Rewterz Threat Advisory – ICS: Siemens SIMATIC CP 442-1 and CP 443-1 RNA Vulnerability
May 11, 2022
Rewterz Threat Advisory – CVE-2022-29885 – Apache Tomcat Vulnerability
May 12, 2022
Severity
High
Analysis Summary
Quantum ransomware was first identified in August 2021. One of the initial access vectors used by the threat actors is the IcedID malware, which uses Cobalt Strike for remote access and leads to data theft and encryption with Quantum Locker. IcedID gained initial access to the target's PC through phishing emails with an ISO file attached; delivering IcedID inside an ISO archive is an effective way to get past email security restrictions. Cobalt Strike was injected two hours after the infection began. The threat actors then used WMI and PsExec to deploy the Quantum ransomware payload and encrypt machines. The whole attack was completed in less than four hours, which is extremely fast.
Impact
- Unauthorized Access
- Data Exfiltration
- File Encryption
Indicators Of Compromise
Domain Name
- dilimoretast[.]com
- antnosience[.]com
- oceriesfornot[.]top
- arelyevennot[.]top
IP
- 138[.]68[.]42[.]130
- 157[.]245[.]142[.]66
- 188[.]166[.]154[.]118
MD5
SHA-256
SHA-1
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
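One way to carry out the IOC search for the network indicators, as an added example that is not part of the original advisory: the script refangs the domains and IPs listed above and matches them as whole tokens, so subdomains are caught while look-alike names and partial IP matches are not. The log format, host names and timestamps in `SAMPLE_LOG` are constructed for illustration.

```python
import re

# Defanged network indicators copied from this advisory's IoC section.
DEFANGED_DOMAINS = ["dilimoretast[.]com", "antnosience[.]com",
                    "oceriesfornot[.]top", "arelyevennot[.]top"]
DEFANGED_IPS = ["138[.]68[.]42[.]130", "157[.]245[.]142[.]66",
                "188[.]166[.]154[.]118"]

def refang(value):
    """Turn a defanged indicator back into its matchable form."""
    return value.replace("[.]", ".").lower()

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}

# Whole host/IPv4 tokens only, so 138.68.42.13 never matches 138.68.42.130.
TOKEN_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def match_indicator(token):
    """Return the advisory indicator a token corresponds to, or None."""
    token = token.lower().rstrip(".")
    if token in IPS:
        return token
    # A domain indicator also covers its subdomains, but not look-alikes.
    for domain in DOMAINS:
        if token == domain or token.endswith("." + domain):
            return domain
    return None

def scan(lines):
    """Return (line_number, indicator) for every hit in the log lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = (match_indicator(t) for t in TOKEN_RE.findall(line))
        hits.extend((number, ind) for ind in found if ind)
    return hits

# Constructed sample log lines (hypothetical format, not from the advisory).
SAMPLE_LOG = [
    "2022-05-12T09:14:02Z dns query host=WS-014 name=cdn.antnosience.com",
    "2022-05-12T09:14:05Z dns query host=WS-014 name=notantnosience.com",
    "2022-05-12T09:20:41Z fw allow src=10.0.4.17 dst=138.68.42.130 dport=443",
    "2022-05-12T09:21:10Z fw allow src=10.0.4.17 dst=138.68.42.13 dport=443",
    "2022-05-12T11:02:33Z proxy GET https://OCERIESFORNOT.top/ user=jdoe",
]

if __name__ == "__main__":
    for number, indicator in scan(SAMPLE_LOG):
        print(f"line {number}: matched {indicator}")
```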