Europe News

Cyber-attack against the Norwegian website provider Coretrek

The company Coretrek was probably exposed to a denial of service attack on Monday, similar to what we saw against the Norwegian authorities last week. It affected several websites. A distributed denial of service (DDoS) attack takes place when someone uses a network of computers to send large amounts of traffic to a website. As a result, the website is unable to handle all the traffic and goes down. According to the Telegram channel of the Russian hacker network Killnet, Russian hackers are behind the attacks. This time the hacker group "NoName057" is said to be behind it. NoName057's Telegram channel claims that they have hit Bastø Fosen and Boreal. These websites have also been down. Both companies also have Coretrek as a supplier. Read more about it: here

Belgium accuses Chinese hackers of cyber attacks on Defense and Home Affairs

The government detected cyber attacks against the FPS Home Affairs and Defence. They "significantly affected our sovereignty, democracy, security and society," according to the press release. According to the Ministry of Foreign Affairs, both attacks can be linked to Chinese hacker groups. The hackers had access to the network at the Interior for two years. The Center for Cybersecurity (CCB) had previously suggested that the attack appeared to be the work of an intelligence agency. Due to the cyber attack at Defense, the network was cut off from the internet for weeks and mail traffic with the outside world was interrupted. Read more about it: here

Cyber attack on the Greens

Germany's Green political party fell victim to a large-scale cyberattack last week. The attackers gained access to the party's IT infrastructure and the party's internal platform called "Green network". Party members use this platform to exchange information about the ongoing negotiations within the coalition. Members' email accounts were impacted, as well as those of some of the party's leaders. During the attack, several emails were allegedly forwarded to an external server. No malicious actor has yet claimed responsibility for the attack. However, although technical details of the attack are not available, a state-sponsored malicious actor could be behind it. An investigation was conducted by the Federal Office for IT Security (BSI) and a private company specializing in cybersecurity to obtain more information about the attack. Read more about it: here

Follina Exploited by State-Sponsored Hackers

A government-aligned attacker tried using a Microsoft vulnerability to attack U.S. and E.U. Researchers have added state-sponsored hackers to the list of adversaries attempting to exploit Microsoft’s now-patched Follina vulnerability. According to researchers at Proofpoint, state-sponsored hackers have attempted to abuse the Follina vulnerability in Microsoft Office, aiming an email-based exploit at U.S. and E.U. Proofpoint researchers spotted the attacks and believe the adversaries have ties to a government, which it did not identify. The malicious attachment targets the remote code execution bug CVE-2022-30190, dubbed Follina. Read more about it: here

F5 Labs Investigates MaliBot

While tracking the mobile banking trojan FluBot, F5 Labs recently discovered a new strain of Android malware which we have dubbed “MaliBot”. While its main targets are online banking customers in Spain and Italy, its ability to steal credentials, cookies, and bypass multi-factor authentication (MFA) codes, means that Android users all over the world must be vigilant. Some of MaliBot’s key characteristics include: ... Read more about it: here

Russian Group Sandworm Foiled in Attempt to Disrupt Ukraine Power Grid

Ukraine’s computer emergency response team (CERT-UA), in collaboration with researchers from ESET and Microsoft, last week foiled a cyberattack on an energy company that would have disconnected several high-voltage substations from a section of the country’s electric grid on April 8. The attack, by Russia’s infamous Sandworm group, involved the use of a new, more customized version of Industroyer, a malware tool that the threat actor first used in Dec. 2016 to cause a temporary power outage in Ukraine’s capital Kyiv. In addition to the ICS-capable malware, the latest attack also featured destructive disk-wiping tools for the energy company’s Windows, Linux, and Solaris operating system environments that were designed to complicate recovery efforts. Read more about it: here

Spanish energy giant hit by data breach

Iberdrola, a Spanish energy provider, has suffered a data breach affecting over one million customers, local reports suggest. The company is headquartered in Bilbao and is the parent company of Scottish Power. They have reported that the attack took place on March 15 this year. The breach reportedly resulted in the theft of customer ID numbers, phone numbers and home and email addresses. Fortunately, it does not seem as if financial information was stolen. Read more about it here.

Cyberattack on state organizations of Ukraine using malicious programs Cobalt Strike Beacon, GrimPlant and GraphSteel (CERT-UA#4145)

The Governmental Computer Emergency Response Team of Ukraine CERT-UA received a notification from the coordinating entities about the mass distribution of e-mails on behalf of the state bodies of Ukraine with instructions on how to increase the level of information security. The body of the letter contains a link to the website hxxps://forkscenter[.]fr/, from which it is proposed to download "critical updates" in the form of a file "BitdefenderWindowsUpdatePackage.exe" of about 60 MB. Read more about it here.

Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability. Read more about it here.

Europol takes down VPNLab, a service used by ransomware gangs

An international law enforcement operation has seized the servers of VPNLab.net, a virtual private network provider that advertised its services on the criminal underground and catered to various cybercrime groups, including ransomware gangs. Europol said it seized 15 servers operated by the VPNLab team in Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the US, and the UK. No arrests were announced, but the company’s services were rendered inoperable, and its main website now shows a Europol seizure banner. Read more about it here.

CYBER THREAT INTELLIGENCE – NEWSLETTER – 2021/01/19