"Breach Report" from UAC-0099 (CERT-UA#12463)

216.73.216.6

"Breach Report" from UAC-0099 (CERT-UA#12463)

· Published 18/12/2024 19:48 · Modified 18/12/2024 20:08

Essential information

Published: 18/12/2024 19:48
Modified: 18/12/2024 20:08
Tags: 2024-12-18 CVE-2023-38831 cloudflare lnk files lonepage program powershell winrar
Related entities: 25 observables, 1 intrusion sets (apt), 10 techniques (mitre), 1 malware

Description

The Ukrainian CERT-UA investigated cyberattacks by UAC-0099 against government organizations during November-December 2024. The attacks involved emails with malicious attachments, including exploits for CVE-2023-38831. The LONEPAGE program, used for command execution, has evolved to use encrypted files and .NET programs for decryption and in-memory execution. The group's espionage activities continue to evolve, with changing targets and infrastructure. The attackers use Cloudflare for hiding and ensuring fault tolerance. The report emphasizes the importance of implementing proper cyber defense measures to protect state information resources.

External references

https://otx.alienvault.com/pulse/67632706a78b585404652d93