At a glance.
- Russia's SVR targets resellers and MSPs.
- FIN7 uses phony security company to recruit talent.
- LightBasin targets the telecommunications industry.
Russia's SVR targets resellers and MSPs.
Microsoft says Russia's SVR is targeting resellers and managed service providers with phishing and password-spraying attacks. The threat actor, tracked by Microsoft as "Nobelium," has targeted more than 140 companies and compromised at least 14 of them since May 2021:
"Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain. This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers. We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers."
Microsoft notes that Nobelium is the same threat actor that was responsible for the SolarWinds attacks last year. The threat actor is generally associated with Russia's SVR foreign intelligence service.
FIN7 uses phony security company to recruit talent.
Recorded Future's Gemini Advisory has found that the cybercriminal gang FIN7 is using a fake cybersecurity company called "Bastion Secure" to recruit IT employees who initially believe they're accepting a legitimate job. The researchers note that there are several real companies named "Bastion Security," and the criminals list the address of one of those legitimate companies on their website.
A Gemini Advisory source went through the phony company's hiring process and noted that there were several stages. The first stage was the interview process, which was conducted over Telegram. In the second stage, the individual was given practice assignments that involved using penetration testing tools. It wasn't until the third stage that it became apparent that Bastion was conducting criminal activity. Gemini's source was given access to a supposed customer's network and told to "collect information on domain administrators, domain trust relationships, file shares, backups, and hypervisors" without attracting attention.
The researchers believe that hiring unwitting accomplices to do this work allows the criminals to save much more of their profits for themselves:
"FIN7's decision to use a fake cybersecurity company to recruit IT specialists for its criminal activity is driven by FIN7’s desire for comparatively cheap, skilled labor. Bastion Secure’s job offers for IT specialist positions ranged between $800 and $1,200 USD a month, which is a viable starting salary for this type of position in post-Soviet states. However, this 'salary' would be a small fraction of a cybercriminal's portion of the criminal profits from a successful ransomware extortion or large-scale payment card-stealing operation. In effect, FIN7's fake company scheme enables the operators of FIN7 to obtain the talent that the group needs to carry out its criminal activities, while simultaneously retaining a larger share of the profits.
"FIN7's use of Bastion Secure—even after the discovery of Combi Security, the group’s previous fake cybersecurity company—indicates that FIN7 continues to believe that hiring unwitting IT specialists is the group’s best method for balancing the need for a technically skilled team against the operators’ desire for maximum profits."
LightBasin targets the telecommunications industry.
CrowdStrike warns that a sophisticated threat actor dubbed "LightBasin" has been conducting a cyberespionage campaign against global telecommunications infrastructure since at least 2016. The researchers note that "the nature of the data targeted by the actor aligns with information likely to be of significant interest to signals intelligence organizations," but they don't have enough evidence to tie the actor to any specific nation-state:
"Active since at least 2016, LightBasin employs significant operational security (OPSEC) measures, primarily establishing implants across Linux and Solaris servers, with a particular focus on specific telecommunications systems, and only interacting with Windows systems as needed. LightBasin's focus on Linux and Solaris systems is likely due to the combination of critical telecommunications infrastructure running on those operating systems, in addition to the comparatively lax security measures and monitoring solutions on Linux/Solaris systems that are typically in place on Windows operating systems within an organization.
"LightBasin managed to initially compromise one of the telecommunication companies in a recent CrowdStrike Services investigation by leveraging external DNS (eDNS) servers — which are part of the General Packet Radio Service (GPRS) network and play a role in roaming between different mobile operators — to connect directly to and from other compromised telecommunication companies’ GPRS networks via SSH and through previously established implants."