June 27, 2019
Severity
Medium
Analysis Summary
A GlobeImposter ransomware outbreak took place at a subsidiary of a financial services company, resulting in the encryption of a server and of the NAS storage that hosted the virtual machines attached to it. Initially, a brute-force RDP attack was launched against an admin account on the first compromised server, producing 1800 failed login attempts within 5 hours before access was gained. Once inside, the attackers deployed an advanced port scanner, the credential-stealing tool Mimikatz, and crypto-mining malware. They then deployed the ransomware, which the researchers identified as GlobeImposter. No evidence of data exfiltration has been found.
Impact
- Files Encryption
- Credential Theft
- Cryptomining
Indicators of Compromise
IP(s) / Hostname(s)
185.220.101[.]32
Malware Hash (MD5/SHA1/SHA256)
- 56bfc6dd7abd6d50dd9011c3e4884dfa
- 2e3c25575959550b67ac7ea13bc9ac42
- 55b2cc290683e3c1458638ea12804ffb
- ffac2ab6ba4f6bb0b7e1063e93639bcf
Remediation
- Closely monitor port 3389 (RDP).
- Block the threat indicators at their respective controls.
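The intrusion above began with 1800 failed RDP logons against an admin account over 5 hours, followed by a successful one. As an added example, not part of the advisory, the detection below flags that pattern in Windows Security logon events (4625 failures, then a 4624 success, logon type 10 = RDP). The threshold, window, sample events and the TEST-NET source address are assumptions constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624     # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = 10      # RemoteInteractive, i.e. a logon over RDP

def detect_rdp_brute_force(events, threshold=50, window=timedelta(minutes=30)):
    """Scan time-ordered logon events (dicts with ts, event_id, logon_type,
    account, src_ip). Raise one 'brute_force' alert per (src_ip, account)
    once `threshold` RDP failures fall inside a sliding `window`, and a
    'success_after_brute_force' alert if that pair later logs on successfully.
    Threshold and window are assumed tuning values, not taken from the advisory."""
    recent = defaultdict(deque)   # (src_ip, account) -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        key = (ev["src_ip"], ev["account"])
        if ev["event_id"] == FAILED_LOGON:
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"type": "brute_force", "src_ip": key[0],
                               "account": key[1], "failures": len(q), "ts": ev["ts"]})
        elif ev["event_id"] == SUCCESS_LOGON and key in flagged:
            alerts.append({"type": "success_after_brute_force", "src_ip": key[0],
                           "account": key[1], "ts": ev["ts"]})
            flagged.discard(key)   # alert once per burst; a new burst re-arms it
    return alerts

def constructed_sample():
    """Constructed events, not real logs: 1800 RDP failures against an admin
    account over 5 hours from a TEST-NET address, then a successful logon,
    plus a legitimate user who mistypes a password twice."""
    start = datetime(2019, 6, 20, 1, 0, 0)
    mk = lambda secs, eid, acct, ip: {"ts": start + timedelta(seconds=secs), "event_id": eid,
                                      "logon_type": RDP_LOGON_TYPE, "account": acct, "src_ip": ip}
    evs = [mk(10 * i, FAILED_LOGON, "Administrator", "203.0.113.7") for i in range(1800)]
    evs.append(mk(5 * 3600 + 5, SUCCESS_LOGON, "Administrator", "203.0.113.7"))
    evs += [mk(60, FAILED_LOGON, "jdoe", "10.0.0.25"), mk(75, FAILED_LOGON, "jdoe", "10.0.0.25"),
            mk(90, SUCCESS_LOGON, "jdoe", "10.0.0.25")]
    return sorted(evs, key=lambda e: e["ts"])

if __name__ == "__main__":
    for alert in detect_rdp_brute_force(constructed_sample()):
        print(alert)
```

Feeding real exported 4624/4625 events into `detect_rdp_brute_force` (after mapping the fields) gives the same two-stage alert: the burst itself, and the success that follows it, which is the moment to isolate the host.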