Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

Nobelium APT targets French orgs, French ANSSI agency warns

The French cyber-security agency ANSSI said that the Russia-linked Nobelium APT group has been targeting French organizations since February 2021. The French national cybersecurity agency ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) revealed that the Russia-linked Nobelium APT group has been targeting French organizations since February 2021. The NOBELIUM APT (APT29, Cozy Bear, and […]

APT28 ANSSI warns of Nobelium attacks

The French cyber-security agency ANSSI said that the Russia-linked Nobelium APT group has been targeting French organizations since February 2021.

The French national cybersecurity agency ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) revealed that the Russia-linked Nobelium APT group has been targeting French organizations since February 2021.

The NOBELIUM APT (APT29Cozy Bear, and The Dukes) is the threat actor that conducted supply chain attack against SolarWinds, which involved multiple families of implants, including the SUNBURST backdoorTEARDROP malwareGoldMax malwareSibot, and GoldFinder backdoors.

NOBELIUM focuses on government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers.

The state-sponsored hackers have compromised the email accounts belonging to French organizations and used them to orchestrate spear-phishing campaigns aimed at foreign institutions.

The French Agency also reported that French public organizations were targeted with spoofed emails sent from servers belonging to foreign entities, likely compromised by the same threat actor.

“ANSSI has observed a number of phishing campaigns directed against French entities since February 2021. Technical indicators correspond to activities associated with the Nobelium intrusion set. These campaigns have succeeded in compromising email accounts belonging to French organisations, and then using these to send weaponised emails to foreign institutions.” reads the report published by ANSSI. “Moreover, French public organisations have also been recipients of spoofed emails sent from supposedly compromised foreign institutions. Overlaps have been identified in the tactics, techniques & procedures (TTP) between the phishing campaigns monitored by ANSSI and the SOLARWINDS supply chain attack in 2020.”

The payload delivered by spear-phishing attacks is a Cobalt Strike implant, while the infrastructure used in the attacks against French organizations was mainly created using virtual private servers (VPS) from different providers. The nation-state actors favor servers located close to the target countries. Experts noticed that several IP addresses within the C2 infrastructure belong to the OVH provider.

The attackers used domain names resembling legitimate domains, including names mimicking information and news websites. Most of the domains were registered with NAMESILO and NAMECHEAP.

ANSSI researchers state that threat actors focus on Active Directory (AD) servers, for this reason, they recommend organizations to improve security measures to defend them. ANSSI experts also recommend restricting the execution of email attachments to block weaponized attachments.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Nobelium)

[adrotate banner=”5″]

[adrotate banner=”13″]