February Threat Reports
| Date | Source | Threat(s) | URL |
|---|---|---|---|
| 2 FEB | RaidForums | Access broker "GodLevel" offering Ukrainian agricultural exchange | RaidForums [not linked] |
| 2 FEB | CERT-UA | UAC-0056 using SaintBot and OutSteel malware | cert.gov.ua |
| 3 FEB | PAN Unit42 | Gamaredon/Shuckworm/PrimitiveBear (FSB) | unit42.paloaltonetworks.com |
| 4 FEB | Microsoft | Gamaredon/Shuckworm/PrimitiveBear (FSB) | microsoft.com |
| 8 FEB | NSFOCUS | Lorec53 (aka UAC-0056, EmberBear, BleedingBear) | nsfocusglobal.com |
| 15 FEB | CERT-UA | DDoS attacks against the name server of government websites as well as Oschadbank (State Savings Bank) & Privatbank (largest commercial bank). False SMS and e-mails to create panic | cert.gov.ua |
| 23 FEB | The Daily Beast | Ukrainian troops receive threatening SMS messages | thedailybeast.com |
| 23 FEB | UK NCSC | Sandworm/VoodooBear (GRU) | ncsc.gov.uk |
| 23 FEB | SentinelLabs | HermeticWiper | sentinelone.com |
| 24 FEB | ESET | HermeticWiper | welivesecurity.com |
| 24 FEB | Symantec | HermeticWiper, PartyTicket ransomware, CVE-2021-1636, unknown webshell | symantec-enterprise-blogs.security.com |
| 24 FEB | Cisco Talos | HermeticWiper | blog.talosintelligence.com |
| 24 FEB | Zscaler | HermeticWiper | zscaler.com |
| 24 FEB | Cluster25 | HermeticWiper | cluster25.io |
| 24 FEB | CronUp | Data broker "FreeCivilian" offering multiple .gov.ua | twitter.com/1ZRR4H |
| 24 FEB | RaidForums | Data broker "Featherine" offering diia.gov.ua | RaidForums [not linked] |
| 24 FEB | DomainTools | Unknown scammers | twitter.com/SecuritySnacks |
| 25 FEB | @500mk500 | Gamaredon/Shuckworm/PrimitiveBear (FSB) | twitter.com/500mk500 |
| 25 FEB | @500mk500 | Gamaredon/Shuckworm/PrimitiveBear (FSB) | twitter.com/500mk500 |
| 25 FEB | Microsoft | HermeticWiper | gist.github.com |
| 25 FEB | 360 NetLab | DDoS (Mirai, Gafgyt, IRCbot, Ripprbot, Moobot) | blog.netlab.360.com |
| 25 FEB | Conti [themselves] | Conti ransomware, BazarLoader | Conti News .onion [not linked] |
| 25 FEB | CoomingProject [themselves] | Data Hostage Group | CoomingProject Telegram [not linked] |
| 25 FEB | CERT-UA | UNC1151/Ghostwriter (Belarus MoD) | CERT-UA Facebook |
| 25 FEB | Sekoia | UNC1151/Ghostwriter (Belarus MoD) | twitter.com/sekoia_io |
| 25 FEB | @jaimeblascob | UNC1151/Ghostwriter (Belarus MoD) | twitter.com/jaimeblasco |
| 25 FEB | RiskIQ | UNC1151/Ghostwriter (Belarus MoD) | community.riskiq.com |
| 25 FEB | MalwareHunterTeam | Unknown phishing | twitter.com/malwrhunterteam |
| 25 FEB | ESET | Unknown scammers | twitter.com/ESETresearch |
| 25 FEB | BitDefender | Unknown scammers | blog.bitdefender.com |
| 25 FEB | SSSCIP Ukraine | Unknown phishing | twitter.com/dsszzi |
| 25 FEB | RaidForums | Data broker "NetSec" offering FSB (likely SMTP accounts) | RaidForums [not linked] |
| 25 FEB | Zscaler | PartyTicket decoy ransomware | zscaler.com |
| 25 FEB | INCERT GIE | Cyclops Blink, HermeticWiper | linkedin.com [Login Required] |
| 25 FEB | Proofpoint | UNC1151/Ghostwriter (Belarus MoD) | twitter.com/threatinsight |
| 25 FEB | @fr0gger_ | HermeticWiper capabilities overview | twitter.com/fr0gger_ |
| 25 FEB | Netskope | HermeticWiper analysis | netskope.com |
| 26 FEB | BBC Journalist | A fake Telegram account claiming to be President Zelensky is posting dubious messages | twitter.com/shayan86 |
| 26 FEB | CERT-UA | UNC1151/Ghostwriter (Belarus MoD) | CERT-UA Facebook |
| 26 FEB | MHT and TRMLabs | Unknown scammers, linked to ransomware | twitter.com/joes_mcgill |
| 26 FEB | US CISA | WhisperGate wiper, HermeticWiper | cisa.gov |
| 26 FEB | Bloomberg | Destructive malware (possibly HermeticWiper) deployed at Ukrainian Ministry of Internal Affairs & data stolen from Ukrainian telecommunications networks | bloomberg.com |
| 26 FEB | Vice Prime Minister of Ukraine | IT ARMY of Ukraine created to crowdsource offensive operations against Russian infrastructure | twitter.com/FedorovMykhailo |
| 26 FEB | Yoroi | HermeticWiper | yoroi.company |
| 27 FEB | LockBit [themselves] | LockBit ransomware | LockBit .onion [not linked] |
| 27 FEB | ALPHV [themselves] | ALPHV ransomware | vHUMINT [closed source] |
| 27 FEB | Mēris Botnet [themselves] | DDoS attacks | vHUMINT [closed source] |
| 27 FEB | Facebook/Meta | Russian state actor-run websites posing as independent news entities and created fake personas across social media platforms including Facebook, Instagram, Twitter, YouTube, Telegram and also Russian Odnoklassniki and VK | about.fb.com |
| 28 FEB | Horizon News [themselves] | Leak of China's Censorship Order about Ukraine | techarp.com |
| 28 FEB | Microsoft | FoxBlade (aka HermeticWiper) | blogs.microsoft.com |
| 28 FEB | @heymingwei | Potential BGP hijack attempts against Ukrainian Internet Names Center | twitter.com/heymingwei |
| 28 FEB | @cyberknow20 | Stormous ransomware targets Ukraine Ministry of Foreign Affairs | twitter.com/cyberknow20 |