
Cyber Monitoring #7 (December & January 2023)

Chinese researchers identified new variant of leaked CIA malware in the wild
China

Chinese security company Qihoo 360 recently discovered a new variant of the Hive malware framework, named XDR33. The original Hive framework was allegedly developed by the CIA, is an extremely powerful cyberespionage tool, and had its documentation leaked by WikiLeaks in 2017.
This is the first time the company has found a variant of this CIA malware in the wild. While Netlab (Qihoo 360’s network security research team) did not attribute the recent attacks to the CIA, it should be noted that China’s CERT agency had previously issued an alert last April linking the CIA to attacks carried out using the Hive malware.


New commitments to strengthen hospital cybersecurity
France

Gérald Darmanin (Minister of the Interior and Overseas Territories), François Braun (Minister of Health and Prevention) and Jean-Noël Barrot (Minister for Digital Transition and Telecommunications) organized a working group on cybersecurity in healthcare in late December.
They announced the launch of a plan to prepare healthcare facilities for cyber incidents. The digital health roadmap will devote an important part to cybersecurity. To this end, a task force bringing together all the relevant authorities should be created by March 2023.


Nordic states develop a defense-focused cybersecurity strategy
Northern Europe

Following a meeting in December, the member countries of the Nordic Council have signed a multinational agreement to develop joint cybersecurity defense and intelligence sharing capabilities. This initiative, led by Norway, aims to develop a common Nordic cybersecurity strategy.


Threat actors increasingly leverage sponsored websites and Google ads to deploy their malware
International

An increasing trend among financially motivated actors consists of relying on Google Ads to spread malware to unsuspecting users searching for popular software products. While this technique is not new, it has certainly gained in popularity recently. An increasing number of threat actors leverage credible-looking advertisement sites, generally irrelevant but benign, which then redirect users who click on the ads through a series of malicious pages that ultimately impersonate a legitimate software download and drop a malicious payload. For instance, this technique is used to deliver malware such as IcedID, BatLoader, QakBot, Raccoon Stealer, SocGholish or even Rhadamanthys and Vidar. Most of them are information-stealing tools.


Massive cyberattacks reported by Serbian authorities against their interior ministry
Serbia

In early January, the Serbian Ministry of Interior suffered a wave of DDoS attacks that paralyzed its website for more than 48 hours, as well as several cyberattacks directly targeting its IT infrastructure. The country’s Ministry of Defense had already been the target of a recent cyberattack claimed by the group Anonymous. This latest attack has not been claimed, but it comes in a context where hacker groups such as Anonymous have criticized Serbia’s position toward Russia and its invasion of Ukrainian territory. Anonymous publicly declared on its Twitter account its intention to attack the IT infrastructure of the country’s administrations.


US nuclear research laboratories targeted by Russian hackers
USA – Russia

Cold River, a Russian hacking team, targeted three nuclear research laboratories in the USA between August and September 2022. The hackers created fake login pages for the three institutions and emailed nuclear scientists in an attempt to trick them into revealing their passwords. Official authorities have not commented on the matter, so it is not known whether these attempts were successful. Cold River, a group of highly skilled hackers involved in several high-profile hacking incidents and suspected of being closely linked to the Kremlin, has intensified its hacking campaigns against Ukraine’s allies since the invasion of the country in February 2022.


Russian hackers attempt to access ChatGPT for malicious purposes
Russia

Russian cybercriminals are trying to gain access to OpenAI’s ChatGPT tool. The famous chatbot is unavailable in Russia, and a VPN is not enough to circumvent this restriction: to use it, one must confirm their geolocation via both a credit card and an SMS sent to their phone number. As documented by Check Point Research, tips are being exchanged on Russian hacker forums on how to bypass the geo controls, including how to obtain a temporary phone number and use stolen credit cards for verification. It is suspected that the hackers seek access to the chatbot to make their criminal activities more cost-efficient.


Revenue from ransomware down by 40% in 2022
International

Ransomware was 40% less profitable for cybercriminals in 2022 than in the two previous years. According to Chainalysis, in both 2020 and 2021 revenue reached a record high of around 765 million USD in confirmed transactions. In 2022, that number “only” amounted to 457 million USD. Although the number of attacks has not decreased, many more victims now refuse to pay the ransom. This can be explained by cyber insurance companies demanding higher security standards before reimbursing a client, as well as by the possible legal sanctions a victim may face for paying sanctioned threat actors.