Tag: USAID | SpinSafe

What Microsoft Officials Know About Russia’s Phishing Hack Targeting USAID

May 31, 2021/in Computer Security

Microsoft says the same group that breached the software company SolarWinds seems to have launched another hack, this time using phishing attacks on a number of human rights agencies, including the U.S. Agency for International Development. Image: J. David Ake/AP

Microsoft officials say hackers linked to the Russian intelligence service, SVR, appear to have launched another supply chain attack — this time on a company that allowed the intruders to slip into the computer networks of a roster of human rights groups and think tanks.

Microsoft said it discovered the breach this week and believes it began with hackers breaking into an email marketing company called Constant Contact, which provides services to, among others, the United States Agency for International Development.

Once they had broken in, the hackers sent out emails that looked like they came from USAID. Those emails contained links, and when the recipients clicked on them, quietly loaded malware into their systems, allowing the hackers full access. They could read emails, steal information and even plant additional malware for use later.

Tom Burt, vice president of customer security and trust at Microsoft, told NPR in an interview that the hackers appeared to be learning as they went along, customizing their malware packages depending on the target. “Even before the malware gets installed,” he said, “they’re doing some things to help them understand the environment that they are going to try to install the malware into, so they can pick the right malware package.”

The reason that’s important is because it is yet another indication that a nation-state actor is involved. As a general matter, common cyber criminals don’t target these kinds of institutions or tailor their malware in this way. Microsoft said about 150 organizations may have fallen prey to the hack, with some 3,000 possible compromised accounts, though they think the number will probably end up much lower than that.

The latest attack follows the discovery earlier this year of a sweeping supply chain hack against a Texas software company called SolarWinds. In that case, hackers linked to the SVR are thought to have slipped into the company’s development…

Source…

Russian hackers used 4 new malware in USAID phishing

May 30, 2021/in Computer Security

Microsoft

Microsoft states that a Russian hacking group used four new malware families in recent phishing attacks impersonating the United States Agency for International Development (USAID).

Thursday night, the Microsoft Threat Intelligence Center (MSTIC) disclosed that the Russian-backed hacking group APT29, also known as Nobelium, had compromised the Contact Contact account for USAID.

Using this legitimate marketing account, the threat actors impersonated USAID in phishing emails sent to approximately 3,000 email accounts at more than 150 different organizations, including government agencies and organizations devoted to international development, humanitarian, and human rights work.

**Targeting phishing emails pretending to be from USAID**

New malware used by Nobelium

In a second blog post released Friday night, Microsoft provides details on four new malware families used by Nobelium in these recent attacks.

The four new families include an HTML attachment named ‘EnvyScout’, a downloader known as ‘BoomBox,’ a loader known as ‘NativeZone’, and a shellcode downloader and launcher named ‘VaporRage.’

EnvyScout

EnvyScout is a malicious HTML/JS file attachment used in spear-phishing emails that attempts to steal the NTLM credentials of Windows accounts and drops a malicious ISO on a victim’s device.

Distributed as a file named NV.html, when opened, the HTML file will attempt to load an image from a file:// URL. When doing this, Windows may send the logged-in user’s Windows NTLM credentials to the remote site, which attackers can capture and brute-force to reveal the plain text password.

**Loading a remote image using the file:// URL**

Microsoft states that the attachment is also used to convert an embedded text blob into a malicious ISO saved as NV.img to the local file system.

**NV.html attachment saving the ISO image**

“At this stage of infection, the user is expected to open the downloaded ISO, NV.img, by double clicking it,” explains Microsoft.

When the ISO image opens, Windows will show the user a shortcut named NV that executes the hidden BOOM.exe, which is part of the new BoomBox malware family described below.

Security researcher Florian Roth discovered…

Source…

Moscow compromises USAID Constant Contact account. Beijing continues to exploit PulseVPN vulnerabilities. Ransomware updates.

May 28, 2021/in Internet Security

Attacks, Threats, and Vulnerabilities

Russia Appears to Carry Out Hack Through System Used by U.S. Aid Agency (NYTimes) Microsoft reported that it had detected the intrusion and that the same hackers behind the earlier SolarWinds attack were responsible.

Microsoft says group behind SolarWinds hack now targeting government agencies, NGOs (Reuters) The group behind the SolarWinds (SWI.N) cyber attack identified late last year is now targeting government agencies, think tanks, consultants, and non-governmental organizations, Microsoft Corp (MSFT.O) said on Thursday.

Russian hackers launch major cyberattack through U.S. aid agency’s email system, Microsoft says (CNBC) The Russian hackers thought to be behind the catastrophic SolarWinds attack last year have launched another major cyberattack, Microsoft warned.

Russia-linked SolarWinds hackers target email accounts used by State Department aid agency (USA TODAY) Hackers with suspected ties to Moscow launch new assaults on email accounts used by the State Department’s international aid agency, Microsoft says.

Cozy Bear revisits one of its greatest hits, researchers say: election skulduggery (CyberScoop) It looks like the Russian government-linked hacking group Cozy Bear is back in the election trickery business. The security firm Volexity publicized a spearphishing campaign on Thursday that it identified only days ago, a scheme that uses an election fraud document as a lure.

Microsoft: SolarWinds hackers target 150 orgs with phishing (The Independent) Microsoft says the state-backed Russian cyber spies behind the SolarWinds hacking campaign launched a targeted spear-phishing assault on U.S. and foreign government agencies and think tanks this week

Another Nobelium Cyberattack (Microsoft On the Issues) This week, Microsoft observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants and non-governmental organizations. These attacks appear to be a continuation of Nobelium’s intelligence gathering efforts.

Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns (Volexity) On May 25, 2021, Volexity identified a phishing campaign targeting multiple organizations based in the…

Source…

SolarWinds hackers, linked to Russia, target USAID email accounts

May 28, 2021/in Computer Security

Hackers with suspected ties to the Russian government launched new assaults on human rights groups and government agencies, including email accounts used by the State Department’s international aid agency, Microsoft revealed late Thursday.

Microsoft Vice President Tom Burt disclosed the breach in a blog post, saying the “wave of attacks” targeted about 3,000 email accounts across 24 countries, at more than 150 organizations involved in international development and humanitarian work.

The U.S. received the largest share of attacks, Burt said.

The discovery of the cyberattack comes just a few weeks before President Joe Biden is due to meet with Russia’s President Vladimir Putin at a summit in Geneva and adds to the growing list of complaints Biden is likely to bring up with Putin in Switzerland.

Geneva summit: Biden to meet with Putin on June 16 in Switzerland

What is Nobelium?

“These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts,” Burt, who is Microsoft’s vice president of customer security and trust, wrote in the post.

Microsoft said Nobelium is the same group responsible for the SolarWinds hack, a sweeping cyberattack that compromised at least half a dozen U.S. federal agencies including the Department of Homeland Security and Energy Department, as well as thousands of companies in the private sector. U.S. intelligence agencies believe the SolarWinds hack is the work of SVR, Russia’s Foreign Intelligence Service.

Source…

Tag Archive for: USAID

New malware used by Nobelium

EnvyScout

Attacks, Threats, and Vulnerabilities