
Rewterz Threat Alert – GlobeImposter Ransomware Attacking Financial Services

June 27, 2019

Severity

Medium

Analysis Summary

A GlobeImposter ransomware outbreak occurred at a subsidiary of a financial services company, encrypting a server and the NAS storage that hosted the virtual machines connected to it. Initial access came from a brute-force RDP attack against an admin account on the first compromised server: 1800 failed login attempts were recorded within 5 hours before the attackers got in. Once inside, the attackers deployed an advanced port scanner, the credential-stealing tool Mimikatz, and a crypto-mining malware. They then deployed the ransomware, which the researchers identified as GlobeImposter. No evidence of data exfiltration has been found.

Impact

  • File Encryption
  • Credential Theft
  • Cryptomining

Indicators of Compromise

IP(s) / Hostname(s)

185.220.101[.]32

Malware Hash (MD5/SHA1/SHA256)

  • 56bfc6dd7abd6d50dd9011c3e4884dfa
  • 2e3c25575959550b67ac7ea13bc9ac42
  • 55b2cc290683e3c1458638ea12804ffb
  • ffac2ab6ba4f6bb0b7e1063e93639bcf

Remediation

  • Closely monitor port 3389 (RDP).
  • Block the threat indicators at their respective controls.
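The following is an added example, not code from the Rewterz advisory: a small sliding-window detector that turns "closely monitor port 3389" into concrete logic over a Windows Security log export. It assumes a whitespace-separated export of logon events (timestamp, event ID, logon type, account, source IP), where event 4625 is a failed logon, 4624 a successful one, and logon type 10 is RemoteInteractive (RDP). It raises one alert when an (account, source IP) pair accumulates too many failed RDP logons inside a window, and a second when that same pair later logs on successfully, which is the brute-force-then-access sequence the advisory describes. The threshold and window are assumed tuning values, and the sample log is constructed; the only value taken from the advisory is the published IP indicator.

```python
"""RDP brute-force burst detector over a Windows Security log export.

Added example, not code from the Rewterz advisory. Assumed export format,
one event per line:
    <ISO timestamp> <event id> <logon type> <account> <source IP>
Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
THRESHOLD and WINDOW are assumed tuning values, not figures from the advisory.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Indicator published in the advisory (shown there defanged as 185.220.101[.]32).
KNOWN_BAD_IPS = {"185.220.101.32"}

THRESHOLD = 50                  # assumed: failed logons per (account, source IP)
WINDOW = timedelta(minutes=10)  # assumed: sliding window for that count


def build_sample_log():
    """Constructed sample data: a few benign failures, a burst, then a success."""
    lines = [
        "2019-06-20T01:00:00 4625 10 jdoe 203.0.113.7",
        "2019-06-20T01:02:30 4625 10 jdoe 203.0.113.7",
        "2019-06-20T01:03:10 4624 10 jdoe 203.0.113.7",
        # Failed network logon (type 3) from the bad IP: not RDP, so not counted.
        "2019-06-20T01:30:00 4625 3 Administrator 185.220.101.32",
    ]
    start = datetime(2019, 6, 20, 2, 0, 0)
    for i in range(60):  # 60 failures, one every 5 s: all inside one 10-minute window
        ts = start + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} 4625 10 Administrator 185.220.101.32")
    # Successful RDP logon right after the burst.
    lines.append("2019-06-20T02:06:00 4624 10 Administrator 185.220.101.32")
    return lines


def parse_line(line):
    """Split one export line into typed fields."""
    ts, event_id, logon_type, account, src_ip = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), account, src_ip


def detect_rdp_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for (account, source IP) pairs exceeding the failure threshold,
    plus a follow-up alert if a flagged pair later logs on successfully."""
    recent = defaultdict(deque)  # (account, ip) -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src_ip = parse_line(line)
        if logon_type != 10:  # only RemoteInteractive (RDP) logons are of interest
            continue
        key = (account, src_ip)
        if event_id == 4625:
            dq = recent[key]
            dq.append(ts)
            while dq and ts - dq[0] > window:  # evict failures older than the window
                dq.popleft()
            if len(dq) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"type": "rdp_bruteforce", "account": account,
                               "src_ip": src_ip, "count": len(dq),
                               "first_seen": dq[0].isoformat(),
                               "last_seen": ts.isoformat()})
        elif event_id == 4624 and key in flagged:
            alerts.append({"type": "rdp_success_after_bruteforce",
                           "account": account, "src_ip": src_ip,
                           "at": ts.isoformat()})
    return alerts


def match_known_ips(lines, bad_ips=KNOWN_BAD_IPS):
    """Source IPs in the export that match the advisory's published indicator."""
    return sorted({parse_line(l)[4] for l in lines if l.strip()} & bad_ips)


if __name__ == "__main__":
    log = build_sample_log()
    for alert in detect_rdp_bruteforce(log):
        print(alert)
    print("known-bad source IPs seen:", match_known_ips(log))
```

The threshold is deliberately per (account, source IP) pair rather than per account alone, so a single misbehaving remote user does not hide a distributed attempt and a distributed attempt against one account still surfaces once any one source crosses the line; a production rule would add a second, lower aggregate threshold per account across all sources.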
