Source |
RiskIQ |
Identifier |
8573565 |
Publication date |
2024-09-10 00:52:06 (viewed: 2024-09-10 01:19:53) |
Title |
Russian Military Cyber Actors Target US and Global Critical Infrastructure |
Text |
## Snapshot
The US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory on Unit 29155, a Russian GRU military cyber unit, providing updated information on the group's targeting priorities, tactics, techniques, and procedures (TTPs), mitigations, and IOCs. Unit 29155 overlaps with the group Microsoft tracks as [Cadet Blizzard](https://sip.security.microsoft.com/intel-profiles/7980e315a8a86d56985f042666d1d48d8baa2d9db4ef3cacd3800591dd7500a5), also known as Ember Bear, Bleeding Bear, and Frozenvista.
## Description
Unit 29155 has been conducting cyber operations since at least 2020, targeting sectors such as government services, financial services, transportation, energy, and healthcare in NATO members, EU countries, and nations in Latin America and Central Asia. Since January 2022 the unit has deployed the [WhisperGate](https://www.microsoft.com/en-us/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/) malware against Ukrainian organizations; WhisperGate is a two-stage attack that corrupts the master boot record and encrypts files, and it was distributed via Discord accounts.
Unit 29155's activities include espionage, sabotage, reputational harm through data leaks, and sabotage by data destruction. The unit's TTPs involve using publicly available tools such as Acunetix, Amass, Nmap, and Shodan for reconnaissance and vulnerability exploitation, and it has exploited a range of vulnerabilities for initial access, including CVE-2020-1472, CVE-2021-26084, CVE-2021-3156, CVE-2021-4034, CVE-2022-27666, and others.
For lateral movement, the unit has used techniques such as exploiting default credentials in IoT devices, Pass-the-Hash, and tools like Impacket. Its command and control infrastructure employs VPSs, DNS tunneling tools, and ProxyChains to maintain anonymity and route traffic through proxies. The unit has also been observed targeting victims' Microsoft OWA infrastructure through password spraying, exploiting vulnerable IP cameras, and exfiltrating data to cloud storage services using tools like Rclone.
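The password spraying against OWA described above has a recognizable shape in authentication logs: one source address fails logons against many distinct accounts with only a few attempts per account, which is the opposite of a classic brute-force run against a single account. The following detector is an added example written for this page (it is not part of the advisory and not Microsoft or CISA tooling); its log line format, threshold values and sample lines are constructed assumptions, and real OWA/IIS logs would need their own parser.

```python
"""Password-spray vs. brute-force heuristic over authentication logs.

Added example, not from the advisory. The log format below is constructed
for this example; real OWA/IIS logs differ and need their own parser.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional
import re

# Constructed line format (hypothetical):
#   <ISO8601 timestamp>Z src=<ip> user=<account> result=<SUCCESS|FAILURE>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    user: str
    success: bool


@dataclass(frozen=True)
class Alert:
    src: str
    window_start: datetime
    distinct_users: int
    failures: int
    kind: str  # "spray" or "brute_force"


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Event(ts, m["src"], m["user"].lower(), m["result"] == "SUCCESS")


def detect(lines: Iterable[str], window: timedelta = timedelta(minutes=30),
           min_users: int = 5, max_per_user: int = 3, brute_min: int = 10) -> List[Alert]:
    """Sliding-window check of failed logons per source address.

    spray:       at least min_users distinct accounts failed inside the window and
                 no single account failed more than max_per_user times.
    brute_force: a single account failed at least brute_min times.
    One alert is raised per source, at the first window that crosses a threshold.
    """
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e.ts)
    failures_by_src = defaultdict(list)
    for e in events:
        if not e.success:
            failures_by_src[e.src].append(e)

    alerts: List[Alert] = []
    for src, evs in failures_by_src.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward so evs[start:end+1] fits in `window`
            while evs[end].ts - evs[start].ts > window:
                start += 1
            per_user = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e.user] += 1
            if max(per_user.values()) >= brute_min:
                kind = "brute_force"
            elif len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                kind = "spray"
            else:
                continue
            alerts.append(Alert(src, evs[start].ts, len(per_user), end - start + 1, kind))
            break
    return alerts


def sample_lines() -> List[str]:
    """Constructed log lines: one spray, one brute-force run, one benign user."""
    base = datetime(2024, 9, 9, 10, 0, 0)
    lines = []
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        t = base + timedelta(seconds=30 * i)  # six accounts, one failure each
        lines.append(f"{t.isoformat()}Z src=198.51.100.7 user={u} result=FAILURE")
    for i in range(12):  # one account, twelve failures
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()}Z src=203.0.113.5 user=admin result=FAILURE")
    for i, r in enumerate(["FAILURE", "FAILURE", "SUCCESS"]):  # typo, typo, login
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()}Z src=192.0.2.9 user=alice result={r}")
    return lines


if __name__ == "__main__":
    for a in detect(sample_lines()):
        print(f"{a.kind:12} src={a.src} users={a.distinct_users} failures={a.failures}")
```

The two shapes are reported separately because they call for different responses: a spray alert is a signal to check which of the touched accounts lack MFA and to look for a later success from the same source, while a brute-force alert points at one account. The thresholds are placeholders; tune them against a baseline of the environment's normal failed-logon volume before relying on them.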
## Microsoft Analysis
Microsoft has been tracking Cadet Blizzard alongside other Russian threat actors who employ destructive attacks to support Moscow's political and military objectives. Russian threat actors' continued use of destructive attacks in both Ukraine and other countries over a span of several years demonstrates continual adaptation to an ever-changing landscape of defensive measures in security solutions, uniquely diverse target environments, and increased visibility and awareness by the greater security industry. These destructive attacks against Ukraine reached a peak in sophistication in 2022, as seen in the [WhisperGate](https://www.microsoft.com/en-us/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/) ransomware-style destructive attacks conducted by [Cadet Blizzard](https://sip.security.microsoft.com/intel-profiles/7980e315a8a86d56985f042666d1d48d8baa2d9db4ef3cacd3800591dd7500a5), the [Prestige](https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/) ransomware-style destructive attacks conducted by Seashell Blizzard, and the use of [FoxBlade](https://blogs.microsoft.com/on-the-issues/2022/02/28/ukraine-russia-digital-war-cyberattacks/) (also known as HermeticWiper), AprilAxe/CaddyWiper, and Sullivan ransomware-style destructive attacks by Russian-aligned threat actors. Read more about Russia's destructive cyber attacks in Ukraine [here](https://sip.security.microsoft.com/intel-explorer/articles/6dd6a218).
## Recommendations
Activities linked to Cadet Blizzard indicate that the group is comprehensive in its approach and has demonstrated an ability to hold networks at risk of continued compromise for an extended period of time. A comprehensive approach to incident response may be required in order to fully remediate Cadet Blizzard operations. Organizations can bolster |
Notes |
★★★
|
Sent |
Yes |
Tags |
Malware
Tool
Vulnerability
Threat
Medical
Cloud
|