What we're seeing today: 26 Feb 2021


Today's activity has been moderate but lower than yesterday.



Activity Observations

  • Noted APT28 activity from a previously active address that has picked up and increased tenfold today

  • Noted multiple DNS manipulations occurring on software installations. This is indicative that DNS is being weaponized to infect end users. Remember we have been warning about the supply chain attacks that utilize DNS and CDNs to infect massive numbers of users.

  • Still seeing Cobalt Strike activity; noted at least 22 different servers running today and were able to add them to our threat intelligence platform

  • CVE-2021-21972 is actively being exploited

  • Over 200 new botnet addresses were discovered after a flaw in the code allowed us to use Google to find a list of C2 servers; we love it when threat actors can't spell, or can't spell frequently used terms

  • Still seeing MassLogger activity

  • Still seeing Instagram phishing; it looks like the threat actor is trying to target specific high-profile accounts that are verified

  • We are also seeing stimulus- and tax-themed targeted phishing

We are still seeing fallout and additional confirmations of incidents from the supply chain attacks that were tied to SolarWinds. We still believe that DNS hijacking, CDN attacks and DNS manipulation allowed many of these attacks to take place. In fact, we actively detected and stopped a Microsoft login domain being manipulated on a large network this past week, as well as on a few ISPs, which indicates this is a much larger issue.




This report may be updated in the next couple of hours with additional information, as analysts are currently reviewing new detections and activity of interest.


In addition, we added the following documents for reference:

Added 3 documents to our library, including the NSA Zero Trust publication and the Cisco critical vulnerability.



Other Notes

Nothing additional today


Last Updated: 3:39 PM EST



