Ukrenergo confirmed that preliminary results of its investigation showed that the Ukraine power outage occurred in December was caused by hackers.

In December 2016, the Government Ukraine energy company Ukrenergo suffered a severe power outage that affected the ”North” substation at Pivnichna. The incident caused blackouts in the city of Kiev and neighboring regions.

The head of the NEC “Ukrenergo” Vsevolod Kovalchuk explained in a message posted on Facebook that experts at the company were able to restore power in 30 minutes with a manual procedure. According to Kovalchuk, the operations were fully restored after just over an hour.

Kovalchuk pointed out that an equipment malfunction or a cyber attack can be the cause of the problem. According to Kovalchuk, an “external interference through the data network” could have caused the power outage.

Ukraine power outage

 

In a statement sent via email to SecurityWeek on this, Ukrenergo confirmed that preliminary results of its investigation showed that the normal operation of workstations and SCADA systems had been disrupted due to “external influences.”

Once broken in the target network, attackers used a malware to gain a remote control of systems at the power plant. Experts are still investigating to establish a timeline of events and identify the entry point of the hackers. They don’t exclude that the threat could still be inside the target network in a dormant state.

The company is working to secure its system by implementing organizational and technological measures that would make its systems resilient to further attacks.

“The cyber-security company Information Systems Security Partners (ISSP) has linked the incident to a hack and blackout in 2015 that affected 225,000.” reported the BBC. “ISSP, a Ukrainian company investigating the incidents on behalf of Ukrenergo, now appears to be suggesting a firmer link.

It said that both the 2015 and 2016 attacks were connected, along with a series of hacks on other state institutions this December, including the national railway system, several government ministries and a national pension fund.

Oleksii Yasnskiy, head of ISSP labs, said: “The attacks in 2016 and 2015 were not much different – the only distinction was that the attacks of 2016 became more complex and were much better organised.“”

Who is behind the power outage?

Intelligence experts suspect blames the Russia one again.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – Ukrenergo, hacking)

The post 2016 Christmas Ukraine power outage was caused by hackers appeared first on Security Affairs.

Source: securityaffairs

The infamous Carbanak cybercrime gang is back and is leveraging Google services for command-and-control of its malicious codes.

The dreaded Carbanak cybercrime gang is back and is adopting a new tactic for its attacks, it is leveraging Google services for command-and-control of its malware.

The criminal organization is named Carbanak cybergang because of the name of the malware they used to compromise computers at banks and other financial institutions, experts estimated that the hackers swiped over $1 Billion from their victims.

 The majority of financial institutions victims of the gang are located in Russia, but many other attacks have been detected in other countries, including Japan, Europe and in the United States.

Carbanak targets

Figure 1 – Map of Infections, 2015 Attacks against financial Institutions (Kaspersky Lab)

The investigators discovered that the “Carbanak cybergang” hit more than 100 financial institutions in 30 countries, it has been active at least since 2013 and there are strong indications that it may still be ongoing.

Now researchers from Forcepoint Security Labs have spotted a new campaign conducted by the Carbanak gang that exploits Google’s Apps Script, Sheets, and Forms cloud-based services to control their malicious code.

The attack vector is a trojanized RTF document with an encoded Visual Basic script that is spread via email.

Forcepoint Security Labs™ recently investigated a trojanized RTF document which we tied to the Carbank criminal gang. The document contains an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware. Recent samples of the malware have now included the ability to use Google services for command-and-control (C&C) communication. We have notified Google of the abuse and are working with them to share additional information.” reads the analysis published by Forcepoint.

“For each infected user a unique Google Sheets spreadsheet is dynamically created in order to manage each victim. The use of a legitimate third party service like this one gives the attacker the ability to hide in plain sight,” Forcepoint wrote in a blog post today.

 Carbanak

 

 

The crooks used the “ggldr” script to send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services.

Hackers used to create a unique Google Sheets spreadsheet for each infected user, in this way they attempted to avoid detection.

“The use of a legitimate third party service like this one gives the attacker the ability to hide in plain sight. It is unlikely that these hosted Google services are blocked by default in an organization, so it is more likely that the attacker will establish a C&C channel successfully.” states the report.

The following diagram describes the way the Carbanak cybercrime gang exploited the Google Services as C&C.

 

Once infected the victim’s machine, the malware first attempt to contact the hard-coded Google Apps Script URL with the user’s unique infection ID. Because no spreadsheet currently exists for the specific victim, the malware will then send two requests to another hard-coded Google Forms URL which will result in the creation of unique Google Sheets spreadsheet and Google Form IDs for the victim.

The second time the Google Apps Script is requested by the malicious code, the C&C will return the unique Google Sheet and Google Form ID values.

“The “entry” value is also a unique ID which is sent with each subsequent Google Forms C&C request.” 

Let me suggest to read the report that also includes the IoCs for this specific threat.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs –  bank hacking, Carbanak cybergang)

The post The Carbanak gang is with a new modus operandi, Google services as C&C appeared first on Security Affairs.

Source: securityaffairs

Due to Google’s public release of information about an actively exploited Windows zero-day, Microsoft was forced to offer its own view of things and more information about the attack. The vulnerability is just one part of the attack chain leveraged by the Strontium (aka Fancy Bear, aka APT28) hacker group, which is widely believed to be behind the DNC and John Podesta email hacks, and backed by the Russian government. “This attack campaign, originally identified … More
Source: helpnetsecurity

Microsoft said Russian APT group Sofacy, which has ties to the country’s military intelligence operations, has been using Windows kernel and Adobe Flash zero day vulnerabilities in targeted attacks.
Source: Threatpost

A cyber espionage group that has been targeting organizations in Southeast Asia for years is misusing a legitimate conference invite as a phishing lure to trigger the download of backdoor malware. The APT in question is Lotus Blossom, and the security conference is Palo Alto Networks’ CyberSecurity Summit that is scheduled to take place in Jakarta, Indonesia, on November 3. About Lotus Blossom Lotus Blossom is a group that has been operating at least since … More
Source: helpnetsecurity

Kaspersky Lab researchers have uncovered the StrongPity APT, a group that uses watering hole attacks to infect machines of users seeking encryption technologies such as WinRAR and TrueCrypt.
Source: Threatpost