Russia's APT29 is Actively Serving WellMess/WellMail Malware

A year ago, during the global pandemic, the United Kingdom, the USA, and Canada released a coordinated advisory revealing a Russian espionage campaign targeting COVID-19 vaccine research in their respective countries.

They attributed the operation to Russia's APT29 (also known as The Dukes, Yttrium, and Cozy Bear) and explicitly identified the group as a unit of Russia's Foreign Intelligence Service (SVR). For the first time, they officially tied the WellMess and WellMail malware used in the campaign to APT29.

RiskIQ has published details of 30 servers that Russia's SVR (aka APT29) is believed to be using in its continued attempts to steal Western intellectual property.

RiskIQ is a leading provider of internet security intelligence, offering discovery, intelligence, and mitigation of threats linked to a company's web presence. It gives businesses unified insight into and control over their web, social, and mobile exposures, where over 75% of threats originate outside the firewall.

In 2018, Japan's CERT identified WellMess without describing its targeting or attributing it to a particular threat actor. Following the 2020 report by the Western governments, RiskIQ's Team Atlas extended the campaign's known attacker footprint and identified more than a dozen additional command-and-control servers.

RiskIQ's Team Atlas has now found further infrastructure actively serving WellMess/WellMail. Just a month earlier, the US and Russian heads of state held a summit at which hostile Russian cyber activity topped the list of President Biden's key concerns.

"Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29 at the time of this writeup," said RiskIQ in a blog post. "We were unable to locate any malware which communicated with this infrastructure, but we suspect it is likely similar to previously identified samples." 

Western responses to the SVR's campaigns have been uneven, ranging from quiet alerts to explicit attribution: "they won't sodding well stop so we're telling you exactly what the naughty buggers have moved onto now" from a fed-up National Cyber Security Centre in the United Kingdom.

In November, the NCSC, a branch of GCHQ, also told national newspapers that the SVR's attempts to break into British research institutions had been countered, suggesting that some form of encryption software (ransomware without the ransom demand) had been deployed against Russia.

With Safari Zero-Day Attacks, Russian SVR Hackers Targeted LinkedIn Users

Google security researchers have revealed details of four zero-day vulnerabilities that were exploited in the wild earlier this year before being publicly disclosed. Google's Threat Analysis Group (TAG) and Project Zero researchers found the four flaws after discovering exploits targeting Google Chrome, Internet Explorer, and WebKit, the browser engine used by Apple's Safari.

The four zero-days, all found by Google researchers earlier this year while being abused in the wild, were CVE-2021-21166 and CVE-2021-30551 in Chrome, CVE-2021-33742 in Internet Explorer, and CVE-2021-1879 in WebKit. "We tie three to a commercial surveillance vendor arming govt backed attackers and one to likely Russian APT," Google Threat Analysis Group's Director Shane Huntley said. "Halfway into 2021, there have been 33 0-day exploits used in attacks that have been publicly disclosed this year — 11 more than the total number from 2020," Google researchers added. "While there is an increase in the number of 0-day exploits being used, we believe greater detection and disclosure efforts are also contributing to the upward trend."

Although the Chrome and Internet Explorer zero-days were developed and sold by the same commercial vendor to customers around the world seeking to improve their surveillance capabilities, they were not used in any high-profile operations. The WebKit/Safari bug, CVE-2021-1879, was used, according to Google, "to target government officials from Western European countries by sending them malicious links" via LinkedIn Messaging.

According to Google, the attackers were a likely Russian government-backed actor using this zero-day against devices running older versions of iOS (12.4 through 13.7). While Google did not link the exploit to a specific threat group, Microsoft attributes it to Nobelium, the state-sponsored group behind the SolarWinds supply-chain attack that compromised numerous US federal agencies last year.

Volexity, a cybersecurity firm, also attributed the attacks to SVR operators based on tactics seen in earlier attacks dating back to 2018. In April, the US government formally accused the Russian Foreign Intelligence Service (SVR) of conducting "a broad-scale cyber-espionage campaign" through its hacking group, known as APT29, The Dukes, or Cozy Bear. The attacks were designed to "collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo and send them via WebSocket to an attacker-controlled IP," according to Google.

U.S. Agencies Warn of Russian APT Operators Exploiting Five Publicly Known Vulnerabilities

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) jointly published an advisory on Thursday warning that Russian APT operators are exploiting five publicly known and already patched vulnerabilities in corporate VPN and remote-access products, insisting it is “critically important” to mitigate these issues immediately.

The U.S. authorities issued the urgent advisory to call attention to five CVEs that are being actively exploited by a threat actor associated with Russia’s foreign intelligence service (SVR). According to the NSA, these five vulnerabilities should be prioritized for patching alongside the latest batch of Exchange Server updates published by Microsoft earlier this week.

The NSA also addressed mitigation of known vulnerabilities in the SolarWinds Orion software supply chain, the use of WellMess malware against COVID-19 researchers, and network attacks exploiting a VMware vulnerability. The agencies left little doubt that quick action is necessary to protect against those attack vectors.

“Mitigation against these vulnerabilities is critically important as the U.S. and allied networks are constantly scanned, targeted, and exploited by Russian state-sponsored cyber actors,” NSA, CISA, and FBI said.

“NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations,” the agencies added.

The vulnerabilities flagged by the agencies are:

• CVE-2018-13379 Fortinet FortiGate VPN
• CVE-2019-9670 Synacor Zimbra Collaboration Suite
• CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
• CVE-2019-19781 Citrix Application Delivery Controller and Gateway
• CVE-2020-4006 VMware Workspace ONE Access

According to AP News, the US State Department is expelling ten Russian diplomats as a result of this activity, and 32 individuals and entities accused of attempting to influence last year’s presidential election, including by spreading disinformation, are being sanctioned. “We cannot allow a foreign power to interfere in our democratic process with impunity,” President Biden said.

The US Department of the Treasury announced that it was sanctioning “16 entities and 16 individuals who attempted to influence the 2020 U.S. presidential election at the direction of the leadership of the Russian Government.” Four front media organizations associated with Russian intelligence services were identified as disinformation shops: SouthFront, NewsFront, InfoRos, and the Strategic Culture Foundation.