Home Blog APTs Tracked in October: Venomous Bear APTs Tracked in October: Venomous Bear BlueVoyant Share: Facebook Twitter LinkedIn “Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities. Venomous Bear is another group that was quite active in October. This threat group (also known as Turla, Snake, Uroboros) is an advanced, Russia-based adversary that typically targets foreign governments, defense technologies, and education sectors. Their first sighting involved the use of a Remote Access Trojan (RAT) named Reductor. This malware allowed attackers to take full control over the victim system while also making modifications to browser configurations. These modifications act like a tracking mechanism for TLS traffic. It is not yet known what this information will be used for. In mid-October a campaign was observed where Venomous Bear appears to be using Iranian cyber-espionage tools and masquerading as attackers from the Islamic Republic. The current campaign has used tools from the Iranian APT known as Helix Kitten (APT34) to successfully attack organizations in at least 20 different countries over the last 18 months, according to British security officials. Researchers do not believe the two groups are colluding, but rather, it appears that Venomous Bear infiltrated Helix Kitten’s infrastructure. According to information provided by the NSA and GCHQ, The Russian group was also able to access the networks of existing Helix Kitten victims and even access the code needed to build its own “Iranian” hacking tools. Share: Facebook Twitter LinkedIn Related reading Why Bluevoyant BlueVoyant – Microsoft Security Consulting Potential Career Paths November 29, 2021 BlueVoyant is always looking for people who are flexible, willing to tackle new technologies, explore, get their hands on the latest cybersecurity tools,… Read more Malware AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot November 12, 2021 Using our knowledge of AnchorDNS-now-Stickseed, BlueVoyant Third-Party Risk and Managed Security Services were able to identify a Stickseed attack in the… Read more Identifying Threats Pivoting on Compliance Efforts Under CMMC 2.0 November 9, 2021 The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to… Read more
BlueVoyant Share: Facebook Twitter LinkedIn “Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities. Venomous Bear is another group that was quite active in October. This threat group (also known as Turla, Snake, Uroboros) is an advanced, Russia-based adversary that typically targets foreign governments, defense technologies, and education sectors. Their first sighting involved the use of a Remote Access Trojan (RAT) named Reductor. This malware allowed attackers to take full control over the victim system while also making modifications to browser configurations. These modifications act like a tracking mechanism for TLS traffic. It is not yet known what this information will be used for. In mid-October a campaign was observed where Venomous Bear appears to be using Iranian cyber-espionage tools and masquerading as attackers from the Islamic Republic. The current campaign has used tools from the Iranian APT known as Helix Kitten (APT34) to successfully attack organizations in at least 20 different countries over the last 18 months, according to British security officials. Researchers do not believe the two groups are colluding, but rather, it appears that Venomous Bear infiltrated Helix Kitten’s infrastructure. According to information provided by the NSA and GCHQ, The Russian group was also able to access the networks of existing Helix Kitten victims and even access the code needed to build its own “Iranian” hacking tools. Share: Facebook Twitter LinkedIn Related reading Why Bluevoyant BlueVoyant – Microsoft Security Consulting Potential Career Paths November 29, 2021 BlueVoyant is always looking for people who are flexible, willing to tackle new technologies, explore, get their hands on the latest cybersecurity tools,… Read more Malware AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot November 12, 2021 Using our knowledge of AnchorDNS-now-Stickseed, BlueVoyant Third-Party Risk and Managed Security Services were able to identify a Stickseed attack in the… Read more Identifying Threats Pivoting on Compliance Efforts Under CMMC 2.0 November 9, 2021 The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to… Read more
Why Bluevoyant BlueVoyant – Microsoft Security Consulting Potential Career Paths November 29, 2021 BlueVoyant is always looking for people who are flexible, willing to tackle new technologies, explore, get their hands on the latest cybersecurity tools,… Read more
Malware AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot November 12, 2021 Using our knowledge of AnchorDNS-now-Stickseed, BlueVoyant Third-Party Risk and Managed Security Services were able to identify a Stickseed attack in the… Read more
Identifying Threats Pivoting on Compliance Efforts Under CMMC 2.0 November 9, 2021 The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to… Read more
