Microsoft announced a Russian threat group (ITG11, aka Nobelium, APT29) also thought to be behind the SolarWinds attack conducted an email campaign masquerading as the U.S. Agency for International Development. Microsoft reports that while organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries. The earlier campaign in April and May of this year targeted human rights groups and governmental agencies.

The adversary used a legitimate marketing service, Constant Contact, to distribute malicious URLs and malware to 3,000 individual accounts in 150 organizations via phishing emails. When victims clicked the malicious URL, the adversary attempted to drop a Cobalt Strike Beacon loader, dubbed NativeZone by Microsoft, to maintain persistence on the victim’s computer.

IBM is closely monitoring the situation and updates will be available on the X-Force Exchange Threat Activity Report. Additionally, IBM recommends nongovernmental organizations consider these security best practices to prevent a compromise:

  • Among many best practices to counter common cybersecurity risks, turn on and scale up multi-factor authentication (MFA) for all of your accounts, especially ones with access to sensitive data. The benefit of MFA is that it provides additional security by adding protection in layers. The more layers/factors in place, the more the risk of an intruder gaining access to critical systems and data is reduced.
  • Enhance your organization’s defenses against phishing attacks by using email security filters to flag messages that originate from external sources and by training your employees about some of the latest phishing attacks circulating, such as spoofing, to keep their home networks and devices safe from malicious actors.
  • Use Quad9, an open DNS service that is free and provides protection against malicious domains. This tool quickly detects and blocks malicious domains, keeping organizations safe from attacks that might deploy malware or steal user credentials. X-Force findings show that threat actors actively created new, malicious domains mimicking top brands and government agencies. Blocking out communication with malicious and suspicious websites can help mitigate the threat of phishing and fraud.
  • With phishing and ransomware attacks on the rise, cyber criminals look to combine social engineering and crisis operations to compromise business emails and deploy malicious code. Organizations must protect their workforces to implement context-based zero trust models.
Learn more on IBM X-Force Exchange

Assistance is also available to assist 24×7 via IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from Threat Intelligence

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today