Russian APT group pivots to network edge device misconfigurations

Published 2025-12-16 (cybersecurityinfocus.com)

A Russian state-sponsored cyberespionage group has been targeting energy companies and critical infrastructure providers by exploiting misconfigurations in network edge devices.

The group has been operating since at least 2021. It has exploited device misconfigurations before, but also known vulnerabilities such as CVE-2022-26318 in WatchGuard Firebox and XTM appliances, CVE-2021-26084 and CVE-2023-22518 in Confluence, and CVE-2023-2753 in Veeam Backup.

However, according to telemetry collected by Amazon Threat Intelligence (https://aws.amazon.com/blogs/security/amazon-threat-intelligence-identifies-russian-cyber-threat-group-targeting-western-critical-infrastructure/), the group has focused heavily on misconfigurations this year, pivoting away from zero-day and N-day vulnerabilities. The main targets have been enterprise routers and routing infrastructure, VPN concentrators and remote access gateways, network management appliances, collaboration and wiki platforms, and cloud-based project management systems.

"This tactical adaptation enables the same operational outcomes, credential harvesting, and lateral movement into victim organizations' online services and infrastructure, while reducing the actor's exposure and resource expenditure," the researchers found.

Links to Sandworm and Curly COMrades

According to Amazon's telemetry, the group's infrastructure overlaps with that of Sandworm, a group also known as APT44 and Seashell Blizzard that is associated with Russia's military intelligence agency, the GRU. There are also overlaps with a group whose activity was documented in the past by security firm Bitdefender under the name Curly COMrades (https://www.csoonline.com/article/4085272/russian-apt-abuses-windows-hyper-v-for-persistence-and-malware-execution.html).

These could be subgroups within the GRU that work together, with the one tracked by Amazon handling initial access and lateral movement and Curly COMrades handling host persistence through its CurlyShell and CurlCat custom malware implants.

Amazon detected attacks against customer network edge appliances hosted on AWS EC2 instances, with actor-controlled IP addresses maintaining persistent connections that indicate interactive access to the compromised devices.

Credential harvesting

The researchers also observed credential replay attacks against victims' other online services using stolen domain credentials following network edge device compromises. This indicates that the attackers are likely harvesting credentials by using the traffic capture and analysis capabilities of the compromised devices.

"Time gap between device compromise and authentication attempts against victim services suggests passive collection rather than active credential theft," the researchers found.

Network traffic interception is consistent with Sandworm's known tradecraft, and targeting network edge devices specifically positions the attackers to intercept credentials in transit.

How critical infrastructure providers can defend against this threat

The group has a strong focus on the energy sector, with victims including electric utility companies, energy providers, and even MSSPs with energy sector clients. However, it has also targeted technology and cloud service providers, as well as telecommunications companies across multiple regions.

The Amazon Threat Intelligence team advises organizations to audit their network edge devices for packet capture files or utilities that should not be present, to review their device configurations and isolate management interfaces, and to implement multi-factor authentication.

Companies should also review authentication logs and monitor authentication attempts from unexpected geographic locations. Anomaly detection for authentication patterns should be implemented for all online services, and the use of plaintext protocols that could expose credentials in transit should be audited.

The Amazon report includes indicators of compromise associated with this attack campaign as well as security recommendations specific to AWS environments.