LetsAskBinu.com

Russian hacker group APT29 targeting diplomats 

By Researcher, May 3, 2022, in Cybersecurity


The state-supported group behind the SolarWinds supply chain attack is going after diplomats using spear phishing to deploy a novel strain of malware.

[Image: security global network. Image: Getty Images/iStockphoto]

Threat analysts at the cybersecurity firm Mandiant have uncovered a new APT29 cyber attack once again aimed at diplomats and government agencies.

APT29 is a cyber espionage group widely believed to be sponsored by the Russian Foreign Intelligence Service, the SVR. APT29 activity is also publicly referred to as Nobelium by Microsoft, Mandiant said. APT29 is the group responsible for the 2021 SolarWinds supply chain attack.


While Mandiant has been tracking APT29 phishing activity aimed at diplomats around the globe since early 2020, this year’s attackers are using two new malware families, BEATDROP and BOOMMIC, together with BEACON, to carry out attacks. APT29’s malware uses Atlassian’s popular Trello project management tool for command and control (C2), storing victim information and retrieving AES-encrypted shellcode payloads.

“For anyone involved in politics, it is critical to understand that they may be targeted due to information they have, or even just the contacts they may have,” said Erich Kron, security awareness advocate, at cybersecurity training firm KnowBe4. “In situations like embassies, which act as sovereign soil in foreign countries, and for the diplomats within them, the information about activities occurring within the region would be a gold mine for adversaries.”

To trick victims into downloading malware-laden files, APT29 sent spear-phishing emails disguised as embassy administrative updates, Mandiant said in a blog post about the attacks. To get past spam filters, APT29 used legitimate email addresses from other diplomatic entities and targeted large, publicly available lists of embassy personnel.

The emails used the malicious HTML dropper ROOTSAW (also known as EnvyScout) to deliver and decode IMG or ISO files, either of which can be written to disk and execute a malicious .DLL file that contains the BEATDROP downloader. APT29 also is using the BEACON downloader for similar purposes.
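The delivery chain above (a disc image dropped from an HTML lure, then a DLL run from the mounted image) gives defenders a concrete correlation to hunt for. The following is an added example, not code from the article or from Mandiant: it assumes a simplified, constructed event stream in which a mount event records the image path and the drive letter it received, and a process event records the command line.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are assumptions made for
# this example; map them onto your own EDR or Sysmon schema.
EVENTS = [
    {"ts": "2022-05-03T09:14:02", "type": "mount",
     "image": r"C:\Users\alice\Downloads\Embassy_Update.iso", "drive": "E:"},
    {"ts": "2022-05-03T09:14:09", "type": "process", "user": "alice",
     "cmd": r"rundll32.exe E:\Update\libcrypto.dll,StartW"},
    {"ts": "2022-05-03T10:30:00", "type": "mount",
     "image": r"D:\ISOs\ubuntu-22.04.iso", "drive": "F:"},
    {"ts": "2022-05-03T13:45:11", "type": "process", "user": "bob",
     "cmd": r"rundll32.exe F:\setup\helper.dll,Run"},
]

WINDOW = timedelta(minutes=5)                       # mount-to-execution window to correlate
DISC_IMAGE = re.compile(r"\.(iso|img)$", re.IGNORECASE)
# rundll32/regsvr32 launching a DLL that lives on some drive letter
DLL_LOADER = re.compile(r"^(rundll32|regsvr32)\.exe\s+([A-Z]:\\[^,\s]+\.dll)", re.IGNORECASE)


def find_disc_image_dll_execution(events, window=WINDOW):
    """Return alerts where a DLL is executed via rundll32/regsvr32 from a drive letter
    that a .iso/.img file was mounted to less than `window` earlier."""
    mounts = {}   # drive letter -> (mount time, image path)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "mount" and DISC_IMAGE.search(ev["image"]):
            mounts[ev["drive"].upper()] = (ts, ev["image"])
        elif ev["type"] == "process":
            m = DLL_LOADER.match(ev["cmd"])
            if not m:
                continue
            drive = m.group(2)[:2].upper()
            if drive in mounts and ts - mounts[drive][0] <= window:
                alerts.append({"ts": ev["ts"], "user": ev["user"],
                               "image": mounts[drive][1], "dll": m.group(2)})
    return alerts


if __name__ == "__main__":
    for a in find_disc_image_dll_execution(EVENTS):
        print(f"{a['ts']} user={a['user']} ran {a['dll']} from mounted image {a['image']}")
```

The second mount in the sample (a Linux ISO used hours before any DLL runs from it) falls outside the window and is not reported, which keeps the rule from firing on ordinary disc-image use.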

Once BEATDROP or BEACON opens a backdoor into the victim’s network, the attackers quickly deploy BOOMMIC to gain deeper access into the victim’s environment. BOOMMIC (also called VaporRage by Microsoft) is a shellcode downloader that communicates with a C2 server over HTTP. Once activated, its main job is to download shellcode payloads into memory on a target machine, Mandiant said.

BEACON is a multi-purpose tool that also captures keystrokes and screenshots and can act as a proxy server. It may also harvest system credentials, conduct port scanning and enumerate systems on a network.

Once inside the network, attackers are able to escalate privileges and move laterally within hours using Kerberos tickets in Pass-the-Ticket attacks, exploiting misconfigured certificate templates to impersonate admins, and creating malicious certificates to escalate directly from low-level privileges to domain admin status. Malicious certificates can also give the attacker long-term persistence within the victim’s environment. APT29 performs extensive reconnaissance of hosts and the Active Directory environment looking for credentials, Mandiant said.
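The certificate-template abuse described above depends on a template that lets an ordinary enrollee choose the subject of a logon-capable certificate without anyone approving the request. The audit below is an added example, not from the article or Mandiant; it assumes template attributes have already been exported (for instance from LDAP or certutil) into the dictionary shape shown, and uses the documented AD CS flag bits and EKU OIDs.

```python
# Flag bits from the AD CS template schema (msPKI-Certificate-Name-Flag and
# msPKI-Enrollment-Flag); the OIDs are the standard logon-capable EKUs.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # requester picks the subject / SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # CA manager approval required
LOGON_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
BROAD_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}

# Constructed sample templates (assumed export format: one dict per template).
TEMPLATES = [
    {"name": "WebServer", "name_flag": 0x1, "enrollment_flag": 0x0,
     "ekus": ["1.3.6.1.5.5.7.3.1"], "enroll": {"Domain Computers"}},
    {"name": "UserCustom", "name_flag": 0x1, "enrollment_flag": 0x0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": {"Domain Users"}},
    {"name": "UserApproved", "name_flag": 0x1, "enrollment_flag": 0x2,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": {"Domain Users"}},
]


def usable_for_logon(template):
    """A template with no EKU at all can be used for any purpose, including logon."""
    ekus = set(template["ekus"])
    return not ekus or bool(ekus & LOGON_EKUS)


def audit_template(t):
    """Return a list of findings (empty if the template looks safe)."""
    findings = []
    supplies_subject = bool(t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    needs_approval = bool(t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    broad_enroll = bool(t["enroll"] & BROAD_PRINCIPALS)
    if supplies_subject and usable_for_logon(t) and not needs_approval and broad_enroll:
        findings.append("broad enrollees may request a logon certificate for an arbitrary "
                        "subject; require manager approval or clear ENROLLEE_SUPPLIES_SUBJECT")
    return findings


def risky_templates(templates=TEMPLATES):
    """Names of templates with at least one finding, sorted for stable output."""
    return sorted(t["name"] for t in templates if audit_template(t))


if __name__ == "__main__":
    for t in TEMPLATES:
        for f in audit_template(t):
            print(f"{t['name']}: {f}")
```

Requiring manager approval (the UserApproved template) or restricting the EKU to server authentication (WebServer) removes the finding, which mirrors the two hardening choices an AD CS administrator usually has.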

“This campaign highlights the importance of implementing a culture of cybersecurity that goes beyond relying on first line preventative controls,” said Chris Clements, vice president of solutions architecture at Cerberus Sentinel. “Controls like [network] segmentation, proactive system and application hardening, and restricting users’ access to only what’s necessary for their job functions make an attacker’s job much more difficult. In-depth monitoring for suspicious activities and threat hunting likewise increases the chances an attacker can be quickly detected and eradicated by the incident response team before widespread damage can be done.”

© 2022 Lets Ask Binu All Rights Reserved