Severity
High
Analysis Summary
Seedworm (aka MuddyWater), a cyber-espionage group believed to be linked to the Iranian government, has added new tools to its arsenal, including a custom download utility and commodity ransomware, in attacks on a wide range of targets, among them companies and government agencies across the broader Middle East region. The commodity ransomware is being deployed as part of espionage intrusions rather than purely for financial gain. The group remained highly active throughout 2020, and tentative links to the recently discovered PowGoop tool suggest that it may be retooling. Attacks were uncovered against targets in Iraq, Turkey, Kuwait, the United Arab Emirates, and Georgia; in addition to government entities, organizations in the telecommunications and computer services sectors were targeted. Seedworm was also observed setting up tunnels to its own infrastructure using Secure Socket Funneling (SSF) and Chisel. These tools allow the attackers to configure local and remote port forwarding and to copy files to compromised machines. On the same machine where Seedworm was active, a tool known as PowGoop was deployed; the same tool has been seen at several of the organizations attacked by Seedworm in recent months.
Impact
- Credential Theft
- Data Exfiltration
- File Encryption
Indicators of Compromise
MD5
- 0b37c62da0464c830a68598b865f45eb
- 08f933c423a281153811c278a34248ef
- e3a8839230acb9c253dd9673ae0b4103
- b07d9eca8af870722939fd87e928e603
- 2e40b75c20b2d40dc820f90de437022c
- 6983f7001de10f4d19fc2d794c3eb534
- 8ee07f579a0e5cf4c3ec2a3b68602963
- 7c12a63096a6b157564dc912e62b2773
SHA-256
- 950469b0acef00d8074eb1642d153675f07a13ab8eb4acada30c06df0c3261d2
- f9c4f95592d0e543bca52f5882eace65fe3bbbb99bcaae6e97000115fb3cb781
- d3bbb2fee563108345db9d8b6feb72352ea7534798f72757a7e114bf94f2ac78
- 19ec3f16a42ae58ab6feddc66d7eeecf91d7c61a0ac9cdc231da479088486169
- c4599f05a8d44bd315da646064adcf2c90886a705a071f0650ee6d17b739d5c8
- 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71
- ad594fa71852bd5652b0c594d5453155d8da8b6f67fcf63b459190d93adf2d88
- a224cbaaaf43dfeb3c4f467610073711faed8d324c81c65579f49832ee17bda8
SHA-1
- e0105bae0047bb4359250f2383565cc2c50e4450
- 322e0b671126faa5320af201afd5c87f3726708e
- 2566da60426e915288a249028643b719d859168d
- a80c650cd1a486e077b2e1867f36f553cb682a41
- 88a4b762a1dbdb3bc4f64cbd16b098d7bc21ae58
- 23873bf2670cf64c2440058130548d4e4da412dd
- cf0007679f4f7cd6b53f9a8451095f9ed76b6db0
- bee6c97ac6337adc22887da899d8a30acb523ade
Source IP
- 104[.]168[.]14[.]116
URL
- http[:]//107[.]173[.]141[.]103[:]443/downloadc[.]php?key=[REDACTED]
- http[:]//107[.]173[.]141[.]114[:]443/downloadc[.]php?key=[REDACTED]
- http[:]//107[.]175[.]0[.]140[:]443
Remediation
- Block the threat indicators at their respective controls.
- Maintain strong password policies and roll out multi-factor authentication.
- Keep all assets patched and protected against all known vulnerabilities.
- Do not download files attached to untrusted emails.
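Before the indicators above can be blocked or hunted, they have to be refanged (the `[.]` and `[:]` brackets removed) and, for the two `downloadc.php` URLs, matched without the redacted `key=` value. The following script is an added example, not Rewterz's tooling: it takes a subset of the hashes, the source IP and the URLs from this alert, refangs them, and scans log lines for hash, URL-prefix and IP matches. The log lines are constructed for the example and do not come from any real incident; the field names (`sha256=`, `dst=`, `url=`) are assumptions about a generic EDR/proxy export format.

```python
"""
Hunt for the Seedworm/MuddyWater indicators from this alert in local logs.
Added example; indicator values are copied from the alert above, log lines
and field layout are constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Indicators as published above (a subset, defanged exactly as listed).
IOC_HASHES = {
    "950469b0acef00d8074eb1642d153675f07a13ab8eb4acada30c06df0c3261d2",  # SHA-256
    "f9c4f95592d0e543bca52f5882eace65fe3bbbb99bcaae6e97000115fb3cb781",  # SHA-256
    "0b37c62da0464c830a68598b865f45eb",                                  # MD5
    "e0105bae0047bb4359250f2383565cc2c50e4450",                          # SHA-1
}
IOC_IPS_DEFANGED = ["104[.]168[.]14[.]116"]
IOC_URLS_DEFANGED = [
    "http[:]//107[.]173[.]141[.]103[:]443/downloadc[.]php?key=[REDACTED]",
    "http[:]//107[.]173[.]141[.]114[:]443/downloadc[.]php?key=[REDACTED]",
    "http[:]//107[.]175[.]0[.]140[:]443",
]


def refang(value):
    """Turn a defanged indicator ('hxxp', '[.]', '[:]') back into its live form."""
    return (value.replace("[.]", ".").replace("[:]", ":")
                 .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def url_prefix(url):
    """Comparable form of a URL: scheme://host:port/path with the query dropped,
    because the alert redacts the per-victim 'key=' value."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}{parts.path}"


IOC_URL_PREFIXES = {url_prefix(refang(u)) for u in IOC_URLS_DEFANGED}
# Hosts of the C2 URLs are also blocked/hunted as plain IPs.
IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED} | {
    urlsplit(refang(u)).hostname for u in IOC_URLS_DEFANGED
}

HEX_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")


def scan_line(line):
    """Return a de-duplicated list of (kind, indicator) hits found in one log line."""
    hits = []

    def add(hit):
        if hit not in hits:
            hits.append(hit)

    for h in HEX_RE.findall(line.lower()):      # hashes may be logged upper-case
        if h in IOC_HASHES:
            add(("hash", h))
    for u in URL_RE.findall(line):
        if url_prefix(u) in IOC_URL_PREFIXES:   # ignores the redacted key value
            add(("url", url_prefix(u)))
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            add(("ip", ip))
    return hits


def scan_logs(lines):
    """Return [(line_index, hits)] for every line that matched at least one IOC."""
    return [(i, scan_line(l)) for i, l in enumerate(lines) if scan_line(l)]


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2020-12-10T08:12:03Z host=WS-114 event=process_create image=C:\\Users\\Public\\svchost.exe "
    "sha256=950469B0ACEF00D8074EB1642D153675F07A13AB8EB4ACADA30C06DF0C3261D2",
    "2020-12-10T08:12:05Z host=WS-114 event=process_create image=C:\\Windows\\System32\\notepad.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2020-12-10T08:13:41Z host=WS-114 event=proxy dst=107.173.141.103:443 "
    "url=http://107.173.141.103:443/downloadc.php?key=7f3a2c",
    "2020-12-10T08:14:02Z host=WS-201 event=netconn dst=104.168.14.116:443",
    "2020-12-10T08:15:00Z host=WS-201 event=proxy dst=93.184.216.34:443 url=https://example.com/",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {hits}")
```

Matching on the URL prefix rather than the full string matters: a proxy log will carry a real `key=` value, so a literal comparison against the published indicator would never fire. Hashes are lower-cased before comparison for the same reason.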