Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

BlueCharlie changes attack infrastructure in response to reports on its activity

Russia-linked APT group BlueCharlie was observed changing its infrastructure in response to recent reports on its activity. Researchers from Recorded Future reported that Russia-linked APT group BlueCharlie (aka Blue Callisto, Callisto, COLDRIVER, Star Blizzard (formerly SEABORGIUM), ColdRiver, and TA446) continues to change its attack infrastructure following recent reports on its activity. The APT group has […]

BlueCharlie

Russia-linked APT group BlueCharlie was observed changing its infrastructure in response to recent reports on its activity.

Researchers from Recorded Future reported that Russia-linked APT group BlueCharlie (aka Blue Callisto, Callisto, COLDRIVER, Star Blizzard (formerly SEABORGIUM), ColdRiver, and TA446) continues to change its attack infrastructure following recent reports on its activity.

The APT group has been active since at least 2017, its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft. The APT primarily targets NATO countries, but experts also observed campaigns targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine.

BlueCharlie primarily focuses operations on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education. The group also targets former intelligence officials, experts in Russian affairs, and Russian citizens abroad.

Recently, Recorded Future Insikt Group observed BlueCharlie building a new infrastructure to launch phishing campaigns and/or credential harvesting. The new attack infrastructure was created starting from March 2023 and consists of 94 new domains.

“Several of the TTPs seen in the recent operation depart from past activity, suggesting that BlueCharlie is evolving its operations, potentially in response to public disclosures of its operations in industry reporting. Since Insikt Group’s initial tracking of the group in September 2022, we have observed BlueCharlie engage in several TTP shifts.” reads the analysis published by Recorded Future. “These shifts demonstrate that these threat actors are aware of industry reporting and show a certain level of sophistication in their efforts to obfuscate or modify their activity, aiming to stymie security researchers.”

Since at least December 17, 2022, the group has used a new naming pattern for its domains containing keywords related to information technology and cryptocurrency. Some examples are cloudrootstorage[.]com, directexpressgateway[.]com, storagecryptogate[.]com, and pdfsecxcloudroute[.]com.

BlueCharlie

In previous campaigns, the majority of the domains have been registered by BlueCharlie with the Porkbun registrar, followed by NameCheap, Regway, and REGRU.

After the disclosure of the report on previous attacks, seventy-eight of the 94 new domains have been registered using NameCheap.

Researchers recommend that organizations implement multi-factor authentication (MFA), enforce a frequent password reset policy, disable all macros by default in Microsoft Office products, train employees, contractors, and third-party vendors to protect against phishing, spearphishing, and social engineering attacks, properly configure intrusion detection systems (IDS), IPS, or any network defense mechanisms in place.

“BlueCharlie has demonstrated the ability to adapt and evolve over time to public reporting, and will likely continue to change their TTPs based on past precedent. Given the group’s historical use of phishing, were commend network defenders employ robust anti-phishing training and highly encourage the use of a FIDO2-compliant multi-factor authentication token, such as aYubikey.,” concludes the report.

The report includes Indicators of Compromise (IoCs) for this threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BlueCharlie)