
Anonymous Sudan Continues to Attack
The world of cyberattacks continues to evolve with the emergence of new hacktivist groups that target different countries for various political reasons. One such group that has been making headlines is Anonymous Sudan, which is affiliated with the pro-Russian hacktivist group KillNet.
Indicators of Compromise
Domains (8)
secnoticeview.do
w32.00ab15b194-95.sbx.tg
bafybeig4warxkemgy6mdzooxeeuglstk6idtz5dinm7yayeazximd3azai.ipfs.w3s.link
strivemktsupporters.com
85.lp.ret.sbx.tg
secinfoview.do
client.smscredit.lv
40gmail.com
Hashes (288)
IPv4 (150)
139.180.193.182
119.207.79.175
154.215.96.211
185.220.102.253
92.255.85.135
185.100.87.133
23.129.64.147
45.32.121.100
103.120.82.243
211.110.1.17
23.129.64.149
45.227.72.50
185.220.100.242
8.208.94.94
5.181.4.59
103.231.14.171
103.133.139.29
114.207.112.19
164.92.218.139
81.17.18.58
+130 more
CVEs (6)
CVE-2022-42889
CVE-2021-26606
CVE-2022-32894
CVE-2022-42827
CVE-2022-32917
CVE-2022-3602
APT Groups
Killnet
Russian Federation
Anonymous Sudan
Notes
<div><b>How to Prevent a Killnet Attack</b></div><div><br></div><div>Two defensive measures matter most. The first is a strong password policy (and, better, key-based or MFA-protected remote authentication) that withstands basic brute-force credential attacks; the second is a prepared and tested strategy for absorbing DDoS traffic.</div><div><br></div><div>The other defensive tactics are listed below:</div><div><br></div><div><ul><li>Purchase DDoS mitigation services from an Internet Service Provider (ISP), Content Delivery Network (CDN), or Web Application Firewall (WAF) provider.</li><li>Require multi-factor authentication (MFA) for all remote access.</li><li>Blocklist known Killnet-related IoCs, such as the IP addresses seen in Killnet attacks, at the network edge. Stresser-for-hire traffic comes from rotating sources, so a static blocklist supplements rate limiting rather than replacing it.</li><li>Place internet-facing systems in a DMZ (Demilitarized Zone) segmented from internal networks.</li><li>Employ DDoS protection that includes web bot detection.</li><li>Reduce the attack surface; an Attack Surface Management (ASM) platform helps inventory exposed assets.</li><li>Subscribe to cyber threat intelligence (CTI) feeds that monitor dark web and Telegram channels to identify and anticipate threats and provide actionable intelligence for your organization.</li><li>Configure web servers and APIs with rate limiting, connection limits and request timeouts so they degrade gracefully during a traffic spike.</li><li>Stress-test all critical services for their ability to handle resource exhaustion attacks.</li><li>Create and rehearse an Incident Response Plan (IRP) for the worst case, including temporary downtime.</li></ul></div><div><div><b>Learn What Hackers Talk About Your Company With SOCRadar</b></div><div><br></div><div>Because Telegram is a legitimate messaging app used by millions, it gives hackers cover to conceal themselves and pursue their agenda. More and more threat actors use Telegram for communication and announcements, and it has become the main hub for threat actors.</div></div>
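The blocklisting step above is easy to get wrong when indicators are pasted straight from a feed into a firewall: duplicates, malformed entries and overlapping ranges all need handling. The following is an added example (not code from this page or from SOCRadar) that validates an IoC list, collapses it into non-overlapping IPv4 networks and renders an nftables set with a drop rule. Three of the addresses come from the IPv4 list on this page; the 203.0.113.0/24 range, the malformed entry, the set name killnet_iocs and the table name are assumptions chosen for illustration.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample input: three indicators from this page's IPv4 list, plus an
# assumed /24 from the RFC 5737 documentation range, a malformed entry that must be
# reported rather than silently dropped, and a duplicate that must be collapsed.
SAMPLE_IOCS = [
    "185.220.102.253",
    "23.129.64.147",
    "185.100.87.133",
    "203.0.113.0/24",      # assumption: hypothetical range, not from the page
    "not-an-ip",           # malformed on purpose
    "185.220.102.253",     # duplicate on purpose
]


def parse_iocs(raw: Iterable[str]) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Parse indicator strings into IPv4 networks.

    Returns (networks, rejected): networks is de-duplicated and merged so that no
    two entries overlap; rejected holds every entry that was not a valid IPv4
    address or CIDR, so a bad feed line is visible instead of quietly ignored.
    """
    networks, rejected = [], []
    for entry in raw:
        entry = entry.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)  # host IPs become /32
        except ValueError:
            rejected.append(entry)
            continue
        if net.version != 4:
            rejected.append(entry)
            continue
        networks.append(net)
    # collapse_addresses drops duplicates and merges adjacent or contained ranges
    return list(ipaddress.collapse_addresses(networks)), rejected


def render_nft_set(networks, set_name: str = "killnet_iocs", table: str = "inet filter") -> str:
    """Render an nftables table with an interval set and a counting drop rule."""
    elements = ", ".join(str(n) for n in networks)
    return (
        f"table {table} {{\n"
        f"    set {set_name} {{\n"
        f"        type ipv4_addr\n"
        f"        flags interval\n"
        f"        elements = {{ {elements} }}\n"
        f"    }}\n"
        f"    chain input {{\n"
        f"        type filter hook input priority 0; policy accept;\n"
        f"        ip saddr @{set_name} counter drop\n"
        f"    }}\n"
        f"}}\n"
    )


def is_blocked(ip: str, networks) -> bool:
    """True if the source address falls inside any blocklisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)


if __name__ == "__main__":
    nets, bad = parse_iocs(SAMPLE_IOCS)
    print(render_nft_set(nets))
    print("rejected entries:", bad)
    print("185.220.102.253 blocked:", is_blocked("185.220.102.253", nets))
    print("198.51.100.7 blocked:", is_blocked("198.51.100.7", nets))
```

The rendered ruleset is meant to be written to a file and loaded with `nft -f`; the counter on the drop rule is what tells you, during an incident, whether the feed is actually matching traffic. Keep the chain policy at accept so the blocklist only ever subtracts traffic, and pair it with rate limiting, since the source addresses used by rented stressers change faster than any feed is updated.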
Mitigation
<div><strong>MITRE ATT&amp;CK Map</strong></div><table><tbody><tr><td><strong>Reconnaissance</strong></td><td><strong>Resource Development</strong></td><td><strong>Credential Access</strong></td><td><strong>Impact</strong></td></tr><tr><td>T1595: Active Scanning</td><td>T1583: Acquire Infrastructure</td><td>T1110: Brute Force</td><td>T1498: Network Denial of Service</td></tr><tr><td>T1589: Gather Victim Identity Information</td><td>T1584: Compromise Infrastructure</td><td></td><td>T1489: Service Stop</td></tr></tbody></table><br><div><div><b>Primary Killnet Tactics</b></div><div><br></div><div>Brute-force dictionary attacks against:</div><div><ul><li>SSH (port 22), primarily targeting the root account</li><li>Minecraft and TeamSpeak servers</li></ul></div><div>DDoS attacks at two layers of the OSI model:</div><div><ul><li>Layer 4: SYN flood attacks</li><li>Layer 7: high volumes of POST/GET requests, causing resource exhaustion and system failure</li></ul></div><div>The two layers call for different defenses. A SYN flood never completes the TCP handshake, so SYN cookies and upstream scrubbing absorb it; a layer 7 flood completes the TCP and TLS handshakes and looks like legitimate requests, so it has to be cut off by per-client rate limiting and bot detection at the application or CDN tier.</div><div><br></div><div>In various Telegram groups they coordinate with members, who are instructed to use IP stresser-for-hire tools such as Crypto Stresser, DDG Stresser, Instant-Stresser, and Stresser.ai. Several scripts are also used during their attacks, among them CC-attack, MDDoS, Low Orbit Ion Cannon (LOIC), KARMA, and Dummy.</div></div>
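Both tactics above, brute-forcing root over SSH (T1110) and layer 7 GET/POST floods (T1498), leave the same signature in ordinary logs: one source producing far more events than a legitimate client would inside a short window. The following is an added example, not code from this page or from any SOCRadar product, that runs a per-source sliding-window counter over sshd and nginx-style access log lines. The log lines are constructed, the addresses come from the RFC 5737 documentation ranges, and the thresholds (5 failed root logins per minute, 100 requests per 10 seconds) are illustrative defaults that should be tuned to the service.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sshd log excerpt (not real data). 198.51.100.23 hammers root; 192.0.2.10 is an
# operator who mistyped a password twice, minutes apart, and must not be flagged.
SSHD_LOG = """\
2023-06-01T10:00:01Z sshd[1201]: Failed password for root from 198.51.100.23 port 51112 ssh2
2023-06-01T10:00:02Z sshd[1202]: Failed password for root from 198.51.100.23 port 51113 ssh2
2023-06-01T10:00:02Z sshd[1203]: Failed password for root from 198.51.100.23 port 51114 ssh2
2023-06-01T10:00:03Z sshd[1204]: Failed password for invalid user admin from 198.51.100.23 port 51115 ssh2
2023-06-01T10:00:04Z sshd[1205]: Failed password for root from 198.51.100.23 port 51116 ssh2
2023-06-01T10:00:05Z sshd[1206]: Failed password for root from 198.51.100.23 port 51117 ssh2
2023-06-01T10:00:09Z sshd[1207]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
2023-06-01T10:00:10Z sshd[1208]: Failed password for root from 192.0.2.10 port 40001 ssh2
2023-06-01T10:03:00Z sshd[1209]: Failed password for root from 192.0.2.10 port 40002 ssh2
"""

SSHD_FAIL_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)
# nginx/Apache "combined" format: client, ident, user, [timestamp], "METHOD path proto", ...
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ')


def _build_access_log() -> str:
    """Constructed access log: 120 POSTs from one client in 6 seconds plus 3 normal GETs."""
    base = datetime(2023, 6, 1, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = [
        f'203.0.113.5 - - [{(base + timedelta(milliseconds=50 * i)).strftime(fmt)}] '
        f'"POST /login HTTP/1.1" 200 512 "-" "python-requests/2.31"'
        for i in range(120)
    ]
    lines += [
        f'192.0.2.44 - - [{(base + timedelta(seconds=2 * i)).strftime(fmt)}] '
        f'"GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'
        for i in range(3)
    ]
    return "\n".join(lines)


ACCESS_LOG = _build_access_log()


def sliding_window_hits(events, window: timedelta, threshold: int) -> dict:
    """events: iterable of (timestamp, source). Returns {source: peak count} for every
    source whose event count inside some interval of length `window` reached `threshold`."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:          # evict events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


def ssh_root_bruteforce(log_text: str, window=timedelta(seconds=60), threshold=5) -> dict:
    """T1110 against root: sources with >= threshold failed root logins inside `window`."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_FAIL_RE.match(line)
        if m and m.group(2) == "root":     # drop the user check to catch spraying of any account
            events.append((datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(3)))
    return sliding_window_hits(events, window, threshold)


def http_flood(log_text: str, window=timedelta(seconds=10), threshold=100) -> dict:
    """T1498 at layer 7: sources issuing >= threshold GET/POST requests inside `window`."""
    events = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(3) in ("GET", "POST"):
            events.append((datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(1)))
    return sliding_window_hits(events, window, threshold)


if __name__ == "__main__":
    print("SSH brute force against root:", ssh_root_bruteforce(SSHD_LOG))
    print("Layer 7 flood sources:", http_flood(ACCESS_LOG))
```

The same counter serves both detections because the difference is only in the parser and the thresholds. Per-source counting is blind to a distributed flood where each rented stresser node stays under the threshold, so in practice the layer 7 check is complemented by a global request-rate alarm and by the rate limits enforced at the web server or CDN; the SSH check is best treated as confirmation that PermitRootLogin no and MFA are doing their job rather than as the primary control.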