Welcome to the latest edition of The Week in Cybersecurity, which brings you the latest headlines from both the world and our team about the most pressing topics in cybersecurity. This week: Cozy Bear APT group is using Dropbox and Google drive to cover up attacks, malware is spreading via Google Play Store apps, and more.

This Week’s Top Story

SolarWinds attackers are using Google Drive to hide malware

Russian-linked hacking group APT29, also known as "Cozy Bear" or "Cloaked Ursa," has been using Google Drive to disseminate malware. TechCrunch reports that researchers at Palo Alto Networks' Unit 42 threat intelligence team discovered APT29's newest tactic.

Cozy Bear is the same group responsible for the SolarWinds hack. Using this new tactic, the group has targeted several entities over the past two months, including diplomatic missions and foreign embassies in Portugal and Brazil. The latest discovery can be added onto APT29's lengthy track record of targeting nation-states. Just this past May, the security firm Mandiant discovered the same hacking group utilizing Dropbox in a similar scheme that also targeted diplomats and government agencies.

Advanced threat actors combine the use of encrypted data with ubiquitous services like Dropbox and Google Drive to hide from detection tools, the researchers said.

Unit 42 has disclosed APT29's operations to Google and Dropbox, and both have taken actions to mitigate.

The news about APT29 also coincides with the EU foreign service's warning that Russian hacker groups have become "increasingly disruptive" in Europe since the start of Russia's war in Ukraine.

News Roundup

Here are the stories we’re paying attention to this week…

Several new play store apps spotted distributing Joker, Facestealer, and Coper Malware (The Hacker News)

Google has taken steps to ax dozens of fraudulent apps from the official Play Store that were spotted propagating Joker, Facestealer, and Coper malware families through the virtual marketplace.

USCYBERCOM releases IOCs for new malware found in Ukraine (Cybercom)

USCYBERCOM’s Cyber National Mission Force on Wednesday released indicators of compromise (IOCs) for new malware discovered in Ukraine. The 20 indicators of compromise were analyzed and identified by the Security Service of Ukraine. USCYBERCOM released them to the public "to highlight the potential compromises and provide additional context to our industry counterparts."

U.S. cybersecurity agency CISA to open London office (Security Week)

The US Cybersecurity and Infrastructure Security Agency (CISA) announced on Monday that it’s set to open an office in the United Kingdom in an effort to boost international cooperation and collaboration.

Pegasus spyware used against Thailand Pro-Democracy Activists and Leaders (Schneier on Security)

Citizen Lab discovered an extensive espionage campaign targeting Thai pro-democracy protesters, and activists calling for reforms to the monarchy.

10K organizations targeted by phishing attack that bypasses MFA (Graham Cluley)

Microsoft has shared details of a widespread phishing campaign that not only attempted to steal the passwords of targeted organizations, but was also capable of circumventing multi-factor authentication (MFA) protections.

New Luna ransomware encrypts Windows, Linux, and ESXi systems (BleepingComputer)

Discovered by Kaspersky security researchers via the company's Darknet Threat Intelligence active monitoring system, the Luna ransomware appears to be specifically tailored to be used only by Russian-speaking threat actors.