Summary: Microsoft has recently released research into a subgroup within the Russian state APT Seashell Blizzard (Sandworm) and the details of its initial access campaign, which Microsoft dubbed BadPilot. The subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Sandworm to persist on high-value targets and support tailored network operations. The subgroup has three distinct exploitation patterns, and the blog post details the TTPs Microsoft recently observed. The subgroup has been active since 2021 and leverages opportunistic access techniques and stealthy persistence to perform credential harvesting, achieve remote code execution, and establish footholds for lateral movement, which in the past has resulted in substantial network compromises.
Observed operations targeted sensitive critical sectors including energy, oil and gas, telecommunications, shipping, arms manufacturing, and government organizations. Sandworm has utilized published exploits for flaws in ConnectWise ScreenConnect IT remote management and monitoring software (CVE-2024-1709) and Fortinet FortiClient EMS security software (CVE-2023-48788) to discover and compromise many Internet-facing systems, and has expanded its range to include targets in the United States and the United Kingdom. Seashell Blizzard's intrusions typically employ publicly available tools like Cobalt Strike and DarkCrystalRAT (dcRAT). Starting in February 2022, Sandworm has generally had three approaches to how it conducts network intrusions:
- Targeted: Sandworm APT has frequently used tailored mechanisms to access targets, including scanning and exploitation of specific victim infrastructure, phishing, and modifying legitimate functionality of existing systems to either expand network access or obtain confidential information.
- Opportunistic: Sandworm APT has increasingly used broad exploitation of Internet-facing infrastructure and distribution of malware implants spread through trojanized software to achieve scalable but indiscriminate access. In cases where a resulting victim is identified as strategically valuable, Microsoft Threat Intelligence has observed the threat actor conducting significant post-compromise activities.
- Hybrid: Sandworm APT has very likely gained access to target organizations using a limited supply-chain attack narrowly focused within Ukraine, an operation that was recently mitigated by the Computer Emergency Response Team of Ukraine (CERT-UA). Other hybrid methods have included the compromise of regionally managed IT service providers, which often afforded regional or vertical-specific access to diverse targets.
Security Officer Comments: Sandworm is a high-impact threat actor linked to the Russian Federation that conducts global activities on behalf of the GRU. Sandworm's specialized operations have ranged from espionage to information operations and disruptions, usually in the form of destructive attacks and manipulation of industrial control systems. The opportunistic access techniques outlined in this campaign will continue to offer the GRU opportunities for niche operations. Although Microsoft Threat Intelligence observed that the subgroup's targeting is opportunistic, the compromises provide Russia with footholds to launch attacks against current and future sectors of interest as the country's strategic objectives evolve. Sandworm's far-reaching access operations pose a significant risk to organizations. According to Microsoft, as Sandworm makes notable shifts in its post-compromise malware operations, those shifts are reflected in BadPilot initial access operations. Microsoft was able to attribute this subgroup's attacks to Sandworm because of the distinct exploits, tooling, infrastructure, and persistence methods used in the subgroup's attacks. This research was unveiled as EclecticIQ researchers detailed a Sandworm campaign targeting Ukrainian users with trojanized Microsoft KMS Activation Tools, highlighting the relevance of this threat.
Suggested Corrections: IOCs are available here.
Suggested Corrections and Protection Guidance from Microsoft:
- Utilize a vulnerability management system, such as Microsoft Defender Vulnerability Management, to manage vulnerabilities, weaknesses, and remediation efforts across your environment’s operating systems, software inventories, and network devices.
- Require multifactor authentication (MFA). While certain attacks such as AiTM phishing attempt to circumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
- Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
- Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Organizations can also use Microsoft Defender External Attack Surface Management (EASM), a tool that continuously discovers and maps an organization's digital attack surface to provide an external view of its online infrastructure. EASM leverages vulnerability and infrastructure data to generate Attack Surface Insights, reporting that highlights key risks to a given organization.
- Enable Network Level Authentication for Remote Desktop Service connections.
- Enable AppLocker to restrict specific software tools prohibited within the organization, such as reconnaissance, fingerprinting, and RMM tools, or grant access to only specific users.
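The last two items above are host-level settings that can be audited and, for NLA, corrected from PowerShell. The script below is an added example, not code from the Microsoft or THN write-ups; the function name, parameter and output shape are this example's own choices, and it assumes an elevated PowerShell session on a Windows host with the AppLocker module present.

```powershell
# Added example: audit RDP Network Level Authentication and AppLocker enforcement
# on the local host, and optionally enable NLA. Run from an elevated session.

function Get-RdpHardeningStatus {
    [CmdletBinding()]
    param(
        # When set, enable NLA if it is currently off (needs local admin rights).
        [switch]$EnforceNla
    )

    # NLA state is exposed by the Terminal Services WMI provider; 1 = required.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    $nlaRequired = ($ts.UserAuthenticationRequired -eq 1)

    if (-not $nlaRequired -and $EnforceNla) {
        # SetUserAuthenticationRequired(1) is the documented way to switch NLA on.
        Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                         -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
        $nlaRequired = $true
    }

    # AppLocker: read the effective policy and report, per rule collection,
    # whether it is enforced (vs. AuditOnly/NotConfigured) and how many Deny
    # rules exist. A collection with no Deny rules and no enforcement does
    # nothing to stop unwanted RMM or reconnaissance tooling.
    $appLocker = @()
    try {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
        foreach ($rc in $policy.RuleCollections) {
            $appLocker += [pscustomobject]@{
                Collection = $rc.RuleCollectionType
                Mode       = $rc.EnforcementMode
                DenyRules  = @($rc | Where-Object { $_.Action -eq 'Deny' }).Count
            }
        }
    } catch {
        Write-Warning "AppLocker policy could not be read: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpNlaRequired = $nlaRequired
        AppLocker      = $appLocker
    }
}

# Report only; add -EnforceNla to also turn NLA on where it is off.
Get-RdpHardeningStatus
```

A host reporting RdpNlaRequired = False, or AppLocker collections in NotConfigured mode with zero Deny rules, is one that the guidance above would flag for remediation.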
Organizations can make APT groups’ lives more difficult. Here’s how:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
Link(s):
https://thehackernews.com/2025/02/microsoft-uncovers-sandworm-subgroups.html
https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/