Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label APT29. Show all posts
WinRAR
Aerospace APT29 CVE vulnerability Data Breach Foreign policy Russia-Ukraine War Russian Hacker Software Bug supply chain security Ukraine WinRAR

APT29 Strikes: WinRAR Exploits in Embassy Cyber Attacks

During the latest wave of cyberattacks, foreign embassies have been the target of a malicious group known as APT29. They have employed a highly complex attack method that takes advantage of weaknesses in WinRAR, a widely used file compression software. There have been shockwaves throughout the cybersecurity world due to this worrisome disclosure, leading to immediate action to strengthen digital defenses.

According to reports from cybersecurity experts, APT29 has ingeniously employed the NGROK feature in conjunction with a WinRAR exploit to infiltrate embassy networks. The NGROK service, designed for secure tunneling to localhost, has been repurposed by hackers to conceal their malicious activities, making detection and attribution a formidable challenge.

WinRAR, a widely used application for compressing and decompressing files, has been targeted due to a specific vulnerability, identified as CVE-2023-38831. This flaw allows the attackers to execute arbitrary code on the targeted systems, giving them unfettered access to sensitive information stored within embassy networks.

The attacks, initially discovered by cybersecurity researchers, have been corroborated by the Ukrainian National Security and Defense Council (RNBO). Their November report outlines the APT29 campaigns, shedding light on the extent of the damage inflicted by these cyber intruders.

The fact that foreign embassies are specifically being targeted by this onslaught is very disturbing. Because these organizations handle so much private, political, and diplomatic data, they are often the focus of state-sponsored cyber espionage. The attackers' capacity to take advantage of flaws in popular software, such as WinRAR, emphasizes the necessity of constant watchfulness and timely software updates to reduce any threats.

Cybersecurity professionals advise companies, particularly those in delicate industries like diplomacy, to conduct extensive security assessments, quickly fix holes, and strengthen their defenses against ever-evolving cyber attacks in reaction to these disclosures. The APT29 attacks highlight the significance of a multi-pronged cybersecurity strategy that incorporates advanced threat detection methods, personnel awareness training, and strong software security procedures.

International cybersecurity organizations must work together as governments struggle with the ever-changing world of cyber threats. The APT29 attacks are a sobering reminder that the digital sphere has turned into a combat zone and that, in order to preserve diplomatic relations and maintain national interests, defense against such threats necessitates a united front.

Read more »
SolarWinds
APT29 Cyber Security MagicWeb Microsoft SolarWinds

Microsoft Alert: APT29 is Back With its New Tool MagicWeb


Actors responsible for SolarWinds' are back

The attackers behind the Solar Winds supply chain attack APT29 are back and have included a latest weapon to their attack inventory. Known as MagicWeb, a post compromise capability, it is used to keep continuous access to breached environments and moves laterally. 

Experts at Microsoft noticed the Russia-backed Nobelium APT using the backdoor after gaining administrative rights to an Active Directory Federated Services (AD FS) server. 

Use of MagicWeb to get privileged access 

With the help of privileged access, the hackers change a genuine DLL with the malicious MagicWeb DLL, to load the malware with AD FS and make it look legitimate. 

Similar to domain controllers, AD FS servers can verify users. MagicWeb enables this on the behalf of hackers by letting the manipulation of the claims that pass through verification tokens generated by an AD FS server, therefore, they can verify as any user on the system. 

MagicWeb is better than previous versions 

As per Microsoft, MagicWeb is a better version of the earlier used FoggyWeb tool, which also makes a steady foothold inside the target networks. 

Researchers at Microsoft say that MagicWeb goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML.

In the report, Microsoft mentioned that the hackers are targeting corporate networks with the latest verification technique MagicWeb. It is highly sophisticated and allows hackers to take control of the victim's network even after the defender tries to eject them. 

Stealing data isn't the only aim

We should also note that the hackers are not depending on supply chain attacks, this time, they are exploiting admin credentials to execute MagicWeb. 

The backdoor secretly adds advanced access capability so that the threat actors can execute different exploits other than stealing data. For example, the threat actor can log in to the device's Active Director as any user. 

A lot of cybersecurity agencies have found sophisticated tools, this includes backdoors used by SolarWinds' hackers, among which MagicWeb is the latest one discovered and identified by Microsoft. 

How to protect yourself?

To stay safe from such attacks Microsoft recommends "practicing credential hygiene is critical for protecting and preventing the exposure of highly privileged administrator accounts. This especially applies on more easily compromised systems like workstations with controls like logon restrictions and preventing lateral movement to these systems with controls like the Windows Firewall."

Read more »
Spy Agency
APT29 Cyber Attacks Russia Slovak Spy Agency

Researchers Uncovered Russian Spy Agencies Targeting Slovak Government

 

For months, the Slovak government has been targeted by a cyber-espionage group associated with a Russian intelligence agency, Slovak security companies ESET and IstroSec stated this week. The Slovak internet security firm ESET develops anti-virus and firewall products. With headquarters in Bratislava, Slovakia, ESET earned the award for the most successful Slovakian company in 2008, 2009, and 2010. 

Additional revelations targetting the Slovak Government including the Cobalt Strike Infrastructure operation employed by the attackers were provided by the companies. Dukes, Nobelium, and APT29 are the organizations that are held responsible for the attacks. These are affiliated with the Russian Foreign Intelligence Service (SVR). Their activities date back to 2008, typically targeting government networks in NATO and European countries, research institutes, and think tanks. 

The SVR hackers are believed to have spear-phished senior government officials using publicly available information, community threat intelligence sources (VirusTotal), and their investigations. The security firms IstroSec and ESET claimed that the SVR targeted the Slovak officials through spear-phishing campaigns. 

Researchers at the Def Con conference reported that SVR operators sent spear-phishing attacks to Slovak diplomats in the form of emails posing as the National Security Authority (NBU) of Slovak to infect their systems. The ISO/IMG attachment in the email looked like a Word document. 

IstroSec researchers have described how the SVR command-and-control servers used during these assaults have been uncovered. The ISOC report stresses certain C&C servers used by SVR also had papers directed against the government representatives in the Czech Republic. 

Furthermore, European diplomats in 13 countries have been targeted by the group, as stated by the security firm ESET. All the cyberattacks in these events employed the same strategy, according to ESET: email -> ISO disk image -> LNK shortcut file -> Cobalt Strike backdoor. Volexity and Microsoft have previously described this tactic in their respective reports. 

Cobalt Strike is an Adversary Simulations and Red Team Operations Software. It has been used by numerous Pen-testers and red staff and sophisticated actors like APT19, APT29, APT32, Leviathan, The Cobalt Group, and FIN6, and it costs $3,500 per year per user for a commercial tool. 

As part of its malware attack on iOS devices, the Russian cyber espionage group employed a huge variety of tactics against them. One such attack has exploited a zero-day Safari iOS flaw to steal information and data of diplomats that read their emails on their iPhones. 

Local authorities, for instance, the computer security incident response committee, were notified of the incidents and outcomes. The study includes the collected compromise signs such as hashes and IP addresses.
Read more »
WellMess and WellMail
APT29 malware RiskIQ SVR WellMess and WellMail

Russia's APT29 is Actively Serving WellMess/WellMail Malware

 

A year ago, the United Kingdom, the USA, and Canada released a coordinated advisory, during the global pandemic, revealing a Russian espionage campaign targeting the vaccination research efforts of COVID-19 in their respective country. 

They have credited the operation to APT29 of Russia (The Dukes, Yttrium, and Cozy Bear) and have expressly designated it as a branch for the Foreign Intelligence Services of Russia (SVR). For the very first time, they officially connected the malware employed in the campaign with APT29 to WellMess and WellMail. 

RiskIQ has provided full information of the 30 servers which Russia's SVR-spy agency (aka APT29) has indeed been expected to utilize in its continued attempts to steal Western intellectual property. 

RiskIQ is a leading provider of Internet security information that provides the most comprehensive identification, intelligence, and mitigation of threats linked to the web presence of a company. RiskIQ offers businesses to have unified insight and control over Web, social and mobile exposures with over 75% of threats that originate outside firewalls. 

In 2018, the CERT in Japan recognized WellMess without mentioning targeting or involving a particular threat actor. Following the 2020 report by the Western Governments, RiskIQ's Team Atlas extended the campaign's familiar attacker footprint and identified more than a dozen additional control servers. 

The Atlas team of RiskIQ has now found yet another infrastructure that serves WellMess/WellMail effectively. Just a month earlier, the US and Russian chiefs of state conducted a summit in which the hostile cyber activities from Russia overtook the list of the key worries for President Biden. 

"Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29 at the time of this writeup," said RiskIQ in a blog post. "We were unable to locate any malware which communicated with this infrastructure, but we suspect it is likely similar to previously identified samples." 

SVR's campaigns against the West have been somewhat awkward, with replies ranging from silent alerts to explicit attribution — "they won't sodding well stop so we're telling you exactly what the naughty buggers have moved onto now" from a fed-up National Cyber Security Centre, in the United Kingdom. 

In November, the GCHQ branch also told national newspapers that perhaps the attempts of the SVR to enter into British research institutions were counteracted, suggesting that they deployed some type of encryption software (like ransomware without pay) against Russia.
Read more »
WellMess
APT29 malware RiskIQ Russia USA WellMess

Evidence Indicates Russia's SVR is Still Using 'WellMess' Malware, Despite US Warnings

 

President Joe Biden's appeal for Vladimir Putin to crack down on cyberattacks emanating from within Russia appears to have failed to persuade the Kremlin to give it up. 

In a report published Friday, RiskIQ stated it discovered ongoing hacking infrastructure that Western governments associated last summer to the Russian SVR intelligence agency-linked APT29 or Cozy Bear, which it utilized to obtain Covid-19 research data.

The malware, also known as WellMess or WellMail, led to official warnings in the United States, the United Kingdom, and Canada in July 2020. In April, the FBI urged companies to fix five known vulnerabilities that the SVR had exploited, according to US officials. 

RiskIQ detected three dozen command and control servers supplying WellMess which were under APT29 control, as per the firm. Following a US-Russia summit at which cyberattacks were discussed, the focus was on infrastructure. 

“The behaviour found was noteworthy considering the circumstances in which it emerged, following on the heels of President Biden's public condemnation of Russian hacking at a recent summit with President Putin,” stated RiskIQ's Team Atlas. 

Cozy Bear has not been openly accused of being involved in any recent ransomware operations, which were the focus of the White House's discussions with Russia. The organization has set itself apart by executing cyber-espionage against targets like the federal contractor SolarWinds and the Democratic National Committee. 

RiskIQ is perplexed as to how Russian agents are now utilizing the WellMess malware. The company stated, “Readers should note that much of this infrastructure is still in active use by APT29, though we do not have enough information to say how it is being used or who the targets are.” 

Biden has been urging Putin both personally and in public statements, to stop malicious cyber activities originating from Russia, notably ransomware assaults are believed to be conducted by criminal groups.

A phone call between the two men came after a series of high-profile ransomware attacks with suspected Russian roots, the most recent of which has affected hundreds of people as a result of an incident at the software company Kaseya. 

“I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden stated reporters about the call. 

In a speech last week, Biden told intelligence officials that if the US finds itself in a “shooting war” with a significant foreign power, it will probably come in response to a cyber attack.
Read more »
Subscribe to: Posts (Atom)