Cyberattacks of the Cobalt group on banks

The KZ-CERT Computer Emergency Response Team of the State Technical Service of the National Security Committee of the Republic of Kazakhstan informs that large-scale cyberattacks by the Cobalt group, one of the most active criminal groups conducting targeted attacks on banks, have been recorded in the CIS.

During the attack, the Cobalt group repeatedly used domain names in the .kz zone (microsoft.org.kz, system1.kz, document.com.kz, documents.com.kz, address-in.kz, securitym.kz, webmaster-1.kz, internal.kz, vision71.kz) to carry out malicious mailings.
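As an added example (not code from the KZ-CERT notice or from Group-IB), the following Python checks mail-log lines for sender addresses and URLs that point at the .kz domains listed above, treating subdomains such as webmail.microsoft.org.kz as matches while not confusing look-alike labels such as notsystem1.kz. The log line format and the log lines themselves are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Malicious .kz domains quoted in the KZ-CERT notice.
IOC_DOMAINS = {
    "microsoft.org.kz", "system1.kz", "document.com.kz", "documents.com.kz",
    "address-in.kz", "securitym.kz", "webmaster-1.kz", "internal.kz", "vision71.kz",
}

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def normalize(domain):
    """Lower-case, drop a trailing dot and any port so comparisons are stable."""
    return domain.lower().rstrip(".").split(":")[0]

def matches_ioc(domain, iocs=IOC_DOMAINS):
    """True if domain equals an IOC domain or is a subdomain of one.
    Label-boundary aware: 'notsystem1.kz' does not match 'system1.kz'."""
    d = normalize(domain)
    return any(d == ioc or d.endswith("." + ioc) for ioc in iocs)

def extract_domains(line):
    """Collect the domain of every e-mail address and URL host in a log line."""
    found = {m.group(1) for m in EMAIL_RE.finditer(line)}
    for url in URL_RE.findall(line):
        host = urlparse(url).hostname
        if host:
            found.add(host)
    return found

def scan_log(lines, iocs=IOC_DOMAINS):
    """Return (line_number, domain) pairs for lines that touch an IOC domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for dom in sorted(extract_domains(line)):
            if matches_ioc(dom, iocs):
                hits.append((n, normalize(dom)))
    return hits

# Constructed sample mail-log lines (hypothetical format, not real traffic).
SAMPLE_LOG = [
    "from=<alerts@webmail.microsoft.org.kz> to=<ops@bank.example> subject=Update",
    "from=<hr@bank.example> to=<staff@bank.example> url=https://intranet.bank.example/",
    "from=<noreply@notsystem1.kz> to=<ops@bank.example> subject=Invoice",
    "from=<it@corp.example> to=<x@bank.example> url=http://document.com.kz:8080/form.doc",
]

if __name__ == "__main__":
    for n, dom in scan_log(SAMPLE_LOG):
        print(f"line {n}: IOC domain {dom}")
```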

KZ-CERT, in cooperation with Group-IB, took part in investigating and blocking the malicious domains in the .kz zone.

For prevention and pre-emptive measures, please read the report prepared by Group-IB on the activities of the Cobalt cybercrime group, which attacked banks in the CIS. The report describes the tactics, methods and tools used by the attackers (https://www.group-ib.ru/resources/threat-research/...).

The following indicators of compromise (IOCs) are provided.

E-mail addresses


IP addresses


Domains
