Security Alerts
Malware targeting Western Asian authorities detected by Trellix

An advanced persistent threat actor is abusing Microsoft OneDrive as command-and-control (C2) infrastructure in a sophisticated cyberespionage operation targeting high-ranking government and military personnel in a West Asian country. With low to moderate confidence, the campaign is attributed to APT28 (aka Fancy Bear), which the US government has previously linked to Russian military intelligence. Analysis of data from the campaign shows that the threat actors are also targeting military and government agencies in Poland and elsewhere in Eastern Europe.

The download included an exploit for CVE-2021-40444, a severe remote code execution flaw in Microsoft's proprietary browser engine "Trident." Defending teams would have difficulty spotting the attack's various stages of execution; even so, a well-configured detection system should be able to identify the suspicious activity involved.

According to Trellix's study, preparations for the operation began in July 2021, and the actual intrusions took place between September and November 2021. Trellix believes the attacks were geopolitically motivated, since they occurred at a time of high political tension along the Armenian-Azerbaijani border. The company states that a leading security provider has sent the victims information on how to remove all known attack components from their networks.