Arthur T Knackerbracket has processed the following story:
One year after the disruptive supply-chain attacks, researchers have observed two new clusters of activity from the Russia-based actors that signal a significant threat may be brewing.
One year after the notorious and far-reaching SolarWinds supply-chain attacks, their orchestrators are on the offensive again. Researchers said they’ve seen the threat group – which Microsoft refers to as “Nobelium” and which is linked to Russia’s spy agency – compromising global business and government targets with novel tactics and custom malware, stealing data and moving laterally across networks.
In a report published Monday, researchers from Mandiant identified two distinct clusters of activity that can be “plausibly” attributed to the threat group, which they track as UNC2452.
Mandiant has tracked the latest activity as UNC3004 and UNC2652 since last year and throughout 2021, observing the compromise of a range of companies that provide technology solutions, cloud and other services, as well as resellers.
Indeed, resellers were the target of a campaign by Nobelium that Microsoft revealed in October, in which the group was seen using credential-stuffing and phishing, as well as API abuse and token theft, to gather legitimate account credentials and privileged access to reseller networks. The ultimate goal of this campaign seemed to be to reach downstream customer networks, researchers said at the time.
Nobelium also engaged in credential theft in April using a backdoor called FoggyWeb to attack Active Directory servers, Microsoft revealed in September.
In the latest clusters observed by Mandiant, stolen credentials also facilitated initial access to the targeted organizations. However, researchers believe the threat actors acquired the credentials from a third party’s info-stealer malware campaign rather than from one of their own.
Attackers have added a number of novel tactics, techniques and procedures (TTPs) to bypass security restrictions within environments, including the extraction of virtual machines to determine internal routing configurations, researchers wrote.
They also have new malware in their arsenal: a new, bespoke downloader that researchers have named Ceeloader. The malware, which is heavily obfuscated, is written in C and can execute shellcode payloads directly in memory, they wrote.
(Score: 0, Insightful) by Anonymous Coward on Thursday December 09 2021, @05:38AM (3 children)
Why would anybody believe this shit when anything can be spoofed?
(Score: 3, Touché) by Mojibake Tengu on Thursday December 09 2021, @06:19AM (2 children)
Because it's the most convenient method to cover Israel and NATO 'allies'.
The edge of 太玄 cannot be defined, for it is beyond every aspect of design
(Score: 1, Funny) by Anonymous Coward on Thursday December 09 2021, @12:12PM (1 child)
That's exactly what the Russians want you to believe!
(Score: 3, Touché) by Mojibake Tengu on Thursday December 09 2021, @02:24PM
Knowing personally some Dutch and Czech state hackers with military backgrounds who pretended to be Russians in the past does not help me debunk such a belief.
The edge of 太玄 cannot be defined, for it is beyond every aspect of design
(Score: 0) by Anonymous Coward on Thursday December 09 2021, @07:50PM
It's not Russia's fault you are criminally negligent whores and slaves. Stop using that ridiculous slaveware, you pitiful fucks. You deserve to be compromised, because you support the enemies of freedom every chance you get. Now that you find out you are also a slave, you want sympathy? Fuck you, bitches.