A threat actor known as Fighting Ursa [2] [3] [4] [7], also identified as APT28 or Fancy Bear [2] [7], has been linked to a new campaign targeting diplomats across Europe.
Description
This group, also known as Sofacy [1], has ties to Russian military intelligence and is classified as an advanced persistent threat (APT) [4]. The campaign uses a car-for-sale phishing lure to distribute the HeadLace backdoor malware [3] [4] [5] [6], aiming to compromise systems and gain remote access [1]. The attackers leveraged phishing tactics to prompt targets to engage with malicious content [7], using public and free services like webhook[.]site [7] to host various stages of the attack. The compromise of networks associated with Ukraine’s Ministry of Defence and European railway systems allowed attackers to gather intelligence for influencing battlefield tactics and broader military strategies. To defend against such attacks [4], organizations should limit access to free hosting services and scrutinize their use for possible attack vectors [4].
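One way to put the "scrutinize the use of free hosting services" advice into practice is to sweep web-proxy logs for requests to the services the campaign staged on. The following is an added example written for this summary, not code from any of the cited reports; it assumes Squid-style proxy log lines, a watchlist refanged from defanged indicators (only webhook[.]site comes from the page; the second entry is a constructed placeholder), and it treats subdomains of a watched host as matches while ignoring look-alike names that merely end in the same string.

```python
import re

# Free/public service the campaign staged on, as named in the page (webhook[.]site),
# written defanged as threat-intel feeds usually list it. The second entry is a
# constructed placeholder for other free hosting services an organization chooses
# to watch; it is not an indicator from the page.
DEFANGED_WATCHLIST = ["webhook[.]site", "free-host-placeholder[.]invalid"]

def refang(indicator):
    """Turn a defanged hostname such as webhook[.]site back into webhook.site."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()

WATCHLIST = {refang(i) for i in DEFANGED_WATCHLIST}

def host_matches(host, watchlist=WATCHLIST):
    """True for a watched host or any of its subdomains (abc.webhook.site),
    but not for look-alikes that only share a suffix string (notwebhook.site)."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watchlist)

# Squid native access.log layout, which the constructed sample below follows:
# timestamp elapsed client status/code bytes method url user hierarchy/peer type
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)

def host_of(url):
    m = HOST_RE.match(url)
    return m.group(1) if m else None

def scan_proxy_log(lines, watchlist=WATCHLIST):
    """Return one record per request whose host is on the free-hosting watchlist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        host = host_of(m.group("url"))
        if host and host_matches(host, watchlist):
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "method": m.group("method"), "host": host, "url": m.group("url")})
    return hits

# Constructed sample log; addresses are private/documentation ranges, not real indicators.
SAMPLE_LOG = [
    "1722960000.123 45 10.0.0.5 TCP_MISS/200 1024 GET https://webhook.site/11111111-2222-3333-4444-555555555555 - HIER_DIRECT/203.0.113.10 text/html",
    "1722960001.456 12 10.0.0.7 TCP_MISS/200 512 GET https://www.example.com/ - HIER_DIRECT/203.0.113.11 text/html",
    "1722960002.789 30 10.0.0.5 TCP_MISS/200 2048 POST https://abc.webhook.site/collect - HIER_DIRECT/203.0.113.10 application/json",
    "1722960003.000 10 10.0.0.9 TCP_MISS/200 300 GET https://notwebhook.site/ - HIER_DIRECT/203.0.113.12 text/html",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['method']} {hit['url']}")
```

A hit is a lead for review, not proof of compromise; legitimate developers also use webhook[.]site, so the client, method and timing of each request should be checked against expected use.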
Conclusion
Diplomatic entities must maintain heightened vigilance to thwart such malicious campaigns effectively [1]. Cortex XDR [4], XSIAM [4], and XSOAR offer protections and playbooks for detecting and responding to threats from Fighting Ursa [4]. Advanced URL Filtering and WildFire machine-learning models have been updated to identify malicious activity associated with this campaign [4]. Fighting Ursa is known for repeating successful tactics and exploiting known vulnerabilities for extended periods [2], even after their activities have been exposed [2]. The group is attributed with medium to high confidence for the attacks [2], and it is evident from the campaign details that they target diplomats and rely on public or free services for hosting various stages of their attacks [2].
References
[1] https://www.krofeksecurity.com/it-security-alert-apt28-targeting-diplomats-with-headlace-malware-through-car-sale-phishing-scam/
[2] https://unit42.paloaltonetworks.jp/fighting-ursa-car-for-sale-phishing-lure/
[3] https://cybersecuritynews.com/audi-q7-car-for-sale-but-malware-will-be-delivered-instead-of-car/
[4] https://unit42.paloaltonetworks.com/fighting-ursa-car-for-sale-phishing-lure/
[5] https://www.443news.com/2024/08/apt28-targets-diplomats-with-headlace-malware-via-car-sale-phishing-lure/
[6] https://thehackernews.com/2024/08/apt28-targets-diplomats-with-headlace.html
[7] https://securityaffairs.com/166496/apt/russia-apt-headlace-malware.html