News

US authorities seized domains used by hacker group APT29

Photo of Daniel Zimmermann Daniel ZimmermannJune 3, 2021
0 90 1 minute read

Microsoft experts said last week that the Russian hacker group APT29 (aka Cozy Bear, Dukes, Nobelium), standing behind the attack on SolarWinds, attacked the US Agency for International Development using four new malware families in the campaign.

The hackers compromised the agency’s Contact Contact account and then used that account to impersonate agents in phishing emails that appeared to be authentic.

In total, the attackers sent phishing messages to approximately 3,000 accounts in more than 150 organizations, including government agencies and organizations involved in international development, humanitarian and human rights activities.

The FBI and the Justice Department are now reporting that they managed to hijack two domains that the hack group used during these attacks.

After the recipient of the phishing email clicked on the hyperlink, the victim’s computer downloaded malware from the theyardservice[.]com subdomain. Using this foothold, the criminals downloaded the Cobalt Strike tool to maintain a constant presence on the system, and also likely installed additional tools and malware on the victims’ network. The Cobalt Strike installation communicated with the C&C server through other subdomains theyardservice[.]com, as well as the worldhomeoutlet[.]com domainwrite the specialists of the Ministry of Justice.

After receiving a court order, the authorities seized these two domains in order to block attackers from infecting new systems and interacting with previously infected hosts.

However, the actors may have deployed additional backdoor accesses between the time of the initial compromises and the attack last week.

The FBI remains committed to disrupting this type of malicious cyber activity targeting our federal agencies and the American public. We will continue to use all of the tools in our toolbelt and leverage our domestic and international partnerships to not only disrupt this type of hacking activity but to impose risk and consequences upon our adversaries to combat these threats.said Assistant Director Bryan Vorndran of the FBI’s Cyber Division.

Let me remind you that we wrote that Chinese hackers also took part in attacks on SolarWinds clients.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Tags
Photo of Daniel Zimmermann Daniel ZimmermannJune 3, 2021
0 90 1 minute read
Photo of Daniel Zimmermann

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

FBI warns that cybercriminals are looking for money laundering partners through dating sites

FBI warns that cybercriminals are looking for money laundering partners through dating sites

August 7, 2019
Microsoft fixed 71 vulnerabilities

Microsoft fixed 71 vulnerabilities and three 0-day bugs in its products

March 10, 2022
Facebook is fined

Facebook was fined $ 5 billion for violation of confidentiality laws

July 15, 2019
DDoS Attack through Telegram proxy servers

DDoS attack in Iran was conducted through Telegram proxy servers

November 15, 2019

Leave a Reply

Your email address will not be published. Required fields are marked *

Sending

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© Copyright 2024, All Rights Reserved  | Adware.Guru;
Back to top button