SpiderLabs Blog

KillNet, Anonymous Sudan, and REvil Unveil Plans for Attacks on US and European Banking Systems

In a recent development, Russian hackers have declared their intention to launch cyberattacks on the European financial system within the next 48 hours. The announcement was made late on Wednesday, June 14 and came through a video threat posted on the Mash Telegram channel, a very popular channel for Russian news. This operation appears to be a collaborative effort between the hacking groups KillNet, REvil, and Anonymous Sudan. The post was subsequently reposted on the official Telegram channels of Anonymous Sudan and KillNet groups.

The hackers say they will target the financial system, following the formula of "no money - no weapons - no Kyiv regime." Additional information provided in the Telegram post indicates potential targets such as US banks and the US Federal Reserve System.

Figure 1. Threat video reposted on Telegram channels of Anonymous Sudan and KillNet.

The video from Mash was uploaded to YouTube: https://www.youtube.com/watch?v=uIY_iUsXg9Y.

Here is a screenshot from its opening:

Figure 2. Video posted on Mash.

As SpiderLabs has previously reported, there is a strong possibility that Anonymous Sudan is in fact a KillNet subgroup. SpiderLabs cannot confirm that the group is based in Sudan, nor that any of its members are from that nation, but based on the available evidence it seems quite likely that Anonymous Sudan is a KillNet project, possibly including some Eastern European members.

KillNet has been on SpiderLabs' radar since late last year, when the group claimed responsibility for the DDoS attack targeting Starlink. In a November 2022 report, SpiderLabs noted that despite its efforts, interest, collaboration, and major bragging, the group does not seem to have advanced any skills beyond very targeted and limited DDoS attacks.

In that report, SpiderLabs' research anticipated that KillNet would continue to conduct low-skill attacks against an ever-growing list of targets that it considers to be in opposition to Russian interests. However, it remains to be seen whether the group can graduate to attacks that cause damage, exfiltrate data, or do more than take down a website for a short period of time.

Figure 3. Anonymous Sudan Claiming Responsibility for DDoS Attacks on FAB, Chase, and Deutsche Bank Website.

Attack Vectors

KillNet and Anonymous Sudan groups focus on Distributed Denial of Service (DDoS). The groups are known for orchestrating large-scale DDoS attacks on various entities including airports, banks, energy providers, and government agencies.

A report by Forescout provided insights into other tactics employed by the KillNet group. Using a network of honeypots, the study uncovered credential brute-force attacks on common TCP ports, including 21 (FTP), 80 (HTTP), 443 (HTTPS), and 22 (SSH). The attacks relied primarily on dictionary-based techniques targeting widely used and default credentials. The two most frequently targeted usernames were 'root' and 'postgres'. Analysis of the attackers' IP addresses revealed their reliance on Tor nodes and the use of proxies.
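As an added illustration of how a defender might surface the brute-force pattern described above (this is example code, not Trustwave's or Forescout's tooling), the following parses sshd "Failed password" lines, counts failures per source IP, and flags sources that also probe the 'root' and 'postgres' accounts. The log lines are constructed samples using documentation IP ranges; the threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth log lines (not taken from the blog). The
# targeted usernames mirror the two most frequent ones in the honeypot data.
SAMPLE_LOG = """\
Jun 14 21:02:11 gw sshd[4120]: Failed password for root from 198.51.100.23 port 51022 ssh2
Jun 14 21:02:12 gw sshd[4121]: Failed password for root from 198.51.100.23 port 51030 ssh2
Jun 14 21:02:13 gw sshd[4122]: Failed password for invalid user postgres from 198.51.100.23 port 51041 ssh2
Jun 14 21:02:14 gw sshd[4123]: Failed password for invalid user postgres from 198.51.100.23 port 51055 ssh2
Jun 14 21:02:15 gw sshd[4124]: Failed password for root from 198.51.100.23 port 51060 ssh2
Jun 14 21:05:40 gw sshd[4130]: Accepted publickey for deploy from 203.0.113.8 port 40211 ssh2
Jun 14 21:06:02 gw sshd[4131]: Failed password for alice from 203.0.113.8 port 40220 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Accounts named in the Forescout findings as the most frequently targeted.
WATCHED_USERS = {"root", "postgres"}


def detect_bruteforce(log_text, threshold=5):
    """Return {ip: {"failures": n, "watched_users": set}} for every source IP
    whose failed-password count reaches `threshold` (assumed tuning value).
    A non-empty watched_users set means the source also tried the default
    accounts typical of the dictionary attacks described in the post."""
    failures = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        failures[m["ip"]] += 1
        users[m["ip"]].add(m["user"])
    return {
        ip: {"failures": n, "watched_users": users[ip] & WATCHED_USERS}
        for ip, n in failures.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info["failures"], sorted(info["watched_users"]))
```

In production the flagged IPs would additionally be checked against a Tor exit-node list and proxy reputation feeds, since the report notes both were used as sources.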

REvil is widely known for its ransomware attacks, which have affected some large organizations around the world. You might recognize them as the ransomware group that leveraged a zero-day vulnerability in Kaseya IT management software in 2021. In January 2022, Russia made a lot of noise about "taking down" the REvil group. At the time, SpiderLabs wrote up an analysis in which we stated that "The long-term impact of the REvil arrests remains to be seen." It seems obvious now that the "takedown" did very little. REvil is known to leverage phishing attacks and exploits to gain initial access.

Conclusion

KillNet and Anonymous Sudan are known for DDoS attacks that typically last only a short while, just long enough for a screenshot to post on Telegram. REvil, however, has a history of more damaging attacks. While this may not result in any actual attacks, the inclusion of REvil in the KillNet/AnonSudan collective should raise some eyebrows. Regardless of what the coming days bring, this is probably a good time to revisit your threat posture and public-facing services. Trustwave is actively monitoring the situation and will provide updates here as we have them.
