At a glance.
- Hacktivists take down Czech websites.
- Ransomware payments decline.
- FortiOS vulnerability exploited.
- Chinese cyberespionage against Iran.
Hacktivists take down Czech websites.
Check Point reports that the Russian hacktivist group NoName057(16) successfully used DDoS attacks earlier this month to bring down several websites associated with the Czech presidential election. The gang's stated motivation was the Czech Republic's plans to begin training Ukrainian soldiers. While the group has launched these types of attacks in the past, Check Point says this represents "the first time they have successfully attempted to disrupt the availability of key websites during democratic western elections."
Check Point concludes, "As the Czech presidential elections enter their second round on January 27-28, the DDoS attacks against the country persist. The hacktivist group is currently focusing its efforts on government websites as well as those in the private sector, with a recent emphasis on the manufacturing sector."
NoName057(16), a Russian patriotic hacktivist group that functions as an auxiliary of Russia's security and intelligence services, and probably under their direction, has been organizing distributed denial-of-service (DDoS) attacks and website defacements against Ukraine and its Western supporters since at least July. It pays operators between $315 and $1,255 for their services. Radware described the operation last October, paying particular attention to a project called "DDOSIA" that emerged in July. Researchers at Avast had earlier described the group's use of Bobik malware in its campaigns. They divided a typical NoName057(16) attack into reconnaissance and execution phases: first, find a vulnerable target with anti-Russian views, then hit it, and follow up as necessary.
Ransomware payments decline.
Chainalysis observed a steep decline in ransomware payments over the course of 2022. Attackers raked in $457 million last year, compared to $766 million in 2021. The researchers state that "the evidence suggests that this is due to victims’ increasing unwillingness to pay ransomware attackers rather than a decline in the actual number of attacks." Recorded Future intelligence analyst Allan Liska told Chainalysis that he believes victims are unwilling to pay due to increasing legal issues relating to sanctions, as well as increased protections required by cyber insurance firms.
FortiOS vulnerability exploited.
A suspected Chinese threat actor is exploiting a recently patched critical flaw in Fortinet's FortiOS SSL-VPN, according to researchers at Mandiant. The threat actor began exploiting the vulnerability in October 2022, months before the flaw was disclosed publicly. Fortinet issued an advisory on December 12th rating the vulnerability as "critical," noting that the company was "aware of an instance where this vulnerability was exploited in the wild." Mandiant says the threat actor targeted "a European government entity and a managed service provider located in Africa." The researchers discovered a new malware dubbed "BOLDMOVE" that was developed to exploit this vulnerability.
Mandiant notes that the threat actor appears to be sophisticated and well-funded, stating, "The exploits required to compromise these devices can be resource intensive to develop, and thus they are most often used in operations against hardened and high priority targets; often in the government and defense sectors. With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats."
Chinese cyberespionage against Iran.
Palo Alto Networks' Unit 42 has published a report describing "Playful Taurus" (also known as APT15 or Vixen Panda), a Chinese threat actor known for carrying out cyberespionage campaigns against government and diplomatic entities around the world. In this case, Playful Taurus is targeting government entities in Iran with a new version of its Turian malware. The threat actor appears to have compromised the networks of at least four Iranian government organizations, including Iran's Ministry of Foreign Affairs. The new version of the threat actor's malware includes "some additional obfuscation and a modified network protocol."