Rewterz Threat Alert – Microsoft Squatting Campaign
October 23, 2020
Severity
Medium
Analysis Summary
Since at least September 2020, a Russian state-sponsored APT actor, known in open-source reporting as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala, has conducted a campaign against a wide variety of U.S. targets. The actor has targeted dozens of state, local, tribal, and territorial (SLTT) government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and exfiltrated data from at least two victim servers. The actor obtains user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high-value assets in order to exfiltrate data. In at least one compromise, the actor moved laterally through an SLTT victim network and accessed documents related to:
- sensitive network configurations and passwords
- standard operating procedures (SOPs), such as enrolling in multi-factor authentication (MFA)
- IT instructions, such as requesting password resets
- vendor and purchasing information
- printing access badges, among other material
Impact
- Credential Theft
- Exposure of Sensitive Information
Indicators of Compromise
Domain Name
- email[.]microsoftonline[.]services
- columbusairports[.]microsoftonline[.]host
Source IP
Remediation
- Block the threat indicators at their respective controls.
- Keep all systems and software updated to the latest patched versions.
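Added example, not part of the Rewterz alert: detection logic that refangs the domain indicators listed above and flags DNS query log lines that resolve them. It also flags any other host under the same squatted zones (microsoftonline.services, microsoftonline.host); that broader match is an assumption beyond the listed indicators, and the log lines are constructed.

```python
# Defanged domain indicators exactly as listed in the alert above.
DEFANGED_DOMAINS = [
    "email[.]microsoftonline[.]services",
    "columbusairports[.]microsoftonline[.]host",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def parent_zones(domains):
    """Parent zones of the indicators (e.g. microsoftonline.services). Assumption:
    the whole squatted zone is attacker-registered, so sibling hosts are flagged too."""
    return {d.split(".", 1)[1] for d in domains if "." in d}

INDICATORS = {refang(d) for d in DEFANGED_DOMAINS}
SQUATTED_ZONES = parent_zones(INDICATORS)

# Constructed sample DNS query log (not from the alert): "<ts> <client> <qname>".
SAMPLE_LOG = """\
2020-10-23T09:12:01Z 10.1.4.22 login.microsoftonline.com
2020-10-23T09:12:07Z 10.1.4.22 email.microsoftonline.services
2020-10-23T09:15:40Z 10.1.7.9 portal.microsoftonline.host
2020-10-23T09:16:02Z 10.1.7.9 www.microsoft.com
bad line
"""

def classify(qname: str):
    """'ioc' for an exact indicator, 'zone' for another host under a squatted
    zone, None for benign names such as the legitimate microsoftonline.com."""
    q = qname.lower().rstrip(".")
    if q in INDICATORS:
        return "ioc"
    if any(q == z or q.endswith("." + z) for z in SQUATTED_ZONES):
        return "zone"
    return None

def scan_dns_log(text: str):
    """Return (client, qname, verdict) for every flagged query line."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qname = parts
        verdict = classify(qname)
        if verdict:
            hits.append((client, qname, verdict))
    return hits
```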