Cisco Blogs
Share

Not So Crystal Clear – Zeus Variant Spoils Ukrainian Holiday

- January 4, 2018 - 0 Comments

This post was authored by Edmund Brumaghin with contributions from Ben Baker, Dave Maynor and Matthew Molyett.

Introduction

Talos has observed a cyber attack which was launched using the official website of the Ukraine-based accounting software developer Crystal Finance Millennium (CFM). This vector is similar to the attack outlined by Talos in the Nyetya and companion MeDoc blog post. Ukrainian authorities and businesses were alerted by local security firm (ISSP) that another accounting software maker had been compromised. However, the attackers did not compromise the firm’s update servers and did not have the level of access noted in the Nyetya compromise. CFM’s website was being used to distribute malware that was retrieved by malware downloaders attached to messages associated with a concurrent spam campaign. Websites being compromised to serve malicious content is common and it appears that CFM’s website was leveraged in the same way. This can be achieved through exploitation of existing vulnerabilities in server-side software or brute-forcing weak credentials, allowing attackers to gain remote administrative access. The fact that it is an accounting software company in Ukraine and the timing of the attack increased visibility.

This attack occurred in August 2017, during the time frame associated with the observance of the Independence Day holiday in Ukraine. The details of the specific malware infection process itself have been previously documented here. Talos was able to register and sinkhole one of the Command and Control (C2) domains and through this, obtain additional details regarding the scope of this attack and associated victims. This blog provides additional information related to the geographic regions that were targeted by this attack as well as the size and scope of of systems that were successfully compromised.

Read More >>

Leave a comment

We'd love to hear from you! To earn points and badges for participating in the conversation, join Cisco Social Rewards. Your comment(s) will appear instantly on the live site. Spam, promotional and derogatory comments will be removed and HTML formatting will not appear.

Share