
CERT-UA Warns of Cyber Scams Using Fake AnyDesk Requests for Fraudulent Security Audits


Jan 21, 2025 | Ravie Lakshmanan | Malware / Cyber Threat

The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of ongoing attempts by unknown threat actors to impersonate the cybersecurity agency by sending AnyDesk connection requests.

The AnyDesk requests claim to be for conducting an audit to assess the "level of security," CERT-UA added, urging organizations to stay alert to social engineering attempts of this kind that seek to exploit user trust.

"It is important to note that CERT-UA may, under certain circumstances, use remote access software such as AnyDesk," CERT-UA said. "However, such actions are taken only after prior agreement with the owners of cyber defense objects via officially approved communication channels."

For this attack to succeed, however, the AnyDesk remote access software must be installed and running on the target's computer. The attacker must also possess the target's AnyDesk identifier, which suggests they may first have to obtain the identifier through other means.


To mitigate the risk posed by these attacks, it is essential that remote access programs are enabled only for the duration of their use and that every remote access session is coordinated in advance through official communication channels.
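The mitigation above can be turned into a simple check: any incoming remote-access request that does not match a session agreed beforehand over an official channel is flagged for verification. This is an added example, not code from CERT-UA or the article; the log format, the AnyDesk IDs and the approved windows are constructed for illustration, and the log lines are not AnyDesk's own trace-file format.

```python
from dataclasses import dataclass
from datetime import datetime

# Pre-agreed remote-access windows, coordinated over official channels beforehand.
# Constructed sample: (remote AnyDesk ID, window start, window end); IDs are made up.
APPROVED_WINDOWS = [
    ("123456789", datetime(2025, 1, 21, 14, 0), datetime(2025, 1, 21, 15, 0)),
]

# Constructed connection log in a hypothetical format (not AnyDesk's own trace file):
# direction  ISO-8601 timestamp  remote ID  result
SAMPLE_LOG = """\
incoming 2025-01-21T14:05:00 123456789 accepted
incoming 2025-01-21T09:30:00 987654321 accepted
outgoing 2025-01-21T11:00:00 555555555 accepted
incoming 2025-01-21T16:10:00 123456789 rejected
"""

@dataclass
class ConnectionEvent:
    direction: str
    when: datetime
    remote_id: str
    result: str

def parse_log(text):
    """Parse the whitespace-separated sample format; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if line.strip():
            direction, stamp, remote_id, result = line.split()
            events.append(ConnectionEvent(direction, datetime.fromisoformat(stamp), remote_id, result))
    return events

def is_approved(event, windows):
    """An incoming session counts as approved only if remote ID and time match a pre-agreed window."""
    return any(rid == event.remote_id and start <= event.when <= end for rid, start, end in windows)

def find_unsolicited(text, windows=APPROVED_WINDOWS):
    """Return incoming requests no agreed window covers. Rejected attempts are kept on purpose:
    an unexpected request is itself the signal to verify the requester over an official channel."""
    return [e for e in parse_log(text) if e.direction == "incoming" and not is_approved(e, windows)]

if __name__ == "__main__":
    for e in find_unsolicited(SAMPLE_LOG):
        print(f"ALERT unsolicited incoming session from {e.remote_id} at {e.when:%H:%M} ({e.result})")
```

On the sample log, the 14:05 session from the agreed ID is accepted silently, while the unknown ID at 09:30 and the known ID outside its window at 16:10 are both reported, even though the latter was already rejected.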

News of the campaign comes as Ukraine's State Service for Special Communications and Information Protection (SSSCIP) revealed that the cyber agency's incident response center detected over 1,042 incidents in 2024, with malicious code and intrusion attempts accounting for more than 75% of all events.

"In 2024, the most active cyber threat clusters were UAC-0010, UAC-0050, and UAC-0006, focusing on cyber espionage, financial theft, and information-psychological operations," the SSSCIP said.

UAC-0010, also known as Aqua Blizzard and Gamaredon, is estimated to be behind 277 incidents. UAC-0050 and UAC-0006 have been linked to 99 and 174 incidents, respectively.

The development also follows the discovery of 24 previously unreported .store top-level domains likely associated with the pro-Russian hacking group known as GhostWriter (aka TA445, UAC-0057, and UNC1151), found by connecting disparate campaigns that targeted Ukraine last year.

An analysis by security researcher Will Thomas (@BushidoToken) found that the domains used in these campaigns share the same generic top-level domain (gTLD), the PublicDomainsRegistry registrar, and Cloudflare name servers. All of the identified servers also have a robots.txt directory configured.

As the Russo-Ukrainian war approaches the end of its third year, cyber-attacks have also been recorded against Russia with the intention of stealing sensitive data and disrupting business operations by deploying ransomware.


Last week, cybersecurity company F.A.C.C.T. attributed to the Sticky Werewolf actor a spear-phishing campaign directed against Russian research and production enterprises that delivers a remote access trojan known as Ozone, which is capable of granting remote access to infected Windows systems.

It also described Sticky Werewolf as a pro-Ukrainian cyber espionage group that primarily singles out state institutions, research institutes, and industrial enterprises in Russia. However, an earlier analysis from Israeli cybersecurity company Morphisec pointed out that this connection "remains uncertain."

It is not known how successful these attacks have been. Other threat activity clusters observed targeting Russian entities in recent months include Core Werewolf, Venture Wolf, and Paper Werewolf (aka GOFFEE), the last of which has leveraged a malicious IIS module called Owowa to facilitate credential theft.
