Image Credit: Socprime

UAC-0125 Attack Detection: Hackers Use Fake Websites on Cloudflare Workers to Exploit the “Army+” Application

  • Another hacking collective has emerged in the cyber threat arena to target Ukrainian organizations.
  • CERT-UA notifies defenders about the discovery of fake websites that mimic the official page of the “Army+” application and are hosted on the Cloudflare Workers service.
  • The UAC-0125 group is highly likely associated with the nefarious russia-backed hacking collective tracked as UAC-0002 (aka APT44, aka Sandworm).
  • The increasing number of cyber attacks targeting government bodies, military and defense agencies, and the critical infrastructure sector has been causing a stir on the cyber front line since russia’s full-fledged war against Ukraine began.
  • SOC Prime Platform for collective cyber defense equips security teams with a relevant detection stack to proactively thwart the attacks covered in the CERT-UA#12559 alert.
  • UAC-0125 Attack Analysis: Users are prompted to download the executable file “ArmyPlusInstaller-v.0.10.23722.exe” when visiting the fake websites.
  • The executable file runs a PowerShell script that installs OpenSSH on the compromised system and generates an RSA key pair.
  • The adversary activity is tracked under the UAC-0125 identifier; the notorious Sandworm APT group, with which it is associated, has been targeting Ukrainian state bodies and critical infrastructure organizations for over a decade.
  • MITRE ATT&CK Context: Security teams can gain valuable insights into the UAC-0125 TTPs involved in the latest malicious campaign against Ukraine.
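The behaviour the summary describes (a PowerShell script that installs OpenSSH and generates an RSA key pair) is the kind of sequence a SOC can correlate from PowerShell Script Block Logging. The following is an added example written for this page, not code from SOC Prime or CERT-UA: it correlates indicator hits per host inside a time window. The sample events, the host names, the indicator regexes and the assumption that installation happens via `Add-WindowsCapability` and key generation via `ssh-keygen -t rsa` are all constructed assumptions, not details from the CERT-UA#12559 alert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape of PowerShell Script Block Logging
# (Event ID 4104) records. These are illustrative, not from the alert.
SAMPLE_EVENTS = [
    {"host": "ws01", "time": "2024-12-18T10:01:02Z",
     "script": "Get-ChildItem C:\\Users"},
    {"host": "ws02", "time": "2024-12-18T10:05:10Z",
     "script": "Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"},
    {"host": "ws02", "time": "2024-12-18T10:05:40Z",
     "script": "ssh-keygen -t rsa -b 2048 -f C:\\ProgramData\\ssh\\id_rsa -N ''"},
    {"host": "ws02", "time": "2024-12-18T10:06:05Z",
     "script": "Start-Service sshd; Set-Service -Name sshd -StartupType Automatic"},
    {"host": "ws03", "time": "2024-12-18T11:00:00Z",
     "script": "Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0"},
]

# Hypothetical indicator patterns for "install OpenSSH, then generate an RSA
# key pair" (assumed command forms; the alert does not quote the script).
INDICATORS = {
    "openssh_install": re.compile(
        r"Add-WindowsCapability\b.*\bOpenSSH\.(?:Server|Client)", re.IGNORECASE),
    "rsa_keygen": re.compile(r"\bssh-keygen\b.*-t\s+rsa\b", re.IGNORECASE),
    "sshd_service": re.compile(
        r"\b(?:Start-Service|Set-Service|New-Service)\b.*\bsshd\b", re.IGNORECASE),
}


def _parse_ts(ts):
    # datetime.fromisoformat() only accepts a trailing "Z" on Python 3.11+.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def match_indicators(script):
    """Return the names of every indicator pattern that matches one script block."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def correlate(events, window=timedelta(minutes=30)):
    """Collect distinct indicators per host within `window` of the host's first hit.

    Returns {host: sorted list of indicator names}; hosts with no hits are omitted.
    """
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: _parse_ts(e["time"])):
        for name in match_indicators(ev["script"]):
            hits[ev["host"]].append((_parse_ts(ev["time"]), name))
    result = {}
    for host, items in hits.items():
        start = items[0][0]
        result[host] = sorted({name for ts, name in items if ts - start <= window})
    return result


def flagged_hosts(events, min_indicators=2):
    """Hosts where at least `min_indicators` distinct indicators co-occur in the window.

    A lone OpenSSH.Client install (ws03) is normal admin activity and is not flagged;
    install plus key generation on the same host in a short window is.
    """
    return sorted(h for h, names in correlate(events).items()
                  if len(names) >= min_indicators)


if __name__ == "__main__":
    for host, names in correlate(SAMPLE_EVENTS).items():
        print(host, names)
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

Requiring two or more distinct indicators on one host keeps a single legitimate OpenSSH client install from paging the on-call analyst, while the install-then-keygen pair on the same host within half an hour surfaces as a single alert that can be tied back to the parent installer process.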
