Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).
Note: Viewing the pages linked in this blog post requires a ThreatConnect account.
In this edition, we cover:
- APT29 Targets COVID-19 Vaccine Development
- Twitter Hijacking and Cryptocurrency Scam
- .NET Thanos Ransomware Supporting Safeboot
- COVID Relief Phishing
- Bigviktor Botnet
Roundup Highlight: APT29 Targets COVID-19 Vaccine Development
Our highlight in this Roundup is Incident 20200716A: NCSC Advisory and YARA Rules: APT29 targets COVID-19 vaccine development. On July 16, 2020, the United Kingdom’s National Cyber Security Centre (NCSC), Canada’s Communications Security Establishment (CSE), and the United States’ National Security Agency (NSA) released a joint advisory describing scanning and exploitation activity targeting organizations involved in COVID-19 vaccine development in the agencies’ respective countries. The report attributes the activity to the cyber espionage group APT29 (aka Cozy Bear), describes some of the techniques and malware used by the group, including WellMess, WellMail, and SoreFang, and includes indicators of compromise related to the above. APT29 itself is attributed to Russian intelligence services by the authors of the report, and more widely across the security industry.
The ThreatConnect Research team is investigating the indicators of compromise shared in the report, and in the meantime has made the IOCs and YARA rules available in the ThreatConnect Common Community here.
ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.
- 20200715A: Compromise of High-Profile Twitter Accounts to Advertise Cryptocurrency Scam. On July 15, 2020, hackers broadcast a cryptocurrency scam to hundreds of millions of Twitter users by tweeting from dozens of hijacked, high-profile Twitter accounts. Based on Twitter’s communications regarding the matter and other reporting, we know that the attack involved internal Twitter tools, changes of associated email accounts, and a website located at cryptoforhealth[.]com promoting a fake giveaway project supposedly organized by several cryptocurrency exchanges.
- 20200715B: Additional Network Infrastructure Possibly Associated With Twitter Account Compromise. From Yonathan Klijnsma: “Leveraging @RiskIQ’s datasets we have identified more infrastructure tied to the current cryptocurrency scammers impacting @elonmusk, @billgates, etc. This is research data, validate before taking action, it might identify new targets also.”
- 20200707A: Possible APT34 Domain lebanese-force[.]com. ThreatConnect Research identified the possible APT34 / Helix Kitten / OilRig domain lebanese-force[.]com, which has registration and hosting consistencies with previously identified APT34 infrastructure.
Technical Blogs and Reports
Incidents with Active and Observed Indicators: Incidents associated with one or more Indicators that have an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).
- Analysis of .NET Thanos Ransomware Supporting Safeboot with Networking Mode (Source: https://www.fortinet.com/blog/threat-research/analysis-of-net-thanos-ransomware-supporting-safeboot-with-networking-mode)
- Invoice Themed Phishing Emails Are Spreading from Trusted Links (Source: https://cofense.com/invoice-themed-phishing-emails-are-spreading-from-trusted-links/)
- Emotet C2 and RSA Key Update – 07/14/2020 23:10 (Source: https://paste.cryptolaemus.com/emotet/2020/07/14/emotet-c2-rsa-update-07-14-20-1.html)
- HMRC latest target in global COVID relief phishing campaigns (Source: https://cofense.com/hmrc-latest-target-global-covid-relief-phishing-campaigns/)
- Scanning Home Internet Facing Devices to Exploit, (Sat, Jul 11th) (Source: https://isc.sans.edu/diary/rss/26340)
- The new Bigviktor Botnet is Targeting DrayTek Vigor Router (Source: https://blog.netlab.360.com/bigviktor-dga-botnet/)
To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.