Spear-phishing campaign linked to SolarWinds attackers halted following domain seizure

APT29 accused of compromising USAID email account

US authorities have seized two command and control domains linked to a recent spate of spear-phishing emails that posed as messages from the US Agency for International Development (USAID).

The court action and enforcement by the US Justice Department follows a warning by Microsoft of malicious activity by the so-called Nobelium group, the same group of cyber-spies blamed for last year's notorious SolarWinds hack.


Nobelium, tracked as APT29 and more commonly known as 'Cozy Bear', is suspected to be a unit of Russian intelligence linked to its Foreign Intelligence Service (SVR) and associated with its Federal Security Service (FSB).

The web domain seizure enforcement action aims to clamp down on the group's latest campaign.

Compromised account

On or around May 25, malicious parties abused a compromised USAID account at a legitimate mass mailing service to launch a spear-phishing campaign sent to "thousands of email accounts at over 100 entities".

These malicious messages purported to contain a "special alert" from USAID, which was designed to trick potential victims into clicking on a link and visiting a malicious website loaded with malware.


"The seizure of the two domains was aimed at disrupting the malicious actors' follow-on exploitation of victims, as well as identifying compromised victims," according to a US Department of Justice statement on the case.

"However, the actors may have deployed additional backdoor accesses between the time of the initial compromises and last week's seizures."

The attack was ultimately geared towards planting a backdoor on PCs and getting victims infected with the Cobalt Strike attack tool.


As detailed in Microsoft's blog post, the attack was under development for weeks prior to the mass mailing.

For instance, in March, the attackers tried to compromise systems through an HTML file attached to a spear-phishing email, as Microsoft explains:

When opened by the targeted user, a JavaScript within the HTML wrote an ISO file to disk and encouraged the target to open it, resulting in the ISO file being mounted much like an external or network drive.

From here, a shortcut file would execute an accompanying DLL, which would result in Cobalt Strike Beacon executing on the system.

The Cobalt Strike tool received command and control communications via subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com, the two seized domains.
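The two seized domains are the one concrete indicator this article gives defenders. As an added example (not part of the article or any Microsoft or DoJ publication), the script below refangs the defanged indicators as printed above and sweeps a constructed DNS query log for the apex domains or any subdomain, while rejecting look-alike names that merely share a suffix; the log format and sample lines are assumptions.

```python
from typing import List, Tuple

# Indicators exactly as the article prints them (defanged with "[.]").
# The DoJ seized both; Beacon used subdomains of the first for C2.
DEFANGED_C2 = ("theyardservice[.]com", "worldhomeoutlet[.]com")

def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com") back into a matchable domain."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower().strip(".")

SEIZED_C2_DOMAINS = tuple(refang(d) for d in DEFANGED_C2)

def matches_seized_domain(qname: str) -> bool:
    """True for the apex domain or any subdomain of it (case- and trailing-dot-insensitive).
    A name that only ends in the same characters (nottheyardservice.com) or that
    embeds the domain as a prefix label (theyardservice.com.lookalike.test) is not a hit."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in SEIZED_C2_DOMAINS)

# Constructed sample DNS query log (not real telemetry): "<utc time> <client ip> <qname>"
SAMPLE_DNS_LOG = """\
2021-05-25T14:01:02Z 10.0.0.12 cdn.example.org
2021-05-25T14:01:07Z 10.0.0.12 a1b2c3.theyardservice.com
2021-05-25T14:02:11Z 10.0.0.31 WORLDHOMEOUTLET.COM.
2021-05-25T14:02:15Z 10.0.0.31 nottheyardservice.com
2021-05-25T14:03:00Z 10.0.0.40 theyardservice.com.lookalike.test
"""

def flag_dns_lines(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (time, client, qname) for every query to a seized domain or subdomain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip it rather than abort the whole sweep
        ts, client, qname = parts[:3]
        if matches_seized_domain(qname):
            hits.append((ts, client, qname))
    return hits

if __name__ == "__main__":
    for hit in flag_dns_lines(SAMPLE_DNS_LOG):
        print("C2 indicator hit:", *hit)
```

Hosts that resolved either domain before the seizure are the ones the DoJ statement warns may carry additional backdoors and deserve a host-level review, not just a block.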
