Ukrainian security researchers have revealed a significant new Russian cyber-espionage campaign which they claim may have been designed to harvest information on Azerbaijan’s military strategy.
APT29 (aka Cozy Bear, Nobelium and many other monikers) was behind the attacks, according to a new report from the Ukrainian National Security and Defense Council (NDSC).
It targeted embassies in Azerbaijan, Greece, Romania and Italy, as well as international institutions such as the World Bank, European Commission, Council of Europe, WHO, UN and others.
“The geopolitical implications are profound. Among the several conceivable motives, one of the most obvious goals of the SVR may be to gather intelligence regarding Azerbaijan’s strategic activities, particularly in the lead-up to the Azerbaijani invasion of Nagorno-Karabakh,” said the NDSC.
“It is noteworthy that the countries targeted – Azerbaijan, Greece, Romania, and Italy – maintain significant political and economic ties with Azerbaijan.”
The campaign itself began as a spear-phishing email using the lure of a diplomatic car for sale. The RAR attachment exploited CVE-2023-3883, a bug which allows threat actors to insert malicious folders with the same name as benign files in a .zip archive.
“In the course of the user’s effort to open the harmless file, the system unwittingly processes the concealed malicious content within the folder with an identical name, thus enabling the execution of arbitrary code,” the NDSC explained.
In this attack, when a user clicks on the RAR archive contained in the phishing email it will execute a script to display a PDF of the car ‘for sale,’ while simultaneously downloading and executing a PowerShell script. The threat actors apparently use a Ngrok free static domain to access their malicious payload server hosted on a Ngrok instance.
“By exploiting Ngrok’s capabilities in this manner, threat actors can further complicate cybersecurity efforts and stay under the radar, making defense and attribution more difficult,” noted the report.
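As an added defensive example (not code from the NDSC report or from any tool it names), the following Python script scans a ZIP archive for the layout the CVE description above refers to: a file entry whose name is also used as a folder name, with the folder holding a script. It goes slightly beyond the exact-name case by also pairing a decoy that ends in a trailing space with its same-named folder; all file names and contents are constructed samples.

```python
import io
import zipfile
from typing import Dict, List


def _norm(path: str) -> str:
    """Normalise a path for comparison: strip trailing whitespace from each component."""
    return "/".join(part.rstrip() for part in path.split("/"))


def find_name_collisions(archive_bytes: bytes) -> List[Dict[str, object]]:
    """Return file entries whose name is also used as a folder name in the same archive.
    Each finding lists the decoy file, the colliding folder and the entries inside it.
    Trailing-space variants ("x.pdf " next to "x.pdf /") are paired as well."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]

    files = {n for n in names if not n.endswith("/")}
    # Every folder prefix implied by any entry path, keyed by its normalised form.
    folders: Dict[str, str] = {}
    for n in names:
        parts = n.split("/")
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            folders[_norm(prefix)] = prefix

    findings: List[Dict[str, object]] = []
    for decoy in sorted(files):
        folder = folders.get(_norm(decoy))
        if folder is None:
            continue
        inside = sorted(n for n in files if n.startswith(folder + "/"))
        findings.append({"decoy": decoy, "folder": folder, "payloads": inside})
    return findings


def build_sample_archive(name: str, with_folder: bool = True) -> bytes:
    """Constructed sample: a decoy document plus, optionally, a same-named folder holding a script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"%PDF-1.4 decoy (constructed)")
        if with_folder:
            zf.writestr(f"{name}/{name}.cmd", b"rem constructed placeholder, not a real payload")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_name_collisions(build_sample_archive("Diplomatic car for sale.pdf")):
        print(f"decoy {hit['decoy']!r} collides with folder {hit['folder']!r}: {hit['payloads']}")
```

The same check can be run over archives extracted from mail gateways or sandbox output; a non-empty result is a strong indicator of this lure layout, not proof of exploitation.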
This isn’t the first time hackers have exploited CVE-2023-3883. It was observed being exploited by the Russian Sednit APT group (APT28) in August, shortly after Group-IB first reported what was then a zero-day vulnerability.