In this blog post, we explore the Cozy Bear Group, an established threat actor with recent exploits that impacted a popular remote access software. We explore the tactics and techniques used in this attack, the most common attack vectors used by the threat group, and provide an aligned list of Labs that can help your teams stay resilient. There will also be bear puns. Please enjoy!
When you think of a “cozy bear”, you might think of Winnie the Pooh or a faux fur throw by the fire, not a criminal hacker group that’s been active since 2008.
On 26 June 2024, TeamViewer, the most popular remote access software, disclosed an intrusion. Evidence attributes the attack to Russia’s Midnight Blizzard group, also known as APT29, the Dukes, and the Cozy Bear group.
Not exactly the type of behavior you’d expect from a cozy bear, right?
The Cozy Bear group has been observed using tools and techniques that target sectors such as government, healthcare, and energy organizations. Its most common techniques include vulnerability scanning (T1595.002) and exploitation of public-facing applications (T1190) against vulnerable systems. It is also associated with the notorious SolarWinds incident in 2021, which resulted in the first ever SEC charges against a CISO. It’s safe to say this bear isn’t hibernating; it’s on the prowl.
All honey pots aside, Immersive Labs has a dedicated Threat Actor Lab for APT29 and a wealth of content covering other attack types perpetrated by this malicious threat group. Ensure your teams aren’t caught in a bear trap by exploring or revisiting content designed specifically around this cyber espionage group:
APT29: Threat Hunting with Elasticsearch
Successful cyber threat hunting relies on combining information that ranges from cyber threat intelligence to detailed event logs gathered from endpoints, network devices, and security tools. This lab collection gives you an opportunity to explore some of these concepts through the lens of an emulated APT29 attack scenario.
APT29: Threat Hunting with Splunk
These labs follow the same attack path as the collection above, but with a different tactical and system focus, providing an opportunity to explore the same concepts through the lens of an emulated APT29 attack scenario in Splunk.
Brute Ratel: Extracting Indicators of Compromise
Brute Ratel C4 is a commercial command and control (C2) framework for adversary simulation and red team engagements. This tool has been observed in use in the wild by nation-state actors, specifically APT29.
The following labs are also based on this threat group’s known tactics, techniques, and procedures (TTPs) and the exploits it has used. Check them out:
- CVE-2019-19781 (Citrix RCE) – Defensive
- CVE-2019-19781 (Citrix RCE) – Offensive
- CVE-2020-5902 (F5 BIG-IP) – Defensive
- CVE-2020-5902 (F5 BIG-IP) – Offensive
We may be having fun here, but your cyber readiness is no joke.
Make sure your teams are up to date on the newest CVEs and well versed in established threat actors and attack vectors, so your organization stays out of the news 🙅‍♀️🐻📰
Share your thoughts!
Do you like bear-themed articles? Do you plan to assign or bookmark these recommended labs? We’re beary eager for your feedback in the comments below!