About a week ago, the @TalosSecurity team shared some insights related to a recent cyber attack on @Cisco. According to the indicators of compromise mentioned in this article (bit.ly/3K76lFJ), we have known this group of attackers since the beginning of 2022.
Group-IB's researchers have discovered their TTPs in a series of attacks using the #CobaltStrike, #Sliver and #Covenant tools. Our internal name for this group is #TridentCrow.
One of the domains that was published by @Cisco (ciscovpn2[.]com) has a self-signed SSL certificate with unique values. According to the Group-IB Threat Intelligence database, out of more than 2 billion certificates, only 39 have similar values, and they mimic well-known IT companies.
Therefore we believe that these domains and certificates were registered by the same threat actors that conducted the attack on #Cisco.
We are sharing these #IOCs here to warn companies that might become #TridentCrow's next targets @mozilla @citrix @Microsoft @Sophos @esetglobal @avast_ru @Broadcom @Fortinet @Acronis

If you need more data related to #TridentCrow, contact us.

#FightAgainstCybercrime
Domain, certificate fingerprint:

firefoxupdaters1[.]com, 74627e3bac1a792baf5bafff050fddd37628a982
ciscovpn2[.]com, b3f77f63aa70adc87c668df272cd7163fd380115
cltrixworkspace4[.]com, 6bbc661d0420c39e266ab340efea5f8d7574679e
cltrixworkspace1[.]com, fe626b7e9005f497f09d271939a563e2f78354df
cltrixworkspace2[.]com, a2f6dd1966a2756a3cd69ebe63e73109e943aabb
rdpconnection[.]com, 9e091a85eee1863a0570a52366b486b0ba6b37e2
vpncltrlx[.]com, 5083b45dbf08e33f74a00272d96bd65005e2eb4b
firewallwithadvancedserurity[.]com, 8d1cb66245635d7593725d7578039e998c399f25
updatevpncitrix[.]com, 229de6c69b5e681ec8f570e77f4bdc1b3a3ef526
edgeupdater[.]com, 17056aee4ebd30db96ddb40488de638b5195f9c8
mikrosoftupdate[.]com, 87a81e568873fa602aaaab1217d5c28f9935f033
browserupdeta[.]com, d158e3a1ee348b0a887944a9feb55a2895b9b25c
vpnupdaters[.]com, 750885f0cef491da4d5728b6b924b8ee443dc6ad
edgebetaupdater[.]com, 7445b04c2f794befe9f48e00e256fd298cb3560b
edgemikrosoft[.]com, b8cb2539bf6ce24986afec6594949fddb17af515
citrixseruritys[.]com, 582b99ff9f6cd792989aca71762bb5e9b03072c5
sophospanels[.]com, 3a1ae94f863a3c9ebf498c56f3a9feef900882c9
sophospanels[.]com, 9a1bf15d4363da9d59f42ce8fbf4eeaa7119da47
citrixworcspace[.]com, 7c04f63b355a0f867b82d91231e1aad24837ba2d
ciscosecuritu[.]com, 93ce6b8e06eb2999e1b39b66535543e4249660d5
edgeconnectlon[.]com, 26dd9b92ec48ecd4b462396ddadf30c7bd24e5cb
chromeinstallupdate[.]com, d985a0157bcd9252545ccfb9e8947cd1275d319a
ciscosecyrity[.]com, a6bd2f3a3e30864fc28fc46dd6620b17f609e451
nod32updater[.]com, dfeba2a6b6fb33de709cdcb48540248139b7e455
7zipupdate[.]com, 5494e2fe7a42c9fd69de79a21f84d7810b1107ab
sophossecurityt[.]com, 092a8e57c838c9b746f934cdcb9471492d2f99a3
avastsecurityt[.]com, 85f28f885d04bdd7cc33f253f9212016c6be1105
symantecsecurityt[.]com, e2c35ed7cc3cf1db9327c5553c71519fcbe9567e
sophossecurityservice[.]com, e71aee9a0f2f46db46f8877432b35cca2b1f7769
forticlientupdater[.]com, fcb2dc4efde1a9f450af263a9c8c230890f79099
acronisupdater[.]com, 95253ed4f7577063a175742df7e31b238eee284a
officeupdatenew[.]com, 505f8cc229a2d6532244422747d96860938f19cc
officeupdatenew[.]com, 868579feda85fcea23a65988a3f6bf35121b94ea
avupdatesecurity[.]com, 7c32edd581153d12910b5482b4940e943b528a87
avupdatesecurity[.]com, 8dfaf8e51104f2da0c49e3234ebea33752cd0dfd
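As an added example (not part of the Group-IB thread), the script below parses the list above in its defanged "domain, fingerprint" form and matches it against TLS telemetry, flagging a connection when either the requested server name or the fingerprint of the presented certificate is on the list. Matching on the certificate as well as the domain matters because the same self-signed certificate can be served under a name that is not yet on any list. The log records are constructed samples, and their field names (src, sni, fingerprint) are assumptions loosely modelled on a Zeek ssl.log joined with x509.log; treating the 40-hex values as SHA-1 thumbprints is likewise an assumption based only on their length.

```python
import re
from typing import Dict, List, Set, Tuple

# IOC list exactly as published in the thread: "defanged domain, certificate fingerprint".
TRIDENTCROW_IOCS = """
firefoxupdaters1[.]com, 74627e3bac1a792baf5bafff050fddd37628a982
ciscovpn2[.]com, b3f77f63aa70adc87c668df272cd7163fd380115
cltrixworkspace4[.]com, 6bbc661d0420c39e266ab340efea5f8d7574679e
cltrixworkspace1[.]com, fe626b7e9005f497f09d271939a563e2f78354df
cltrixworkspace2[.]com, a2f6dd1966a2756a3cd69ebe63e73109e943aabb
rdpconnection[.]com, 9e091a85eee1863a0570a52366b486b0ba6b37e2
vpncltrlx[.]com, 5083b45dbf08e33f74a00272d96bd65005e2eb4b
firewallwithadvancedserurity[.]com, 8d1cb66245635d7593725d7578039e998c399f25
updatevpncitrix[.]com, 229de6c69b5e681ec8f570e77f4bdc1b3a3ef526
edgeupdater[.]com, 17056aee4ebd30db96ddb40488de638b5195f9c8
mikrosoftupdate[.]com, 87a81e568873fa602aaaab1217d5c28f9935f033
browserupdeta[.]com, d158e3a1ee348b0a887944a9feb55a2895b9b25c
vpnupdaters[.]com, 750885f0cef491da4d5728b6b924b8ee443dc6ad
edgebetaupdater[.]com, 7445b04c2f794befe9f48e00e256fd298cb3560b
edgemikrosoft[.]com, b8cb2539bf6ce24986afec6594949fddb17af515
citrixseruritys[.]com, 582b99ff9f6cd792989aca71762bb5e9b03072c5
sophospanels[.]com, 3a1ae94f863a3c9ebf498c56f3a9feef900882c9
sophospanels[.]com, 9a1bf15d4363da9d59f42ce8fbf4eeaa7119da47
citrixworcspace[.]com, 7c04f63b355a0f867b82d91231e1aad24837ba2d
ciscosecuritu[.]com, 93ce6b8e06eb2999e1b39b66535543e4249660d5
edgeconnectlon[.]com, 26dd9b92ec48ecd4b462396ddadf30c7bd24e5cb
chromeinstallupdate[.]com, d985a0157bcd9252545ccfb9e8947cd1275d319a
ciscosecyrity[.]com, a6bd2f3a3e30864fc28fc46dd6620b17f609e451
nod32updater[.]com, dfeba2a6b6fb33de709cdcb48540248139b7e455
7zipupdate[.]com, 5494e2fe7a42c9fd69de79a21f84d7810b1107ab
sophossecurityt[.]com, 092a8e57c838c9b746f934cdcb9471492d2f99a3
avastsecurityt[.]com, 85f28f885d04bdd7cc33f253f9212016c6be1105
symantecsecurityt[.]com, e2c35ed7cc3cf1db9327c5553c71519fcbe9567e
sophossecurityservice[.]com, e71aee9a0f2f46db46f8877432b35cca2b1f7769
forticlientupdater[.]com, fcb2dc4efde1a9f450af263a9c8c230890f79099
acronisupdater[.]com, 95253ed4f7577063a175742df7e31b238eee284a
officeupdatenew[.]com, 505f8cc229a2d6532244422747d96860938f19cc
officeupdatenew[.]com, 868579feda85fcea23a65988a3f6bf35121b94ea
avupdatesecurity[.]com, 7c32edd581153d12910b5482b4940e943b528a87
avupdatesecurity[.]com, 8dfaf8e51104f2da0c49e3234ebea33752cd0dfd
"""

# 40 hex characters, i.e. SHA-1 length; that the values are SHA-1 thumbprints is an assumption.
FINGERPRINT_RE = re.compile(r"[0-9a-f]{40}")


def refang(domain: str) -> str:
    """Turn the defanged 'example[.]com' form into a lowercase hostname without a trailing dot."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AA:BB:...', 'aabb...' or 'AABB...' and return lowercase hex with no separators."""
    return fp.strip().lower().replace(":", "").replace(" ", "")


def parse_ioc_list(text: str) -> Tuple[Set[str], Dict[str, str]]:
    """Return (set of domains, fingerprint -> domain it was listed with).

    Malformed lines raise instead of being skipped, so a typo in a watchlist
    never silently drops an indicator.
    """
    domains: Set[str] = set()
    fingerprints: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "," not in line:
            raise ValueError(f"expected 'domain, fingerprint': {line!r}")
        dom, fp = (part.strip() for part in line.split(",", 1))
        fp = normalize_fingerprint(fp)
        if not FINGERPRINT_RE.fullmatch(fp):
            raise ValueError(f"bad fingerprint: {line!r}")
        domains.add(refang(dom))
        fingerprints[fp] = refang(dom)
    return domains, fingerprints


# Constructed sample events, not real telemetry. Field names are assumptions:
# the SNI the client requested and the fingerprint of the certificate the server sent.
SAMPLE_TLS_EVENTS: List[Dict[str, str]] = [
    {"src": "10.0.0.12", "sni": "ciscovpn2.com",
     "fingerprint": "B3:F7:7F:63:AA:70:AD:C8:7C:66:8D:F2:72:CD:71:63:FD:38:01:15"},
    {"src": "10.0.0.31", "sni": "vpn.example.com",
     "fingerprint": "0000000000000000000000000000000000000000"},
    # Listed certificate served under an unlisted name: the fingerprint still catches it.
    {"src": "10.0.0.44", "sni": "cdn.example.net",
     "fingerprint": "8d1cb66245635d7593725d7578039e998c399f25"},
    # Listed domain with no certificate captured (e.g. handshake not completed).
    {"src": "10.0.0.57", "sni": "edgeupdater.com.", "fingerprint": ""},
]


def match_events(events: List[Dict[str, str]], domains: Set[str],
                 fingerprints: Dict[str, str]) -> List[Dict[str, str]]:
    """Flag every event whose SNI or certificate fingerprint is on the IOC list."""
    hits = []
    for ev in events:
        sni = refang(ev.get("sni", ""))
        fp = normalize_fingerprint(ev.get("fingerprint", ""))
        reasons = []
        if sni in domains:
            reasons.append(f"domain:{sni}")
        if fp in fingerprints:
            reasons.append(f"certificate:{fp} (listed for {fingerprints[fp]})")
        if reasons:
            hits.append({"src": ev.get("src", "?"), "sni": sni, "reasons": "; ".join(reasons)})
    return hits


def scan_sample() -> List[Dict[str, str]]:
    domains, fingerprints = parse_ioc_list(TRIDENTCROW_IOCS)
    return match_events(SAMPLE_TLS_EVENTS, domains, fingerprints)


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"{hit['src']} -> {hit['sni']}: {hit['reasons']}")
```

The parser is strict on purpose: an indicator that fails to parse should stop the load rather than vanish from the watchlist, and both the domain and the fingerprint are normalized before comparison so that defanging, case and colon-separated thumbprints never cause a miss.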

More details ➡️ bit.ly/3puV6xb
