APT29 Targets French and European Diplomatic Entities in Persistent Cyberattacks – Active IOCs – Rewterz


Analysis Summary

The French information security agency ANSSI reported that Russia-linked APT group APT29, also known as Nobelium, Cozy Bear, and other aliases, has been targeting French diplomatic entities. Despite grouping these attacks under Nobelium, ANSSI differentiates between threat clusters, including one named Dark Halo responsible for the 2020 SolarWinds attack.

APT29’s campaigns primarily target Western diplomatic entities, but recent reports indicate that several IT companies were also attacked in late 2023 and 2024. The agency’s report draws on elements collected by ANSSI, evidence shared by national partners, and publicly available reporting, and highlights phishing campaigns aimed at French public and diplomatic entities for the purpose of gathering strategic intelligence.

The report details how APT29 operates by using compromised legitimate email accounts of diplomatic staff to conduct phishing campaigns against diplomatic institutions, embassies, and consulates. This method, tracked as the “Diplomatic Orbiter” campaign, involves attackers forging lure documents aimed at diplomatic staff. The goal is to deliver custom loaders that drop post-exploitation tools such as Cobalt Strike or Brute Ratel C4, enabling network access, lateral movement, payload deployment, persistence, and intelligence exfiltration.

ANSSI noted specific incidents where APT29 targeted French public organizations with phishing emails from compromised foreign institutions. For example, from February to May 2021, APT29 operators exploited compromised email accounts of the French Ministry of Culture and the National Agency for Territorial Cohesion (ANCT) to send phishing attachments titled “Strategic Review”.

Further attacks followed in March 2022, when a European embassy in South Africa received a phishing email from a compromised French diplomat’s account. In April and May 2022, phishing messages were sent to the French Ministry of Foreign Affairs using themes related to Ukrainian embassy closures and meetings with Portuguese ambassadors.

Recent activity observed by ANSSI shows a high tempo of APT29 operations amid geopolitical tensions, particularly Russia’s aggression against Ukraine. Notable incidents include phishing campaigns targeting European embassies in Kyiv, including the French embassy; emails about a “Diplomatic car for sale” in May 2023; and an attempted compromise of the French Embassy in Romania.

APT29’s consistent tactics and persistent targeting of government and diplomatic entities pose significant national security concerns, especially as these operations potentially bolster the group’s offensive capabilities and the threat it represents to French and European diplomatic interests.

Impact

  • Sensitive Data Theft
  • Identity Theft
  • Cyber Espionage

Indicators of Compromise

Domain Name

  • siestakeying.com
  • waterforvoiceless.org

MD5

  • 8bd528d2b828c9289d9063eba2dc6aa0
  • efafcd00b9157b4146506bd381326f39
  • 7a465344a58a6c67d5a733a815ef4cb7

SHA-256

  • d0a8fa332950b72968bdd1c8a1a0824dd479220d044e8c89a7dea4434b741750
  • a0f183ea54cb25dd8bdba586935a258f0ecd3cba0d94657985bb1ea02af8d42c
  • da72f270c60e07101368dfa087ad675ccaf0d5f167cc5cb50629a3ffa4e5399b

SHA-1

  • 5d3f3113ef76af7c1a2447d35e8b09bd270b461e
  • 5b6b25012fa541a227e1c20d9f3004ce4e7d4aee
  • 30b2eb1fe6130b5a7f96ab208385d1c85d3ea657

URL

  • https://siestakeying.com/auth.php
  • https://waterforvoiceless.org/util.php
  • https://waterforvoiceless.org/invite.php

Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Apply the latest security patches and updates to the email server software and associated components to address any vulnerabilities that may have been exploited by APT29. Also, prioritize patching known exploited vulnerabilities and zero-days.
  • Perform comprehensive security audits on the email server infrastructure to identify and address any potential weaknesses. This includes reviewing server configurations, access controls, and encryption protocols to ensure they meet industry best practices.
  • Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
  • Enable 2FA for user accounts on the email server to add an extra layer of security. This prevents unauthorized access even if usernames and passwords are compromised.
  • Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
  • Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This limits the lateral movement of attackers in case of a breach and reduces the impact of potential future attacks.
  • Implement a regular backup strategy for email servers and critical data. Ensure that backups are stored securely and regularly tested for data restoration.
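As an added illustration of the “search for indicators of compromise in your environment” step (example code written for this page, not part of the Rewterz advisory), the following Python loads the domains, URLs and file hashes listed above and matches them against a constructed proxy log and against file contents. The log format (epoch, client IP, method, URL, status) and the sample lines are assumptions.

```python
import hashlib
from urllib.parse import urlparse

# Network and file indicators listed in the advisory above.
DOMAINS = {"siestakeying.com", "waterforvoiceless.org"}
URLS = {
    "https://siestakeying.com/auth.php",
    "https://waterforvoiceless.org/util.php",
    "https://waterforvoiceless.org/invite.php",
}
HASHES = {  # MD5, SHA-1 and SHA-256 values from the advisory, lower-case hex
    "8bd528d2b828c9289d9063eba2dc6aa0",
    "efafcd00b9157b4146506bd381326f39",
    "7a465344a58a6c67d5a733a815ef4cb7",
    "5d3f3113ef76af7c1a2447d35e8b09bd270b461e",
    "5b6b25012fa541a227e1c20d9f3004ce4e7d4aee",
    "30b2eb1fe6130b5a7f96ab208385d1c85d3ea657",
    "d0a8fa332950b72968bdd1c8a1a0824dd479220d044e8c89a7dea4434b741750",
    "a0f183ea54cb25dd8bdba586935a258f0ecd3cba0d94657985bb1ea02af8d42c",
    "da72f270c60e07101368dfa087ad675ccaf0d5f167cc5cb50629a3ffa4e5399b",
}

# Constructed sample proxy log (not real traffic), one request per line: "epoch client method url status".
SAMPLE_LOG = """\
1719216001.123 10.0.0.5 GET https://www.example.org/index.html 200
1719216002.456 10.0.0.7 POST https://waterforvoiceless.org/invite.php 200
1719216003.789 10.0.0.7 GET https://cdn.example.net/asset.js 304
1719216004.012 10.0.0.9 GET http://siestakeying.com:8443/auth.php 200
"""

def match_log(text):
    """Return one hit per log line whose URL is a listed URL or whose host is (a subdomain of) a listed domain."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of aborting the whole scan
        url = parts[3]
        host = (urlparse(url).hostname or "").lower()  # strips scheme, port and path
        if url in URLS:  # exact match on a listed C2 URL
            hits.append({"line": lineno, "client": parts[1], "indicator": url, "kind": "url"})
        elif host in DOMAINS or any(host.endswith("." + d) for d in DOMAINS):
            hits.append({"line": lineno, "client": parts[1], "indicator": host, "kind": "domain"})
    return hits

def hash_matches(data):
    """Names of the algorithms (md5/sha1/sha256) under which data hashes to a listed IOC."""
    return [a for a in ("md5", "sha1", "sha256") if hashlib.new(a, data).hexdigest() in HASHES]
```

To sweep a host, call hash_matches on the bytes of each file of interest and match_log on exported proxy or DNS logs; a hit identifies the client and the indicator to pivot on during triage.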

Source: https://www.rewterz.com/threat-advisory/apt29-targets-french-and-european-diplomatic-entities-in-persistent-cyberattacks-active-iocs