The most important security news of the last days:

May 2, 2022, by Horst Buchwald

Berlin, 5/2/2022

A joint cybersecurity advisory from CISA, NSA, FBI and the Department of Energy warns that state-sponsored hacker groups have built custom tools capable of remotely controlling industrial equipment. The attacks use a new malware toolkit targeted at industrial control systems (ICS).

With this purpose-built malware the attackers can scan for, compromise and take control of ICS and supervisory control and data acquisition (SCADA) devices. The ICS/SCADA devices at risk of being compromised and hijacked include:

► Schneider Electric’s MODICON and MODICON Nano programmable logic controllers,

► Omron Sysmac NJ and NX PLCs, and

► Open Platform Communications Unified Architecture (OPC UA) servers.

DOE, CISA, NSA and the FBI also found that the same state-sponsored actors have a tool that exploits CVE-2020-15368, a vulnerability in the ASRock motherboard driver AsrDrv103.sys, to compromise Windows-based engineering workstations with ASRock hardware.

The toolkit has been compared in capability to Industroyer, the malware that caused power outages in Ukraine, and to Stuxnet, which sabotaged Iran’s nuclear program.

A fast-growing DDoS botnet called Fodcha is infecting routers, DVRs and servers around the world and uses them to attack more than 100 victims per day.

The malware spread to more than 62,000 devices between March 29 and April 10.

In China alone, more than 10,000 bots belonging to this botnet are active every day.

Fodcha infects new devices by exploiting n-day vulnerabilities in several device models and by brute-forcing weak credentials with a cracking tool called Crazyfia.

Wind turbine manufacturer Nordex is still recovering from a cyberattack it suffered on March 31. In early April, Nordex announced that it had shut down its IT systems at several sites and business units because of the attack. Fortunately, the attack was detected at an early stage, a Nordex spokesperson said. The turbines continued to operate as before, but the internal software was severely affected, he said.

Investigators found evidence that attackers who eventually deployed LockBit ransomware had been inside the network of a regional U.S. government agency for at least five months.

Logs recovered from the compromised devices show that two threat groups were involved in espionage and remote-access operations. The attackers tried to cover their tracks by deleting event logs.

The actors first gained access to the network through remote desktop (RDP) ports left open on a misconfigured firewall. They then used Chrome on the compromised machine to download the tools needed for the attack. In the second phase of the intrusion, they installed data-collection tools and began stealing sensitive information.

After the U.S. Justice Department seized the Tor servers of the REvil ransomware gang last October, the gang went quiet. They reappeared after Russia invaded Ukraine and the negotiations between Russia and the U.S. over the REvil gang were broken off. The old server is online again, but visitors are redirected to a new one; its configuration contains a field "accs" holding the credentials of the victims targeted by the current attack.

A few years ago, the U.S. Department of Defense was tricked into paying $23.5 million to a phishing actor. Now the U.S. Department of Justice has announced that Sercan Oyuntur, a 40-year-old California resident, has been convicted on multiple counts in connection with the phishing operation that cost the Pentagon $23.5 million.

In October 2018, Oyuntur and his accomplices registered the domain dia-mil.com, which closely resembles the legitimate dla.mil (Defense Logistics Agency), and used it to send phishing emails. Funds intended for the purchase of jet fuel were redirected into his bank account instead.
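The dia-mil.com trick works because "l" and "i" are hard to tell apart and a hyphen stands in for the dot. The following check for inbound sender domains is an added example written for this page, not code from the article or from any DoD/DLA system; the protected-domain list, the confusable-character table and the 0.85 threshold are assumptions.

```python
"""Lookalike-domain check for inbound mail (illustration, not the original
article's or any agency's code). Protected domains, confusable table and
threshold are assumed values for this example."""
from __future__ import annotations

from difflib import SequenceMatcher

# Character swaps that look alike in many fonts (assumed table; applied in
# order, so "1" -> "l" -> "i" and "rn" -> "m").
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("l", "i")]

# Assumed list of domains to protect against impersonation.
PROTECTED_DOMAINS = ("dla.mil",)

# Similarity at or above this value counts as a lookalike (assumed threshold).
THRESHOLD = 0.85


def fold(text: str) -> str:
    """Lower-case, drop dots and hyphens, and collapse confusable characters."""
    text = text.lower().replace(".", "").replace("-", "")
    for src, dst in CONFUSABLES:
        text = text.replace(src, dst)
    return text


def forms(domain: str) -> list[str]:
    """Folded full domain plus the folded name without its TLD.

    dla.mil     -> ["diamii", "dia"]
    dia-mil.com -> ["diamiicom", "diamii"]
    The second form is what lets "dia-mil" line up with all of "dla.mil".
    """
    name, _, _tld = domain.lower().rpartition(".")
    return [fold(domain), fold(name)] if name else [fold(domain)]


def lookalike_score(candidate: str, protected: str) -> float:
    """Best similarity between any form of the candidate and of the protected domain."""
    return max(
        SequenceMatcher(None, a, b).ratio()
        for a in forms(candidate)
        for b in forms(protected)
    )


def classify_sender(address: str) -> tuple[str, str, float]:
    """Return (verdict, closest protected domain, score); verdict is
    'legitimate' (exact protected domain), 'lookalike' or 'ok'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in PROTECTED_DOMAINS:
        return ("legitimate", domain, 1.0)
    best_domain, best_score = "", 0.0
    for protected in PROTECTED_DOMAINS:
        score = lookalike_score(domain, protected)
        if score > best_score:
            best_domain, best_score = protected, score
    verdict = "lookalike" if best_score >= THRESHOLD else "ok"
    return (verdict, best_domain, round(best_score, 3))


if __name__ == "__main__":
    # Constructed sample addresses; the first mirrors the domain from the fraud case.
    for addr in ("contracts@dia-mil.com", "buyer@dla.mil", "vendor@example.com"):
        print(addr, classify_sender(addr))
```

Folding both sides before comparing is what matters: the raw strings "dla.mil" and "dia-mil.com" share only a few characters, but after the fold they are identical, so the check fires at full score instead of hovering near a threshold.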

Russian hackers have compromised embassy email accounts and are using them to target governments. Researchers attribute the campaign to the APT29 hacking group.

APT29 is a Russian state-backed hacking group that focuses on cyber espionage and has been active since at least 2014. The phishing emails were sent from a legitimate, compromised email address belonging to a diplomat.

The emails used HTML smuggling to deliver an IMG or ISO file to the recipient; the image contains the malicious file, and once the recipient opens the image and clicks that file, the malware executes on the machine.
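HTML smuggling means the attachment never travels as a file: the HTML page carries the payload as a base64 string and JavaScript in the browser decodes it and triggers a "download". The triage routine below is an added example written for this page, not code from Mandiant or from the article; the indicator list, the 200-character base64 cutoff and the "three APIs plus an embedded payload" rule are assumptions, and the sample page and its fake ISO are constructed.

```python
"""Triage an HTML attachment for HTML-smuggling indicators (illustration code
for this page, not from any vendor; indicator list and thresholds assumed)."""
import base64
import re

# JavaScript idioms typical of HTML smuggling: the file is rebuilt inside the
# browser and handed to the user as a download, so nothing is fetched on the wire.
SMUGGLING_API_PATTERNS = [
    r"\batob\s*\(",
    r"\bUint8Array\b",
    r"\bnew\s+Blob\s*\(",
    r"URL\.createObjectURL\s*\(",
    r"msSaveOrOpenBlob",
    r"\.download\s*=",
    r"\.click\s*\(\s*\)",
]

# A long quoted base64 literal is the smuggled payload itself (assumed cutoff: 200 chars).
BASE64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{200,}={0,2})['"]""")


def identify_payload(blob: bytes) -> str:
    """Name the decoded payload from its magic bytes. ISO 9660 images carry
    "CD001" at offset 0x8001, the format used in the campaign above."""
    if blob[:2] == b"MZ":
        return "PE executable"
    if blob[:4] == b"PK\x03\x04":
        return "ZIP archive"
    if len(blob) > 0x8006 and blob[0x8001:0x8006] == b"CD001":
        return "ISO 9660 image"
    return "unknown"


def analyze_html(html: str) -> dict:
    """Return matched smuggling APIs, decoded payloads and an overall verdict."""
    apis = [p for p in SMUGGLING_API_PATTERNS if re.search(p, html)]
    payloads = []
    for match in BASE64_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        payloads.append({"size": len(raw), "type": identify_payload(raw)})
    # Assumed rule: several decode-and-download APIs plus an embedded payload.
    suspicious = len(apis) >= 3 and bool(payloads)
    return {"apis": apis, "payloads": payloads, "suspicious": suspicious}


def build_smuggling_sample() -> str:
    """Constructed sample: a page that rebuilds a (fake, empty) ISO in the
    browser and triggers its download, the way the phishing emails above do."""
    fake_iso = b"\x00" * 0x8001 + b"CD001" + b"\x01\x00\x00\x00"  # 32778 bytes
    payload = base64.b64encode(fake_iso).decode()
    return f"""<html><body><script>
var b64 = "{payload}";
var bin = atob(b64);
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.iso";
a.click();
</script></body></html>"""


# Constructed benign page for comparison: one script, no payload.
BENIGN_HTML = (
    '<html><body><p>Quarterly report</p>'
    '<script>document.title = "Report";</script></body></html>'
)


if __name__ == "__main__":
    print(analyze_html(build_smuggling_sample()))
    print(analyze_html(BENIGN_HTML))
```

Decoding the literal and checking magic bytes is the step that turns a noisy heuristic into something actionable: a mail gateway that only looks for `atob(` will flag plenty of legitimate pages, whereas a 32 KB blob that decodes to an ISO 9660 image inside an email attachment has very few innocent explanations.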