One Article Review

The article:
Source: RiskIQ
Identifier: 8617948
Publication date: 2024-11-26 21:02:38 (viewed: 2024-11-26 22:08:27)
Title: CyberVolk: A Deep Dive into the Hacktivists, Tools and Ransomware Fueling Pro-Russian Cyber Attacks
Text:
## Snapshot
CyberVolk, also known as GLORIAMIST, is a pro-Russia hacktivist collective that has been conducting ransomware attacks against entities in multiple countries since May 2024. The group has ties to other hacktivist groups, including [LAPSUS$](https://sip.security.microsoft.com/intel-profiles/d8a488ebb705e1b6bf64d3bd0c6e67344faf89546a63c30035b2cf9a250de421), Anonymous, Moroccan Dragons and NoName057(16), and primarily exploits geopolitical tensions to justify attacks on public-sector and governmental organisations, serving the interests of the Russian government.

## Description
CyberVolk launched its [Ransomware-as-a-Service (RaaS)](https://sip.security.microsoft.com/intel-explorer/articles/f61c0dea) in June 2024. Its ransomware, derived from [AzzaSec](https://sip.security.microsoft.com/intel-explorer/articles/a8648a54)'s code, is written in C++ and uses AES, RSA and what the source describes as quantum-resistant algorithms (not named) for encryption. Before encrypting files it terminates processes related to system management tools; it then demands a ransom in cryptocurrency with a five-hour deadline.

CyberVolk is associated with the HexaLocker and Parano ransomware families. HexaLocker, developed by ZZART3XX, a former LAPSUS$ associate, targets Windows systems and is known for its evasion techniques, including anti-debugging, an EDR/XDR/AV killer component and improved UAC bypasses. Parano ransomware, promoted in October 2024, also carries anti-analysis features and uses AES-128 and RSA-4096 for encryption.

Beyond ransomware, CyberVolk develops [infostealer](https://sip.security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6) malware and webshells that let attackers manipulate files and directories on compromised servers.
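The AES-plus-RSA construction the article attributes to Parano (AES-128 for file contents, RSA-4096 to protect the key) is the standard hybrid scheme, and the reason it matters to defenders is worth seeing in working code: each file gets a fresh symmetric key, that key is wrapped with the operator's public key, and nothing in the binary or the encrypted file lets anyone but the holder of the private key unwrap it. The following Go program is an added illustration of that scheme; it is not code from the article, from CyberVolk, or from any analysed sample. The on-disk layout, the choice of AES-GCM mode and RSA-OAEP padding, and the names `lockFile`/`unlockFile` are assumptions, since the article names only the algorithms, not the mode or the file format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Locked is the illustrative layout of one encrypted file. This layout is an
// assumption; the article does not describe Parano's real on-disk format.
type Locked struct {
	WrappedKey []byte // per-file AES-128 key, RSA-OAEP encrypted to the operator's public key
	Nonce      []byte // AES-GCM nonce, unique per file
	Ciphertext []byte // AES-GCM ciphertext plus 16-byte authentication tag
}

// lockFile is the encryptor side of the hybrid scheme: generate a fresh
// 16-byte (AES-128) key for this file, encrypt the contents with AES-GCM,
// then wrap the key with the operator's RSA public key. Only the wrapped
// key is stored; the plaintext key never touches disk.
func lockFile(pub *rsa.PublicKey, plaintext []byte) (*Locked, error) {
	key := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Locked{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// unlockFile is what the operator's decryptor does. The RSA private key is
// the only thing that can unwrap the file key; a victim holding the binary,
// the public key and the encrypted file has nothing to work with.
func unlockFile(priv *rsa.PrivateKey, l *Locked) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, l.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong private key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, l.Nonce, l.Ciphertext, nil)
}

func main() {
	// The operator's 4096-bit key pair; generation takes a few seconds.
	operator, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		panic(err)
	}
	// Constructed sample file contents, not data from any real incident.
	sample := []byte("quarterly-report.xlsx: constructed sample contents")
	l, err := lockFile(&operator.PublicKey, sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(l.WrappedKey), len(l.Ciphertext))

	pt, err := unlockFile(operator, l)
	fmt.Printf("operator decrypts: %q (err=%v)\n", pt, err)

	// Anyone without the operator's private key, even with another RSA key, fails.
	stranger, _ := rsa.GenerateKey(rand.Reader, 4096)
	_, err = unlockFile(stranger, l)
	fmt.Println("victim with a different key:", err)
}
```

Run it with `go run`; the wrapped key is always the RSA modulus size (512 bytes for RSA-4096) and the ciphertext is the plaintext length plus the 16-byte GCM tag. The practical consequence for responders is that recovery hinges entirely on the operator's private key, so the only free decryption paths are implementation mistakes on the attacker's side (a hardcoded or reused key, a key left recoverable in memory), not the algorithms themselves.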
In early November 2024, CyberVolk's presence on Telegram ended in a mass ban of hacktivist groups, prompting the group to move to the X platform for future communications. Despite the ban, CyberVolk remains a significant threat because of its ability to adopt and enhance commodity tools, which complicates tracking of its activity by security teams.

## Microsoft Analysis and Additional OSINT Context
Pro-Russian hacktivists have emerged as prominent actors in cyberattacks, targeting critical infrastructure and launching widespread DDoS campaigns to advance political, social or ideological agendas. These activities often blur the line between independent hacktivism and state-sponsored operations, as Russia leverages, and sometimes impersonates, hacktivist and cybercriminal groups to obscure its own cyber activity and amplify its effects. The Kremlin's tacit support for, and leniency toward, cybercriminal groups operating within its borders further enables these actors to carry out attacks aligned with Russian interests. For example, the Russian hacktivist group NoName057(16), together with the pro-Russian groups Cyber Army of Russia Reborn and Alixsec, [launched DDoS attacks against South Korean government](https://sip.security.microsoft.com/intel-explorer/articles/8eac574e) agencies in November 2024, in response to South Korean political statements on the supply of weapons to Ukraine. Additionally, in May 2024, CISA issued a joint statement highlighting ongoing [pro-Russia hacktivist activity targeting ICS and small-scale OT systems](https://www.cisa.gov/resources-tools/resources/defending-ot-operations-against-ongoing-pro-russia-hacktivist-activity) across North American and European critical infrastructure sectors, including Water and Wastewater Systems, Dams, Energy, and Food and Agriculture.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of RaaS threats.

- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus) in Microsoft Defender Antivirus or the equivalent for your antivir
Notes: ★★★
Sent: Yes
Tags: Ransomware, Malware, Tool, Threat, Industrial


The article does not appear to have been picked up elsewhere after its publication.

The article does not appear to be a repeat of an earlier one.