Lucy @lucy

OTX BotRussian State Actors: Development in Group AttributionsThis analysis explores the evolution of Russian state-backed cyber actors and their operations. It highlights the activities of several prominent groups, including UNC2589, APT44 (Sandworm), APT29, and APT28. These actors, associated with various Russian intelligence agencies, have been involved in global espionage, sabotage, and influence operations. The report details their targets, which include government organizations, critical infrastructure, and diplomatic entities across multiple countries. It also describes the groups' adaptation to new security measures and their use of advanced techniques such as zero-day exploits, social engineering, and living off the land tactics. The analysis emphasizes the importance of understanding these actors' methods for improving global cybersecurity resilience.Pulse ID: 67cc2ca27d4672d04ef4eb01 Pulse Link: <a href="https://otx.alienvault.com/pulse/67cc2ca27d4672d04ef4eb01" rel="nofollow noopener" translate="no" target="_blank">https://otx.alienvault.com/pulse/67cc2ca27d4672d04ef4eb01</a> Pulse Author: AlienVault Created: 2025-03-08 11:40:18Be advised, this data is unverified and should be considered preliminary. Always do further verification.<a href="https://social.raytec.co/tags/APT28" class="mention hashtag" rel="nofollow noopener" target="_blank">#APT28</a> <a href="https://social.raytec.co/tags/APT29" class="mention hashtag" rel="nofollow noopener" target="_blank">#APT29</a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberSecurity</a> <a href="https://social.raytec.co/tags/Espionage" class="mention hashtag" rel="nofollow noopener" target="_blank">#Espionage</a> <a href="https://social.raytec.co/tags/Government" class="mention hashtag" rel="nofollow noopener" target="_blank">#Government</a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener" target="_blank">#ICS</a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#InfoSec</a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener" target="_blank">#OTX</a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener" target="_blank">#OpenThreatExchange</a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#RAT</a> <a href="https://social.raytec.co/tags/Russia" class="mention hashtag" rel="nofollow noopener" target="_blank">#Russia</a> <a href="https://social.raytec.co/tags/Sandworm" class="mention hashtag" rel="nofollow noopener" target="_blank">#Sandworm</a> <a href="https://social.raytec.co/tags/SocialEngineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#SocialEngineering</a> <a href="https://social.raytec.co/tags/Worm" class="mention hashtag" rel="nofollow noopener" target="_blank">#Worm</a> <a href="https://social.raytec.co/tags/ZeroDay" class="mention hashtag" rel="nofollow noopener" target="_blank">#ZeroDay</a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener" target="_blank">#bot</a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener" target="_blank">#AlienVault</a>

Just Another Blue TeamerHappy Friday everyone!A Joint Advisory from the National Security Agency, Federal Bureau of Investigation (FBI), Cyber National Mission Force, and the National Cyber Security Centre provides updates on the Russian Federation's Foreign Intelligence Service, or <a href="https://ioc.exchange/tags/SVR" class="mention hashtag" rel="nofollow noopener" target="_blank">#SVR</a>. According to the advisory, <a href="https://ioc.exchange/tags/APT29" class="mention hashtag" rel="nofollow noopener" target="_blank">#APT29</a> (a.k.a Midnight Blizzard, Cozy Bear, and the Dukes) has targeted the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations. They aim to exploit software vulnerabilities for initial access and escalate privileges. They also utilize spearphishing campaigns, password spraying, abuse of supply chain and trusted relationships. They also utilize custom malware and living-off-the-land (LOLBINs) techniques for multiple techniques. The report includes a list of <a href="https://ioc.exchange/tags/CVEs" class="mention hashtag" rel="nofollow noopener" target="_blank">#CVEs</a> that APT29 has been observed exploiting and attach the vendor and product that are effected with details that describe the vulnerability along with a section of mitigations that your organization can take to increase your security posture. If you are looking for behaviors that are attributed to APT29, look no further than the MITRE ATT&CK Matrix! This resource has collected historic <a href="https://ioc.exchange/tags/TTPs" class="mention hashtag" rel="nofollow noopener" target="_blank">#TTPs</a> and behaviors and referenced them as well. So while you are working on hardening your environment you can also hunt for their activity as well! Enjoy and Happy Hunting! Article Source: Update on SVR Cyber Operations and Vulnerability Exploitation <a href="https://www.ic3.gov/Media/News/2024/241010.pdf" rel="nofollow noopener" translate="no" target="_blank">https://www.ic3.gov/Media/News/2024/241010.pdf</a>Mitre source: <a href="https://attack.mitre.org/groups/G0016/" rel="nofollow noopener" translate="no" target="_blank">https://attack.mitre.org/groups/G0016/</a>Intel 471 <a href="https://ioc.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#ThreatIntel</a> <a href="https://ioc.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener" target="_blank">#ThreatHunting</a> <a href="https://ioc.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener" target="_blank">#ThreatDetection</a> <a href="https://ioc.exchange/tags/HappyHunting" class="mention hashtag" rel="nofollow noopener" target="_blank">#HappyHunting</a> <a href="https://ioc.exchange/tags/readoftheday" class="mention hashtag" rel="nofollow noopener" target="_blank">#readoftheday</a> <a href="https://ioc.exchange/tags/huntoftheday" class="mention hashtag" rel="nofollow noopener" target="_blank">#huntoftheday</a> <a href="https://ioc.exchange/tags/gethunting" class="mention hashtag" rel="nofollow noopener" target="_blank">#gethunting</a> Cyborg Security, Now Part of Intel 471

Prof. Dr. Dennis-Kenji KipkerWie war das nochmal mit dem Thema "staatliches <a href="https://chaos.social/tags/Schwachstellenmanagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#Schwachstellenmanagement</a>"? Für diese Erkenntnis hätten wir keine Jahre gebraucht:"Russische <a href="https://chaos.social/tags/Hacker" class="mention hashtag" rel="nofollow noopener" target="_blank">#Hacker</a> nutzen die gleichen Lücken wie <a href="https://chaos.social/tags/Staatstrojaner" class="mention hashtag" rel="nofollow noopener" target="_blank">#Staatstrojaner</a>""<a href="https://chaos.social/tags/APT29" class="mention hashtag" rel="nofollow noopener" target="_blank">#APT29</a> habe dabei "identische oder auffallend ähnliche" Exploits genutzt, wie die Spysoftware-Anbieter Intellexa Alliance und <a href="https://chaos.social/tags/NSO" class="mention hashtag" rel="nofollow noopener" target="_blank">#NSO</a> Group."<a href="https://futurezone.at/netzpolitik/russische-hacker-staatstrojaner-messenger-ueberwachung-sicherheit-nso-pegasus-predator-apt29/402941959" rel="nofollow noopener" translate="no" target="_blank">https://futurezone.at/netzpolitik/russische-hacker-staatstrojaner-messenger-ueberwachung-sicherheit-nso-pegasus-predator-apt29/402941959</a>

Marcel SIneM(S)USCyberkriminelle nehmen <a href="https://social.tchncs.de/tags/Spyware" class="mention hashtag" rel="nofollow noopener" target="_blank">#Spyware</a>-Hersteller als Vorbild bei Angriff auf Browser | Security <a href="https://www.heise.de/news/Cyberkriminelle-nehmen-Spyware-Hersteller-als-Vorbild-bei-Angriff-auf-Browser-9852070.html" rel="nofollow noopener" translate="no" target="_blank">https://www.heise.de/news/Cyberkriminelle-nehmen-Spyware-Hersteller-als-Vorbild-bei-Angriff-auf-Browser-9852070.html</a> <a href="https://social.tchncs.de/tags/CyberCrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberCrime</a> <a href="https://social.tchncs.de/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#Malware</a> <a href="https://social.tchncs.de/tags/APT29" class="mention hashtag" rel="nofollow noopener" target="_blank">#APT29</a> <a href="https://social.tchncs.de/tags/CozyBear" class="mention hashtag" rel="nofollow noopener" target="_blank">#CozyBear</a>

Chuck DarwinRussian government hackers are using exploits that are “identical or strikingly similar” to those previously made by spyware makers Intellexa and NSO Group.In a blog post on Thursday, Google said it is not sure how the Russian government acquired the exploits, but said this is an example of how exploits developed by spyware makers can end up in the hands of “dangerous threat actors.”In this case, Google says the threat actors are <a href="https://c.im/tags/APT29" class="mention hashtag" rel="nofollow noopener" target="_blank">#APT29</a>, a group of hackers widely attributed to Russia’s Foreign Intelligence Service, or the <a href="https://c.im/tags/SVR" class="mention hashtag" rel="nofollow noopener" target="_blank">#SVR</a>. APT29 is a highly capable group of hackers, known for its long-running and persistent campaigns aimed at conducting espionage and data theft against a range of targets, including tech giants Microsoft and SolarWinds, as well as foreign governments.Google said it found the hidden exploit code embedded on Mongolian government websites between November 2023 and July 2024. During this time, anyone who visited these sites using an iPhone or Android device could have had their phone hacked and data stolen, including passwords, in what is known as a “watering hole” attack.<a href="https://techcrunch.com/2024/08/29/russian-government-hackers-found-using-exploits-made-by-spyware-companies-nso-and-intellexa/" rel="nofollow noopener" translate="no" target="_blank">https://techcrunch.com/2024/08/29/russian-government-hackers-found-using-exploits-made-by-spyware-companies-nso-and-intellexa/</a>

Richi JenningsRemote access service hacked—by <a href="https://vmst.io/tags/APT29" class="mention hashtag" rel="nofollow noopener" target="_blank">#APT29</a>, says <a href="https://vmst.io/tags/TeamViewer" class="mention hashtag" rel="nofollow noopener" target="_blank">#TeamViewer</a>.TeamViewer says “a compromised employee account” led to a <a href="https://vmst.io/tags/Russian" class="mention hashtag" rel="nofollow noopener" target="_blank">#Russian</a> breach. While the company makes reassuring noises about its segmented network, it also said the tool was installed on more than 2.5 billion devices.And that’s a worry, despite the calming PR. In <a href="https://vmst.io/tags/SBBlogwatch" class="mention hashtag" rel="nofollow noopener" target="_blank">#SBBlogwatch</a>, we wonder why TeamViewer didn’t enforce <a href="https://vmst.io/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFA</a> for employees (see also: Snowflake, Okta, Uber, etc., etc.) At @TechstrongGroup’s @SecurityBlvd: <a href="https://securityboulevard.com/2024/07/teamviewer-apt29-richixbw/?utm_source=richisoc&utm_medium=social&utm_content=richisoc&utm_campaign=richisoc" rel="nofollow noopener" translate="no" target="_blank">https://securityboulevard.com/2024/07/teamviewer-apt29-richixbw/?utm_source=richisoc&utm_medium=social&utm_content=richisoc&utm_campaign=richisoc</a>

Marcel SIneM(S)US<a href="https://social.tchncs.de/tags/TeamViewer" class="mention hashtag" rel="nofollow noopener" target="_blank">#TeamViewer</a>-Angriff: Die Spur führt nach <a href="https://social.tchncs.de/tags/Russland" class="mention hashtag" rel="nofollow noopener" target="_blank">#Russland</a> 🇷🇺 | Security <a href="https://www.heise.de/news/TeamViewer-Angriff-Die-Spur-fuehrt-nach-Russland-9782630.html" rel="nofollow noopener" translate="no" target="_blank">https://www.heise.de/news/TeamViewer-Angriff-Die-Spur-fuehrt-nach-Russland-9782630.html</a> <a href="https://social.tchncs.de/tags/Russia" class="mention hashtag" rel="nofollow noopener" target="_blank">#Russia</a> 🇷🇺 <a href="https://social.tchncs.de/tags/APT29" class="mention hashtag" rel="nofollow noopener" target="_blank">#APT29</a> <a href="https://social.tchncs.de/tags/CozyBear" class="mention hashtag" rel="nofollow noopener" target="_blank">#CozyBear</a> <a href="https://social.tchncs.de/tags/MidnightBlizzard" class="mention hashtag" rel="nofollow noopener" target="_blank">#MidnightBlizzard</a> <a href="https://social.tchncs.de/tags/CyberCrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberCrime</a>

jbz🪆 TeamViewer links corporate cyberattack to Russian state hackers - Bleeping Computer"Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard" <a href="https://www.bleepingcomputer.com/news/security/teamviewer-links-corporate-cyberattack-to-russian-state-hackers/" rel="nofollow noopener" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/teamviewer-links-corporate-cyberattack-to-russian-state-hackers/</a><a href="https://indieweb.social/tags/TeamViewer" class="mention hashtag" rel="nofollow noopener" target="_blank">#TeamViewer</a> <a href="https://indieweb.social/tags/Russia" class="mention hashtag" rel="nofollow noopener" target="_blank">#Russia</a> <a href="https://indieweb.social/tags/APT29" class="mention hashtag" rel="nofollow noopener" target="_blank">#APT29</a> <a href="https://indieweb.social/tags/MidnightBlizzard" class="mention hashtag" rel="nofollow noopener" target="_blank">#MidnightBlizzard</a> <a href="https://indieweb.social/tags/Hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#Hacking</a> <a href="https://indieweb.social/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cybersecurity</a> <a href="https://indieweb.social/tags/Infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#Infosec</a>

hackmacFernwartungszugänge sind regelmäßig Thema, wenn es um Cyber-Sicherheit von Unternehmen geht. Sehr häufig nutzen Unternehmen den TeamViewer. Dort hat es wohl einen Angriff der russischen Hackergruppe Cozy Bear bzw. APT29 gegeben. Wie weitreichend der Angriff war, wird gerade untersucht. <a href="https://mastodon.social/tags/teamviewer" class="mention hashtag" rel="nofollow noopener" target="_blank">#teamviewer</a> <a href="https://mastodon.social/tags/hackerangriff" class="mention hashtag" rel="nofollow noopener" target="_blank">#hackerangriff</a> <a href="https://mastodon.social/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybercrime</a> <a href="https://mastodon.social/tags/fernwartung" class="mention hashtag" rel="nofollow noopener" target="_blank">#fernwartung</a> <a href="https://mastodon.social/tags/cozybear" class="mention hashtag" rel="nofollow noopener" target="_blank">#cozybear</a> <a href="https://mastodon.social/tags/apt29" class="mention hashtag" rel="nofollow noopener" target="_blank">#apt29</a> <a href="https://mastodon.social/tags/russia" class="mention hashtag" rel="nofollow noopener" target="_blank">#russia</a> <a href="https://mastodon.social/tags/russland" class="mention hashtag" rel="nofollow noopener" target="_blank">#russland</a><a href="https://www.welt.de/newsticker/dpa_nt/infoline_nt/netzwelt/article252248950/Cyberangriff-auf-Fernwartungssoftware-Anbieter-Teamviewer.html" rel="nofollow noopener" translate="no" target="_blank">https://www.welt.de/newsticker/dpa_nt/infoline_nt/netzwelt/article252248950/Cyberangriff-auf-Fernwartungssoftware-Anbieter-Teamviewer.html</a>

Tarnkappe.info📬 Sicherheitsvorfall bei TeamViewer: Steckt der russische Geheimdienst dahinter? <a href="https://social.tchncs.de/tags/ITSicherheit" class="mention hashtag" rel="nofollow noopener" target="_blank">#ITSicherheit</a> <a href="https://social.tchncs.de/tags/APT29" class="mention hashtag" rel="nofollow noopener" target="_blank">#APT29</a> <a href="https://social.tchncs.de/tags/CozyBear" class="mention hashtag" rel="nofollow noopener" target="_blank">#CozyBear</a> <a href="https://social.tchncs.de/tags/HealthISAC" class="mention hashtag" rel="nofollow noopener" target="_blank">#HealthISAC</a> <a href="https://social.tchncs.de/tags/NCCGroup" class="mention hashtag" rel="nofollow noopener" target="_blank">#NCCGroup</a> <a href="https://social.tchncs.de/tags/Sicherheitsvorfall" class="mention hashtag" rel="nofollow noopener" target="_blank">#Sicherheitsvorfall</a> <a href="https://social.tchncs.de/tags/TeamViewer" class="mention hashtag" rel="nofollow noopener" target="_blank">#TeamViewer</a> <a href="https://sc.tarnkappe.info/ce70e5" rel="nofollow noopener" translate="no" target="_blank">https://sc.tarnkappe.info/ce70e5</a>

Not SimonSplunk provides a detailed analysis of the tactics, techniques, and procedures (TTPs) employed by APT29 in the campaign targeting German political parties with the new WINELOADER backdoor. APT29, aka Midnight Blizzard and Cozy Bear, is publicly attributed to Russian Foreign Intelligence Service (SVR). IOC and Yara rules provided.🔗 <a href="https://www.splunk.com/en_us/blog/security/wineloader-analysis.html" rel="nofollow noopener" translate="no" target="_blank">https://www.splunk.com/en_us/blog/security/wineloader-analysis.html</a><a href="https://infosec.exchange/tags/APT29" class="mention hashtag" rel="nofollow noopener" target="_blank">#APT29</a> <a href="https://infosec.exchange/tags/MidnightBlizzard" class="mention hashtag" rel="nofollow noopener" target="_blank">#MidnightBlizzard</a> <a href="https://infosec.exchange/tags/CozyBear" class="mention hashtag" rel="nofollow noopener" target="_blank">#CozyBear</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/WINELOADER" class="mention hashtag" rel="nofollow noopener" target="_blank">#WINELOADER</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/IOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#IOC</a> <a href="https://infosec.exchange/tags/Russia" class="mention hashtag" rel="nofollow noopener" target="_blank">#Russia</a> <a href="https://infosec.exchange/tags/cyberespionage" class="mention hashtag" rel="nofollow noopener" target="_blank">#cyberespionage</a>

Not SimonHot off the press! CISA issues Emergency Directive (ED) 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System. Affected agencies are required to take immediate remediation action for tokens, passwords, API keys, or other authentication credentials known or suspected to be compromised; identify the full content of the agency correspondence with compromised Microsoft accounts, etc. 🔗 <a href="https://www.cisa.gov/news-events/directives/ed-24-02-mitigating-significant-risk-nation-state-compromise-microsoft-corporate-email-system" rel="nofollow noopener" translate="no" target="_blank">https://www.cisa.gov/news-events/directives/ed-24-02-mitigating-significant-risk-nation-state-compromise-microsoft-corporate-email-system</a>cc: <a href="https://infosec.exchange/@briankrebs" class="u-url mention" rel="nofollow noopener" target="_blank">@briankrebs</a> <a href="https://mastodon.social/@campuscodi" class="u-url mention" rel="nofollow noopener" target="_blank">@campuscodi</a> <a href="https://infosec.exchange/tags/Russia" class="mention hashtag" rel="nofollow noopener" target="_blank">#Russia</a> <a href="https://infosec.exchange/tags/CISA" class="mention hashtag" rel="nofollow noopener" target="_blank">#CISA</a> <a href="https://infosec.exchange/tags/cyberespionage" class="mention hashtag" rel="nofollow noopener" target="_blank">#cyberespionage</a> <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#Microsoft</a> <a href="https://infosec.exchange/tags/APT29" class="mention hashtag" rel="nofollow noopener" target="_blank">#APT29</a>

WinFuture.deExperten des US-IT-Sicherheitsunternehmens <a href="https://mastodon.social/tags/Mandiant" class="mention hashtag" rel="nofollow noopener" target="_blank">#Mandiant</a> haben entdeckt, dass die Hackergruppe <a href="https://mastodon.social/tags/APT29" class="mention hashtag" rel="nofollow noopener" target="_blank">#APT29</a> zum ersten Mal politische Parteien in Deutschland ins Visier nimmt. Geködert wird mit einem Essen bei der <a href="https://mastodon.social/tags/CDU" class="mention hashtag" rel="nofollow noopener" target="_blank">#CDU</a>. <a href="https://winfuture.de/news,141882.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia" rel="nofollow noopener" translate="no" target="_blank">https://winfuture.de/news,141882.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia</a>

Bodo MenkeFive Eyes warning, that APT29 is going after MS customersWhy do I need a Wapo article to stumble over it? Were there any alerts in EU I missed (BSI?)? Any news on this already in European media outlets?„Microsoft attributed the ongoing attacks to an SVR group that it calls Midnight Blizzard and that other security companies refer to as APT29 or Cozy Bear.“<a href="https://hessen.social/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#Microsoft</a> <a href="https://hessen.social/tags/M365" class="mention hashtag" rel="nofollow noopener" target="_blank">#M365</a> <a href="https://hessen.social/tags/O365" class="mention hashtag" rel="nofollow noopener" target="_blank">#O365</a> <a href="https://hessen.social/tags/EntraID" class="mention hashtag" rel="nofollow noopener" target="_blank">#EntraID</a> <a href="https://hessen.social/tags/AzureAD" class="mention hashtag" rel="nofollow noopener" target="_blank">#AzureAD</a> <a href="https://hessen.social/tags/Russia" class="mention hashtag" rel="nofollow noopener" target="_blank">#Russia</a> <a href="https://hessen.social/tags/SVR" class="mention hashtag" rel="nofollow noopener" target="_blank">#SVR</a> <a href="https://hessen.social/tags/APT29" class="mention hashtag" rel="nofollow noopener" target="_blank">#APT29</a> <a href="https://hessen.social/tags/MidnightBlizzard" class="mention hashtag" rel="nofollow noopener" target="_blank">#MidnightBlizzard</a> <a href="https://infosec.exchange/@JosephMenn/112062526327167579" rel="nofollow noopener" translate="no" target="_blank">https://infosec.exchange/@JosephMenn/112062526327167579</a>

Recent searches

Search options

Administered by:

Server stats:

#apt29