
What is the APT28 attack activity analysis report?

2025-02-22 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains what the APT28 attack activity analysis report contains, in a concise and easy-to-understand way. It will definitely brighten your eyes, and I hope you can get something out of the detailed introduction that follows.

Over the past year, APT28, Russia's largest hacker group, has been scanning the Internet for flawed e-mail servers. Over the past decade APT28 has relied mainly on spear phishing, with e-mails carefully crafted for specific targets, and for more than 15 years it has infected victims with a variety of malware.

Mail server scanning

Spear phishing and malware attacks continue, but last year APT28 also began scanning the entire Internet for vulnerable Webmail and Microsoft Exchange Autodiscover servers on TCP ports 445 and 1433. It is not clear what APT28 does with the servers it finds; it is expected to attack unpatched systems, steal sensitive data, or use the compromised e-mail servers in further attacks.

The scanning IP addresses belong to the following:

Trust relationship phishing

In addition to server scanning, APT28 connects through VPN networks to compromised e-mail accounts on legitimate companies' e-mail servers. APT28 obtains the credentials either by tricking employees of the legitimate company into giving up their e-mail account logins or by brute-forcing the account passwords. Once it has the credentials, it logs in to the compromised account through a VPN.

APT28 either exfiltrates the data it finds or uses the compromised e-mail account to send phishing messages to other targets. Because the e-mails come from real employees of legitimate companies, these phishing campaigns are more effective and yield login credentials for new victims. The vast majority of the stolen e-mail accounts were located in the UAE defence department.

Here are the companies whose e-mail accounts APT28 compromised between August 2019 and November 2019.

Phishing tracked through DNS SPF requests

Over the past two years, DNS SPF requests for the domains the attackers used have been carefully analysed, and a large number of the group's phishing campaigns have been observed this way. In the spring of 2017, researchers found that the attackers had assigned specific domain names to certain servers that were repeatedly used to send phishing e-mails to Webmail targets, and they recorded all DNS requests for those domain names.

Some of the domain names were registered free of charge in 2017, and the campaign targeted two free Webmail services in the United States, one free Webmail service in Russia and one Webmail service in Iran.

The attackers often use commercial VPN services to connect to the dedicated hosts that send the spam. The spam server identifies itself with a specific domain name in the EHLO command of its SMTP session with the target mail server. Because a receiving mail server evaluates SPF by looking up the TXT record of the EHLO and MAIL FROM domains, those DNS requests reveal which mail providers the phishing e-mails reached and when.

Figure 8 shows the phishing activity against Yahoo.
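The following is an added example, not code from the original report, showing how the DNS-side tracking described above can be reproduced: given a query log from the authoritative name server of the monitored sender domains, it attributes SPF (TXT) lookups to the mail providers whose resolvers made them. The log format, domain names, resolver ranges and provider names are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed BIND-style query log (hypothetical domains, RFC 5737 addresses).
SAMPLE_LOG = """\
22-May-2019 09:14:01.201 client 192.0.2.10#41234 (relay-a.example): query: relay-a.example IN TXT -E(0) (198.51.100.2)
22-May-2019 09:14:03.877 client 192.0.2.77#52011 (relay-a.example): query: relay-a.example IN TXT -E(0) (198.51.100.2)
22-May-2019 09:15:10.004 client 203.0.113.9#33090 (relay-a.example): query: relay-a.example IN TXT -E(0) (198.51.100.2)
22-May-2019 11:02:45.310 client 192.0.2.10#41300 (relay-a.example): query: relay-a.example IN A -E(0) (198.51.100.2)
23-May-2019 08:30:13.002 client 198.51.100.200#6000 (relay-b.example): query: relay-b.example IN TXT -E(0) (198.51.100.2)
"""

RESOLVER_OWNERS = {  # constructed: recursive-resolver ranges -> mail provider
    "webmail-us-1": [ip_network("192.0.2.0/25")],
    "webmail-ru": [ip_network("203.0.113.0/24")],
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-f:.]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\w+)", re.I)

def resolver_owner(ip):
    # Which provider's recursive resolver asked (constructed lookup table)
    addr = ip_address(ip)
    return next((o for o, nets in RESOLVER_OWNERS.items()
                 if any(addr in n for n in nets)), "unknown")

def spf_lookups(log_text):
    # Yield (timestamp, sender domain, provider) for each TXT query.
    # A receiving MTA fetches the TXT record to evaluate SPF, so each hit
    # means mail claiming that domain reached that provider.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["qtype"].upper() == "TXT":
            yield m["ts"], m["qname"].rstrip(".").lower(), resolver_owner(m["ip"])

def campaign_summary(log_text):
    # Sender domain -> Counter of providers whose resolvers looked it up
    summary = defaultdict(Counter)
    for _, domain, owner in spf_lookups(log_text):
        summary[domain][owner] += 1
    return dict(summary)

def targeted_providers(log_text):
    # Providers whose resolvers fetched SPF for any monitored domain
    return sorted({o for c in campaign_summary(log_text).values()
                   for o in c if o != "unknown"})
```

Lookups from unattributed resolvers still count; they only show that the domain was used, not where the mail landed.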

Summary and suggestions

APT28 has enough resources to carry out long-term network attacks tailored to its targets. Its range of attacks is wide: DNS tampering, phishing, watering hole attacks, and so on. Direct attacks on Webmail and cloud services have begun recently, and the group is expected to remain active for years to come.

Because the attackers use a variety of tools and tactics, organizations must secure their network perimeter and reduce any potential risk. The following measures can be taken:

1. Enforce the principle of least privilege, limit traffic, enable only required services, and disable outdated or unused services to minimize risk in the network.

2. Fix security vulnerabilities, keep systems updated, create a strong patch management policy, and use virtual patching for known and unknown vulnerabilities.

3. Regularly monitor the infrastructure, including intrusion detection and prevention systems in addition to firewalls.

4. Enable two-factor authentication.

5. Educate employees on security, raise awareness of phishing techniques and common attacks, and prohibit the use of personal mailboxes and social accounts at work.

6. Maintain data integrity, back up data regularly, and encrypt sensitive information when storing it.

The above is what the APT28 attack activity analysis report is like. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.
