The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of ongoing attempts by unknown threat actors to impersonate the cybersecurity agency by sending AnyDesk connection requests.
The AnyDesk requests claim to be for conducting an audit to assess the "level of security," CERT-UA added, cautioning organizations to be on the lookout for such social engineering attempts that seek to exploit user trust.
"It is important to note that CERT-UA may, under certain circumstances, use remote access software such as AnyDesk," CERT-UA said. "However, such actions are taken only after prior agreement with the owners of cyber defense objects through officially approved communication channels."
However, for this attack to succeed, it is necessary that the AnyDesk remote access software is installed and operational on the target's computer. It also requires the attacker to be in possession of the target's AnyDesk identifier, suggesting that they may have to first obtain the identifier through other methods.
To mitigate the risk posed by these attacks, it is essential that remote access programs are enabled only for the duration of their use and that remote access is coordinated through official communication channels.
News of the campaign comes as Ukraine's State Service for Special Communications and Information Protection (SSSCIP) revealed that the cyber agency's incident response center detected over 1,042 incidents in 2024, with malicious code and intrusion attempts accounting for more than 75% of all the events.
"In 2024, the most active cyber threat clusters were UAC-0010, UAC-0050, and UAC-0006, specializing in cyber espionage, financial theft, and information-psychological operations," the SSSCIP said.
UAC-0010, also known as Aqua Blizzard and Gamaredon, is estimated to be behind 277 incidents. UAC-0050 and UAC-0006 have been found to be linked to 99 and 174 incidents, respectively.
The development also follows the discovery of 24 previously unreported .store top-level domains likely associated with the pro-Russian hacking group known as GhostWriter (aka TA445, UAC-0057, and UNC1151) by connecting disparate campaigns targeting Ukraine last year.
An analysis undertaken by security researcher Will Thomas (@BushidoToken) found that the domains used in these campaigns shared the same generic top-level domain (gTLD), the PublicDomainsRegistry registrar, and Cloudflare name servers. All of the identified servers also have a robots.txt directory configured.
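The pivot described above (linking otherwise separate campaigns through a shared gTLD, registrar and name-server set) can be reproduced on any set of domain records. The following is an added example and not code from the article or from Will Thomas's analysis; every domain, registrar and name server in it is constructed for illustration, and the record fields are assumed to have been collected from WHOIS and DNS beforehand.

```python
"""Infrastructure pivoting on shared registration attributes.

Added example (not from the article or from the analysis it cites): given a
handful of constructed domain records, group the domains that share the same
gTLD, registrar and name-server set, which are the attributes the analysis
above keyed on. All domains, registrars and name servers below are made up.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registrar: str
    name_servers: frozenset
    has_robots_txt: bool = False

    @property
    def gtld(self) -> str:
        # Everything after the last dot, lower-cased: "lure-a.store" -> "store"
        return self.domain.rsplit(".", 1)[-1].lower()


def pivot_key(rec: DomainRecord) -> tuple:
    """Fingerprint used to link domains: gTLD + registrar + sorted name-server set.

    Registrar and name servers are normalised to lower case so that cosmetic
    differences in how records were collected do not split a cluster.
    """
    servers = tuple(sorted(ns.lower() for ns in rec.name_servers))
    return (rec.gtld, rec.registrar.lower(), servers)


def cluster_by_infrastructure(records, min_size=2):
    """Return clusters of domains that share a pivot key, largest cluster first."""
    groups = defaultdict(list)
    for rec in records:
        groups[pivot_key(rec)].append(rec.domain)
    clusters = [sorted(domains) for domains in groups.values() if len(domains) >= min_size]
    return sorted(clusters, key=len, reverse=True)


def expand_from_seed(seed, candidates):
    """Starting from one confirmed record, return other candidates with the same fingerprint."""
    key = pivot_key(seed)
    return sorted(c.domain for c in candidates
                  if c.domain != seed.domain and pivot_key(c) == key)


# Constructed sample data; the .invalid name servers are placeholders, not real hosts.
SHARED_NS = frozenset({"ns1.example-cdn.invalid", "ns2.example-cdn.invalid"})
SAMPLE_RECORDS = [
    DomainRecord("lure-a.store", "ExampleRegistrar", SHARED_NS, True),
    DomainRecord("lure-b.store", "ExampleRegistrar", SHARED_NS, True),
    DomainRecord("lure-c.store", "exampleregistrar", SHARED_NS, True),  # differs only in case
    DomainRecord("benign.store", "OtherRegistrar", SHARED_NS, False),   # same NS, other registrar
    DomainRecord("lure-d.com", "ExampleRegistrar", SHARED_NS, True),    # same infra, other gTLD
    DomainRecord("unrelated.org", "ThirdRegistrar", frozenset({"ns.other.invalid"})),
]

if __name__ == "__main__":
    for cluster in cluster_by_infrastructure(SAMPLE_RECORDS):
        print("cluster:", cluster)
    print("pivoted from lure-a.store:", expand_from_seed(SAMPLE_RECORDS[0], SAMPLE_RECORDS))
```

A registrar and a large DNS provider are shared by enormous numbers of legitimate domains, so a cluster built on these three attributes alone is a lead for further investigation, not an attribution; in practice the pivot starts from a confirmed seed (as `expand_from_seed` does) and is tightened with additional overlaps such as hosting, certificates or, as in the analysis above, the presence of the same robots.txt path.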
As the Russo-Ukrainian war approaches the end of its third year, cyber attacks have also been recorded against Russia with the aim of stealing sensitive data and disrupting business operations by deploying ransomware.
Last week, cybersecurity company F.A.C.C.T. attributed to the Sticky Werewolf actor a spear-phishing campaign directed against Russian research and manufacturing enterprises to deliver a remote access trojan known as Ozone that is capable of granting remote access to infected Windows systems.
It also described Sticky Werewolf as a pro-Ukrainian cyber espionage group that primarily singles out state institutions, research institutes, and industrial enterprises in Russia. However, a previous analysis from Israeli cybersecurity firm Morphisec pointed out that this connection "remains uncertain."
It is not known how successful these attacks were. Some of the other threat activity clusters that have been observed targeting Russian entities in recent months include Core Werewolf, Venture Wolf, and Paper Werewolf (aka GOFFEE), the last of which has leveraged a malicious IIS module called Owowa to facilitate credential theft.