August 30, 2024
Severity
High
Analysis Summary
The same iOS and Android exploits developed by commercial spyware vendors were used by the Russian state-sponsored APT29 threat group in a series of cyberattacks between November 2023 and July 2024.
Google's Threat Analysis Group (TAG) reported the activity and stated that although the n-day vulnerabilities have been fixed, they are still active on unpatched devices. APT29, dubbed "Midnight Blizzard," used watering hole techniques to attack several government websites in Mongolia. A watering hole is a cyberattack in which malicious code compromises a legitimate website with the intention of delivering payloads to visitors based on predetermined parameters, such as device architecture or location (based on IP addresses).
Notably, TAG reports that the exploits APT29 employed were nearly exact replicas of those used by commercial surveillance-ware vendors such as NSO Group and Intellexa, who developed the exploits and deployed them as zero-days before a fix was available. Google's threat analysts observe that APT29 has a long history of exploiting both n-day and zero-day vulnerabilities.
Targeting government officials in Eastern Europe, Russian cyber-operatives exploited CVE-2021-1879 as a zero-day in 2021 to deliver a cookie-stealing framework that hijacked accounts on Facebook, Gmail, LinkedIn, and other websites. In November 2023, APT29 breached Mongolian government websites and added a malicious iframe that delivered an exploit for CVE-2023-41993.
APT29 used this iOS WebKit vulnerability to collect browser cookies from iPhone users running iOS 16.6.1 and older. According to TAG, the exploit for CVE-2023-41993, a zero-day at the time, was similar to the one Intellexa employed in September 2023. In February 2024, APT29 compromised another Mongolian government website and added a fresh iframe carrying the same exploit. In July 2024, APT29 targeted Android users who visited the compromised sites with Google Chrome exploits for CVE-2024-5274 and CVE-2024-4671.
The goal was to steal the stored passwords, cookies, and other private information from the victims' Chrome browsers. While the exploit for CVE-2024-4671 bore many parallels to other exploits developed by Intellexa, the exploit for CVE-2024-5274 is a slightly modified version of the one NSO Group used for zero-day exploitation in May 2024.
It is unknown how the APT29 threat actors obtained exploits previously known only to NSO Group and Intellexa; developing them independently from the limited public information seems unlikely. Theories that could be put forward include APT29 hacking the spyware suppliers, recruiting or bribing rogue insiders at those companies, or maintaining a partnership, either directly or through a middleman.
Buying the exploits from a vulnerability broker who had previously sold them to surveillance corporations as zero-days is another possibility. The important point is that these exploits reach sophisticated state-backed threat groups, regardless of the route. This means that quickly patching zero-day vulnerabilities that advisories classify as 'under limited scope exploitation' is far more crucial than the general public may assume.
Impact
- Unauthorized Access
- Cyber Espionage
- Code Execution
- Data Theft
Indicators of Compromise
URL
- https://ceo-adviser.com/fb-connect.php?online=1
- https://track-adv.com/market-analytics.php?pc=1
- https://track-adv.com/analytics.php?personalization_id
MD5
- b60252816f727be830de36a425740a5e
SHA-256
- 8bd9a73da704b4d7314164bff71ca76c15742dcc343304def49b1e4543478d1a
SHA-1
- 75eef1d07f095f59464bcf2d8f1de71daa1bf1e5
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Apply the latest security patches and updates to the email server software and associated components to address any vulnerabilities that may have been exploited by APT29. Also, prioritize patching known exploited vulnerabilities and zero-days.
- Perform comprehensive security audits on the email server infrastructure to identify and address any potential weaknesses. This includes reviewing server configurations, access controls, and encryption protocols to ensure they meet industry best practices.
- Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
- Enable 2FA for user accounts on the email server to add an extra layer of security. This prevents unauthorized access even if usernames and passwords are compromised.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This limits the lateral movement of attackers in case of a breach and reduces the impact of potential future attacks.
- Implement a regular backup strategy for email servers and critical data. Ensure that backups are stored securely and regularly tested for data restoration.
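As an added example (not part of the original advisory), the script below shows one way to carry out the "search for IoCs" step against the indicators listed above: it flags proxy-log requests to the IoC domains, checks a page's HTML for injected iframes pointing at them (the watering-hole technique described in the summary), and compares file hashes against the listed MD5/SHA-1/SHA-256 values. The proxy log lines and HTML snippet are constructed sample data, and the log format (timestamp, client IP, method, URL, status) is an assumption.

```python
import re
import hashlib
from urllib.parse import urlparse

# Indicators taken from the advisory's IoC section
IOC_URLS = {
    "https://ceo-adviser.com/fb-connect.php?online=1",
    "https://track-adv.com/market-analytics.php?pc=1",
    "https://track-adv.com/analytics.php?personalization_id",
}
IOC_DOMAINS = {urlparse(u).netloc.lower() for u in IOC_URLS}
IOC_HASHES = {
    "md5": {"b60252816f727be830de36a425740a5e"},
    "sha1": {"75eef1d07f095f59464bcf2d8f1de71daa1bf1e5"},
    "sha256": {"8bd9a73da704b4d7314164bff71ca76c15742dcc343304def49b1e4543478d1a"},
}

# Constructed sample proxy log (assumed format: timestamp client_ip method url status)
SAMPLE_PROXY_LOG = """\
2024-07-12T09:14:02Z 10.1.4.22 GET https://gov.example/news/index.html 200
2024-07-12T09:14:03Z 10.1.4.22 GET https://track-adv.com/market-analytics.php?pc=1 200
2024-07-12T09:15:40Z 10.1.7.9 GET https://cdn.example/jquery.min.js 200
2024-07-12T09:16:11Z 10.1.4.22 GET https://ceo-adviser.com/fb-connect.php?online=1 200
"""

# Constructed sample HTML: one benign iframe and one injected iframe to an IoC domain
SAMPLE_HTML = """<html><body><h1>News</h1>
<iframe src="https://video.example/embed/123"></iframe>
<iframe style="display:none" src='https://track-adv.com/analytics.php?personalization_id'></iframe>
</body></html>"""

IFRAME_SRC = re.compile(r'<iframe[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)

def match_proxy_log(log_text):
    """Return (client_ip, url) for every request whose host is an IoC domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crashing the sweep
        url = parts[3]
        if urlparse(url).netloc.lower() in IOC_DOMAINS:
            hits.append((parts[1], url))
    return hits

def find_ioc_iframes(html):
    """Return iframe src values pointing at an IoC domain (injected-iframe check)."""
    return [src for src in IFRAME_SRC.findall(html)
            if urlparse(src).netloc.lower() in IOC_DOMAINS]

def hash_matches(data):
    """Return the hash algorithms under which a byte blob matches a listed IoC."""
    return sorted(alg for alg, known in IOC_HASHES.items()
                  if getattr(hashlib, alg)(data).hexdigest() in known)
```

Point `match_proxy_log` at real proxy exports and `find_ioc_iframes` at snapshots of your public web pages; a non-empty result from either is a lead for incident response, not a confirmation on its own.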