- ANSSI noted that attackers are compromising the networks of service providers and design firms in order to access their client data.
- The agency observed two waves of separate attacks against these providers. While the first wave relies on the PlugX malware, the second wave relies on credential theft and legitimate tools.
What’s the matter?
The National Cybersecurity Agency of France, also known as Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), has published a security alert about cyber-espionage campaigns targeting service providers and engineering offices.
A brief overview
ANSSI investigations highlight that attackers are compromising the networks of service providers and design firms in order to access their client data.
- The agency observed two waves of separate attacks against these providers.
- The first wave relies on the PlugX malware.
- The second wave relies on credential theft and legitimate tools such as ProcDump, CertMig, WMIExec.vbs, rar.exe, MimiKatz, Netscan, among others.
“We just published a new analysis report about cyber threats targeting service providers and design offices for #spying purposes. The information provided by the #CTI team in this report is based on #incident response investigations,” Samuel Hassine, the head of ANSSI's Cyber Threat Intelligence division, tweeted.
ANSSI’s report also provides recommendations for service providers, design offices and their clients in order to prevent such attacks.
- In order to avoid supply chain attacks, the agency recommends that service providers use secure administration methods on their IT systems.
- Service providers and design offices are advised to set up a security monitoring capability.
- ANSSI also recommends that they create a list of connections with clients and monitor them.
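As an added example (not code from ANSSI or from this article), the script below runs simple process-creation detection rules over a few constructed Sysmon-style records, flagging the dual-use tools named above (ProcDump, rar.exe, WMIExec.vbs) in the way the monitoring recommendation suggests; the log format, command-line heuristics, host and user names are all assumptions.

```python
import re

# Tool names taken from the ANSSI alert's list for the second wave.
# Script hosts (cscript/wscript) are deliberately not watched by name,
# only when they launch wmiexec.vbs, to keep noise down.
WATCHED_IMAGES = {
    "procdump.exe", "procdump64.exe", "certmig.exe",
    "rar.exe", "mimikatz.exe", "netscan.exe",
}

# Constructed process-creation records: "host|user|image|cmdline".
SAMPLE_LOG = """\
srv-eng01|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe spec.txt
srv-eng01|CORP\\svc-backup|C:\\Temp\\procdump64.exe|procdump64.exe -ma lsass.exe C:\\Temp\\l.dmp
srv-eng01|CORP\\svc-backup|C:\\Windows\\System32\\cscript.exe|cscript.exe C:\\Temp\\wmiexec.vbs /cmd 10.0.0.5 whoami
srv-eng01|CORP\\svc-backup|C:\\Temp\\rar.exe|rar.exe a -hpSecret C:\\Temp\\out.rar C:\\Projects\\ClientA
srv-eng01|CORP\\jdoe|C:\\Program Files\\Git\\bin\\git.exe|git.exe pull
"""

def parse_line(line):
    host, user, image, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "cmdline": cmdline,
            "image": image.rsplit("\\", 1)[-1].lower()}  # basename only

def classify(rec):
    """Return the list of reasons a record is suspicious (empty if benign)."""
    img, cmd = rec["image"], rec["cmdline"].lower()
    reasons = []
    if img in WATCHED_IMAGES:
        reasons.append(f"watched tool: {img}")
    if img.startswith("procdump") and "lsass" in cmd:
        reasons.append("procdump targeting lsass (credential dump)")
    if img in ("cscript.exe", "wscript.exe") and "wmiexec.vbs" in cmd:
        reasons.append("wmiexec.vbs lateral movement")
    if img == "rar.exe" and re.search(r"\s-hp", cmd):
        reasons.append("rar with password (staging for exfiltration)")
    return reasons

def detect(log):
    """Parse every non-empty line and keep those with at least one reason."""
    hits = []
    for line in filter(str.strip, log.splitlines()):
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["host"], hit["user"], hit["image"], hit["reasons"])
```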
The second report
ANSSI published another report warning about a credential-gathering campaign targeting government entities via spearphishing emails and phishing websites.
- ANSSI noted that it has observed several clusters of malicious activity, including domain names, subdomains and email addresses, used in large attack campaigns since 2017.
- The agency said that the threat actor behind this campaign registered multiple domain names and created several subdomains with a naming pattern revealing its potential targets.
- The potential targets include diplomatic entities belonging to member countries of the United Nations Security Council including China, France, Belgium, Peru, and South Africa.