Ember Bear
Associated Group Descriptions

Name | Description
---|---
DEV-0586 | (Citation: Cadet Blizzard emerges as novel threat actor)
Cadet Blizzard | (Citation: Cadet Blizzard emerges as novel threat actor)
Frozenvista | (Citation: CISA GRU29155 2024)
UAC-0056 | (Citation: CISA GRU29155 2024)
Bleeding Bear | (Citation: CrowdStrike Ember Bear Profile March 2022)
UNC2589 | (Citation: Mandiant UNC2589 March 2022)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | Ember Bear has used virtual private servers (VPSs) to host tools, perform reconnaissance, exploit victim infrastructure, and as a destination for data exfiltration.(Citation: CISA GRU29155 2024)
Enterprise | T1595.001 | Active Scanning: Scanning IP Blocks | Ember Bear has targeted IP ranges for vulnerability scanning related to government and critical infrastructure organizations.(Citation: CISA GRU29155 2024)
Enterprise | T1595.002 | Active Scanning: Vulnerability Scanning | Ember Bear has used publicly available tools such as MASSCAN and Acunetix for vulnerability scanning of public-facing infrastructure.(Citation: CISA GRU29155 2024)
Enterprise | T1071.004 | Application Layer Protocol: DNS | Ember Bear has used DNS tunnelling tools, such as dnscat/2 and Iodine, for C2 purposes.(Citation: CISA GRU29155 2024)
Enterprise | T1110.003 | Brute Force: Password Spraying | Ember Bear has conducted password spraying against Outlook Web Access (OWA) infrastructure to identify valid user names and passwords.(Citation: CISA GRU29155 2024)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Ember Bear has used PowerShell commands to gather information from compromised systems, such as email servers.(Citation: CISA GRU29155 2024) Ember Bear has also used PowerShell to download and execute malicious code.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Ember Bear has used `cmd.exe` and Windows Script Host (wscript) to execute malicious code.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Ember Bear has used JavaScript to execute malicious code on a victim's machine.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1491.002 | Defacement: External Defacement | Ember Bear is linked to the defacement of several Ukrainian organization websites.(Citation: Cadet Blizzard emerges as novel threat actor)
Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | Ember Bear conducted destructive operations against victims, including disk structure wiping, via the WhisperGate malware in Ukraine.(Citation: Cadet Blizzard emerges as novel threat actor)
Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Ember Bear has used tools such as Rclone to exfiltrate information from victim environments to cloud storage such as `mega.nz`.(Citation: CISA GRU29155 2024)
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Ember Bear uses the NirSoft AdvancedRun utility to disable Microsoft Defender Antivirus by stopping the WinDefend service on victim machines, and also disables Windows Defender via registry key changes.(Citation: Cadet Blizzard emerges as novel threat actor) Ember Bear has executed a batch script designed to disable Windows Defender on a compromised host.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1070.004 | Indicator Removal: File Deletion | Ember Bear deletes files related to lateral movement to avoid detection.(Citation: Cadet Blizzard emerges as novel threat actor)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Ember Bear has renamed tools to match legitimate utilities, such as renaming GOST tunneling instances to `java` in victim environments.(Citation: CISA GRU29155 2024)
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Ember Bear uses legitimate Sysinternals tools such as procdump to dump LSASS memory.(Citation: Cadet Blizzard emerges as novel threat actor)(Citation: CISA GRU29155 2024)
Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | Ember Bear acquires victim credentials by extracting registry hives such as the Security Account Manager through commands such as
Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | Ember Bear has used frameworks such as Impacket to dump LSA secrets for credential capture.(Citation: CISA GRU29155 2024)
Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | Ember Bear has added extra spaces between JavaScript code characters to increase the overall file size.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Ember Bear has packed malware to help avoid detection.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1588.001 | Obtain Capabilities: Malware | Ember Bear has acquired malware and related tools from dark web forums.(Citation: CISA GRU29155 2024)
Enterprise | T1588.002 | Obtain Capabilities: Tool | Ember Bear has obtained and used open source scripts from GitHub.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1588.003 | Obtain Capabilities: Code Signing Certificates | Ember Bear has stolen legitimate certificates to sign malicious payloads.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1588.005 | Obtain Capabilities: Exploits | Ember Bear has obtained exploitation scripts against publicly disclosed vulnerabilities from public repositories.(Citation: CISA GRU29155 2024)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Ember Bear has sent spearphishing emails containing malicious attachments in the form of PDFs, Word documents, JavaScript files, and Control Panel File (CPL) executables.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1566.002 | Phishing: Spearphishing Link | Ember Bear has sent spearphishing emails containing malicious links.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1090.003 | Proxy: Multi-hop Proxy | Ember Bear has configured multi-hop proxies via ProxyChains within victim environments.(Citation: CISA GRU29155 2024)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Ember Bear uses remotely scheduled tasks to facilitate remote command execution on victim machines.(Citation: Cadet Blizzard emerges as novel threat actor)
Enterprise | T1505.003 | Server Software Component: Web Shell | Ember Bear deploys web shells following initial access for either follow-on command execution or protocol tunneling. Example web shells used by Ember Bear include P0wnyshell, reGeorg, P.A.S. Webshell, and custom variants of publicly available web shell examples.(Citation: Cadet Blizzard emerges as novel threat actor)(Citation: CISA GRU29155 2024)
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Ember Bear has used stolen certificates from Electrum Technologies GmbH to sign payloads.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1218.002 | System Binary Proxy Execution: Control Panel | Ember Bear has used control panel files (CPL), delivered via e-mail, for execution.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | Ember Bear has dumped configuration settings from accessed IP cameras, including plaintext credentials.(Citation: CISA GRU29155 2024)
Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | Ember Bear has used pass-the-hash techniques for lateral movement in victim environments.(Citation: CISA GRU29155 2024)
Enterprise | T1204.001 | User Execution: Malicious Link | Ember Bear has attempted to lure users into clicking a malicious link within a spearphishing email.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1204.002 | User Execution: Malicious File | Ember Bear has attempted to lure victims into executing malicious files.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Enterprise | T1078.001 | Valid Accounts: Default Accounts | Ember Bear has abused default user names and passwords in externally accessible IP cameras for initial access.(Citation: CISA GRU29155 2024)
References
- Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
- US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
- Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
- CrowdStrike. (2022, March 30). Who is EMBER BEAR? Retrieved June 9, 2022.
- Sadowski, J; Hall, R. (2022, March 4). Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation. Retrieved June 9, 2022.