Blind Eagle Targets Colombian Government with Malicious URL Files – Infosecurity Magazine
Published on: 2025-03-11
Intelligence Report: Blind Eagle Targets Colombian Government with Malicious URL Files – Infosecurity Magazine
1. BLUF (Bottom Line Up Front)
The Blind Eagle threat group has launched a cyber campaign targeting Colombian government institutions and organizations. The group is exploiting a recently patched CVE vulnerability to distribute malicious URL files, leveraging legitimate file-sharing platforms to bypass traditional security measures. Immediate actions are required to mitigate the threat, including disabling NTLM authentication and enhancing monitoring for unusual WebDAV requests.
2. Detailed Analysis
The following structured analytic techniques have been applied for this analysis:
General Analysis
Blind Eagle, known for its Advanced Persistent Threat (APT) capabilities, is targeting Colombian judicial institutions, private organizations, and government agencies. The group utilizes malicious URL files that exploit a CVE vulnerability, allowing attackers to extract NTLMv2 hashes for authentication attacks. The campaign has been active since December, with significant infection rates observed. Blind Eagle uses platforms like Google Drive, Dropbox, Bitbucket, and GitHub to distribute malware, making detection challenging. The attack chain includes sophisticated payloads such as the HeartCrypt packer and Remcos RAT.
3. Implications and Strategic Risks
The campaign poses significant risks to national security, regional stability, and economic interests in Colombia. The ability of Blind Eagle to exploit legitimate platforms increases the threat level, potentially leading to data exfiltration and system compromise. The exposure of personally identifiable information (PII) and compromised credentials further exacerbates the risk, with potential impacts on public trust and governmental operations.
4. Recommendations and Outlook
Recommendations:
- Implement strict security policies to disable NTLM authentication where possible.
- Enhance network monitoring to detect unusual WebDAV requests and other suspicious activities.
- Strengthen cybersecurity awareness and training for employees to recognize phishing attempts.
- Consider regulatory changes to improve the security of file-sharing platforms.
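One way to put the WebDAV-monitoring recommendation into practice, as an added example that is not part of the Infosecurity Magazine article or of this report: a small Python script that reads proxy or firewall log lines and flags WebDAV requests from internal workstations to external hosts, which is the traffic pattern in which a malicious URL file would cause Windows to present NTLM credentials to an attacker-controlled server. The log line format, the sample lines, the internal address ranges and every host and IP value are constructed for the example; the only real identifier assumed is the "Microsoft-WebDAV-MiniRedir" user-agent prefix that the Windows WebClient service sends.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# WebDAV-specific request methods. A workstation rarely has a legitimate reason
# to send these to a host on the public internet.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# User-agent prefix of the Windows WebClient (WebDAV redirector) service.
WEBCLIENT_UA_PREFIX = "Microsoft-WebDAV-MiniRedir"

# Address ranges treated as internal. Assumption: a plain RFC 1918 layout;
# replace with the organisation's real address plan.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed log line format (not taken from the article):
#   <timestamp> <src_ip> <method> <dst_host> <dst_ip> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<dst>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic: one workstation talking to an internal file
# share (benign) and then to an external WebDAV host that challenges it
# for authentication (the pattern to flag).
SAMPLE_LOG = """\
2025-03-10T09:12:01Z 10.20.4.17 GET intranet.example.local 10.20.1.5 200 "Mozilla/5.0"
2025-03-10T09:12:44Z 10.20.4.17 PROPFIND files.example.local 10.20.1.9 207 "Microsoft-WebDAV-MiniRedir/10.0.19041"
2025-03-10T09:13:02Z 10.20.4.17 OPTIONS 203.0.113.45 203.0.113.45 200 "Microsoft-WebDAV-MiniRedir/10.0.19041"
2025-03-10T09:13:03Z 10.20.4.17 PROPFIND 203.0.113.45 203.0.113.45 401 "Microsoft-WebDAV-MiniRedir/10.0.19041"
2025-03-10T09:15:30Z 10.20.7.3 GET www.example.com 198.51.100.8 200 "Mozilla/5.0"
"""


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    method: str
    status: int
    reasons: list


def is_internal(addr: str) -> bool:
    """True if addr parses as an IP address inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # a non-IP value is treated as external
    return any(ip in net for net in INTERNAL_NETS)


def analyze(lines):
    """Return a Finding for every request that shows WebDAV activity
    towards an external host. Unparsable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        if is_internal(f["dst"]):
            continue  # WebDAV to internal file servers is normal traffic
        reasons = []
        if f["method"] in WEBDAV_METHODS:
            reasons.append(f"WebDAV method {f['method']} to external host")
        if f["ua"].startswith(WEBCLIENT_UA_PREFIX):
            reasons.append("Windows WebClient user-agent to external host")
        status = int(f["status"])
        if reasons and status == 401:
            # A 401 is where the server asks the client to authenticate,
            # i.e. where NTLM credentials would be handed over.
            reasons.append("external host issued an authentication challenge (401)")
        if reasons:
            findings.append(Finding(f["ts"], f["src"], f["dst"], f["method"], status, reasons))
    return findings


def sources_by_external_host(findings):
    """Map each internal source to the set of external hosts it reached over WebDAV."""
    summary = defaultdict(set)
    for f in findings:
        summary[f.src].add(f.dst)
    return dict(summary)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.ts} {f.src} -> {f.dst} {f.method} {f.status}: {'; '.join(f.reasons)}")
    print(sources_by_external_host(results))
```

On the constructed sample the script flags only the two requests from 10.20.4.17 to 203.0.113.45 and leaves the internal PROPFIND alone; the 401 on the second request is the strongest signal, since it is the point at which the client would answer with an NTLM response. In a real deployment the same logic belongs in the SIEM or proxy rule set, with the address plan and log format swapped for the organisation's own.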
Outlook:
In the best-case scenario, prompt implementation of security measures will mitigate the threat, reducing the impact on Colombian institutions. In the worst-case scenario, continued exploitation could lead to widespread data breaches and significant operational disruptions. The most likely outcome involves ongoing attempts by Blind Eagle to refine their tactics, necessitating continuous vigilance and adaptation of security strategies.
5. Key Individuals and Entities
The report mentions significant individuals and organizations but does not provide any roles or affiliations. Key entities involved include Blind Eagle and the targeted Colombian government institutions and organizations.