How Fancy Bear is Undermining Arms Suppliers to Ukraine with Cyberattacks
Economic Assailants Harassing Ukraine's Arms Manufacturers - Cybercriminals Launch Attacks on Ukrainian Weapons Vendors
Gear up for a sneak peek into the latest tactics used by the notorious Russian hacker group, Fancy Bear. This group, known for causing chaos, has been systematically targeting arms companies that supply weapons to Ukraine. According to a recent study by Slovak security firm Eset, the attacks primarily focused on manufacturers of Soviet-era military equipment in Bulgaria, Romania, and Ukraine, with arms factories in Africa and South America not left untouched.
In the cyber world's newest espionage campaign, nicknamed "Operation RoundPress," the hackers exploited vulnerabilities in popular webmail software such as Roundcube, Zimbra, Horde, and MDaemon. Most of these flaws could have been closed by routine patching, but in one case the attackers used a previously unknown (zero-day) vulnerability in MDaemon, against which the affected companies had no patch to apply.
The usual modus operandi? Manipulated emails posing as legitimate news articles are the stroke of choice for these cyber miscreants. The seemingly genuine sources include the Kyiv Post or the Bulgarian news portal News.bg. Opening or clicking on the malicious content hidden within these emails triggers the malware, and the messages themselves slip past spam filters with startling ease.
A closer look at the malware revealed the presence of "SpyPress.MDAEMON," as identified by Eset researchers. This nifty hacking program doesn't just snoop on login credentials and emails; it can also bypass two-factor authentication (2FA), the secondary check that protects access to sensitive data online. But hold your horses, the Fancy Bear hackers didn't stop there. In several cases they gained persistent access to victims' mailboxes using application passwords, per-application credentials that let a mail client log in without going through the interactive 2FA prompt.
Matthieu Faou, an Eset researcher, shared his concerns about the lack of maintenance among many companies that use outdated webmail servers. "Just opening an email in the browser can be enough for malware to execute itself, without the recipient making any intentional clicks," Faou warns.
Now, let's dig a bit deeper into how Fancy Bear bypasses 2FA. By exploiting XSS vulnerabilities, they inject JavaScript payloads such as SpyPress.MDAEMON into the victim's webmail session. This hacking software can fetch and exfiltrate the 2FA secret, which lets the attackers generate valid 2FA codes themselves. Additionally, they capture usernames and passwords as they're typed, either by embedding malicious websites or by injecting harmful code into legitimate ones.
Armed with this knowledge, here are some preventive measures organizations should consider to stay several steps ahead of these cyber shenanigans:
- Implement robust email security: Strengthen your defense with advanced spam filtering and security software to detect and block malicious emails.
- Patch vulnerabilities: Regularly update your webmail systems so that the known XSS flaws in them are closed before they can be exploited.
- Embrace stronger authentication methods: Opt for more secure authentication methods, like physical tokens or biometric authentication.
- Educate your users: Empower your employees to recognize and avoid suspicious emails, and to use strong, unique passwords for each account.
- In light of the ongoing Operation RoundPress, EC countries whose arms suppliers send weapons to Ukraine should strengthen email security across those suppliers, with advanced spam filtering and security software that detects and blocks malicious emails from groups like Fancy Bear.
- Given how much war-and-conflict activity now depends on technology, countries should prioritize patching, especially of webmail systems, to shut down the XSS attacks that hackers like Fancy Bear rely on.
- Because politics and general news blend into these attacks, as seen in Fancy Bear's manipulated news-article emails, organizations must teach their users to recognize and avoid suspicious emails, to use strong, unique passwords for each account, and to understand why secure authentication methods, like physical tokens or biometric authentication, matter.