Showing posts with label Russian Hackers.

Lostkeys Malware: Russian Group Coldriver Targets Western Officials in Espionage Campaign

A new wave of cyber espionage has emerged, with Russian hackers deploying a sophisticated malware strain known as “Lostkeys” to infiltrate the systems of Western officials, journalists, and NGOs. According to researchers from Google’s Threat Intelligence Group, the malware is linked to Coldriver, also known as UNC4057, Star Blizzard, or Callisto—a threat actor believed to be part of Russia’s Federal Security Service (FSB), the successor to the KGB. 

Coldriver has traditionally been involved in phishing operations to steal credentials, but the emergence of Lostkeys demonstrates a significant leap in their cyber capabilities. Lostkeys appears to mark a shift in strategy for the group, moving beyond phishing and into deeper system infiltration. The malware is deployed in a targeted manner, reserved for high-value individuals such as political advisors, think tank members, journalists, and people with known connections to Ukraine.

Activity related to Lostkeys was observed by Google in the early months of 2024—specifically January, March, and April—with evidence suggesting its use might have started as far back as December 2023. The attack begins with a deceptive Captcha page, tricking victims into copying a malicious PowerShell script into the Windows Run dialog. This method, known as “ClickFix,” bypasses typical security filters and exploits user behavior rather than software vulnerabilities. 

Once executed, the script connects to a command-and-control server, downloading a series of payloads uniquely tailored to each victim. In an effort to avoid detection, the malware includes anti-sandbox measures. During the second stage of infection, the script checks the screen resolution of the host machine and halts if it matches known virtual machine environments used by analysts and cybersecurity researchers. If the device passes this check, the malware proceeds to the final stage—a Visual Basic Script that steals data, including specific file types, system details, and active processes. These are exfiltrated back to the attackers using an encoded system that applies a unique two-key substitution cipher for each infected machine. 

Lostkeys appears to be a more refined successor to a previous malware strain known as Spica, which Coldriver also deployed in 2024. While both strains focus on data exfiltration, Lostkeys features a more intricate delivery system and improved obfuscation techniques. Some earlier samples of Lostkeys mimicked legitimate software like Maltego and used executable files instead of PowerShell, though Google has not confirmed if these instances were part of the same campaign or the work of a different threat actor reusing Coldriver’s tactics. 

This development highlights an alarming evolution in state-backed cyber operations, where advanced social engineering and stealth techniques are being increasingly used to infiltrate high-profile targets. As geopolitical tensions persist, the risks posed by such targeted cyber espionage campaigns are expected to grow.

Cobb County Suffers Alleged Data Breach by Russian Hackers

Cyber attacks against local governments have been a growing concern, and in March 2025 Cobb County, Georgia, was targeted in a sophisticated ransomware attack. The cybercriminal group known as Qilin, apparently seeking to gain an edge over rival groups, has claimed responsibility for a breach that it says involved unauthorised access to and theft of approximately 150 gigabytes of sensitive data, totalling more than 400,000 files.

Among the compromised materials are an autopsy photograph, a Social Security number, a driver's license photo, and confidential internal government documents. Public sector cybersecurity has come under increased scrutiny since the incident, as officials work to assess the extent of the damage and prevent further exposure.

Cobb County School District has been informed of an intrusion into its network and is collaborating with multiple cybersecurity partners to investigate. The intrusion is being treated as a serious incident and remains under active investigation. Both the Georgia Emergency Management Agency and the Department of Homeland Security have reportedly been notified of the breach.

Throughout the investigation, the school system has advised all employees not to use desktop computers, and certain network processes are expected to be temporarily disrupted over the next few days as a precaution. School operations are nevertheless expected to proceed as scheduled despite these technical challenges.

Advanced Placement (AP) testing is expected to begin on Monday, May 5, and the state Milestones Testing is to be administered as scheduled on Tuesday. As of now, there has been no indication that any personal information, including information concerning students and employees, has been compromised, and school operations have not been affected by the breach.

The school system is nonetheless conducting a comprehensive investigation to assess the full scope and impact of the unauthorised access. It first detected abnormal network activity at approximately 7:00 p.m. on Friday. In line with established cybersecurity protocols, the IT department and its external security partners responded rapidly by shutting down the affected systems, containing the intrusion, and working to identify its source.

Access to the district's internal network remains restricted in the interim so that the forensic review can continue and critical systems stay secure. The school district has assured parents, staff, and community members that it is in close communication with federal, state, and local authorities, and it will provide regular updates as more details come in.

The ransomware attack on Cobb County itself is still being investigated, with officials trying to determine the extent of the breach and identify the individuals affected. Although it is still unclear exactly what data was compromised, preliminary reports indicate that three county employees have been confirmed affected.

In response, the county has agreed to offer impacted residents access to credit monitoring and identity theft protection services as a precaution. Several online systems, including court records, jail databases, and Wi-Fi services, were shut down after the cyberattack was first discovered on March 21, prompting county officials to act immediately. These systems were gradually restored over the following days, and full functionality is reported to have been restored as of March 27.

County officials have been cautious in disclosing details about the nature of the compromise, and until recently had not confirmed whether a ransom demand was involved. During a press conference held during the server outages, Cobb County Communications Director Ross Cavitt stated that once all servers had been securely reconnected, residents would not experience any disruption in accessing data or services.

He declined to say whether the incident had been classified as a ransomware attack. The Marietta Daily Journal was unable to interview county officials, including chairwoman Lisa Cupid and other members of staff, who cited the sensitivity of the ongoing investigation. An email released by the Cobb County Communications Department stated that it would be premature to comment publicly while the investigation is still underway.

In the meantime, Commissioner Keli Gambrill expressed confidence in the county's response, noting that staff members are performing well under challenging circumstances. Cybersecurity expert Allan Hudson confirmed that, in the aftermath of the ransomware attack, 16 of the stolen files had already been published online by the attackers, in an apparent attempt to demonstrate the seriousness of the breach.

At least three autopsy photographs were exposed, along with sensitive personal identification documents such as driver's licenses and Social Security cards. Several additional leaked county records appear to concern private citizens, incarcerated individuals, and government employees, raising serious security and privacy concerns for many people.

In April, Cobb County authorities reported that ten individuals had been formally notified that their data had been compromised in the breach. Hudson, however, emphasised that the extent of the breach is likely far wider, warning that anyone who has interacted with Cobb County government services in the past several years may be affected. He recommended that residents take immediate precautions against identity theft by freezing their credit, updating their passwords, and enabling two-factor authentication across all of their online accounts. Several county officials reiterated their position against negotiating with cybercriminals in an official statement.

“Even if faced with difficult choices, the county refuses to support or enable criminal enterprises. While this may not be comforting to those affected, standing firm sends the clear message that bad actors won't benefit from this crime at any cost.” This firm position comes amid growing concern that the ransomware group known as Qilin may continue to release sensitive information.

Hudson described the group as highly aggressive and warned that more information could leak soon. Cobb County continues to encourage residents to stay vigilant, monitor their financial accounts, and report any suspicious activity. As part of its ongoing mitigation efforts, the county is assisting those impacted, including with credit monitoring and identity theft protection services. While the investigation continues, the incident has served as a stark reminder of the growing cyber threats that public institutions face.

The breach not only exposed vulnerabilities in government systems but also made clear that the implications for citizens whose personal data may be compromised could be far-reaching. With a significant amount of sensitive information already released, the need for heightened digital security at every level of local government is evident.

The authorities are working closely with cybersecurity experts and federal agencies to contain the situation and prevent further compromise. Although officials have taken initial steps by offering identity protection and credit monitoring services, the speed and effectiveness of the mitigation efforts will likely determine the long-term impact of this breach. Residents who have used Cobb County services in the past should take proactive measures to protect their personal information.

That means monitoring financial accounts, enabling multifactor authentication, and freezing their credit profile where needed. When such cyberattacks are perpetrated by persistent and organised groups such as Qilin, they highlight how important awareness and resilience are at the community level. This incident calls on government entities, industry, and individuals alike to re-evaluate their approach to digital security in an increasingly interconnected world.

Russian State Actors Target Microsoft 365 Accounts Via Device Code Phishing Campaign

A hacking outfit potentially linked to Russia is running an active operation that uses device code phishing to target Microsoft 365 accounts of individuals at organisations of interest. The targets are in the government, non-governmental organisations (NGOs), IT services and technology, defence, telecommunications, health, and energy/oil and gas sectors in Europe, North America, Africa, and the Middle East. 

Microsoft Threat Intelligence Centre is tracking the threat actors behind the device code phishing effort as 'Storm-2372'. Based on targets, victimology, and tradecraft, the researchers are confident that the activity is linked to a nation-state operation that serves Russia's interests.

Device code phishing assaults 

Input-constrained devices, such as smart TVs and some IoT devices, use the device code authentication flow to let users sign into an app by entering an authorization code on a different device, such as a smartphone or computer.

Since last August, Microsoft researchers have observed Storm-2372 exploiting this authentication flow by deceiving users into submitting attacker-generated device codes on legitimate sign-in sites. The operatives launch the attack after "falsely posing as a prominent person relevant to the target" via messaging systems such as WhatsApp, Signal, and Microsoft Teams.

The malicious actor progressively builds rapport before sending a bogus online meeting invitation via email or messaging. According to the researchers, the victim receives a Teams meeting invitation that includes a device code generated by the attacker.

"The invitations lure the user into completing a device code authentication request emulating the experience of the messaging service, which provides Storm-2372 initial access to victim accounts and enables Graph API data collection activities, such as email harvesting," Microsoft noted. 

This allows the attackers to access the victim's Microsoft services (email, cloud storage) without a password for as long as the stolen tokens remain valid. Moreover, Microsoft reports that the perpetrator is now using the specific client ID of the Microsoft Authentication Broker during the device code sign-in flow, which allows them to obtain fresh tokens.

This opens up new attack and persistence opportunities, as the threat actor can utilise the client ID to register devices with Entra ID, Microsoft's cloud-based identity and access management product. "With the same refresh token and the new device identity, Storm-2372 is able to obtain a Primary Refresh Token (PRT) and access an organization’s resources. We have observed Storm-2372 using the connected device to collect emails," Microsoft added.
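The flow described above leaves a distinctive trail in sign-in telemetry: a device code authentication from an address the user never used, followed shortly by a device registration. The following hunting script is an added example, not code from the original post or from Microsoft; the record layout (createdDateTime, userPrincipalName, ipAddress, authenticationProtocol, appId) is modelled on Entra sign-in log exports but is an assumption here, the sample records are constructed, and the watched client ID is a placeholder because the post does not give the actual value.

```python
"""Flag device code sign-ins that match the Storm-2372 pattern described above.

Added example, not from the original post. Field names are modelled on
Microsoft Entra sign-in log exports (an assumption; adapt them to your export).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder for the Microsoft Authentication Broker client ID the post refers to.
WATCHED_CLIENT_IDS = {"<authentication-broker-client-id>"}

# Constructed sample sign-in records (not real telemetry).
SIGNIN_LOGS = [
    {"createdDateTime": "2025-02-10T08:01:00Z", "userPrincipalName": "a.bell@example.org",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "none", "appId": "app-outlook"},
    {"createdDateTime": "2025-02-11T09:12:00Z", "userPrincipalName": "c.diaz@example.org",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "none", "appId": "app-teams"},
    # Device code sign-in from an address the user never used, via the watched client.
    {"createdDateTime": "2025-02-12T14:30:00Z", "userPrincipalName": "a.bell@example.org",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "appId": "<authentication-broker-client-id>"},
    # Legitimate device code sign-in from a meeting-room display on the office network.
    {"createdDateTime": "2025-02-12T15:00:00Z", "userPrincipalName": "c.diaz@example.org",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "appId": "app-teams-rooms"},
]

# Constructed device registration audit events (not real telemetry).
DEVICE_REGISTRATIONS = [
    {"activityDateTime": "2025-02-12T14:41:00Z", "userPrincipalName": "a.bell@example.org",
     "ipAddress": "198.51.100.77", "deviceId": "dev-new-9"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def hunt_device_code_abuse(signins, registrations, window=timedelta(hours=2)):
    """Return one finding per deviceCode sign-in that matches a risk indicator.

    Indicators: the sign-in comes from an IP the user never used for a normal
    sign-in, it uses a watched client ID, or a device is registered for the
    same user within `window` afterwards (the persistence step in the post).
    """
    baseline_ips = defaultdict(set)
    for rec in signins:
        if rec["authenticationProtocol"] != "deviceCode":
            baseline_ips[rec["userPrincipalName"]].add(rec["ipAddress"])

    findings = []
    for rec in signins:
        if rec["authenticationProtocol"] != "deviceCode":
            continue
        upn, ip, when = rec["userPrincipalName"], rec["ipAddress"], _ts(rec["createdDateTime"])
        reasons = []
        if ip not in baseline_ips[upn]:
            reasons.append("new_ip")
        if rec["appId"] in WATCHED_CLIENT_IDS:
            reasons.append("watched_client_id")
        for reg in registrations:
            delta = _ts(reg["activityDateTime"]) - when
            if reg["userPrincipalName"] == upn and timedelta(0) <= delta <= window:
                reasons.append("device_registered:" + reg["deviceId"])
        if reasons:
            findings.append({"user": upn, "time": rec["createdDateTime"], "ip": ip, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt_device_code_abuse(SIGNIN_LOGS, DEVICE_REGISTRATIONS):
        print(finding)
```

The meeting-room sign-in is deliberately left unflagged: device code authentication is legitimate for input-constrained devices, so the hunt keys on context (new address, watched client, follow-on device registration) rather than on the protocol alone.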

'Nearest Neighbour Attack': Russian Hackers Breach US Firm Wi-Fi

Russian state-sponsored hacking group APT28 (Fancy Bear/Forest Blizzard/Sofacy) has employed a novel "nearest neighbor attack" to breach enterprise WiFi networks from thousands of miles away. The attack, first detected on February 4, 2022, targeted a U.S. company in Washington, D.C., involved in Ukraine-related projects. Cybersecurity firm Volexity identified the intrusion, highlighting APT28’s innovative approach to bypass multi-factor authentication (MFA).

Details of the Attack

APT28 initiated the attack by breaching a nearby organization’s WiFi network, exploiting dual-home devices such as laptops or routers with both wired and wireless connections. These devices allowed the hackers to connect to the target’s WiFi network. By daisy-chaining access to multiple organizations, the hackers were able to connect to the victim's wireless network and move laterally across the system.

The hackers were able to bypass multi-factor authentication on the company’s WiFi network despite being physically located thousands of miles away. Once connected, they gained access through three wireless access points near the target’s conference room windows and used Remote Desktop Protocol (RDP) from an unprivileged user account to move across the network.

Exfiltration and Data Theft

The attackers dumped Windows registry hives (SAM, Security, and System) using a script called servtask.bat, compressing them into a ZIP file for exfiltration. This process allowed APT28 to gather sensitive data without causing significant disruptions to the target network. The focus of the attack was on individuals and projects related to Ukraine, in line with Russia’s geopolitical interests.

Volexity's investigation revealed that APT28 was particularly interested in data from individuals with expertise in Ukraine-related projects. This highlights the targeted nature of the attack, aimed at collecting intelligence from a specific field of work.
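The hive dump described above is a detectable sequence in endpoint telemetry: saves of the SAM, SECURITY and SYSTEM hives from one host, followed by an archive being created. The detection below is an added example, not code from the original post or from Volexity; the `reg.exe save` and Compress-Archive command lines are assumptions (the post names only the hives, the servtask.bat script and the ZIP file), and the Sysmon-style events are constructed.

```python
"""Detect the registry hive dump pattern described above in process telemetry.

Added example, not from the original post. Scans constructed Sysmon-style
process creation events for commands that save the SAM, SECURITY and SYSTEM
hives and then archive the output. The exact commands are assumed here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

HIVE_SAVE = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+(?:hklm|hkey_local_machine)\\(sam|security|system)\b", re.I)
ARCHIVE = re.compile(r"compress-archive|\.zip\b|\b7z(?:\.exe)?\s+a\b|\bmakecab\b", re.I)

# Constructed events (not real telemetry).
EVENTS = [
    {"ts": "2022-02-04T03:12:01Z", "host": "WS-17", "user": "CORP\\jdoe",
     "parent": "cmd.exe /c servtask.bat", "cmd": "reg.exe save hklm\\sam C:\\Windows\\Temp\\sam.hiv"},
    {"ts": "2022-02-04T03:12:02Z", "host": "WS-17", "user": "CORP\\jdoe",
     "parent": "cmd.exe /c servtask.bat", "cmd": "reg.exe save hklm\\security C:\\Windows\\Temp\\sec.hiv"},
    {"ts": "2022-02-04T03:12:03Z", "host": "WS-17", "user": "CORP\\jdoe",
     "parent": "cmd.exe /c servtask.bat", "cmd": "reg.exe save hklm\\system C:\\Windows\\Temp\\sys.hiv"},
    {"ts": "2022-02-04T03:12:40Z", "host": "WS-17", "user": "CORP\\jdoe",
     "parent": "cmd.exe /c servtask.bat",
     "cmd": "powershell.exe Compress-Archive -Path C:\\Windows\\Temp\\*.hiv "
            "-DestinationPath C:\\Windows\\Temp\\out.zip"},
    # Benign: an administrator exporting an application key on another host.
    {"ts": "2022-02-04T09:00:00Z", "host": "WS-22", "user": "CORP\\admin",
     "parent": "explorer.exe", "cmd": "reg.exe export HKLM\\Software\\Contoso C:\\backup\\contoso.reg"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_hive_dump(events, window=timedelta(minutes=30)):
    """Return one alert per host that saved credential hives, noting any archive step."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda ev: ev["ts"])
        hives = {}                                   # hive name -> time first saved
        for ev in evs:
            match = HIVE_SAVE.search(ev["cmd"])
            if match:
                hives.setdefault(match.group(1).lower(), _ts(ev["ts"]))
        if not hives:
            continue
        first = min(hives.values())
        # An archive created shortly after the first hive save is the staging step.
        archived = any(ARCHIVE.search(ev["cmd"]) and timedelta(0) <= _ts(ev["ts"]) - first <= window
                       for ev in evs)
        alerts.append({
            "host": host,
            "users": sorted({ev["user"] for ev in evs if HIVE_SAVE.search(ev["cmd"])}),
            "hives": sorted(hives),
            "archived_within_window": archived,
            # All three hives plus an archive is the full pattern from the report above.
            "severity": "high" if len(hives) == 3 and archived else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_hive_dump(EVENTS):
        print(alert)
```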

Implications and Security Measures

The attack underscores the need for robust WiFi security and network segmentation. APT28’s ability to exploit physical proximity and dual-home devices highlights the growing sophistication of cyberattacks. Organizations should consider the following measures:

  • Enhance WiFi network encryption and authentication protocols.
  • Implement strict network segmentation to limit lateral movement.
  • Regularly audit devices with dual wired and wireless connections.
  • Monitor for unusual network activity and lateral movements.

APT28’s "nearest neighbor attack" serves as a reminder of the advanced techniques used by state-sponsored hackers. Vigilance, along with layered cybersecurity defenses, is crucial in defending against such sophisticated attacks.

Microsoft’s Breach Notification Emails Wind Up in Spam Folder

Midnight Blizzard, a Russian nation-state hacker gang, breached Microsoft's security last year, gaining access to the emails of multiple customers. In late June, Microsoft revealed that more organisations were affected than previously assumed. However, the company's attempts to notify users may not have reached the intended recipients. 

According to Kevin Beaumont, a cybersecurity expert and former senior threat intelligence analyst at Microsoft, the company chose to notify affected victims via email. 

“The notifications aren’t in the portal – they emailed tenant admins instead. The emails can go into spam, and tenant admin accounts are supposed to be secure breakglass accounts without email. They also haven’t informed orgs via account managers,” Beaumont stated on LinkedIn. 

Apart from Beaumont's warnings, there is some evidence that Microsoft customers are genuinely perplexed. In a Microsoft support page, one customer revealed the email their company received in an attempt to determine whether it was a real Microsoft email. 

Others commented on Beaumont's post, alleging that several organisations mistook Microsoft's email for a phishing attempt and deleted it or marked it as spam. The breach notification emails allegedly lacked basic email authentication mechanisms, including SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
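A recipient can see exactly what the post describes by reading the Authentication-Results header that their own mail server stamps on each message. The script below is an added example, not code from the original post or from Microsoft: it reports the SPF, DKIM and DMARC verdicts and whether the authenticated domain aligns with the From: address, trusting only the header written by the named receiving server (authserv-id), since senders can forge that header. The two sample messages and all domains in them are constructed.

```python
"""Summarise the email authentication verdicts on a received message.

Added example, not from the original post. Only the Authentication-Results
header added by our own receiving server (identified by authserv_id) is read.
"""
import email
import re
from email import policy

# Constructed sample: no SPF record and no DKIM signature, as described above.
RAW_UNAUTHENTICATED = b"""\
Authentication-Results: mx.recipient.example; spf=none smtp.mailfrom=bulk-mailer.example.net;
 dkim=none; dmarc=none header.from=notifications.example.com
From: Security Team <noreply@notifications.example.com>
To: tenant-admin@recipient.example
Subject: Important notice about your account
Content-Type: text/plain

Please review the attached information.
"""

# Constructed sample: the same notice sent from properly authenticated infrastructure.
RAW_AUTHENTICATED = b"""\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=notifications.example.com;
 dkim=pass header.d=notifications.example.com; dmarc=pass header.from=notifications.example.com
From: Security Team <noreply@notifications.example.com>
To: tenant-admin@recipient.example
Subject: Important notice about your account
Content-Type: text/plain

Please review the attached information.
"""

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([\w.@-]+)", re.I)


def _domain(addr):
    """Return the domain part of an address or a bare domain, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower().rstrip(";")


def auth_summary(raw, authserv_id):
    """Return SPF/DKIM/DMARC verdicts plus alignment with the visible From: domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = _domain(msg["From"].addresses[0].addr_spec)
    summary = {"spf": "missing", "dkim": "missing", "dmarc": "missing",
               "from_domain": from_domain, "aligned": False}

    for hdr in msg.get_all("Authentication-Results", []):
        hdr = " ".join(str(hdr).split())            # unfold the header
        if hdr.split(";", 1)[0].strip().lower() != authserv_id.lower():
            continue                                # not stamped by our server: ignore
        for mech, result in RESULT_RE.findall(hdr):
            summary[mech.lower()] = result.lower()
        props = {key.lower(): _domain(val) for key, val in PROP_RE.findall(hdr)}
        # DMARC-style alignment: a passing SPF or DKIM domain must match the From: domain.
        spf_aligned = summary["spf"] == "pass" and props.get("smtp.mailfrom") == from_domain
        dkim_aligned = summary["dkim"] == "pass" and props.get("header.d") == from_domain
        summary["aligned"] = spf_aligned or dkim_aligned

    summary["trustworthy"] = summary["aligned"] and summary["dmarc"] != "fail"
    return summary


if __name__ == "__main__":
    print(auth_summary(RAW_UNAUTHENTICATED, "mx.recipient.example"))
    print(auth_summary(RAW_AUTHENTICATED, "mx.recipient.example"))
```

A message like the first sample gives a recipient no technical way to tell a genuine notice from a lookalike, which is why the advice to confirm through an account manager or the provider's portal is sound.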

“Well, at first glance, this did not inspire trust for the recipients, who started asking in forums or reaching out to Microsoft account managers to eventually confirm that the email was legitimate...weird way for a provider like this to communicate an important issue to potentially affected customers,” the Greece-based cybersecurity consultant noted. 

In January, Microsoft admitted that Midnight Blizzard attempted to hack the tech giant's internal systems. The same hacking group was behind the infamous SolarWinds hack, which caused havoc on US government installations in 2020.

Microsoft Alerts Users as Russian Hackers Target Windows Systems

As advancements in AI technology continue to unfold, the specter of cybercrime looms larger each day. Among the chorus of cautionary voices, Microsoft, the eminent IT behemoth, adds its warning to the fray.

Microsoft's Threat Intelligence researchers have issued a stark advisory to Windows users regarding the targeted assaults orchestrated by Russian state-sponsored hackers wielding a sophisticated tool.

These hackers, known in some circles as APT28 or Fancy Bear, but tracked by Microsoft under the moniker Forest Blizzard, have close ties to Russia's GRU military intelligence agency.

GooseEgg is a tool wielded with the aim of siphoning data and surreptitiously establishing backdoors within computer systems. Forest Blizzard, alias APT28, has deployed GooseEgg in a series of calculated strikes targeting governmental entities, educational institutions, and transportation firms across the United States, Western Europe, and Ukraine.

Their modus operandi centers predominantly on the strategic acquisition of intelligence. Evidence suggests that the utilization of GooseEgg may have commenced as early as June 2020, with the possibility of earlier incursions dating back to April 2019.

In response to the threat landscape, a patch addressing a vulnerability identified as CVE-2022-38028 was released by Microsoft in October 2022. GooseEgg, the nefarious tool in the hackers' arsenal, exploits this particular weakness within the Windows Print Spooler service.

Despite its deceptively simple appearance, the GooseEgg program poses an outsized threat, granting attackers elevated permissions and enabling a litany of malicious activities. From the remote execution of malware to the surreptitious installation of backdoors and the seamless traversal of compromised networks, the ramifications are profound and far-reaching.

Microsoft Claims Russian Hackers are Attempting to Break into Company Networks

Microsoft warned on Friday that hackers affiliated with Russia's foreign intelligence service were attempting to break into its systems again, using data collected from corporate emails in January to seek new access to the software behemoth whose products are widely used throughout the US national security infrastructure.

Some experts were alarmed by the news, citing concerns about the security of systems and services at Microsoft, one of the world's major software companies that offers digital services and infrastructure to the United States government. 

The tech giant revealed that the intrusions were carried out by a Russian state-sponsored outfit known as Midnight Blizzard, or Nobelium.

The Russian embassy in Washington did not immediately respond to a request for comment on Microsoft's statement, nor on Microsoft's earlier statements regarding Midnight Blizzard activity.

Microsoft reported the incident in January, stating that hackers attempted to break into company email accounts, including those of senior company executives, as well as cybersecurity, legal, and other services. 

Microsoft's vast client network makes it unsurprising that it is being attacked, according to Jerome Segura, lead threat researcher at Malwarebytes' Threatdown Labs. He said that it was concerning that the attack was still ongoing, despite Microsoft's efforts to prevent access. 

Persistent Threat

Several experts who follow Midnight Blizzard say that the group has a history of targeting political bodies, diplomatic missions, and non-governmental organisations. Microsoft said in a January statement that Midnight Blizzard was probably targeting it because the company had conducted extensive research into the hacking group's activities.

Since at least 2021, when the group was discovered to be responsible for the SolarWinds cyberattack that compromised a number of U.S. federal agencies, Microsoft's threat intelligence team has been looking into and sharing research on Nobelium.

The company stated on Friday that the ongoing attempts to compromise Microsoft are indicative of a “sustained, significant commitment of the threat actor's resources, coordination, and focus.”

“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found,” the company added. “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.”

HP Enterprise Reveals Hack Conducted by State-backed Russian Hackers


Hewlett Packard Enterprise (HPE) reported on Wednesday that suspected state-backed Russian hackers attacked its cloud-based email system and stole security and employee data.

In a Securities and Exchange Commission filing, the IT product provider noted that the attack occurred on January 12. It suspects that ‘Cozy Bear’, a group associated with Russia’s foreign intelligence service, was behind the attack.

“Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,” HPE, which is based in Spring, Texas, said in the filing.

HPE spokesperson Adam R. Bauer, contacted by email, did not make clear who informed HPE of the breach. “We’re not sharing that information at this time,” he said. Bauer did note that the compromised mailboxes were running Microsoft software.

In the filing, HPE said the intrusion was “likely related to earlier activity by this threat actor, of which we were notified in June 2023, involving unauthorized access to and exfiltration of a limited number of SharePoint files.”

SharePoint is part of Microsoft’s 365 suite, formerly known as Office, which also includes email, word-processing and spreadsheet apps.

HPE is unable to say whether the network compromise was connected to the intrusion that Microsoft revealed last week, since "we do not have the details of the incident Microsoft disclosed," according to Bauer.

He also did not specify where in the company’s hierarchy the affected employees, whose accounts the hackers accessed, sat.

HPE added that “the total scope of mailboxes and emails accessed remains under investigation.”

According to the report, HPE has determined that the intrusion has not had any significant effect on the company's financial stability or operations. Both announcements follow the implementation one month ago of a new U.S. Securities and Exchange Commission rule requiring publicly traded corporations to report security breaches that may hurt their operations; unless they are granted a national security waiver, they have four days to comply.