Tag: APT29

All articles tagged with #apt29

Five Eyes Allies Warn of Russian Hackers' Shifting Tactics to Target Cloud Environments

Originally Published 1 year ago — by BleepingComputer

The Five Eyes intelligence alliance has issued a warning that APT29, the Russian SVR-attributed group also known as Cozy Bear, has shifted its focus to victims' cloud services. Rather than exploiting flaws in the cloud platforms themselves, the actors authenticate with what they already hold: compromised credentials, neglected dormant and service accounts, and stolen access tokens. The alliance advises network defenders to enforce multi-factor authentication, strong passwords and least-privilege access, and to apply other identity-focused controls to blunt APT29's cloud intrusions.

Evolution of Russian Cyber Actors' Tactics in Cloud Attacks

Originally Published 1 year ago — by CISA

The Cybersecurity and Infrastructure Security Agency (CISA) has published a joint advisory, co-authored with its Five Eyes partners, detailing the tactics, techniques, and procedures (TTPs) of the SVR-attributed cyber espionage group APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear. The advisory describes how the actors have adapted to cloud-hosted infrastructure: gaining initial access through brute-forced or password-sprayed service accounts and through dormant accounts left behind by departed staff, authenticating with stolen cloud access tokens so that no password is needed, enrolling attacker-controlled devices with the victim's tenant to satisfy device-based policies, and routing traffic through residential proxies so that it blends in with ordinary home-user connections. The report also provides mitigation and detection guidance for each of these techniques.

Global Organizations Under Siege: Microsoft Exposes APT29 Espionage and Midnight Blizzard Hacking Spree

Originally Published 1 year ago — by The Hacker News

Microsoft warns that APT29, the Russian state-sponsored threat actor it tracks as Midnight Blizzard, has been targeting organizations worldwide, primarily in the U.S. and Europe, using compromised accounts and malicious or hijacked OAuth applications to gather sensitive information. The campaign may be larger than previously thought: the actor combines diverse initial access methods with residential proxies that hide the true origin of its connections. Organizations are advised to audit and restrict the permissions granted to OAuth applications and to defend against password spraying.

Russian Hackers Target HP Enterprise in Major Cyberattack

Originally Published 1 year ago — by The Hacker News

Russian state-sponsored hackers tracked as APT29 (also known as BlueBravo and Cozy Bear) infiltrated Hewlett Packard Enterprise's (HPE) cloud-based email environment and, over a six-month period, exfiltrated mailbox data from a small percentage of HPE accounts. The intrusion, attributed to Russia's Foreign Intelligence Service (SVR), is suspected of being connected to an earlier security event involving unauthorized access to SharePoint files. HPE stated that the incident has not materially impacted its operations; the exact scale and nature of the accessed email information were not disclosed.

Russian State-Sponsored Hackers Breach Microsoft Execs' Emails

Originally Published 2 years ago — by The Hacker News

Microsoft disclosed a nation-state attack by the Russian APT group Midnight Blizzard that resulted in the theft of emails and attachments from senior executives and from staff in the company's cybersecurity and legal departments. The intrusion, which began in late November 2023, started with a password spray attack against a legacy non-production test tenant account that was not protected by multi-factor authentication; from that foothold the actor reached the targeted corporate mailboxes. While the number of email accounts affected and the information accessed were not disclosed, Microsoft emphasized that the breach did not stem from a vulnerability in its products and that there is no evidence of access to customer environments, production systems, source code, or AI systems.

Russian Hackers Breach Microsoft to Access Senior Leadership Emails

Originally Published 2 years ago — by TechCrunch

Microsoft disclosed that the Russian government-sponsored hacking group APT29, also known as Cozy Bear, breached some corporate email accounts in search of information about the group itself, rather than conventional corporate or customer data. The hackers used a password spray attack, guessing a small set of common passwords against many accounts to stay under lockout thresholds, to reach a small percentage of Microsoft corporate email accounts. Microsoft did not disclose the number of breached accounts or the exact information accessed. The company said it would apply its current security standards to its own legacy systems even where that disrupts existing business processes; APT29 is widely known for high-profile cyber attacks.
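Password spraying, the initial access technique in both of the Microsoft disclosures above and in the Midnight Blizzard warning before them, is built to slip past per-account lockout counters: one or two guesses per account, spread across many accounts. The detector below, an added example written for this page and not code from Microsoft or any of the cited articles, inverts the view and counts distinct accounts per source address inside a sliding window. The log format, the IP addresses and the account names (including the "legacy-test" account that the spray lands on) are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real telemetry): "<UTC time> <source IP>
# <account> <result>". 203.0.113.7 sprays one guess each at many accounts
# and lands on a test-tenant account; 198.51.100.4 hammers a single account
# (brute force, not a spray); 192.0.2.9 is a normal login.
SAMPLE_SIGNIN_LOG = """\
2023-11-28T02:01:10Z 203.0.113.7 alice@corp.example FAIL
2023-11-28T02:01:12Z 203.0.113.7 bob@corp.example FAIL
2023-11-28T02:01:15Z 203.0.113.7 carol@corp.example FAIL
2023-11-28T02:01:18Z 203.0.113.7 dave@corp.example FAIL
2023-11-28T02:01:21Z 203.0.113.7 erin@corp.example FAIL
2023-11-28T02:01:24Z 203.0.113.7 frank@corp.example FAIL
2023-11-28T02:01:27Z 203.0.113.7 grace@corp.example FAIL
2023-11-28T02:01:30Z 203.0.113.7 legacy-test@corp.example SUCCESS
2023-11-28T02:05:00Z 198.51.100.4 alice@corp.example FAIL
2023-11-28T02:05:05Z 198.51.100.4 alice@corp.example FAIL
2023-11-28T02:05:09Z 198.51.100.4 alice@corp.example SUCCESS
2023-11-28T02:06:00Z 192.0.2.9 bob@corp.example SUCCESS
"""


def parse_signins(log):
    """Parse the constructed format into sorted (time, ip, user, result) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Flag source IPs whose failures inside some `window` span at least
    `min_accounts` distinct accounts with no more than `max_per_account`
    failures each. That shape (many accounts, few guesses per account) is
    exactly what a per-account lockout threshold is designed not to notice.
    Returns {ip: {"accounts": n, "successes": [accounts that later logged in]}}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        widest = 0
        # Sliding window anchored on each failure in turn.
        for i, (start, _, _, _) in enumerate(fails):
            per_account = defaultdict(int)
            for t, _, user, _ in fails[i:]:
                if t - start > window:
                    break
                per_account[user] += 1
            # A source that repeatedly hits one account is brute force, not a spray.
            if max(per_account.values()) <= max_per_account:
                widest = max(widest, len(per_account))
        if widest >= min_accounts:
            successes = sorted({e[2] for e in evs if e[3] == "SUCCESS"})
            findings[ip] = {"accounts": widest, "successes": successes}
    return findings


if __name__ == "__main__":
    for ip, f in detect_password_spray(parse_signins(SAMPLE_SIGNIN_LOG)).items():
        print(f"spray from {ip}: {f['accounts']} accounts probed, "
              f"successful logins: {f['successes'] or 'none'}")
```

The `successes` list is the part worth paging someone for: a spray that ends in a successful sign-in to an account with no MFA (a test tenant, a service account) is the foothold described in the articles above. Residential proxies will spread a real campaign over many source addresses, so in production the same logic should also be run keyed on ASN or on a device or session fingerprint rather than on the IP alone.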

Russian APT Groups Exploit WinRAR Vulnerability to Target Embassies

Originally Published 2 years ago — by BleepingComputer

A state-sponsored Russian hacking group tracked as APT29, and under other names including Cozy Bear and SolarStorm, has been exploiting CVE-2023-38831 in WinRAR to target embassy staff. The lure is a BMW car-sale advertisement delivered as a ZIP archive built to trigger the bug: a decoy document shares its name with a folder that holds a script, so when the victim opens the decoy in an unpatched WinRAR (versions before 6.23) the archiver launches the script rather than the document, and the script downloads and executes the payload. For command and control, APT29 has been abusing Ngrok's newly introduced free static domains so that traffic to compromised systems looks like ordinary tunneling-service traffic. The National Security and Defense Council of Ukraine (NSDC) has published indicators of compromise (IoCs) for detection.
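The archive layout that triggers CVE-2023-38831 is simple enough to check for on a mail gateway or in a sandbox before the file ever reaches WinRAR. The following is an added example for this page, not code from BleepingComputer, the NSDC or WinRAR: it lists every file entry whose exact name (trailing space included) is also used as a directory containing a script. The sample archives are constructed in memory with placeholder content; the lure file name and the script-extension list are assumptions, not indicators from the reporting.

```python
import io
import zipfile

# Extensions treated as executable scripts for this check (assumption;
# extend for your environment).
SCRIPT_EXTENSIONS = (".cmd", ".bat", ".ps1", ".vbs", ".js", ".exe", ".scr")


def find_cve_2023_38831_layout(zip_bytes):
    """Return (decoy_file, script_entry) pairs for every file entry that shares
    its exact name with a directory holding a script. That collision is the
    trigger for CVE-2023-38831: a vulnerable WinRAR, asked to open the decoy,
    also extracts the same-named folder and runs the script inside it.
    Directory names are derived from every entry's path prefixes, so archives
    that carry no explicit directory entries are covered too."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = {n for n in names if not n.endswith("/")}
    dirs = set()
    for n in names:
        parts = n.split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]))
    findings = []
    for decoy in sorted(files):
        if decoy not in dirs:
            continue
        for n in sorted(names):
            if n.startswith(decoy + "/") and n.lower().endswith(SCRIPT_EXTENSIONS):
                findings.append((decoy, n))
    return findings


def build_sample_archive(malicious):
    """Constructed archives with no real payload. The malicious layout mirrors
    the exploit structure: "BMW 5 for sale.pdf " (note the trailing space) as
    both a file and a folder, the folder holding a .cmd with the same stem.
    The benign variant is an ordinary document plus an image folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("BMW 5 for sale.pdf ", b"%PDF-1.4 decoy")
            zf.writestr("BMW 5 for sale.pdf /BMW 5 for sale.pdf .cmd",
                        b"@echo placeholder, not a payload\r\n")
        else:
            zf.writestr("BMW 5 for sale.pdf", b"%PDF-1.4 decoy")
            zf.writestr("images/car.jpg", b"\xff\xd8\xff")
    return buf.getvalue()


if __name__ == "__main__":
    for label, malicious in (("malicious", True), ("benign", False)):
        print(label, find_cve_2023_38831_layout(build_sample_archive(malicious)))
```

Real lures are usually RAR rather than ZIP; the same name-collision check applies, but reading RAR entries needs a third-party library, so the example stays with the standard-library `zipfile` reader. Patching WinRAR to 6.23 or later removes the vulnerability; the check above is for catching archives built for unpatched hosts.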

Russian Hackers Exploit Microsoft Teams for Government Agency Breaches

Originally Published 2 years ago — by TechCrunch

The Russian state-sponsored hacking group APT29, also known as Cozy Bear, ran a social engineering campaign over Microsoft Teams that compromised dozens of organizations worldwide, including government agencies. Operating from previously compromised Microsoft 365 tenants renamed to look like technical support, the hackers messaged targets and talked them into approving multi-factor authentication prompts that the attackers had triggered with credentials they already held, giving them full access to the user accounts and the ability to exfiltrate sensitive information. Microsoft has blocked the actor's use of those domains and is investigating the activity, which targeted fewer than 40 organizations across various sectors. The incident followed a Chinese intrusion that exploited a flaw in Microsoft's cloud email service.
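An MFA approval obtained by persuasion, as in the Teams campaign above, leaves the same trace as classic push bombing: prompts the user rejected or ignored, then one the user approved, all from a source the user did not start. The detector below is an added example written for this page, not Microsoft's or TechCrunch's code; it reads a constructed MFA push log (format, addresses and account names are assumptions) and flags each approval that follows a run of rejected prompts from the same source within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MFA push log (not real telemetry): "<UTC time> <account>
# <source IP> <outcome>". alice approves after a run of denied/timed-out
# prompts from one source; bob approves a single prompt; carol denies one
# prompt and approves another half an hour later (normal behaviour).
SAMPLE_MFA_LOG = """\
2023-05-30T09:00:01Z alice@corp.example 203.0.113.7 DENIED
2023-05-30T09:00:40Z alice@corp.example 203.0.113.7 DENIED
2023-05-30T09:01:15Z alice@corp.example 203.0.113.7 TIMEOUT
2023-05-30T09:02:02Z alice@corp.example 203.0.113.7 DENIED
2023-05-30T09:03:30Z alice@corp.example 203.0.113.7 APPROVED
2023-05-30T09:10:00Z bob@corp.example 198.51.100.4 APPROVED
2023-05-30T11:00:00Z carol@corp.example 192.0.2.9 DENIED
2023-05-30T11:30:00Z carol@corp.example 192.0.2.9 APPROVED
"""


def parse_mfa_log(log):
    """Parse the constructed format into sorted (time, user, ip, outcome) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome))
    return sorted(events)


def detect_prompt_bombing(events, window=timedelta(minutes=10), min_rejected=3):
    """Flag every APPROVED push that follows at least `min_rejected` prompts
    for the same account from the same source that the user denied or let
    time out inside `window`. A run of rejections ending in an approval is
    the footprint of a user worn down or talked round, not of a user who
    started the sign-in themselves."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    findings = []
    for user, evs in by_user.items():
        for idx, (t_ok, _, ip, outcome) in enumerate(evs):
            if outcome != "APPROVED":
                continue
            rejected = sum(
                1 for t, _, src, out in evs[:idx]
                if src == ip and out != "APPROVED" and t_ok - t <= window
            )
            if rejected >= min_rejected:
                findings.append({"user": user, "ip": ip,
                                 "approved_at": t_ok.isoformat(),
                                 "rejected_before": rejected})
    return findings


if __name__ == "__main__":
    for f in detect_prompt_bombing(parse_mfa_log(SAMPLE_MFA_LOG)):
        print(f"{f['user']}: approved push from {f['ip']} at {f['approved_at']} "
              f"after {f['rejected_before']} rejected prompts")
```

A well-run Teams lure may produce only a single approval with no rejections first, so this rule should sit beside a second one that flags approvals from a source address the account has never authenticated from before. On the prevention side, number matching in the authenticator app (which Microsoft has since made mandatory for push notifications) stops a user from approving a prompt without the code shown on the attacker's screen, which is precisely the step the attackers in this campaign had to talk their victims through.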

Russian Hackers Lure Diplomats in Ukraine with Cheap BMW Ad

Originally Published 2 years ago — by Fox Business

Russian hackers believed to be working for Russia's foreign intelligence service targeted diplomats at nearly two dozen embassies in Ukraine by intercepting and editing a legitimate flyer advertising a used BMW for sale in Kyiv. The hackers embedded malware in the flyer and emailed it to other diplomats in an attempt to gain remote access to their computers. The scheme, uncovered by Palo Alto Networks, reached at least 22 of the roughly 80 foreign missions in the Ukrainian capital. The group, known as APT29, has been linked to Russia's SVR foreign intelligence agency. The extent of the impact is unclear, but the U.S. State Department said its systems were not affected.

Russian Hackers Tempted Ukrainian Embassy Workers with Cheap BMW Ad

Originally Published 2 years ago — by Reuters

Russian hackers suspected of working for Russia's foreign intelligence service targeted diplomats at embassies in Ukraine with a fake used-car advertisement for a cheap BMW. The hackers intercepted a legitimate flyer advertising the car, embedded malware in it, and sent it to dozens of diplomats. The campaign, attributed to the hacking group APT29, or "Cozy Bear," reached diplomats from at least 22 foreign missions in Kyiv. The report from cybersecurity firm Palo Alto Networks highlights the broad scope of the espionage operation and ties it to the Russian SVR.