Browser-in-the-Browser Technique Being Used In Ukraine Hacking Attacks

A Belarusian threat actor that is known as Ghostwriter (aka UNC1151) has been observed leveraging a browser-in-the-browser technique. This method simulates a browser window in order to launch convincing social engineering campaigns.

The Ghostwriter hacking group has used this technique, which masquerades as a legitimate domain by simulating a browser window over the website, to trick users into entering their credentials. The group combines it with a previously observed technique: hosting phishing pages on compromised sites.

Phishing emails have become a popular way for criminals to deceive targets into clicking on links or downloading malware. Some of these phishing campaigns use lures about the war in Ukraine, including campaigns by the groups Mustang Panda, Scarab, and Curious Gorge, and by nation-state actors from Iran, North Korea, and Russia.

The third wave of attacks observed over the past two-week period has been traced back to a Russia-based hacking group known as COLDRIVER, which targeted U.S.-based NGOs and think tanks.

The group, whose name is based on the string “ColDriver”, has attacked armies and defense contractors in at least three countries, including a Balkans country and an unknown Ukrainian defense contractor. TAG researchers have now observed that the group is targeting military forces in multiple Eastern European countries, as well as one NATO Centre of Excellence. It is unclear whether its Gmail-based attack campaign has been successful yet.

KA-SAT network attack on February 24, 2022

Viasat, a U.S.-based telecommunications company that provides satellite services to business and consumer customers in the United States, Russia, and 13 other countries as of September 2013, announced details of a cyber attack against its KA-SAT network on February 24, 2022. This announcement came shortly after Russia’s military invasion of Ukraine.

Tens of thousands of modems were disconnected from the network when a satellite providing broadband service to Ukraine and several European countries was attacked. This had an impact on 5,800 wind turbines in a Central European country operated by the German company Enercon.

 


The purpose of the attack was to disrupt services, the company explained. There is no evidence that any customer data was accessed or compromised or that customer personal devices (laptops, phones) were improperly accessed, nor is there any evidence that the satellite itself or its infrastructure was involved in the attack.

Viasat believes a VPN misconfiguration allowed an intruder to gain remote access to a part of the KA-SAT network, which the individual then destroyed by overwriting “key data in flash memory.” This person was not able to do more harm to the network, but they did manage to render all the modems on KA-SAT temporarily unable to connect.

If you want to learn more about browser-in-the-browser attacks, watch mr.d0x's YouTube video, where he walks you through how this type of attack works and how you can protect yourself from it.

 

 
