The state-backed group behind the SolarWinds supply chain attack is using spear phishing to go after diplomats and deploy a new strain of malware.
Threat analysts at cybersecurity firm Mandiant have discovered a new APT29 cyberattack once again targeting diplomats and government agencies.
APT29 is a cyber espionage group believed to be sponsored by the Russian Foreign Intelligence Service, the SVR; Microsoft publicly tracks the same activity as Nobelium, Mandiant said. APT29 is the group responsible for the 2021 SolarWinds supply chain attack.
While Mandiant has been tracking APT29 phishing activity targeting diplomats around the world since early 2020, this year's attacks use two new malware families, BEATDROP and BOOMMIC, together with BEACON. The APT29 malware uses Atlassian's popular Trello project management tool for command and control (C2), storing victim information there and retrieving AES-encrypted shellcode payloads through it.
“For anyone involved in politics, it’s critical to understand that they may be targeted because of the information they have, or even just the contacts they may have,” said Erich Kron, a security awareness advocate at the online cyber security training firm KnowBe4. “In situations like embassies, which act as sovereign soil in foreign countries, and for diplomats within them, information about activities occurring within the region would be a gold mine for adversaries.”
To trick victims into downloading malware-laden files, APT29 sent phishing emails disguised as administrative updates from the embassy, Mandiant said in a blog post about the attacks. To get past spam filters, APT29 used legitimate email addresses belonging to other diplomatic entities and targeted large lists of publicly available embassy personnel.
The emails used the malicious HTML dropper ROOTSAW (also known as EnvyScout) to deliver and decode an IMG or ISO file; either can be written to disk and used to execute a malicious .DLL file containing the BEATDROP downloader. APT29 also uses the BEACON downloader for the same purpose.
Once BEATDROP or BEACON has opened a backdoor into the victim’s network, the attackers quickly deploy BOOMMIC to gain deeper access to the environment. BOOMMIC (called VaporRage by Microsoft) is a shellcode downloader that communicates with a C2 server over HTTP; once activated, its main job is to download shellcode payloads into the memory of the target machine, Mandiant said.
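Two of the behaviours described above leave clear traces in endpoint telemetry: a browser writing an ISO or IMG file to disk followed by a Windows loader executing a DLL from the mounted image, and a loader process (rather than a browser) talking to the Trello API. The following detection logic is an added example written for this article; it is not code from Mandiant or from the malware, and the Sysmon-style events it runs over are constructed, with invented hosts, paths and file names. The 15-minute correlation window and the drive-letter heuristic for a mounted image are assumptions a defender would tune to their own environment.

```python
"""Added example: correlate constructed endpoint events for the ISO/IMG -> DLL
delivery chain and for a non-browser process contacting the Trello API.
Event records are simplified Sysmon-style dicts (constructed, not real logs)."""
import re
from datetime import datetime, timedelta

# Constructed sample events: id 11 = file create, id 1 = process create,
# id 3 = network connection. Host names, users and paths are invented.
SAMPLE_EVENTS = [
    {"ts": "2022-04-26T09:14:02", "id": 11, "host": "WS01",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\alice\Downloads\Embassy_Update.iso"},
    {"ts": "2022-04-26T09:14:40", "id": 1, "host": "WS01",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe D:\update.dll,Start",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2022-04-26T09:15:10", "id": 3, "host": "WS01",
     "image": r"C:\Windows\System32\rundll32.exe",
     "dest_host": "api.trello.com", "dest_port": 443},
    # Benign noise: a browser reaching Trello, and an ordinary rundll32 call.
    {"ts": "2022-04-26T10:02:00", "id": 3, "host": "WS02",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.trello.com", "dest_port": 443},
    {"ts": "2022-04-26T10:30:00", "id": 1, "host": "WS02",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
]

BROWSERS_AND_MAIL = {"firefox.exe", "chrome.exe", "msedge.exe", "outlook.exe"}
LOADERS = {"rundll32.exe", "regsvr32.exe"}
TRELLO_HOSTS = {"api.trello.com", "trello.com"}
DISK_IMAGE_EXT = (".iso", ".img")
WINDOW = timedelta(minutes=15)  # assumed gap between download and execution
# Heuristic: a DLL loaded from any drive other than C: (a mounted image is
# assigned a new drive letter).
MOUNTED_DLL = re.compile(r"\b([D-Z]):\\(\S+?\.dll)\b", re.IGNORECASE)


def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_disk_image_execution(events):
    """Flag a loader running a DLL from a non-C: drive shortly after a browser
    or mail client wrote a .iso/.img file on the same host."""
    downloads = [e for e in events
                 if e["id"] == 11
                 and e["target"].lower().endswith(DISK_IMAGE_EXT)
                 and _name(e["image"]) in BROWSERS_AND_MAIL]
    findings = []
    for e in events:
        if e["id"] != 1 or _name(e["image"]) not in LOADERS:
            continue
        match = MOUNTED_DLL.search(e["cmdline"])
        if not match:
            continue
        for d in downloads:
            gap = _ts(e) - _ts(d)
            if d["host"] == e["host"] and timedelta(0) <= gap <= WINDOW:
                findings.append({"rule": "disk_image_dll_execution",
                                 "host": e["host"], "image_file": d["target"],
                                 "dll": match.group(0), "cmdline": e["cmdline"]})
    return findings


def find_trello_from_non_browser(events):
    """Flag connections to the Trello API from anything that is not an
    interactive browser or mail client."""
    return [{"rule": "trello_api_non_browser", "host": e["host"],
             "process": _name(e["image"]), "dest": e["dest_host"]}
            for e in events
            if e["id"] == 3
            and e.get("dest_host", "").lower() in TRELLO_HOSTS
            and _name(e["image"]) not in BROWSERS_AND_MAIL]


def analyse(events=SAMPLE_EVENTS):
    """Run both rules and return their findings keyed by rule."""
    return {"disk_image_execution": find_disk_image_execution(events),
            "trello_c2": find_trello_from_non_browser(events)}


if __name__ == "__main__":
    for rule, hits in analyse().items():
        for hit in hits:
            print(rule, hit)
```

On the constructed input, only workstation WS01 is flagged by both rules; the Chrome session on WS02 is ignored because the Trello rule is an allow-list on the connecting process, not on the destination. In a real deployment the allow-list, the loader set and the correlation window are the parameters to tune, and the mounted-image heuristic is better replaced by the actual volume-mount event where the EDR exposes one.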
BEACON is a multipurpose tool that also captures keystrokes and screenshots and can act as a proxy server. It can also collect system credentials, perform port scans, and list systems on a network.
Once inside the network, the attackers can escalate privileges and move laterally within hours: using Kerberos tickets in Pass-the-Ticket attacks, exploiting misconfigured certificate templates to impersonate administrators, and issuing malicious certificates to jump directly from low privileges to domain administrator. Such certificates can also give the attacker long-term persistence in the victim’s environment. APT29 performs extensive reconnaissance of hosts and the Active Directory environment in search of credentials, Mandiant said.
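The certificate template misconfiguration referred to above is, in the widely documented form, a template that lets the requester choose the subject name, is valid for client authentication, needs no approval, and is open to low-privileged enrollees; all four together let an ordinary account obtain a logon certificate for another principal. The audit below is an added example, not Mandiant's tooling or anything from the report: it evaluates constructed template records whose field names mirror the relevant AD CS attributes (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage and the enrollment ACL), and the template names and values are invented. Pulling real templates out of the Configuration partition with an LDAP client is left to the reader.

```python
"""Added example: audit constructed AD CS certificate template records for the
combination of settings that lets a low-privileged enrollee request a logon
certificate for an arbitrary principal."""

# Real flag values (subset): enrollee-supplied subject lives in
# msPKI-Certificate-Name-Flag; "CA certificate manager approval" lives in
# msPKI-Enrollment-Flag; msPKI-RA-Signature is the number of authorized
# signatures required on the request.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that make a certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users",
                       "Domain Computers", "Everyone"}

# Constructed template records (invented names and settings).
SAMPLE_TEMPLATES = [
    {"name": "User", "name_flag": 0, "enrollment_flag": 0, "ra_signature": 0,
     "ekus": {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"},
     "enroll": {"Domain Users"}},                          # subject built from AD
    {"name": "LegacyVPNClient", "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "enrollment_flag": 0, "ra_signature": 0,
     "ekus": {"1.3.6.1.5.5.7.3.2"}, "enroll": {"Domain Users"}},   # all four met
    {"name": "WebServer", "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "enrollment_flag": 0, "ra_signature": 0,
     "ekus": {"1.3.6.1.5.5.7.3.1"}, "enroll": {"Authenticated Users"}},  # server auth only
    {"name": "ApprovedAdminLogon", "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "enrollment_flag": CT_FLAG_PEND_ALL_REQUESTS, "ra_signature": 0,
     "ekus": {"1.3.6.1.5.5.7.3.2"}, "enroll": {"Domain Users"}},   # manager approval
    {"name": "PKIAdminsOnly", "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "enrollment_flag": 0, "ra_signature": 0,
     "ekus": {"1.3.6.1.5.5.7.3.2"}, "enroll": {"PKI Admins"}},     # restricted enrollees
]


def template_risk(template):
    """Return the list of risk conditions a template meets; a template that
    meets all four is the misconfiguration the article describes."""
    reasons = []
    if template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject")
    # An empty EKU set means no usage restriction at all, so it counts too.
    if template["ekus"] & AUTH_EKUS or not template["ekus"]:
        reasons.append("usable for client authentication")
    if (not template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS
            and template["ra_signature"] == 0):
        reasons.append("no manager approval or authorized signature required")
    if template["enroll"] & LOW_PRIV_PRINCIPALS:
        reasons.append("low-privileged principals can enroll")
    return reasons


def audit_templates(templates=SAMPLE_TEMPLATES):
    """Map the name of each fully misconfigured template to its reasons."""
    findings = {}
    for template in templates:
        reasons = template_risk(template)
        if len(reasons) == 4:
            findings[template["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_templates().items():
        print(f"{name}: " + "; ".join(reasons))
```

Only LegacyVPNClient is reported on the constructed data; the other templates each miss one condition, which is exactly the point of the check: removing any one of the four (clearing the enrollee-supplied-subject flag, dropping the authentication EKU, requiring manager approval, or narrowing the enrollment ACL) closes the path, and the template that needs fixing is the one where all four still hold.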
“This campaign highlights the importance of implementing a cybersecurity culture that goes beyond relying on top-of-the-line preventative controls,” said Chris Clements, vice president of solutions architecture at Cerberus Sentinel. “Controls like [network] segmentation, proactive system and application hardening, and restricting user access to only what is necessary for their job functions make an attacker’s job much more difficult. In-depth monitoring for suspicious activity and threat hunting also increases the chances that an attacker can be quickly detected and rooted out by the incident response team before widespread damage is done.”