Severity
Medium
Analysis Summary
OilRig, also tracked as APT34 or HelixKitten, has been associated with global cyber attacks on about a hundred organizations in 27 countries. Recently, researchers discovered about 12,765 credentials stolen by this APT group.
The group uses a number of malicious backdoors, webshells and DNS hijacking toolkits, mainly PoisonFrog (BondUpdater), HyperShell, HighShell, Minion and Glimpse.
Impact
- Credential Theft
- DNS Hijacking
Indicators of Compromise
URLs
- hxxp[:]//office365-management[.]com/updatejuly/template[.]rtf
- msoffice-cdn[.]com
- myleftheart[.]com
- ns1[.]msoffice-cdn[.]com
- ns1[.]office365-management[.]com
- ns2[.]msoffice-cdn[.]com
- ns2[.]office365-management[.]com
- office365-management[.]com
- www[.]msoffice-cdn[.]com
- www[.]office365-management[.]com
Malware Hash (MD5/SHA1/SHA256)
- 27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed
- fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392
- fe9cdef3c88f83b74512ec6400b7231d7295bda78079b116627c4bc9b7a373e0
- 22c4023c8daa57434ef79b838e601d9d72833fec363340536396fe7d08ee2017
- dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229
- c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e
- a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e
- 2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459
- 775442f10bd7c7df58e549d6682b990d47017f077fe37eb271b4477bb3f8d7dd
Remediation
Block the threat indicators at their respective controls.
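As an added example (not part of the Rewterz advisory), the script below shows one way to operationalize the indicators listed above on the detection side: it refangs the defanged domains and URL, then sweeps a DNS query log and a set of observed file hashes for matches. The log line format, the client IP addresses and the observed file list are constructed for this example; the domains and SHA256 values are the ones published in the advisory. Matching is done on exact domain or subdomain, so a lookalike such as `msoffice-cdn.com.example.org` does not produce a false positive.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Indicators copied from the advisory above, still in defanged form.
DEFANGED_DOMAINS = [
    "msoffice-cdn[.]com",
    "myleftheart[.]com",
    "ns1[.]msoffice-cdn[.]com",
    "ns1[.]office365-management[.]com",
    "ns2[.]msoffice-cdn[.]com",
    "ns2[.]office365-management[.]com",
    "office365-management[.]com",
    "www[.]msoffice-cdn[.]com",
    "www[.]office365-management[.]com",
]
DEFANGED_URL = "hxxp[:]//office365-management[.]com/updatejuly/template[.]rtf"
IOC_SHA256: Set[str] = {
    "27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed",
    "fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392",
    "fe9cdef3c88f83b74512ec6400b7231d7295bda78079b116627c4bc9b7a373e0",
    "22c4023c8daa57434ef79b838e601d9d72833fec363340536396fe7d08ee2017",
    "dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229",
    "c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e",
    "a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e",
    "2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459",
    "775442f10bd7c7df58e549d6682b990d47017f077fe37eb271b4477bb3f8d7dd",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real form so it can be compared
    against log data: [.] -> ., [:] -> :, and hxxp/hxxps -> http/https."""
    out = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", out, flags=re.IGNORECASE)


# Refanged blocklist used by the DNS sweep below.
BLOCKLIST: List[str] = [refang(d) for d in DEFANGED_DOMAINS]


def domain_blocked(qname: str, blocklist: List[str]) -> Optional[str]:
    """Return the matching indicator if qname is a blocked domain or a subdomain
    of one, else None. Case-insensitive; a trailing dot (FQDN form) is ignored.
    The '.' + domain suffix check keeps 'bad.com.example.org' from matching."""
    q = qname.rstrip(".").lower()
    for d in blocklist:
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed DNS query log in a simple key=value format (not a real product log).
SAMPLE_DNS_LOG = """\
2019-05-06T09:12:01Z client=10.0.0.21 query=login.microsoftonline.com type=A
2019-05-06T09:12:07Z client=10.0.0.21 query=ns1.msoffice-cdn.com type=A
2019-05-06T09:13:44Z client=10.0.0.37 query=cdn.office365-management.com. type=TXT
2019-05-06T09:14:02Z client=10.0.0.37 query=OFFICE365-MANAGEMENT.COM type=A
2019-05-06T09:15:10Z client=10.0.0.52 query=msoffice-cdn.com.example.org type=A
"""
LOG_RE = re.compile(r"client=(?P<client>\S+) query=(?P<query>\S+) type=(?P<type>\S+)")


def scan_dns_log(text: str, blocklist: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried_name, matched_indicator) for every log line whose
    queried name hits the blocklist."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ioc = domain_blocked(m.group("query"), blocklist)
        if ioc:
            hits.append((m.group("client"), m.group("query"), ioc))
    return hits


# Constructed inventory of observed files -> SHA256 (the second hash is a
# benign placeholder, not a real file hash).
SAMPLE_HASHES: Dict[str, str] = {
    "C:\\Users\\alice\\Downloads\\template.rtf":
        "27E03B98AE0F6F2650F378E9292384F1350F95EE4F3AC009E0113A8D9E2E14ED",
    "C:\\Windows\\System32\\notepad.exe": "0" * 64,
}


def scan_hashes(observed: Dict[str, str], iocs: Set[str]) -> Dict[str, str]:
    """Return the subset of observed files whose SHA256 is a known indicator.
    Hashes are compared lowercase so tool output casing does not matter."""
    return {path: h.lower() for path, h in observed.items() if h.lower() in iocs}


if __name__ == "__main__":
    print("Refanged URL:", refang(DEFANGED_URL))
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG, BLOCKLIST):
        print(f"DNS hit: {client} queried {qname} (indicator {ioc})")
    for path, h in scan_hashes(SAMPLE_HASHES, IOC_SHA256).items():
        print(f"Hash hit: {path} -> {h}")
```

The same refanged lists can be fed to a DNS sinkhole, a proxy blocklist or an EDR hash blocklist; the point of the subdomain check is that blocking only the exact apex domain misses the `ns1`/`ns2`/`www` hosts the advisory lists, while naive substring matching over-blocks unrelated names.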