Merge branch 'main' of https://github.com/curated-intel/Ukraine-Cyber-Operations
This commit is contained in:
Commit
26d92832c4
@ -2039,3 +2039,9 @@ SHA256,fbbe7ee073d0290ac13c98b92a8405ea04dcc6837b4144889885dd70679e933f,Maliciou
IPv4,157.230.104.79,Stager server,hxxps://www[.]proofpoint[.]com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails,
IPv4,45.61.137.231,C2 server,hxxps://www[.]proofpoint[.]com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails,
IPv4,84.32.188.96,C2 server,hxxps://www[.]proofpoint[.]com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails,
SHA256,7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513,DanaBot loader,hxxps://www[.]zscaler[.]com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense,
IPv4,192.236.161.4,DanaBot C2 server,hxxps://www[.]zscaler[.]com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense,
IPv4,23.106.122.14,DanaBot C2 server,hxxps://www[.]zscaler[.]com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense,
IPv4,5.9.224.217,DanaBot C2 server,hxxps://www[.]zscaler[.]com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense,
Domain,ockiwumgv77jgrppj4na362q4z6flsm3uno5td423jj4lj2f2meqt6ad.onion,DanaBot C2 server,hxxps://www[.]zscaler[.]com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense,
SHA256,b61cd7dc3af4b5b56412d62f37985e8a4e23c64b1908e39510bc8e264ebad700,DDoS tool,hxxps://www[.]zscaler[.]com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense,
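Review bot: the six new DanaBot rows (the SHA256 loader hash, the three C2 IPv4s, the `.onion` C2 domain and the DDoS-tool hash) end in a trailing empty field and carry no confidence level or date, while the README in this same commit states these IOCs are `LOW-TO-MEDIUM CONFIDENCE`, should not go on a blocklist, and are meant for `THREAT HUNTING`/`WATCHLIST` use; populate that trailing column (or add a dedicated one) with the confidence level and the date the Zscaler report was ingested so anyone importing the MISP-compatible CSV can filter on it instead of relying on the README. Also note that the `.onion` value is typed `Domain` like the clearnet entries; that is fine for MISP's `domain` attribute, but downstream tooling that resolves or pivots on domains should expect a Tor hidden service here rather than a resolvable name.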
@ -5,6 +5,8 @@ Curated Intelligence is working with analysts from around the world to provide u
### Analyst Comments:
- 2022-02-25
@ -31,6 +33,11 @@ Curated Intelligence is working with analysts from around the world to provide u
- IOCs shared by these feeds are `LOW-TO-MEDIUM CONFIDENCE` we strongly recommend NOT adding them to a blocklist
- These could potentially be used for `THREAT HUNTING` and could be added to a `WATCHLIST`
- IOCs are generated in `MISP COMPATIBLE` CSV format
- 2022-03-03
- Additional threat reports and vendor support resources have been added
- Updated [Log4Shell IOC Threat Hunt Feeds](https://github.com/curated-intel/Log4Shell-IOCs/tree/main/KPMG_Log4Shell_Feeds) by KPMG-Egyde CTI; not directly related to Ukraine, but still a widespread vulnerability.
- Added diagram of Russia-Ukraine Cyberwar Participants 2022 by ETAC
- Additional [Indicators of Compromise (IOCs)](https://github.com/curated-intel/Ukraine-Cyber-Operations/blob/main/ETAC_Vetted_UkraineRussiaWar_IOCs.csv#L2042) have been added
#### `Threat Reports`
| Date | Source | Threat(s) | URL |
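Review bot: the new 2022-03-03 bullet `- Additional [Indicators of Compromise (IOCs)](https://github.com/curated-intel/Ukraine-Cyber-Operations/blob/main/ETAC_Vetted_UkraineRussiaWar_IOCs.csv#L2042) have been added` points at a fixed line number in a CSV on `main` that grows with every update, so the `#L2042` anchor will land on a different row as soon as the next batch is appended; link to a commit-pinned path (`.../blob/<commit>/ETAC_Vetted_UkraineRussiaWar_IOCs.csv#L2042`) or drop the line anchor and let the date of the changelog entry identify the batch. The Log4Shell bullet correctly flags that it is not Ukraine-related; the same "why it is here" note would help on the ETAC diagram bullet, which currently names the file only as "diagram of Russia-Ukraine Cyberwar Participants 2022" without linking to the PNG added in this commit.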
@ -93,9 +100,11 @@ Curated Intelligence is working with analysts from around the world to provide u
| 1 MAR | Proofpoint | Ukrainian armed service member's email compromised and sent malspam containing the SunSeed malware (likely TA445/UNC1151/Ghostwriter) | [proofpoint.com](https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails) |
| 1 MAR | Elastic | HermeticWiper | [elastic.github.io](https://elastic.github.io/security-research/intelligence/2022/03/01.hermeticwiper-targets-ukraine/article/) |
| 1 MAR | CrowdStrike | PartyTicket (aka HermeticRansom), DriveSlayer (aka HermeticWiper) | [CrowdStrike](https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/) |
| 2 MAR | Zscaler | DanaBot operators launch DDoS attacks against the Ukrainian Ministry of Defense | [zscaler.com](https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense) |
| 3 MAR | @ShadowChasing1 | Gamaredon/Shuckworm/PrimitiveBear (FSB) | [twitter.com/ShadowChasing1](https://twitter.com/ShadowChasing1/status/1499361093059153921) |
| 3 MAR | @vxunderground | News website in Poland was reportedly compromised and the threat actor uploaded anti-Ukrainian propaganda | [twitter.com/vxunderground](https://twitter.com/vxunderground/status/1499374914758918151?s=20&t=jyy9Hnpzy-5P1gcx19bvIA) |
| 3 MAR | @kylaintheburgh | Russian botnet on Twitter is pushing "#istandwithputin" and "#istandwithrussia" propaganda (in English) | [twitter.com/kylaintheburgh](https://twitter.com/kylaintheburgh/status/1499350578371067906?s=21) |
| 3 MAR | @tracerspiff | UNC1151/Ghostwriter (Belarus MoD) | [twitter.com](https://twitter.com/tracerspiff/status/1499444876810854408?s=21) |
#### `Access Brokers`
| Date | Threat(s) | Source |
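Review bot: the new `3 MAR | @tracerspiff | UNC1151/Ghostwriter (Belarus MoD)` row labels its link `[twitter.com]`, whereas every other Twitter-sourced row in this table labels the link with the handle (`[twitter.com/ShadowChasing1]`, `[twitter.com/vxunderground]`, `[twitter.com/kylaintheburgh]`); use `[twitter.com/tracerspiff]` so the source is readable without following the link. The new `2 MAR | Zscaler` row is placed between the 1 MAR and 3 MAR entries, which keeps the table in date order, and its URL matches the source column of the CSV rows added in the same commit, so the two files stay cross-referenceable.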
Binary data
Russia-Ukraine Cyberwar.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 600 KiB |