Threat Watch

US DOJ Seizes Two Domains used by APT29 for Spearphishing

In response to the recent attacks by APT29, the FBI and Department of Justice have seized two domains that were linked to spearphishing campaigns. According to Microsoft, the actors included a modified HTML document to embed an ISO file and, when the ISO was mounted, varied to include an RTF document or an LNK file which would both execute the CobaltStrike Beacon. APT29 is attributed to the Russian Federation’s SVR and was also named by government agencies and private security firms as the group responsible for the SolarWinds supply-chain attacks in 2020.

ANALYST NOTES

The details included in the Microsoft and Volexity blogs offer a trove of information to develop detections and ideas for further detections based on highly unusual behavior. ISO’s being written and mounted on non-IT workstations and servers can be highly unusual and may be a good behavior-based alarm if it is not seen often. It is always encouraged to gather logs from endpoints, both workstations and servers, to gain insight into what files are being written by Outlook or Web browsers. Furthermore, long-term storage can be invaluable and needed if investigations are reevaluated in the future.

https://therecord.media/us-seizes-two-domains-used-by-the-svr-in-recent-hacking-campaign/

https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch
Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support