VPNLab[.]net Service Shutdown, Aftermath of Kronos Attack, Public Sector Ransomware Attacks in 2021, Data-wiping Software Targets Ukraine, APT35 Uses PowerShell Log4j Backdoor

Law enforcement agencies across 10 nations, including the FBI shut down a 15-server VPN operation used by cybercriminals to anonymize ransomware attacks. According to Ukranian law enforcement, VPNLab[.]net provided cover for at least 150 ransomware attacks that had netted 60 million euros in ransom. The nations involved in the takedown included Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom. Europol described VPNLab[.]net as “a popular choice for cybercriminals.” 

10 Nations Coordinate Shutdown of Ransomware VPN Service 

A month-old ransomware attack that took down Kronos Private Cloud continues to cause problems for companies that use the popular workforce management software. The attack has resulted in paychecks short by hundreds or thousands of dollars for thousands of public transit workers in New York, public service workers in Cleveland workers at companies like FedEx and Whole Foods and medical workers at hospitals across the country. Besides paychecks, the ransomware attacks have also affected companies’ ability to manage schedules and track hours. The company that makes Kronos expects systems to be back by the end of January. The extended disruption has prompted some employers to consider lawsuits against the software maker.  

Hackers disrupt payroll for thousands of employers—including hospitals 

According to their ransomware study of 2021, Emisoft notes that the US public sector endured over 2,300 attacks of local government entities, schools and healthcare providers. Healthcare providers topped the list with over 1,200 while schools suffered 1,043 ransomware attacks in 2021. As alarming as those numbers may seem, the number of schools attacked decreased from 1,681 in 2020. One reason according to the security vendor: threat actors are no longer acting with impunity. It credited the May attacks on the Colonial Pipeline and meat supplier JBS focused the US government’s attention on the problem of ransomware.  

Thousands of US Public Sector Ransomware Victims in 2021  

Microsoft’s Threat Intelligence Center recently observed a series of destructive attacks in Ukraine using data wiper malware disguised as ransomware. These attacks focus on Ukranian government agencies, non-profits and IT (Information Technology) organizations. Like NotPetya and BadRabbit wipers, the malware strain I corrupts files and includes a component that rewrites a computer’s Master Boot Record (MBR) to prevent it from booting and replaces the boot-up screen with a ransom note. Microsoft suspects but has not confirmed that these recent attacks are being carried out by Russian cyber-espionage groups.  

Microsoft: Data-wiping malware disguised as ransomware targets Ukraine again 

According to researchers from Check Point, hackers believed to be part of the Iranian APT35 state-backed group are suspected to be leveraging Log4Shell attacks to drop a new PowerShell backdoor known as ‘CharmPower.’ Researchers believe hackers were able to use the widespread vulnerability before targets had the opportunity to apply security updates. The CharmPower module can be used to validate a network connection, retrieve a C&C domain, receive, decrypt and execute follow-up modules and more.  

State hackers use new PowerShell backdoor in Log4j attacks 

This post was first first published on Forcepoint website by Jeff Birnbaum. You can view it by clicking here