Ukrainian hackers of the Ukrainian Cyber Alliance breached the servers of Russian cybercriminals

The Ukrainian Cyber Alliance, a group of Ukrainian cyber activists, hacked the servers of the Trigona ransomware gang, copied all available information and then destroyed them, Bleeping Computer reports.

Ukrainian Cyber Alliance hackers gained access to the Trigona ransomware infrastructure using a public exploit for CVE-2023-22515, a critical, remotely exploitable privilege-escalation vulnerability in Atlassian Confluence Data Center and Server.

The vulnerability has been exploited as a zero-day since September 14 by at least one threat group, which Microsoft tracks as Storm-0062 (also known as DarkShadow and Oro0lxy).
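A defender reading this will want to know whether their own Confluence instance was hit the same way. The script below is an added example, not code from the article, from the UCA or from Atlassian: it scans web-server access-log lines for the request sequence publicly documented for the CVE-2023-22515 exploit chain (a request that resets the bootstrap `setupComplete` flag, followed by a POST to the setup-administrator action that creates a new admin account). The log lines are constructed for the example; the log format (common log format) and the stage names are assumptions.

```python
"""Scan Confluence access-log lines for the CVE-2023-22515 exploitation pattern.

Added example. Request paths are the publicly documented indicators for this
exploit chain; the sample log lines below are constructed, not real traffic.
"""
import re
from collections import defaultdict

# Stage 1: attacker flips the bootstrap flag so the setup wizard becomes reachable.
SETUP_COMPLETE_FALSE = re.compile(
    r"/server-info\.action\?.*bootstrapStatusProvider\.applicationConfig\.setupComplete=false",
    re.IGNORECASE,
)
# Stage 2: attacker creates an administrator through the setup wizard.
SETUP_ADMIN = re.compile(r"/setup/setupadministrator\.action", re.IGNORECASE)
# Stage 3: attacker closes the wizard again to hide the change.
SETUP_FINISH = re.compile(r"/setup/finishsetup\.action", re.IGNORECASE)

# Common log format (assumption): client - user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return, per client address, the sorted list of exploitation stages observed."""
    stages = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        path = rec["path"]
        if SETUP_COMPLETE_FALSE.search(path):
            stages[rec["client"]].add("setup_complete_reset")
        elif SETUP_ADMIN.search(path) and rec["method"] == "POST":
            stages[rec["client"]].add("admin_created")
        elif SETUP_FINISH.search(path):
            stages[rec["client"]].add("setup_finished")
    return {client: sorted(s) for client, s in stages.items()}


def likely_exploited(findings):
    """Clients that both reset the setup flag and created an admin: treat as compromised."""
    return sorted(
        client for client, s in findings.items()
        if "setup_complete_reset" in s and "admin_created" in s
    )


# Constructed sample: one attacker (203.0.113.7) running the full chain, one
# legitimate user, and one harmless request to server-info.action without the flag.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Sep/2023:10:21:03 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 200 1523',
    '203.0.113.7 - - [14/Sep/2023:10:21:05 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0',
    '203.0.113.7 - - [14/Sep/2023:10:21:06 +0000] "POST /setup/finishsetup.action HTTP/1.1" 302 0',
    '198.51.100.4 - alice [14/Sep/2023:10:22:11 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 8831',
    '198.51.100.9 - - [14/Sep/2023:10:23:40 +0000] "GET /server-info.action HTTP/1.1" 200 1523',
]

if __name__ == "__main__":
    findings = scan(SAMPLE_LOG)
    for client, observed in findings.items():
        print(client, observed)
    print("likely exploited:", likely_exploited(findings))
```

On a patched-but-previously-exposed instance, any request to `/setup/*.action` after initial setup is suspicious on its own; the log check only tells you an attempt was made, so the follow-up is to audit the `confluence-administrator` group for accounts you did not create and to rotate credentials if one is found.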

The Ukrainian Cyber Alliance (UCA) hacked the Trigona ransomware gang's Confluence server about six days ago, established persistence and mapped the gang's infrastructure, all without being detected.

After a UCA activist using the handle herm1t posted screenshots of the ransomware group's internal support documents, the Trigona operators initially panicked, changed their passwords and took their public infrastructure offline, BleepingComputer reported.

Over the following week, however, the activists managed to pull all information from the threat actor's administration and victim panels, its blog and data leak site, and its internal tools (Rocket.Chat, Jira and Confluence servers).

herm1t told BleepingComputer that they also took the gang's developer environment, hot cryptocurrency wallets, source code and database records.

The activists do not know whether the data they collected contains decryption keys, but they said they would make the keys public if any were found.

After gathering all available data on the ransomware gang, the UCA activists wiped and defaced its sites and handed over the key to the site's admin panel.

The UCA says it was also able to recover three backups containing hundreds of gigabytes of allegedly stolen documents.

Details of the operation were also shared by Andrii Baranovych (Sean Townsend), the spokesperson of the Ukrainian Cyber Alliance.

“We just took down one such gang and did to them the same thing they do to others. We downloaded their servers (ten of them), deleted everything and finally defaced them. Neither TOR helped them, nor did they know they had a hole. All their infrastructure was completely blown away. A kind of ‘hunt forward’,” Baranovych wrote on his page.

Backups of Trigona ransomware data deleted by the Ukrainian Cyber Alliance. Source: herm1t

Since 2014, many hacktivists in Ukraine and around the world have been working together to protect the country's cyberspace from Russian aggression.

About two years later, individual hackers and several hacker groups united in the Ukrainian Cyber Alliance. UCA members have carried out several successful hacking operations that exposed Russian activities and propaganda efforts in Ukraine and other countries, as well as Russia's control over various individuals and entities.

In 2016, the UCA carried out two hacks of the Ministry of Defense of the Russian Federation and leaked state defense contracts and confidential data on the fulfilment of state defense orders in 2015-2016. Another success was the hack of the e-mail of Vladislav Surkov, former assistant to the President of the Russian Federation.

The Trigona ransomware operation has gone by this name since late October last year, when the gang launched a Tor site for negotiating Monero ransom payments with the victims of its attacks.

Before that, the malware samples had no specific name; they have been observed in the wild since the beginning of 2022. Before the Trigona brand, the operators negotiated ransom payments by e-mail.

At one point, the cybercriminals were active enough to compromise at least 15 companies in the manufacturing, finance, construction, agriculture, marketing and high-tech industries in a single month.

Earlier this year, Trigona attacked Microsoft SQL servers exposed to the public Internet, using brute-force or dictionary attacks to obtain login credentials.
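Password guessing against an exposed SQL Server leaves a dense trail of error 18456 "Login failed for user" lines in the ERRORLOG once failed-login auditing is on. The script below is an added example, not code from the article or from any vendor: it parses such lines and flags a client address that exceeds a failure threshold inside a sliding time window, reporting the set of usernames tried (many distinct names from one address is the dictionary-attack signature). The log lines are constructed; the 5-minute window and the threshold of 10 are assumptions to tune per environment.

```python
"""Flag brute-force / dictionary login attacks against SQL Server from ERRORLOG lines.

Added example. The sample lines are constructed; window and threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ERRORLOG line written for error 18456 when failed logins are audited, e.g.
#   2023-02-10 09:15:22.31 Logon       Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.7]
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

WINDOW = timedelta(minutes=5)  # assumption: sliding window length
THRESHOLD = 10                 # assumption: failures inside one window that trigger an alert


def parse_failures(lines):
    """Return (timestamp, client, user) for every failed-login line; other lines are skipped."""
    events = []
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["client"], m["user"]))
    return events


def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {client: {"failures": total, "users": [...]}} for each client that
    produced at least `threshold` failed logins within any interval of length `window`."""
    by_client = defaultdict(list)
    for ts, client, user in parse_failures(lines):
        by_client[client].append((ts, user))

    alerts = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start..end] fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[client] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                }
                break
    return alerts


# Constructed sample: 12 failures from one address in ~35 seconds alternating
# between 'sa' and 'admin', one ordinary typo from a legitimate user, and the
# separate "Error: 18456" line SQL Server writes alongside each failure.
SAMPLE_ERRORLOG = [
    "2023-02-10 09:15:%02d.%02d Logon       Login failed for user '%s'. "
    "Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]"
    % (i * 3, 10 + i, ("sa", "admin")[i % 2])
    for i in range(12)
] + [
    "2023-02-10 09:16:40.05 Logon       Login failed for user 'alice'. "
    "Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.4]",
    "2023-02-10 09:16:41.00 Logon       Error: 18456, Severity: 14, State: 8.",
]

if __name__ == "__main__":
    for client, info in detect_bruteforce(SAMPLE_ERRORLOG).items():
        print(f"{client}: {info['failures']} failed logins, users tried: {info['users']}")
```

The detection only works if failed logins are actually being audited (the server-level login auditing setting), and it is a backstop: the first-line fix for what the article describes is not to expose port 1433 to the Internet at all, and to disable or rename the `sa` login so the default dictionary target does not exist.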

As a result of the Ukrainian Cyber Alliance's recent actions, none of the publicly accessible Trigona ransomware websites and services is currently online.

Earlier this month, the Ukrainian IT Army brought Russia’s largest airports to a standstill by hacking the ticket reservation system.
