[Security Weekly] Killnet Launches Massive DDoS on Lithuania Over Sanctions Against Russia

lithuania ddos

July 2022, Issue I


1. Killnet launches massive DDoS attacks on Lithuania over sanctions against Russia

Killnet, a Russian-linked threat group named after its extensive use of the DDoS tool “Killnet”, claimed responsibility for a series of massive DDoS attacks launched on June 27 against the Lithuanian government and private companies.

The attacks came after Lithuania blocked sanctioned Russian goods from traveling through its territory into the Russian exclave of Kaliningrad, which is surrounded by Lithuania and Poland. Killnet warned that it would not stop the attacks until Lithuania removes the sanction.

The National Cyber Security Center (NKSC) of Lithuania disclosed that the country’s Secure National Data Transfer Network was under intensive attack, disrupting all users including government agencies and private companies. Some of the victims included State Tax Inspectorate (STI) and a large accounting service provider.

DDoS attacks are commonly used by threat actors for political purposes. The current situation in Ukraine has led to increasingly frequent attacks all across Europe. Right after Killnet was identified and warned by Five Eyes governments in a joint advisory in April, the tool was utilized for DDoS attacks against Germany, Italy, the Czech Republic, Romania, and Latvia.

Learn more about how a logical web application firewall (WAF) can protect against DDoS attacks and automated botnets.

Sources: Threatpost, Reuters, Politico


2. Android banking trojan “Revive” steals 2FA info from users of BBVA bank

A new Android banking trojan dubbed “Revive” was discovered by security researchers at Cleafy, capable of stealing two-factor authentication (2FA) information from mobile banking customers of Spain-based BBVA, one of the largest financial institutions in the world with presence in both Europe and the Americas.

The attackers begin with social engineering, sending emails to BBVA users about a new 2FA app that must be installed to replace the embedded 2FA functionality of the BBVA banking app. After users download the corrupted app, they are prompted to accept permissions for the app to access SMS and phone calls, which most users would accept as it is commonly required by many apps.

When the user opens the legitimate BBVA app, the corrupted app would intercept with a cloned BBVA login page, asking users to enter their login credentials, then taking the user back to the legitimate BBVA login page. The login credentials are sent to the command and control (C2) infrastructure of the attackers. Now, when the user receives their OTP code from the legitimate app, the corrupted app is able to retrieve the code from their SMS, giving the attackers everything they need to compromise the account.

Since Revive only targets a specific bank, it has been capable of staying under the radar of antivirus software. As banking trojans become increasingly common, all online banking users should stay extra cautious of emails that claim to come from the bank. It is important to always confirm the email address and never enter login details into any link or app given by the email.

Sources: Infosecurity, Bleeping Computer


3. RansomHouse claims to have stolen 450 GB of data from AMD

Advanced Micro Devices (AMD), one of the largest chipmakers in the world, is investigating a data breach claim made by the RansomHouse hacker group, who claimed recently on its leak site to have stolen 450 GB of data from the company.

Despite its name, RansomHouse is not a ransomware operator, but uses stolen data as leverage to demand ransom payments. Active since December 2021, the group claims to target companies with weak security measures.

According to its leak site, RansomHouse claimed that one of its partners breached AMD’s network on January 5, 2022, exfiltrating 450 GB of data including R&D and financial information. Although RansomHouse did not provide any screenshots to prove its claim, it did release a list of 70,000 devices that belong to AMD’s internal network, along with a list of AMD employee login credentials with weak passwords.

The threat actor said that it did not contact AMD for a ransom demand because selling the data to third parties would be much easier and more profitable. It remains unconfirmed whether these claims are true, exaggerated, or completely made up. Nevertheless, other victims on RansomHouse’s leak site have mostly been confirmed.

Sources: Bleeping Computer, TechCrunch, TechRadar


4. Automotive hose maker Nichirin hit by ransomware attack

Nichirin, a Japanese manufacturer of automotive hoses for brakes, air conditioning, and power steering, suffered a ransomware attack at its Texas-based subsidiary Nichirin-Flex USA, forcing it to take its network offline.

The attack took place on June 14. Fortunately, the subsidiary responded as soon as it noticed the intrusion and isolated its network from the rest of the company, containing the attack within its boundary. However, the subsidiary was forced to shut down its systems and switch to manual operation. Product distribution was also impacted, leading to delays in order fulfillment. The company’s website was temporarily taken down as well. The degree of data exposure is under investigation.

Ransomware attacks against the automotive supply chain have become increasingly common. As the automotive industry faces one of the worst supply chain crises in history, automakers and suppliers are very vulnerable to ransomware as they have very little time to spare.

Sources: SC Media, Help Net Security


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: iSIGN+ 

Car, Energy, Factory, City Solutions: Penta IoT Security