According to the NKTsKI, a CERT-like arm of the FSB, an entity believed to have acted in the interest of a foreign state, attacked Rostelecom-Solar, the cybersecurity division of the telecom company Rostelecom. According to the report, the unnamed actors were able to collect confidential information from mail servers, document management servers, and various workstations. Once the attackers landed on the systems, the deployment of two attack tools called Mail-O and Webdav-O wer deployed. It could bypass Kaspersky AV and masquerade communications as Mail.ru’s Disk-O and Yandex’s Yandex.Disk applications. While this is no attribution as to who the attackers worked for or are from, this attack will likely garner attention as time goes on.
Analyst Notes
The untranslated report shows possible evidence of a webshell put on a Microsoft Exchange server which may indicate that the ProxyLogon vulnerability was exploited. On top of that, it also appears that CVE-2020-1472 also known as ZeroLogon was also exploited for credential access and eventually mimikatz was also used to create a Golden Ticket. As more eyes investigate the report, samples will likely be found and thus more information concerning the actors at play. This is an opportunity to see how well-known vulnerabilities are being used to gain and maintain access for sophisticated threat actors. As more information develops updates will be provided.
https://rt-solar.ru/analytics/reports/2203/
https://therecord.media/fsb-nktski-foreign-cyber-mercenaries-breached-russian-federal-agencies/
