
Multi-Year Global Attack Campaign Conducted by Sandworm Subgroup


A subgroup of the Russian state-backed threat operation Sandworm has exploited several known security vulnerabilities against organizations in more than 15 countries as part of the multi-year BadPilot campaign, according to The Hacker News.

The subgroup initially targeted Ukrainian energy, education, agriculture, retail, and consulting entities in 2022, then moved the following year to U.S., European, Central Asian, and Middle Eastern sectors supporting Ukraine. Last year it went on to compromise organizations in the U.S., Canada, Australia, and the UK in intrusions that exploited flaws in ConnectWise ScreenConnect and Fortinet FortiClient EMS, a report from the Microsoft Threat Intelligence team revealed.

Initial compromise has been followed by one of three post-exploitation paths: injection of malicious JavaScript code for credential theft, delivery of the LocalOlive web shell to retrieve further payloads, or distribution of remote access software to deepen the compromise.

Such a development comes after Sandworm, also known as APT44, Seashell Blizzard, and Voodoo Bear, was reported by EclecticIQ to have launched an attack campaign exploiting Microsoft Key Management Service activators and fraudulent Windows updates to facilitate novel BACKORDER malware variant distribution.
