March 22, 2024
Severity
High
Analysis Summary
OilRig, also known as HelixKitten, APT 34, and Twisted Kitten, is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group appears to conduct supply chain attacks, abusing the trust relationships between organizations to reach its primary targets. Based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that corresponds with nation-state goals, researchers conclude that the group operates on behalf of the Iranian government. Financial, political, energy, chemical, and telecommunications sectors are its top targets. For lateral movement, OilRig relies on stolen account credentials: after gaining access to a system, it uses credential dumping tools such as Mimikatz to harvest the credentials of accounts logged onto that system, then uses those credentials to access other systems and move laterally through the network.
Impact
- Information Theft and Espionage
- Exposure of Sensitive Data
Indicators of Compromise
MD5
- 21b7be0e2dc2879010ff1e05380ef146
- 0d5de13a07d2b678a2da5c1dc786d26b
SHA-256
- 5db93f1e882f4d7d6a9669f8b1ab091c0545e12a317ba94c1535eb86bc17bd5b
- 704360d765f6f1ef735594c7ff5fb6c47467dad8abc3133f8e935a6c0c804c8a
SHA-1
- 5a5241ee5dfb1d5b668e49ce5de368946fb8a68f
- 4df8adb1816fa6ca97d8caf79a04776bc6204e71
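The remediation section asks readers to search their environment for the hashes above. The following script is an added example, not part of the Rewterz advisory or any vendor tooling: it computes MD5, SHA-1 and SHA-256 of every file under a directory in a single pass and reports any file whose digest appears in the advisory's IOC set. The hash values are copied from the list above; the sample file written by `demo_constructed()` and the file name `sample.bin` are constructed for the demonstration and are not artifacts from the advisory.

```python
import hashlib
import os
import tempfile

# Hash IOCs quoted verbatim from the advisory above (lowercase hex).
IOC_HASHES = {
    "md5": {
        "21b7be0e2dc2879010ff1e05380ef146",
        "0d5de13a07d2b678a2da5c1dc786d26b",
    },
    "sha1": {
        "5a5241ee5dfb1d5b668e49ce5de368946fb8a68f",
        "4df8adb1816fa6ca97d8caf79a04776bc6204e71",
    },
    "sha256": {
        "5db93f1e882f4d7d6a9669f8b1ab091c0545e12a317ba94c1535eb86bc17bd5b",
        "704360d765f6f1ef735594c7ff5fb6c47467dad8abc3133f8e935a6c0c804c8a",
    },
}


def hash_file(path, chunk_size=1 << 20):
    """Compute md5, sha1 and sha256 of one file in a single read pass."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests, iocs=IOC_HASHES):
    """Return [(algorithm, digest), ...] for every digest found in the IOC set."""
    return [
        (algo, digests[algo])
        for algo in iocs
        if digests.get(algo, "").lower() in iocs[algo]
    ]


def scan_tree(root, iocs=IOC_HASHES):
    """Walk `root` and return {path: matches} for files that hit the IOC set.

    Unreadable files (permissions, transient I/O errors) are skipped rather
    than aborting the whole scan, so a single locked file does not hide hits
    elsewhere in the tree.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue
            matched = match_iocs(digests, iocs)
            if matched:
                hits[path] = matched
    return hits


def demo_constructed():
    """Write a constructed (benign) sample file into a temp directory and scan
    it twice: against the advisory IOCs (no hit expected) and against an IOC
    set seeded with the sample's own MD5 (one hit expected).

    Returns (digests, hits_against_advisory, hits_against_seeded_set, path).
    """
    data = b"constructed sample content - not a real artifact"
    tmp = tempfile.mkdtemp(prefix="ioc_demo_")
    path = os.path.join(tmp, "sample.bin")  # constructed file name
    with open(path, "wb") as fh:
        fh.write(data)
    digests = hash_file(path)
    advisory_hits = scan_tree(tmp)
    seeded = {"md5": {digests["md5"]}, "sha1": set(), "sha256": set()}
    seeded_hits = scan_tree(tmp, seeded)
    return digests, advisory_hits, seeded_hits, path


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit_path, matches in scan_tree(root).items():
        for algo, digest in matches:
            print(f"IOC match: {hit_path} {algo}={digest}")
```

Run it as `python scan.py /path/to/tree`; a real hit prints the path together with the algorithm and digest that matched. Hashing all three algorithms in one pass matters on large trees because the advisory gives different hash types for different artifacts, so a scan keyed on SHA-256 alone would miss files known only by MD5 or SHA-1.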
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Change all passwords on compromised accounts and systems. Implement strong, unique passwords and consider implementing multi-factor authentication (MFA) to enhance security.
- Continuously monitor network traffic and system logs for suspicious activity, using intrusion detection and prevention systems.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.
- Maintain daily backups of all computer networks and servers.
- Keep all software, operating systems, and applications up to date with the latest security patches.
- Continuously monitor network and system logs for unusual or suspicious activities.
- Deploy security information and event management (SIEM) solutions to centralize log analysis.