Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
High
Microsoft and the Ukraine Computer Emergency Response Team (CERT-UA) have issued a critical warning about the activities of the Turla hacking group, believed to be state-sponsored by Russia’s Federal Security Service (FSB). The group, which goes by aliases such as Secret Blizzard, KRYPTON, and UAC-0003, has long been associated with advanced persistent threats (APTs) against Western interests. The latest attacks specifically target the defense industry and Microsoft Exchange servers in Ukraine and Eastern Europe, raising concerns about cybersecurity and espionage in the region.
The modus operandi of these new attacks involves the use of phishing emails carrying Excel XLSM attachments containing malicious macros. When activated, these macros execute a PowerShell command, which creates a scheduled task that masquerades as a Firefox browser updater. However, instead of updating the browser, this task downloads and launches the DeliveryCheck backdoor, also known as CapiBar and GAMEDAY. The DeliveryCheck backdoor connects to the threat actor’s command and control server, enabling them to issue further commands and deploy additional malware payloads.
Notably, what sets DeliveryCheck apart from typical malware is its server-side component that turns a compromised Microsoft Exchange server into a command and control server for the attackers. To achieve this, the threat actors exploit the Desired State Configuration (DSC), a powerful PowerShell module utilized by administrators to create standardized server configurations and apply them automatically to multiple devices. In this attack, the DSC is abused to load a base64-encoded Windows executable, effectively transforming the Exchange server into a hub for distributing malware across the targeted network.
Once the devices are infected, the Turla group employs the DeliveryCheck backdoor to exfiltrate data using the Rclone tool. Moreover, during the attack, the hackers deploy the KAZUAR information-stealing backdoor, which is a highly sophisticated tool designed for cyber espionage. KAZUAR allows the attackers to execute JavaScript on the compromised devices, collect data from event logs and system files, and harvest authentication tokens, cookies, and credentials from a wide array of programs, including browsers, FTP clients, VPN software, KeePass, Azure, AWS, and Outlook. Of particular concern is the attackers’ focus on exfiltrating files containing messages from the popular Signal Desktop messaging application, potentially granting them access to private Signal conversations, sensitive documents, images, and archive files.
In response to the threat, Microsoft and CERT-UA have taken action, sharing malware samples with various cybersecurity companies to aid in detection. However, the initial report reveals a concerning statistic – only 14 out of 70 vendors on VirusTotal currently detect the submitted DeliveryCheck sample as malware. This low detection rate underscores the importance of timely updates to security software and the need for ongoing collaboration between cybersecurity experts and organizations.
These recent findings emphasize the persistent and advanced nature of the Turla hacking group’s activities, posing significant challenges for cybersecurity professionals and national security agencies. Organizations operating in the defense sector and utilizing Microsoft Exchange servers must remain vigilant and proactive in implementing robust security measures to safeguard their networks from potential threats. As cyber threats continue to evolve, international cooperation and information sharing among CERTs, security vendors, and law enforcement agencies are vital to effectively combat state-sponsored cyber-espionage and protect critical infrastructure.