Rewterz Threat Alert – North Korea Linked Konni APT Group – Active IOCs
December 29, 2023
Rewterz Threat Alert – LockBit Ransomware – Active IOCs
December 29, 2023
Severity
High
Analysis Summary
APT28 is one of Russia’s longest-running APT groups; its operations date back to at least 2007. The group supports Russia’s strategic operations against the U.S., countries of the former Soviet Union, Europe, and now Asia. Its attacks mostly target the defense and military sectors of the affected countries. In support of Russia’s national interests, APT28 compromises the targeted country’s operations, steals its data, and then leaks it to the Russian government. Known by the aliases Fancy Bear, Pawn Storm, Tsar Team, STRONTIUM, and Sofacy Group, APT28 carries out its attacks using spoofed websites and phishing emails containing malicious links.
In February 2022, APT28 allegedly attacked Eastern European countries using Empire and Invoke-Obfuscation. Its operators also exploited the MSHTML Remote Code Execution vulnerability, CVE-2021-40444.
The recent phishing campaign uses JavaScript and “ms-search” to deploy the custom MASEPIE, STEELHOOK, and OCEAN MAP malware, along with OpenSSH, against Ukrainian and Polish organizations.
The use of PowerShell scripts in cyberattacks is not uncommon. Malicious actors often employ PowerShell to execute various activities, including reconnaissance, lateral movement, and data exfiltration. By using PowerShell, attackers can leverage the functionality and privileges provided by the Windows operating system to perform their malicious actions.
Impact
- Information Theft
- Data Exfiltration
- Exposure of Sensitive Data
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of Compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure that general security policies are employed including implementing strong passwords, correct configurations, and proper administration security policies.
- Emails from unknown senders should always be treated with caution.
- Never open links or attachments from unknown senders.
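As an added example of the "search for IOCs in your environment" step above (not part of the Rewterz alert), the PowerShell script below sweeps a directory tree and reports any file whose MD5, SHA-1 or SHA-256 matches an indicator. The hash values, the default path and the report location are placeholders and assumptions; populate the indicator lists from the alert's IOC section before running.

```powershell
# Added example, not from the Rewterz alert: match file hashes on disk against the
# alert's MD5 / SHA-1 / SHA-256 indicators and write the hits to a CSV report.
# Hash values below are placeholders; replace them with the alert's listed IOCs.
param(
    [string]$Path   = 'C:\Users',                       # assumed sweep root
    [string]$Report = "$env:TEMP\apt28-ioc-hits.csv"    # assumed report location
)

$Indicators = @{
    MD5    = @('<md5-from-alert>')
    SHA1   = @('<sha1-from-alert>')
    SHA256 = @('<sha256-from-alert>')
}

# Build case-insensitive lookup sets; Get-FileHash returns uppercase hex.
$Sets = @{}
foreach ($alg in $Indicators.Keys) {
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($h in $Indicators[$alg]) { [void]$set.Add($h.Trim()) }
    $Sets[$alg] = $set
}

$hits = Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        foreach ($alg in $Sets.Keys) {
            try {
                $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm $alg -ErrorAction Stop).Hash
            } catch {
                continue   # locked or unreadable file: skip it and keep sweeping
            }
            if ($Sets[$alg].Contains($hash)) {
                [pscustomobject]@{
                    Path      = $file.FullName
                    Algorithm = $alg
                    Hash      = $hash
                    Modified  = $file.LastWriteTimeUtc
                }
            }
        }
    }

$hits | Export-Csv -LiteralPath $Report -NoTypeInformation
Write-Host ("{0} indicator hit(s) written to {1}" -f @($hits).Count, $Report)
```

Any hit should be treated as a triage lead rather than a confirmed infection: preserve the file and its timestamps for forensic review before removing it.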