A sophisticated threat cluster tracked as UAC-0212 has escalated its efforts to compromise critical infrastructure systems in Ukraine, according to a recent advisory from CERT-UA (the Government Computer Emergency Response Team of Ukraine). The group employs destructive payloads, advanced persistence mechanisms and novel evasion techniques to disrupt industrial control systems (ICS) and operational technology (OT).

These attacks, active since July 2024, focus on the energy, water supply, grain logistics and transportation sectors through coordinated supply-chain compromises. Targets include Ukrainian logistics firms specializing in hazardous material transport and grain storage systems.

The initial lures are files that pose as PDF documents but are in fact malicious LNK shortcuts (for example CV_Vitaliy_Klymenko_22.11.2024.pdf.lnk) that exploit CVE-2024-382, a critical Windows vulnerability enabling arbitrary PowerShell command execution. CERT-UA noted that, upon activation, these files download decoy documents while deploying modular malware such as SECONDBEST, EMPIREPAST and SPARK in the background.

The attackers leverage legitimate network protocols like RSYNC (C:\Windows\Microsoft\Rsync\rsync.exe) for lateral movement and data exfiltration. As UAC-0212 reuses compromised credentials for lateral movement, CERT-UA recommends rotating all administrative passwords and deploying endpoint detection for anomalous LNK file activity. The agency warns that mere "antivirus scans" or OS reinstalls are insufficient, as the attackers rapidly establish backup persistence mechanisms.
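As an added illustration of the LNK detection CERT-UA recommends (example code written for this page, not CERT-UA's tooling), the following Python parses the StringData section of a Windows shortcut per the MS-SHLLINK format and flags the lure pattern described above: a document-looking double extension whose target launches PowerShell with evasive switches. The sample shortcut is constructed inline; the filename, path and switches are illustrative, not indicators from the advisory.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))

def parse_lnk(data):
    """Return the StringData fields (relative_path, arguments, ...) of a .lnk file."""
    if len(data) < 76 or data[:4] != b"L\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:      # IDListSize (2 bytes) excludes itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def lnk_findings(filename, data):
    """Flag a document-looking .lnk whose target launches PowerShell with evasive switches."""
    findings, stem = [], filename.lower()
    if stem.endswith(".lnk") and stem[:-4].rsplit(".", 1)[-1] in {"pdf", "doc", "docx", "xls", "xlsx"}:
        findings.append("double extension masquerading as a document")
    f = parse_lnk(data)
    target = (f.get("relative_path", "") + " " + f.get("arguments", "")).lower()
    if "powershell" in target or "pwsh" in target:
        findings.append("launches PowerShell")
    if any(k in target for k in ("-enc", "hidden", "bypass", "downloadstring", "invoke-webrequest")):
        findings.append("evasive PowerShell switches")
    return findings

def build_sample_lnk(relative_path, arguments):
    """Build a minimal Unicode .lnk for testing (constructed here, not a real sample)."""
    flags = HAS_ID_LIST | HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = b"L\x00\x00\x00" + LNK_CLSID + struct.pack("<I", flags) + b"\x00" * 52
    body = struct.pack("<H", 2) + b"\x00\x00"   # empty IDList: TerminalID only
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body
# Constructed sample mimicking the lure filename pattern from the advisory
SAMPLE_LNK = build_sample_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                              '-w hidden -ep bypass -c "Start-Process decoy.pdf"')
```

Run lnk_findings over shortcuts collected from Downloads, mail attachment caches or endpoint file-creation events; a non-empty result is worth an analyst's look.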
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 25 Feb 2025 17:00:17 +0000