The Sandworm Team and You
iSIGHT Partners released a report today outlining the exploitation of the zero-day vulnerability tracked as CVE-2014-4114 by a threat actor group they have dubbed "The Sandworm Team". The group is believed to originate in Russia; its targets have included NATO, energy and telecommunications firms, several European governments, and US educational institutions.
Their usual modus operandi is spear phishing: users are lured into opening weaponized PowerPoint files that install one of the many BlackEnergy malware variants.
RSA has updated our third-party IOC feed to include the IP addresses of the command-and-control servers used by the Sandworm Team. Customers subscribing to the "Third Party IOC IPs" feed can run the following pivot in Security Analytics to identify hosts that have communicated with those servers and may be compromised:
threat.desc begins "sandworm team"
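To show what that pivot does underneath, here is an added example (written for this note, not RSA's feed or Security Analytics code) that tags captured sessions with a threat.desc meta value whenever either endpoint matches an IOC IP feed, then applies a case-insensitive "begins" prefix match. The IP addresses, session records and internal network range are constructed placeholders from the RFC 5737 test ranges, not indicators from the report; the list-valued meta and the enrich/pivot function names are assumptions for illustration.

```python
"""Added example: emulate applying a third-party IOC IP feed to session
metadata and pivoting on  threat.desc begins "sandworm team".
Every IP and session here is a constructed placeholder (RFC 5737 test
networks), not a real indicator."""
import ipaddress

# Constructed feed: indicator IP -> threat description that becomes threat.desc meta
IOC_IP_FEED = {
    "192.0.2.10": "sandworm team c2",
    "192.0.2.11": "sandworm team c2",
    "198.51.100.5": "generic botnet",
}

# Assumed internal address space for the monitored environment
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sessions, shaped like the meta a network monitor would record
SESSIONS = [
    {"id": 1, "ip.src": "10.0.0.15", "ip.dst": "192.0.2.10", "tcp.dstport": 80},
    {"id": 2, "ip.src": "10.0.0.22", "ip.dst": "203.0.113.7", "tcp.dstport": 443},
    {"id": 3, "ip.src": "10.0.0.15", "ip.dst": "198.51.100.5", "tcp.dstport": 80},
    {"id": 4, "ip.src": "192.0.2.11", "ip.dst": "10.0.0.40", "tcp.dstport": 25},
]


def enrich(session, feed=IOC_IP_FEED):
    """Return a copy of the session with threat.desc meta added for every
    endpoint (source or destination) found in the IOC feed."""
    tagged = dict(session)
    for key in ("ip.src", "ip.dst"):
        ip = str(ipaddress.ip_address(session[key]))  # validate and normalize
        if ip in feed:
            tagged.setdefault("threat.desc", []).append(feed[ip])
    return tagged


def pivot_begins(sessions, meta_key, prefix):
    """Emulate a  <key> begins "<value>"  pivot: keep sessions where any
    value of the (list-valued) meta key starts with the prefix, ignoring case."""
    prefix = prefix.lower()
    return [s for s in sessions
            if any(v.lower().startswith(prefix) for v in s.get(meta_key, []))]


def compromised_hosts(sessions, prefix="sandworm team"):
    """Internal hosts seen talking to a feed IP whose threat.desc begins with prefix."""
    hits = pivot_begins([enrich(s) for s in sessions], "threat.desc", prefix)
    internal = set()
    for s in hits:
        for key in ("ip.src", "ip.dst"):
            if ipaddress.ip_address(s[key]) in INTERNAL_NET:
                internal.add(s[key])
    return sorted(internal)


if __name__ == "__main__":
    for host in compromised_hosts(SESSIONS):
        print(host)
```

Note that the match is on the prefix, so a single pivot catches every feed entry whose description starts with the group name, and that session 4 is caught even though the feed IP is the source rather than the destination, which matters for reverse-connection traffic.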
Nice job on the quick turnaround, Scott. Have any of the Community members had success with this parser? FYI, there is also a thread on POODLE on the Community here: https://community.emc.com/thread/200930