CERT-UA Warns of Cyber Scams Using Fake AnyDesk Requests for Fraudulent Security Audits

Jan 21, 2025 | Ravie Lakshmanan | Malware / Cyber Threat

The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of ongoing attempts by unknown threat actors to impersonate the cybersecurity agency by sending AnyDesk connection requests.

The AnyDesk requests claim to be for conducting an audit to assess the "level of security," CERT-UA added, cautioning organizations to be on the lookout for such social engineering attempts that seek to exploit user trust in the agency.

“It is important to note that CERT-UA may, under certain circumstances, use remote access software such as AnyDesk,” CERT-UA stated. “However, such actions are taken only after prior agreement with the owners of objects of cyber defense through officially approved communication channels.”

However, for this attack to succeed, the AnyDesk remote access software must already be installed and running on the target's computer. The attacker must also be in possession of the target's AnyDesk identifier, suggesting that they would first need to obtain the identifier by other means (for example, from an earlier compromise, a leak, or a prior social engineering contact).


To mitigate the risk posed by these attacks, CERT-UA advises that remote access programs be enabled only for the duration of their actual use, and that any remote access session be coordinated in advance through official communication channels rather than accepted on the strength of an unsolicited connection request.
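The two mitigations above (remote access pre-agreed through official channels, and enabled only while it is in use) can be turned into a simple triage check over the AnyDesk service trace. The following Python is an added example, not code from CERT-UA or AnyDesk: the trace lines are constructed for this illustration, the field layout assumed by TRACE_RE is an assumption (check what your AnyDesk build actually writes to its trace file and adjust the pattern), and the approved IDs and maintenance window are placeholder values.

```python
import re
from datetime import datetime, time

# Constructed sample of AnyDesk-style service trace lines. The layout
# "<level> <timestamp> <component> app.session - Incoming session request
# from <ID> (<display name>)" is an ASSUMPTION for this example; real
# builds may differ, so adapt TRACE_RE before relying on it.
SAMPLE_TRACE = """\
info 2025-01-20 14:05:11.120 gsvc app.session - Incoming session request from 123456789 (CERT-UA security audit)
info 2025-01-20 14:05:12.003 gsvc app.session - Session accepted, remote 123456789
info 2025-01-20 23:41:02.511 gsvc app.session - Incoming session request from 987654321 (level of security audit)
info 2025-01-21 09:15:44.070 gsvc app.session - Incoming session request from 555000111 (internal helpdesk)
"""

# Remote AnyDesk IDs agreed in advance through official channels (assumed values).
APPROVED_REMOTE_IDS = frozenset({"555000111"})
# The only window in which remote access is supposed to be enabled at all (assumed).
MAINTENANCE_WINDOW = (time(9, 0), time(17, 0))
# Pretext wording from the CERT-UA advisory.
PRETEXT_WORDS = ("audit", "level of security")

TRACE_RE = re.compile(
    r"^(?P<level>\w+)\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+\S+\s+"
    r"app\.session - Incoming session request from (?P<remote_id>\d+)"
    r"(?: \((?P<name>[^)]*)\))?\s*$"
)


def parse_requests(trace_text):
    """Return one dict per inbound session request; all other trace lines are ignored."""
    requests = []
    for line in trace_text.splitlines():
        m = TRACE_RE.match(line)
        if not m:
            continue
        requests.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "remote_id": m.group("remote_id"),
            "name": m.group("name") or "",
        })
    return requests


def assess(req, approved=APPROVED_REMOTE_IDS, window=MAINTENANCE_WINDOW):
    """Return the reasons a request is suspicious; an empty list means it was expected."""
    reasons = []
    # Mitigation 1: access must be pre-agreed through official channels.
    if req["remote_id"] not in approved:
        reasons.append("remote ID was not pre-agreed through official channels")
    # Mitigation 2: remote access should only be enabled while it is in use.
    start, end = window
    if not (start <= req["ts"].time() <= end):
        reasons.append("request arrived outside the window when remote access should be enabled")
    # Extra signal: the caller leans on the 'security audit' pretext from the advisory.
    name = req["name"].lower()
    if any(w in name for w in PRETEXT_WORDS):
        reasons.append("display name invokes the 'security audit' pretext")
    return reasons


def triage(trace_text, approved=APPROVED_REMOTE_IDS, window=MAINTENANCE_WINDOW):
    """Return (remote_id, reasons) for every inbound request that raised at least one reason."""
    findings = []
    for req in parse_requests(trace_text):
        reasons = assess(req, approved, window)
        if reasons:
            findings.append((req["remote_id"], reasons))
    return findings


if __name__ == "__main__":
    for remote_id, reasons in triage(SAMPLE_TRACE).items() if False else triage(SAMPLE_TRACE):
        print(f"{remote_id}: " + "; ".join(reasons))
```

Run against the constructed sample, the two unsolicited "audit" requests are flagged (the late-night one additionally for arriving outside the maintenance window) while the pre-agreed helpdesk session passes. The allowlist, not the pretext keywords, is the control that matters: an impersonator can drop the word "audit", but cannot make their ID appear on a list that was agreed out of band.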

News of the campaign comes as Ukraine's State Service for Special Communications and Information Protection (SSSCIP) revealed that the agency's incident response center detected over 1,042 incidents in 2024, with malicious code and intrusion attempts accounting for more than 75% of all events.

"In 2024, the most active cyber threat clusters were UAC-0010, UAC-0050, and UAC-0006, specializing in cyber espionage, financial theft, and information-psychological operations," the SSSCIP said.

UAC-0010, also known as Aqua Blizzard and Gamaredon, is estimated to be behind 277 incidents. UAC-0050 and UAC-0006 have been linked to 99 and 174 incidents, respectively.

The development also follows the discovery of 24 previously unreported domains under the .store top-level domain likely associated with the pro-Russian hacking group known as GhostWriter (aka TA445, UAC-0057, and UNC1151), identified by connecting disparate campaigns targeting Ukraine last year.

An analysis undertaken by security researcher Will Thomas (@BushidoToken) found that the domains used in these campaigns shared the same generic top-level domain (gTLD), the PublicDomainsRegistry registrar, and Cloudflare name servers. All of the identified servers also have a robots.txt file configured. None of these attributes is distinctive on its own; it is the combination, applied to infrastructure already tied to known campaigns, that supports the pivot.

As the Russo-Ukrainian war approaches the end of its third year, cyber attacks have also been recorded against Russia with the aim of stealing sensitive data and disrupting business operations by deploying ransomware.


Last week, cybersecurity company F.A.C.C.T. attributed to the Sticky Werewolf actor a spear-phishing campaign directed against Russian research and manufacturing enterprises that delivers a remote access trojan known as Ozone, which is capable of granting remote access to infected Windows systems.

It also described Sticky Werewolf as a pro-Ukrainian cyber espionage group that primarily singles out state institutions, research institutes, and industrial enterprises in Russia. However, a previous analysis from Israeli cybersecurity company Morphisec pointed out that this connection "remains uncertain."

It's not known how successful these attacks were. Some of the other threat activity clusters that have been observed targeting Russian entities in recent months include Core Werewolf, Venture Wolf, and Paper Werewolf (aka GOFFEE), the last of which has leveraged a malicious IIS module called Owowa to facilitate credential theft.
