June 23, 2025
By esentry team

The Cozy Bear Trick

A recently disclosed cyberespionage operation linked to the Russian government has been found to use a new, low-and-slow phishing trick that defeats two-factor authentication by exploiting Google’s little-known “app-specific password” feature.

The Google account feature called application-specific passwords (or app passwords) is a 16-digit passcode that gives a less secure app or device permission to access your Google Account.

The threat actor, identified as UNC6293 and believed to be linked to APT29 (also known as Cozy Bear), establishes rapport with targets through social engineering techniques.

They lure their target into setting up an application-specific password. Once the target shares the ASP passcode, the attackers establish persistent access to the victim's mailbox.

Cozying Up with the Bear

1. Picking the Perfect Targets

The threat actor focused on prominent academics and critics of Russia.

2. Rapport Building

They spend time building rapport, like making new friends at a coffee shop, to gain the target's trust.

3. Tailored Lures

Customized strategies and lures are crafted to appeal to the specific interests and situations of the targets.

4. Request for Application-Specific Passwords (ASPs)

The attackers convinced the targets to set up and share application-specific passwords.

5. Access Establishment

Once the target shares the ASP passcode, the attackers establish persistent access to the victim's mailbox.

6. Exploitation of Access

The attackers utilized their access for further exploitation, which may include data theft or surveillance.

Impact

By evading two-factor authentication in this way, the threat actors were able to:

i. Gain Access

ii. Exfiltrate Data

iii. Carry out Cyber Espionage

Recommendations

Threat actors are constantly evolving and coming up with new techniques. Individuals and organizations are advised to:

·       Avoid sharing app passwords or any code received via email unless confirmed through secure channels.

·       Disable or limit the use of app passwords where possible in organizational settings.

·       Educate employees and users about advanced phishing tactics, including those involving app passwords or device codes.

·       Verify meeting invitations or email requests independently through known contacts or official phone numbers.

·       Use advanced email filtering and threat detection to catch phishing lures.
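Because the trick above only works once the victim has created a fresh app password, an administrator can look for exactly that: newly created or never-used ASPs across the organization. The following script is an added example (not code from the original post or from Google) that triages ASP records in the shape returned by the Workspace Directory API asps.list call (codeId, name, creationTime and lastTimeUsed in milliseconds since the epoch); the sample records are constructed, and the revoke helper assumes an already authorized Directory API client.

```python
# Added example: audit Google Workspace application-specific passwords (ASPs).
# Record fields follow the Directory API asps.list response; SAMPLE_ASPS is
# constructed data, not output from a real tenant.
NEW_ASP_WINDOW_DAYS = 7          # ASPs younger than this are flagged for review
MS_PER_DAY = 86_400_000

# Constructed sample for one user: an old, actively used ASP and one created
# the day before the audit that has never been used (lastTimeUsed == 0).
SAMPLE_ASPS = [
    {"codeId": 1, "name": "Old mail client",
     "creationTime": "1700000000000", "lastTimeUsed": "1745000000000"},
    {"codeId": 2, "name": "Conference access",
     "creationTime": "1750550400000", "lastTimeUsed": "0"},
]

def triage_asps(asps, now_ms, window_days=NEW_ASP_WINDOW_DAYS):
    """Return the ASPs that deserve a closer look, with the reason(s) for each.

    A recently created ASP is suspicious because a socially engineered user may
    have just been talked into creating it; a never-used ASP is dormant access
    that should simply be removed.
    """
    findings = []
    for asp in asps:
        age_days = (now_ms - int(asp["creationTime"])) / MS_PER_DAY
        reasons = []
        if 0 <= age_days <= window_days:
            reasons.append("created within %d days" % window_days)
        if int(asp.get("lastTimeUsed", 0)) == 0:
            reasons.append("never used")
        if reasons:
            findings.append({"codeId": asp["codeId"], "name": asp["name"],
                             "reasons": reasons})
    return findings

def revoke_flagged(service, user_key, findings):
    """Delete each flagged ASP. Assumes `service` is an authorized client built
    with googleapiclient.discovery.build('admin', 'directory_v1')."""
    for finding in findings:
        service.asps().delete(userKey=user_key,
                              codeId=finding["codeId"]).execute()

if __name__ == "__main__":
    audit_time_ms = 1750636800000   # 2025-06-23 00:00 UTC, the post's date
    for finding in triage_asps(SAMPLE_ASPS, audit_time_ms):
        print(finding)
```

In a real deployment the records come from asps.list for each user and the findings go to a ticket or to revoke_flagged; the creation window is the signal most tied to this campaign.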

It is important to stay informed, stay secure and always prioritize security in your daily operations.