
Russian hackers exploit email and VPN vulnerabilities to spy on Ukrainian Aid Logistics

May 21, 2025

A state-sponsored campaign targeting Western logistics entities and technology companies since 2022 has been attributed to Russian cyber threat actors.

The activity has been assessed to be coordinated by APT28 (aka BlueDelta, Fancy Bear, or Forest Blizzard), which is linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, Military Unit 26165.

Targets of the campaign include companies involved in coordinating, transporting, and delivering foreign aid to Ukraine, according to a joint advisory released by Australia, Canada, the Czech Republic, Denmark, Estonia, France, Germany, the Netherlands, Poland, the UK, and the US.

“This cyberspy-oriented campaign targeting logistics entities and technology companies uses a previously disclosed combination of TTPs and is likely linked to the large-scale targeting of these actors adjacent to Ukraine and NATO countries,” the bulletin said.

The advisory comes weeks after the French Ministry of Foreign Affairs accused APT28 of increasing cyberattacks on 12 entities, including ministries, defense companies, research institutes, and think tanks, since 2021 in an attempt to destabilise the country.

Then last week, ESET disclosed a campaign that it said has been in progress since 2023 and leverages cross-site scripting (XSS) vulnerabilities in various webmail services such as Roundcube, Horde, MDaemon, and Zimbra.


According to the latest advisory, the cyber attacks orchestrated by APT28 involve a combination of password spraying, spear-phishing, and manipulation of Microsoft Exchange mailbox permissions for espionage purposes.

The primary targets of the campaign are organizations within NATO member states and Ukraine, spanning the defense, transportation, maritime, air traffic management, and IT services verticals. It is estimated that many entities in Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States have been targeted.

Initial access to the target networks is said to have been facilitated by seven different methods:

  • Brute-force attacks to guess credentials
  • Spear-phishing attacks to harvest credentials using fake login pages that impersonate Western cloud email providers, hosted on free third-party services or compromised SOHO devices
  • Spear-phishing attacks to deliver malware
  • Exploitation of the Outlook NTLM vulnerability (CVE-2023-23397)
  • Exploitation of Roundcube vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)
  • Exploitation of internet-facing infrastructure such as corporate VPNs, using public vulnerabilities and SQL injection
  • Exploitation of the WinRAR vulnerability (CVE-2023-38831)

Once the Unit 26165 actors gain a foothold using any of the methods above, the attack proceeds to the post-exploitation stage. This involves reconnaissance to identify the individuals responsible for coordinating transport, as well as other companies working with the victim entities.

The attackers have also been observed using tools such as Impacket, PsExec, and Remote Desktop Protocol (RDP) for lateral movement, as well as Certipy and ADExplorer.exe to exfiltrate information from Active Directory.

“The actors will take steps to find and remove the list of Office 365 users and set up a sustained email collection,” the agency noted. “The actors used the mailbox permissions operation to establish a persistent email collection with compromised logistics entities.”
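A defender's check for the mailbox-permission persistence described above, as an added example that is not from the advisory or the original article: it scans Exchange admin audit records for read-access grants that suggest sustained email collection. The record layout (Operation, UserId, Parameters) is assumed to follow a Microsoft 365 unified audit log export; the sample records, account names, and the `fan_out` threshold are constructed.

```python
import json
from collections import defaultdict

# Cmdlets that give one principal access to another user's mailbox or folders.
GRANT_OPS = {"Add-MailboxPermission", "Add-MailboxFolderPermission"}
# Rights and folder roles that let the grantee read mail.
READ_RIGHTS = {"fullaccess", "owner", "editor", "publishingeditor",
               "publishingauthor", "author", "reviewer", "readitems"}
BROAD = {"default", "anonymous"}  # folder-level "everyone" principals
# Constructed sample records (assumed audit-export layout, not real telemetry).
SAMPLE_LOG = r"""
{"CreationTime":"2025-05-01T02:11:09","Operation":"Add-MailboxPermission","UserId":"svc-backup@example.test","Parameters":[{"Name":"Identity","Value":"dispatch@example.test"},{"Name":"User","Value":"svc-backup@example.test"},{"Name":"AccessRights","Value":"FullAccess"}]}
{"CreationTime":"2025-05-01T02:11:40","Operation":"Add-MailboxPermission","UserId":"svc-backup@example.test","Parameters":[{"Name":"Identity","Value":"customs@example.test"},{"Name":"User","Value":"svc-backup@example.test"},{"Name":"AccessRights","Value":"FullAccess"}]}
{"CreationTime":"2025-05-02T09:30:00","Operation":"Add-MailboxFolderPermission","UserId":"admin@example.test","Parameters":[{"Name":"Identity","Value":"ceo@example.test:\\Inbox"},{"Name":"User","Value":"Default"},{"Name":"AccessRights","Value":"Reviewer"}]}
{"CreationTime":"2025-05-02T10:05:12","Operation":"Add-MailboxFolderPermission","UserId":"alice@example.test","Parameters":[{"Name":"Identity","Value":"alice@example.test:\\Calendar"},{"Name":"User","Value":"bob@example.test"},{"Name":"AccessRights","Value":"Reviewer"}]}
{"CreationTime":"2025-05-02T11:00:00","Operation":"Set-Mailbox","UserId":"admin@example.test","Parameters":[{"Name":"Identity","Value":"bob@example.test"}]}
"""

def find_suspicious_grants(log_text, fan_out=2):
    """Return read-access grants that look like covert mail collection."""
    grants = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        if rec.get("Operation") not in GRANT_OPS:
            continue
        p = {x["Name"]: x["Value"] for x in rec.get("Parameters", [])}
        rights = {r.strip().lower() for r in p.get("AccessRights", "").split(",")}
        if rights & READ_RIGHTS:
            grants.append((rec["CreationTime"], rec["UserId"].lower(),
                           p.get("Identity", "").lower(), p.get("User", "").lower()))
    reach = defaultdict(set)  # grantee -> distinct mailboxes it can now read
    for _, _, mailbox, grantee in grants:
        reach[grantee].add(mailbox.split(":")[0])
    findings = []
    for when, actor, mailbox, grantee in grants:
        reasons = []
        if grantee == actor and mailbox.split(":")[0] != actor:
            reasons.append("self-grant")       # actor gave itself someone else's mail
        if grantee in BROAD:
            reasons.append("broad-principal")  # folder readable by every user
        elif len(reach[grantee]) >= fan_out:
            reasons.append("multi-mailbox")    # one account collecting from many
        if reasons:
            findings.append({"time": when, "mailbox": mailbox,
                             "grantee": grantee, "reasons": reasons})
    return findings

if __name__ == "__main__":
    print(*find_suspicious_grants(SAMPLE_LOG), sep="\n")
```

Delegation between colleagues, such as the calendar share in the sample, is deliberately not flagged; tune `fan_out` and the allow-listing of legitimate service accounts to the environment.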

Another notable feature of the intrusions is the use of malware families such as HeadLace and MASEPIE to establish persistence on compromised hosts and harvest sensitive information. There is no evidence that malware variants such as OCEANMAP and STEELHOOK were used to directly target the logistics or IT sectors.


During data exfiltration, the threat actors rely on a variety of methods depending on the victim environment, often using PowerShell commands to create ZIP archives for uploading the collected data to their own infrastructure, or employing Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) to siphon information from email servers.

“As the Russian military failed to meet its military targets and Western countries provided assistance to support Ukraine’s territorial defense, Unit 26165 expanded targeting of logistics entities and technology companies involved in providing assistance,” the agency said. “These actors are targeting internet-connected cameras at Ukraine’s border crossings to monitor and track aid shipments.”

The disclosure comes as Cato Networks revealed campaigns that leverage Tigris Object Storage, Oracle Cloud Infrastructure (OCI) Object Storage, and Scaleway Object Storage and use ClickFix-style lures to get victims to download Lumma Stealer.

“Recent campaigns leveraging Tigris Object Storage, OCI Object Storage, and Scaleway Object Storage are built on previous methods and introduce new distribution mechanisms aimed at avoiding and targeting technically skilled users.”
