Iranian hackers are targeting organizations with a sophisticated multi-factor authentication (MFA) push-bombing attack, aiming to compromise their Microsoft 365, Azure, and Citrix Systems accounts. This attack involves sending a barrage of MFA push notifications to a victim’s device, overwhelming them with authentication requests and potentially tricking them into approving a malicious login.
The attackers exploit the user’s trust in MFA and their desire to quickly clear the notifications. This attack highlights the importance of implementing robust MFA strategies, including the use of advanced MFA solutions and security awareness training for employees. Organizations should also be wary of suspicious activity related to MFA notifications and promptly investigate any unusual behavior.
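One concrete way to spot the pattern described above in sign-in telemetry, as an added illustration that is not part of the original report: flag any user who receives an unusual burst of MFA push prompts inside a short window, and note when a burst of denials ends in an approval. The log events, the field names and the thresholds are constructed assumptions, not any vendor's real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not taken from the original page):
# (UTC timestamp, user, MFA push result). alice is hit with a burst of
# prompts and finally approves one; bob gets a single normal login.
SAMPLE_EVENTS = [
    ("2024-10-14T02:01:05Z", "alice@example.com", "denied"),
    ("2024-10-14T02:01:40Z", "alice@example.com", "denied"),
    ("2024-10-14T02:02:12Z", "alice@example.com", "timeout"),
    ("2024-10-14T02:02:50Z", "alice@example.com", "denied"),
    ("2024-10-14T02:03:30Z", "alice@example.com", "denied"),
    ("2024-10-14T02:04:10Z", "alice@example.com", "approved"),
    ("2024-10-14T08:15:00Z", "bob@example.com", "approved"),
    ("2024-10-14T17:45:00Z", "alice@example.com", "approved"),
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def detect_push_bombing(events, window=timedelta(minutes=10), min_prompts=5):
    """Flag users who receive >= min_prompts MFA push prompts inside any
    sliding window of the given length. Returns a dict keyed by user with
    the prompt count, how many were rejected or timed out, and whether a
    prompt was approved inside that burst (the fatigue-success signal)."""
    per_user = defaultdict(list)
    for ts, user, result in events:
        per_user[user].append((parse_ts(ts), result))
    findings = {}
    for user, prompts in per_user.items():
        prompts.sort()
        start = 0
        for end in range(len(prompts)):
            # Advance the window start until the span fits the window length.
            while prompts[end][0] - prompts[start][0] > window:
                start += 1
            burst = prompts[start:end + 1]
            if len(burst) < min_prompts:
                continue
            rejected = sum(1 for _, r in burst if r in ("denied", "timeout"))
            approved = any(r == "approved" for _, r in burst)
            prior = findings.get(user)
            # Keep only the largest burst seen for this user.
            if prior is None or len(burst) > prior["prompts"]:
                findings[user] = {"prompts": len(burst), "rejected": rejected,
                                  "approved_in_burst": approved,
                                  "window_start": burst[0][0].isoformat()}
    return findings
```

A burst with `approved_in_burst` set is the case worth paging on: several rejections followed by an approval is exactly the "clear the notifications" outcome the attack relies on.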
The U.S. Department of Justice has indicted two Sudanese brothers suspected of being the operators of Anonymous Sudan, a notorious hacktivist group known for conducting over 35,000 DDoS attacks in a year. The group has been responsible for targeting various entities, including hospitals, government facilities, and critical infrastructure in Los Angeles and around the world. The indictment marks a significant step towards disrupting the group’s activities and holding its members accountable for their actions.
A new pro-Russian hacktivist group, known as ZPentest, has emerged and has already made a significant impact on the cyber security landscape. The group has claimed responsibility for an OT attack in Arkansas City, USA, which targeted a water treatment facility. The attack was likely an attempt to disrupt critical infrastructure and demonstrate the group’s capabilities. The instant alliance formed between ZPentest and two other pro-Russian hacktivist groups, Cyber Army Russia and NoName057(16), points to a coordinated effort to destabilize the US and suggests that ZPentest may be an offshoot of one of the existing groups rather than a completely new entity.
The hacktivist group SkidSec, known for politically charged cyberattacks, launched a significant campaign targeting printers across South Korea. The group exploited weaknesses in the Internet Printing Protocol (IPP) services of thousands of printers to distribute propaganda materials featuring North Korean leader Kim Jong-un. SkidSec, active since October 2023, used the Censys platform to identify printers lacking proper authentication, which allowed them to remotely control the printing process and push their propaganda. The campaign, dubbed the “North Korean Propaganda Distribution Campaign,” demonstrated how seemingly innocuous internet-connected (IoT) devices can be weaponized by ideologically motivated groups. Its success underscores the importance of applying robust security measures to all IoT devices, printers included, and serves as a stark reminder of the need for increased security awareness and vigilance in an interconnected world.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a cybersecurity alert highlighting ongoing cyber threats targeting operational technology (OT) devices, particularly in water and wastewater systems. The alert emphasizes the critical need to safeguard OT assets and prioritize fundamental cybersecurity controls, including changing default credentials, enforcing network segmentation, and reducing internet exposure. It specifically mentions pro-Russia hacktivist groups, including the People’s Cyber Army (PCA), which have been targeting water utilities in North America and Europe. These groups have been abusing weaknesses in VNC deployments to access HMI systems and exploit SCADAView CSX, a SCADA software product widely used in water utilities. CISA recommends that organizations implement robust cybersecurity measures, including threat intelligence, vulnerability assessments, and incident response plans, to protect their OT infrastructure from these growing threats. Operational technology is a critical component of industrial control systems and is used to manage physical processes in sectors such as water utilities, power plants, and manufacturing facilities.
Kaspersky researchers have uncovered a strong connection between two hacktivist groups, BlackJack and Twelve, both of which target Russian organizations. They have been found to employ overlapping tactics, techniques, and procedures (TTPs), including the use of the Shamoon wiper and a leaked version of the LockBit ransomware, as well as legitimate tools such as PuTTY, AnyDesk, and ngrok for remote access and persistence. This shared toolkit and operational similarity strongly suggest these two groups are part of a unified cluster of activity. Both groups are primarily motivated by hacktivism and utilize publicly available tools, lacking the advanced resources typically associated with larger APT groups. Their focus is on causing disruption and damage to their victims, rather than financial gain.
Austria has been subjected to pro-Russian DDoS attacks. The attackers have disrupted the websites of the country’s financial service entities, airports, and stock exchange, as well as the websites of Austria’s ÖVP and SPÖ political parties. The hacktivist groups NoName057(16) and OverFlame have been linked to the attacks, which are likely motivated by the ongoing conflict between Russia and Ukraine and are a reminder of the vulnerability of critical infrastructure to cyberattacks.