Mandiant: SolarWinds Attackers Continue to Innovate –

Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance & Risk Management

Suspected Russian Group Hitting Cloud, Managed Service Providers

Mandiant: SolarWinds Attackers Continue to Innovate
Russian state hackers are using new stealth tactics. (Picture: Pixabay)

A suspected Russian group blamed for the SolarWinds compromise in 2020 is continuing to innovate and has been infiltrating technology services and resellers, according to a new report from Mandiant.

See Also: Live Discussion | Securing Business Growth: The Road to 24/7 Threat Detection and Response

Mandiant says the group, which it calls UNC2452 and Microsoft calls Nobelium, practices “top-notch operational security and advanced tradecraft.” Mandiant says the group is “one of the toughest actors we have encountered” (see Nobelium Makes Russia Leader in Cyberattacks).

“However, they are fallible, and we continue to uncover their activity and learn from their mistakes,” Mandiant says in a report released Monday. “Ultimately, they remain an adaptable and evolving threat that must be closely studied by defenders seeking to stay one step ahead.”

The U.S. government has connected the group to Russia’s foreign intelligence services. Mandiant says it has been seeing clusters of activity likely related to UNC2452 that is targeting multiple cloud solution providers and managed service providers. The attackers are using credentials likely obtained from an information-stealer malware campaign by a third-party actor to gain initial access to organizations.

“We have seen this threat actor ultimately target government entities, consulting organizations and NGOs in North America and Europe who directly have data of interest to the Russian government,” says Douglas Bienstock, manager, consulting at Mandiant.

Bienstock says that the adversaries in some cases first compromised technology solutions, services and reseller companies in North America and Europe that have access to targets that are of interest to them.

The researchers discovered that post-compromise activities by these groups included the theft of data relevant to Russian interests. They also used the stolen data to create new routes to access other victim environments.

“The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts,” according to Mandiant’s report.

Custom-Made Malware

Researchers identified a Cobalt Strike Beacon — a backdoor written in C/C++ that is part of the Cobalt Strike framework — that supports backdoor commands, such as shell command execution, file transfer, file execution and file management.

Beacon is also capable of capturing keystrokes and screenshots as well as acting as a proxy server.

“Beacon may also be tasked with harvesting system credentials, port scanning and enumerating systems on a network. Beacon communicates with a command and control server via HTTP(S) or DNS,” the researchers write.

Another custom-developed malware dubbed Ceeloader, written in the C programming language, supports shellcode payloads that are executed in memory.

“An obfuscation tool has been used to hide the code in Ceeloader in between large blocks of junk code with meaningless calls to the Windows API. The meaningful calls to the Windows API are hidden within obfuscated wrapper functions that decrypt the name of the API and dynamically resolve it before calling,” the researchers say.

How the malware is distributed is still unknown.

Intrusion Activities

The researchers observed multiple instances in which threat actors compromised service providers and used privileged access and credentials belonging to these providers to compromise further downstream customers.

One instance observed by Mandiant researchers included a threat actor compromising a local VPN account and using this VPN account to perform reconnaissance and gain access to internal resources within the victim’s cloud service provider environment. This led to the compromise of internal domain accounts.

In another campaign, Mandiant observed the threat actors gaining access to the victim organization’s Microsoft 365 environment using a stolen session token.

The researchers assess with moderate confidence that the threat actor obtained the session token from the operators of the info-stealer malware. The tokens were used via public VPN providers to authenticate to the target’s Microsoft 365 environment.

Mandiant researchers say that they found evidence that the actors used Remote Desktop Protocol to pivot between systems that had limited internet access and used several devices to execute native Windows commands.

Operational Security

There is evidence of the threat actors compromising several accounts for reconnaissance, while the others were reserved for lateral movement within the organization, Mandiant reports.

“Mandiant identified attempts to compromise multiple accounts within an environment and kept use of each account separated by function. This reduced the likelihood that detecting one activity could expose the entire scope of the intrusion,” the researchers write.

The researchers previously reported that the threat actors used strict operational security for a specific account or systems in a victim environment for higher-risk activities, such as data theft and large-scale reconnaissance.

Once they enter an environment, the threat actors pivot to on-premises servers and crawl through them for technical documentation and credentials. Mandiant says that helps them to identify a route to gain access to their ultimate target’s network.

“This reconnaissance shows that the threat actor had a clear end goal in mind and was able to identify and exploit an opportunity to obtain required intelligence to further their goals,” the researchers say.

The Mandiant researchers also observed the threat actors avoid detection by deleting system logging within the victim’s environment. The threat actors also disabled SysInternals Sysmon and Splunk forwarders on victim machines that they accessed via Microsoft Remote Desktop.

Mandiant also saw the threat actors use residential IP address ranges to authenticate to victim environments. By doing so, the source logon IP address will belong to a major internet service provider that serves customers in the same country as the victim environment and may be less likely to raise suspicion.

The researchers also say that they identified the threat actors hosting second-stage payloads as encrypted blobs on legitimate websites running WordPress, and in multiple campaigns researchers witnessed the use of TOR, Virtual Private Servers — or VPS, and public Virtual Private Networks — or VPNs — to access victim environments.

Source of this news:

Related posts:

How to Run Etherpad Lite on Ubuntu 20.04 LTS - BollyInside
This tutorial is about the How to Run Etherpad Lite on Ubuntu 20.04 LTS. We will try our best so that you understand this guide. I hope you like this blog How to Run Etherpad Lite on Ubuntu 20.04 LTS...
Dallas Invents: 129 Patents Granted for Week of March 2 » Dallas Innovates -
Dallas Invents is a weekly look at U.S. patents granted with a connection to the Dallas-Fort Worth-Arlington metro area. Listings include patents granted to local assignees and/or those with a N...
Be pressent Microsoft's new Bug Attack and win rewards 1st WindowsReport. com
by Alexandru Poloboc News Editor With an overpowering decision to always get to the bottom involving things and uncover the fact remains, Alex spent most of the puppy's time working ...
Five secret Signal tips and tricks you might not know about - The Indian Express
Signal is one of the more popular messaging applications right now. While it isn’t the most feature-packed app, like its rivals WhatsApp and Telegram, Signal is big on all things privacy. The app’s m...
Windows 11 VPN not working? Here's how to fix it -
by Matthew Adams Windows & Software Expert Matthew is a freelancer who has produced a variety of articles on various topics related to technology. His main focus is the Windows OS an...
Network Server Management: Datadog vs. NetCrunch | ENP - EnterpriseNetworkingPlanet
A server is a segment of computer hardware or software that provides functionality such as computing resources, data, programs, and services for other programs or devices called clients. This archite...
What's new with the Settings app on Windows 11 - Windows Central
Source: Windows Central Windows 11 also comes with a wholly redesigned Settings app that accounts for a large percentage of the visual changes in this new OS. The new application features an updated ...
Roblox Teleport Failed Error Codes 769, 770, 772, 773 on Windows PC - TWCN Tech News
If when you try to use the Roblox Teleport Function to teleport in Roblox the online game platform on your Windows 11 or Windows 10 computer, but you receive any of the following Error Codes 769, 770...
Russia's Attempts to Ban Twitter, Telegram, and Other Sites Keep Failing - Foreign Policy
On March 16, Russia’s internet and media regulator, Roskomnadzor, threatened to block access to Twitter from within Russia in 30 days if the platform failed to comply with government demands to dele...
What's Microsoft Defender for Identity and Why Should I Use It? - Virtualization Review
What's Microsoft Defender for Identity and Why Should I Use It? By Paul Schnackenburg02/28/2022 As the threat of increased cyberattacks looms, many businesses are looking at different tools to ...
Building Networks on the Fly - IEEE Spectrum
By the early 1990s, IBM and Hewlett-Packard, as well as Canon, Hitachi, Ricoh, and other large makers of office equipment, had realized that customers expanding their networks with new copiers and o...
Xbox game app not downloading and / or installing on Windows LAPTOP OR COMPUTER - TWCN Tech Data
Some sort of Xbox software for Windows 11/10 allows users to take part in games against the Microsoft Store with other Xbox players, create scoreboards, share their social advertising content, a...
iOS 15 Privacy Guide: Private Relay, Hide My Email, Mail Privacy Protection, App Reports and More - ...
With every new version of iOS, Apple makes an effort to provide new privacy and security-focused features to make the iPhone and iPad more secure, and iOS 15 is no exception. It is, in fact, a huge l...
NordVPN Black Friday Sale: Save 72% on a 2-Year Plan / PCMag UK
Get two years about secure browsing for as little as £2. 44 per month. NordVPN is offering these two years of service for £2. 44 per month — that's 72% there are many regular retail price a...
A pre‐systematic review on the use of masks as a protection material for SARS‐COV‐2 during the COVID...
PubMed 16 To evaluate the effectiveness of protective equipment (UK)12 Effectiveness of protective equipment 1 volunteer (healthy) Three tests: Hat, goggles, mask and gown (Test 1); Hat, gogg...
X-Force Threat Intelligence: Monthly Malware Roundup - Security Intelligence
X-Force Threat Intelligence: Monthly Malware Roundup <!-- --> Today’s reality means that organiz...
SUPPORT TALK WITH MIKE: Use CloudFlare to speed up your business own site - Washington Times Herald
There are three key components that are important when obtaining a host for your business net page: speed, security and scalability. A fast website can encourage search engine ranking, improve t...
Exactly what GeyserMC and how to install it to suit Minecraft - Sportskeeda
Playing much more than a multiplayer server is one of the a great deal more entertaining things Minecraft grinders can do, but the game's needs on platforms can still end up in issues. Despite t...

IP Rotating Proxy Onsale


First month free with coupon code FREE30