apt29 - X-Industry - Red Sky Alliance
2024-03-28T21:52:07Z
https://redskyalliance.org/xindustry/feed/tag/apt29
Microsoft Warns of APT29 Espionage Attacks
https://redskyalliance.org/xindustry/microsoft-warns-of-apt29-espionage-attacks
2024-01-30T13:00:00.000Z
Jim McKee
https://redskyalliance.org/members/JimMcKee
<div><p>Researchers from Microsoft reported on 25 January 2024 that the Russian state-sponsored threat actors responsible for a cyberattack on its systems in late November 2023 have been targeting other organizations and that it is currently beginning to notify them. The development comes a day after Hewlett Packard Enterprise (HPE) revealed that it had been the victim of an attack perpetrated by a hacking crew tracked as APT29, which is also known as BlueBravo, Cloaked Ursa, <strong>Cozy Bear</strong>, Midnight Blizzard (formerly Nobelium), and The Dukes. "This threat actor is known to target governments, diplomatic entities, non-governmental organizations (NGOs), and IT service providers, primarily in the US and Europe," the Microsoft Threat Intelligence team said in a new advisory.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/magicweb">https://redskyalliance.org/xindustry/magicweb</a></p>
<p>The primary goal of these espionage missions is to gather sensitive information that is of strategic interest to Russia by maintaining footholds for extended periods of time without attracting any attention. The latest disclosure indicates that the scale of the campaign may have been bigger than previously thought. Researchers did not reveal which other entities were singled out.<a href="#_ftn1">[1]</a></p>
<p>APT29's operations involve using legitimate but compromised accounts to gain and expand access within a target environment and fly under the radar. It's also known to identify and abuse OAuth applications to move laterally across cloud infrastructures and for post-compromise activity, such as email collection. They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to move to the cloud laterally, and exploitation of service providers' trust chains to gain access to downstream customers.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/hackers-exploiting-oauth-for-cryptocurrency-mining-phishing">https://redskyalliance.org/xindustry/hackers-exploiting-oauth-for-cryptocurrency-mining-phishing</a></p>
<p>Another tactic uses breached user accounts to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity. The company pointed out that this enables threat actors to maintain access to applications, even if they lose access to the initially compromised account. These malicious OAuth applications are ultimately used to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts to exfiltrate data of interest.</p>
<p>In the incident targeting Microsoft in November 2023, the threat actor used a password spray attack to successfully infiltrate a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled. In this observed Midnight Blizzard activity, the actor tailored their password spray attacks to a limited number of accounts, using few attempts per account to evade detection and avoid account lockouts triggered by a high volume of failed logins.</p>
<p>The intruders then leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment, weaponizing it to create additional malicious OAuth applications and grant them the Office 365 Exchange Online full_access_as_app role to obtain access to mailboxes.</p>
<p>Such attacks are launched from a distributed residential proxy infrastructure to conceal their origins, allowing the threat actor to interact with the compromised tenant and Exchange Online via a vast network of IP addresses that legitimate users use. Midnight Blizzard's use of residential proxies to obfuscate connections makes traditional indicators of compromise (IoC)-based detection infeasible due to the high changeover rate of IP addresses, forcing organizations to take steps to defend against rogue OAuth applications and password spraying.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></p>
<p>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p><strong>Weekly Cyber Intelligence Briefings:</strong></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2024/01/microsoft-warns-of-widening-apt29.html">https://thehackernews.com/2024/01/microsoft-warns-of-widening-apt29.html</a></p></div>
Turla Now Using 2 Backdoors Causing Double Trouble for Targets
https://redskyalliance.org/xindustry/turla-now-using-2-backdoors-causing-double-trouble-for-targets
2021-09-28T15:27:39.000Z
Jim McKee
https://redskyalliance.org/members/JimMcKee
<div><p>A Russian-linked group known as Turla has been deploying a secondary backdoor against numerous targets to maintain persistence within compromised devices even after the primary malware has been discovered and removed from the infrastructure, according to a research report released by Cisco Talos this week.</p>
<p>The newly discovered backdoor, which the researchers call "TinyTurla," has been deployed against targets in the U.S. and Germany over the last two years. More recently, however, Turla has used the malware against government organizations and agencies in Afghanistan before the country was overtaken by the Taliban in August, according to the report.<a href="#_ftn1">[1]</a></p>
<p>"This malware specifically caught our eye when it targeted Afghanistan prior to the Taliban's recent takeover of the government there and the pullout of Western-backed military forces," according to the analysis. "Based on forensic evidence, Cisco Talos assesses with moderate confidence that this was used to target the previous Afghan government."</p>
<p>Turla has been active since the mid-1990s and is one of the oldest operating advanced persistent threat groups with links to Russia's FSB (formerly the KGB), according to a study published in February 2021 by security researchers at VMware. The group, which typically targets government or military agencies, is also called Belugasturgeon, Ouroboros, Snake, Venomous Bear, and Waterbug, and is known for constantly changing its techniques and methods to avoid detection.</p>
<p>"Through the years, researchers have observed that Turla continues to advance their methods and operations - most prominently, the clandestine techniques that were leveraged to exfiltrate sensitive data and operationalize compromised infrastructure," according to the VMware report, which includes Turla in a list of Russian-backed APT groups that includes APT28, APT29, and Sandworm.</p>
<p>In the secondary backdoor that Cisco Talos uncovered, Turla disguises the malware as a legitimate Microsoft file that is named "Windows Time Service." That file allows the malicious code to run in the background and blend in with legitimate apps on a compromised device.</p>
<p>"This is a good example of how easy malicious services can be overlooked on today's systems that are clouded by the myriad of legit services running in the background at all times," according to Cisco Talos. "It's often difficult for an administrator to verify that all running services are legitimate. It is important to have software and/or automated systems detecting unknown running services and a team of skilled professionals who can perform proper forensic analysis on potentially infected systems."</p>
<p>While the Cisco Talos researchers discovered TinyTurla, it is not clear from the analysis exactly how the attackers initially install the backdoor on a compromised device. Once the initial compromise step is complete, however, the attackers use a .BAT file to install the backdoor on the device. As mentioned previously, the malware is disguised as a dynamic link library resembling w32time.dll, the file belonging to the legitimate Windows Time Service, according to the report.<a href="#_ftn2">[2]</a></p>
<p>The TinyTurla backdoor itself has limited functionality, and it's mainly designed to download, upload and execute files. Once installed, the malware will attempt to contact the attackers' command-and-control server over an HTTPS encrypted channel and will continue to contact that server every five seconds to check for new instructions, according to the report.</p>
<p>Besides functioning as a backdoor, TinyTurla can act as a dropper to allow the attackers to install other malicious code within an infected device. Since this secondary backdoor does not have a large footprint and blends in with other background files, security tools can overlook the malware, according to Cisco Talos.</p>
<p>"It is not easy for anti-malware systems to detect it as malware. We found evidence in our telemetry that this software has been used by adversaries since at least 2020," the report notes.</p>
<p>The Cisco Talos researchers were able to attribute the TinyTurla backdoor to Turla because the group reused infrastructure deployed in previous attacks. Over the years, numerous researchers have traced Turla's various cyber espionage operations as well as the tools and techniques the group uses. In February, for example, Palo Alto Networks' Unit 42 found the APT deploying an IronPython-based malware loader called "IronNetInjector" as part of a campaign.</p>
<p>In January 2021, researchers with Kaspersky published a report that found similarities between the Sunburst backdoor used during the SolarWinds supply chain attack and another malware variant called Kazuar, which had been previously attributed to Turla by researchers.</p>
<p>The Biden administration officially attributed the SolarWinds attack to the Russian Foreign Intelligence Service, or SVR, in April 2021 and specifically to the group called APT29 or Cozy Bear. The Kaspersky report noted that over the years, there have been links and code overlap between APT29 and Turla.</p>
<p>See: <a href="https://redskyalliance.org/redshorts2020/4-global-internet-disruptors-russian-gru-hackers-indicted">https://redskyalliance.org/redshorts2020/4-global-internet-disruptors-russian-gru-hackers-indicted</a></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2021/09/russian-turla-apt-group-deploying-new.html">https://thehackernews.com/2021/09/russian-turla-apt-group-deploying-new.html</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.bankinfosecurity.com/russian-linked-group-using-secondary-backdoor-against-targets-a-17592">https://www.bankinfosecurity.com/russian-linked-group-using-secondary-backdoor-against-targets-a-17592</a></p></div>