
Russian cyber threat actors have been held responsible for a state-sponsored campaign targeting Western logistics entities and technology companies since 2022.
The activity has been assessed to be orchestrated by APT28 (aka BlueDelta, Fancy Bear, or Forest Blizzard), which is linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Services Center, Military Unit 26165.
The targets of the campaign include companies involved in the coordination, transport, and delivery of foreign aid, according to a joint advisory issued by agencies from Australia, Canada, Czechia, Denmark, Estonia, France, Germany, the Netherlands, Poland, the United Kingdom, and the United States.
The bulletin said, "This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mixture of previously disclosed TTPs and is likely connected to these actors' wide-scale targeting of IP cameras in Ukraine and bordering NATO nations."
The disclosure comes weeks after the French Foreign Ministry accused APT28 of carrying out cyber attacks on a dozen entities, including ministries, defense firms, research institutions, and think tanks, since 2021 in an attempt to destabilize the country.
Then last week, ESET detailed a campaign dubbed Operation RoundPress, stating that it has been exploiting Cross-Site Scripting (XSS) vulnerabilities in various webmail services, including Roundcube, Horde, MDaemon, and Zimbra, since 2023 to target entities in Eastern Europe, as well as in Africa and elsewhere in Europe.
According to the latest advisory, the cyber attacks orchestrated by APT28 involve a combination of techniques, including spear-phishing and modifying Microsoft Exchange mailbox permissions.
The primary targets of the campaign include entities in the defense, transport, maritime, air traffic management, and IT services sectors in NATO member states and Ukraine. Dozens of entities in Bulgaria, Czechia, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States are estimated to have been targeted.
Initial access to the targeted networks is said to have been facilitated by seven different methods:
- Brute-force attacks to guess credentials
- Spear-phishing attacks for credential harvesting, using fake login pages that impersonate government agencies and Western cloud email providers and are hosted on free third-party services or compromised SOHO devices
- Spear-phishing attacks to deliver malware
- Exploitation of the Outlook NTLM vulnerability (CVE-2023-23397)
- Exploitation of Roundcube vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)
- Exploitation of internet-facing infrastructure such as corporate VPNs using public vulnerabilities and SQL injection
- Exploitation of the WinRAR vulnerability (CVE-2023-38831)
Once Unit 26165 actors gain a foothold using one of the above methods, the attacks proceed to the post-exploitation phase, including reconnaissance to identify additional targets in key positions, those responsible for coordinating transport, and other companies collaborating with the victim entity.
The attackers have also been observed using tools such as Impacket, PsExec, and Remote Desktop Protocol (RDP) for lateral movement, as well as Certipy and ADExplorer.exe to exfiltrate information from Active Directory.
"The actors took steps to identify and exfiltrate the list of Office 365 users and set up email collection," the agencies said. "The actors used manipulation of mailbox permissions to set up email collection at compromised logistics entities."
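One defensive check suggested by the mailbox-permission manipulation described above, as an added example that is not part of the advisory or this article: a Python function that scans Exchange / Microsoft 365 admin audit records for a single grantee receiving FullAccess or SendAs on several mailboxes within a short window. The records, addresses and thresholds are constructed for illustration.

```python
"""Detect mass mailbox-permission grants in Exchange / Microsoft 365 admin audit records.
Constructed example (not the advisory's code): records mimic Exchange admin audit entries."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: one grantee given FullAccess on several mailboxes within
# minutes (the pattern behind "set up email collection"), plus one routine delegate grant.
SAMPLE_RECORDS = [
    {"CreationTime": "2025-05-01T09:00:00", "Operation": "Add-MailboxPermission",
     "UserId": "admin@corp.example", "Parameters": {"Identity": "cfo@corp.example",
     "User": "svc-sync@corp.example", "AccessRights": "FullAccess"}},
    {"CreationTime": "2025-05-01T09:04:00", "Operation": "Add-MailboxPermission",
     "UserId": "admin@corp.example", "Parameters": {"Identity": "logistics@corp.example",
     "User": "svc-sync@corp.example", "AccessRights": "FullAccess"}},
    {"CreationTime": "2025-05-01T09:11:00", "Operation": "Add-MailboxPermission",
     "UserId": "admin@corp.example", "Parameters": {"Identity": "transport-ops@corp.example",
     "User": "svc-sync@corp.example", "AccessRights": "FullAccess"}},
    {"CreationTime": "2025-05-01T14:30:00", "Operation": "Add-MailboxPermission",
     "UserId": "helpdesk@corp.example", "Parameters": {"Identity": "ceo@corp.example",
     "User": "assistant@corp.example", "AccessRights": "FullAccess"}},
]

WATCHED_OPS = {"Add-MailboxPermission", "Add-RecipientPermission"}
WATCHED_RIGHTS = {"FullAccess", "SendAs"}


def find_mass_permission_grants(records, threshold=3, window=timedelta(hours=1)):
    """Return {grantee: sorted mailboxes} for every grantee that received FullAccess or
    SendAs on at least `threshold` distinct mailboxes inside any `window`-long span."""
    grants = defaultdict(list)  # grantee -> [(time, mailbox)]
    for r in records:
        p = r.get("Parameters", {})
        if r.get("Operation") in WATCHED_OPS and p.get("AccessRights") in WATCHED_RIGHTS:
            grants[p["User"]].append((datetime.fromisoformat(r["CreationTime"]), p["Identity"]))
    hits = {}
    for grantee, items in grants.items():
        items.sort()
        for i, (start, _) in enumerate(items):  # slide the window forward from each grant
            boxes = {box for t, box in items[i:] if t - start <= window}
            if len(boxes) >= threshold:
                hits[grantee] = sorted(boxes)
                break
    return hits


if __name__ == "__main__":
    for grantee, boxes in find_mass_permission_grants(SAMPLE_RECORDS).items():
        print(f"ALERT: {grantee} granted access to {len(boxes)} mailboxes: {boxes}")
```

In production the records would come from the unified audit log or Exchange admin audit log export rather than the inline sample, and the threshold should be tuned to the organisation's normal delegation volume.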
Another notable aspect of the intrusions is the use of malware families such as HEADLACE and MASEPIE to establish persistence on compromised hosts and harvest sensitive information. There is no evidence that malware variants such as OCEANMAP and STEELHOOK have been used to directly target the logistics or IT sectors.
For data exfiltration, the threat actors rely on various methods depending on the victim environment, often using PowerShell commands to create ZIP archives and upload the collected data to their own infrastructure, or pulling information directly from email servers via email services such as Internet Message Access Protocol (IMAP).
"As Russian military forces failed to meet their military objectives and Western countries provided aid to support the regional defense of Ukraine, Unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of assistance," the agencies said. "These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid."
The disclosure comes as Cato Networks revealed that suspected Russian threat actors are abusing Tigris Object Storage, Oracle Cloud Infrastructure (OCI) Object Storage, and Scaleway Object Storage to host fake reCAPTCHA pages that use the ClickFix technique to trick users into installing Lumma Stealer.
"The recent campaign, which took advantage of Tigris Object Storage, OCI Object Storage, and Scaleway Object Storage, builds on earlier methods and introduces new delivery mechanisms with the aim of evading detection and targeting technically skilled users," researchers Domingo and Agayev said.