Russian state-sponsored hackers have wiped data from devices on Ukrainian state networks, getting in through poorly protected VPNs and then deploying malware that abuses the popular archiving program WinRAR.
The Ukrainian Government Computer Emergency Response Team (CERT-UA) recently reported that a Russian threat actor, believed to be the Sandworm group, compromised Ukrainian state networks by using stolen VPN accounts that did not have multi-factor authentication (MFA) enabled.
After gaining access, the attackers deployed malware dubbed "RoarBat", which essentially wipes the affected drives.
Deleting everything
The malware searches the drive for files with various extensions, including .doc, .txt, .jpg, and .xlsx. It then invokes WinRAR to archive all of these files, passing the "-df" command-line switch, which deletes each file once it has been added to the archive.
Once that is done, the malware deletes the archive itself, effectively wiping all of the data found on the disk in one fell swoop.
The threat actors are also targeting Linux devices, the agency added: on that OS they use a Bash script and the "dd" utility to overwrite target files with zero bytes. "Because of this data replacement, recovery of files 'emptied' using the dd tool is unlikely, if not completely impossible," BleepingComputer states.
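As an added illustration (this is not code from the article, from CERT-UA or from BleepingComputer), the following Python detector scans constructed process-creation log lines for the two wiping patterns described above: an archiver (Rar.exe or WinRAR.exe) run with the add command and the -df switch, and dd zero-filling a regular file. The tab-separated log format, host names, paths and the small allowlist of benign dd targets are assumptions made for the example; in a real deployment they would come from the organisation's own telemetry and baseline.

```python
"""Detector for the two wiper behaviours described in the article, run over
constructed process-creation telemetry (added example, not CERT-UA material)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample telemetry: timestamp, host, user, command line (tab-separated).
SAMPLE_LOG = """\
2023-04-28T10:01:02Z\twks01\tsvc_backup\t"C:\\Program Files\\WinRAR\\Rar.exe" a -r -ep1 D:\\Backup\\nightly.rar D:\\Shares\\*.docx
2023-04-28T10:03:17Z\twks01\tsvc_backup\t"C:\\Program Files\\WinRAR\\Rar.exe" a -r -df -ep1 C:\\Temp\\x.rar C:\\Users\\*.doc C:\\Users\\*.xlsx
2023-04-28T10:04:00Z\tsrv-lin01\troot\tdd if=/dev/zero of=/swapfile bs=1M count=1024
2023-04-28T10:04:09Z\tsrv-lin01\troot\tdd if=/dev/zero of=/var/www/html/index.html bs=4K
2023-04-28T10:05:33Z\twks02\tjdoe\t"C:\\Program Files\\WinRAR\\WinRAR.exe" x C:\\Downloads\\report.rar
"""

# Constructed allowlist: zero-filling block devices or creating a swap file is routine admin work.
BENIGN_DD_TARGET_PREFIXES = ("/dev/", "/swapfile")

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    detail: str


def tokenize(cmdline: str) -> List[str]:
    """Split a command line into tokens, keeping quoted paths (with spaces) intact."""
    return [t.strip('"') for t in _TOKEN_RE.findall(cmdline)]


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_winrar_delete_after_archive(tokens: List[str]) -> Optional[str]:
    """RAR's -df switch deletes each source file after archiving; combined with the
    'a' (add) command and wildcard document patterns this is the RoarBat wipe."""
    if not tokens or _basename(tokens[0]) not in {"rar.exe", "winrar.exe", "rar"}:
        return None
    if len(tokens) < 2 or tokens[1].lower() != "a":
        return None
    switches = {t.lower() for t in tokens[2:] if t.startswith("-")}
    if "-df" not in switches:
        return None
    # Non-switch arguments: first is the archive name, the rest are files to add.
    targets = [t for t in tokens[2:] if not t.startswith("-")][1:]
    return f"archive-then-delete of {', '.join(targets) or '<no explicit targets>'}"


def check_dd_zero_fill(tokens: List[str]) -> Optional[str]:
    """dd if=/dev/zero of=<regular file> overwrites the file's contents in place,
    which is why recovery is unlikely; device and swap targets are allowlisted."""
    if not tokens or _basename(tokens[0]) != "dd":
        return None
    kv = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    if kv.get("if") != "/dev/zero" or "of" not in kv:
        return None
    target = kv["of"]
    if target.startswith(BENIGN_DD_TARGET_PREFIXES):
        return None
    return f"zero-fill of {target}"


def scan(log_text: str) -> List[Finding]:
    """Run both rules over every log line and return the matches in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmdline = line.split("\t", 3)
        tokens = tokenize(cmdline)
        for rule, check in (("winrar_df_wipe", check_winrar_delete_after_archive),
                            ("dd_zero_fill", check_dd_zero_fill)):
            detail = check(tokens)
            if detail:
                findings.append(Finding(ts, host, user, rule, detail))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.user} [{f.rule}] {f.detail}")
```

On the sample, the ordinary backup run (no -df) and the swap-file creation pass, while the archive-then-delete of user documents and the zero-fill of a web root file are flagged. The rules are deliberately narrow heuristics: they key on the exact behaviour the article describes, so tuning the allowlist and the watched archiver names to the environment is expected.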
This is not the first time such an attack has targeted Ukrainian state networks, CERT-UA notes. In January 2023, the country's state news agency, Ukrinform, was also targeted by Sandworm:
"The method of implementation of the malicious plan, the IP addresses of the access subjects, as well as the fact of using a modified version of RoarBat testify to the similarity with the cyberattack on Ukrinform, information about which was published in the Telegram channel "CyberArmyofRussia_Reborn" on January 17, 2023," CERT-UA said.
The best defence against such attacks is to keep hardware and software up to date, to enable MFA wherever possible, and to restrict access to management interfaces as tightly as possible.
Via: BleepingComputer