Cyber Gen And Cyber Dongle

Today, the factors that threaten cybersecurity on a global and national scale are increasing rapidly and changing shape, often in ways that are difficult to detect.

To briefly explain the categories:

Suspicious Activities: Activities that do not fall into any other category and do not match a 100% defined attack metric, but that have created anomalies and may be potential threats.

AD User Activities: Suspicious changes made to the tools the institution/organization uses for object management (this category is 100% based on the Windows Active Directory structure).

Scanning Activities: Scanning activities performed from remote to local or from local to remote.

Communication with Malicious IP Address: Communication with malicious IPs, collected from threat intelligence services, that are likely to be C&C servers.

Brute Force Activities: An attacker trying many different password combinations in an attempt to guess the password of an account.

Malware Detection: It refers to the detection of malicious software on endpoints.

Outside of Working Hours Login: Logins to systems that are performed outside of working hours.

When alarms in the suspicious activity category are classified, as can be expected, the most frequent incidents are potential phishing activity and emails from suspicious senders. In addition, legitimate operations performed by system and network administrators also appear under this category from time to time. For such operations, our analyst team contacts the customer directly, analyzes the feedback, determines which alarms are false positives and makes improvements to the rules.
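As an added example (not code from the original report), the following script classifies constructed authentication events into two of the categories listed above, Brute Force Activities and Outside of Working Hours Login, and shows how a known service account can be tuned out after analyst feedback. The working hours, failure threshold, log format and account names are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample authentication events (not from the original page).
SAMPLE_EVENTS = [
    "2021-05-10T02:15:00 host=dc01 user=jdoe result=FAIL src=10.0.0.5",
    "2021-05-10T02:15:03 host=dc01 user=jdoe result=FAIL src=10.0.0.5",
    "2021-05-10T02:15:06 host=dc01 user=jdoe result=FAIL src=10.0.0.5",
    "2021-05-10T02:15:09 host=dc01 user=jdoe result=FAIL src=10.0.0.5",
    "2021-05-10T02:15:12 host=dc01 user=jdoe result=FAIL src=10.0.0.5",
    "2021-05-10T02:15:20 host=dc01 user=jdoe result=OK src=10.0.0.5",
    "2021-05-10T23:40:00 host=fs01 user=asmith result=OK src=10.0.0.7",
    "2021-05-10T23:45:00 host=fs01 user=svc_backup result=OK src=10.0.0.9",
    "2021-05-10T10:00:00 host=fs01 user=asmith result=OK src=10.0.0.7",
]
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$")
WORK_START, WORK_END = 8, 18          # assumed working hours, 08:00-18:00
BRUTE_FORCE_THRESHOLD = 5             # assumed: >= 5 failures per user+source
MAINTENANCE_ACCOUNTS = {"svc_backup"}  # assumed tuning: known admin/service accounts

def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event

def classify(lines):
    """Return a list of (category, user, source, detail) alarms."""
    events = [e for e in map(parse, lines) if e]
    alarms = []
    # Brute force: many failures for the same user from the same source.
    fails = Counter((e["user"], e["src"]) for e in events if e["result"] == "FAIL")
    for (user, src), count in fails.items():
        if count >= BRUTE_FORCE_THRESHOLD:
            alarms.append(("Brute Force Activities", user, src, count))
    # Off-hours login: successful logins outside the working-hours window,
    # except for accounts the analysts have confirmed as expected admin activity.
    for e in events:
        if e["result"] == "OK" and not (WORK_START <= e["ts"].hour < WORK_END):
            if e["user"] in MAINTENANCE_ACCOUNTS:
                continue  # tuned out after customer feedback (false positive)
            alarms.append(("Outside of Working Hours Login", e["user"], e["src"],
                           e["ts"].isoformat()))
    return alarms
```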

GLOBAL TRENDS

Egregor Ransomware

Egregor ransomware was discovered as a new version of the old ransomware called Sekhmet, which targeted large organizations. Egregor ransomware has affected a large number of organizations in a short period of time. It is thought that the cyber threat group Maze is behind the development of the malware.

Egregor attacks organizations using phishing or certain exploits and encrypts critical files. It encrypts the files it captures and copies them to its own servers before demanding a ransom. It returns the files on its servers to organizations that pay the ransom. In a short period of time, Egregor has successfully attacked Barnes & Noble, Ubisoft and many other large organizations. It is also known to have affected more than 130 high-value organizations in the industrial products, retail and transportation sectors.

XMRig Miner Worm

In early December, a new and previously undetected worm written in Golang was discovered. This worm is already among the most popular multi-platform malware of late 2020 and the first quarter of 2021.

The worm moves laterally within the network to spread the XMRig miner. The malware targets both Windows and Linux servers and, interestingly, can easily spread from one platform to the other. It is observed to target corporate services that are open to the internet; MySQL, the Tomcat Admin Panel and Jenkins systems with weak passwords are the focus of the malware. An older version of the malware was also observed attempting to exploit the recent WebLogic vulnerability CVE-2020-14882.

During the analysis, the attackers were seen to keep updating the malware on the Command and Control (C&C) server, indicating that this worm is active and that its scope will expand in future updates.

Suspicious Network Activities: The category that covers suspicious situations occurring during network use and includes anomalies.

Account Management: Suspicious changes made to the tools used by the institution/organization in object management.

Suspicious Web Communications: Activities reported by proxy or URL-filtering sources that cause an alarm.

Authentication and Authorization: The category that includes authorization problems occurring on central servers or local systems.

Malware: Refers to malicious software detection at endpoints.

When the alarms in the Suspicious Network Activities category are classified, as can be expected, the most frequent events are potential scanning activity and access to blacklisted IPs. In addition, legitimate operations performed by system and network administrators are also occasionally seen under this category. For such operations, our analyst team contacts the customer directly, analyzes the feedback, determines which alarms are false positives, and makes improvements to the rules.

GLOBAL TRENDS

Avaddon Ransomware

A new ransomware called Avaddon has been detected. Avaddon, a modern type of ransomware, bypasses antivirus software on target devices and can encrypt critical files. It has been announced that more than 10 sectors in 20 different countries, including Germany, China and the UK, have been affected by Avaddon.

The malware, which infects targeted devices through e-mails containing malicious JavaScript files, uses a module called “GetUserDefaultLCID” to determine whether the infected system is valuable and to perform system discovery. The critical files it detects are encrypted with the AES-256 algorithm and transferred to C&C (Command and Control) servers controlled by the cyber threat actors. If the requested ransom is not paid, the captured corporate data is published on the Tor network.

To avoid falling victim to critical cyber attacks, it is recommended to be careful with suspicious/fraudulent emails and to block the IoC (Indicator of Compromise) findings shared below on security devices.

Data Leak Site:

avaddongun7rngel[.]onion

Conti Malware

It has been revealed that BlueForce, a US defense industry company, was affected by the Conti ransomware and its critical data was leaked.

The malware in question infects target devices via a DLL file containing a Cobalt Strike shell. After installation is complete, it communicates with the command and control server. Conti, which encrypts files on the victim system, has been found to transfer the encrypted files to the command and control center.

It is recommended that the IoCs belonging to the Conti malware be blocked on security technologies.

IP:

23.106.160[.]174
23.82.140[.]137
Domain:

docns[.]com
tapavi[.]com
contirecovery[.]best
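As an added example (not the report's own tooling), the script below turns defanged indicators like the Conti IPs and domains listed above back into matchable form and checks them against constructed proxy and DNS log lines, matching subdomains of a blocklisted domain but not look-alike names. The log format and the sample lines are assumptions.

```python
import re

# Defanged indicators as published above, used here purely as a blocklist.
RAW_IOCS = [
    "23.106.160[.]174",
    "23.82.140[.]137",
    "docns[.]com",
    "tapavi[.]com",
    "contirecovery[.]best",
]

def refang(ioc):
    """Turn a defanged indicator back into the form seen in logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower().strip()

def load_blocklist(raw):
    """Split refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for ioc in map(refang, raw):
        (ips if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ioc) else domains).add(ioc)
    return ips, domains

def domain_matches(name, domains):
    """True for the exact domain or any subdomain of a blocklisted domain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

# Constructed sample proxy/DNS log lines (not from the original page).
SAMPLE_LOG = [
    "2021-05-11T09:01:02 proxy src=10.0.0.21 dst=23.106.160.174 host=docns.com url=/gate",
    "2021-05-11T09:02:10 dns src=10.0.0.22 query=update.tapavi.com",
    "2021-05-11T09:03:55 proxy src=10.0.0.23 dst=93.184.216.34 host=example.com url=/",
    "2021-05-11T09:04:00 dns src=10.0.0.24 query=notdocns.com",
]
LOG_RE = re.compile(r"(?P<key>dst|host|query)=(?P<val>\S+)")

def find_hits(lines, raw_iocs=RAW_IOCS):
    """Return (timestamp, field, value) for every field that hits the blocklist."""
    ips, domains = load_blocklist(raw_iocs)
    hits = []
    for line in lines:
        for key, val in LOG_RE.findall(line):
            if (key == "dst" and val in ips) or \
               (key in ("host", "query") and domain_matches(val, domains)):
                hits.append((line.split()[0], key, val))
    return hits
```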

Colonial Pipeline Fuel Pipeline Hit by Ransomware Attack

Colonial Pipeline, which transports 45% of the fuel consumed on the US East Coast, has been shut down due to a ransomware attack. Colonial Pipeline Company announced on May 7 that it was subject to a cyberattack that compromised its system and proactively took some systems offline to contain the threat, which temporarily halted all pipeline operations.

Data leaks from many parts of the world, many of them involving large organizations, are reported in the press.

The first and indispensable step in preventing data leakage is to assign responsibility for the data you own and to classify that data. Classified data is then brought under control through data leakage prevention technologies.

In general, it is assumed that data leakage can be prevented with technology alone, without much thought given to the classification part in practice, and this approach carries great dangers for organizations and especially for national security.
