[oagitm] CISA - Indicator Bulletin: SLTT Network Targeted with Ransomware - TLP: AMBER
- From: "MASSE THERESA" <dmarc-noreply@xxxxxxxxxxxxx> ("theresa.masse")
- To: "oagitm@xxxxxxxxxxxxx" <oagitm@xxxxxxxxxxxxx>
- Date: Fri, 21 Jan 2022 15:42:57 +0000
FYSA
The Cybersecurity and Infrastructure Security Agency (CISA) provided the
attached indicator bulletin for awareness of indicators of compromise (IOCs)
tied to a recent ransomware attack on a public healthcare organization. The
IOCs tied to this attack and actor group can be found in the attached files.
These files will NOT be posted to HSIN.
This information is provided “as-is” from a trusted third party. Please note
that CISA cannot guarantee the validity of the information, but the
organization is a trusted partner and has provided timely and accurate
information in the past. If unfamiliar with Traffic Light Protocol (TLP),
TLP:AMBER means that recipients may only share TLP:AMBER information with
members of their own organization, and with clients or customers who need to
know the information to protect themselves or prevent further harm.
Accordingly, this information should not be uploaded to any public-facing
platforms, to include platforms like VirusTotal, and should not be shared with
the cybersecurity community at large. Please contact CISA with any questions
about distribution at: CyberLiaison_SLTT@xxxxxxxxxxxx.
Summary:
On January 11, 2022, a trusted third party reported a possible ransomware case.
The constituent successfully blocked the attempt before the threat actor managed
to deploy ransomware. In VPN logs they saw references to a US medical facility
and perceived attempts to connect to the US medical entity's Citrix Gateway. It
is suspected the actors had valid credentials to the Citrix Gateway. They
observed deny/drop notifications in the logs and labeled as suspicious any
attempts or traffic from the provided IP range.
The trusted third party suspected with low confidence the actor may be the
"Hive" based on related cases and overlaps in infrastructure. The Hive, which
is a threat group of possibly Russian speaking individuals, was first observed
in June 2021. They likely operate as an affiliate-based ransomware group. TTPs
include initial compromise through phishing and RDP, double extortion
ransomware, human operated attacks, use of legitimate commercial applications,
and utilization of their own closed-source ransomware.
Theresa A. Masse
Cyber Security Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse@xxxxxxxxxxxx<mailto:theresa.masse@xxxxxxxxxxxx>
[cid:image001.png@01D80E9A.809301E0]
Department of Homeland Security
Cybersecurity and Infrastructure Security Agency (CISA)
Reference Number: NPG-15377043
Report Date: 2022-01-11
Notification:
DISCLAIMER: This report is provided "as is" for informational purposes only. The
Department of Homeland Security (DHS) does not provide any warranties of any
kind regarding any information contained within. The DHS does not endorse any
commercial product or service, referenced in this bulletin or otherwise. This
document is distributed as TLP:AMBER: Limited disclosure, restricted to
participants organizations. Recipients may only share TLP:AMBER information with
members of their own organization, and with clients or customers who need to
know
the information to protect themselves or prevent further harm.
For more information on the Traffic Light Protocol, see
http://www.us-cert.gov/tlp.
Summary:
On January 11, 2022, a trusted third party reported a possible ransomware case.
The constituent successfully blocked the attempt before the threat actor managed
to deploy ransomware. In VPN logs they saw references to a US medical facility
and perceived attempts to connect to the US medical entity's Citrix
Gateway. It is suspected the actors had valid credentials to the Citrix Gateway.
They observed deny/drop notifications in the logs and labeled as suspicious any
attempts or traffic from the provided IP range.
The trusted third party suspected with low confidence the actor may be the
"Hive" based on related cases and overlaps in infrastructure. The Hive, which is
a threat group of possibly Russian speaking individuals, was first observed in
June 2021. They likely operate as an affiliate-based ransomware group. TTPs
include initial compromise through phishing and RDP, double extortion
ransomware, human operated attacks, use of legitimate commercial applications,
and utilization of their own closed-source ransomware.
This activity was observed in the Healthcare and Public Health sector.
The following additional information was derived from trusted third parties and
open-source research:
Domain: ec2-18-157-86-155.eu-central-1.compute.amazonaws.com
Host IP: 207.171.166.22 (US)
Created Date: 2005-08-18
First Seen: 2020-02-10
Registrant: Amazon.com, Inc.
Activity: Associated with C2 Cobalt Strike beaconing; this is a legitimate AWS
domain
Domain: managecloudengine.com
Host IP: 45.67.229.232 (Moldova)
Created Date: 2021-12-10
Registrant: Redacted for Privacy by Registrar
Activity: Observed as a C2 site for Cobalt Strike Beacon; observed in phishing,
malware, and spam activity
Domain: malonblanco.com
Host IP: 69.49.235.239 (US)
Created Date: 2021-07-26
Registrant: Redacted for Privacy by Registrar
Activity: Observed as a C2 site for Cobalt Strike Beacon; observed in phishing,
malware, and spam activity
Domain: bellennium.com
Host IP: 159.65.186.190 (US)
Created Date: 2021-07-27
Registrant: Redacted for Privacy by Registrar
Activity: Observed as a C2 site for Cobalt Strike Beacon; observed in phishing,
malware, and spam activity
Domain: minimephotos.co.uk
Host IP: 18.218.223.142 (US)
Created Date: 2021-07-27
Registrant: N/A
Activity: Observed as a C2 site for Cobalt Strike Beacon; observed in phishing,
malware, and spam activity
Domain: instance-[ID]-relay.screenconnect.com
Host IP: 52.202.11.141 (US)
Created Date: 2004-10-27
Registrant: ConnectWise
Activity: This domain was used for the ScreenConnect tool; the [ID] is variable
to the instance; ScreenConnect is a legitimate tool with remote access
capabilities that can be used for malicious purposes
IP: 18.157.86.155
Organization: Amazon.com, Inc.
Resolutions: 3
Geolocation: Germany
Activity: Observed as a C2 site for Cobalt Strike Beacon
IP: 83.220.238.139
Organization: PJSC "Vimpelcom"
Resolutions: 0
Geolocation: Russia
Activity: Used to log into the organization's VPN, Public Gateway PJSC
VimpelCom; observed in probing and spam activity
IP: 45.67.230.28
Organization: Webhost LLC
Resolutions: 0
Geolocation: Russia
Activity: Used to log into the organization's VPN
IP: 141.98.103.251
Organization: M247 Ltd
Resolutions: 0
Geolocation: Serbia
Activity: Used to log into the organization's VPN; observed in spam and TOR
node activity
IP: 23.106.160.164
Organization: Leaseweb USA, Inc.
Resolutions: 0
Geolocation: US
Activity: Used to log into the organization's VPN
File: [MD5: bc7c6048bd9850d4997d911499f23f64]
Filename: cache.abf
File Type: Win32 DLL
Detection: Trojan.Win32.Agent; BehavesLike.Win64.Emotet.jh; other
Activity: Cobalt Strike Beacon
File: [MD5: 8899673a73654786e1893faa85afda59]
Filename: ads.exe
File Type: N/A
Detection: N/A
Activity: ScreenConnect tool used to connect via the organization's VPN;
ScreenConnect is a legitimate tool with remote access capabilities that can be
used for malicious purposes
Attack Patterns:
T1053 - Scheduled Task/Job - Persistence
T1021 - Remote Services - Lateral Movement
T1113 - Screen Capture - Collection
T1486 - Data Encrypted for Impact - Impact
Contact CISA Customer Service
Email: soc@xxxxxxxxxxx
Phone: 1-888-282-0870
Website: www.us-cert.gov
CISA continuously strive to improve its products and services. You can help by
answering a very short series of questions about this product at the following
URL:
https://www.us-cert.gov/forms/feedback.
Other related posts:
- » [oagitm] CISA - Indicator Bulletin: SLTT Network Targeted with Ransomware - TLP: AMBER - MASSE THERESA
