Merge branch 'main' of https://github.com/curated-intel/Ukraine-Cyber-Operations
This commit is contained in:
Commit
9d9723d527
24
README.md
@ -27,27 +27,32 @@ Curated Intelligence is working with analysts from around the world to provide u
- 2022-03-02
- Additional [Indicators of Compromise (IOCs)](https://github.com/curated-intel/Ukraine-Cyber-Operations/blob/main/ETAC_Vetted_UkraineRussiaWar_IOCs.csv#L2011) have been added
- Added vetted [YARA rule collection](https://github.com/curated-intel/Ukraine-Cyber-Operations/tree/main/yara) from the Threat Reports by ETAC
- Added 'Medium Confidence' [IOC Threat Hunt Feeds](https://github.com/curated-intel/Ukraine-Cyber-Operations/tree/main/KPMG-Egyde_Ukraine-Crisis_Feeds/MISP-CSV_MediumConfidence_Filtered) by KPMG-Egyde CTI
- Added loosely-vetted [IOC Threat Hunt Feeds](https://github.com/curated-intel/Ukraine-Cyber-Operations/tree/main/KPMG-Egyde_Ukraine-Crisis_Feeds/MISP-CSV_MediumConfidence_Filtered) by KPMG-Egyde CTI (h/t [0xDISREL](https://twitter.com/0xDISREL))
- IOCs shared by these feeds are `LOW-TO-MEDIUM CONFIDENCE` we strongly recommend NOT adding them to a blocklist
- These could potentially be used for `THREAT HUNTING` and could be added to a `WATCHLIST`
- IOCs are generated in `MISP COMPATIBLE` CSV format
#### `Threat Reports`
| Date | Source | Threat(s) | URL |
| --- | --- | --- | --- |
| 14 JAN | SSU Ukraine | Website Defacements | [ssu.gov.ua](https://ssu.gov.ua/novyny/sbu-rozsliduie-prychetnist-rosiiskykh-spetssluzhb-do-sohodnishnoi-kiberataky-na-orhany-derzhavnoi-vlady-ukrainy)|
| 15 JAN | Microsoft | WhisperGate wiper | [microsoft.com](https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/) |
| 15 JAN | Microsoft | WhisperGate wiper (DEV-0586) | [microsoft.com](https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/) |
| 19 JAN | Elastic | WhisperGate wiper (Operation BleedingBear) | [elastic.github.io](https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/) |
| 31 JAN | Symantec | Gamaredon/Shuckworm/PrimitiveBear (FSB) | [symantec-enterprise-blogs.security.com](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine) |
| 2 FEB | RaidForums | Access broker "GodLevel" offering Ukrainain algricultural exchange | RaidForums [not linked] |
| 2 FEB | CERT-UA | UAC-0056 using SaintBot and OutSteel malware | [cert.gov.ua](https://cert.gov.ua/article/18419) |
| 3 FEB | PAN Unit42 | Gamaredon/Shuckworm/PrimitiveBear (FSB) | [unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/) |
| 4 FEB | Microsoft | Gamaredon/Shuckworm/PrimitiveBear (FSB) | [microsoft.com](https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/) |
| 8 FEB | NSFOCUS | Lorec53 | [nsfocusglobal.com](https://nsfocusglobal.com/apt-retrospection-lorec53-an-active-russian-hack-group-launched-phishing-attacks-against-georgian-government) |
| 8 FEB | NSFOCUS | Lorec53 (aka UAC-0056, EmberBear, BleedingBear) | [nsfocusglobal.com](https://nsfocusglobal.com/apt-retrospection-lorec53-an-active-russian-hack-group-launched-phishing-attacks-against-georgian-government) |
| 15 FEB | CERT-UA | DDoS attacks against the name server of government websites as well as Oschadbank (State Savings Bank) & Privatbank (largest commercial bank). False SMS and e-mails to create panic | [cert.gov.ua](https://cert.gov.ua/article/37139) |
| 23 FEB | The Daily Beast | Ukrainian troops receive threatening SMS messages | [thedailybeast.com](https://www.thedailybeast.com/cyberattacks-hit-websites-and-psy-ops-sms-messages-targeting-ukrainians-ramp-up-as-russia-moves-into-ukraine) |
| 23 FEB | UK NCSC | Sandworm/VoodooBear (GRU) | [ncsc.gov.uk](https://www.ncsc.gov.uk/files/Joint-Sandworm-Advisory.pdf) |
| 23 FEB | SentinelLabs | HermeticWiper | [sentinelone.com]( https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ ) |
| 24 FEB | ESET | HermeticWiper | [welivesecurity.com](https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/) |
| 24 FEB | Symantec | HermeticWiper | [symantec-enterprise-blogs.security.com](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia) |
| 24 FEB | Symantec | HermeticWiper, PartyTicket ransomware, CVE-2021-1636, unknown webshell | [symantec-enterprise-blogs.security.com](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia) |
| 24 FEB | Cisco Talos | HermeticWiper | [blog.talosintelligence.com](https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html) |
| 24 FEB | Zscaler | HermeticWiper | [zscaler.com](https://www.zscaler.com/blogs/security-research/hermetic-wiper-resurgence-targeted-attacks-ukraine) |
| 24 FEB | Cluster25 | HermeticWiper | [cluster25.io](https://cluster25.io/2022/02/24/ukraine-analysis-of-the-new-disk-wiping-malware/) |
| 24 FEB | CronUp | Data broker "FreeCivilian" offering multiple .gov.ua | [twitter.com/1ZRR4H](https://twitter.com/1ZRR4H/status/1496931721052311557)|
| 24 FEB | RaidForums | Data broker "Featherine" offering diia.gov.ua | RaidForums [not linked] |
| 24 FEB | DomainTools | Unknown scammers | [twitter.com/SecuritySnacks](https://twitter.com/SecuritySnacks/status/1496956492636905473?s=20&t=KCIX_1Ughc2Fs6Du-Av0Xw) |
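Review bot: the "loosely-vetted" feed row links to the same `MISP-CSV_MediumConfidence_Filtered` directory as the "Medium Confidence" row above it; if a separate low-confidence folder exists the link should point there, otherwise the two rows describe one feed and one of them should go. Two smaller fixes in the same hunk: the RaidForums row reads `Ukrainain algricultural` (Ukrainian agricultural), and the SentinelLabs link is written `[sentinelone.com]( https://... )` with spaces inside the parentheses, which some Markdown renderers will not turn into a link.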
@ -81,11 +86,16 @@ Curated Intelligence is working with analysts from around the world to provide u
| 27 FEB | ALPHV [themselves] | ALPHV ransomware | vHUMINT [closed source] |
| 27 FEB | Mēris Botnet [themselves] | DDoS attacks | vHUMINT [closed source] |
| 28 FEB | Horizon News [themselves] | Leak of China's Censorship Order about Ukraine | [TechARP](https://www-techarp-com.cdn.ampproject.org/c/s/www.techarp.com/internet/chinese-media-leaks-ukraine-censor/?amp=1)|
| 28 FEB | Microsoft | FoxBlade malware | [Microsoft](https://blogs.microsoft.com/on-the-issues/2022/02/28/ukraine-russia-digital-war-cyberattacks/?preview_id=65075) |
| 28 FEB | Microsoft | FoxBlade (aka HermeticWiper) | [Microsoft](https://blogs.microsoft.com/on-the-issues/2022/02/28/ukraine-russia-digital-war-cyberattacks/?preview_id=65075) |
| 28 FEB | @heymingwei | Potential BGP hijacks attempts against Ukrainian Internet Names Center | [https://twitter.com/heymingwei](https://twitter.com/heymingwei/status/1498362715198263300?s=20&t=Ju31gTurYc8Aq_yZMbvbxg) |
| 28 FEB | @cyberknow20 | Stormous ransomware targets Ukraine Ministry of Foreign Affairs | [twitter.com/cyberknow20](https://twitter.com/cyberknow20/status/1498434090206314498?s=21) |
| 1 MAR | ESET | IsaacWiper and HermeticWizard | [welivesecurity.com](https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/) |
| 1 MAR | Proofpoint | Ukrainian armed service member's email compromised and sent malspam containing the SunSeed malware (likely TA445/UNC1151/Ghostwriter) | [proofpoint.com](https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails) |
| 1 MAR | Elastic | HermeticWiper | [elastic.github.io](https://elastic.github.io/security-research/intelligence/2022/03/01.hermeticwiper-targets-ukraine/article/) |
| 1 MAR | CrowdStrike | PartyTicket (aka HermeticRansom), DriveSlayer (aka HermeticWiper) | [CrowdStrike](https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/) |
| 3 MAR | @ShadowChasing1 | Gamaredon/Shuckworm/PrimitiveBear (FSB) | [twitter.com/ShadowChasing1](https://twitter.com/ShadowChasing1/status/1499361093059153921) |
| 3 MAR | @vxunderground | News website in Poland was reportedly compromised and the threat actor uploaded anti-Ukrainian propaganda | [twitter.com/vxunderground](https://twitter.com/vxunderground/status/1499374914758918151?s=20&t=jyy9Hnpzy-5P1gcx19bvIA) |
| 3 MAR | @kylaintheburgh | Russian botnet on Twitter is pushing "#istandwithputin" and "#istandwithrussia" propaganda (in English) | [twitter.com/kylaintheburgh](https://twitter.com/kylaintheburgh/status/1499350578371067906?s=21) |
#### `Access Brokers`
| Date | Threat(s) | Source |
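Review bot: the @heymingwei row uses the full URL `[https://twitter.com/heymingwei]` as link text while every other row in the table uses the `twitter.com/handle` form, and `Potential BGP hijacks attempts` should read `Potential BGP hijack attempts`. The two FoxBlade rows differ only by the `(aka HermeticWiper)` suffix, and the rendered view does not show which side each came from, so check that only the updated row survives the merge.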
@ -201,9 +211,11 @@ Curated Intelligence is working with analysts from around the world to provide u
| FSecure | F-Secure FREEDOME VPN is now available for free in all of Ukraine | [twitter.com/FSecure](https://twitter.com/FSecure/status/1497248407303462960) |
| Multiple vendors | List of vendors offering their services to Ukraine for free, put together by [@chrisculling](https://twitter.com/chrisculling/status/1497023038323404803) | [docs.google.com/spreadsheets](https://docs.google.com/spreadsheets/d/18WYY9p1_DLwB6dnXoiiOAoWYD8X0voXtoDl_ZQzjzUQ/edit#gid=0) |
| Mandiant | Free threat intelligence, webinar and guidance for defensive measures relevant to the situation in Ukraine. | [mandiant.com](https://www.mandiant.com/resources/insights/ukraine-crisis-resource-center) |
| Starlink | Satellite internet constellation operated by SpaceX providing satellite Internet access coverage to Ukraine | [twitter.com/elonmus](https://twitter.com/elonmusk/status/1497701484003213317) |
| Starlink | Satellite internet constellation operated by SpaceX providing satellite Internet access coverage to Ukraine | [twitter.com/elonmusk](https://twitter.com/elonmusk/status/1497701484003213317) |
| Romania DNSC | Romania’s DNSC – in partnership with Bitdefender – will provide technical consulting, threat intelligence and, free of charge, cybersecurity technology to any business, government institution or private citizen of Ukraine for as long as it is necessary. | [Romania's DNSC Press Release](https://dnsc.ro/citeste/press-release-dnsc-and-bitdefender-work-together-in-support-of-ukraine)|
| BitDefender | Access to Bitdefender technical consulting, threat intelligence and both consumer and enterprise cybersecurity technology | [bitdefender.com/ukraine/](https://www.bitdefender.com/ukraine/) |
| NameCheap | Free anonymous hosting and domain name registration to any anti-Putin anti-regime and protest websites for anyone located within Russia and Belarus | [twitter.com/Namecheap](https://twitter.com/Namecheap/status/1498998414020861953) |
| Avast | Free decryptor for PartyTicket ransomware | [decoded.avast.io](https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/) |
#### `Vetted OSINT Sources`
| Handle | Affiliation |
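Review bot: the two Starlink rows are identical apart from the link text `twitter.com/elonmus` versus `twitter.com/elonmusk`; make sure the merge keeps only the corrected row, since this view does not show which side each row belongs to. The Mandiant row also ends its description with a full stop while no other row in the table does.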
23
yara/HermeticWiper.yar
Normal file
@ -0,0 +1,23 @@
rule HermeticWiper : malware {
meta:
description = "Hermetic Wiper loading epmntdrv.sys by resources"
source = "Orange CD"
date = "24/02/22"
researcher = "Alexandre MATOUSEK"
category = "apt"
strings:
$s1 = "\\\\.\\EPMNTDRV\\%u" wide fullword
$s2 = "\\\\.\\PhysicalDrive%u" wide fullword
$s3 = "%s%.2s" wide fullword
$s4 = "\\\\?\\C:\\Windows\\System32\\winevt\\Logs" wide fullword
$os1 = "DRV_XP_X86" wide fullword
$os2 = "DRV_XP_X64" wide fullword
$os3 = "DRV_X86" wide fullword
$os4 = "DRV_X64" wide fullword
$cert = /Hermetica Digital Ltd[0-1]/
condition:
uint16(0) == 0x5A4D and
all of ($s*) and
2 of ($os*) and
$cert
}
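Review bot: the `$cert` regex `/Hermetica Digital Ltd[0-1]/` requires a literal `0` or `1` directly after the issuer name without saying what that byte is, so a short `meta` note on the intent, or a plain string match if the trailing character is not needed, would make it reviewable. The `date = "24/02/22"` two-digit year also differs from the `23/02/2022` format used by the Cluster25 rule added in this same commit, and there is no `hash` field recording which samples the rule was written against.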
23
yara/HermeticWiper_Code_273622_10001.yar
Normal file
@ -0,0 +1,23 @@
rule HermeticWiper_Code_273622_10001 {
meta:
description = "Detects HermeticWiper variants by blocks of common code"
author = "Cluster25"
date = "23/02/2022"
tlp = "white"
hash1 = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
hash2 = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
strings:
$block1 = { C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F8 33 D2 6A ?? 68 ?? ?? ?? ?? 8D 47 ?? F7 F6 8B CA 33 D2 8B C1 F7 F6 8B F2 33 D2 8B C6 C1 E0 ?? 03 C1 F7 75 ?? 0F B7 44 55 ?? 33 D2 66 89 03 8D 04 39 B9 ?? ?? ?? ?? F7 F1 8B CA 33 D2 8D 04 0E BE ?? ?? ?? ?? F7 F6 C1 E2 ?? 8D 04 11 33 D2 B9 ?? ?? ?? ?? F7 F1 8D 4B ?? 51 0F B7 44 55 ?? 66 89 01 FF 15 ?? ?? ?? ?? 33 C0 66 89 43 ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? }
$block2 = { 8D 84 24 ?? ?? ?? ?? 50 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? FF D7 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 0F B7 84 24 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? C7 84 C4 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 C4 ?? ?? ?? ?? ?? ?? ?? ?? 8D 43 ?? 50 8D 44 24 ?? 50 6A ?? FF D6 8D 43 ?? 50 68 ?? ?? ?? ?? 6A ?? FF D6 6A ?? 6A ?? 6A ?? 53 C7 03 ?? ?? ?? ?? 6A ?? C7 43 ?? ?? ?? ?? ?? C7 43 ?? ?? ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? FF D7 85 C0 75 ?? }
$block3 = { 8B 45 ?? 0F 57 C0 89 45 ?? 33 C9 8B 85 ?? ?? ?? ?? 0B 8D ?? ?? ?? ?? 25 ?? ?? ?? ?? 89 7D ?? 8B 7D ?? 66 0F 13 45 ?? F3 0F 7E 05 ?? ?? ?? ?? 68 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 57 89 4D ?? 89 45 ?? 66 0F D6 07 FF 15 ?? ?? ?? ?? 33 C9 51 51 6A ?? 51 6A ?? 68 ?? ?? ?? ?? 57 66 89 48 ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? }
$block4 = { 0F B7 46 ?? 0F B6 5E ?? 0F AF D8 53 50 FF 74 24 ?? FF 74 24 ?? 6A ?? 53 FF 76 ?? FF 76 ?? E8 ?? ?? ?? ?? 03 45 ?? 8B 4D ?? 13 D7 52 8B 55 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B CE 0F B7 41 ?? 53 50 6A ?? 53 6A ?? 53 FF 71 ?? FF 71 ?? E8 ?? ?? ?? ?? 03 45 ?? 8B 4D ?? 13 D7 52 8B 55 ?? 50 E8 ?? ?? ?? ?? 8B 44 24 ?? 83 C4 ?? 5F 5E 5B 8B E5 5D C2 ?? ?? }
$block5 = { 6A ?? 57 53 E8 ?? ?? ?? ?? 8A 56 ?? 83 C4 ?? 0F B7 46 ?? 8B 76 ?? 0F B6 CA 0F AF C8 89 43 ?? 0F B6 C2 99 52 89 4D ?? 89 4B ?? 8B 4D ?? 50 89 73 ?? 8B 49 ?? 51 56 89 4B ?? E8 ?? ?? ?? ?? 8B 75 ?? 89 43 ?? 89 53 ?? 8B 46 ?? 89 43 ?? 8B 46 ?? 89 43 ?? 8B 46 ?? 89 43 ?? 8B 46 ?? 89 43 ?? 8B 46 ?? 89 03 8B 46 ?? 89 43 ?? 8A 46 ?? 84 C0 7E ?? }
$block6 = { 8D 44 24 ?? 0F 57 C0 50 66 0F 13 44 24 ?? FF 15 ?? ?? ?? ?? 8B 45 ?? 33 C9 0B 4C 24 ?? 83 C0 ?? 89 44 24 ?? 8B 38 FF 77 ?? 8B 57 ?? 8B 47 ?? 52 89 44 24 ?? 8B 44 24 ?? 50 51 E8 ?? ?? ?? ?? 53 8B CA 89 44 24 ?? 56 51 50 FF 77 ?? 8D 57 ?? 89 4C 24 ?? 8B 7F ?? 89 54 24 ?? 8D 54 24 ?? 8B 4C 24 ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? }
$block7 = { 8B 5C 24 ?? 8B CE 8B 7C 24 ?? 8B C3 0F AF C7 2B 4C 24 ?? 50 8B 44 24 ?? 1B 44 24 ?? 53 6A ?? 53 50 51 E8 ?? ?? ?? ?? 6A ?? 57 52 50 E8 ?? ?? ?? ?? 52 50 FF 74 24 ?? 8B C3 FF 74 24 ?? F7 E7 52 50 E8 ?? ?? ?? ?? 8B 4C 24 ?? 03 41 ?? 13 51 ?? 8B 4D ?? 52 8B 54 24 ?? 50 E8 ?? ?? ?? ?? 8B 5C 24 ?? 8B C6 8B 74 24 ?? 83 C4 ?? EB ?? }
$block8 = { C7 45 ?? ?? ?? ?? ?? 8B 4D ?? 8B D9 8B 75 ?? 0F AC F3 ?? 89 5D ?? C1 EE ?? 89 75 ?? 89 5D ?? 89 75 ?? 33 DB 03 D1 13 5D ?? 83 C2 ?? 89 55 ?? 83 D3 ?? 89 5D ?? 8B F2 8B C3 0F AC C6 ?? 89 75 ?? C1 E8 ?? 89 45 ?? 83 E1 ?? BE ?? ?? ?? ?? 2B F1 B9 ?? ?? ?? ?? 1B C9 8B DA 83 E3 ?? 89 5D ?? C7 45 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? }
$block9 = { 8B 45 ?? 8B 4D ?? 8B 5D ?? 50 FF 75 ?? 89 48 ?? 8B 4D ?? 89 48 ?? 8B 4D ?? 89 70 ?? 89 78 ?? 89 58 ?? 89 48 ?? FF 55 ?? 8B 55 ?? 0F B6 0A 8B C1 83 E1 ?? C1 E8 ?? 03 CA 8D 50 ?? 8A 24 0A 03 D1 88 65 ?? 03 DE 89 55 ?? 8A C4 89 5D ?? 11 7D ?? 88 45 ?? 84 E4 0F 85 ?? ?? ?? ?? }
$block10 = { 8D 44 24 ?? BA ?? ?? ?? ?? 50 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 7C 24 ?? 8D 44 24 ?? 8B 74 24 ?? 50 FF 15 ?? ?? ?? ?? 8B 4C 24 ?? 8B 44 24 ?? 2B CE 33 F6 2B C7 69 7C 24 ?? ?? ?? ?? ?? 56 68 ?? ?? ?? ?? 51 50 E8 ?? ?? ?? ?? 2B F8 1B F2 85 F6 7F ?? }
$block11 = { 8D 45 ?? 0F 57 C0 50 66 0F D6 45 ?? FF 15 ?? ?? ?? ?? 8B 5E ?? 8D 45 ?? 8B 7E ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 50 C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? }
condition:
(uint16(0) == 0x5A4D and 1 of ($block*))
}
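Review bot: the condition `uint16(0) == 0x5A4D and 1 of ($block*)` fires on any single block, and the shortest one, `$block11`, has roughly half of its bytes as `??` wildcards, which raises the false-positive risk on unrelated PE files; consider requiring `2 of ($block*)`, adding a `filesize` bound, and noting in `meta` the clean-file corpus the rule was tested against.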
15
yara/PartyTicket.yar
Normal file
@ -0,0 +1,15 @@
rule PartyTicket : malware {
meta:
description = "PartyTicket ransomware during ukraine conflict, written in GO"
source = "Orange CD"
date = "28/02/22"
researcher = "Alexandre MATOUSEK"
category = "ransom"
strings:
$ = "read_me.html"
$ = "403forBiden" nocase
$ = "wHiteHousE.go" nocase
$ = ".encryptedJB"
condition:
all of them
}
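Review bot: the `meta` block records no sample hash and uses `date = "28/02/22"`, unlike the `23/02/2022` format and `hash1`/`hash2` fields in the Cluster25 rule in this commit; with four anonymous `$` strings and `all of them`, a `hash` field and a note of which sample the `.encryptedJB` extension and `read_me.html` name were taken from would make the rule maintainable, and `ukraine`/`GO` in the description should read `Ukraine`/`Go`.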