Rewterz Threat Alert – Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia

July 25, 2019

Rewterz Threat Alert – TA505 Impersonates Airlines

July 26, 2019

Rewterz Threat Alert – Dragonfly Targets ICS Systems Using Man on the Side Attacks

July 25, 2019

Severity

High

Analysis Summary

Since at least 2010, the IRON LIBERTY threat group (also known as TG-4192, Energetic Bear, Dragonfly, and Crouching Yeti) has targeted the energy sector with a particular focus on industrial control systems (ICS). Following public disclosures in 2014, the likely Russian government group became less visibly active, but by 2016 it resumed operations with a combination of new and old techniques and tools.

Impact

Credential theft

Indicators of Compromise

Malware Hash (MD5/SHA1/SH256)

00a1b9fd9af9c5e366ef19908f028e9cca0462ec16adab9763e8c8b017b0f6bc
172be9ebd26946bdfe19150e304c8abd59d43a7bf92afa270f028c9a4a29fd99
18a4ab7f7783c06d6fd782908f8495e7c1ea15fa
195ec5fb2d5ccd344b655a955f20db81
1fd5b0b1a218b65443d7088e47dd79018bf46935375b061f5f78fbe1cadb50dc
20d20c9dda1f922786f95132eb64753b38f7db695d29a7b9993b880e44043b59
20ec7658254eddd917e1b351e1728534
2618ab729dea68dfbcb11dce2e66c8c2
2a876d27689a4947e01c785b42c45c09788ee4d4
2dbdeef42699730635abdc657775e4af
3019f121e6cc3a955c1a8005fd78328ab7c1d479
336b6f0108a23b95f3141afc787a31dd
3a7927fa71d43e3856761f2bf7d5441e6b310e30
418e58b78731546089eb1b7fa6e1d99f
425346c68fa8e113c4e243d1193c050548839c86
47a3f4fbe7984e3ae3d2088e2898bea371a0aeaee8fca6a6b6d59d6e938393fa
4877050e41f269bab1013649f747f1bd2a1f53e07825c21778f4b1a9a882c7bb
4ad06a76e1ad423b13e03587a887ede0
4af90d010586d7153345dc563722cdb12fd607e1
4ff23bc0b3a0fc08ac9f6bd7bbff73a15dc00d8e
5179d5874383b3c6a45350f77e86098ae7be606df490afbd57d98bed8e3bc2cd
53a4eae9858f4876fde02f7666ef6e0f69e8f70b
581fccf4766b23fbff924ce932b7d717
6449cff2a0497cae0c3fb780da287e2c
644ccf37af908d79da496c06b85b9060550149d9
656fe7c362b7421d5e94ab186e0beca01c00b55eecefa25270805fca6ad96d9a
6851cbfa790eb56b68942ee86a045c36
6cd47d4c2fd8997683baa1f278d2dd94
79c110e585934cd3756a5a7a259329eac4c6550c
7aa8cd8a2669537631b8ac7b892f51d4c74056c1369007c474277ebdf82fb74e
7b2c9bb78867319e8d907c48eb24e51dffc6a81edf5166dc4409ed07227402f3
7f3511b7e6cad7274c2450afd88544910c0ae33b
874295e9512c668a7df493c8975c081b
8aaa1b931610122a1908d9bfe1806881b430b57462a2147d403bb495183bd592
8aeacf3fde1b49940fb4d08226dccbc4
8b8b33a14f7be027fdb1aec1555fa8a8
8c5e6df90795fbbb3f6396abfe05887d4ad82982
94a1ec29f5d55edc67eee98ea086e4dbc98e5a56
95ba7f7b073bbf60f85d4c7b1bd76adfec8299aa
990e2e3ab8e2c8126214e667b0dc282f
9a1a196f6f5afa19643856cf8545b3401fc2dae8f79ec08a32456b3e9f8bbdbd
9d994710941540fe6bdf43196679b6a667f6370f1aa9b538836a509f4e4c42c4
a35ace92645e8a62536031784f60679200252a2a4ec1dc287f93797be34dfed2
ade68f4e5b03c6cf86b851613dbc3629
adf809c93f6bc1f758e7e3a4aeeb39d00e34e762ac4ff48dce59de5efb0f80fd
c605a771730cc618f2f85a8bee9d9cbdabc6f5f47d803976b4923f64f9aea282
ca2776624f2e0c1b1b478c77f63cf5ed1075b62a
da6f24b1bf61ad233ac9bf6709951db57c59ad2e
da97e4cda8eeef12c6540c6b060451a1369b7638
de0d3aaee6254074222d9bdf35fa67218d9738f05e1dfb75173cf982c03a0811
e644771565fb2144d018e8ce89fa116fc7e564007f941ce712fa5f929b86e338
f65425f95d84bd7efc71e402f40e59542bdd83db
fd6145bbc722ef52eed6b94dd520170c
fca1fa07afa1b3ff9f67f2a377de51ae
fd6145bbc722ef52eed6b94dd520170c
fff6dc1216fe549fa1d700f1ccfcd754

Remediation

Block all threat indicators at your respective controls.
Always be suspicious about emails sent by unknown senders.
Never click on the link/attachments sent by unknown senders.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – GandCrab or .CRAB Ransomware – Active IOCs

Rewterz Threat Alert – NJRAT – Active IOCs

Rewterz Threat Advisory – CVE-2023-20113 – Cisco SD-WAN vManage Software Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us