cloudflare, Lumen Black Lotus Labs, Mitel, NETSCOUT, Team Cymru, TELUS, and the Shadowserver Foundation have issued a joint advisory concerning DDoS attacks launched from Mitel's MiCollab and MiVoice Business Express collaboration systems. The attacks are launched via a vulnerability (CVE-2022-26143) that allows for a packet amplification ratio of more than four billion to one.
"Approximately 2600 of these systems have been incorrectly provisioned so that an unauthenticated system test facility has been inadvertently exposed to the public Internet, allowing attackers to leverage these PBX VoIP gateways as DDoS reflectors/amplifiers.
"Mitel is aware that these systems are being abused to facilitate high-pps DDoS attacks, and have been actively working with customers to remediate abusable devices with patched software that disables public access to the system test facility."
The researchers add that this technique has been used in attacks against "broadband access ISPs, financial institutions, logistics companies, gaming companies, and organizations in other vertical markets."
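As an added, defender-side illustration (not code from the advisory or from any of the researchers named above), the check below runs over flow records and flags a local host whose outbound packet count toward one peer dwarfs what that peer sent it, which is the trace an abused reflector leaves in flow exports; the record format, thresholds and sample values are constructed for this example.

```python
"""Flag local hosts that behave as packet amplifiers in flow records.

Added example, not from the advisory or any vendor tool. A reflector abused
for amplification answers one short (typically spoofed) inbound packet with a
very large stream of outbound packets to the same remote address, so the
out:in packet ratio per peer pair is the quantity to watch. The flow tuple
format and the sample values are constructed for illustration.
"""
from collections import defaultdict

# Constructed flow records: (local_host, remote_host, direction, packets).
# direction "in" means remote -> local, "out" means local -> remote.
SAMPLE_FLOWS = [
    ("10.0.5.20", "203.0.113.9", "in", 1),           # single trigger packet
    ("10.0.5.20", "203.0.113.9", "out", 4_294_967),  # sustained reply stream
    ("10.0.5.20", "198.51.100.7", "in", 40),         # ordinary two-way traffic
    ("10.0.5.20", "198.51.100.7", "out", 38),
    ("10.0.5.21", "192.0.2.33", "in", 12),
    ("10.0.5.21", "192.0.2.33", "out", 15),
]


def packet_amplification(flows):
    """Return {(local, remote): out_packets / max(in_packets, 1)} per pair."""
    counts = defaultdict(lambda: {"in": 0, "out": 0})
    for local, remote, direction, packets in flows:
        counts[(local, remote)][direction] += packets
    return {pair: c["out"] / max(c["in"], 1) for pair, c in counts.items()}


def find_amplifiers(flows, min_ratio=100.0, min_out_packets=10_000):
    """Peer pairs whose outbound volume far exceeds what the peer solicited.

    Both thresholds must be met, so a quiet host with a few unanswered inbound
    packets (ratio 0) or a tiny burst is not reported as an amplifier.
    """
    out_totals = defaultdict(int)
    for local, remote, direction, packets in flows:
        if direction == "out":
            out_totals[(local, remote)] += packets
    ratios = packet_amplification(flows)
    return sorted(pair for pair, ratio in ratios.items()
                  if ratio >= min_ratio and out_totals[pair] >= min_out_packets)


if __name__ == "__main__":
    ratios = packet_amplification(SAMPLE_FLOWS)
    for local, remote in find_amplifiers(SAMPLE_FLOWS):
        print(f"{local} -> {remote}: {ratios[(local, remote)]:.0f}:1 amplification")
```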
Analysis of the Conti leaks.
Check Point has published an analysis of the Conti ransomware group leaks, noting that in many ways the gang operates like a legitimate tech startup, with an "HR department, a hiring process, offline office premises, salaries, and bonus payments." The researchers have also published a graph mapping out Conti members' apparent roles within the organization.