October 3, 2023

Researchers from Microsoft Threat Intelligence has released a detailed report on a previously tracked threat actor (DEV-0586), now dubbed as Cadet Blizzard originated from Russia.

Microsoft believes Cadet Blizzard to be associated with the Russian General Staff Main Intelligence Directorate (GRU) and operates separately from other known GRU-affiliated groups.

Though the group’s activities may be less prolific than other threat actors, their destructive campaigns have targeted government organizations and IT providers primarily in Ukraine, with occasional operations in Europe and Latin America.

Advertisements

Cadet Blizzard predominantly achieved initial access by exploiting web servers and vulnerabilities in Confluence servers, Exchange servers and open-source platforms. They achieved the persistence on networks using web shells like P0wnyshell and reGeorg, escalated privileges through living-off-the-land techniques and harvested credentials.

Cadet Blizzard reportedly conducted lateral movement with obtained network credentials and modules from the Impacket framework, while C2 was achieved via socket-based tunneling utilities and occasionally Meterpreter.

To maintain operational security, Cadet Blizzard used anonymization services like IVPN, SurfShark and Tor. They employed anti-forensics techniques and carried out destructive actions, including data exfiltration, deploying malware, hack-and-leak operations and information operations through Tor sites and Telegram channels.

Activities linked to Cadet Blizzard indicate that they are comprehensive in their approach and have demonstrated an ability to hold networks at risk of continued compromise for an extended period. A thorough incident response approach may be necessary to effectively address and recover from the activities carried out by Cadet Blizzard.

More information on the research notes can be found here

Advertisements

Mitigation Measures

  • Review all authentication activity for remote access infrastructure to confirm authenticity and investigate any anomalous activity.
  • Enable MFA to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity.
  • Enable controlled folder access (CFA) to prevent MBR/VBR modification.
  • Block process creations originating from PSExec and WMI commands to stop lateral movement.
  • Turn on cloud-delivered protection.

Indicators of Compromise

  • justiceua[.]org
  • 179.43.187[.]33
  • 3a2a2de20daa74d8f6921230416ed4e6
  • 3e4bb8089657fef9b8e84d9e17fd0d7740853c4c0487081dacc4f22359bade5c
  • 20215acd064c02e5aa6ae3996b53f5313c3f13625a63da1d3795c992ea730191
  • 3fe9214b33ead5c7d1f80af469593638b9e1e5f5730a7d3ba2f96b6b555514d4
  • 23d6611a730bed886cc3b4ce6780a7b5439b01ddf6706ba120ed3ebeb3b1c478
  • 7fedaf0dec060e40cbdf4ec6d0fbfc427593ad5503ad0abaf6b943405863c897
Tags:

Leave a Reply

You may have missed

Industrial Control Systems and Vulnerability Management Process

October 2, 2023

McLaren Healthcare suffers a Ransomware Incident

October 2, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – September, 2023

October 2, 2023

TheCyberThrone Security Week In Review – September 30, 2023

October 1, 2023

Mozilla fixes CVE-2023-5217 Vulnerability in its Products

September 30, 2023

CISA KEV Update Part III – September 2023

September 30, 2023
%d bloggers like this: