This week, we saw a rise in cyber attacks by warring nation-states as well as a new threat vector that makes phishing detection by traditional anti-phishing tools difficult. We go into detail regarding how the Kyivstar, Russian Tax Agency, and BazarCall Attacks unfolded.
These cybersecurity developments affected the lives of millions of people this week:
Kyivstar, the largest telecommunications service provider in Ukraine with more than 25 million mobile and home internet subscribers, has experienced a cyberattack affecting mobile and data services.
Their official website remains inaccessible. The company has notified its subscribers through its social media channels that it fell victim to a cyberattack earlier today. This incident has resulted in a technical malfunction affecting mobile communication and internet access.
Kyivstar has reported the incident to law enforcement agencies and various state services. The Security Service of Ukraine (SSU) has initiated criminal proceedings under 8 articles of the Ukrainian criminal code and has announced the involvement of its special agents in the ongoing investigations.
Independent internet observatory NetBlocks has verified that Kyivstar's internet services are presently inaccessible.
Given the ongoing conflict between Ukraine and Russia, there is a possibility that Russian hackers may have orchestrated the attack, as indicated by statements from the SSU and Kyivstar's CEO. However, it's important to note that the precise origin of the attack has not been officially confirmed at this time.
The Ukrainian government's military intelligence service has claimed responsibility for a cyber intrusion into the Russian Federal Taxation Service (FNS). According to reports, the hack resulted in the complete removal of the agency's database and its backup copies.
In this operation, executed by cyber units affiliated with Ukraine's Defence Intelligence, military intelligence personnel infiltrated the central servers of Russia's federal taxation service, as well as 2,300 regional servers situated both in Russia and in territories currently under Ukrainian control.
As a consequence of the breach, malware was deployed on all affected FNS servers, and an associated attack targeted a Russian IT company responsible for providing data center services to the FNS. The incident reportedly also wiped the configuration files essential to the operation of Russia's expansive taxation system, erasing both the primary database and its backup copies.
According to Ukraine's Main Directorate of Intelligence (GUR), the aftermath of the cyberattack has resulted in severe consequences, leading to a breakdown in communication between Moscow's central office and the 2,300 territorial departments that were also compromised in the attack.
GUR asserts that this has resulted in a virtual collapse of one of Russia's crucial governmental agencies, causing a substantial loss of tax-related data. Internet traffic related to tax data across Russia has reportedly fallen under the control of Ukraine's military hackers.
In the latest wave of BazarCall attacks, a novel technique involves the utilization of Google Forms to craft and dispatch payment receipts to victims. This method is employed in an effort to enhance the credibility of the phishing attempt by making it appear more legitimate.
BazarCall, initially identified in 2021, is a phishing attack strategy that involves sending deceptive emails designed to mimic payment notifications or subscription confirmations from reputable entities such as security software providers, computer support services, streaming platforms, and other widely recognized brands.
Within these emails, recipients are informed that they are being automatically enrolled in an exceedingly expensive subscription and are advised to cancel it promptly if they wish to avoid charges.
Rather than providing a hyperlink to a website, the email has historically featured a phone number that purportedly connects to a customer service representative for the mentioned brand. Recipients are encouraged to call this agent to dispute the charges or cancel the subscription.
Upon calling the provided number, unsuspecting victims are met with a cybercriminal posing as a customer support representative. This deceptive interaction is designed to mislead victims into unwittingly installing malware on their computers through a carefully guided process.
The specific malware involved in this scheme is known as BazarLoader. As implied by its name, BazarLoader functions as a tool for installing additional payloads onto the victim's system, thereby compromising the security and integrity of their computer.
According to reports from email security firm Abnormal, a new variant of the BazarCall attack has surfaced, now leveraging Google Forms in its deceptive tactics.
Google Forms is a freely available online tool that enables users to create customized forms and quizzes, integrate them on websites, and share them with others.
In this updated attack method, the assailant constructs a Google Form containing fabricated details of a non-existent transaction, including the invoice number, date, payment method, and miscellaneous information related to the purported product or service used as bait.
Subsequently, the attacker enables the "response receipt" feature in the form settings, which emails a copy of the completed form to the address entered in it. By submitting the form with the target's email address, the attacker causes a seemingly authentic payment confirmation, resembling a completed form, to be dispatched to the target directly from Google's servers.
Given that Google Forms is a legitimate service, traditional email security tools may not raise flags or block the phishing email, ensuring successful delivery to the intended recipients.
The email's apparent legitimacy is further enhanced by its origin from a Google address ("[email protected]"), adding an additional layer of credibility to the phishing attempt.
The invoice copy attached to the email incorporates a phone number belonging to the threat actor. Recipients are instructed to call this number within 24 hours of receiving the email to address any disputes, introducing a sense of urgency to the scheme.
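Because the receipt really does come from Google's servers, sender reputation alone cannot catch this variant; a defender has to look at the combination of content features the text describes (invoice fields, an amount, a callback phone number, a short deadline). The following is an added example, not code from the page or from Abnormal's report: a small Python heuristic run over two constructed messages, with a placeholder for the Google forms-receipt sender address that the page redacts.

```python
import re
from email import message_from_string

# Constructed sample modelled on the Google Forms BazarCall variant described above;
# the sender is a placeholder for Google's form-receipt address, which the page redacts.
SAMPLE_RECEIPT = """\
From: Google Forms <forms-receipt-placeholder@google.com>
To: victim@example.com
Subject: Your response receipt

Thank you for your payment.
Invoice number: INV-44817
Payment method: Credit Card
Amount: $499.99 for AntiVirus Pro (1 year)
If you did not authorise this charge, call our billing team at
+1 (888) 555-0142 within 24 hours to cancel and dispute the charge.
"""
# Constructed benign receipt from the same legitimate sender: must not be flagged.
BENIGN_RECEIPT = """\
From: Google Forms <forms-receipt-placeholder@google.com>
To: staff@example.com
Subject: Your response receipt

Thank you for completing the office lunch survey. Your choice: Vegetarian
"""

INVOICE_FIELDS = re.compile(r"\b(invoice\s*(number|no\.?|#)|payment method|amount)\b", re.I)
MONEY = re.compile(r"[$€£]\s?\d+(?:[.,]\d{2})?")
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}")
URGENCY = re.compile(r"\b(within\s+\d+\s*hours?|call\s+(us|our)|cancel|dispute)\b", re.I)

def receipt_indicators(raw: str) -> dict:
    """Report which callback-phishing indicators appear in a form-receipt email."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    return {
        # A genuine Google receipt passes SPF/DKIM, so the sender alone proves nothing.
        "google_forms_receipt": "google.com" in msg.get("From", "").lower()
                                and "receipt" in msg.get("Subject", "").lower(),
        "invoice_fields": bool(INVOICE_FIELDS.search(body)),
        "money_amount": bool(MONEY.search(body)),
        "phone_number": bool(PHONE.search(body)),
        "urgency_wording": bool(URGENCY.search(body)),
    }

def is_suspected_callback_phish(raw: str) -> bool:
    """Flag a receipt that combines invoice layout, a callback number and urgency."""
    ind = receipt_indicators(raw)
    return (ind["google_forms_receipt"] and ind["phone_number"] and ind["urgency_wording"]
            and (ind["invoice_fields"] or ind["money_amount"]))
```

A real deployment would feed the flagged messages into a review queue rather than block them outright, since legitimate Google Forms receipts share the same sender and subject line.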
While Abnormal's report doesn't delve into the subsequent stages of the attack, it is worth noting that BazarCall has been historically employed to gain initial access to corporate networks, often serving as a precursor to ransomware attacks.
You can check out our coverage of weekly cyber incidents here:
Capital Health Hospitals, Staples and Dollar Tree cyber attacks
DarkGate, MGM Resorts Shutdown and Microsoft Word Maldoc attacks