
Russia's APT29 is Actively Serving WellMess/WellMail Malware


A year ago, at the height of the pandemic, the United Kingdom, the United States, and Canada released a coordinated advisory revealing a Russian espionage campaign targeting COVID-19 vaccine research in each of their countries.

They attributed the operation to Russia's APT29 (also tracked as The Dukes, Yttrium, and Cozy Bear) and explicitly described the group as part of Russia's Foreign Intelligence Service (SVR). It was also the first time the governments officially linked the WellMess and WellMail malware used in the campaign to APT29.

RiskIQ has now published details of 30 servers that it assesses Russia's SVR (operating as APT29) is using in its continued attempts to steal Western intellectual property.

RiskIQ is a provider of internet security intelligence whose products identify, contextualize, and mitigate threats tied to an organization's web presence. The company says it gives businesses unified visibility and control over web, social, and mobile exposures, noting that more than 75% of threats originate outside the firewall.

In 2018, Japan's CERT (JPCERT/CC) documented WellMess without naming targets or attributing it to a particular threat actor. After the 2020 Western government reports, RiskIQ's Team Atlas expanded on the campaign's known attacker footprint and identified more than a dozen additional command-and-control servers.

RiskIQ's Team Atlas has now found additional infrastructure actively serving WellMess and WellMail. The discovery came just a month after the US and Russian heads of state held a summit at which hostile Russian cyber activity topped President Biden's list of concerns.

"Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29 at the time of this writeup," said RiskIQ in a blog post. "We were unable to locate any malware which communicated with this infrastructure, but we suspect it is likely similar to previously identified samples." 

Western responses to the SVR's campaigns have been somewhat uneven, ranging from quiet alerts to blunt public attribution. The United Kingdom's National Cyber Security Centre, clearly fed up, summed up its position as "they won't sodding well stop so we're telling you exactly what the naughty buggers have moved onto now."

In November, the NCSC, which is part of GCHQ, also told national newspapers that SVR attempts to break into British research institutions had been countered, hinting that some form of encryption tool (akin to ransomware without a ransom demand) had been deployed against the Russian operators.

Evidence Indicates Russia's SVR is Still Using 'WellMess' Malware, Despite US Warnings


President Joe Biden's appeal to Vladimir Putin to crack down on cyberattacks originating inside Russia appears not to have persuaded the Kremlin to rein in its own hacking.

In a report published Friday, RiskIQ said it had discovered still-active hacking infrastructure that Western governments linked last summer to APT29 (also known as Cozy Bear), a group associated with Russia's SVR intelligence agency, which used it to steal COVID-19 research data.

The malware, known as WellMess and WellMail, prompted official warnings in the United States, the United Kingdom, and Canada in July 2020. In April, the FBI urged organizations to patch five known vulnerabilities that, according to US officials, the SVR had exploited.

RiskIQ said it detected three dozen command-and-control servers serving WellMess that it assesses to be under APT29 control. The infrastructure remained active in the period following the US-Russia summit at which cyberattacks were discussed.

“The behaviour found was noteworthy considering the circumstances in which it emerged, following on the heels of President Biden's public condemnation of Russian hacking at a recent summit with President Putin,” stated RiskIQ's Team Atlas. 

Cozy Bear has not been publicly accused of involvement in any recent ransomware operations, which were the focus of the White House's discussions with Russia. The group has instead distinguished itself with cyber-espionage against targets such as the federal contractor SolarWinds and the Democratic National Committee.

RiskIQ could not determine how Russian operators are currently using the WellMess malware. The company stated, “Readers should note that much of this infrastructure is still in active use by APT29, though we do not have enough information to say how it is being used or who the targets are.”

Biden has been urging Putin, both privately and in public statements, to stop malicious cyber activity originating from Russia, notably ransomware attacks believed to be carried out by criminal groups.

A phone call between the two leaders followed a series of high-profile ransomware attacks with suspected Russian roots, the most recent of which affected hundreds of companies through an incident at the software company Kaseya.

“I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden told reporters about the call.

In a speech last week, Biden told intelligence officials that if the US finds itself in a “shooting war” with a significant foreign power, it will probably come in response to a cyber attack.

Stolen Card Validation Service Illuminated A New Corner of the Skimming Ecosystem


Recent threat-infrastructure research shows that the digital credit card skimming ecosystem keeps evolving, with analysts identifying new players, tooling, services, and economies that make it up. Analysts have also noticed significant patterns in the infrastructure these groups use and share.

In recent years, many domains used for digital skimming and other criminal activity have been hosted on Alibaba IP space. Because bulletproof hosting providers host a large share of skimming campaigns, the popularity of Alibaba IP space could be due to one of those bulletproof services abusing Alibaba's hosting. Some of these domains have also recently been seen abusing Google's user-content hosting service.

While investigating the infrastructure of the MobileInter skimmer, the analysts discovered that one of its skimmer domains was briefly hosted on a Google IP address. That same IP later hosted a domain offering card skimmers a useful service: validating stolen payment data for a fee. Using RiskIQ's Internet Intelligence Graph, the analysts found multiple related websites, services, and social media accounts connected to this validation service, known as bit2check. Some bit2check domains have been seen abusing Alibaba and Google hosting services in the same way as Magecart domains.

Further investigation showed that the person behind bit2check is a Kurdish actor who goes by the name Hama. There was no clear relationship between this individual and the bulletproof hosting operation seen on Alibaba, but the connection could lead to more information about who is providing these malicious hosting services.

The bit2check website advertises a bit2check Telegram group and promotes itself as the "greatest CVV/cc checker in town." Many Kurdish-language Telegram channels also link to the bit2check site and related ones, including bin-checker[.]net, a free version of bit2check. These carding services promote each other through links on their websites and Telegram channels.

The domains and accounts linked to Hama are also associated with the activities of other players in the carding sector. Code written by another actor known as namso appears on some of Hama's websites, and a directory called namso_files can be found in Hama's GitHub repository.

RiskIQ has been investigating browser-based card skimming since it first reported on Magecart in 2016, including the group's landmark attack on British Airways in 2018.

Bit2check is one more part of this vast ecosystem, catering to skimmers who want to validate their loot or buy more stolen data. According to RiskIQ, many of the actors in this ecosystem, both the skimmers and the services that cater to them, use the same tactics and infrastructure.

LogoKit Can Manipulate Phishing Pages in Real Time


A recently uncovered phishing kit, named LogoKit, spares cybercriminals the effort of building convincing login pages by automatically pulling the victim organization's logo onto the phishing page. This gives attackers what they need to imitate company login pages, a task that can otherwise be fiddly. Cybercriminals have used LogoKit to launch phishing attacks on more than 700 unique domains over the past 30 days (including 300 in the past week). The targeted services range from generic login portals to fake SharePoint, Adobe Document Cloud, OneDrive, Office 365, and cryptocurrency exchange login pages.

“With LogoKit’s intended functionality to be centered around singular emails per URL and extracting company logos, this dramatically improves ease of carrying out targeted attacks against organizations; and reusing pretexts without changing templates,” said Adam Castleman, security researcher with RiskIQ on Wednesday. 

Phishing kits, which cybercriminals can buy for anywhere between $20 and $880, require little more than modest programming skills to operate. They are used to steal a range of information from victims, including usernames, passwords, credit card numbers, Social Security numbers, and more.

In some cases, attackers have been seen hosting their LogoKit phishing pages on Google Firebase. While LogoKit has been found using such legitimate hosting services, researchers have also observed compromised sites, many running WordPress, hosting LogoKit variants. Cybercriminals send victims a specially crafted URL that embeds the target's email address in the fragment. An example of such a URL would be: "phishingpage[.]site/login.html#victim@company.com."

If the victim clicks the URL, LogoKit fetches the logo of the organization named in the email's domain from a third-party service such as the marketing data engine Clearbit or Google's favicon database (favicons being the small icons associated with particular websites).

Moreover, because LogoKit is just a collection of JavaScript files, its assets can also be hosted on trusted public services such as Firebase, GitHub, Oracle Cloud, and others, most of which are allowlisted inside corporate environments and trigger few alerts when loaded in an employee's browser. RiskIQ said it is tracking this new threat closely because of the kit's simplicity, which the firm believes improves its odds of a successful phish.
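As an added illustration (not code from RiskIQ or from LogoKit itself), the following Python triage helper shows how a defender could hunt for the pattern described above in links extracted from inbound mail: it pulls an email address out of the URL fragment, derives the victim's domain, notes whether the landing host sits on one of the trusted hosting services named here, and lists the third-party logo lookups a LogoKit page would make for that domain. The sample URLs, the hosting-suffix list, and the exact logo-request shapes are constructed assumptions. One caveat: a URL fragment is never sent to the web server, so it will not appear in proxy or web-server logs; the fragment check has to run where the full link is visible (mail gateway, URL rewriting), while the logo lookups are what show up in browser or endpoint telemetry.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample links, as they might be extracted from inbound e-mail bodies.
# Not real campaign data; the hosts are illustrative.
SAMPLE_URLS = [
    "https://phishingpage.site/login.html#victim@company.com",
    "https://example-kit.web.app/index.html#alice%40contoso.com",
    "https://www.example.com/docs/page.html#section-2",
    "https://cdn.example.org/app/#/dashboard",
]

# Suffixes of public hosting services the write-up mentions (Firebase, GitHub Pages).
# Illustrative assumption, not a complete list.
TRUSTED_HOSTING_SUFFIXES = ("firebaseapp.com", "web.app", "github.io")

# A bare e-mail address occupying the whole fragment; group 1 is the mail domain.
EMAIL_FRAGMENT = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def extract_target(url):
    """Return (email, domain) when the URL fragment carries a LogoKit-style
    e-mail address, otherwise None. A percent-encoded '@' is decoded first."""
    fragment = unquote(urlsplit(url).fragment).strip()
    match = EMAIL_FRAGMENT.match(fragment)
    if match is None:
        return None
    return fragment, match.group(1).lower()


def logo_lookup_urls(domain):
    """Third-party requests a LogoKit page would plausibly make to fetch the
    victim organization's branding. Both endpoints are public services; the
    exact request shape used by any given kit variant is an assumption."""
    return {
        "clearbit": f"https://logo.clearbit.com/{domain}",
        "google_favicon": f"https://www.google.com/s2/favicons?domain={domain}",
    }


def on_trusted_hosting(host):
    """True when the landing host is (a subdomain of) an allowlisted hosting service."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOSTING_SUFFIXES)


def triage(urls):
    """Flag links whose fragment pre-fills a victim e-mail and return hunting
    pivots for each: the victim, their domain, the landing host, and the logo
    lookups to search for in browser/endpoint telemetry."""
    findings = []
    for url in urls:
        target = extract_target(url)
        if target is None:
            continue
        email, domain = target
        host = (urlsplit(url).hostname or "").lower()
        findings.append({
            "url": url,
            "victim": email,
            "victim_domain": domain,
            "landing_host": host,
            "on_trusted_hosting": on_trusted_hosting(host),
            "hunt_for": logo_lookup_urls(domain),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_URLS):
        print(finding["victim"], "->", finding["landing_host"],
              "(trusted hosting)" if finding["on_trusted_hosting"] else "",
              finding["hunt_for"]["clearbit"])
```

Run against the constructed list, the first two links are flagged (the second one both percent-encodes the `@` and lands on a Firebase hostname) and the last two, whose fragments are ordinary page anchors, are ignored. The `hunt_for` URLs are the pivot: a corporate endpoint requesting `logo.clearbit.com/<your own domain>` from a page you do not own is a strong signal on its own.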