The UK National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE), with the help of the NSA, released an advisory today on attacks by APT29 (also known as ‘the Dukes’ or ‘Cozy Bear’), a group with ties to the Russian intelligence services.
“APT29 is using custom malware known as ‘WellMess’ and ‘WellMail’ to target a number of organisations globally. This includes those organisations involved with COVID-19 vaccine development.”
The report gives a few examples of the vulnerabilities APT29 exploits to compromise targets.
Known since 2018, WellMess targets Windows and Linux hosts to run shell commands and download files. WellMail, a newer malware targeting Linux servers, runs commands on the victim’s machine and sends the results to its command-and-control server. For further details on the malware, see the full report.
Targeted attacks on COVID-19 research continue, and we have written about these attacks previously. Hospitals and research facilities must take care to protect their servers and networks.
- The report didn’t find any new vulnerabilities exploited by the malware. If you keep up to date on patches, then APT29 can’t use these known vulnerabilities to compromise your network.
- Users may mistakenly give away their credentials. Keep your users informed on best practices, such as how to identify suspicious emails and how to report them. If an adversary does compromise a password, multi-factor authentication helps keep the user’s account secure.
- Logging and reporting on local network activity help identify suspicious behaviour as soon as it starts. Furthermore, after an incident, you can review the logs to determine the extent of the compromise and remove it surgically without disrupting unaffected systems.