
Source: RiskIQ
Identifier: 8595736
Publication date: 2024-10-11 00:28:23 (viewed: 2024-10-11 01:18:09)
Title: Update on SVR Cyber Operations and Vulnerability Exploitations
Text:

#### Targeted Industries
- Government Agencies & Services
- Information Technology
- Financial Services

## Snapshot
Russia's Foreign Intelligence Service (SVR), also tracked as [Midnight Blizzard](https://sip.security.microsoft.com/intel-profiles/d825313b053efea45228ff1f4cb17c8b5433dcd2f86353e28be2d484ce874616) or APT29, has persistently targeted global entities in the defense, technology, and finance sectors to gather intelligence and support cyber operations, including those related to the invasion of Ukraine. The U.S. and U.K. cyber agencies, including the NSA, FBI, U.S. Cyber Command's Cyber National Mission Force, and the U.K.'s NCSC, have issued a joint advisory warning network defenders of these ongoing attacks.

## Description
SVR actors exploit vulnerabilities for initial access, use techniques such as spearphishing and password spraying, and rely on obfuscation methods, including The Onion Router (TOR) network and proxies, to evade detection. The group's tactics, techniques, and procedures (TTPs) highlight a focus on exploiting known vulnerabilities, particularly through unpatched systems and weak authentication measures. For initial access, the actors leverage vulnerabilities like [CVE-2022-27924](https://sip.security.microsoft.com/intel-explorer/cves/CVE-2022-27924/) (Zimbra mail server) and [CVE-2023-42793](https://sip.security.microsoft.com/intel-profiles/CVE-2023-42793) (JetBrains TeamCity), allowing them to bypass authentication and execute arbitrary code. These vulnerabilities enable access to credentials, emails, and other sensitive data without victim interaction. Furthermore, SVR cyber actors engage in mass scanning to identify exposed systems and prioritize targets based on opportunity, often using compromised systems as infrastructure for subsequent attacks or as a launchpad for deeper network compromises.

SVR also employs a range of techniques to maintain persistence and escalate privileges in victim networks. These include spearphishing via platforms like Microsoft Teams, where they impersonate technical support to gain account access, and password spraying to infiltrate poorly secured accounts. Once inside a network, SVR actors utilize living-off-the-land techniques, leveraging existing tools and software to blend into normal operations and evade detection. They also frequently lease infrastructure through resellers, relying on compromised accounts to maintain anonymity. In cases where detection is suspected, they act swiftly to destroy infrastructure and erase evidence, demonstrating a sophisticated approach to operational security.

## Microsoft Analysis
Midnight Blizzard (NOBELIUM) is known to primarily target governments, diplomatic entities, NGOs, and IT service providers, primarily in the United States and Europe. Their focus is to collect intelligence through longstanding and dedicated espionage of foreign interests, traceable to early 2018, by leveraging the use of identity. Midnight Blizzard (NOBELIUM) is consistent and persistent in its operational targeting, and its objectives rarely change. They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to move laterally to the cloud, exploitation of service providers' trust chain to gain access to downstream customers, and the Active Directory Federation Services (ADFS) malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard is tracked by partner security companies as APT29, UNC2452, and Cozy Bear.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations. While multi-factor authentication (MFA) has largely reduced the number of compromised organizations, threat actors like Midnight Blizzard constantly seek new ways to circumvent this barrier.

Piloting and deploying [phishing-resistant authentication methods](https://l
Notes: ★★★
Sent: Yes
Tags: Malware, Tool, Vulnerability, Threat, Cloud, Technical
Stories: APT 29


The article does not appear to have been picked up again after its publication.


The article does not appear to have been picked up from an earlier one.