#apt29
osintelligence · 1 year
Link
https://bit.ly/3qXad6I - 🌐 Cybersecurity firm Bitdefender has conducted an extensive investigation into a targeted cyber attack against East-Asian infrastructure, uncovering the workings of a sophisticated, presumably custom malware dubbed the Logutil backdoor. This operation reportedly ran for over a year, aiming to compromise credentials and exfiltrate data. #Cybersecurity #Bitdefender #LogutilBackdoor

🕵️‍♀️ The operation, traced back to early 2022, leveraged multiple tools to achieve its nefarious ends, Logutil being the primary one. Notably, AsyncRat was used during the initial stages of infection. The investigation suggests that CobaltStrike was part of the attackers' arsenal too. The victim of this operation was a company operating in the Technology/IT Services industry in East Asia. #CyberAttack #AsyncRat #CobaltStrike

💾 Modern cybercrime syndicates are increasingly leveraging legitimate components to perpetrate their attacks. For instance, DLL hijacking and misuse of legitimate scheduled tasks and services are commonly employed tactics. Notably, state-affiliated actors such as the APT29 group have used this strategy effectively, substituting a binary responsible for updating Adobe Reader with a malicious component, thus achieving persistence. #CybercrimeTactics #APT29 #AdobeReader

📍 These stealthy tactics were evident in the recent incident as well. The perpetrators deployed malware in locations less likely to be suspected of hosting such threats and more likely to be excluded from the security systems' scrutiny. #MalwareDeployment #CybersecurityChallenge

🔐 In this attack, the actors demonstrated capabilities of collecting credentials from various applications including MobaXterm, mRemoteNG, KeePass, and even Chrome passwords and history. They also attempted data exfiltration from MySQL servers by accessing server process memory, and made attempts to dump LSASS memory. #DataExfiltration #CredentialTheft

🔁 The investigation also found that the attackers could infect other systems if an RDP session was established with the infected system, by placing malicious components in \\tsclient\c\ subfolders if the tsclient share was enabled. This highlights the extent of the attack's complexity and potential for propagation.
2 notes · View notes
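The RDP drive-redirection propagation described in the post above (malicious components dropped into \\tsclient\c\ subfolders) leaves a distinctive trace on the infected host: a file-creation event whose target path begins with \\tsclient\. The hunt script below is an added example, not code from Bitdefender or from the post. It parses constructed, Sysmon-style FileCreate (Event ID 11) lines written for this example and ranks writes that cross the RDP session into the client's drive, treating a drop into the client's Startup folder as the highest-severity case. The key=value log format, the autorun path pattern, the executable-extension list and the severity tiers are all assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed, Sysmon-style FileCreate (Event ID 11) lines written for this example.
# They are synthetic and not taken from the Bitdefender investigation.
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\alice\Documents\notes.txt",
    r"EventID=11 Image=C:\Windows\System32\cmd.exe TargetFilename=\\tsclient\C\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"EventID=11 Image=C:\Users\alice\AppData\Local\Temp\svc.exe TargetFilename=\\tsclient\C\ProgramData\Adobe\ARM\1.0\version.dll",
    r"EventID=11 Image=C:\Windows\System32\cmd.exe TargetFilename=\\tsclient\C\Users\bob\Desktop\report.docx",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c dir \\tsclient\C",
]

# key=value pairs; values may contain spaces, so a value ends at the next " key=" or end of line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# RDP client drive redirection exposes the client's drives to the server as \\tsclient\<letter>\...
TSCLIENT_RE = re.compile(r"^\\\\tsclient\\", re.IGNORECASE)
# Per-user Startup folder on the remote client: anything dropped here runs at that user's next logon.
AUTORUN_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# File types that are executable or loadable; an assumed list for this example.
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".scr")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (assumed log format)."""
    return dict(KV_RE.findall(line))


def classify_write(event: Dict[str, str]) -> Optional[str]:
    """Return a severity for a FileCreate aimed at the redirected client drive, else None."""
    target = event.get("TargetFilename", "")
    if not TSCLIENT_RE.match(target):
        return None
    if AUTORUN_RE.search(target):
        return "high"      # persistence on the RDP client: runs when its user logs on
    if target.lower().endswith(EXEC_EXT):
        return "medium"    # executable content staged on the client, e.g. a DLL for hijacking
    return "low"           # any other write into the client's drive is still worth a look


def hunt_tsclient_writes(lines: List[str]) -> List[Dict[str, str]]:
    """Scan FileCreate events and return the writes that cross an RDP session into the client."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "11":   # only FileCreate events carry TargetFilename
            continue
        severity = classify_write(event)
        if severity is not None:
            findings.append({
                "severity": severity,
                "image": event.get("Image", ""),
                "target": event["TargetFilename"],
            })
    return findings


if __name__ == "__main__":
    for f in hunt_tsclient_writes(SAMPLE_EVENTS):
        print(f"[{f['severity']:>6}] {f['image']} -> {f['target']}")
```

Run over a real Sysmon export the same rule set works unchanged, since the match is on the UNC prefix the redirection always uses; the interesting tuning is the severity tiers, which here are deliberately simple.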
zerosecurity · 2 months
Text
TeamViewer Hacked: Russian State-Sponsored Group APT29 Behind Cyberattack
TeamViewer, a popular remote access software company, has disclosed a security breach affecting its corporate IT environment. The breach, which occurred on June 26, 2024, has now been attributed to the Russian state-sponsored hacking group known as APT29, Midnight Blizzard, or Cozy Bear.

Initial Detection and Response

TeamViewer's security team detected an "irregularity" in their internal corporate IT systems on Wednesday, June 26. The company promptly activated its incident response procedures, engaging a team of cybersecurity experts to investigate and implement necessary remediation measures.

Scope of the Breach

According to TeamViewer, their internal corporate IT environment is completely separate from the product environment. The company stated that there is no evidence suggesting that the product environment or customer data has been affected. However, investigations are ongoing, and the company's primary focus remains ensuring its systems' integrity.

APT29 Involvement Confirmed

In an update released on Friday, June 28, TeamViewer officially attributed the attack to APT29. The company revealed that the threat actors targeted credentials associated with an employee account within the corporate IT environment. TeamViewer's security teams identified suspicious behavior related to this account and immediately implemented incident response measures.

Widespread Implications

TeamViewer's software is used by over 640,000 customers worldwide and has been installed on more than 2.5 billion devices since the company's inception. This extensive user base makes any potential breach a significant concern, as it could potentially provide access to numerous internal networks.

Industry Alerts and Warnings

Before TeamViewer's official attribution, several cybersecurity entities had already raised alarms about the incident:
- NCC Group's Global Threat Intelligence team warned of a "significant compromise" of the TeamViewer platform by an APT group.
- Health-ISAC, a community for healthcare professionals, issued an alert stating that APT29 was actively exploiting TeamViewer.
- The Dutch Digital Trust Center shared information about the cybersecurity threat on its web portal.

APT29: A Persistent Threat

APT29, also known as Cozy Bear, NOBELIUM, and Midnight Blizzard, is a Russian advanced persistent threat group linked to Russia's Foreign Intelligence Service (SVR). The group is notorious for its cyberespionage capabilities and has been implicated in numerous high-profile attacks, including recent breaches of Microsoft's and Hewlett Packard Enterprise's corporate email environments.

Transparency and Communication

TeamViewer has pledged to maintain transparency throughout the investigation and will provide continuous updates as more information becomes available. However, it's worth noting that the company initially included a "noindex" HTML tag on their update page, which prevented search engines from indexing the document. TeamViewer has since removed this tag, making the information more accessible.

Recommendations and Precautions

Given the widespread use of TeamViewer software and the potential implications of this breach, cybersecurity experts recommend the following precautions:
- Review logs for any unusual remote desktop traffic.
- Be vigilant for potential exploitation of remote access tools.
- Consider temporarily removing TeamViewer software until more details about the compromise are known.

As investigations continue, users and organizations relying on TeamViewer should stay alert for further updates and guidance from the company and cybersecurity authorities.
0 notes
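For the post's first recommendation, reviewing logs for unusual remote-desktop traffic, here is an added example (not TeamViewer's code and not from the post) that runs such a check over constructed connection-log lines. It flags connections on the well-known TeamViewer (tcp/5938), RDP (tcp/3389) and VNC (tcp/5900) ports that originate from a host not in an approved inventory or that fall outside business hours. The log format, the approved-host list and the business-hours window are assumptions made for the example, and the sample lines are synthetic.

```python
import re
from datetime import datetime
from typing import Dict, List, Set

# Ports of common remote-access tools. TeamViewer's primary port is tcp/5938; RDP and VNC
# use the usual 3389 and 5900. A tool that falls back to tcp/443 is not caught by a port match.
REMOTE_ACCESS_PORTS = {5938: "TeamViewer", 3389: "RDP", 5900: "VNC"}

# Assumed inventory of hosts allowed to run remote-access tools (example only).
APPROVED_HOSTS: Set[str] = {"10.0.5.21"}
# Assumed business-hours window, 07:00 to 19:59 UTC (example only).
BUSINESS_HOURS = range(7, 20)

# Constructed connection-log lines written for this example (synthetic data).
SAMPLE_LOG = [
    "2024-06-26T09:15:02Z src=10.0.5.21 dst=203.0.113.7 dport=5938 proto=tcp bytes=48211",
    "2024-06-26T02:41:17Z src=10.0.7.44 dst=198.51.100.9 dport=5938 proto=tcp bytes=913400",
    "2024-06-26T11:05:50Z src=10.0.7.44 dst=10.0.1.5 dport=3389 proto=tcp bytes=20010",
    "2024-06-26T11:06:01Z src=10.0.5.21 dst=142.250.74.36 dport=443 proto=tcp bytes=1200",
    "2024-06-26T22:30:00Z src=10.0.5.21 dst=203.0.113.7 dport=5938 proto=tcp bytes=5000",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line: str) -> Dict[str, object]:
    """Parse one connection record in the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "bytes": int(m["bytes"]),
    }


def review_remote_access(lines: List[str], approved: Set[str] = APPROVED_HOSTS,
                         hours: range = BUSINESS_HOURS) -> List[Dict[str, object]]:
    """Return remote-access connections that break the inventory or the time-of-day baseline."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        tool = REMOTE_ACCESS_PORTS.get(ev["dport"])
        if tool is None:
            continue                       # not a remote-access port we track
        reasons = []
        if ev["src"] not in approved:
            reasons.append("source host not approved for remote-access tools")
        if ev["ts"].hour not in hours:
            reasons.append("outside business hours")
        if reasons:
            findings.append({"src": ev["src"], "dst": ev["dst"], "tool": tool,
                             "bytes": ev["bytes"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_remote_access(SAMPLE_LOG):
        print(f"{f['tool']:<10} {f['src']} -> {f['dst']} ({f['bytes']} bytes): {'; '.join(f['reasons'])}")
```

A port-based filter is only a first pass; the post's second recommendation, watching for exploitation of the tool itself, still needs the tool's own connection logs, since a legitimately approved host used by a compromised account would pass this check.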
govindhtech · 3 months
Text
APT44, Cyber Espionage & More In NATO Cyber Threats
Emboldened and Evolving: NATO Cyber Threats snapshot
As NATO members and partners prepare for a landmark summit, the cyber threat must be considered. Empowered state-sponsored actors, hacktivists, and criminals are willing to cross lines and commit acts previously unthinkable to attack the Alliance. Besides military targets, NATO must address hybrid threats, including harmful cyber activities against hospitals, civil society, and other targets, which could affect contingency resilience. The Ukraine crisis is linked to rising cyber risks, but many will grow separately and simultaneously.
NATO faces clandestine, aggressive cyber actors that gather intelligence, assault key infrastructure, and spread disinformation. Google is closely watching cyber threats, including those in this report, to safeguard its customers and businesses, but this is just a snapshot of a bigger and developing world.
What is Cyber espionage?
Cyber espionage is the act of stealing information without permission over the internet. It is the digital version of traditional espionage.
Cyber espionage
NATO’s enemies have long used Cyber Espionage to gain political, diplomatic, and military insight and acquire defence technologies and economic secrets. However, Alliance intelligence will be crucial in the coming months. This summit represents a transition time, with Mark Rutte as Secretary General and other changes planned to strengthen the Alliance’s defence posture and long-term support for Ukraine. Threat actor Cyber Espionage might weaken NATO’s strategic advantage and inform opponent leadership on how to oppose NATO’s investments and ambitions.
NATO faces global Cyber Espionage from various actors. Many still use simple but successful approaches like social engineering. Others have advanced their tradecraft to become formidable opponents for even the most skilled defenders.
APT29 (ICECAP)
APT29, attributed to the Russian Foreign Intelligence Service (SVR) by various governments, collects diplomatic and political intelligence on Europe and NATO member states. APT29 has committed several high-profile compromises of technology corporations that give public sector access. In the past year, Mandiant has seen APT29 target NATO member technology businesses and IT service providers to compromise government and policy organisations' third-party and software supply chains. The actor is skilled in cloud environments and adept at disguising its tracks, making it hard to detect, monitor, and expel from infiltrated networks.
In addition to spear-phishing NATO members, APT29 has traditionally targeted diplomatic bodies. The actor has breached European and U.S. executive authorities multiple times. They have also targeted political parties in Germany and the U.S. to gather intelligence on potential government policy.
Cyberespionage from China
Recently, Chinese Cyber Espionage has shifted from noisy, easily identifiable operations to stealth. Technical advances have made defending harder and helped NATO member states attack government, military, and commercial targets.
Chinese Cyber Espionage increasingly uses:
Targeting the network edge and exploiting zero-day vulnerabilities in security devices and other internet-facing network infrastructure to limit defence detection. These operators have lowered their risk of user or control identification by using less social engineering. These hackers exploited 12 zero-days (software or hardware vulnerabilities unknown to the vendor, with no patch or fix available, which can be exploited before they can be addressed) in 2023, several in network edge security products. These devices are suitable beachheads in hacked networks because they lack endpoint detection.
Hiding harmful communications via operational relay box (ORB) networks. Threat actors use proxies to mask their malicious traffic on the internet, but proxy tracking is easy. Large ephemeral ORB networks of shared and hacked proxies are used by actors. These networks are hard to trace and hinder infrastructure intelligence sharing for defenders.
Live off the land to avoid defence detection. Some actors utilise non-malware means to break in. Live-off-the-land tactics exploit legitimate system tools, features, and functionalities to traverse networks and commit crimes. Without malware detection and intelligence sharing, defenders are at a disadvantage.
Not just Chinese threat actors use these methods. Russian actors APT29, APT28, and APT44 have employed them.
Cyberattacks that disrupt and destroy
Cyberattacks are increasing, threatening NATO directly and indirectly. Iranian and Russian state actors have been eager to attack NATO countries in recent years, but they have concealed behind phoney fronts that take credit. Mandiant described a 2022 damaging attack on Albania by a purported hacktivist group called “HomeLand Justice” that the U.S. Government subsequently ascribed to Iranian actors.
While demonstrating their ability to launch complex strikes on extremely sensitive operational technology systems in Ukraine, state actors are compromising NATO countries’ key infrastructure for future disruptions. These actors have the means and motivation to disrupt NATO’s key infrastructure.
In addition to state cyberattacks, hacktivist and criminal disruptions are no longer ignorable. Global hacktivist resurgence has caused major attacks on the public and private sectors, making illegal activity a national security threat.
APT44 Sandworm, Frozenbarents
Highly advanced cyber threat outfit APT44, also known as Sandworm, is thought to be backed by Russian military intelligence.
Espionage, disruption, and disinformation efforts are APT44’s specialties. For over a decade, they’ve carried out disruptive malware attacks including BlackEnergy and Industroyer.
APT44 summary:
APT44 has targeted essential infrastructure, government agencies, and international sports organisations. Since the Russia conflict, Ukraine has been a top target.
Tactics: APT44 has many tools to achieve its goals. Supply chain attacks, phishing emails, and software flaws are examples. They may use wiper malware to delete data and disrupt operations.
The range of APT44’s capabilities makes it worrisome. APT44 conducts espionage, sabotage, and influence operations, unlike many APT groups.
The globally devastating NotPetya hack, the Pyeongchang Olympic Games strikes, and the Ukraine outages have all been carried out by APT44. The Russian military intelligence-linked actor has carried out technically complicated interruptions of sensitive operational systems and broad-effect damaging strikes. APT44 has carried out most disruptive assaults in Ukraine and minor attacks in NATO nations since the war.
PRESSTEA (Prestige) ransomware was used against Polish and Ukrainian logistics companies by APT44 in October 2022. The malware was unbreakable and damaging, maybe to demonstrate the group’s ability to harm supply routes carrying lethal aid to Ukraine. APT44’s risk-taking in using a disruptive capacity against a NATO member country is evident in this operation.
Hacktivists
Geopolitical flashpoints like the Russian invasion of Ukraine have sparked a global hacktivism revival. Despite focusing on NATO members, these actors have had mixed results. Many operations are meant to draw attention and create a false sense of uneasiness but cause no lasting damage.
These actors cannot be disregarded despite their flaws. Their attacks draw media attention in target countries and sometimes have catastrophic effects. One of their preferred methods, distributed denial-of-service (DDoS) attacks, is cosmetic but might be used to greater effect during elections. Hacktivists like the pro-Russian organisation Cyber Army Russia Reborn (CARR) are also testing larger strikes on key infrastructure. CARR, which has questionable ties to APT44, has affected U.S., Polish, and French water systems in a series of basic but aggressive acts.
Cybercriminals
Ransomware-related financial disruptions are already disrupting NATO states’ essential infrastructure, causing hospital patient care, energy, and government service failures. Many crooks target this crucial infrastructure despite their promises. Russian-speaking criminals and North Korean state actors seeking espionage funding have regularly attacked U.S. and European healthcare institutions. This threat will likely grow due to these actors’ ability to operate from states with low cyber crime enforcement or extradition agreements and the lucrative nature of ransomware operations.
Information Operations and Disinformation
Information operations have grown in cyber threat activities over the past decade as wars and geopolitical tensions have increased. These operations range from “troll farm” social media manipulation to intricate network intrusions. Russian and Belarusian information operations have targeted NATO member nations to weaken the Alliance’s cohesiveness and goals.
Some Cyber Espionage operators who acquire clandestine intelligence also conduct information operations. In hack-and-leak activities, APT28 and COLDRIVER have used stolen data, while UNC1151 has used infiltration capabilities in more complicated information operations. False and misleading information is used to influence public opinion, foment strife, and advance political goals.
Google vigorously counters these activities across products, teams, and geographies where they break its standards, and disrupts overt and covert information operations campaigns. It reports quarterly in the TAG Bulletin on YouTube channel disruptions, blogs, AdSense accounts, and URLs deleted from Google News surfaces.
Information Operations of Prigozhin Survive
Former Russian industrialist Yevgeniy Prigozhin’s disinformation empire continues, albeit less efficiently, after his death. These campaigns continue to spread disinformation and pro-Russia narratives on many social media platforms, recently emphasising alternative sites, across multiple regions.
These efforts advocate for NATO’s disarmament and claim it causes global instability. They criticise NATO leaders too. These commercials’ substance is heavily influenced by geopolitical events like Russia’s 2022 invasion of Ukraine and other Russian strategic aims. NATO and its member states’ backing for Ukraine has made the Alliance a major target directly and indirectly by becoming involved in matters against Russia’s strategic interests.
COLDRIVER
Russian Cyber Espionage actor COLDRIVER has been linked to the Federal Security Service. The actor often conducts credential phishing attempts against prominent NGOs and retired intelligence and military leaders. Its hack-and-leak operations employed victim mailbox data stolen by COLDRIVER. In 2022, COLDRIVER leaked information to deepen Brexit-related political divides in the UK.
Before that, the actor revealed U.S.-UK trade deals before the 2019 UK election. Originally targeting NATO countries, COLDRIVER expanded in 2022 to include the Ukrainian government and conflict supporters. In March 2022, COLDRIVER campaigns targeted numerous European militaries and a NATO Centre of Excellence for the first time.
Read more on govindhtech.com
0 notes
mariacallous · 5 months
Text
When the activities of Russian hacker groups are exposed in a major public report and tied to a government agency—such as the Russian military's Sandworm unit, which has targeted Ukrainian electrical utilities to trigger three blackouts over the past decade, or the Russian foreign intelligence service's APT29, which is believed to have carried out the notorious SolarWinds supply chain attack—they tend to slink into the shadows and lay low until their next operation.
When the cybersecurity firm Mandiant last month highlighted the Cyber Army of Russia, by contrast, noting its haphazard attacks on Western critical infrastructure and the group's loose ties to the Russian military, the hackers took a very different approach. “Comrades, today the collective rotten West recognized us as the most reckless hacker group 🏆, on which I actually congratulate all of us 🎉," the group posted in Russian to its Telegram channel, along with a screenshot of WIRED's article about the hackers, in which we had described them with that “most reckless” superlative. “As long as they are afraid of us, let them hate us as much as they want.”
After that initial, less-than-friendly exchange of ideas, WIRED reached out to Cyber Army of Russia's Telegram account to continue the conversation. So began a strange, two-week-long interview with the group's spokesperson, “Julia," represented by an apparently AI-generated image of a woman standing in front of Red Square's St. Basil's Cathedral. Over days of intermittent Telegram messages, often interspersed with unsolicited Russian nationalist political talking points, Julia answered WIRED's questions—or at least some of them—laid out the group's ethos and motivations, and explained the rationale for the hackers' months-long cyber sabotage rampage, which initially focused on Ukrainian networks but has more recently included an unprecedented string of attacks hitting US and European water and wastewater systems.
“We have united with the goal and mission of protecting our country in the information space against the background of unprecedented pressure from the United States, the European Union and Ukraine,” Julia wrote in a long opening statement in response to WIRED's questions.
“Our movement finds and hits the vulnerabilities of the Internet resources of both Ukraine and the countries that openly support the gang of terrorists and extremists, led by Zelensky, who are entrenched in power in Kiev,” Julia continued, using a typical Russian government description of the Ukrainian regime that has, in fact, led the defense against a brutal and unprovoked Russian invasion since 2022 that has led to close to 500,000 dead or wounded. “The most important battle is going on here and now for the minds and hearts of people, both living in Russia and Ukraine, and outside the warring countries. And the main weapon in this battle is information technology.”
Sending a Message to … Muleshoe?
Whether or not it's winning hearts and minds, Cyber Army of Russia—which also at times calls itself the Cyber Army of Russia Reborn or People's Cyber Army of Russia—seems to at least be getting some of the attention it seeks. Last week, a group of government bodies including the US National Security Agency, the FBI, the Cybersecurity and Infrastructure Security Agency, the UK's National Cybersecurity Center, and several others issued a joint report warning of “Russian hacktivists” targeting so-called operational technology targets like control systems for water and wastewater utilities. The report warned that victims had “experienced minor tank overflow events” and other disruptions—although it noted the effects were temporary, and the hacktivists had historically exaggerated their hacking's impact.
Those agencies didn't name Cyber Army of Russia. But their warning followed another report from Mandiant that had highlighted the group by name, as well as its attacks on civilian critical infrastructure targets including multiple US-based water utilities and a Polish wastewater utility. In the case of the small West Texas town of Muleshoe, The Washington Post subsequently reported that the group's manipulation of control systems had gone so far as to cause a leak of tens of thousands of gallons of water. In that case and several others, Cyber Army of Russia even posted to the group's Telegram account a screen-capture video of the hacking. In their attack on the Polish wastewater facility, for instance, they set the video to a Super Mario Bros. soundtrack.
So what is the endgame of the group's trollish acts of sabotage? “Our actions on attacks and hacks of websites and computer systems for remote control of mechanisms … is a really powerful and in some cases very effective method of influencing (and not only psychological) the authorities of the countries of Europe and the USA, as well as their regional authorities,” Cyber Army of Russia's representative Julia told WIRED. “With these attacks we are trying to send the following message to the US authorities: If you continue to supply military equipment and make financial injections into the leadership of Ukraine … be prepared for the fact that in any of your settlements, in any industrial system or at a critical infrastructure facility, something may suddenly fail.”
Yet as unprecedented and disturbing as it may be for a Russian hacker group to trigger a significant water leak at a US utility, Cyber Army of Russia still seems at times to comically overestimate the clarity of its threat against Ukraine's allies. In response to a question about the Muleshoe water utility attack specifically, Julia noted that the group's operation is intended to persuade “mainly representatives of the Democratic Party [because] their support for Ukraine is the most significant"—a head-scratching statement given that Muleshoe is in a Texas congressional district that hasn't elected a Democratic representative since 1982.
In other hacking operations like its targeting of a Polish wastewater utility, cybersecurity researchers who watched the video of the attack told WIRED that Cyber Army of Russia appeared to be arbitrarily changing values in the utility's control system software, with no actual disruptive effect. In another case, the hackers posted a video to their Telegram channel claiming that, in response to French president Emmanuel Macron's threat of sending French military personnel to Ukraine, it had hacked a French hydroelectric dam and caused it to stop generating power. In fact, French newspaper Le Monde reported, the group had actually hacked a water mill in a small village and caused its water level to drop by 20 centimeters.
When WIRED pointed out this mistake to Julia, she acknowledged the error but wrote that the group was undeterred by the setback. “It would be correct to consider it experimental,” she wrote of the attempted dam-hacking operation. “In other words, as it often happens in life, the real result did not match the expectation at all. However, we are not very saddened by this fact, there are many hydroelectric power plants in France, so we will still have the opportunity to gain more experience to commit more large-scale sabotage.”
Despite this relatively amateurish track record, Mandiant pointed in its report to evidence linking Cyber Army of Russia to the hacker group known as Sandworm, a cyberwarfare unit of Russia's military intelligence agency the GRU tied to many of Russia's most disruptive cyberattacks of the last decade. Cyber Army of Russia's short-lived YouTube channel, for instance, was created from a computer with an IP address that Mandiant—itself a subsidiary of YouTube's owner Google—had previously tied to Sandworm. Over the last year, Cyber Army of Russia also repeatedly dumped data to its Telegram channel that appeared to have been stolen from Ukrainian hacking targets breached by Sandworm not long before.
When WIRED asked about those ties to Sandworm and the GRU, Julia denied them without directly addressing Mandiant's evidence. “Hundreds of people of different ages, different nationalities, different professions (not related to IT), different levels of computer literacy, different levels of financial wealth and political beliefs joined the ranks of the Cyber Army,” Julia wrote. “We emphasize that despite the fact that there are individual representatives of the Russian security forces in our ranks and some of our participants are professionals in the field of information security, we are a completely people's project that has nothing to do with the GRU, or with any other military special forces, or with hacker groups like Sandworm.”
She later added, somewhat confusingly, that “the Sandworm hacker group does have something in common [with us] … This is the commander-in-chief of our Cyber Army.” It wasn't clear, however, whether that comment was referring to a shared leader overseeing the two groups—or even a kind of imagined ideological leader such as Russian president Vladimir Putin—or whether Julia meant that Sandworm itself gives the Cyber Army its orders, in contradiction to her previous statements. Julia didn't respond to WIRED's requests for clarification on that question or, in fact, to any questions following that comment.
A Hacktivist Hype Machine
Russian information warfare and influence operations experts with whom WIRED shared the full text of the interview noted that, despite Cyber Army of Russia's claims of acting as an independent grassroots organization, it closely adheres to both Russian government talking points as well the Russian military's published information warfare doctrine. The group's rhetoric about changing “minds and hearts” beyond the front lines of a conflict through attacks targeting civilian infrastructure mirrors a well-known paper on “information confrontation” by Russian military general Valery Gerasimov, for instance. Other portions of Julia's comments—an unprompted polemic against “non-traditional sexual relations” and a description of Russia as a conservative cultural “Noah's Ark of the 21st century”—echo similar statements made by Russian leaders and Russian state media.
None of that proves that Cyber Army of Russia has anything more than the thin ties to the GRU that Mandiant uncovered, says Gavin Wilde, a Russia-focused senior fellow at the Carnegie Endowment for International Peace. He argues instead that the group's comments appear to be an attempt to score points with a potential government sponsor, perhaps in the hopes of gaining a more official relationship. “They're really trying to hone their messaging, but not for a Western audience, necessarily, so much as to try to put points on the board domestically and with potential political or financial benefactors in Moscow,” he says.
At one point in the interview with WIRED, in fact, Julia explicitly voiced that request for more official government support. “I really hope that the People's Cyber Army of Russia will have great prospects, that our government agencies will not just pay attention to us, but support our actions, both financially and through the formation of full-fledged cyber troops as part of the Russian Armed Forces,” she wrote.
Outside of the conversation with WIRED, Cyber Army of Russia posts to its Telegram channel in Russian, not English—a strange move for a group that claims to be trying to influence Western politics in its favor. Other Russian influence operations created by the GRU itself, such as the Guccifer 2.0 and DCLeaks fronts created to influence the 2016 presidential election, wrote in English. Even other “hacktivist” groups targeting civilian critical infrastructure, such as Israel-linked Predatory Sparrow, take credit for their attacks in the language of their targets—in Predatory Sparrow's case, posting to Telegram in Persian in an apparent attempt to influence Iranians.
All of that suggests that, despite its claims, Cyber Army of Russia may be currently functioning more as a cheerleading campaign for Russians domestically than a real influence operation targeting the West, says Olga Belogolova, a Russia-focused influence operations researcher at the Johns Hopkins School of Advanced International Studies. If the group is as grassroots and decentralized as it claims to be, it may not even be aware of that disconnect. “These patriotic keyboard warrior types are going to try to curry favor with the government, but they also might be true believers of these talking points,” says Belogolova, adding that the group's Telegram account “feels like a marketing exercise or a tech bro hype machine.”
She points out, though, that the group's exposure by Mandiant and an alert from a half-dozen government agencies suggests that, regardless of the group's intended audience, it's now on Americans' radar, too. As it gains the West's attention, she notes, we shouldn't overblow the threat it represents—and in doing so succumb to its hit-and-miss attempts at instilling fear through its disruptive hacking.
“The more time I spend working on Russia and Russian influence operations,” Belogolova says, "the more I've become a believer that they're very into just hyping themselves up. And then we sometimes fall for the hype, too.”
5 notes · View notes
ari0921 · 6 months
Text
"Miyazaki Masahiro's International Affairs Commentary"
Reiwa 6 (2024), April 16 (Tuesday)
Issue No. 8217
Russian hacker unit attacks Microsoft
What exactly was stolen was withheld from the official announcement
*************************
The US CISA (Cybersecurity and Infrastructure Security Agency) announced on April 11 that "the Russian hacker group 'Midnight Blizzard' compromised the email accounts of Microsoft executives and stole correspondence between the FCEB (Federal Civilian Executive Branch) and Microsoft." HP (Hewlett-Packard) suffered similar damage.

"Midnight Blizzard" began its attacks on Microsoft in November 2023.

On March 8, 2024, Microsoft reported to the U.S. Securities and Exchange Commission (SEC) that "a Russian hacker unit gained, or attempted to gain, unauthorized access to the company's source code repositories and systems" and that "there are signs it is making use of the information obtained in that attack."

There are also reports that cryptographic secrets used in communications with customers were stolen.

Midnight Blizzard has several aliases, including Nobelium, APT29, and Cozy Bear. "Cozy Bear" in particular attacked the Democratic National Committee (DNC) during the 2016 US presidential election.

Another hacker group, "Fancy Bear," is connected to the Main Intelligence Directorate (GRU) of the Russian General Staff.

Cozy Bear, on the other hand, is connected to Russia's foreign intelligence agency, the Foreign Intelligence Service (SVR).

In any case, Moscow-backed hacker groups have been targeting Microsoft since November 2023.
2 notes · View notes
kennak · 7 months
Quote
Microsoft announced that the Russian hacking group "Midnight Blizzard" recently used authentication secrets stolen in a January cyberattack to access some of its internal systems and source code repositories.

In January, Microsoft revealed that Midnight Blizzard (aka NOBELIUM) had breached its corporate email servers after carrying out a password spray attack that granted access to a legacy, non-production test tenant account. In a subsequent blog post, it was revealed that this test account did not have multi-factor authentication enabled, which allowed the attackers to gain access and break into Microsoft's systems.

This test tenant account also had access to an OAuth application with elevated access to Microsoft's corporate environment, allowing the attackers to access corporate mailboxes, including those of members of Microsoft's leadership team and employees in its cybersecurity and legal departments, and steal data. The company believes the attackers broke into some of these email accounts to learn what Microsoft knew about them.

Midnight Blizzard hacks Microsoft again

Microsoft announced today that in recent weeks Midnight Blizzard has been using secrets contained in the stolen data to access some of the company's systems and source code repositories.

"In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access," reads a new blog post from the Microsoft Security Response Center. "This has included access to some of the company's source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised."

Microsoft does not explain exactly what these "secrets" contain, but they are likely authentication tokens, API keys, or credentials.

Microsoft says it has begun contacting customers whose secrets were exposed to the attackers in stolen emails exchanged with Microsoft.

"It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures," Microsoft continued.

According to the company, Midnight Blizzard has also stepped up password spray attacks against targeted systems, with a 10-fold increase observed in February compared to the volume of attacks in January 2024.

Password spraying is a type of brute-force attack in which an attacker collects a list of potential login names and attempts to log in to all of them using a long list of possible passwords. When one password fails, the process is repeated with other passwords until the passwords run out or an account is successfully compromised. For this reason, companies should configure MFA on all accounts to prevent access even if a credential is guessed correctly.

In an amended Form 8-K filing with the SEC, Microsoft said it has strengthened security across the organization to harden it against advanced persistent attackers.

"We have increased our security investments, cross-enterprise coordination and mobilization, and have enhanced our ability to defend ourselves and secure and harden our environment against this advanced persistent threat," the 8-K filing reads. "We are continuing to coordinate with federal law enforcement with respect to its ongoing investigation of the threat actor and the incident."

Who is Midnight Blizzard

Midnight Blizzard (aka Nobelium, APT29, Cozy Bear) is a state-sponsored hacking group linked to Russia's Foreign Intelligence Service (SVR). The hackers became well known after carrying out the 2020 SolarWinds supply chain attack, which allowed the attackers to breach numerous companies, including Microsoft. Microsoft later admitted that the attack allowed Midnight Blizzard to steal source code for a limited number of Azure, Intune, and Exchange components. In June 2021, the hacking group again breached Microsoft corporate accounts, gaining access to customer support tools. Since then, the hacking group has been involved in numerous cyber-espionage attacks targeting embassies and government agencies in NATO and EU countries. In addition to carrying out cyber-espionage and data theft attacks, Nobelium is also known for developing custom malware for use in its attacks.
Microsoft says Russian hackers breached its systems and accessed source code
2 notes · View notes
vroooom2 · 1 year
Text
They used comments on Britney Spears' instagram account as a malware command-and-control mechanism.
APT29/Cozy Bear had done this trick first. Then, the Scientology church copied their technique because their idiotic managers and dumb followers have zero creativity to expand their bullshit Happiness *technology* and their Dianetics brainwashing program.
8 notes · View notes
b2bcybersecurity · 11 days
Text
Situation report: Heavy use of AI by cybercriminals
In its current situation report on the most important IT security trends in the first half of 2024, Trend Micro summarizes some notable findings. Despite several successful law enforcement operations against ransomware and phishing, the threat level remains high. Cybercriminals have learned from the recent successes of the police and are adapting their tactics. Alongside tried-and-tested attack methods, they are increasingly relying on artificial intelligence (AI) and exploiting global events such as the Olympic Games and national elections for their own ends. All of these are findings from the Trend Micro 2024 Midyear Cybersecurity Threat Report.

Cyberattacks: no relief in sight in 2024 either

In the first half of 2024, a primary goal of cybercriminals remained developing fast, inconspicuous and at the same time sophisticated threats and campaigns. During the first half of the year, the Japanese cybersecurity specialist observed cybercriminals targeting misconfigured and unprotected assets in order to penetrate systems covertly and steal sensitive data. Overall, access to vulnerable cloud applications dominated the list of risk events in the first half of 2024. In many cases, a lack of endpoint protection on unmanaged devices also exposed companies to unnecessary risk.

Despite law enforcement successes, the threat landscape remains complex

The ransomware family with the most file detections in the first half of 2024 was LockBit, although detection numbers dropped sharply following the police action "Operation Cronos". Financial institutions were hit hardest by ransomware attacks, closely followed by companies in the technology sector. Regardless of the successful law enforcement measures in the first half of 2024, the threat landscape remains complex:
- LockBit: Despite significant disruption and sanctions, LockBit is trying to hold its position. Trend Micro analyzed a new version, LockBit-NG-Dev, which is written in .NET and could be platform-independent.
- Dropper malware networks: Even after the takedown of botnets such as IcedID and Trickbot, ransomware groups continue to find ways to infiltrate systems, for example by exploiting critical vulnerabilities, abusing remote monitoring and management (RMM) tools, Bring-Your-Own-Vulnerable-Driver (BYOVD) attacks, and the use of custom shell scripts.
- New tools and tactics: Both state-sponsored actors and cybercriminals used compromised routers as an anonymization layer. While groups such as Sandworm use their own proxy botnets, others such as APT29 rely on commercial proxy networks. In one campaign examined, the APT group Earth Lusca used the tense relations between China and Taiwan as a social engineering lure to infect targeted victims.

Actors continue to push the limits of AI

Trend Micro observed threat actors hiding malware in legitimate AI software, operating criminal LLMs (large language models), and even selling jailbreak-as-a-service offerings. The latter allow cybercriminals to trick generative AI bots into answering questions that violate their own policies, in particular to develop malware and social engineering lures. The actors have also refined deepfake offerings to carry out virtual kidnappings, commit targeted fraud in the form of BEC (business email compromise), and bypass KYC (know your customer) checks. For the latter, malware that intercepts biometric data has also been developed. "Cybersecurity has evolved in recent years to keep pace with increasingly complex and targeted attacks," explains Udo Schneider, Governance, Risk & Compliance Lead Europe at Trend Micro. "In the coming years, it will be essential for the security industry to act proactively. Management and security teams must tackle the constantly changing threats and risks with a resilience-oriented, data-driven approach and a comprehensive (cyber) risk management strategy."
0 notes
ericvanderburg · 1 month
Text
Russia-linked APT29 reused iOS and Chrome exploits previously developed by NSO Group and Intellexa
http://i.securitythinkingcap.com/TCYJ4k
0 notes
h1p3rn0v4 · 3 months
Link
"We immediately activated our response team and procedures, launched investigations together with a team of world-renowned cybersecurity experts, and implemented the necessary remediation measures," the company said in a statement.
It also noted that its corporate IT environment is completely isolated from the product environment and that there is no evidence indicating that customer data has been affected as a result of the incident.
0 notes
osintelligence · 1 year
Link
https://bit.ly/3DDMV8X - 🎯 Microsoft Threat Intelligence reports a highly targeted social engineering attack by the threat actor known as Midnight Blizzard (previously tracked as NOBELIUM). This latest effort utilizes credential theft phishing lures sent via Microsoft Teams chats, where compromised Microsoft 365 tenants are used to create domains that appear as technical support entities. The lures attempt to steal credentials by engaging users and eliciting approval of multifactor authentication (MFA) prompts. #MicrosoftTeams #Cybersecurity #MidnightBlizzard 🌍 Fewer than 40 unique global organizations have been affected by this campaign, with likely specific espionage objectives aimed at government, non-government organizations (NGOs), IT services, technology, manufacturing, and media sectors. Microsoft has taken steps to mitigate the attack and has provided affected customers with essential information to secure their environments. #Espionage #ThreatIntelligence 🇷🇺 Midnight Blizzard is attributed as the Foreign Intelligence Service of Russia and is known to primarily target entities mainly in the US and Europe. Their strategies range from stolen credentials to advanced techniques to compromise authentication mechanisms, showing consistent and persistent operational targeting. #APT29 #UNC2452 #CozyBear 🔒 The recent phishing attack illustrates Midnight Blizzard's diverse methodologies, including token theft and social engineering lures using compromised tenants to create security-themed domain names. The attack chain involves using Microsoft Teams to deceive the targeted user into providing authentication codes. 
#Phishing #SocialEngineering #Authentication ⚠️ Microsoft recommends deploying phishing-resistant authentication methods, implementing Conditional Access, defining trusted organizations, keeping auditing enabled, understanding access settings, adhering to security baselines, educating users about social engineering and phishing attacks, and using Conditional Access App Control in Microsoft Defender for Cloud Apps to reduce the risk of this threat.
0 notes
isfeed · 3 months
Text
Remote access giant TeamViewer says Russian spies hacked its corporate network
The remote access giant linked the cyberattack to government-backed hackers working for Russian intelligence, known as APT29. Source: TechCrunch
0 notes
daboom-ru · 3 months
Text
TeamViewer says its network was breached. TeamViewer reported a possible security incident, but clarified that customer and corporate data were apparently not affec... #PC #TeamViewer #ПК #смартфон #телефон https://daboom.ru/teamviewer-zajavljajut-chto-ih-set-byla-vzlomana/?feed_id=31275&_unique_id=667ec112d2af7
0 notes
mariacallous · 3 months
Text
At its campus in Kirkland, Washington, Google is rolling out a face recognition system to detect “unauthorized individuals” and block their access to its offices, according to a document about the plan viewed by CNBC. Security cameras inside Google spaces have already been collecting face data and comparing it to employee badge photos in an attempt to flag people who are not regular employees or part of the broader Google workforce. If the system identifies a person of interest, Google’s “Security and Resilience Services” team will work to identify would-be intruders “who may pose a security risk to Google’s people, products, or locations,” according to the document. People who work at or visit the Kirkland campus will not be able to opt out of having their face data collected by the system, but the document notes that data is collected “strictly for immediate use and not stored.” It adds that employees can opt out of having their badge images stored by Google and that this cache of images is only being used to test the system. The document says that the goal of the program is to “maintain safety and security of our people and spaces.”
1 note · View note
the-hacker-news · 3 months
Text
French Diplomatic Entities Targeted in Russian-Linked Cyber Attacks
The Hacker News : State-sponsored actors with ties to Russia have been linked to targeted cyber attacks aimed at French diplomatic entities, the country's information security agency ANSSI said in an advisory. The attacks have been attributed to a cluster tracked by Microsoft under the name Midnight Blizzard (formerly Nobelium), which overlaps with activity tracked as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, http://dlvr.it/T8XvQM Posted by : Mohit Kumar ( Hacker )
0 notes
kennak · 8 months
Quote
A new phishing attack abuses Microsoft Teams group chat requests to push malicious attachments that install DarkGate malware payloads on victims' systems. According to research by AT&T Cybersecurity, the attackers used what appears to be a compromised Teams user (or domain) to send more than 1,000 malicious Teams group chat invitations. Once a target accepts the chat request, the attackers trick them into downloading a file with the double extension "Navigating Future Changes October 2023.pdf.msi", a common DarkGate tactic. Once installed, the malware reaches out to a command-and-control server at hgfdytrywq[.]com, which Palo Alto Networks has already confirmed to be part of the DarkGate malware infrastructure. This phishing attack is possible because Microsoft allows external Microsoft Teams users to message users on other tenants by default. "Unless absolutely necessary for daily business use, disabling External Access in Microsoft Teams is advisable for most companies, as email is generally a more secure and more closely monitored communication channel," warned Peter Boyle, network security engineer at AT&T Cybersecurity. "As always, end users should be trained to pay attention to where unsolicited messages come from and should be reminded that phishing can come in many forms beyond the usual email."

Teams group chat phishing (enlarged for readability). Image: AT&T Cybersecurity

Microsoft Teams boasts a massive user base of 280 million monthly users, making it an attractive target for threat actors. DarkGate operators take advantage of this to push malware through Microsoft Teams in attacks targeting organizations whose administrators have not secured their tenants by disabling the External Access settings. Last year, similar campaigns were observed pushing DarkGate malware via compromised external Office 365 accounts and Skype accounts, sending messages with VBA loader script attachments. Initial access brokers such as Storm-0324 have also used Microsoft Teams for phishing, breaking into corporate networks with a publicly available tool called TeamsPhisher that exploits a security issue in Microsoft Teams. TeamsPhisher lets attackers send malicious payloads despite client-side protections that should block file delivery from external tenant accounts. APT29, the hacking division of Russia's Foreign Intelligence Service (SVR), exploited the same issue to target dozens of organizations worldwide, including government agencies.
Microsoft Teams phishing pushes DarkGate malware via group chats
2 notes · View notes