At a glance.
- Cozy Bear update.
- Criminal gang targets the travel and hospitality sectors.
- Additions to CISA's Known Exploited Vulnerabilities Catalog.
- CISA issues five ICS security advisories.
- Killnet claims DDoS campaign against Estonia.
- GCHQ head calls Russian cyber operations a failure.
- US Cyber Command concludes "hunt forward" mission in cooperation with Croatia.
Cozy Bear update.
Mandiant reported yesterday on activity it has recently observed by APT29, the Russian SVR operation commonly referred to as Cozy Bear. "Mandiant has observed APT29 continue to demonstrate exceptional operational security and advanced tactics targeting Microsoft 365. We are highlighting several newer TTPs used by APT29 in recent operations." Among its recent tactics has been the removal of Microsoft 365 licenses from targeted accounts in a way that switches off the audit logging Purview Audit provides for the suite. "Mandiant has observed APT29 disabling Purview Audit on targeted accounts in a compromised tenant. Once disabled, they begin targeting the inbox for email collection." The threat actor has also been observed to conduct successful password-guessing attacks that have enabled it to take over dormant accounts and exploit the access thereby obtained. In all of this Mandiant credits APT29 with an unusually high degree of operational security.
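A detection sketch for the licence-removal tactic described above, added here as an example and not code from Mandiant or Microsoft: it scans constructed Microsoft 365 Unified Audit Log records for "Change user license." events that drop the Advanced Audit service plan, then flags accounts that log on afterwards without producing any MailItemsAccessed records (the mailbox reads that disabling Purview Audit would hide). The service-plan name, the use of ObjectId as the target account, and all log lines are assumptions.

```python
"""Hunt for Purview Audit licence removal followed by logons with no
audited mailbox reads, over constructed Microsoft 365 audit records."""
import json
from collections import defaultdict

# Constructed sample records (not real data). Field names follow the public
# Unified Audit Log schema; the service-plan name and the use of ObjectId as
# the licence-change target are assumptions for this example.
SAMPLE_LOG = r"""
{"CreationTime":"2022-08-18T09:00:00","Operation":"Change user license.","UserId":"admin@example.test","ObjectId":"finance@example.test","ModifiedProperties":[{"Name":"AssignedLicense","OldValue":"[M365_ADVANCED_AUDITING, EXCHANGE_S_ENTERPRISE]","NewValue":"[EXCHANGE_S_ENTERPRISE]"}]}
{"CreationTime":"2022-08-18T09:05:00","Operation":"UserLoggedIn","UserId":"finance@example.test","ClientIP":"203.0.113.7"}
{"CreationTime":"2022-08-18T09:06:00","Operation":"UserLoggedIn","UserId":"finance@example.test","ClientIP":"203.0.113.7"}
{"CreationTime":"2022-08-18T10:00:00","Operation":"Change user license.","UserId":"admin@example.test","ObjectId":"hr@example.test","ModifiedProperties":[{"Name":"AssignedLicense","OldValue":"[EXCHANGE_S_ENTERPRISE]","NewValue":"[EXCHANGE_S_ENTERPRISE, M365_ADVANCED_AUDITING]"}]}
{"CreationTime":"2022-08-18T10:30:00","Operation":"UserLoggedIn","UserId":"hr@example.test","ClientIP":"198.51.100.4"}
{"CreationTime":"2022-08-18T10:31:00","Operation":"MailItemsAccessed","UserId":"hr@example.test"}
"""

AUDIT_PLAN = "M365_ADVANCED_AUDITING"  # assumed service-plan name for Advanced Audit


def parse_records(text):
    """One JSON object per line, as exported from the audit log."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def audit_removals(records):
    """Return {target_account: time} for licence changes that drop the audit plan."""
    removals = {}
    for r in records:
        if r.get("Operation") != "Change user license.":
            continue
        for prop in r.get("ModifiedProperties", []):
            old, new = prop.get("OldValue", ""), prop.get("NewValue", "")
            if prop.get("Name") == "AssignedLicense" and AUDIT_PLAN in old and AUDIT_PLAN not in new:
                removals[r["ObjectId"]] = r["CreationTime"]
    return removals


def silent_logons(records):
    """Accounts that logged on after their audit plan was removed yet produced no
    MailItemsAccessed records: mailbox reads there are now invisible to the log."""
    removals = audit_removals(records)
    logons, reads = defaultdict(int), defaultdict(int)
    for r in records:
        upn = r.get("UserId")
        # ISO-8601 timestamps in one zone compare correctly as strings
        if upn in removals and r["CreationTime"] > removals[upn]:
            if r["Operation"] == "UserLoggedIn":
                logons[upn] += 1
            elif r["Operation"] == "MailItemsAccessed":
                reads[upn] += 1
    return {upn: logons[upn] for upn in removals if logons[upn] and not reads[upn]}
```

The hr@ account keeps its audit plan and still emits MailItemsAccessed, so only finance@ is reported; in a real tenant the same logic runs over the Search-UnifiedAuditLog export.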