

Severity
High
Analysis Summary
APT28 is one of Russia's longest-running APTs, with operations dating back to at least 2007. The group supports Russia's strategic operations against the U.S., countries of the former Soviet Union, Europe, and now Asia. Its attacks mostly target the defense and military sectors of the countries concerned. In support of Russia's national interests, APT28 compromises the targeted country's operations, steals data, and then leaks it to the Russian government.
Operating under the aliases Fancy Bear, Pawn Storm, Tsar Team, STRONTIUM, and Sofacy Group, APT28 carries out its attacks using spoofed websites and phishing emails containing malicious links.
A Ukrainian media company called UkrNet has been the target of a large-scale credential phishing campaign, in which the attackers use newly created landing pages such as blogspot domains.

UNC1151, a Minsk-based threat group, has been targeting Ukrainian government officials and military personnel with mass phishing emails. Once an account is compromised, the attackers gain access to all of its messages via the IMAP protocol, and then use contact details from the victim's address book to send further phishing emails.
Mustang Panda, although a Chinese group, has also taken advantage of the Russian-Ukrainian cyber warfare and used the situation to deploy a malware sample named Ukraine.exe.
Impact
- Credential Theft
- Financial Theft
- Data Exfiltration
Indicators of Compromise
MD5
- 7b2f41b57b9ab4151eb37ed69db9fdf8
SHA-256
- 8a7fbafe9f3395272548e5aadeb1af07baeb65d7859e7a1560f580455d7b1fac
SHA-1
- 2f46a7ed5d7a303c0f25d5e4a18bcbf01ce9af26
Remediation
- Logging – Log your eCommerce environment’s network activity and web server activity.
- Passwords – Implement strong passwords.
- Admin Access – Limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
- WAF – Set up a Web Application Firewall with rules to block suspicious and malicious requests.
- Patch – Patch and upgrade all platforms and software promptly. Prioritize patching known exploited vulnerabilities.
- 2FA – Enable two-factor authentication.
- Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner.