Russian APT Group is Focusing on Institutions Engaged in COVID-19 Research

The APT29 hacking gang, otherwise known as Cozy Bear, is focusing its attacks on healthcare companies, pharmaceutical suppliers, and research organizations in the United Kingdom, United States, and Canada and is seeking to gain access to research data regarding COVID-19 and the development of a vaccine.

On July 16, 2020, the National Security Agency (NSA), Canada’s Communications Security Establishment (CSE), the UK National Cyber Security Centre (NCSC) and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) published a joint bulletin to increase understanding of the danger.

APT29 is a cyber espionage group that almost certainly works with the Russian intelligence services. The group typically targets diplomats, government agencies, think-tanks and energy organizations in order to gain access to sensitive files. The group has been remarkably active throughout the COVID-19 pandemic and has carried out various attacks on organizations engaged in COVID-19 research and vaccine development.

The threat group performs extensive scanning to discover unpatched vulnerabilities and uses publicly available exploits to gain access to vulnerable networks. The group has used exploits for the following vulnerabilities: the FortiGate vulnerability CVE-2019-13379, the Citrix vulnerability CVE-2019-19781, the Zimbra vulnerability CVE-2019-9670 and the Pulse Secure vulnerability CVE-2019-11510. The group could additionally use other exploits.

APT29 employs various tools to obtain access credentials and establish persistent access to networks, and uses anonymizing services when applying stolen credentials. APT29 uses custom-made malware variants to infiltrate entities, including WellMail and WellMess, two types of malware that APT29 has not used in the past.

WellMess is a lightweight type of malware written in Golang or .NET which can execute arbitrary shell commands as well as upload and download files, and uses HTTP, DNS and TLS for communication. WellMail is a lightweight program that employs hard-coded client and certificate authority TLS certificates to communicate with its C2 servers. A third type of malware, referred to as SoreFang, is being used as well. SoreFang is a first-stage downloader that exfiltrates files over HTTP and downloads second-stage malware. The attackers use this malware to target SangFor devices.

Attacks on entities involved in COVID-19 research are very likely to continue, and any group engaged in COVID-19 research must regard itself as a target. Organizations were urged to take action to safeguard their systems and to monitor for attacks.

Organizations should ensure that all software is patched and updated, prioritizing the patches for CVE-2019-9670, CVE-2019-13379, CVE-2019-11510 and CVE-2019-19781. Antivirus software should be deployed and kept up to date, and routine scans should be performed to detect downloaded malware.

Multi-factor authentication should be used to prevent stolen credentials from being used to gain access to networks. All employees should be trained on the phishing threat and should be confident in their ability to recognize a phishing attack. All employees should be instructed to report any suspected phishing attacks to their security teams, and reports should be investigated promptly and thoroughly.

Organizations were advised to establish a security monitoring capability to ensure that all essential information is collected to support investigations of network intrusions. Networks should be segmented, and measures should be taken to prevent and detect lateral movement within networks.