Sophisticated Cyber Tactics and Malware Deployment: Ukrainian military intelligence operatives infiltrated key central servers of the Russian Federal Taxation Service (FTS) and its regional servers, employing advanced cyber tactics. They used malware to infect these servers, completely erasing both the main database and its backup copies.
Systematic Server Targeting and Data Annihilation: The attack encompassed over 2,300 regional servers across Russia and occupied Crimea. The deletion of configuration files, essential for the functionality of the extensive tax system, signifies a focused effort to dismantle the foundational elements of Russia's tax infrastructure.
Impact on Governmental Data Infrastructure: The operation resulted in the paralysis of communication between Moscow's central office and its regional administrations, signifying a systemic collapse of a crucial government agency. This attack illustrates the effectiveness of cyber warfare in disrupting state operations, highlighting vulnerabilities in data management and security protocols.
Extended Recovery and Restoration Challenges: The estimated recovery period of at least a month, with doubts about full restoration, points to the severe impact of the cyberattack. This aspect underscores the long-term strategic objectives of the operation, aimed at causing enduring disruption to Russia's administrative capabilities.
Claim of Data Breach by Snatch Ransomware Group: The Snatch ransomware group publicly claimed to have breached Kraft Heinz, one of the world's largest food and beverage companies. The group listed Kraft Heinz on their data leak site, indicating they stole data and threatened to leak it unless a ransom was paid. This claim emerged on December 14, though the group alleged the attack occurred in August. However, Snatch has not yet provided concrete proof of the breach.
Kraft Heinz's Response and Investigation: Kraft Heinz confirmed that their internal systems are operating normally and found no evidence of a breach. The company is investigating a potential cyberattack on a decommissioned marketing website hosted externally, which might relate to Snatch's claims.
The Notoriety and Tactics of Snatch Ransomware: Snatch, operational since 2018, is known for its ransomware-as-a-service model and double-extortion tactics, involving data encryption and theft. The group has targeted various critical infrastructure sectors. Notably, Snatch is recognized for its unique method of forcing infected devices to reboot in Safe Mode to bypass security solutions and facilitate data exfiltration and encryption.
Cybersecurity Community's Perspective and Precautions: Security experts note that Snatch has evolved its tactics to leverage current cybercriminal trends. The FBI and CISA have issued advisories about Snatch, highlighting its threat to organizations. Experts recommend that large organizations emulate Snatch ransomware tactics to identify vulnerabilities and enhance threat detection and response capabilities as a countermeasure against such ransomware attacks.
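Detection logic for the Safe Mode reboot technique mentioned above, as an added example (not from the FBI/CISA advisory or any vendor): it assumes the boot configuration is switched with bcdedit's safeboot switch and that a service is registered under the SafeBoot registry key, and it runs over constructed process-creation events.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation event (host and command line, as Sysmon Event ID 1 or EDR telemetry gives them)."""
    host: str
    cmdline: str

# Constructed sample telemetry, not real incident data.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "cmd.exe /c dir"),
    ProcEvent("ws01", "bcdedit /set {default} safeboot minimal"),
    ProcEvent("ws01", r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\updsvc /ve /t REG_SZ /d Service /f"),
    ProcEvent("ws01", "shutdown /r /f /t 0"),
    ProcEvent("srv02", "bcdedit /deletevalue {current} safeboot"),
    ProcEvent("srv02", "shutdown /r /t 60"),
]

# Assumed mechanics: Safe Mode is forced with bcdedit's safeboot switch, and a service is
# kept running in Safe Mode by registering it under the SafeBoot\Minimal (or Network) key.
SAFEBOOT_REG = re.compile(r"\breg(\.exe)?\s+add\b.*\\Control\\SafeBoot\\(Minimal|Network)\\", re.I)
FORCED_REBOOT = re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I)

def classify(ev):
    """Tag an event with the Safe Mode abuse stage it matches, or None."""
    c = ev.cmdline.lower()
    if "bcdedit" in c and "/set" in c and "safeboot" in c:
        return "safeboot_set"
    if SAFEBOOT_REG.search(ev.cmdline):
        return "safeboot_service_registered"
    if FORCED_REBOOT.search(ev.cmdline):
        return "forced_reboot"
    return None

def detect_safe_mode_abuse(events):
    """Return {host: [stages]} for hosts where the boot config was switched to Safe Mode and a
    forced reboot followed; a lone reboot or a safeboot cleanup (/deletevalue) is not flagged."""
    per_host = {}
    for ev in events:
        tag = classify(ev)
        if tag:
            per_host.setdefault(ev.host, []).append(tag)
    return {h: t for h, t in per_host.items() if "safeboot_set" in t and "forced_reboot" in t}
```

Ordering is not enforced here; in production, require the reboot to follow the bcdedit change within a short window to keep false positives down.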
High-Level Exploitation by Russian Cyberespionage Group: APT29, also known as Cozy Bear, has been exploiting a critical TeamCity vulnerability (CVE-2023-42793, CVSS 9.8) since September 2023. The flaw, an authentication bypass in on-premises TeamCity instances, allows attackers to steal sensitive information and take control of servers without user interaction. APT29, linked to Russia's SVR, has a history of high-profile cyberattacks, including the 2016 US election hack and the 2020 SolarWinds breach.
Joint Advisory and Global Impact: US agencies (CISA, the FBI, NSA, and others), together with UK and Polish counterparts, issued a joint advisory, the second report on TeamCity exploitation by nation-state groups. The advisory revealed that Cozy Bear compromised several organizations, with more than 100 devices affected across various global regions, in sectors including energy, software, and IT. This widespread activity highlights the group's persistent threat to public and private networks worldwide.
Operational Tactics and Techniques: Post-exploitation, APT29 deployed backdoors for network persistence, conducted spear-phishing attacks, and targeted multiple sectors for cyberespionage. They used GraphicalProton malware and techniques like "bring your own vulnerable driver" to avoid detection. Tactics also included credential theft, Active Directory enumeration, tunneling tools, and disabling antivirus and EDR capabilities, reflecting a sophisticated modus operandi.
Mitigation Measures and Remaining Vulnerabilities: While JetBrains patched the vulnerability in TeamCity 2023.05.4, about 2% of instances remain unpatched, predominantly in the U.S. and Europe. CISA recommends patching, implementing multi-factor authentication, monitoring networks, and auditing log files to mitigate risks. The continued exploitation activity suggests that Cozy Bear is likely still in the operational preparatory phase, posing ongoing threats.
Widespread Malicious Package Discovery on PyPI: ESET Research identified 116 malicious Python packages on PyPI, the official Python package repository. These packages, downloaded over 10,000 times since May 2023, target both Windows and Linux systems. The payloads vary from custom backdoors to W4SP Stealer or clipboard monitors for cryptocurrency theft.
Deceptive Packaging and Delivery Mechanisms: PyPI packages, appearing as wheels (prebuilt) or source packages, often conceal malware in the built distribution while presenting a clean source distribution. The threat actors employ techniques like embedding lightly obfuscated malicious code in test.py scripts, PowerShell code in setup.py files, and direct inclusion of malicious code in packages.
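An added example (not ESET's tooling) of checking a release for the sdist/wheel discrepancy described above: it builds a constructed sample package in memory, lists modules that exist only in the wheel, and applies simple triage patterns for the delivery tricks named in the text; the package name and contents are made up.

```python
import io, re, tarfile, zipfile

def build_sdist(top, files):
    """Build an in-memory source distribution (tar.gz) from {path: text}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(f"{top}/{path}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_wheel(files):
    """Build an in-memory wheel (a zip archive) from {path: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()

# Constructed sample release: the sdist is clean, the wheel carries an extra module.
CLEAN = {"setup.py": "from setuptools import setup\nsetup(name='demo')\n",
         "demo/__init__.py": "def hello():\n    return 'hi'\n"}
SDIST = build_sdist("demo-1.0", CLEAN)
WHEEL = build_wheel({"demo/__init__.py": CLEAN["demo/__init__.py"],
                     "demo/test.py": "import base64\nexec(base64.b64decode('<payload>'))\n"})

# Triage heuristics for the tricks above (PowerShell in setup.py, lightly obfuscated code).
SUSPICIOUS = re.compile(r"powershell|b64decode|\bexec\(|subprocess", re.I)

def sdist_files(sdist_bytes):
    """Map path (without the top-level dir) to text for every file in the sdist."""
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tf:
        return {m.name.split("/", 1)[1]: tf.extractfile(m).read().decode()
                for m in tf.getmembers() if m.isfile()}

def wheel_py_files(wheel_bytes):
    """Map path to text for every .py file in the wheel."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return {n: zf.read(n).decode() for n in zf.namelist() if n.endswith(".py")}

def audit_release(sdist_bytes, wheel_bytes):
    """Report modules present only in the wheel, and any file matching the triage heuristics."""
    src, whl = sdist_files(sdist_bytes), wheel_py_files(wheel_bytes)
    return {"wheel_only": sorted(set(whl) - set(src)),
            "suspicious": sorted(p for p, t in {**src, **whl}.items() if SUSPICIOUS.search(t))}
```

For a real package, feed the bytes downloaded from the sdist and wheel URLs of the same release; a non-empty wheel_only list is the signal worth reviewing by hand.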
Sophisticated Persistence Techniques on Windows and Linux: On Windows, persistence is achieved via VBScript Encoded files, scheduled to run periodically. Linux systems are compromised by placing malicious desktop entries in the autostart directory, deceptively named to reduce suspicion. These methods ensure continuous operation of the malware.
Diverse Malware Capabilities and Final Payloads: The malware exhibits capabilities like remote command execution, data exfiltration, and screen capturing. The backdoor components are tailored for each OS—Python for Windows and Go for Linux. In certain cases, the final payload includes cryptocurrency-targeting clipboard monitors or variants of W4SP Stealer.
High-Risk File Upload System Vulnerability: CVE-2023-50164, a critical vulnerability in Apache Struts 2, scores 9.8 in severity. The flaw lies in the file upload mechanism and allows attackers to perform unauthorized path traversal and upload malicious files. This vulnerability is challenging to exploit at scale but poses a significant risk to organizations using Apache Struts, particularly its file upload feature.
Widespread Impact Across Versions and Industries: Affecting Struts versions from 2.5.0 to 2.5.32 and 6.0.0 to 6.3.0, CVE-2023-50164 exposes various sectors to potential data breaches, operational disruptions, and financial losses. There's evidence of Proof of Concept (PoC) exploits in the wild, indicating a high risk and urgency for system administrators to secure their systems.
Similarities to Previous High-Profile Vulnerabilities: This vulnerability is comparable in impact to the Log4Shell and the 2017 Struts vulnerability exploited in the Equifax breach. Its widespread use in industries such as finance, healthcare, and government underscores its potential for global impact and severe operational consequences.
Immediate Actions for Mitigation: Urgent measures include updating Apache Struts to versions 2.5.33, 6.3.0.2, or higher. System administrators should immediately scan for and identify any instances of vulnerable Apache Struts versions within their networks. Critical steps include patching vulnerable systems, enforcing rigorous input validation and sanitization, particularly for file upload functionalities, and deploying intrusion detection systems to monitor for exploitation attempts.
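An added inventory check (not from JetBrains, Apache, or the advisories) covering both the TeamCity fix version given earlier and the Struts ranges in this item; hostnames and versions in the inventory are constructed, and tuple comparison is used so that the four-part 6.3.0.2 sorts above 6.3.0.

```python
import re

def parse_version(s):
    """Dotted version string to a tuple of ints, so '6.3.0' < '6.3.0.2' and '2023.05.4' -> (2023, 5, 4)."""
    return tuple(int(p) for p in re.findall(r"\d+", s))

# Affected ranges as given in the two items above (inclusive bounds); TeamCity is on-premises only.
STRUTS_AFFECTED = [("2.5.0", "2.5.32"), ("6.0.0", "6.3.0")]
TEAMCITY_FIXED = "2023.05.4"

def is_vulnerable(product, version):
    """True when the installed version falls in a range the advisories list as affected."""
    v = parse_version(version)
    if product == "apache-struts":
        return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in STRUTS_AFFECTED)
    if product == "teamcity":
        return v < parse_version(TEAMCITY_FIXED)
    raise ValueError(f"no advisory data for {product}")

# Constructed inventory; hostnames and versions are made up for the example.
INVENTORY = [
    ("build01", "teamcity", "2023.05.3"),
    ("build02", "teamcity", "2023.05.4"),
    ("build03", "teamcity", "2022.10.1"),
    ("app01", "apache-struts", "2.5.32"),
    ("app02", "apache-struts", "2.5.33"),
    ("app03", "apache-struts", "6.3.0"),
    ("app04", "apache-struts", "6.3.0.2"),
    ("app05", "apache-struts", "6.1.2.1"),
]

def find_vulnerable(inventory):
    """Hosts whose (product, version) is still exposed, in inventory order."""
    return [(h, p, v) for h, p, v in inventory if is_vulnerable(p, v)]
```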