Fancy Bear Compromises Organizations via IoT Devices

Delaware, USA – August 7, 2019 – The Russian state-sponsored threat actor continues to be interested in IoT Devices and abuses them to infiltrate corporate networks. The Microsoft Security Response Center has published an article revealing details of recent activity of the Fancy Bear group (aka APT28, Sophacy, and Strontium). In April, Microsoft discovered attempts to compromise various IoT devices across multiple customer locations. Adversaries managed to compromise three devices: an office printer, VOIP phone, and a video decoder. In two cases, the default manufacturer’s passwords were not changed on the devices, and in the last detected case, the APT group exploited known vulnerability as the necessary updates were not installed. Attackers used compromised IoT devices as a starting point for penetrating the organization’s network. To maintain network persistence, Fancy Bear used a simple shell script, thanks to which infected devices contacted the C&C infrastructure of the group. After infection, hackers ran tcpdump to sniff network traffic and discover other vulnerable devices, they also enumerated administrative groups to attempt further exploitation. Microsoft Security Response Center detected attacks at an early stage, therefore it is impossible to determine what goals the adversaries pursued.

Since the beginning of the year, the Fancy Bear group has almost disappeared from our radars and news headlines. Last year, the APT group created VPNFilter malware, which infected more than half a million routers around the world and only a timely shutdown of the C&C server prevented the exploitation of the resulting botnet for malicious purposes. The group also uses extremely persistent malware, which is difficult to detect and remove. You can detect traces of their malicious activity using the SOFACY Activity Detector (Sysmon Behavior) rule by Lee Archinal: https://tdm.socprime.com/tdm/info/2308/
You can also use the APT Framework rule pack to uncover traces of malware and signs of cyberattack at any stage of Cyber ​​Kill Chain: https://my.socprime.com/en/integrations/apt-framework-arcsight