Tag Archive for: German

Russian Hackers Use ‘WINELOADER’ Malware to Target German Political Parties

/in


Mar 23, 2024NewsroomCyber Espionage / Cyber Warfare

Malware

The WINELOADER backdoor used in recent cyber attacks targeting diplomatic entities with wine-tasting phishing lures has been attributed as the handiwork of a hacking group with links to Russia’s Foreign Intelligence Service (SVR), which was responsible for breaching SolarWinds and Microsoft.

The findings come from Mandiant, which said Midnight Blizzard (aka APT29, BlueBravo, or Cozy Bear) used the malware to target German political parties with phishing emails bearing a logo from the Christian Democratic Union (CDU) around February 26, 2024.

“This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions,” researchers Luke Jenkins and Dan Black said.

Cybersecurity

WINELOADER was first disclosed by Zscaler ThreatLabz last month as part of a cyber espionage campaign that’s believed to have been ongoing since at least July 2023. It attributed the activity to a cluster dubbed SPIKEDWINE.

Attack chains leverage phishing emails with German-language lure content that purports to be an invite for a dinner reception to trick recipients into clicking on a phony link and downloading a rogue HTML Application (HTA) file, a first-stage dropper called ROOTSAW (aka EnvyScout) that acts as a conduit to deliver WINELOADER from a remote server.

“The German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper hosted on an actor-controlled compromised website,” the researchers said. “ROOTSAW delivered a second-stage CDU-themed lure document and a next stage WINELOADER payload.”

WINELOADER, invoked via a technique called DLL side-loading using the legitimate sqldumper.exe, comes equipped with abilities to contact an actor-controlled server and fetch additional modules for execution on the compromised hosts.

It’s said to share similarities with known APT29 malware families like BURNTBATTER, MUSKYBEAT, and BEATDROP, suggesting the work of a common developer.

WINELOADER, per the Google Cloud subsidiary, has also been employed in an operation targeting diplomatic…

Source…

Hacker exposed weakness in German electronic ID, magazine reports

/in


A hacker has reportedly uncovered security gaps in the online functions of Germany’s new national ID cards, according to the news magazine Der Spiegel.

Using his own software instead of the official government AusweisApp, the hacker managed to access login data for the so-called eID function of Germany’s identity card, which is intended to allow German citizens to securely identify themselves online.

According to the report, this is activated for more than 50 million ID card holders and serves as the basis for digital administrative procedures. It is also used for identification at banks, among other things.

The hacker, who goes by the pseudonym “CtrlAlt,” used the trick to open an account at a major German bank under someone else’s name.

A spokesman for the Chaos Computer Club (CCC), a well-known German hacker and computer security group, confirmed to Der Spiegel that the hacker had exposed a critical point in the eID procedure on mobile devices.

“This is a realistic attack scenario,” the spokesman told the news magazine. “It must be prevented that an ID app other than the officially approved one can register and log into the cell phone for eID authentication.”

The hacker had already informed Germany’s Federal Office for Information Security (BSI) of his findings on December 31.

The agency told Der Spiegel that it saw no reason to “change the risk assessment for the use of the eID,” since the vulnerability appeared to be not in the eID system itself but in devices used by consumers.

However, the agency said it would still examine a possible adjustment to the system.

Source…

German Police Raid DDoS-Friendly Host ‘FlyHosting’

/in


Authorities in Germany this week seized Internet servers that powered FlyHosting, a dark web offering that catered to cybercriminals operating DDoS-for-hire services, KrebsOnSecurity has learned. FlyHosting first advertised on cybercrime forums in November 2022, saying it was a Germany-based hosting firm that was open for business to anyone looking for a reliable place to host malware, botnet controllers, or DDoS-for-hire infrastructure.

A seizure notice left on the FlyHosting domains.

A statement released today by the German Federal Criminal Police Office says they served eight search warrants on March 30, and identified five individuals aged 16-24 suspected of operating “an internet service” since mid-2021. The German authorities did not name the suspects or the Internet service in question.

“Previously unknown perpetrators used the Internet service provided by the suspects in particular for so-called ‘DDoS attacks’, i.e. the simultaneous sending of a large number of data packets via the Internet for the purpose of disrupting other data processing systems,” the statement reads.

News of a raid on FlyHosting first surfaced Thursday in a Telegram chat channel that is frequented by people interested or involved in the DDoS-for-hire industry, where a user by the name Dstatcc broke the news to Fly Hosting customers:

“So Flyhosting made a ‘migration’ with it[s] systems to new rooms of the police ;),” the warning read. “Police says: They support ddos attacks, C&C/C2 and stresser a bit too much. We expect the police will take a deeper look into the files, payment logs and IP’s. If you had a server from them and they could find ‘bad things’ connected with you (payed with private paypal) you may ask a lawyer.”

An ad for FlyHosting posted by the the user “bnt” on the now-defunct cybercrime forum BreachForums. Image: Ke-la.com.

The German authorities said that as a result of the DDoS attacks facilitated by the defendants, the websites of various companies as well as those of the Hesse police have been overloaded in several cases since mid-2021, “so that they could only be operated to a limited extent or no longer at times.”

The statement says police…

Source…

German politicians hail capture of suspected Russian ‘mole’ – DW – 12/23/2022

/in


German politicians of various stripes lined up on Friday to warn against the dangers of Russia’s hybrid warfare strategy, after the arrest of an alleged Russian spy working inside Germany’s foreign intelligence agency, the BND.

The man, a German national named only as Carsten L., is thought to have passed classified information to Russia while working for the BND. For security reasons, the intelligence agency has refused to release any further details about the suspect, the extent of the leaks, or about any further contacts he may have had. His home and offices have been searched by prosecutors.

“This is a wake-up call to everyone that Russia makes no exception to spying on us, too. To destabilize our system, the Federal Republic. And all the stops are being pulled out,” said Marie-Agnes Strack-Zimmermann, head of the parliament’s defense committee and member of the neoliberal Free Democratic Party (FDP), the smallest member of the three-party coalition government.

“This makes it clear, regardless of whether you are a top or middle or whoever agent, that Russia is trying to obtain information using all methods,” she told public broadcaster BR. “This second battlefield, as I call it, has existed for decades. Namely, the espionage, the cyber war, to influence us or to get information.”

Marie-Agnes Strack-Zimmermann speaking into DW microphone
FDP defense spokesperson Marie-Agnes Strack-Zimmermann calls the latest expionage incident a “wake-up call’

Hybrid warfare

Nils Schmid, a foreign policy spokesman for Chancellor Olaf Scholz’s center-left Social Democratic Party (SPD), struck a similar note. “This indicates that the temptation to spy is also present in Germany and that we have to be very attentive to the influence of Russia in Germany,” he said to DLF public broadcaster on Friday. “So it’s not just about the military threat, it’s about hybrid warfare.”

Schmid agreed with BND President Bruno Kahl, who said the case underlined the unscrupulous nature of Russia’s methods. “Russia has seen itself in a conflict, indeed in a war with the West for years and thinks that all means are permissible,” he said. “Murder of opposition members on German soil and, indeed, espionage.”

Bruno Kahl
BND President Bruno Kahl is worried about Russian spying…

Source…