Russian state hackers swap malware with cloud-based attacks

By Vilius Petkauskas, Cybernews

Russian adversaries increasingly focus on targeting the cloud environment, Crowdstrike’s Global Threat Report on Cloud Security revealed.

Fancy Bear, a Russian adversary associated with Russia’s Main Intelligence Directorate (GRU), used to rely on malware-based spear-phishing attacks, the report claims. However, with their tactics exposed by the US Department of Justice (DoJ), hackers have refocused their attention on cloud service providers.

Since Fancy Bear’s primary source of intelligence comes from various credential harvesting practices that allow penetrating target organizations and individuals, it’s no surprise that the main targets are cloud-based email providers.

According to the report, Fancy Bear focused their attention on service providers such as Microsoft 365, Google’s GSuite, as well as webmail providers that individuals usually use.

Meanwhile, Cozy Bear, Russia’s state-sponsored hacker group controlled by the Federal Security service (FSB), has been busy snooping for ways to bypass multifactor authentication (MFA) practices their victims employ.

Report’s authors claim that Cozy Bear has been very effective in successful lateral movement operation within the cloud environments their tools penetrate. Crowdstrike’s researchers noted hackers using authentication cookies that allowed them to slit through MFA restrictions.

With the right keys, hackers manage to access user accounts in possession of enterprise cloud service privileges, allowing further movement deeper into the cloud. Researchers note that high on success, Cozy Bear affiliates will continue to focus on users with admin privileges in cloud environments.


Comments

Post a Comment

Popular posts from this blog

Why remote desktop tools are facing an onslaught of cyber threats

Image
By Solomon Klappholz, IT Pro Hackers are increasingly targeting remote desktop tools in their attacks, new research reveals, prompting warnings for enterprises globally In the era of hybrid work, remote desktop tools have become vital business enablers, but due to their pervasiveness on corporate networks they have become a popular entry point for cyber criminals. If successfully exploited, remote access tools can provide hackers with a direct pathway into a system or network, and once access is gained attackers can move laterally within the network, escalating privileges and maintaining persistence. In an investigation into which remote desktop tools are targeted the most, Jonathan Tanner, senior security researcher at Barracuda Networks, explained that remote desktop software poses a particular challenge to IT teams to secure. “Among the security challenges facing IT teams implementing remote desktop software is that there are many different tools available, each using different and ...
Read more

Ransomware gang starts leaking alleged stolen Change Healthcare data

Image
By Lawrence Abrams,  Bleeping Computer The RansomHub extortion gang has begun leaking what they claim is corporate and patient data stolen from United Health subsidiary Change Healthcare in what has been a long and convoluted extortion process for the company. In February, Change Healthcare suffered a cyberattack that caused massive disruption to the US healthcare system , preventing pharmacies and doctors from billing or sending claims to insurance companies. The attack was ultimately linked to the BlackCat / ALPHV ransomware operation, who later said they stole 6 TB of data during the attack . After facing increased pressure from law enforcement, the BlackCat gang shut down their operation . This occurred amid claims they were pulling an exit scam by stealing a $22 million Change Healthcare ransom payment from the affiliate who conducted the attack. While Change Healthcare has declined to comment on whether it has paid a ransom, the affiliate known as "Notchy" said they ...
Read more

FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks

Image
By Sergiu Gatlan,  Bleeping Computer Today, the FBI, CISA, and the Department of Health and Human Services (HHS) warned U.S. healthcare organizations of targeted ALPHV/Blackcat ransomware attacks. "ALPHV Blackcat affiliates have been observed primarily targeting the healthcare sector," the joint advisory cautions. Today's warning follows an April 2022 FBI flash alert and another advisory issued in December 2023 detailing the BlackCat cybercrime gang's activity since it surfaced in November 2021 as a suspected rebrand of the DarkSide and BlackMatter ransomware groups. The FBI linked BlackCat to over 60 breaches during its first four months of activity (between November 2021 and March 2022) and said the gang has raked in at least $300 million in ransoms from over 1,000 victims until September 2023. "Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized," the three federal agencies warned in today...
Read more