The Computer Emergency Response Team of Ukraine (CERT-UA) said that Russia-linked threat actors breached multiple government websites this week. The government experts attribute the attack to the UAC-0056 group (also tracked as DEV-0586, UNC2589, Nodaria, or Lorec53).
“The Government Computer Emergency Response Team of Ukraine CERT-UA is taking measures to investigate the circumstances of the incident on February 23, 2023,” reads the alert published by Ukraine’s Computer Emergency Response Team. “As of 11:00 on 02/23/2023, a previously known encrypted web shell was detected on one of the websites, and the fact of its use was confirmed in the period from 22:00 on 02/22/2023 to 05:30 on 02/23/2023, as a result of which, among other things, the file “index.php” was created in the root web directory, which provided modification of the content of the main page of the web resource.”
The SSSCIP’s National Cybersecurity Coordination Center along with the Cyber Police are working together to lock out the threats and investigate the security breaches.
“Today, on February 23, an attack was detected on a number of websites of Ukrainian central and local authorities, resulting in a modification of the content of some of their webpages.” reads the advisory published by Ukraine’s cybersecurity defense and security agency SSSCIP.
The state-sponsored hackers used a web shell created no later than December 23, 2021, to deploy multiple backdoors.
The nation-state actor employed the SSH backdoor CredPump (PAM module) to achieve remote SSH access (with a static password value) and logging of logins and passwords when connecting via SSH.
The attackers also used the HoaxPen and HoaxApe backdoors; experts discovered that this malicious code took the form of modules for the Apache web server and was installed in February 2022.
The alert states that attackers employed GOST (Go Simple Tunnel) and the Ngrok program in the early stages of the attack.
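The three persistence mechanisms described above (a PAM module hooked into SSH, Apache modules, and a file dropped into the web root) each leave a footprint that a defender can enumerate. The following triage helper is an added example written for this article, not CERT-UA tooling; the directory paths, the time window and the "not owned by any package" heuristic are assumptions to adjust per host.

```bash
#!/bin/sh
# Added triage helper, not CERT-UA tooling: three checks that mirror the persistence
# described in the alert. Directory paths and the package-ownership heuristic are
# assumptions; an analyst reviews the output, it is not a verdict.

# 1. Shared objects referenced from PAM configuration (a CredPump-style PAM module
#    must be named here, or in a file included from here, for sshd to load it).
pam_modules() {
  pamdir="${1:-/etc/pam.d}"
  grep -rhoE '[A-Za-z0-9_./-]*pam_[A-Za-z0-9_.-]*\.so' "$pamdir" 2>/dev/null | sort -u
}

# 2. Module files pulled in by Apache LoadModule directives (HoaxPen/HoaxApe were
#    delivered as Apache modules, so an unexpected entry here deserves a look).
apache_modules() {
  confdir="${1:-/etc/apache2}"
  grep -rhoE '^[[:space:]]*LoadModule[[:space:]]+[A-Za-z0-9_]+[[:space:]]+[^[:space:]]+' \
    "$confdir" 2>/dev/null | awk '{print $3}' | sort -u
}

# 3. Files under a web root modified inside a window, e.g. the index.php the web
#    shell wrote between 22:00 on 2023-02-22 and 05:30 on 2023-02-23 (GNU find).
changed_in_window() {
  webroot="$1"; since="$2"; end="$3"
  find "$webroot" -type f -newermt "$since" ! -newermt "$end" 2>/dev/null | sort
}

# Flag a module path that no installed package claims (dpkg- or rpm-based hosts).
# Bare PAM names are resolved against the usual security directories; Apache paths
# relative to ServerRoot are reported as MISSING and need manual resolution.
check_owner() {
  path="$1"
  case "$path" in
    /*) ;;
    *) for d in /lib/x86_64-linux-gnu/security /lib64/security /lib/security \
                /usr/lib/security /usr/lib64/security; do
         [ -e "$d/$path" ] && { path="$d/$path"; break; }
       done ;;
  esac
  [ -e "$path" ] || { echo "MISSING  $path"; return; }
  if command -v dpkg >/dev/null 2>&1; then
    dpkg -S "$path" >/dev/null 2>&1 || echo "UNOWNED  $path"
  elif command -v rpm >/dev/null 2>&1; then
    rpm -qf "$path" >/dev/null 2>&1 || echo "UNOWNED  $path"
  fi
}

# Typical run on a suspect host (web root path assumed):
#   for m in $(pam_modules) $(apache_modules); do check_owner "$m"; done
#   changed_in_window /var/www/html '2023-02-22 22:00:00' '2023-02-23 05:30:00'
```

Package ownership only proves a file shipped with a package, not that it is unmodified; compare flagged and unflagged modules against a known-good host or package checksums before drawing conclusions.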
The alert also includes indicators of compromise (IoCs) for the attacks.
The UAC-0056 APT group has been active since at least March 2021. It focuses on Ukraine, although it has also been involved in attacks on targets in Kyrgyzstan and Georgia.
In early February, the UAC-0056 group was observed deploying a new information stealer dubbed Graphiron in attacks against Ukraine.
In early February 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a phishing campaign aimed at state authorities that involves the use of the legitimate remote access software Remcos.
(SecurityAffairs – hacking, Ukraine)