Security News

The Kremlin-backed APT29 crew, also known by a variety of other names such as Cozy Bear, Iron Hemlock, or The Dukes, depending on which threat intel company you're talking to that week, is believed by most reputable analysts to be a wholly owned subsidiary of the FSB, modern-day successor to the infamous Soviet KGB. NCSC ops director Paul Chichester said in a statement: "We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic." Foreign Secretary Dominic Raab added: "It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic. While others pursue their selfish interests with reckless behaviour, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health."

Britain, the United States and Canada accused Russian hackers on Thursday of trying to steal information from researchers seeking a coronavirus vaccine, warning scientists and pharmaceutical companies to be alert for suspicious activity. Intelligence agencies in the three nations alleged that the hacking group APT29, also known as Cozy Bear and said to be part of the Russian intelligence services, is attacking academic and pharmaceutical research institutions involved in COVID-19 vaccine development.

Security researchers claim to have uncovered "Several previously undocumented post-compromise tools" used by a Russia-linked APT to target Microsoft Office and Outlook through Visual Basic for Applications. The Gamaredon hacking crew is said to be targeting Outlook through Visual Basic for Applications, allowing attackers to access the target account's contact book so they can forward phishing emails to a new batch of potential victims.

The Russian Foreign Ministry on Thursday angrily rejected Germany's allegations over Russian intelligence involvement in a cyberattack against the German parliament. The ministry's spokeswoman, Maria Zakharova, said the claim concerning a 2015 hacking attack on the German parliament was "Absurd" and "Unfounded."

Several vulnerabilities affecting the Exim mail transfer agent have been exploited by Russia-linked hackers, and administrators have been urged to patch immediately, but hundreds of thousands of servers remain unpatched. The U.S. National Security Agency issued an alert last week to urge users to update their Exim servers to version 4.93 or newer, as earlier versions are impacted by vulnerabilities that have been exploited by a hacker group with ties to the Russian military.

The startling prediction came from Tobias Ellwood MP, chairman of the Defence Committee, as he presided over a hearing on 5G security and Huawei's involvement. "To put it in cruder terms, Russia is going to become more subservient to China." He added: "If Russia understands the weaknesses, the vulnerabilities or the back doors that China provides, it can be Russia continuing to do those cyber attacks at the behest of China."

If you thought the Mirai botnet was bad, what about a version under the control of Russia's military that it could point like an electronic cannon at people it didn't like? That's the prospect we could face after the reported emergence of secret Russian project documents online last week. The documents, which come from hacking group Digital Revolution but haven't been verified, suggest that Russia's Federal Security Service, has been working on an internet of things botnet of its own called Fronton.

Earlier this year, Prevailion's security researchers identified a TA505 campaign targeting German companies with fake job application emails, but the attacks appear to have started in June 2019, or even the month before. Through the use of legitimate tools that are unlikely to be removed by traditional security software, the attackers can perform a broad range of activities, such as stealing files, capturing screens, and even recording audio.

The Russia-linked threat group known as Turla was observed using two new pieces of malware in attacks launched over a period of roughly two months in the fall of 2019, ESET reports. Also known as Waterbug, KRYPTON, Snake, and Venomous Bear, and active for more than a decade, Turla is known for the targeting of various diplomatic and military organizations, with a focus on NATO and Commonwealth of Independent States nations.

Data from ESET telemetry suggests that, for this campaign, only a very limited number of visitors were considered interesting by Turla's operators. The two compromised government websites and another pair of poisoned civilian websites have been active since early 2019.