To be specific, the use of a PositiveSSL certificate in conjunction with a Sharepoint-related string has been used several times previously by Fancy Bear and not widely seen elsewhere.
Notably, that was seen in several of the Fancy Bear domains spoofing NGOs that Microsoft sinkholed earlier this year, like soros-my-sharepoint[.]com and transparencyinternational-my-sharepoint[.]com.
That cubenergy-my-sharepoint[.]com domain led to another, dpkshodnya-my-sharepoint[.]com, by way of some initial redirect information. That domain also has that PositiveSSL certificate and Sharepoint string consistency.
That domain was initially registered using a barid[.]com email address. I then reviewed barid[.]com email registered domains using name servers that Fancy Bear has previously consistently used (like ITitch) and found those additional kub-gas[.]com and kvatral95[.]com domains.
Ultimately, none of these characteristics are definitively indicative of APT28 activity and we don't have any specific information on how the domains have been operationalized.
However, considering the possible targets that the domains spoof and given the aforementioned non-definitive consistencies, we assess with moderate confidence that the domains probably are associated with APT28 operations.
More information on how and against whom the identified infrastructure was operationalized could ultimately strengthen our assessment and increase our confidence in that attribution.
Should have included this originally, but this research leveraged capabilities from @DomainTools, @censysio, @urlscanio, @FarsightSecInc, and @PassiveTotal. Many thanks to you all for enabling this research.
Amazing work and congrats to you! One question, are you able to share how you discovered the registrant email addresses? Using what's at my disposal I'm not finding them. Thank you again for providing this info.
Thanks! Whenever I encounter protected domains, I'll look at the start of authority (SOA) record to see if that has an email. Ex: https://bgp.he.net/dns/kvatral95.com … For this I often use @henet, @DomainTools, and @PassiveTotal, with the latter two particularly useful for historical SOA info.
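The SOA pivot described in the reply above relies on the RNAME field, which encodes a mailbox as a domain name: the first label is the local part, and a literal dot inside it is escaped as `\.`. As an added example (not the thread author's code), the following parses SOA rdata in dig/zone-file presentation format and recovers the contact address; the sample records and names are constructed.

```python
import re
from typing import Optional

# Constructed sample SOA rdata (MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM).
# The RNAME stores a mailbox as a domain name; "john\.doe.example.test." means
# john.doe@example.test, and a bare "." means no contact was published.
SAMPLE_SOA = [
    "ns1.example-dns.test. hostmaster.example.test. 2019101501 7200 900 1209600 3600",
    "ns1.example-dns.test. john\\.doe.example.test. 1 3600 600 86400 60",
    "ns1.example-dns.test. . 1 3600 600 86400 60",
]

# Role mailboxes that most DNS providers fill in by default; they identify the
# hosting provider, not the registrant, so they carry no attribution signal.
GENERIC_LOCAL_PARTS = {"hostmaster", "postmaster", "dns", "admin", "root"}

def rname_to_email(rname: str) -> Optional[str]:
    """Convert an SOA RNAME to user@domain, or None if absent or malformed."""
    rname = rname.rstrip(".")
    if not rname:
        return None
    # Split on the first dot that is not preceded by a backslash: the local
    # part may itself contain escaped dots, the domain part may not.
    m = re.match(r"^((?:[^.\\]|\\.)+)\.(.+)$", rname)
    if not m:
        return None
    local = m.group(1).replace("\\.", ".")
    return f"{local}@{m.group(2)}"

def parse_soa(rdata: str) -> dict:
    """Parse one SOA rdata string into its fields plus the decoded email."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError("SOA rdata must have exactly 7 fields")
    email = rname_to_email(fields[1])
    local = email.split("@")[0] if email else ""
    return {
        "mname": fields[0].rstrip("."),
        "email": email,
        "serial": int(fields[2]),
        # Only a non-generic mailbox is worth pivoting on for registrant overlap.
        "pivot_worthy": bool(email) and local not in GENERIC_LOCAL_PARTS,
    }

if __name__ == "__main__":
    for rec in SAMPLE_SOA:
        print(parse_soa(rec))
```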