Australia Seeks to Disrupt & Stop Cybercriminal Syndicates with New Task Force

This issue of the Analyst Prompt looks at IRIDIUM’s ransomware campaign causing disruption in Ukraine and Poland, the continued use of Log4Shell by threat actors across the threat landscape, and Australia’s new joint standing operation to disrupt and stop cybercriminal syndicates.

EclecticIQ Threat Research Team November 24, 2022

Threat Actor Update: IRIDIUM Attributed to Prestige Ransomware Campaign

A ransomware campaign targeting transportation and logistics organizations in Ukraine and Poland has been attributed to a group called IRIDIUM. The campaign used a previously unidentified ransomware payload called ‘Prestige’, which was observed being deployed on October 11th, 2022. The objective of the campaign was to cause disruption, not financial gain. IRIDIUM is a Russia-based actor that overlaps with Sandworm and has been consistently active in Ukraine, with IRIDIUM being linked to activity in March 2022 (1).

The Ukraine war continues to highlight the increased use of ransomware for non-financial means. Ransomware has been used for non-financial means before (2); however, many ransomware incidents have historically been financially driven. For example, the HermeticRansom malware used in Ukraine is suspected to be a smokescreen for destructive attacks (3). Hacktivist group FRwL has used ransomware during the Ukraine war without demanding a ransom (4, 14). BRONZE STARLIGHT, another cyber threat actor group, is suspected of using ransomware to distract responders from their true motivation, cyber espionage (5).

Exploit Tools and Targets: Log4j Continues to be Actively Exploited

Iranian government-sponsored APTs have been observed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) exploiting Log4Shell (CVE-2021-44228) for persistence within the U.S. Federal Civilian Executive Branch (FCEB). The actors exploited an unpatched VMware Horizon server using Log4Shell to install the XMRig crypto miner within FCEB. They moved laterally within the environment to the domain controller, compromised credentials, and installed Ngrok reverse proxies on multiple hosts to maintain persistence within the victims’ environments (6).

Log4Shell will almost certainly be exploited in the short and medium term by actors across the threat landscape. Log4Shell is a remote code execution (RCE) vulnerability in the popular Java logging library Log4j, which is used in multiple software products. Other Iran-linked threat groups have exploited Log4j in SysAid Server instances (7) and VMware Horizon (8). Ransomware groups have also exploited Log4j: the Avos ransomware group used the Log4Shell vulnerability for initial access to the victim’s environment (9).
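A defender-side check for the unpatched state described above, added here as an example (it is not code from the original post or from EclecticIQ): it scans Java archives, including copies nested inside WAR/EAR files, for log4j-core versions in the CVE-2021-44228 range and reports whether the JndiLookup class is still present, since removing that class was a published stop-gap mitigation. It assumes the jar kept its Maven `pom.properties` metadata; the function names and the sample archive are constructed for illustration.

```python
import io, re, zipfile

# Maven metadata and lookup class inside a log4j-core jar
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def is_affected(version):
    """CVE-2021-44228 range: 2.0-beta9 to 2.15.0, minus backports 2.12.2+ and 2.3.1+."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return True  # unparseable version: flag for manual review
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if major != 2 or minor >= 16:
        return False
    # Conservative: 2.0 pre-releases older than beta9 are flagged too.
    return not ((minor == 12 and patch >= 2) or (minor == 3 and patch >= 1))

def scan_archive(data, name):
    """Recursively scan jar/war/ear bytes; return one finding per log4j-core copy."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM in names:
            props = zf.read(POM).decode("utf-8", "replace")
            vm = re.search(r"^version=(.+)$", props, re.M)
            version = vm.group(1).strip() if vm else "unknown"
            findings.append({"path": name, "version": version,
                             "affected": is_affected(version),
                             "jndi_lookup_present": JNDI in names})
        for entry in sorted(names):
            if entry.lower().endswith((".jar", ".war", ".ear")):
                try:
                    findings += scan_archive(zf.read(entry), f"{name}!/{entry}")
                except zipfile.BadZipFile:
                    pass  # not a readable archive; skip
    return findings

def build_zip(files):
    """Build an in-memory zip from {name: bytes}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in files.items():
            zf.writestr(entry, content)
    return buf.getvalue()

def demo():
    """Constructed WAR with one old and one current log4j-core copy nested inside."""
    old = build_zip({POM: b"version=2.14.1\n", JNDI: b""})
    new = build_zip({POM: b"version=2.17.1\n", JNDI: b""})
    return scan_archive(build_zip({"WEB-INF/lib/a.jar": old, "WEB-INF/lib/b.jar": new}), "app.war")
```

Shaded or repackaged jars can drop the Maven metadata, so an empty result is not proof that Log4j is absent.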

Policy Keynotes: Australia Announces a Task Force to Disrupt and Stop Cybercrime

Australia on October 12th announced the formation of the Joint Standing Operation task force aimed at disrupting and stopping cybercriminal syndicates, with a priority on groups using ransomware. The operation will collect intelligence and identify networks, infrastructure, and individual leaders, regardless of their location. The joint standing operation will involve the Australian Federal Police and the Australian Signals Directorate, who will be given powers to hunt down and disrupt criminals (10).

The Australian government’s announcement shows a continued trend at a national and international level to address cybercriminal threats, specifically actors using ransomware. The United States government launched the Ransomware Task Force (RTF) in April 2021 to address the growing threat ransomware poses to U.S. private and public organizations (11). The European Union has adopted legislation requiring businesses, administrations, and organizations involved with infrastructure to meet stricter supervisory obligations and enforcement measures (12). The International Counter Ransomware Task Force (ICRTF), involving 36 countries and the EU, has been established to coordinate resilience, disruption, and information and capability sharing against ransomware threats (13).

About EclecticIQ Intelligence and Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery

Please refer to our support page for guidance on how to access the feeds.

Appendix

  1. https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/
  2. https://www.ncsc.gov.uk/news/russian-military-almost-certainly-responsible-destructive-2017-cyber-attack
  3. https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/
  4. https://cert.gov.ua/article/2724253
  5. https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader
  6. https://www.cisa.gov/uscert/ncas/alerts/aa22-320a
  7. https://www.microsoft.com/en-us/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
  8. https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/
  9. https://blog.talosintelligence.com/avoslocker-new-arsenal/
  10. https://ministers.ag.gov.au/media-centre/joint-standing-operation-against-cyber-criminal-syndicates-12-11-2022
  11. https://securityandtechnology.org/ransomwaretaskforce/
  12. https://www.europarl.europa.eu/news/en/press-room/20221107IPR49608/cybersecurity-parliament-adopts-new-law-to-strengthen-eu-wide-resilience
  13. https://www.whitehouse.gov/briefing-room/statements-releases/2022/11/01/fact-sheet-the-second-international-counter-ransomware-initiative-summit/
  14. https://www.helpnetsecurity.com/2022/11/14/somnia-ransomware-ukrainian/ 
