Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity: High
The Russia-linked state-sponsored threat actor BlueBravo, also known as APT29, Cloaked Ursa, Midnight Blizzard, and Nobelium, has been detected targeting diplomatic entities in Eastern Europe through a spear-phishing campaign. The group's objective is to infect recipients with a newly identified backdoor called GraphicalProton. This campaign was observed between March and May 2023.
To obfuscate their command-and-control (C2) communications, the threat actors are abusing legitimate internet services (LIS), expanding the range of services misused for this purpose. In January 2023, BlueBravo was observed using a themed lure to deliver another type of malware called GraphicalNeutrino. However, GraphicalProton differs from GraphicalNeutrino in terms of C2 communication, as it now uses Microsoft’s OneDrive or Dropbox for this purpose instead of Notion.
Both GraphicalNeutrino and GraphicalProton serve as loaders, with the latter being staged within ISO or ZIP files delivered via phishing emails. The attackers distribute ISO files containing .LNK files disguised as .PNG images of a BMW car supposedly for sale. When the .LNK file is opened, it triggers the GraphicalProton infection chain. The attackers use Microsoft OneDrive as their C2 server and periodically poll a folder in the storage service to fetch additional payloads.
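The lure layout described above (an email-delivered ISO or ZIP carrying a .LNK shortcut named to look like a .PNG image) is something a mail gateway or sandbox can flag before a user ever opens it. The following Python script is an added example written for this advisory; it is not code from the original page or from any tool Rewterz or the researchers describe. It inspects ZIP members only (the standard library has no ISO reader, so ISO handling would need an extra library such as pycdlib, which is left out here), and the archive contents, file names, and "BMW for sale" naming are constructed samples that mimic the reported lure.

```python
import io
import re
import zipfile

# Image extensions an attacker chains in front of .lnk so the shortcut passes as a picture.
IMAGE_EXTS = ("png", "jpg", "jpeg", "gif", "bmp")

# Matches names like "car.png.lnk" or "CAR.JPG.LNK": an image extension immediately followed by .lnk.
DISGUISED_LNK = re.compile(r"\.(" + "|".join(IMAGE_EXTS) + r")\.lnk$", re.IGNORECASE)


def suspicious_entries(names):
    """Return (member_name, reason) pairs for archive members that look like a shortcut lure.

    Two tiers: a shortcut carrying a fake image extension is the strongest signal;
    any other .lnk inside an email-delivered archive is still worth a second look.
    """
    findings = []
    for name in names:
        base = name.rsplit("/", 1)[-1]  # strip any directory prefix inside the archive
        if DISGUISED_LNK.search(base):
            findings.append((name, "shortcut disguised as image"))
        elif base.lower().endswith(".lnk"):
            findings.append((name, "shortcut inside email-delivered archive"))
    return findings


def scan_zip_bytes(data):
    """Scan an in-memory ZIP (e.g. a mail attachment) without extracting any member."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return suspicious_entries(zf.namelist())


def build_sample_zip():
    """Constructed sample archive: file names imitate the advisory's lure, contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BMW_5_Series_for_sale.png.lnk", b"dummy bytes, not a real shortcut")
        zf.writestr("photos/bmw_front.jpg", b"dummy image bytes")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip_bytes(build_sample_zip()):
        print(f"{member}: {reason}")
```

The check runs on the central directory alone, so nothing from the attachment is written to disk or executed; a real deployment would run `scan_zip_bytes` on each archive attachment and quarantine the message on any "disguised as image" finding.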
The analysis by researchers suggests that BlueBravo prioritizes cyber-espionage efforts against European government sector entities, potentially due to the Russian government’s interest in strategic data during and after the war in Ukraine. Given the ongoing conflict in Ukraine, it is expected that BlueBravo will continue to view government and diplomatic institutions as high-value targets in the foreseeable future. These organizations may provide valuable insights into the decision-making processes of governments allied with Ukraine, which makes them attractive targets for BlueBravo and its Russian intelligence consumers.