AA21-148A: Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs

News category: Security vulnerabilities
Source: us-cert.cisa.gov

Original release date: May 28, 2021

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are responding to a spearphishing campaign targeting government organizations, intergovernmental organizations (IGOs), and non-governmental organizations (NGOs). A sophisticated cyber threat actor leveraged a compromised end-user account from Constant Contact, a legitimate email marketing software company, to spoof a U.S.-based government organization and distribute links to malicious URLs.[1] Note: CISA and FBI acknowledge open-source reporting attributing the activity discussed in the report to APT29 (also known as Nobelium, The Dukes, and Cozy Bear).[2,3] However, CISA and FBI are investigating this activity and have not attributed it to any threat actor at this time. CISA and FBI will update this Joint Cybersecurity Advisory as new information becomes available.

This Joint Cybersecurity Advisory contains information on tactics, techniques, and procedures (TTPs) and malware associated with this campaign. For more information on the malware, refer to Malware Analysis Report MAR-10339794-1.v1: Cobalt Strike Beacon.

CISA and FBI urge governmental and international affairs organizations and individuals associated with such organizations to immediately adopt a heightened state of awareness and implement the recommendations in the Mitigations section of this advisory.

For a downloadable list of indicators of compromise (IOCs), refer to AA21-148A.stix, and MAR-10339794-1.v1.stix.

Technical Details

Based on incident reports, malware collection, and trusted third-party reporting, CISA and FBI are responding to a sophisticated spearphishing campaign. A cyber threat actor leveraged a compromised end-user account from Constant Contact, a legitimate email marketing software company, to send phishing emails to more than 7,000 accounts across approximately 350 government organizations, IGOs, and NGOs. The threat actor sent spoofed emails that appeared to originate from a U.S. Government organization. The emails contained a legitimate Constant Contact link that redirected to a malicious URL [T1566.002, T1204.001], from which a malicious ISO file was dropped onto the victim's machine.

The ISO file contained (1) a malicious Dynamic Link Library (DLL) named Documents.dll [T1055.001], which is a custom Cobalt Strike Beacon version 4 implant, (2) a malicious shortcut file that executes the Cobalt Strike Beacon loader [T1105], and (3) a benign decoy PDF titled "Foreign Threats to the 2020 US Federal Elections" with file name "ICA-declass.pdf" (see figure 1). Note: The decoy file appears to be a copy of the declassified Intelligence Community Assessment pursuant to Executive Order 13848 Section 1(a), which is available at https://www.intelligence.gov/index.php/ic-on-the-record-database/results/1046-foreign-threats-to-the-2020-us-federal-elections-intelligence-community-assessment.

Figure 1: Decoy PDF: ICA-declass.pdf

Cobalt Strike is a commercial penetration testing tool used to conduct red team operations.[4] It contains a number of tools that complement the cyber threat actor's exploitation efforts, such as a keystroke logger, file injection capability, and network services scanners. The Cobalt Strike Beacon is the malicious implant that calls back to attacker-controlled infrastructure and checks for additional commands to execute on the compromised system [TA0011].

The configuration file for this Cobalt Strike Beacon implant contained communications protocols, an implant watermark, and the following hardcoded command and control (C2) domains:

  • dataplane.theyardservice[.]com/jquery-3.3.1.min.woff2
  • cdn.theyardservice[.]com/jquery-3.3.1.min.woff2
  • static.theyardservice[.]com/jquery-3.3.1.min.woff2
  • worldhomeoutlet[.]com/jquery-3.3.1.min.woff2

The configuration file was encoded via an XOR with the key 0x2e and a 16-bit byte swap.
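As an added illustration for analysts (this is not code from the advisory or from MAR-10339794-1.v1), the following Python reverses the encoding described above on a constructed sample blob. It assumes the two operations are a per-byte XOR with 0x2e and a swap of the two bytes in each 16-bit word; because a constant single-byte XOR and a pairwise byte swap commute, the order in which they are undone does not matter. The header words, the padding, the `Documents.dll` string used as a negative case and the host/URI extraction heuristic are constructed for the example; the four C2 strings are the advisory's own, kept in their defanged form.

```python
import re

XOR_KEY = 0x2E  # single-byte XOR key reported for this Beacon configuration


def swap16(data: bytes) -> bytes:
    """Swap the two bytes of every 16-bit word; an odd trailing byte stays put."""
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the same single-byte key."""
    return bytes(b ^ key for b in data)


def decode_config(blob: bytes) -> bytes:
    """Undo 'XOR 0x2e + 16-bit byte swap'. Both steps are involutions and they
    commute, so either order recovers the plaintext configuration."""
    return swap16(xor_bytes(blob))


def encode_config(plain: bytes) -> bytes:
    """Inverse of decode_config; used here only to build the constructed sample."""
    return xor_bytes(swap16(plain))


# A host name followed by a URI path, allowing '.' or the defanged '[.]' between
# labels. This is an assumed heuristic for the example, not the real Beacon layout.
HOST_URI_RE = re.compile(rb"(?:[A-Za-z0-9-]+(?:\[\.\]|\.))+[A-Za-z]{2,}/[A-Za-z0-9./_-]*")


def extract_c2_candidates(decoded: bytes) -> list[tuple[str, str]]:
    """Return (host, uri) pairs for every host/URI string in the decoded bytes."""
    pairs = []
    for m in HOST_URI_RE.finditer(decoded):
        text = m.group().decode("ascii")
        host, _, path = text.partition("/")
        pairs.append((host, "/" + path))
    return pairs


# Constructed sample: fake header words, the advisory's four defanged C2 strings,
# a file name that must NOT be reported as C2, and some trailing padding.
SAMPLE_PLAIN = (
    b"\x00\x01\x00\x01\x00\x02\x00\x00"
    + b"dataplane.theyardservice[.]com/jquery-3.3.1.min.woff2\x00"
    + b"cdn.theyardservice[.]com/jquery-3.3.1.min.woff2\x00"
    + b"static.theyardservice[.]com/jquery-3.3.1.min.woff2\x00"
    + b"worldhomeoutlet[.]com/jquery-3.3.1.min.woff2\x00"
    + b"Documents.dll\x00"
    + b"\x00\x00\x00\x00"
)
SAMPLE_ENCODED = encode_config(SAMPLE_PLAIN)

if __name__ == "__main__":
    for host, uri in extract_c2_candidates(decode_config(SAMPLE_ENCODED)):
        print(f"C2 candidate: {host}{uri}")
```

On a real sample the decoded buffer is the place to pull the watermark and protocol settings from as well; the regex above only shows how the hardcoded C2 host/URI pairs become visible once the two encoding steps are undone.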

For more information on the ISO file and Cobalt Strike Beacon implant, including IOCs, refer to Malware Analysis Report MAR-10339794-1.v1: Cobalt Strike Beacon.

Indicators of Compromise

The following IOCS were derived from trusted third parties and open-source research. For a downloadable list of IOCs, refer to AA21-148A.stix and MAR-10339794-1.v1.stix.

  • URL: https[:]//r20.rs6.net/tn.jsp?f=
    Host IP: 208.75.122[.]11 (US)
    Owner: Constant Contact, Inc.
    Activity: legitimate Constant Contact link found in phishing email that redirects victims to actor-controlled infrastructure at https[:]//usaid.theyardservice.com/d/<target_email_address>

  • URL: https[:]//usaid.theyardservice.com/d/<target_email_address>
    Host IP: 83.171.237[.]173 (Germany)
    Owner: [redacted]
    First Seen: May 25, 2021
    Activity: actor-controlled URL that was redirected from https[:]//r20.rs6.net/tn.jsp?f=; the domain usaid[.]theyardservice.com was detected as a malware site; hosted a malicious ISO file

  • File: ICA-declass.iso [MD5: cbc1dc536cd6f4fb9648e229e5d23361]
    File Type: Macintosh Disk Image
    Detection: Artemis!7EDF943ED251, Trojan:Win32/Cobaltstrike!MSR, or other malware
    Activity: ISO file container; contains a custom Cobalt Strike Beacon loader; communicated with multiple URLs, domains, and IP addresses

  • File: /d/ [MD5: ebe2f8df39b4a94fb408580a728d351f]
    File Type: Macintosh Disk Image
    Detection: Cobalt, Artemis!7EDF943ED251, or other malware
    Activity: ISO file container; contains a custom Cobalt Strike Beacon loader; communicated with multiple URLs, domains, and IP addresses

  • File: ICA-declass.iso [MD5: 29e2ef8ef5c6ff95e98bff095e63dc05]
    File Type: Macintosh Disk Image
    Detection: Cobalt Strike, Rozena, or other malware
    Activity: ISO file container; contains a custom Cobalt Strike Beacon loader; communicated with multiple URLs, domains, and IP addresses

  • File: Reports.lnk [MD5: dcfd60883c73c3d92fceb6ac910d5b80]
    File Type: LNK (Windows shortcut)
    Detection: Worm: Win32-Script.Save.df8efe7a, Static AI - Suspicious LNK, or other malware
    Activity: shortcut contained in malicious ISO files; executes a custom Cobalt Strike Beacon loader

  • File: ICA-declass.pdf [MD5: b40b30329489d342b2aa5ef8309ad388]
    File Type: PDF
    Detection: undetected
    Activity: benign, password-protected PDF displayed to victim as a decoy; currently unrecognized by antivirus software

  • File: DOCUMENT.DLL [MD5: 7edf943ed251fa480c5ca5abb2446c75]
    File Type: Win32 DLL
    Detection: Trojan: Win32/Cobaltstrike!MSR, Rozena, or other malware
    Activity: custom Cobalt Strike Beacon loader contained in malicious ISO files; observed by antivirus software communicating with multiple URLs, domains, and IP addresses

  • File: DOCUMENT.DLL [MD5: 1c3b8ae594cb4ce24c2680b47cebf808]
    File Type: Win32 DLL
    Detection: Cobalt Strike, Razy, Khalesi, or other malware
    Activity: custom Cobalt Strike Beacon loader contained in malicious ISO files; observed by antivirus software communicating with multiple URLs, domains, and IP addresses

  • Domain: usaid[.]theyardservice.com
    Host IP: 83.171.237[.]173 (Germany)
    First Seen: May 25, 2021
    Owner: Withheld for Privacy Purposes
    Activity: subdomain used to distribute ISO file according to the trusted third party; detected as a malware site by antivirus programs

  • Domain: worldhomeoutlet.com
    Host IP: 192.99.221[.]77 (Canada)
    Created Date: March 11, 2020
    Owner: Withheld for Privacy Purposes by Registrar
    Activity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious and observed communicating with multiple malicious files according to antivirus software; associated with Cobalt Strike malware

  • Domain: dataplane.theyardservice[.]com
    Host IP: 83.171.237[.]173 (Germany)
    First Seen: May 25, 2021
    Owner: [redacted]
    Activity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious and observed communicating with multiple malicious files according to antivirus software; observed in phishing, malware, and spam activity

  • Domain: cdn.theyardservice[.]com
    Host IP: 83.171.237[.]173 (Germany)
    First Seen: May 25, 2021
    Owner: Withheld for Privacy Purposes by Registrar
    Activity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious and observed communicating with multiple malicious files according to antivirus software

  • Domain: static.theyardservice[.]com
    Host IP: 83.171.237[.]173 (Germany)
    First Seen: May 25, 2021
    Owner: Withheld for Privacy Purposes
    Activity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious and observed communicating with multiple malicious files according to antivirus software

  • IP: 192.99.221[.]77
    Organization: OVH SAS
    Resolutions: 7
    Geolocation: Canada
    Activity: detected as a malware site; hosts the suspicious domain worldhomeoutlet[.]com; observed in Cobalt Strike activity

  • IP: 83.171.237[.]173
    Organization: Droptop GmbH
    Resolutions: 15
    Geolocation: Germany
    Activity: categorized as malicious by antivirus software; hosted multiple suspicious domains, and multiple malicious files were observed being downloaded from this IP address; observed in Cobalt Strike activity

  • Domain: theyardservice[.]com
    Host IP: 83.171.237[.]173 (Germany)
    Created Date: January 27, 2010
    Owner: Withheld for Privacy Purposes
    Activity: threat actor controlled domain according to the trusted third party; categorized as suspicious by antivirus software; observed in Cobalt Strike activity

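As an added example for defenders (Python; not code from the advisory), the following matches the indicators listed above against a handful of constructed proxy, DNS and EDR events. The `<timestamp> <source> key=value ...` log format, the sample events and the internal addresses in them are assumptions made for the example; the domains, IP addresses and MD5 hashes are the advisory's own, stored in their defanged form and refanged only at comparison time. The legitimate Constant Contact redirector (r20.rs6.net) is deliberately not treated as an indicator, since alerting on it would flag ordinary marketing mail; it is context for an investigation, not evidence on its own.

```python
# Indicators copied from the advisory, kept defanged exactly as published.
IOC_DOMAINS = [
    "usaid[.]theyardservice.com",
    "dataplane.theyardservice[.]com",
    "cdn.theyardservice[.]com",
    "static.theyardservice[.]com",
    "worldhomeoutlet[.]com",
    "theyardservice[.]com",
]
IOC_IPS = ["83.171.237[.]173", "192.99.221[.]77"]
IOC_MD5 = {
    "cbc1dc536cd6f4fb9648e229e5d23361": "ICA-declass.iso",
    "ebe2f8df39b4a94fb408580a728d351f": "/d/ (ISO)",
    "29e2ef8ef5c6ff95e98bff095e63dc05": "ICA-declass.iso",
    "dcfd60883c73c3d92fceb6ac910d5b80": "Reports.lnk",
    "7edf943ed251fa480c5ca5abb2446c75": "DOCUMENT.DLL",
    "1c3b8ae594cb4ce24c2680b47cebf808": "DOCUMENT.DLL",
}
BEACON_URI = "/jquery-3.3.1.min.woff2"  # path shared by all four hardcoded C2 URLs


def refang(ioc: str) -> str:
    """Turn the published defanged form into the value that appears in logs."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


def host_matches(host: str, ioc_domain: str) -> bool:
    """True for an exact match or any subdomain of the indicator domain."""
    d = refang(ioc_domain).lower()
    host = host.lower().rstrip(".")
    return host == d or host.endswith("." + d)


def parse_line(line: str) -> dict:
    """Assumed log format for this example: '<ts> <source> key=value ...'."""
    parts = line.split()
    fields = {"ts": parts[0], "source": parts[1]}
    for tok in parts[2:]:
        k, _, v = tok.partition("=")
        fields[k] = v
    return fields


def scan_lines(lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (line_index, kind, ioc) hits. kind is 'c2-beacon' when the host
    matches an indicator domain and the URI is the Beacon path, otherwise
    'domain', 'ip' or 'md5'."""
    hits = []
    for i, line in enumerate(lines):
        f = parse_line(line)
        host = f.get("host") or f.get("query")
        if host:
            for d in IOC_DOMAINS:
                if host_matches(host, d):
                    kind = "c2-beacon" if f.get("uri") == BEACON_URI else "domain"
                    hits.append((i, kind, d))
        answer = f.get("answer") or f.get("dst")
        if answer:
            for ip in IOC_IPS:
                if answer == refang(ip):
                    hits.append((i, "ip", ip))
        md5 = f.get("md5", "").lower()
        if md5 in IOC_MD5:
            hits.append((i, "md5", md5))
    return hits


# Constructed sample events (addresses and users are made up for the example).
SAMPLE_LOGS = [
    "2021-05-25T14:02:11Z proxy src=10.1.2.3 host=r20.rs6.net uri=/tn.jsp?f=REDACTED",
    "2021-05-25T14:02:12Z proxy src=10.1.2.3 host=usaid.theyardservice.com uri=/d/user@example.org",
    "2021-05-25T14:05:40Z proxy src=10.1.2.3 host=dataplane.theyardservice.com uri=/jquery-3.3.1.min.woff2",
    "2021-05-25T14:05:41Z dns src=10.1.2.3 query=cdn.theyardservice.com answer=83.171.237.173",
    "2021-05-25T14:06:00Z proxy src=10.1.2.9 host=cdn.example.org uri=/jquery-3.3.1.min.js",
    "2021-05-25T14:07:15Z edr src=10.1.2.3 md5=7EDF943ED251FA480C5CA5ABB2446C75 file=E:\\Documents.dll",
    "2021-05-25T14:07:16Z edr src=10.1.2.9 md5=00000000000000000000000000000000 file=C:\\Windows\\notepad.exe",
]

if __name__ == "__main__":
    for i, kind, ioc in scan_lines(SAMPLE_LOGS):
        print(f"line {i}: {kind:10s} {ioc}  <- {SAMPLE_LOGS[i]}")
```

The subdomain match in `host_matches` is what lets the parent domain indicator theyardservice[.]com catch hosts the advisory does not list individually; the `c2-beacon` kind combines host and URI so that the shared Beacon path alone (which a benign CDN could also serve) never fires without an indicator host.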

Table 1 provides a summary of the MITRE ATT&CK techniques observed.

Table 1: MITRE ATT&CK techniques observed

  Technique Title                                      Technique ID
  Process Injection: Dynamic-link Library Injection    T1055.001
  Ingress Tool Transfer                                T1105
  User Execution: Malicious Link                       T1204.001
  Phishing: Spearphishing Link                         T1566.002

Mitigations

CISA and FBI urge critical infrastructure (CI) owners and operators to apply the following mitigations.

  • Implement multi-factor authentication (MFA) for every account. While privileged accounts and remote access systems are critical, it is also important to ensure full coverage across SaaS solutions. Enabling MFA for corporate communications platforms (as with all other accounts) provides vital defense against these types of attacks and, in many cases, can prevent them.
  • Keep all software up to date. The most effective cybersecurity programs quickly update all of their software as soon as patches are available. If your organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited.
  • Implement endpoint detection and response (EDR) tools. EDR allows a high degree of visibility into the security status of endpoints and can be an effective tool against threat actors.
    Note: Organizations using Microsoft Defender for Endpoint or Microsoft 365 Defender should refer to Microsoft: Use attack surface reduction rules to prevent malware infection for more information on hardening the enterprise attack surface.
  • Implement centralized log management for host monitoring. A centralized logging application allows technicians to look out for anomalous activity in the network environment, such as new applications running on hosts, out-of-place communication between devices, or unaccountable login failures on machines. It also aids in troubleshooting applications or equipment in the event of a fault. CISA and the FBI recommend that organizations:
    • Forward logs from local hosts to a centralized log management server, often referred to as a security information and event management (SIEM) tool.
    • Ensure logs are searchable. The ability to search, analyze, and visualize communications will help analysts diagnose issues and may lead to detection of anomalous activity.
    • Correlate logs from both network and host security devices. By reviewing logs from multiple sources, an organization can better triage an individual event and determine its impact to the organization as a whole.
    • Review both centralized and local log management policies to maximize efficiency and retain historical data. Organizations should retain critical logs for a minimum of 30 days.
  • Deploy signatures to detect and/or block inbound connection from Cobalt Strike servers and other post-exploitation tools.
  • Implement unauthorized execution prevention by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
  • Configure and maintain user and administrative accounts using a strong account management policy.
    • Use administrative accounts on dedicated administration workstations.
    • Limit access to and use of administrative accounts.
    • Use strong passwords. For more information on strong passwords, refer to CISA Tip: Choosing and Protecting Passwords and National Institute of Standards and Technology (NIST) SP 800-63: Digital Identity Guidelines: Authentication and Lifecycle Management.
    • Remove default accounts if unneeded. Change the password of default accounts that are needed.
    • Disable all unused accounts.
  • Implement a user training program and simulated spearphishing attacks to discourage users from visiting malicious websites or opening malicious attachments and to reinforce the appropriate user responses to spearphishing emails.

RESOURCES

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI's 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [email protected]. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [email protected].

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp/.


References

Revisions

  • Initial version: May 28, 2021

This product is provided subject to this Notification and this Privacy & Use policy.

...
