• Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – Microsoft Squatting Campaign
October 23, 2020
Rewterz Threat Alert – Ryuk Evolved Its Encryption and Evasion Techniques
October 23, 2020

Rewterz Threat Alert – Russian State-Sponsored Advanced Persistent Threat Actors

October 23, 2020

Severity

Medium

Analysis Summary

Since at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting—has conducted a campaign against a wide variety of U.S. targets. The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and exfiltrated data from at least two victim servers. The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to Sensitive network configurations and passwords, Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA), IT instructions, such as requesting password resets, Vendors and purchasing information, Printing access badges etc.

Impact

  • Credential Theft
  • Exposure of Sensitive Information

Indicators of Compromise

Domain Name

  • email[.]microsoftonline[.]services
  • columbusairports[.]microsoftonline[.]host

Source IP

  • 212[.]252[.]30[.]170
  • 91[.]227[.]68[.]97
  • 146[.]0[.]77[.]60
  • 213[.]74[.]139[.]196
  • 37[.]139[.]7[.]16
  • 138[.]201[.]186[.]43
  • 193[.]37[.]212[.]43
  • 5[.]196[.]167[.]184
  • 213[.]74[.]101[.]65
  • 149[.]56[.]20[.]55
  • 51[.]159[.]28[.]101
  • 5[.]45[.]119[.]124

Remediation

  • Block the threat indicators at their respective controls.
  • Keep all systems and software updated to latest patched versions.
  • Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.