Just when a threat seemed bad enough, signs emerged that it could return doubled, stronger and stealthier. These are some of the conclusions of a security report detailing the activity of Cozy Bear, also known as Nobelium and one of the main cybercriminal groups active today, with probable links to the Russian government and involvement in last year's disastrous attack on SolarWinds systems.
The publication was made by Mandiant, a company specializing in digital security, and shows that the group continues to evolve its attack vectors while maintaining its focus on suppliers of cloud computing and supply chains. The idea is always the same, using attack tools to, from these networks, gain access to customer environments to steal sensitive data, perform spying tasks, deploy malware and carry out ransomware attacks.
Among these operations, researchers found a new piece of malware, which was named Ceeloader. The malware executes code directly in device memory and evades detection by security software through the use of junk code, all while exploiting Windows APIs to gather information and communicate with command-and-control servers run by the criminals.
Ceeloader has also shown an evolution in Cozy Bear's obfuscation practices, with the use of zombie computer networks, VPNs and Tor networks combined with WordPress sites and legitimate servers on the Azure platform. These serve both to hide the true origin of the attacks and make detection more difficult, and to evade network monitoring, which may let through connections that appear trustworthy.
To make matters worse, Mandiant's report separates Nobelium's activity into two distinct clusters, called UNC3004 and UNC2652, which could indicate either variation within the gang's actions or the existence of separate groups of criminals acting together. In both cases, however, the focus seems to be on information of interest to the Russian government rather than on financial gain.
In addition to the attack on SolarWinds, Cozy Bear is believed to be involved in operations against vaccine development and distribution centers, as well as attacks aimed at official agencies of the United States government. While US and European intelligence agencies point to a relationship with the Russian government, the Kremlin denies any involvement with cybercriminals.
Root of exploitation
The Mandiant report also brings some case studies of attacks carried out by Cozy Bear, which can serve as a warning about preferred vectors and systems. In one case analyzed by the experts, a VPN account with compromised credentials was used for full reconnaissance of a victim's network, leading to the exposure of more accounts and also internal domains, which allowed access to data of interest to the attackers.
In another case, a password-stealing malware, CryptBot, was used to obtain a victim's credentials and access tokens for Microsoft 365 systems, also opening the door to viewing internal documents and data. In both cases, the focus was always on obtaining multiple access vectors, used individually and in different activities, so that the discovery of one does not compromise the others and, above all, the ongoing operation.
Mandiant describes Cozy Bear as one of the most resilient and capable threat actors it has ever faced, but with operations that have flaws and patterns that can be identified and used in defensive operations. On the other hand, the current moment calls for attention, mainly regarding the tools' ability to adapt quickly, much faster than developer updates and security measures.
The report also provides security recommendations for internal networks and infrastructure, as well as indicators of compromise such as the IPs used, VPN systems and the techniques used to evade monitoring.