The Ukrainian Computer Emergency Response Team (CERT-UA) has issued a statement on a new attack campaign by suspected Russian threat actors who compromise victims’ VPN accounts to access and encrypt networked resources. More details are available here:
Initial compromise is achieved by tricking victims into downloading “Advanced IP Scanner” software which actually contains Vidar malware. CERT-UA believes this was achieved by initial access brokers (IABs) working for the Russians.
“It should be noted that the Vidar stealer, among other things, steals Telegram session data, which, in the absence of configured two-factor authentication and a passcode, allows unauthorized access to the victim’s account,” the statement continued.
“As it turned out, the victim’s Telegram was used to transfer VPN connection configuration files (including certificates and authentication data) to users. Given the lack of two-factor authentication when establishing a VPN connection, attackers were able to gain an unauthorized connection to the corporate network.”
Once inside, attackers conducted reconnaissance work using the Netscan tool and then launched Cobalt Strike Beacon, exfiltrating data using the Rclone program. There are also signs of the threat actors using Anydesk and Ngrok at this stage.
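As an added defensive illustration (not part of the CERT-UA statement or this post), the chain described above can be correlated per host from endpoint telemetry: a VPN logon without MFA, followed by the Netscan recon tool, followed by Rclone, AnyDesk or Ngrok. The log format, the process image names and the sample events are all assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): a timestamp followed by
# key=value pairs for VPN logons and process-creation events.
SAMPLE_LOG = """\
2022-11-20T08:01:10 host=WS-17 user=oleh type=vpn_logon mfa=false
2022-11-20T08:40:02 host=WS-17 user=oleh type=process image=netscan.exe
2022-11-20T09:15:44 host=WS-17 user=oleh type=process image=rclone.exe
2022-11-20T10:02:00 host=WS-22 user=iryna type=vpn_logon mfa=true
2022-11-20T10:30:11 host=WS-22 user=iryna type=process image=netscan.exe
2022-11-21T07:55:00 host=WS-31 user=petro type=vpn_logon mfa=false
2022-11-21T08:10:00 host=WS-31 user=petro type=process image=excel.exe
"""

# Tool families from the CERT-UA chain; the executable names are assumed.
RECON_TOOLS = {"netscan.exe"}
EXFIL_OR_TUNNEL_TOOLS = {"rclone.exe", "anydesk.exe", "ngrok.exe"}


def parse_line(line):
    """Turn one log line into a dict with a parsed 'ts' datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def find_chains(log_text, window=timedelta(hours=24)):
    """Return {host: [stage, ...]} for hosts where a VPN logon without MFA is
    followed, within `window`, first by a recon tool and then by an
    exfiltration or tunnelling tool (the order the post describes)."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_host[ev["host"]].append(ev)
    findings = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        start, stages = None, []
        for ev in events:
            if ev["type"] == "vpn_logon" and ev.get("mfa") == "false" and start is None:
                start, stages = ev["ts"], ["vpn_logon_no_mfa"]
            elif start is not None and ev["ts"] - start <= window and ev["type"] == "process":
                img = ev["image"].lower()
                if img in RECON_TOOLS and stages[-1] == "vpn_logon_no_mfa":
                    stages.append("recon:" + img)
                elif img in EXFIL_OR_TUNNEL_TOOLS and stages[-1].startswith("recon:"):
                    stages.append("exfil_or_tunnel:" + img)
        if len(stages) == 3:  # all three stages seen in order
            findings[host] = stages
    return findings
```

Only WS-17 completes the full sequence; WS-22 used MFA and WS-31 never ran the tooling, so neither is reported.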
It’s unclear how widespread the campaign was, although “several” Ukrainian organizations are thought to have been impacted since spring 2022.
Most pointedly, CERT-UA confirmed that the end goal is not to generate profits from a ransom but to destroy victim environments.
Dr. Darren Williams, CEO and Founder of BlackFog, had this comment:
“This is another great example of a clever phishing technique to disguise the attack vector inside another application. These are very difficult to detect with existing solutions because of the mechanism of action that steals VPN session information to ultimately exfiltrate data from the device. VPNs have been routinely targeted in the past because they contain a treasure trove of valuable data for extortion and a centralized repository of data from the victim and the organization. Once the attacker has gained access, it is very easy to spread laterally within the organization. This emphasizes why companies need to not only provide defense strategies but also proactive ones that protect an organization and its devices from unauthorized data exfiltration.”
This is clearly an attack meant to hurt Ukraine. Hopefully they are doing their best to make sure that attacks like this are not successful going forward. I say that because while they are winning on the battlefield, the battlefield has changed to being cyberspace. And for the rest of us, I would say that 2FA for your VPN connections is a must to stop this sort of thing from happening to you.