Our deception environments detected a recent attack, dating back to early February 2022, in which threat actors attempted to compromise Ukrainian government infrastructure. These actors exploited CVE-2021-4034 (PwnKit, a local privilege escalation vulnerability in Polkit's pkexec) in an attempt to run commands as privileged users. Find out more about the attack in our previous blog post.
These were the topics discussed in our recent webinar:
Technical Evidence of Attacks on Ukrainian Government Infrastructure
Uncovering Threat Actor Techniques
If you missed the webinar, you can register to watch it on demand here:
In this webinar, we presented an in-depth analysis of this attack with Nicole Carignan, CounterCraft Customer Success Manager, and David Barroso, CEO. Watch it and stay tuned for any updates on the intel gathered by the deception environment.
The IoCs from the attack were the following:
| Value | SHA-256 / network owner | Description |
|---|---|---|
| CVE-2021-4034 | a3c982eff2948f3dfbe97bdf3d631f8bb82c78e231b5f5978e4ef370fdc52174 | https://github.com/berdav/CVE-2021-4034 |
| PwnKit | 4dcae1bddfc3e2cb98eae84e86fb58ec14ea6ef00778ac5974c4ec526d3da31f | https://github.com/ly4k/PwnKit |
| привет.py | 23c17ac3e7acb1db22e8498b6ffcaed74e6beba8d2dc0ab5ac2d4fe9ae5a82c5 | Hello.py script |
| информация.py | 83050f289b33f9301497968ab9aac4948e98fdd3defacbe5870fa981fca1efb8 | Info.py script |
| Stealth_ShellBot.pl | b9e059e282500571ffec2442fcd3c04071ee7a08f7bc43757bd5346fc52e1571 | Perl IRC script |
| 45.9.148.99 | Nice IT Customers Network – Kimon S. – 28 Cork Street, Roseau, Dominica | IRC server |
| 209.141.32.204 | FranTech Solutions – Francisco Dias – 1621 Central Ave, Cheyenne, WY | Compromised host used for staging |
If you register for the webinar, you will automatically receive any new intel we pick up regarding this situation. You can also follow our LinkedIn for updates.