SafeBreach Hacker’s Playbook Updated for US-CERT Alert (AA21-148A) - Sophisticated Spearphishing Campaign Targeting Government Organizations, IGOs, and NGOs
US Cert Alerts
SafeBreach Labs has updated the Hacker's Playbook™ with new attack methods for the malware samples, URLs, and domains described in the US-CERT alert "Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs", which addresses a spearphishing campaign conducted by the threat actor Nobelium (part of APT29) and specifically targeting government organizations, intergovernmental organizations (IGOs), and non-governmental organizations (NGOs). The threat actor used a compromised end-user account at Constant Contact, a legitimate email marketing software company, to spoof a U.S.-based government organization and distribute phishing emails to more than 7,000 accounts across approximately 350 government organizations, IGOs, and NGOs. The phishing email delivers an HTML attachment which, when opened, automatically downloads and mounts an ISO (Optical Disc Image) file and executes the Cobalt Strike Beacon Loader* (a malicious shortcut file).
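The download-mount-execute chain described above leaves a recognisable sequence in endpoint telemetry: a browser or mail client writes an .iso, the image is mounted, and a process is then launched from the mounted volume. The correlation script below is an added example, not SafeBreach's or the alert's code; it runs over constructed sample events, and the record shape (ts, type, proc, path, image, mount, parent, cmdline) and the ten-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Maximum time allowed between the ISO download and the launch from the mounted volume (assumption).
WINDOW = timedelta(minutes=10)

# Constructed sample telemetry, not taken from the alert. The record shape is a
# hypothetical EDR export: ts (ISO 8601), type, and type-specific fields.
EVENTS = [
    {"ts": "2021-05-25T14:01:05", "type": "file_write", "proc": "chrome.exe",
     "path": "C:\\Users\\analyst\\Downloads\\report.iso"},
    {"ts": "2021-05-25T14:01:30", "type": "image_mount",
     "image": "C:\\Users\\analyst\\Downloads\\report.iso", "mount": "E:\\"},
    # The shortcut on the mounted image launches a binary from the same volume.
    {"ts": "2021-05-25T14:01:41", "type": "process_create", "parent": "explorer.exe",
     "image": "E:\\Documents.exe", "cmdline": "E:\\Documents.exe"},
    # Benign launch that must not be flagged.
    {"ts": "2021-05-25T15:30:00", "type": "process_create", "parent": "explorer.exe",
     "image": "C:\\Program Files\\Notepad++\\notepad++.exe", "cmdline": "notepad++.exe"},
]


def _t(e):
    return datetime.fromisoformat(e["ts"])


def correlate(events):
    """Return one finding per process launched from a volume that is backed by
    a recently downloaded .iso (download -> mount -> execution from the mount)."""
    downloads = {}  # lowercase iso path -> file_write event
    mounts = {}     # lowercase mount point -> (image_mount event, file_write event)
    findings = []
    for e in sorted(events, key=_t):
        if e["type"] == "file_write" and e["path"].lower().endswith(".iso"):
            downloads[e["path"].lower()] = e
        elif e["type"] == "image_mount":
            dl = downloads.get(e["image"].lower())
            if dl and _t(e) - _t(dl) <= WINDOW:
                mounts[e["mount"].lower()] = (e, dl)
        elif e["type"] == "process_create":
            # Check both the image path and the command line for the mount point.
            target = (e["image"] + " " + e.get("cmdline", "")).lower()
            for mp, (m, dl) in mounts.items():
                if mp in target and _t(e) - _t(dl) <= WINDOW:
                    findings.append({"iso": dl["path"], "mount": m["mount"],
                                     "downloader": dl["proc"], "image": e["image"]})
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```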
The new attack methods for US-CERT AA21-148A are already in the SafeBreach Hacker’s Playbook and ready to be run across your simulators. The Known Attack Series report has been updated so you can run the specific attacks from this US-CERT alert. From the Known Attack Series report, select the US-CERT AA21-148A (Nobelium) report and select Run Simulations, which runs all of the attack methods.
NOTE - Cobalt Strike is a commercial penetration testing tool used to conduct red team operations. It contains several tools that complement the cyber threat actor’s exploitation efforts, such as a keystroke logger, file injection capability, and network services scanners. The Cobalt Strike Beacon is the malicious implant that calls back to attacker-controlled infrastructure and checks for additional commands to execute on the compromised system.