Ukrainian Website Threat Landscape Throughout 2022

The Russian invasion of Ukraine began on February 20, 2022. By mid-March it was clear the cyber-war had begun, and the attacks have been consistent ever since. Prior to this, on March 1, 2022, Wordfence reported on an attack campaign on Ukrainian university websites. In response, we deployed our real-time threat intelligence to all sites running Wordfence with a .ua top-level domain (TLD). In the following months, we have continued to monitor the situation, and to block attack attempts aimed at Ukrainian websites.

Based on the data we have tracked, it has become clear that most of the attacks being levied against Ukrainian entities since the initial campaign are fairly routine, though regularly increasing in quantity. While there are some more sophisticated attacks, the vast majority of what we are seeing is routine spam content and defacements. These types of attacks are often perpetrated by lesser-skilled actors probing for easily exploitable random web targets with simple scripts. What we are seeing does not indicate the highly skilled and coordinated attacks that would be seen from larger criminal organizations or nation-state attackers.

Today’s post will focus on the quantitative threat landscape targeting Ukrainian websites that we’ve monitored in 2022, while next week we will follow-up with an article diving deeper into the attack data and exploits we are seeing targeting Ukrainian domains.

Broader Attacks Increasing in Volume

As we approach the six-month mark since the initial invasion, the cyber-front remains a volatile but constant battleground. Just after the invasion officially began, there was a spike in attacks against Ukrainian websites, then things were quiet for almost a week. At that point, on March 3, 2022, a barrage of attack attempts were brought against Ukrainian websites, with these attacks not only continuing, but generally increasing as the war continued. At first, the attack attempts were close to normal levels, but quickly increased to more than 50,000 attempts per day.

In the six months leading up to February 20, 2022 there were an average of just over 52,480 attack attempts against .ua websites blocked by the Wordfence firewall per day. The average during the conflict has increased almost 50% to nearly 75,000 attack attempts blocked per day, excluding any exploits coming from blocklisted IP Addresses.

blocked attacks by date

The largest spike we have seen at this point began on June 24th, and subsided on the 28th. During this spike, we blocked 1,875,045 total attack attempts. In this time, most of the attack attempts were coming from known malicious IP addresses, with a substantial number of the attempts being brute force attacks. Directory traversal, file uploads, and information disclosure rounded out the most common attack types. There are no indicators in our data that these attacks were connected, meaning it is likely that this was not a large attacking organization, but rather a concerted effort from many smaller groups and individuals.

Wordfence deployed its real-time threat intelligence, which includes an IP Blocklist, to all .ua domains on March 1, 2022. The IP blocklist is updated in real-time to block the latest active known threats and is very effective at doing so. It provides a drastic increase in protection on any sites running the Wordfence firewall due to the simple fact that an IP that targets several sites will end up on the blocklist before they can target many more. As such, we excluded this data from our attack data trends to demonstrate the general threat landscape, without the added benefit of Wordfence real-time Threat Intelligence, a feature of Wordfence PremiumWordfence Care, and Wordfence Response, to be comparative with the attack data we saw before we made that deployment. Astonishingly, once we added the real-time IP blocklist attack data to our analysis, the percentage of attacks the Wordfence firewall blocked on all .ua domains jumped nearly 450% demonstrating the effectiveness of deploying our real-time Threat Intelligence to those domains.

Attack types in June spike

The spike at the beginning of the invasion largely consisted of attacks against Ukrainian educational institutions as part of a defacement campaign. While these institutions have continued to experience attack attempts, they have not been as directly targeted since the initial attack on Universities in February. At the same time, the rate of attacks brought against educational institutions has remained higher than pre-invasion levels, with (comparatively small) spikes primarily in March, April, and July. The trend continues upward, with the average number of daily attack attempts per day nearing the 100,000 mark. Since the invasion began, we have logged 46,698,709 attack attempts against .ua domains. Of those attempts, 2,903,923 were against .edu.ua domains, and 1,903,806 were against .gov.ua domains.

Ukrainian universities attack rates

A Shift In The Threat Landscape

When we first wrote about the attack on Ukrainian universities, there was one IP address, 185.193.127.179, that stood out as the primary attacking IP. The IP address was registered through Njalla, a hosting company that is run by the co-founder of Pirate Bay. After the initial attack against the universities subsided, there is no indication that this IP address has been reused in further attacks against Ukraine.

The top attacking IP currently is 62.233.50.223, which is assigned to Chang Way Technologies. The company is based in Hong Kong, but the IP address is assigned to a server located in Russia and registered to the Russian organization Sierra LLC. The IP block this address is a part of was registered to Sierra LLC on October 13, 2021. In contrast to the 104,098 attack attempts in a single day by the Njalla IP address that attacked universities in February, the Sierra LLC. IP address is only responsible for 205,223 attack attempts in 30 days, and those attempts were not targeted against a specific type of potential victim.

Despite the fact that this IP address does not appear to be targeting victims in any particular industry, the attacks coming from this address are relatively consistent. The majority of what we are seeing from this IP address is SQL injection attacks, sending a GET request to the site with the payload in a URL encoded string, as seen here.

SQL injection payload

With this string decoded, it begins to look more like a normal SQL query, though portions are using character encoding which we see here as CHR encoded strings.

character encoding

When we convert this and combine the string as is the purpose of the || operator, we end with this final payload string.

SQL injection decoded

This is essentially using the SQL CASE statement to iterate through options to determine if specific content exists within the database, and uses the CAST statement to convert content to a specific data type. As with many attacks, this does not mean that a SQL injection vulnerability is present, or that the desired content is in the database. This is the malicious actor fishing for information, and hoping they get something in return.

Similar to the lack of focus we are seeing with the types of attacks, there does not appear to be any primary attacker in recent attempts. While the top nine attacking IP addresses are responsible for more than 50,000 attack attempts each, there is a long tail of IP addresses responsible for just under 50,000 attacks each and slowly working down to sub-100 volumes. This is a fairly typical pattern in attack data, rather than having one attacking organization stand out above the others.

Top attacking IPs

Conclusion

In this post, we reviewed the data collected from attack attempts against Ukrainian domains with a .ua TLD since the beginning of the Russian invasion of Ukraine on February 20, 2022. The initial attacks we saw were very targeted around educational institutions, however the attacks we have been blocking since the initial campaign have been much more varied. Attack attempts are coming from a variety of malicious actors, in varying locations. The volume of attack attempts has remained high compared to pre-invasion levels, but with our continued protection these attempts are blocked, preventing damage to Ukrainian websites.

If you want to know more about the types of attacks we are blocking on Ukrainian websites, keep an eye on the Wordfence blog. A post next week will discuss these attacks, the vulnerabilities they are attempting to exploit, and how malicious actors can use them to damage an affected website.

Wordfence deployed Real-Time Threat Intelligence, an exclusive feature of Wordfence Premium, Wordfence Care, and Wordfence Response, to all .ua domain names regardless of their product tier. This means that all .ua domains, including those running Wordfence Free, have the latest protection against the newest threats, including vulnerabilities, IP addresses, and malware.

Source: https://www.wordfence.com/blog/2022/08/ukrainian-website-threat-landscape-throughout-2022

Google can now remove search results containing your phone number, address, or email

Helping to prevent doxxing

What just happened? You can find out a lot about a person just by Googling their name, but Google is now letting people remove more of their personal information from these results that could pose a danger, including physical addresses, phone numbers, and passwords.

Google has long allowed people to request certain sensitive, personally identifiable content be removed from its search results, such as confidential government identification, images of handwritten signatures, and bank account/credit card details.

Now, Google has expanded its list to include images of ID docs, confidential login credentials, and personal contact info (physical addresses, phone numbers, and email addresses). Additionally, Google will remove non-consensual explicit or intimate personal images, Deepfakes, images of minors, and doxxing content, which requires explicit or implicit threats or explicit or implicit calls to action for others to harm or harass.

“Research has told us there’s a larger amount of personally identifiable information that users consider as sensitive,” Michelle Chang, global policy lead for Google search, told Reuters. “They are increasingly unwilling to tolerate this content online.”

Asking Google to remove something from its search results involves sending in URLs that include your personal information and search pages that surface the links. The company will then decide if it warrants removal from the search results but warns that it will try to preserve anything newsworthy, professionally relevant, from the government (part of the public record), or is determined to be in the public interest.

Google does remind people that the information is only being removed from its search results, not from the sites hosting it, and can be surfaced through other search engines.

Google approves only about 13% of the tens of thousands of removal requests it receives each year, though it expects the removal rate to increase in light of the expanded options.

Source: https://www.techspot.com/news/94388-google-can-now-remove-search-results-containing-phone.html

Google Crushes YouTube Cookie-Stealing Channel Hijackers

Google has caught and brushed off a bunch of cookie-stealing YouTube channel hijackers who were running cryptocurrency scams on the ripped-off channels.

In a Wednesday post, Ashley Shen, with Google’s Threat Analysis Group (TAG), said that TAG attributes the assaults to a group of attackers recruited from a Russian-speaking forum. Since late 2019, they’ve been luring targets with fake collaboration come-ons, including requests to purchase ads on their targets’ channels.

(The collaboration pitch is similar to how [now-shuttered] Twitter accounts have been used to catfish security researchers by setting their traps with zero days and collaboration invitations.)

The YouTube channel hijackers are financially motivated, Shen said, looking to either auction off the stolen channels or use them to broadcast cryptocurrency scams.

Cookie Monsters

In order to elbow rightful channel owners out of the way, the attackers have been targeting YouTubers with cookie theft malware.

Cookie theft, which is also called session hijacking or pass-the-cookie attack, involves a crook inserting themself between a computer and a server in order to steal what’s known as a magic cookie: a session that authenticates a user to a remote server. After stealing the cookie, an intruder can monitor and potentially capture everything from the account and can take full control of the connection.

Cookie thieves can, for example, change existing codes, modify server settings or install new programs in order to steal data, set up a back-door entry for attackers, and lock legitimate users out of their own accounts.

More at: https://threatpost.com/google-youtube-channel-hijackers-cryptocurrency-scams/175617/

Phishing attacks: Police make 106 arrests as they break up online fraud group

Organised crime operation used phishing and business email compromise attacks.

Police have dismantled an organised crime group linked to the Italian mafia that defrauded hundreds of victims through phishing attacks and other types of online fraud.

The joint operation was led by the Spanish National Police (Policía Nacional), with support from the Italian National Police (Polizia di Stato), Europol and Eurojust and has resulted in 106 arrests across Spain and Italy. 

According to Europol, the crime operation used phishingSIM swapping and business email compromise (BEC) attacks and it’s estimated that this led to profits of around €10 million ($11.7 million) during last year alone. 

Described as “very well organised”, the group included a number of experts in computer crime tasked with creating phishing domains and carrying out cyber fraud. Other individuals involved in the criminal network included money mules and money-laundering experts, including experts in cryptocurrency. 

Working out of the Canary Islands, Spain, the criminals tricked victims – mostly from Italy – into sending large sums of money to bank accounts they controlled, before laundering the proceeds through money mules and shell companies. 

More at: https://www.zdnet.com/article/phishing-attacks-police-make-106-arrests-as-they-break-up-online-fraud-group/

Apple Delays Plans to Scan Devices for Child Abuse Images After Privacy Backlash

Apple is temporarily hitting the pause button on its controversial plans to screen users’ devices for child sexual abuse material (CSAM) after receiving sustained blowback over worries that the tool could be weaponized for mass surveillance and erode the privacy of users.

“Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features,” the iPhone maker said in a statement on its website.

The announcement, however, doesn’t make it clear as to the kind of inputs it would be gathering, the nature of changes it aims to devise, or how it intends to implement the system in a way that mitigates the privacy and security concerns that could arise once it’s deployed.

The changes were originally slated to go live with iOS 15 and macOS Monterey later this year, starting with the U.S.

Full article: https://thehackernews.com/2021/09/apple-delays-plans-to-scan-devices-for.html

Hacker returns $600M to Poly Network, is offered position as Chief Security Advisor

Last week, a hacker who stole more than $600 million in various cryptocurrencies began returning the ill-gotten gains. The hacker had exploited a weakness in the Poly Network platform of multiple blockchains to pull off the heist. At the time, he had returned almost half of the funds stolen.

This week nearly all of the crypto stolen from Poly Network has been returned, but then something bizarre happened. Instead of turning the thief, who Poly Network refers to as Mr. White Hat, over to authorities, the company hired him to be its Chief Security Advisor and gave him a $500,000 bug bounty for finding the exploit.

Poly Network said that it maintained constant communication with Mr. White Hat as he returned the crypto. He expressed concerns with the platform’s “security and overall development strategy.” The company was impressed enough with his abilities that it offered him a senior-level position at Poly Network. “We are also counting on more experts like Mr. White Hat to be involved in the future development of Poly Network since we believe that we share the vision to build a secure and robust distributed system,” Poly Network wrote in a blog post. “Also, to extend our thanks and encourage Mr. White Hat to continue contributing to security advancement in the blockchain world together with Poly Network, we cordially invite Mr. White Hat to be the Chief Security Advisor of Poly Network.”

Estonian Citizen Pleads Guilty to Computer Fraud and Abuse

At least 60 devices and internet routers were compromised in Alaska

ANCHORAGE – An Estonian national pleaded guilty today in the District of Alaska to two counts of computer fraud and abuse.   

According to court documents, Pavel Tsurkan, 33, operated a criminal proxy botnet by remotely accessing and compromising more than 1,000 computer devices and internet routers worldwide, including at least 60 victims in Alaska. He used the victims’ devices to build and operate an Internet of Things (IoT)-based botnet dubbed the “Russian2015” using the domain Russian2015.ru. He modified the operation of each compromised internet router so it could be used as a proxy to transmit third-party internet traffic without the owners’ knowledge or consent. He then sold access to global cybercriminals who channeled their traffic through the victims’ home routers, using the victims’ devices to engage in spam campaigns and other criminal activity. The Alaska victims experienced significant data overages even when there were no home computers connected to the victims’ home networks. The data overages resulted in hundreds to thousands of dollars per victim.   

“Today’s cybercriminals rely on increasingly sophisticated techniques to hijack computers and personal electronic devices for their criminal activities. Botnets like the ‘Russian2015’ are a dangerous threat to all Americans and today’s guilty plea demonstrates we can and will hold accountable foreign cybercriminals and their enablers,” said Acting U.S. Attorney Bryan Wilson, District of Alaska. “Our success in disrupting this botnet was the result of a strong partnership between private industry experts and law enforcement.”

Tsurkan is scheduled to be sentenced on November 10, 2021 and faces a maximum penalty of 10 years in prison. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

The FBI’s Anchorage Field Office is investigating the case with support from GCI and Palo Alto Networks Unit 42. The FBI’s New Haven, Connecticut, Field Office provided assistance during the investigation.

Assistant U.S. Attorney Adam Alexander and Trial Attorney Alden Pelker of the Criminal Division’s Computer Crime and Intellectual Property Section are prosecuting the case.

Press release from: https://www.justice.gov/usao-ak/pr/estonian-citizen-pleads-guilty-computer-fraud-and-abuse

‘Have I Been Pwned’ Code Base Now Open Source

Founder Troy Hunt also announces the platform will receive compromised passwords the FBI finds in its investigations.

Have I Been Pwned (HIBP), the free website used by millions to check whether their credentials have been compromised, has open sourced its code base, founder Troy Hunt announced today.

Hunt first mentioned plans to open source the HIBP code base last summer. Now, as requests for the website’s Pwned Passwords approach 1 billion per month, he has confirmed it is officially open source via the .NET Foundation, an independent 501(c) nonprofit organization.

Hunt also announced today that HIBP will receive compromised passwords discovered as part of FBI investigations. The website will provide officials with a way to feed the passwords into HIBP and surface them via the Pwned Passwords tool, he explained.

Source: https://beta.darkreading.com/threat-intelligence/-have-i-been-pwned-code-base-now-open-source

False Positive Vulnerability Report on Events Manager

The popular calendar plugin Events Manager was reported as containing a Cross-Site Scripting vulnerability, which turned out to be a false positive (no such vulnerability). Several vulnerability reporting sites are still listing it as vulnerable, and if you have it installed you may have been notified.

However, it is not an actual problem and you can safely continue using version 5.9.8.1 or later.