About a week ago, @TalosSecurity team shared some insights related to a recent cyber attack on @Cisco. According to Indicators of compromise, mentioned in this article (bit.ly/3K76lFJ), we have known this group of attackers since the beginning of 2022.
Group-IB's researchers has discovered their TTPs in a series of attacks using #CobaltStrike, #Sliver and #Covenant tools. Our internal name of this group is #TridentCrow.
One of the domains that was published by @Cisco (ciscovpn2[.]com) has a self-signed SSL certificate with unique values. According to Group-IB Threat Intelligence database, out of more than 2 billion certificates, only 39 have similar values and mimic well-known IT companies. 
Therefore we believe that these domains and certificates were registered by the same threat actors, that conducted the attack on #Cisco.
We are sharing these #IOCs here to warn companies that might become #TridentCrow's next targets @mozilla @citrix @Microsoft @Sophos @esetglobal @avast_ru @Broadcom @Fortinet @Acronis
If you need more data related to #TridentCrow, contact us.
#FightAgainstCybercrime
If you need more data related to #TridentCrow, contact us.
#FightAgainstCybercrime
firefoxupdaters1[.]com, 74627e3bac1a792baf5bafff050fddd37628a982
ciscovpn2[.]com, b3f77f63aa70adc87c668df272cd7163fd380115
cltrixworkspace4[.]com, 6bbc661d0420c39e266ab340efea5f8d7574679e
cltrixworkspace1[.]com, fe626b7e9005f497f09d271939a563e2f78354df
ciscovpn2[.]com, b3f77f63aa70adc87c668df272cd7163fd380115
cltrixworkspace4[.]com, 6bbc661d0420c39e266ab340efea5f8d7574679e
cltrixworkspace1[.]com, fe626b7e9005f497f09d271939a563e2f78354df
cltrixworkspace2[.]com, a2f6dd1966a2756a3cd69ebe63e73109e943aabb
rdpconnection[.]com, 9e091a85eee1863a0570a52366b486b0ba6b37e2
vpncltrlx[.]com, 5083b45dbf08e33f74a00272d96bd65005e2eb4b
firewallwithadvancedserurity[.]com, 8d1cb66245635d7593725d7578039e998c399f25
rdpconnection[.]com, 9e091a85eee1863a0570a52366b486b0ba6b37e2
vpncltrlx[.]com, 5083b45dbf08e33f74a00272d96bd65005e2eb4b
firewallwithadvancedserurity[.]com, 8d1cb66245635d7593725d7578039e998c399f25
updatevpncitrix[.]com, 229de6c69b5e681ec8f570e77f4bdc1b3a3ef526
edgeupdater[.]com, 17056aee4ebd30db96ddb40488de638b5195f9c8
mikrosoftupdate[.]com, 87a81e568873fa602aaaab1217d5c28f9935f033
browserupdeta[.]com, d158e3a1ee348b0a887944a9feb55a2895b9b25c
edgeupdater[.]com, 17056aee4ebd30db96ddb40488de638b5195f9c8
mikrosoftupdate[.]com, 87a81e568873fa602aaaab1217d5c28f9935f033
browserupdeta[.]com, d158e3a1ee348b0a887944a9feb55a2895b9b25c
vpnupdaters[.]com, 750885f0cef491da4d5728b6b924b8ee443dc6ad
edgebetaupdater[.]com, 7445b04c2f794befe9f48e00e256fd298cb3560b
edgemikrosoft[.]com, b8cb2539bf6ce24986afec6594949fddb17af515
citrixseruritys[.]com, 582b99ff9f6cd792989aca71762bb5e9b03072c5
edgebetaupdater[.]com, 7445b04c2f794befe9f48e00e256fd298cb3560b
edgemikrosoft[.]com, b8cb2539bf6ce24986afec6594949fddb17af515
citrixseruritys[.]com, 582b99ff9f6cd792989aca71762bb5e9b03072c5
sophospanels[.]com, 3a1ae94f863a3c9ebf498c56f3a9feef900882c9
sophospanels[.]com, 9a1bf15d4363da9d59f42ce8fbf4eeaa7119da47
citrixworcspace[.]com, 7c04f63b355a0f867b82d91231e1aad24837ba2d
ciscosecuritu[.]com, 93ce6b8e06eb2999e1b39b66535543e4249660d5
sophospanels[.]com, 9a1bf15d4363da9d59f42ce8fbf4eeaa7119da47
citrixworcspace[.]com, 7c04f63b355a0f867b82d91231e1aad24837ba2d
ciscosecuritu[.]com, 93ce6b8e06eb2999e1b39b66535543e4249660d5
edgeconnectlon[.]com, 26dd9b92ec48ecd4b462396ddadf30c7bd24e5cb
chromeinstallupdate[.]com, d985a0157bcd9252545ccfb9e8947cd1275d319a
ciscosecyrity[.]com, a6bd2f3a3e30864fc28fc46dd6620b17f609e451
nod32updater[.]com, dfeba2a6b6fb33de709cdcb48540248139b7e455
chromeinstallupdate[.]com, d985a0157bcd9252545ccfb9e8947cd1275d319a
ciscosecyrity[.]com, a6bd2f3a3e30864fc28fc46dd6620b17f609e451
nod32updater[.]com, dfeba2a6b6fb33de709cdcb48540248139b7e455
7zipupdate[.]com, 5494e2fe7a42c9fd69de79a21f84d7810b1107ab
sophossecurityt[.]com, 092a8e57c838c9b746f934cdcb9471492d2f99a3
avastsecurityt[.]com, 85f28f885d04bdd7cc33f253f9212016c6be1105
symantecsecurityt[.]com, e2c35ed7cc3cf1db9327c5553c71519fcbe9567e
sophossecurityt[.]com, 092a8e57c838c9b746f934cdcb9471492d2f99a3
avastsecurityt[.]com, 85f28f885d04bdd7cc33f253f9212016c6be1105
symantecsecurityt[.]com, e2c35ed7cc3cf1db9327c5553c71519fcbe9567e
sophossecurityservice[.]com, e71aee9a0f2f46db46f8877432b35cca2b1f7769
forticlientupdater[.]com, fcb2dc4efde1a9f450af263a9c8c230890f79099
acronisupdater[.]com, 95253ed4f7577063a175742df7e31b238eee284a
officeupdatenew[.]com, 505f8cc229a2d6532244422747d96860938f19cc
forticlientupdater[.]com, fcb2dc4efde1a9f450af263a9c8c230890f79099
acronisupdater[.]com, 95253ed4f7577063a175742df7e31b238eee284a
officeupdatenew[.]com, 505f8cc229a2d6532244422747d96860938f19cc
officeupdatenew[.]com, 868579feda85fcea23a65988a3f6bf35121b94ea
avupdatesecurity[.]com, 7c32edd581153d12910b5482b4940e943b528a87
avupdatesecurity[.]com, 8dfaf8e51104f2da0c49e3234ebea33752cd0dfd
More details➡️ bit.ly/3puV6xb
avupdatesecurity[.]com, 7c32edd581153d12910b5482b4940e943b528a87
avupdatesecurity[.]com, 8dfaf8e51104f2da0c49e3234ebea33752cd0dfd
More details➡️ bit.ly/3puV6xb
• • •
Missing some Tweet in this thread? You can try to
force a refresh
