EclecticIQ
Ransomware; TA505; Iranian Nation State

This issue of The Analyst Prompt looks at TA505's change in initial access technique, Iranian nation-state actors' shift towards ransomware, and the arrest of Ukrainian and Russian nationals linked to the Kaseya ransomware attack.

EclecticIQ Threat Research Team November 30, 2021

Threat Actor Update: TA505 Shifts Towards Exploitation of Publicly Exposed Applications for Initial Access

The cybercriminal group known as TA505 exploits publicly exposed SolarWinds Serv-U servers vulnerable to CVE-2021-35211 (1) for initial access (2). Successful exploitation executes Base64-encoded PowerShell that deploys a Cobalt Strike Beacon. TA505 occasionally hijacks the RegIdleBackup scheduled task and abuses its COM handler to gain persistence and to execute the FlawedGrace remote access trojan. The intrusions are likely preparation for the deployment of ransomware (3).

TA505's exploitation of CVE-2021-35211 represents a shift in initial access technique. Historically, TA505 relied on socially engineered phishing campaigns carrying a malicious attachment or link (4). That technique requires a user to open the attached file or click the link for execution, whereas exploitation of a public-facing vulnerable server requires no user interaction for initial access. EclecticIQ recommends that SolarWinds Serv-U users consult the official SolarWinds security advisory for affected products and patches (1).
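A detection-side illustration of the first step in that chain, added here as an example and not part of the original article or of any EclecticIQ tooling: it decodes the Base64/UTF-16LE argument behind an -EncodedCommand style flag in simplified process-creation records and flags PowerShell started under the Serv-U service. The parent image name Serv-U.exe and the "parent|image|command line" record format are assumptions; the sample events are constructed.

```python
import base64
import re

# An encoded-command flag is any prefix of -EncodedCommand (PowerShell accepts -enc, -e, ...).
ENC_RE = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Assumption: the Serv-U service binary name; adjust to the image name seen in your own telemetry.
SUSPICIOUS_PARENTS = {"serv-u.exe"}

def encode_powershell(script):
    # -EncodedCommand expects UTF-16LE text, then Base64 (used here only to build the sample).
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

def encoded_payloads(cmdline):
    # Yield the Base64 argument of every genuine encoded-command flag on the command line.
    for m in ENC_RE.finditer(cmdline):
        if "encodedcommand".startswith(m.group(1).lower()):  # rejects e.g. -ExecutionPolicy
            yield m.group(2)

def decode_encoded_command(cmdline):
    # Decoded script behind the first encoded-command flag, or None if absent or malformed.
    for b64 in encoded_payloads(cmdline):
        try:
            return base64.b64decode(b64, validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            return None  # flag present but payload is not valid Base64/UTF-16LE
    return None

def analyze_event(line):
    # One simplified process-creation record: "parent|image|command line".
    parent, image, cmdline = (p.strip() for p in line.split("|", 2))
    if image.lower() not in POWERSHELL_IMAGES:
        return None
    reasons, decoded = [], None
    if any(True for _ in encoded_payloads(cmdline)):
        reasons.append("Base64-encoded PowerShell command line")
        decoded = decode_encoded_command(cmdline)
    if parent.lower() in SUSPICIOUS_PARENTS:
        reasons.append(f"PowerShell spawned by {parent}")
    return {"parent": parent, "image": image, "decoded": decoded, "reasons": reasons} if reasons else None

def scan_process_log(lines):
    return [f for f in map(analyze_event, lines) if f is not None]

# Constructed sample events; the encoded payload is a harmless stand-in, not a real loader.
CONSTRUCTED_SCRIPT = "Write-Output 'constructed stand-in for the first-stage script'"
SAMPLE_EVENTS = [
    f"Serv-U.exe|powershell.exe|powershell.exe -nop -w hidden -enc {encode_powershell(CONSTRUCTED_SCRIPT)}",
    "explorer.exe|powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "svchost.exe|cmd.exe|cmd.exe /c whoami",
]
```

Only the event with both indicators is reported; the administrator's -ExecutionPolicy run is not mistaken for an encoded command, and a flag with a malformed payload still produces a finding with decoded set to None.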

Threat Actor Update: Iranian Nation-State Groups' Use of Ransomware Highlights Continued Dominance of the Ransomware Threat

Six Iranian threat groups are deploying ransomware with the goal of disrupting their targets or collecting funds from them (5). PHOSPHORUS gained initial access by exploiting a vulnerability in Fortinet FortiOS SSL VPN (CVE-2018-13379) and, in the latter half of 2021, by targeting unpatched on-premises Exchange servers vulnerable to ProxyShell (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). After compromise, the actor moved laterally and deployed BitLocker to encrypt the victim's data and demand a ransom. Multiple Iranian groups are also moving away from unsolicited phishing emails towards targeted social engineering for user execution and credential theft.

Ransomware is, and will remain, the most significant cyber threat to public and private organizations. Iranian threat groups' use of ransomware reflects a growing emphasis on ransomware across threat groups (6), for both financial and non-financial motivations. This shift will continue because encrypting an organization's or individual's data is effective for both monetary and disruptive ends.

New & Noteworthy: U.S. Justice Department Charges Ukrainian and Russian Nationals in Continued Escalation Against Ransomware Threat

The U.S. Justice Department charged one Ukrainian and one Russian national for their involvement in deploying Sodinokibi/REvil ransomware against U.S. businesses and government entities (7). Yaroslav Vasinskyi, a Ukrainian national, and Yevgeniy Polyanin, a Russian national, have been charged with conducting ransomware attacks, including the Kaseya attack in July 2021 (8). The Department also seized $6.1 million USD traceable to ransom payments obtained by Polyanin. Vasinskyi was taken into custody in Poland and is awaiting extradition at the request of the U.S.; Polyanin remains at large.

The charges against Vasinskyi and Polyanin represent a continued escalation by the U.S. government in response to the ransomware threat. They are part of a larger effort by the U.S. government and the newly established Ransomware Task Force to directly disrupt and counter ransomware groups along four lines of effort (9). The U.S. Department of the Treasury sanctioned the cryptocurrency exchange SUEX in September for its role in facilitating financial transactions related to ransomware (10), showing the willingness of the U.S. to disrupt financial infrastructure used by ransomware groups. International partnerships are also key: the arrest of Vasinskyi involved multiple international partners, including Poland (7).

Appendix

  1. https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
  2. https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/
  3. https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/
  4. https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
  5. https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
  6. https://www.theguardian.com/uk-news/2021/oct/25/ransomware-attacks-in-uk-have-doubled-in-a-year-says-gchq-boss
  7. https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya
  8. https://us-cert.cisa.gov/kaseya-ransomware-attack
  9. https://www.whitehouse.gov/briefing-room/statements-releases/2021/10/13/fact-sheet-ongoing-public-u-s-efforts-to-counter-ransomware/
  10. https://home.treasury.gov/news/press-releases/jy0364

© 2014 – 2022 EclecticIQ B.V.