Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity: High
Russian threat actors are reportedly involved in an ongoing campaign that targets the foreign affairs ministries of NATO-aligned nations. This campaign employs phishing attacks that utilize PDF documents with diplomatic-themed lures, some of which are crafted to appear as if they originate from Germany. The purpose is to deliver a variant of the Duke malware, which has been attributed to the APT29 group, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes.
“The threat actor used Zulip – an open-source chat application – for command-and-control, to evade and hide its activities behind legitimate web traffic,” researchers added.
The attack sequence involves an attachment named “Farewell to Ambassador of Germany,” which includes JavaScript code to initiate a multi-stage process for establishing a persistent backdoor within compromised networks. The use of Zulip, an open-source chat application, for command-and-control purposes allows the threat actor to hide their activities behind legitimate web traffic. The compromised networks communicate with an actor-controlled chat room, indicating remote control over the compromised hosts.
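A first triage step a defender can take against the PDF-with-JavaScript lure described above is to check incoming PDFs for the name objects that carry script or auto-run behaviour (/JavaScript, /JS, /OpenAction, /AA, /Launch). The script below is an added example written for this advisory, not code from Rewterz or from the researchers cited; the sample PDFs it scans are constructed test fixtures (the embedded script is a harmless `app.alert`), and the indicator list and verdict thresholds are this example's own assumptions. It also decodes `#xx` hex escapes in PDF names, which a plain substring search for "/JavaScript" would miss.

```python
import re

# Constructed fixture: minimal PDF whose /OpenAction runs embedded JavaScript.
SAMPLE_PDF_WITH_JS = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
4 0 obj
<< /S /JavaScript /JS (app.alert('hello')) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed fixture: same document without the action object.
SAMPLE_PDF_CLEAN = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Same fixture with names obfuscated via PDF hex escapes (/J#61vaScript);
# this is a legitimate PDF encoding that naive grep-style checks overlook.
SAMPLE_PDF_OBFUSCATED = (SAMPLE_PDF_WITH_JS
                         .replace(b"/JavaScript", b"/J#61vaScript")
                         .replace(b"/OpenAction", b"/Open#41ction"))

# Indicator names (assumed list for this example): script carriers, auto-run
# triggers, and a few other names worth a closer look.
SUSPICIOUS_NAMES = {"JavaScript", "JS", "OpenAction", "AA", "Launch",
                    "EmbeddedFile", "RichMedia"}

# A PDF name runs from '/' up to whitespace or a delimiter character.
NAME_RE = re.compile(rb"/([^\s()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _decode_name(raw: bytes) -> str:
    """Resolve #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf_names(data: bytes) -> dict:
    """Count occurrences of each suspicious name object in the raw PDF bytes."""
    counts = {}
    for m in NAME_RE.finditer(data):
        name = _decode_name(m.group(1))
        if name in SUSPICIOUS_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts


def triage(data: bytes) -> dict:
    """Return a coarse verdict plus the indicators that drove it."""
    counts = scan_pdf_names(data)
    has_script = "JavaScript" in counts or "JS" in counts
    auto_run = "OpenAction" in counts or "AA" in counts
    if has_script or "Launch" in counts:
        verdict = "suspicious"
    elif auto_run:
        verdict = "review"
    else:
        verdict = "clean"
    # Names inside compressed object streams are invisible to a raw scan,
    # so flag their presence: a "clean" verdict is not trustworthy then.
    object_streams = b"/ObjStm" in data
    return {"verdict": verdict, "indicators": counts,
            "object_streams": object_streams}


if __name__ == "__main__":
    for label, pdf in [("with_js", SAMPLE_PDF_WITH_JS),
                       ("obfuscated", SAMPLE_PDF_OBFUSCATED),
                       ("clean", SAMPLE_PDF_CLEAN)]:
        print(label, triage(pdf))
```

The raw-byte scan is deliberately conservative: it is a fast gate for mail-gateway or sandbox intake, not a parser. A document that reports `object_streams: True` should be decompressed with a real PDF parser before a "clean" verdict is accepted, and a "suspicious" hit only justifies detonation or analyst review, since many benign forms also carry JavaScript.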
The involvement of APT29 is further corroborated by the use of the domain “bahamas.gov[.]bs” across intrusion sets, aligning with previous research. The group’s modus operandi includes leveraging legitimate internet services for their command-and-control infrastructure, such as Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, and Trello.
APT29 typically targets governments, government subcontractors, political organizations, research firms, and critical industries in the U.S. and Europe. Notably, a separate, unidentified adversary has been observed using APT29-like tactics to breach Chinese-speaking users through Cobalt Strike.
Simultaneously, Ukraine’s Computer Emergency Response Team (CERT-UA) has reported phishing attacks against state organizations using the open-source post-exploitation toolkit called Merlin. The country has faced sustained cyberattacks from Sandworm, a Russian military intelligence-affiliated hacking unit, known for disrupting operations and gathering intelligence.
The Security Service of Ukraine recently revealed attempts by threat actors to gain unauthorized access to Android tablets belonging to Ukrainian military personnel. This underscores the strategic importance of capturing and examining devices on the battlefield, with malware strains such as NETD, DROPBEAR, STL, DEBLIND, and Mirai being used to achieve persistence, remote access, data gathering, exfiltration, and control via a TOR hidden service.
In summary, the campaign by Russian threat actors targeting foreign affairs ministries highlights their use of diplomatic-themed lures and advanced malware to compromise sensitive networks. These actors exhibit a history of using diverse techniques and legitimate services for their attacks, underscoring the need for robust cybersecurity measures and vigilance against evolving threats.