Russian state-sponsored hackers have wiped information from units belonging to Ukrainian state networks because of poorly protected VPNs, and malware (opens in new tab) that abuses fashionable archiving program WinRAR.
The Ukrainian Authorities Laptop Emergency Response Staff (CERT-UA) just lately claimed a Russian risk actor, considered from the Sandworm group, managed to compromise Ukrainian state networks by utilizing compromised VPN accounts that didn’t have multi-factor authentication (MFA) arrange.
After getting entry, the hacker would deploy malware dubbed “RoarBat” which primarily wipes the affected drives.
Deleting all the things
What the malware does is searches the drive for information with totally different extensions, together with .doc, .txt, .jpg, and .xlsx. It then requires WinRAR to archive all these information, and provides the “-df” command-line possibility, which deletes all the information which might be being archived.
As soon as the work is completed, the malware deletes the archive itself, primarily wiping all the information discovered on the disk in a single fell swoop.
The risk actors are additionally focusing on Linux units, the company additional said, saying that for that OS, they’re utilizing a Bash script and the “dd” utility to overwrite goal information with zero bytes. “Attributable to this information alternative, restoration for information “emptied” utilizing the dd software is unlikely, if not solely inconceivable,” BleepingComputer states.
This isn’t the primary time such an assault focused Ukrainian state networks, CERT-UA claims. In January 2023, the nation’s state information company, Ukrinform, was additionally focused by Sandworm:
“The strategy of implementation of the malicious plan, the IP addresses of the entry topics, in addition to the actual fact of utilizing a modified model of RoarBat testify to the similarity with the cyberattack on Ukrinform, details about which was printed within the Telegram channel “CyberArmyofRussia_Reborn” on January 17, 2023.” CERT-UA stated.
One of the simplest ways to defend towards such assaults is to maintain the {hardware} and software program up to date, to allow MFA every time doable, and restrict entry to administration interfaces as a lot as doable.
By way of: BleepingComputer (opens in new tab)