Experts Uncover Several C&C Servers Linked to WellMess Malware

July 30, 2021
Cybersecurity researchers on Friday unmasked new command-and-control (C2) infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been spotted actively serving WellMess malware as part of an ongoing attack campaign.

More than 30 C2 servers operated by the Russian foreign intelligence service have been uncovered, Microsoft-owned cybersecurity subsidiary RiskIQ said in a report shared with The Hacker News.

APT29, the moniker assigned to government operatives working for Russia's Foreign Intelligence Service (SVR), is believed to have been the mastermind behind the massive SolarWinds supply chain attack that came to light late last year, with the U.K. and U.S. governments formally pinning the intrusions on Russia earlier this April.

The activity is being tracked by the cybersecurity community under various codenames, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Iron Ritual (Secureworks), citing differences between the tactics, techniques, and procedures (TTPs) employed by the adversary and those of known attacker profiles, including APT29.

First identified by Japan's JPCERT/CC in 2018, WellMess (aka WellMail) has previously been deployed in espionage campaigns undertaken by the threat actor to plunder intellectual property from multiple organizations involved in COVID-19 research and vaccine development in the U.K., U.S., and Canada.

"The group uses a variety of tools and techniques to predominantly target governmental, diplomatic, think-tank, healthcare and energy targets for intelligence gain," the U.K.'s National Cyber Security Centre (NCSC) noted in an advisory published in July 2020.

RiskIQ said it began its investigation into APT29's attack infrastructure following a public disclosure about a new WellMess C2 server on June 11, leading to the discovery of a cluster of no fewer than 30 active C2 servers. One of the servers is believed to have been active as early as October 9, 2020, although it isn't clear how these servers are being used or who the targets are.

This isn't the first time RiskIQ has identified the command-and-control footprint associated with the SolarWinds hackers. In April, it unearthed an additional set of 18 servers that, with high confidence, likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware deployed in the attacks.

"RiskIQ's Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29," said Kevin Livelli, RiskIQ's director of threat intelligence. "We were unable to locate any malware which communicated with this infrastructure, but we suspect it's likely similar to previously identified samples."
