Cyber Threats 2021: A Year in Retrospect
Common Information
Type | Value |
---|---|
UUID | c549878e-858d-43a0-92c6-e20dd65bb56e |
Fingerprint | a86d95b4d550f3b213ce41f13dd47b184e0dcbefc423468f584e3d914d3b8ce9 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | April 26, 2022, 1:18 p.m. |
Added to db | April 14, 2024, 8:03 a.m. |
Last updated | Aug. 31, 2024, 8:16 a.m. |
Headline | Cyber Threats 2021: A Year in Retrospect |
Title | Cyber Threats 2021: A Year in Retrospect |
Detected Hints/Tags/Attributes | 485/4/218 |
Source URLs
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | CVE | 30 | cve-2013-3900 | |
Details | CVE | 71 | cve-2020-0688 | |
Details | CVE | 65 | cve-2021-1675 | |
Details | CVE | 91 | cve-2021-34527 | |
Details | CVE | 102 | cve-2021-40444 | |
Details | CVE | 397 | cve-2021-44228 | |
Details | CVE | 67 | cve-2021-45046 | |
Details | CVE | 18 | cve-2021-4104 | |
Details | CVE | 41 | cve-2021-45105 | |
Details | Domain | 7 | pwc.com | |
Details | Domain | 2 | micr0soft.com | |
Details | Domain | 1 | mail-mailbox-microsoft.com | |
Details | Domain | 24 | mega.io | |
Details | Domain | 317 | bit.ly | |
Details | Domain | 360 | attack.mitre.org | |
Details | Domain | 1373 | twitter.com | |
Details | Domain | 26 | www.lac.co.jp | |
Details | Domain | 36 | schemas.openxmlformats.org | |
Details | Domain | 19 | www.pwc.co.uk | |
Details | Domain | 403 | securelist.com | |
Details | Domain | 167 | www.ic3.gov | |
Details | Domain | 182 | www.mandiant.com | |
Details | Domain | 1 | ora.ox.ac.uk | |
Details | Domain | 46 | jsac.jpcert.or.jp | |
Details | Domain | 6 | rclone.org | |
Details | Domain | 4127 | github.com | |
Details | Domain | 141 | research.checkpoint.com | |
Details | Domain | 26 | www.technologyreview.com | |
Details | Domain | 397 | www.microsoft.com | |
Details | Domain | 62 | www.zerodayinitiative.com | |
Details | Domain | 251 | www.bleepingcomputer.com | |
Details | Domain | 452 | msrc.microsoft.com | |
Details | Domain | 10 | www.riskiq.com | |
Details | Domain | 23 | logging.apache.org | |
Details | Domain | 36 | www.volexity.com | |
Details | Domain | 67 | citizenlab.ca | |
Details | Domain | 55 | blog.google | |
Details | Domain | 262 | www.welivesecurity.com | |
Details | Domain | 20 | www.pwc.com | |
Details | File | 48 | applaunch.exe | |
Details | File | 1 | c:\windows\wmiad.dll | |
Details | File | 2 | wmiad.dll | |
Details | File | 11 | dropbox.exe | |
Details | File | 5 | 20201201_002363.html | |
Details | File | 12 | pe.dll | |
Details | File | 8 | pe.dat | |
Details | File | 10 | umworkerprocess.exe | |
Details | File | 58 | document.xml | |
Details | File | 1208 | powershell.exe | |
Details | File | 1018 | rundll32.exe | |
Details | File | 456 | mshta.exe | |
Details | File | 15 | document.url | |
Details | File | 55 | control.exe | |
Details | File | 4 | chasing-shadows.html | |
Details | File | 5 | 2020_ic3report.pdf | |
Details | File | 1 | jsac2021_202_niwayanagishita_en.pdf | |
Details | File | 64 | security.html | |
Details | Github username | 6 | fsecurelabs | |
Details | Github username | 1 | pwcuk-cto | |
Details | sha256 | 2 | 5eaaf8ac2d358c2d7065884b7994638fee3987f02474e54467f14b010a18d028 | |
Details | sha256 | 2 | d69d200513a173aff3a4b2474ccc11812115c38a5f27f7aafe98b813c3121208 | |
Details | sha256 | 1 | 94c7965e0fba7deb71ca0ff7901b1a1074b41140528ea5bc75a14dfbd3782c8b | |
Details | sha256 | 2 | 56e9b0c2b87d45ee0c109fb71d436621c7ada007f1bd3d43c3e8cf89c0182b90 | |
Details | sha256 | 1 | 8ef94327cab01af04a83df86a662f3abe9ae35aa1084eff7273d8292941bebdb | |
Details | sha256 | 1 | 69adaf19cc19594e0193da88597b6af886f1c0e148ad980fa0fe3f9250d52332 | |
Details | sha256 | 1 | 697be6add418ca9e1ebcef6cc6fdbb6277851e1892e48264b1e6720e48122c40 | |
Details | MITRE ATT&CK Techniques | 310 | T1566.001 | |
Details | MITRE ATT&CK Techniques | 542 | T1190 | |
Details | MITRE ATT&CK Techniques | 365 | T1204.002 | |
Details | MITRE ATT&CK Techniques | 333 | T1059.003 | |
Details | MITRE ATT&CK Techniques | 137 | T1059.005 | |
Details | MITRE ATT&CK Techniques | 106 | T1204.001 | |
Details | MITRE ATT&CK Techniques | 380 | T1547.001 | |
Details | MITRE ATT&CK Techniques | 275 | T1053.005 | |
Details | MITRE ATT&CK Techniques | 40 | T1221 | |
Details | MITRE ATT&CK Techniques | 627 | T1027 | |
Details | MITRE ATT&CK Techniques | 348 | T1036 | |
Details | MITRE ATT&CK Techniques | 297 | T1070.004 | |
Details | MITRE ATT&CK Techniques | 550 | T1112 | |
Details | MITRE ATT&CK Techniques | 585 | T1083 | |
Details | MITRE ATT&CK Techniques | 433 | T1057 | |
Details | MITRE ATT&CK Techniques | 230 | T1033 | |
Details | MITRE ATT&CK Techniques | 1006 | T1082 | |
Details | MITRE ATT&CK Techniques | 49 | T1074.001 | |
Details | MITRE ATT&CK Techniques | 219 | T1113 | |
Details | MITRE ATT&CK Techniques | 442 | T1071.001 | |
Details | MITRE ATT&CK Techniques | 99 | T1132.001 | |
Details | MITRE ATT&CK Techniques | 422 | T1041 | |
Details | MITRE ATT&CK Techniques | 46 | T1608 | |
Details | MITRE ATT&CK Techniques | 91 | T1620 | |
Details | MITRE ATT&CK Techniques | 19 | T1036.007 | |
Details | MITRE ATT&CK Techniques | 33 | T1614.001 | |
Details | MITRE ATT&CK Techniques | 42 | T1016.001 | |
Details | MITRE ATT&CK Techniques | 409 | T1566 | |
Details | MITRE ATT&CK Techniques | 420 | T1204 | |
Details | MITRE ATT&CK Techniques | 695 | T1059 | |
Details | MITRE ATT&CK Techniques | 207 | T1547 | |
Details | MITRE ATT&CK Techniques | 119 | T1049 | |
Details | MITRE ATT&CK Techniques | 86 | T1124 | |
Details | MITRE ATT&CK Techniques | 444 | T1071 | |
Details | MITRE ATT&CK Techniques | 96 | T1132 | |
Details | MITRE ATT&CK Techniques | 247 | T1070 | |
Details | MITRE ATT&CK Techniques | 534 | T1005 | |
Details | MITRE ATT&CK Techniques | 92 | T1048 | |
Details | MITRE ATT&CK Techniques | 172 | T1555 | |
Details | MITRE ATT&CK Techniques | 157 | T1560 | |
Details | MITRE ATT&CK Techniques | 14 | T1591 | |
Details | MITRE ATT&CK Techniques | 50 | T1592 | |
Details | MITRE ATT&CK Techniques | 34 | T1589 | |
Details | MITRE ATT&CK Techniques | 306 | T1078 | |
Details | MITRE ATT&CK Techniques | 36 | T1595 | |
Details | MITRE ATT&CK Techniques | 109 | T1210 | |
Details | MITRE ATT&CK Techniques | 159 | T1021 | |
Details | MITRE ATT&CK Techniques | 176 | T1135 | |
Details | MITRE ATT&CK Techniques | 492 | T1105 | |
Details | MITRE ATT&CK Techniques | 118 | T1570 | |
Details | MITRE ATT&CK Techniques | 179 | T1087 | |
Details | MITRE ATT&CK Techniques | 124 | T1482 | |
Details | MITRE ATT&CK Techniques | 16 | T1615 | |
Details | MITRE ATT&CK Techniques | 65 | T1069 | |
Details | MITRE ATT&CK Techniques | 125 | T1110 | |
Details | MITRE ATT&CK Techniques | 289 | T1003 | |
Details | MITRE ATT&CK Techniques | 67 | T1039 | |
Details | MITRE ATT&CK Techniques | 78 | T1548 | |
Details | MITRE ATT&CK Techniques | 208 | T1068 | |
Details | MITRE ATT&CK Techniques | 472 | T1486 | |
Details | MITRE ATT&CK Techniques | 159 | T1095 | |
Details | MITRE ATT&CK Techniques | 163 | T1573 | |
Details | MITRE ATT&CK Techniques | 152 | T1090 | |
Details | MITRE ATT&CK Techniques | 152 | T1056 | |
Details | Threat Actor Identifier - APT-C | 79 | APT-C-23 | |
Details | Threat Actor Identifier - APT | 132 | APT32 | |
Details | Threat Actor Identifier - APT | 121 | APT36 | |
Details | Threat Actor Identifier - APT | 522 | APT41 | |
Details | Threat Actor Identifier - APT | 277 | APT37 | |
Details | Threat Actor Identifier - APT | 16 | APT23 | |
Details | Threat Actor Identifier - APT | 278 | APT10 | |
Details | Url | 3 | https://attack.mitre.org/techniques/t1566/001 | |
Details | Url | 2 | https://attack.mitre.org/techniques/t1204/002 | |
Details | Url | 1 | https://attack.mitre.org/techniques/t1059/005 | |
Details | Url | 1 | https://attack.mitre.org/techniques/t1036/007 | |
Details | Url | 3 | https://attack.mitre | |
Details | Url | 1 | https://attack.mitre.org/techniques/t1608/001 | |
Details | Url | 3 | https://attack.mitre.org/techniques/t1547/001 | |
Details | Url | 1 | https://attack.mitre.org/techniques/t1620 | |
Details | Url | 12 | https://attack.mitre.org/techniques/t1082 | |
Details | Url | 4 | https://attack.mitre.org/techniques/t1049 | |
Details | Url | 4 | https://attack.mitre.org/techniques/t1033 | |
Details | Url | 4 | https://attack.mitre.org/techniques/t1124 | |
Details | Url | 6 | https://attack.mitre.org/techniques/t1071/001 | |
Details | Url | 6 | https://attack.mitre.org/techniques/t1132/001 | |
Details | Url | 7 | https://attack.mitre.org/techniques/t1041 | |
Details | Url | 5 | https://attack.mitre.org/techniques/t1070/004 | |
Details | Url | 7 | https://attack.mitre.org/techniques/t1083 | |
Details | Url | 7 | https://attack.mitre.org/techniques/t1005 | |
Details | Url | 1 | https://attack.mitre.org/techniques/t1048/003 | |
Details | Url | 1 | https://attack.mitre.org/techniques/t1555/003 | |
Details | Url | 4 | https://attack.mitre.org/techniques/t1560/001 | |
Details | Url | 1 | https://attack.mitre.org/techniques/t1591/004 | |
Details | Url | 1 | https://attack.mitre.org/techniques/t1592/002 | |
Details | Url | 1 | https://attack.mitre.org/techniques/t1589/001 | |
Details | Url | 1 | https://attack.mitre.org/techniques/t1078/003 | |
Details | Url | 1 | https://attack.mitre.org/techniques/t1595/002 | |
Details | Url | 1 | https://attack.mitre.org/techniques/t1210 | |
Details | Url | 4 | https://attack.mitre.org/techniques/t1021/001 | |
Details | Url | 4 | https://attack.mitre.org/techniques/t1135 | |
Details | Url | 10 | https://attack.mitre.org/techniques/t1105 | |
Details | Url | 5 | https://attack.mitre.org/techniques/t1570 | |
Details | Url | 4 | https://attack.mitre.org/techniques/t1087/002 | |
Details | Url | 5 | https://attack.mitre.org/techniques/t1482 | |
Details | Url | 1 | https://attack.mitre.org/techniques/t1615 | |
Details | Url | 2 | https://attack.mitre.org/techniques/t1069/002 | |
Details | Url | 3 | https://attack.mitre.org/techniques/t1110/004 | |
Details | Url | 2 | https://attack.mitre.org/techniques/t1003/006 | |
Details | Url | 2 | https://attack.mitre.org/techniques/t1078/002 | |
Details | Url | 3 | https://attack.mitre.org/techniques/t1039 | |
Details | Url | 4 | https://attack.mitre.org/techniques/t1548/002 | |
Details | Url | 2 | https://attack.mitre.org/techniques/t1027/002 | |
Details | Url | 2 | https://attack.mitre.org/techniques/t1027/004 | |
Details | Url | 2 | https://attack.mitre.org/techniques/t1068 | |
Details | Url | 9 | https://attack.mitre.org/techniques/t1486 | |
Details | Url | 1 | https://twitter.com/dtcert/status/1454022175254618114 | |
Details | Url | 5 | https://www.lac.co.jp/lacwatch/report/20201201_002363.html | |
Details | Url | 5 | http://schemas.openxmlformats.org/officedocument/2006/relationships/oleobject | |
Details | Url | 2 | https://www.pwc.co.uk/issues/cyber-security- | |
Details | Url | 1 | https://securelist.com/qakbot-technical-analysis/103931 | |
Details | Url | 2 | https://www.ic3.gov/media/pdf/annualreport/2020_ic3report.pdf | |
Details | Url | 7 | https://attack.mitre.org/techniques/t1078 | |
Details | Url | 1 | https://attack.mitre.org/techniques/t1056/003 | |
Details | Url | 1 | https://www.mandiant.com/resources/russian-targeting-gov-business | |
Details | Url | 1 | https://ora.ox.ac.uk/objects/uuid | |
Details | Url | 1 | https://jsac.jpcert.or.jp/archive/2021/pdf/jsac2021_202_niwayanagishita_en.pdf | |
Details | Url | 3 | https://rclone.org | |
Details | Url | 1 | https://github.com/fsecurelabs/c3 | |
Details | Url | 1 | https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central- | |
Details | Url | 1 | https://securelist.com/apt10-sophisticated-multi-layered-loader- | |
Details | Url | 1 | https://securelist.com/webinars/sas-2021-learning-to-chacha-with-apt41 | |
Details | Url | 1 | https://github.com/pwcuk-cto/thesas2021-red-kelpie | |
Details | Url | 1 | https://www.technologyreview.com/2021/09/23/1036140/2021- | |
Details | Url | 8 | https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers | |
Details | Url | 2 | https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-0-day-vulnerabilities | |
Details | Url | 2 | https://www.zerodayinitiative.com | |
Details | Url | 1 | https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange- | |
Details | Url | 4 | https://attack.mitre.org/tactics/ta0001 | |
Details | Url | 1 | https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901 | |
Details | Url | 2 | https://msrc.microsoft.com/update-guide/vulnerability/cve-2021-1675 | |
Details | Url | 5 | https://msrc.microsoft.com/update-guide/vulnerability/cve-2021-34527 | |
Details | Url | 1 | https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/#_technical_analysis:_ | |
Details | Url | 1 | https://www.riskiq.com/blog/external-threat-management/wizard-spider-windows-0day-exploit | |
Details | Url | 15 | https://logging.apache.org/log4j/2.x/security.html | |
Details | Url | 1 | https://www.microsoft.com/security/blog/2021/12/11/guidance- | |
Details | Url | 1 | https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims- | |
Details | Url | 1 | https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus | |
Details | Url | 2 | https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks | |
Details | Url | 1 | https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east- | |
Details | Windows Registry Key | 3 | HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows | |
Details | Windows Registry Key | 4 | HKLM\SYSTEM\CurrentControlSet\Control | |
Details | Yara rule | 1 | Red_Lich_Encoded_PlugX | |

The Yara rule recorded in the row above, restored from its single-line extraction to the rule's normal layout (text unchanged; comments added describe what each clause checks):

```yara
import "math"

rule Red_Lich_Encoded_PlugX : Red_Lich
{
    meta:
        description = "Detects PlugX payloads that have been encoded with a multi-byte XOR key (of varying length) that is stored at the start of the file. Many of these decoded payloads are associated with Mustang Panda."
        TLP = "WHITE"
        author = "PwC Cyber Threat Operations"
        copyright = "Copyright PwC UK 2021 (C)"
        created_date = "2021-03-31"
        modified_date = "2021-10-29"
        revision = "3"
        hash = "5eaaf8ac2d358c2d7065884b7994638fee3987f02474e54467f14b010a18d028"
        hash = "d69d200513a173aff3a4b2474ccc11812115c38a5f27f7aafe98b813c3121208"
        hash = "94c7965e0fba7deb71ca0ff7901b1a1074b41140528ea5bc75a14dfbd3782c8b"
        hash = "56e9b0c2b87d45ee0c109fb71d436621c7ada007f1bd3d43c3e8cf89c0182b90"
        reference = "https://twitter.com/dtcert/status/1454022175254618114"

    strings:
        $dos = "This program cannot be run in DOS mode."

    condition:
        // The encoded blob must not start with any of these known file-format magic values
        // (MZ, ELF, PK, PDF, OLE compound file, CAB and others)
        (
            uint16(0) != 0x5A4D and
            uint32(0) != 0x464c457f and
            uint32be(0) != 0x504B0304 and
            uint32be(0) != 0x41564620 and
            uint32be(0) != 0x414b504b and
            uint16be(0) != 0x4944 and
            uint8(2) != 0x33 and
            uint32be(0) != 0x25504446 and
            uint32be(0) != 0xd0cf11e0 and
            uint32be(0) != 0x4d534346 and
            uint32be(0) != 0x556e6974 and
            uint32be(0) != 0x38425053 and
            uint32be(0) != 0x63616666 and
            uint32be(0) != 0x64617461 and
            uint32be(0) != 0x664c6143 and
            uint32be(0) != 0x424b504b
        ) and
        // No plaintext DOS stub: the PE inside is still encoded
        (not $dos) and
        (filesize > 50KB and filesize < 800KB) and
        // A NUL-terminated key of 4 to 31 ASCII letters (A-Z, a-z) sits at offset 0
        for any i in (4 .. 0x1F) : (
            uint8(i) == 0x00 and
            for all j in (0 .. i - 1) : (
                for any k in (0x41 .. 0x5A) : ( uint8(j) == k ) or
                for any k in (0x61 .. 0x7A) : ( uint8(j) == k )
            )
        ) and
        // Whole-file entropy in the range typical of XOR-encoded (not compressed) data
        (math.entropy(0, filesize) >= 6.8 and math.entropy(0, filesize) < 7.9) and
        // The final 10 bytes are also ASCII letters
        for all i in (filesize - 10 .. filesize - 1) : (
            for any j in (0x41 .. 0x5A) : ( uint8(i) == j ) or
            for any j in (0x61 .. 0x7A) : ( uint8(i) == j )
        )
}
```