APT29 (Russia): New tactics, techniques, and procedures (TTPs) from the APT29 group, also known as The Dukes or Cozy Bear, were publicly reported by the United Kingdom’s Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE). Throughout 2020, APT29 was seen targeting various organizations involved in COVID-19 vaccine research in Canada, the United States, and the United Kingdom. The report stated that it was “highly likely” that these attacks were being carried out so the group could steal information and intellectual property relating to the development and testing of a COVID-19 vaccine. APT29 is using malware known as WellMess and WellMail, neither of which had previously been attributed to the group. The threat actor is also exploiting older vulnerabilities to gain an initial foothold in a network, including but not limited to:
– Citrix (CVE-2019-18781)
– Pulse Secure (CVE-2019-11510)
– FortiGate (CVE-2018-13379)
– Zimbra (CVE-2019-9670)