What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-10-12 17:41:00 | Anomali Cyber Watch: Aerospace and Telecoms Targeted by Iranian MalKamak Group, Cozy Bear Refocuses on Cyberespionage, Wicked Panda is Traced by Malleable C2 Profiles, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data leak, Ransomware, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Russian Cyberattacks Pose Greater Risk to Governments and Other Insights from Our Annual Report
(published: October 7, 2021)
Approximately 58% of all nation-state attacks observed by Microsoft between July 2020 and June 2021 have been attributed to the Russian-sponsored threat groups, specifically to Cozy Bear (APT29, Nobelium) associated with the Russian Foreign Intelligence Service (SVR). The United States, Ukraine, and the UK were the top three targeted by them. Russian Advanced Persistent Threat (APT) actors increased their effectiveness from a 21% successful compromise rate to a 32% rate comparing year to year. They achieve it by starting an attack with supply-chain compromise, utilizing effective tools such as web shells, and increasing their skills with the cloud environment targeting. Russian APTs are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53% – largely agencies involved in foreign policy, national security, or defense. Following Russia by the number of APT cyberattacks were North Korea (23%), Iran (11%), and China (8%).
Analyst Comment: As the collection of intrusions for potential disruption operations via critical infrastructure attacks became too risky for Russia, it refocused back to gaining access to and harvesting intelligence. The scale and growing effectiveness of the cyberespionage requires a defence-in-depth approach and tools such as Anomali Match that provide real-time forensics capability to identify potential breaches and known actor attributions.
MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Brute Force - T1110
Tags: Fancy Bear, APT28, APT29, The Dukes, Strontium, Nobelium, Energetic Bear, Cozy Bear, Government, APT, Russia, SVR, China, North Korea, USA, UK, Ukraine, Iran
Ransomware in the CIS
(published: October 7, 2021)
Many prominent ransomware groups have members located in Russia and the Commonwealth of Independent States (CIS) - and they avoid targeting this region. Still, businesses in the CIS are under the risk of being targeted by dozens of lesser-known ransomware groups. Researchers from Kaspersky Labs have published a report detailing nine business-oriented ransomware trojans that were most active in the CIS in the first half of 2021. These ransomware families are BigBobRoss (TheDMR), Cryakl (CryLock), CryptConsole, Crysis (Dharma), Fonix (XINOF), Limbozar (VoidCrypt), Phobos (Eking), Thanos (Hakbit), and XMRLocker. The oldest, Cryakl, has been around since April 2014, and the newest, XMRLocker, was first detected in August 2020. Most of them were mainly distributed via the cracking of Remote Deskto |
Ransomware Malware Tool Threat Guideline Prediction | APT 41 APT 41 APT 39 APT 29 APT 29 APT 28 | |
 |
2021-07-31 18:00:04 | SolarWinds hackers breached 27 state attorneys\' offices (lien direct) | Microsoft Office 365 email accounts of employees at 27 US Attorneys’ offices were breached by the Russia-linked SVR group as part of the SolarWinds hack, DoJ warns. The US Department of Justice revealed that the Microsoft Office 365 email accounts of employees at 27 US Attorneys’ offices were hacked by the Russia-linked SVR (aka APT29, Cozy Bear, and The Dukes) during the SolarWinds attack. The […] | APT 29 | ||
 |
2021-07-30 15:25:25 | Russia\'s APT29 Still Actively Delivering Malware Used in COVID-19 Vaccine Spying (lien direct) | The Russian cyberespionage group known as APT29 and Cozy Bear is still actively delivering a piece of malware named WellMess, despite the fact that the malware was exposed and detailed last year by Western governments. | Malware | APT 29 APT 29 | |
 |
2021-07-30 03:00:54 | Experts Uncover Several C&C Servers Linked to WellMess Malware (lien direct) | Cybersecurity researchers on Friday unmasked new command-and-control (C2) infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been spotted actively serving WellMess malware as part of an ongoing attack campaign.
More than 30 C2 servers operated by the Russian foreign intelligence have been uncovered, Microsoft-owned cybersecurity subsidiary RiskIQ said |
Malware Threat | APT 29 | |
 |
2021-07-29 10:00:46 | APT trends report Q2 2021 (lien direct) | This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc. | Threat | APT 29 APT 31 | |
 |
2021-07-01 10:47:40 | Smashing Security podcast #234: Cozy Bear, dildo scams, and robo hires and fires (lien direct) | Microsoft warns about a hacking gang that is far from cuddly, algorithms rather than managers are firing people, and our guest receives a surprising email from "Amazon"... And you will NOT want to miss checking out a very special "Pick of the week"! All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by David Bisson. | APT 29 | ||
|
2021-06-26 16:36:51 | Microsoft: Russia-linked SolarWinds hackers breached three new entities (lien direct) | Microsoft discovered that Russia-linked SolarWinds hackers, tracked as Nobelium, have breached the network of three new organizations. Microsoft revealed on Friday that Russia-linked SolarWinds hackers, tracked as Nobelium or APT29, have conducted news cyber attacks against other organizations. Threat actors carried out brute-force and password spraying attacks in an attempt to gain access to Microsoft customer accounts. […] | Threat | APT 29 | |
|
2021-06-08 15:00:00 | Anomali Cyber Watch: TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations, Necro Python Bots Adds New Tricks, US Seizes Domains Used by APT29 and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, APT29, FluBot, Necro Python, RoyalRoad, SharpPanda, TeaBot and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations
(published: June 4, 2021)
Researchers at Palo Alto have identified a malware repo belonging to TeamTNT, the prominent cloud focused threat group. The repo shows the expansion of TeamTNTs abilities, and includes scripts for scraping SSH keys, AWS IAM credentials and searching for config files that contain credentials. In addition to AWS credentials, TeamTNT are now also searching for Google Cloud credentials, which is the first instance of the group expanding to GCP.
Analyst Comment: Any internal only cloud assets & SSH/Privileged access for customer facing cloud infrastructure should only be accessible via company VPN. This ensures attackers don’t get any admin access from over the internet even if keys or credentials are compromised. Customers should monitor compromised credentials in public leaks & reset the passwords immediately for those accounts.
MITRE ATT&CK: [MITRE ATT&CK] Permission Groups Discovery - T1069
Tags: AWS, Cloud, Credential Harvesting, cryptojacking, Google Cloud, IAM, scraping, TeamTnT, Black-T, Peirates
Necro Python Bots Adds New Tricks
(published: June 3, 2021)
Researchers at Talos have identified updated functionality in the Necro Python bot. The core functionality is the same with a focus on Monero mining, however exploits to the latest vulnerabilities have been added. The main payloads are XMRig, traffic sniffing and DDoS attacks. Targeting small and home office routers, the bot uses python to support multiple platforms.
Analyst Comment: Users should ensure they always apply the latest patches as the bot is looking to exploit unpatched vulnerabilities. Users need to change default passwords for home routers to ensure potential malware on your personal devices don’t spread to your corporate devices through router takeover.
MITRE ATT&CK: [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Remote Access Tools - T1219
Tags: Bot, botnet, Exploit, Monero, Necro Python, Python, Vulnerabilities, XMRig
New SkinnyBoy Ma |
Ransomware Malware Vulnerability Threat Patching Guideline | APT 29 APT 28 | |
|
2021-06-02 07:46:43 | US seizes 2 domains used by APT29 in a recent phishing campaign (lien direct) | The US DoJ seized two domains used by APT29 group in recent attacks impersonating the U.S. USAID to spread malware. The US Department of Justice (DoJ) and the Federal Bureau of Investigation have seized two domains used by the Russia-linked APT29 group in spear-phishing attacks that targeted government agencies, think tanks, consultants, and NGOs. Russia-linked […] | APT 29 | ||
 |
2021-06-01 16:56:57 | US seizes domains used by APT29 in recent USAID phishing attacks (lien direct) | The US Department of Justice has seized two Internet domains used in recent phishing attacks impersonating the U.S. Agency for International Development (USAID) to distribute malware and gain access to internal networks. [...] | Malware | APT 29 | ★★★ |
|
2021-05-12 21:55:00 | Anomali Cyber Watch: Cozy Bear TTPs, Darkside Ransomware Shuts Down US Pipeline, Operation TunnelSnake Uses New Moriya Rootkit, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Fileless Malware, Malspam, Phishing, Ransomware, Rootkits, Targeted Attacks and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this agazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Darkside Ransomware Caused Major US Pipeline Shutdown
(published: May 8, 2021)
DarkSide ransomware attack caused Colonial Pipeline to shut down the biggest US gasoline pipeline on Friday, May 7th, 2021. The pipeline is the main source of gasoline, diesel and jet fuel for the US East Coast and runs from Texas to Tennessee and New Jersey serving up to 50 Million people. DarkSide group began their attack against the company a day earlier, stealing nearly 100 gigabytes of data before locking computers with ransomware and demanding payment.
Analyst Comment: While DarkSide's first known activity goes back only to August 2020, it is likely backed by experienced Eastern-European actors. Ransomware protection demands a multi-layered approach to include isolation, air-gaps, backup solutions, anti-phishing training and detection.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Inhibit System Recovery - T1490 | [MITRE ATT&CK] Scripting - T1064
Tags: DarkSide, ransomware, Oil and Gas, USA, Colonial Pipeline
Revealing The 'Cnip3' Crypter, A Highly Evasive RAT Loader
(published: May 7, 2021)
Morphisec has discovered a new stealthy crypter as a service dubbed Snip3. Its advanced anti-detection techniques include: 1) Executing PowerShell code with the ‘remotesigned’ parameter. 2) Validating the existence of Windows Sandbox and VMWare virtualization. 3) Using Pastebin and top4top for staging. 4) Compiling RunPE loaders on the endpoint in runtime. Several hackers were observed using Snip3 to deliver various payloads: AsyncRAT, NetWire RAT, RevengeRAT, and Agent Tesla.
Analyst Comment: The Snip3 Crypter’s ability to identify sandboxing and virtual environments make it especially capable of bypassing detection-centric solutions. It shows the value of investing in complex cybersecurity solutions.
MITRE ATT&CK: [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Process Injection - T1055
Tags: Snip3, crypter, Crypter-as-a-Service, VBS, RAT, AsyncRAT, NetWire RAT, RevengeRAT, Agent Tesla, NYANxCAT
Lemon Duck target Microsoft Exchange Servers, Incorporate New TTPs
(published: May 7, 2021)
The Lemon Duck cryptomining group has been active since at least |
Ransomware Malware Threat | APT 29 APT 29 | |
|
2021-05-07 21:03:42 | Russia-linked APT29 group changes TTPs following April advisories (lien direct) | The UK and US cybersecurity agencies have published a report detailing techniques used by Russia-linked cyberespionage group known APT29 (aka Cozy Bear). Today, UK NCSC and CISA-FBI-NSA cybersecurity agencies published a joint security advisory that warns organizations to patch systems immediately to mitigate the risk of attacks conducted by Russia-linked SVR group (aka APT29, Cozy Bear, and The Dukes)). The […] | APT 29 | ||
 |
2021-05-07 10:15:00 | NCSC, CISA publish new information on Russia\'s Cozy Bear (lien direct) | The UK and US cybersecurity agencies have published a report detailing techniques used by Russia-linked cyberespionage group known APT29 (aka Cozy Bear). Today, UK NCSC and CISA-FBI-NSA cybersecurity agencies published a joint security advisory that warns organizations to patch systems immediately to mitigate the risk of attacks conducted by Russia-linked SVR group (aka APT29, Cozy Bear, and The Dukes)). The […] | APT 29 APT 29 | ||
|
2021-04-27 19:33:22 | FBI/DHS Issue Guidance for Network Defenders to Mitigate Russian Gov Hacking (lien direct) | The FBI and DHS have issued a Joint Cybersecurity Advisory on the threat posed by the Russian Foreign Intelligence Service (SVR) via the cyber actor known as APT 29 (aka the Dukes, Cozy Bear, Yttrium and CozyDuke). | Threat | APT 29 APT 29 | |
|
2021-04-26 11:16:34 | US warns of Russian state hackers still targeting US, foreign orgs (lien direct) | The FBI, the US Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA) warned today of continued attacks coordinated by the Russian-backed APT 29 hacking group against US and foreign organizations. [...] | APT 29 | ||
|
2021-04-22 10:00:00 | Researchers shed more light on APT29 activity during SolarWinds attack (lien direct) | The FBI, the US Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA) warned today of continued attacks coordinated by the Russian-backed APT 29 hacking group against US and foreign organizations. [...] | APT 29 | ★★★★ | |
 |
2021-04-19 20:38:00 | Introducing AT&T\'s Managed Endpoint Security with SentinelOne (lien direct) | With 5G, edge solutions, and digital transformation all around us, every enterprise should be taking a closer look at their endpoint security and evaluate options that will be able to keep pace with this dynamic new environment.The newly introduced AT&T Managed Endpoint Security with SentinelOne™ offer brings world class managed services with comprehensive endpoint security. SentinelOne brings best-of-breed Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) with deep integration into the AT&T Unified Security Management (USM) platform and Alien Labs Open Threat Exchange (OTX). This deep integration, along with AT&T’s 500+ partner integrations, can provide businesses Extended Detection and Response (XDR) capabilities from the endpoint to the network to the cloud. Plus, through the AT&T Security Operations Center, businesses can rely on world class monitoring and management of their endpoints. Here are the unique benefits it can bring to enterprises: Industry leading technology Joining forces with the best of the best is crucial especially when it comes to endpoint security. AT&T has teamed up with SentinelOne who provides next-generation endpoint security combining antivirus, EPP, and EDR into one agent. SentinelOne has been highly recognized in the industry and was number 1 in the 2020 MITRE ATT&CK test - APT 29 for most total detections and most correlated alerts through comprehensive storyline technology. This autonomous agent utilizes Artificial Intelligence (AI) and machine learning (ML) to help protect against known and unknown threats and eliminates reliance on external factors for protection. This faster, “machine-speed” detection & response provides continuous protection, even when offline. And, in the event of an attack, the SentinelOne agent can perform 1-click remediation and rollback with no custom scripting or re-imaging required. Deep integration with AT&T’s USM platform and Alien Labs OTX AT&T Cybersecurity and SentinelOne bring one of the most unique combinations in the market via the deep integrations between the SentinelOne platform and the AT&T USM platform. This deep integration allows for orchestrated and automated incident response on the endpoints. Additionally, deep integrations were built between the world’s largest open threat intelligence community, AT&T Alien Labs Open Threat Exchange (OTX), and the SentinelOne agent. The AT&T Alien Labs OTX encompasses over 145,000 security professionals submitting over 20 million threat indicators per day. Additional context is provided from the USM sensor network with an additional 20 million threat observations per day and AT&T’s Chief Security Office analyzing over 446 PB of traffic from 200 countries and territories. By correlating the incidents of compromise from AT&T Alien Labs OTX, AT&T is able to deliver added context that allows for faster responses. These same AT&T Alien Labs detections and threat intelligence also informs threat hunting on SentinelOne’s EDR data to help yield richer insights and easier detection of evasive threats. Expert management As one of the world's top MSSPs, AT&T Cybersecurity employs highly experienced and industry certified individuals for the Managed Endpoint Security with SentinelOne offering. AT&T brings over 25 years of experience in delivering managed security services and knows what it takes to keep pace with the dynamic threat landscape. To stay ahead, AT&T’s security analysts maintain security certifications including GSE, CISSP, CEH, and more. For the Managed Endpoint Security with SentinelOne offering, AT&T | Data Breach Threat Guideline | APT 29 | |
 |
2021-04-16 18:10:09 | NSA: 5 Security Bugs Under Active Nation-State Cyberattack (lien direct) | Widely deployed platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware are all in the crosshairs of APT29, bent on stealing credentials and more. | APT 29 | ||
|
2021-04-16 12:26:02 | Russia-linked APT SVR actively targets these 5 flaws (lien direct) | The US government warned that Russian cyber espionage group SVR is exploiting five known vulnerabilities in enterprise infrastructure products. The U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have published a joint advisory that warns that Russia-linked APT group SVR (aka APT29, Cozy Bear, and The Dukes). […] | APT 29 | ||
|
2021-04-15 22:20:58 | US Gov sanctions Russia and expels 10 diplomats over SolarWinds hack (lien direct) | The U.S. and UK attributed with “high confidence” the recently disclosed supply chain attack on SolarWinds to Russia’s Foreign Intelligence Service (SVR). The U.S. and U.K. attributed with “high confidence” the supply chain attack on SolarWinds to operatives working for Russia’s Foreign Intelligence Service (SVR) (ska APT29, Cozy Bear, and The Dukes). The UK, US […] | Hack | APT 29 | |
|
2021-03-07 14:54:02 | Russia-linked APT groups exploited Lithuanian infrastructure to launch attacks (lien direct) | Russia-linked APT groups leveraged the Lithuanian nation's technology infrastructure to launch cyber-attacks against targets worldwide. The annual national security threat assessment report released by Lithuania's State Security Department states that Russia-linked APT groups conducted cyber-attacks against top Lithuanian officials and decision-makers last in 2020. APT29 state-sponsored hackers also exploited Lithuania's information technology infrastructure to carry […] | Threat | APT 29 | |
|
2021-03-02 15:00:00 | Anomali Cyber Watch: APT Groups, Cobalt Strike, Russia, Malware, and More (lien direct) |
We are excited to announce Anomali Cyber Watch, your weekly intelligence digest. Replacing the Anomali Weekly Threat Briefing, Anomali Cyber Watch provides summaries of significant cybersecurity and threat intelligence events, analyst comments, and recommendations from Anomali Threat Research to increase situational awareness, and the associated tactics, techniques, and procedures (TTPs) to empower automated response actions proactively.
We hope you find this version informative and useful. If you haven’t already subscribed get signed up today so you can receive curated and summarized cybersecurity intelligence events weekly.
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Emotet, Go, Masslogger, Mustang Panda, OilRig, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
(published: February 26, 2021)
Recent reporting indicates that two prolific cybercrime threat groups, CARBON SPIDER and SPRITE SPIDER, have begun targeting ESXi, a hypervisor developed by VMWare to run and manage virtual machines. SPRITE SPIDER uses PyXie's LaZagne module to recover vCenter credentials stored in web browsers and runs Mimikatz to steal credentials from host memory. After authenticating to vCenter, SPRITE SPIDER enables ssh to permit persistent access to ESXi devices. In some cases, they also change the root account password or the host’s ssh keys. Before deploying Defray 777, SPRITE SPIDER’s ransomware of choice, they terminate running VMs to allow the ransomware to encrypt files associated with those VMs. CARBON SPIDER has traditionally targeted companies operating POS devices, with initial access being gained using low-volume phishing campaigns against this sector. But throughout 2020 they were observed shifting focus to “Big Game Hunting” with the introduction of the Darkside Ransomware. CARBON SPIDER gains access to ESXi servers using valid credentials and reportedly also logs in over ssh using the Plink utility to drop the Darkside
Recommendation: Both CARBON SPIDER and SPRITE SPIDER likely intend to use ransomware targeting ESXi to inflict greater harm – and hopefully realize larger profits – than traditional ransomware operations against Windows systems. Should these campaigns continue and prove to be profitable, we would expect more threat actors to imitate these activities.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Scheduled Transfer - T1029 | |
Ransomware Malware Threat | Wannacry Wannacry APT 29 APT 28 APT 31 APT 34 | |
 |
2021-01-19 14:00:00 | Les stratégies de remédiation et de durcissement pour Microsoft 365 pour se défendre contre UNC2452 |Blog Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 | Blog (lien direct) |
Mise à jour (mai 2022): Nous avons fusionné unc2452 avec apt29 .L'activité UNC2452 décrite dans ce post et ce rapport est désormais attribuée à APT29.
Mise à jour (28 octobre 2021): Mandiant a récemment observé des acteurs de menace ciblés utilisant l'identité EWS (via le rôle de l'impression d'application) pour maintenir un accès persistant aux boîtes aux lettres dans les environnements victimes.Une fois que l'acteur de menace a accès à ce rôle, ses abus sont difficiles à détecter et fournissent le contrôle de l'acteur de menace sur chaque boîte aux lettres d'un locataire victime.Mandiant a également observé des acteurs de menace ciblés abusant de la relation de confiance entre le cloud
UPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post and report is now attributed to APT29. UPDATE (Oct. 28, 2021): Mandiant has recently observed targeted threat actors using EWS impersonation (via the ApplicationImpersonation role) to maintain persistent access to mailboxes in victim environments. Once the threat actor has access to this role, its abuse is hard to detect and provides the threat actor control over every mailbox in a victim tenant. Mandiant has also observed targeted threat actors abusing the trust relationship between Cloud |
Threat | APT 29 | ★★★★ |
|
2020-12-17 18:00:00 | FireEye, SolarWinds Hacks Show that Detection is Key to Solid Defense (lien direct) | Several years back, industry analyst firm Gartner began circulating the idea that almost every major enterprise and government agency was either compromised or would be compromised at some point in time. This week, when we woke up to the news that FireEye and SolarWinds had joined the ranks of the hacked, we learned once again that Gartner was right. Even companies with advanced security expertise and expansive resources can’t escape this inevitable fact of digital life.
Forensic experts and news outlets are now following the trail of digital clues, trying to make sense of how both companies ended up on the hacked side of the equation. At a high level, we know that FireEye was compromised by a state-sponsored adversary. In the case of SolarWinds, it is looking like an adversary was able to dwell in victims’ networks for as long as nine months and that the prime suspect is the Kremlin.
There are undoubtedly many organizations wondering if they are caught up in the attacks, either by design or indirectly. Fortunately, those that have effective threat detection capabilities in place can utilize the information FireEye, SolarWinds, Anomali and other threat research organizations are providing to determine if they’ve been hit.
Anomali customers are already ahead of the game. As soon as the world becomes aware of an attack, Anomali Threat Research immediately front-loads Anomali ThreatStream with a threat bulletin that provides a detailed and concise narrative of the situation along with a comprehensive list of the known indicators of compromise (IOCs). Once added, information relevant to the incident (IOCs, reports from the security community, signatures, etc.) are automatically delivered to customers. This gives them the ability to automate threat detection and blocking across their security controls, including EDR, firewalls, and SIEM. In addition, customers using Anomali Match, our threat detection and response product, are able to use the threat intelligence to do a retrospective search back to when the threat was active, getting real-time results showing whether the threat was seen in their network at that time.
To provide threat intelligence and security operations analysts with a look at what an Anomali threat bulletin looks like, we’ve added the first version of the FireEye threat bulletin to this blog. We are happy to discuss more deeply how Anomali customers are using this information and continual updates to detect the presence of related IOCs in their environments. Reach us at general@anomali.com.
To listen to a more in-depth conversation on the incident and how threat intelligence aids in detection, listen to this week’s Anomali Detect Podcast.
Key Findings
Unknown, sophisticated actors stole more than 300 FireEye Red Team tools and countermeasures (signatures) on an unspecified date.
An unnamed source for The Washington Post claimed Cozy Bear (APT29), is responsible, but provided no evidence.
Actor(s) were also interested in FireEye customers, specifically, government entities.
The Red Team countermeasures consisted of custom-versions of known tools, a prioritized Common Vulnerabilities and Exposures (CVE) list, and malware signatures in ClamAV, HXIOC, Snort, and Yara languages.
The stolen tools could be customized by actors, just as the FireEye Red Team did to existing tools.
|
Malware Threat Guideline | APT 29 | |
 |
2020-12-15 11:01:00 | 18 000 entreprises et organisations ont téléchargé la backdoor des hackers de Poutine (lien direct) | L'ampleur de l'infection orchestrée par APT19, alias Cozy Bear, est certes énorme, mais cela ne veut pas dire que toutes les victimes ont réellement été piratées.  |
APT 29 APT 19 | ||
 |
2020-12-15 03:44:00 | SolarWinds attack explained: And why it was so hard to detect (lien direct) | A group believed to be Russia's Cozy Bear gained access to government and other systems through a compromised update to SolarWinds' Orion software. Most organizations aren't prepared for this sort of software supply chain attack. | APT 29 | ||
 |
2020-12-14 21:36:39 | No One Knows How Deep Russia\'s Hacking Rampage Goes (lien direct) | A supply chain attack against IT company SolarWinds has exposed as many as 18,000 companies to Cozy Bear's attacks. | APT 29 | ||
|
2020-12-13 22:00:00 | L'attaquant très évasif exploite la chaîne d'approvisionnement de Solarwinds pour compromettre plusieurs victimes mondiales avec Sunburst Backdoor Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor (lien direct) |
Mise à jour (mai 2022): Nous avons fusionné unc2452 avec apt29 .L'activité UNC2452 décrite dans ce post est désormais attribuée à APT29.
Résumé de l'exécutif
Nous avons découvert une campagne mondiale d'intrusion.Nous suivons les acteurs derrière cette campagne sous le nom de UNC2452.
Fireeye a découvert une attaque de chaîne d'approvisionnement trrojanisant les mises à jour de logiciels commerciaux de Solarwinds Orion afin de distribuer des logiciels malveillants que nous appelons Sunburst.
L'activité post-compromis de l'attaquant exploite plusieurs techniques pour échapper à la détection et obscurcir leur activité, mais ces efforts offrent également quelques opportunités de détection.
le
UPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post is now attributed to APT29. Executive Summary We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452. FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST. The attacker\'s post compromise activity leverages multiple techniques to evade detection and obscure their activity, but these efforts also offer some opportunities for detection. The |
Malware | Solardwinds APT 29 | ★★★ |
|
2020-12-13 21:44:40 | US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor (lien direct) | State-sponsored actors allegedly working for Russia have targeted the US Treasury, the Commerce Department's National Telecommunications and Information Administration (NTIA), and other government agencies to monitor internal email traffic as part of a widespread cyberespionage campaign.
The Washington Post, citing unnamed sources, said the latest attacks were the work of APT29 or Cozy Bear, the |
APT 29 | ||
 |
2020-07-17 11:55:00 | Experts On Russian Hackers Target Covid-19 Vaccine Research (lien direct) | Following the news that Russian state-sponsored hackers (a group known as “APT29” or “Cozy Bear”) targeted Covid-19 vaccine research, cybersecurity experts commented below. The ISBuzz Post: This Post Experts On Russian Hackers Target Covid-19 Vaccine Research | APT 29 | ||
|
2020-07-17 09:52:24 | Cozy Bear Hackers Target Covid-19 Research Centres in UK, US and Canada (lien direct) | An advisory published by the UK National Cyber Security Centre (NCSC) warns of activity by Russian hacking group APT29 and explicitly calls out efforts to target the US, UK, and Canadian vaccine research, according to CNN. Cyber actors from the Russian hacking group, which also goes by the name “the Dukes” or “Cozy Bear”, are … The ISBuzz Post: This Post Cozy Bear Hackers Target Covid-19 Research Centres in UK, US and Canada | APT 29 | ||
 |
2020-07-17 07:54:04 | COVID-19 Researchers Targeted by Russian State-Sponsored Hackers (lien direct) | According to an advisory issued by the National Cyber Security Centre (NCSC) and counterparts in Canada and America, Russian state-sponsored hackers, APT29 or Cozy Bear, have been attacking organisations working towards a coronavirus vaccine. The campaign has been targeting government agencies, diplomatic bodies, healthcare organisations, thinktanks and the energy sector looking to steal intellectual property. […] | APT 29 | ||
|
2020-07-16 14:45:58 | UK NCSC blames Russia-linked APT29 for attacks on COVID-19 vaccine research (lien direct) | The UK National Cyber Security Centre says that Russia-linked APT29 group is attempting to steal research data related to potential COVID-19 vaccines. The British National Cyber Security Centre revealed that Russia-linked group APT29 is conducting cyberespionage campaigns targeting UK, US, and Canadian organizations working of the development of a COVID-19 vaccine. “RUSSIAN cyber actors are targeting organisations […] | APT 29 | ||
|
2019-10-18 10:13:01 | (Déjà vu) Russian hackers noticed after being undetected for years (lien direct) | Cyber-espionage operations from Cozy Bear, a threat actor believed to work for the Russian government, continued undetected for the past years by using malware families previously unknown to security researchers. Relying on stealthy communication techniques between infected systems and the command and control (C2) servers, the group managed to keep their activity under the radar […] | Malware Threat | APT 29 | |
|
2019-10-17 15:33:16 | Experts Comments: Sophisticated Russian Hacking Group Is back In Action Again (lien direct) | A Russian cyberespionage operation which was one of the groups which hacked into Democratic National Committee in the run-up to the 2016 US Presidential election has been busy with attacks against government departments across Europe and beyond. The Cozy Bear hacking group – also known as APT29 – is believed to be associated with the Russian intelligence … The ISBuzz Post: This Post Experts Comments: Sophisticated Russian Hacking Group Is back In Action Again | APT 29 | ||
 |
2019-10-17 10:45:00 | Cozy Bear Emerges from Hibernation to Hack EU Ministries (lien direct) | The cyber-espionage group, linked to Russia and blamed for hacking the Democratic National Committee in 2016, has been using covert communications and other techniques to escape detection for at least two years. | Hack | APT 29 | |
|
2019-10-17 09:39:47 | Cozy Bear Russian Hackers Spotted After Staying Undetected for Years (lien direct) | Cyber-espionage operations from Cozy Bear, a threat actor believed to work for the Russian government, continued undetected for the past years by using malware families previously unknown to security researchers. [...] | Malware Threat | APT 29 | |
 |
2019-10-17 09:30:46 | Operation Ghost: The Dukes aren\'t back – they never left (lien direct) | ESET researchers describe recent activity of the infamous espionage group, the Dukes, including three new malware families | Malware | APT 29 | |
|
2019-10-17 09:30:00 | Russia\'s Cozy Bear Hackers Resurface With Clever New Tricks (lien direct) | Largely out of the spotlight since 2016, Cozy Bear hackers have been caught perpetrating a years-long campaign. | APT 29 | ||
|
2019-10-17 01:21:19 | Les cyberespions russes s\'attaquent aux diplomates européens par stéganographie (lien direct) | Des outils assez nouveaux et sophistiqués du groupe The Dukes, alias APT 29, ont été détectés récemment dans le cadre d'une opération d'espionnage qui remonte à 2013.  |
APT 29 | ★★ | |
 |
2019-01-19 00:27:03 | DNC says Russia tried to hack its servers again in November 2018 (lien direct) | Democrats say the spear-phishing attack, which was attributed to Russian group Cozy Bear, was unsuccessful. | Hack | APT 29 | |
|
2018-11-23 10:38:04 | Exclusive Cybaze ZLab – Yoroi – Hunting Cozy Bear, new campaign, old habits (lien direct) | The experts at Cybaze ZLab – Yoroi continue the analysis of new strain of malware used by the Russia-linked APT29 cyberespionage group (aka Cozy Bear) The experts at Cybaze ZLab – Yoroi continue the analysis of new strain of malware used by the Russia-linked APT29 cyberespionage group (aka The Dukes, Cozy Bear, and Cozy Duke). The researchers of Yoroi ZLab, on […] | Malware | APT 29 | |
|
2018-11-21 13:15:04 | Cozy Bear Returns With Post-Election Spear-Phishing Campaign (lien direct) | Attackers suspected of working for the Russian government masqueraded as a US State Department official in an attempt to infect dozens of organizations in government, military, defence contracting, media, and other industries, researchers from security firm FireEye have warned. The tactics, techniques and procedures are akin to those used previously by the Russian APT group … The ISBuzz Post: This Post Cozy Bear Returns With Post-Election Spear-Phishing Campaign | APT 29 | ||
 |
2018-11-20 18:03:04 | FireEye publie un nouveau rapport sur une activité de phishing probablement liée au groupe APT29 (lien direct) |  FireEye vient de publier un rapport concernant une nouvelle activité de Phishing qui aurait probablement un lien avec le groupe APT29. Ce rapport vient compléter la première découverte de FireEye, datant du 14 novembre 2018, en apportant plus de détails. |
APT 29 | ||
|
2018-11-20 18:01:01 | APT29 Re-Emerges After 2 Years with Widespread Espionage Campaign (lien direct) | The group is best-known for hacking the DNC ahead of the 2016 presidential election. | APT 29 | ||
|
2018-11-20 14:16:01 | Russia\'s Fancy Bear and Cozy Bear Hackers May Have New Phishing Tricks (lien direct) | Two new reports show an uptick in sophisticated phishing attacks originating from-where else-Russia. | APT 29 APT 28 | ||
|
2018-11-19 22:00:00 | Pas si confortable: un examen inconfortable d'une campagne de phishing présumée APT29 Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign (lien direct) |
Introduction
Les appareils Fireeye ont détecté des tentatives d'intrusion contre plusieurs industries, notamment le groupe de réflexion, l'application de la loi, les médias, les militaires américains, l'imagerie, le transport, la pharmaceutique, le gouvernement national et la contraction de défense.
Les tentatives concernaient un e-mail de phishing semblant provenir du département d'État américain avec des liens vers des fichiers zip contenant des raccourcis Windows malveillants qui ont livré une frappe de cobalt.
Artefacts techniques partagés;tactiques, techniques et procédures (TTPS);et cibler connectez cette activité à l'activité observée précédemment suspectée d'être APT29.
apt29
Introduction FireEye devices detected intrusion attempts against multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government, and defense contracting. The attempts involved a phishing email appearing to be from the U.S. Department of State with links to zip files containing malicious Windows shortcuts that delivered Cobalt Strike Beacon. Shared technical artifacts; tactics, techniques, and procedures (TTPs); and targeting connect this activity to previously observed activity suspected to be APT29. APT29 |
APT 29 APT 29 | ★★★★ | |
|
2018-11-19 13:27:04 | Cybaze ZLab – Yoroi team analyzed malware used in recent attacks on US entities attributed to APT29 (lien direct) | Malware researchers from Cybaze ZLab – Yoroi team have detected a new strain of malware that appears to be associated with a new wave of attacks carries out by Russia linked APT29 group. The researchers of Yoroi ZLab, on 16 November, accessed to a new APT29's dangerous malware which seems to be involved in the recent […] | Malware | APT 29 | |
|
2018-11-18 09:35:00 | Suspected APT29 hackers behind attacks on US gov agencies, think tanks, and businesses (lien direct) | Last week, security experts reported alleged APT29 hackers impersonating a State Department official in attacks aimed at U.S. government agencies, businesses and think tanks. Cyber security experts are warning of new attacks against U.S. government agencies, think tanks, and businesses. Threat actors carried out spear phishing attacks impersonating a State Department official to attempt compromising targets, […] | Threat | APT 29 | |
|
2018-11-16 23:40:00 | Russian APT comes back to life with new US spear-phishing campaign (lien direct) | Cozy Bear (APT29) makes a comeback after last year's Dutch and Norwegian hacking campaigns. | APT 29 |
To see everything:
Our RSS (filtrered)
