Ukrainian CERT Warns of Minesweeper Attacks Targeting Financial and Insurance Organizations

The CERT of Ukraine (CERT-UA) has issued a warning about targeted attacks aimed at gaining unauthorized access to computers, particularly those of European and US financial and insurance organizations. These attacks, which took place between February and March of this year, involved the use of legitimate remote management software called SuperOps RMM.

During their analysis of a cyberattack on a Ukrainian organization, CERT-UA and CSIRT-NBU discovered that the attackers had sent emails to employees containing a link to Dropbox, which led to an executable SCR file disguised as a game of Minesweeper. This file contained legitimate Python code for the game, as well as a base64-encoded string that downloaded additional Python code from an online service, ultimately providing the attackers with unauthorized access to the targeted computers.

Further investigations revealed that the attackers had targeted financial and insurance institutions in Europe and the USA, although specific names were not provided. CERT-UA has shared Indicators of Compromise (IOCs) for IT managers to use in checking their networks for any signs of compromise, such as unexpected connections to *.superops.com or *.superops.ai.
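The network indicator above (unexpected connections to *.superops.com or *.superops.ai) is easy to check mechanically. The following is an added illustration, not code from CERT-UA or the original article: it scans constructed proxy-style log lines, matches the indicator domains with label-aware suffix matching so that look-alike names such as `notsuperops.com` are not flagged, and suppresses hosts on a hypothetical allowlist of machines where SuperOps RMM is legitimately deployed. The log format, host names and allowlist are assumptions.

```python
import re
from typing import Iterable

# CERT-UA's network indicator for this campaign: connections to the SuperOps RMM
# cloud domains from hosts that are not supposed to run that tool.
SUSPECT_DOMAINS = ("superops.com", "superops.ai")

# Hypothetical allowlist: hosts where IT has legitimately deployed SuperOps RMM.
EXPECTED_RMM_HOSTS = {"it-admin-01"}

# Constructed log format: "<timestamp> <hostname> <destination_fqdn> <port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<dst>\S+) (?P<port>\d+)$")


def matches_indicator(fqdn: str) -> bool:
    """True if fqdn is one of the indicator domains or a subdomain of one.
    Label-aware suffix matching: 'notsuperops.com' must not match."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in SUSPECT_DOMAINS)


def find_suspect_connections(lines: Iterable[str]) -> list[dict]:
    """Return connections to the indicator domains from non-allowlisted hosts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if matches_indicator(m["dst"]) and m["host"] not in EXPECTED_RMM_HOSTS:
            hits.append({"ts": m["ts"], "host": m["host"], "dst": m["dst"]})
    return hits


# Constructed sample log: one allowlisted admin host, two workstations that
# should never talk to SuperOps, one look-alike domain, and one malformed line.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z it-admin-01 api.superops.ai 443
2024-03-04T09:15:44Z fin-ws-17 agent.superops.com 443
2024-03-04T09:16:02Z fin-ws-17 www.dropbox.com 443
2024-03-04T09:20:10Z fin-ws-22 notsuperops.com 443
2024-03-04T09:21:33Z ins-ws-03 SuperOps.AI 443
garbage line
"""

if __name__ == "__main__":
    for hit in find_suspect_connections(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['host']} -> {hit['dst']}: unexpected SuperOps RMM traffic")
```

Any hit is a lead, not a verdict: confirm on the host whether the SuperOps agent was installed by IT before treating the machine as compromised.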

This incident comes in the wake of previous attacks on Ukraine’s critical infrastructure, with the Russian cyber gang Sandworm being implicated in cyber sabotage plans targeting around 20 critical objects in the country.

Ukrainian CERT: SuperOps RMM Software Used in Targeted Cyber Attacks

The Ukrainian CERT (CERT-UA) has raised concerns about a series of targeted cyber attacks involving the use of the SuperOps RMM remote management software. These attacks, which occurred between February and March, were aimed at gaining unauthorized access to computers, particularly those belonging to European and US financial and insurance organizations.

The attackers used emails containing links to Dropbox, which led to the download of an executable SCR file disguised as a Minesweeper game. This file contained legitimate Python code for the game, as well as a base64-encoded string that downloaded additional Python code from an online service, ultimately allowing the attackers to access the targeted computers remotely.

CERT-UA has identified Indicators of Compromise (IOCs) for IT managers to use in checking their networks for any signs of compromise, such as unexpected connections to *.superops.com or *.superops.ai. The agency has also highlighted the importance of monitoring network traffic for any suspicious activity.

The incident underscores the ongoing threat of cyber attacks targeting critical infrastructure, with previous attacks on Ukraine’s critical infrastructure linked to the Russian cyber gang Sandworm.

Cyber Security Incident Response Team in Ukraine Detects Minesweeper Attacks on Financial Institutions

The Cyber Security Incident Response Team in Ukraine (CSIRT-NBU) has detected a series of cyber attacks targeting financial institutions in Europe and the USA. The attacks, which took place between February and March, involved the use of legitimate remote management software called SuperOps RMM.

The attackers used emails containing links to Dropbox, which led to the download of an executable SCR file disguised as a Minesweeper game. This file contained legitimate Python code for the game, as well as a base64-encoded string that downloaded additional Python code from an online service, ultimately providing the attackers with unauthorized access to the targeted computers.

CSIRT-NBU has advised IT managers to check their networks for any signs of compromise, such as unexpected connections to *.superops.com or *.superops.ai. The agency has also shared Indicators of Compromise (IOCs) to assist in identifying any affected machines.

This incident highlights the ongoing threat of cyber attacks targeting financial institutions, with previous attacks on Ukraine’s critical infrastructure also being attributed to cyber criminals.