Global cyber security authorities issue advisory on APT29's advanced cloud exploitation tactics
The UK National Cyber Security Centre (NCSC), alongside international partners, has issued a detailed advisory on the tactics, techniques, and procedures (TTPs) of APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear. The group is suspected to be a part of the Russian SVR intelligence services, as agreed upon by the US NSA, CISA, CNMF, FBI, ASD’s ACSC, CCCS, and the New Zealand NCSC.
APT29 has been implicated in cyber espionage activities targeting a variety of sectors, including governmental, think tank, healthcare, energy, aviation, education, law enforcement, and military organisations for intelligence gains.
This advisory highlights APT29's shift towards cloud environments as organisations modernise their infrastructure. The group has adapted its TTPs to target cloud services directly, moving away from traditional software vulnerability exploitation.
Tactics such as brute forcing, password spraying, and exploiting service and dormant accounts have been observed. Additionally, APT29 has utilized cloud-based token authentication and bypassed multi-factor authentication (MFA) through techniques like 'MFA bombing'. Registering new devices on cloud tenants and using residential proxies to mask malicious internet traffic are also part of their evolved strategies.
The advisory emphasises the importance of cyber security fundamentals in preventing access by sophisticated threats like APT29. It advises organisations to protect initial access points into cloud infrastructures and suggests that following the outlined mitigations can strengthen defenses against such actors. The report concludes that preventing initial access by APT29 is crucial, as post-compromise, the actor can deploy advanced capabilities, highlighting the significance of guarding against these initial access TTPs for network defenders.
FBI, CISA, and HHS issue alert on ALPHV/Blackcat Ransomware targeting U.S. healthcare sector
On Tuesday, joint advisory was issued from the FBI, CISA, and the Department of Health and Human Services (HHS) highlighting the threat of ALPHV/Blackcat ransomware attacks, focusing on the healthcare sector in the U.S.
This alert builds on previous warnings, showcasing the persistent threat posed by the BlackCat cybercrime gang, believed to be an evolution of the DarkSide and BlackMatter groups. Since its emergence in November 2021, BlackCat was linked to over 60 breaches in its first four months and is reported to have extorted at least $300 million from more than 1,000 victims by September 2023.
The advisory indicates that the healthcare sector has been notably targeted since mid-December 2023, following the ALPHV Blackcat administrator's encouragement for affiliates to focus on hospitals. This strategic targeting comes after operational actions against the group's infrastructure. The federal agencies have emphasised the importance of implementing cyber security measures to mitigate the risks and effects of such ransomware and data extortion incidents.
Furthermore, the advisory sheds light on the BlackCat ransomware's recent tactics, including exploiting the ScreenConnect auth bypass vulnerability (CVE-2024-1709) for network access. This method was reportedly used in an attack on UnitedHealth Group's subsidiary Optum, impacting Change Healthcare's operations. Despite disruptions to the BlackCat gang's infrastructure by law enforcement in December, the group has managed to continue its operations, indicating a resilient and adaptable threat landscape. The U.S. State Department has offered substantial rewards for information leading to the apprehension of the gang's leaders or associates, underscoring the severity of the threat posed by BlackCat to the healthcare sector and beyond.
LockBit Ransomware Rebounds with New Leak Site After Global Law Enforcement Takedown
Following the significant law enforcement takedown on February 19th, which claimed to have disrupted the LockBit ransomware operation across North America, Europe, and Asia, the group has launched a new leak site, signalling a rapid comeback.
The operation seized 34 servers, took over Tor-based leak sites, froze cryptocurrency accounts, and resulted in the arrest of two individuals suspected of involvement with LockBit. Authorities also acquired 1,000 decryption keys to aid victims in data recovery without paying ransoms. In response to these setbacks, the US government has offered substantial rewards for information leading to the capture of LockBit leaders and affiliates.
Despite these challenges, "LockBitSupp," an individual associated with the ransomware-as-a-service (RaaS), announced the restoration of their infrastructure and invited affiliates to rejoin. The new leak site lists hundreds of victims and contains a message from LockBitSupp discussing the takedown's details and their plans to enhance the operation's security and decentralisation. However, the future of LockBit remains uncertain, with declining affiliate interest and technical issues plaguing the group, alongside competition from other cybercrime entities.
ThyssenKrupp Automotive Division Hit by Cyberattack, Initiates Swift Containment Measures
ThyssenKrupp AG, a leading global steel manufacturer, confirmed a cyber security breach within its Automotive division, leading to a temporary shutdown of its IT systems to mitigate the attack. The incident, which targeted the Automotive Body Solutions unit, was swiftly identified by the company's IT security team, allowing for immediate containment measures. Although specific systems and applications were taken offline to prevent further unauthorised access, ThyssenKrupp assured that the breach was confined to the automotive sector and did not affect its other business segments. The company's prompt response aims to minimize disruption and ensure a quick return to normal operations.
Despite previous cyberattacks targeting ThyssenKrupp for espionage and operational disruption, the recent breach's nature and the responsible parties remain unclear.
RCMP website temporarily brought down by cyber attack
The Royal Canadian Mounted Police (RCMP) recently experienced a data breach that led to the temporary unavailability of its website. Despite this cyber security incident, the RCMP assures that its operations remain unaffected and there is no imminent risk to Canadian citizens. Following the breach, the RCMP promptly issued a notification to its employees to detail the circumstances of the incident.
A spokesperson for the RCMP also confirmed the breach to the media, emphasizing the organisation's quick response to manage the situation. The RCMP's statement highlights their commitment to maintaining the safety and security of Canadians, indicating that the breach has not compromised their ability to protect and serve the public.
