We use cookies to improve your experience. Do you accept?

Tracking Lazarus APT: From Espionage to Financial Crimes

Tracking Lazarus APT: From Espionage to Financial Crimes - Featured Image

Research and Analysis Sep 25, 2023

Origin: 2007

Aliases : APT38, Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY, Stardust Chollima, BeagleBoyz, Whois Team, Gods Apostles, Gods Disciples, Bluenoroff, Andariel, UNC4736

Targeted Sectors :**** Government, Military, Financial, Manufacturing, Publishing, Media, Entertainment, Freight, Critical Infrastructure, Blockchain technology and Cryptocurrency Industry

Targeted Regions : East Asia, North America, Eastern Europe, Western Europe, Asia-Pacific, Middle East

Common infection vectors: Social Engineering, Phishing, Disinformation, Zero-Day, Spearphishing, Watering Hole Attack, BYOVD, Trojanized Apps,

Malware Used : YamaBot, LCPDot, DTrack, Mydoom, Dozer malware, RustBucket, COPPERHEDGE, BLINDINGCAN, AppleJeus, wAgent malware, Gopuram backdoor, VEILEDSIGNAL, ICONICSTEALER, DaclsRAT, VHD ransomware, NukeSped, Rifdoor, Phandoor, Andarat, Andaratm, TigerRAT, MagicRAT, EarlyRAT, QuiteRAT, DurianBeacon, AndarLoader, Goat RAT, Black RAT, Gh0st RAT, BADCALL backdoor, VSingle

Motivation : Espionage, Data Theft, Disruptive Attack, Financial Gains

Overview

The Lazarus Group, a shadowy cybercrime organization, has been a persistent threat on the global stage since its emergence in 2007. Linked to the government of North Korea, the Lazarus group has a history spanning over a decade and is responsible for well-known cyberattacks, including the 2014 Sony Pictures attack and the 2017 WannaCry 2.0 ransomware outbreak. What sets Lazarus apart from other state actors is its strong financial motivation, as it seeks to bolster North Korea's struggling economy.

This article delves into the enigmatic world of the Lazarus Group, exploring its history, notable attacks, tactics, mitigation strategies, and the complex web of attribution that surrounds this threat actor.

Attack Tactics and Methods

Lazarus has evolved from a criminal outfit to an advanced persistent threat with a wide array of cyberattack methods and a reputation for audacious heists and disruptive attacks. Its tactics are designed to ensure long-term access to compromised systems and to evade detection. Let’s go through some of its key tactics:

Social Engineering

  • Members of the group send carefully crafted emails and messages with malicious attachments or links to high-value targets, often posing as trusted entities.

  • One of the popular tactics that attackers use to date is fake job offer lures. It has masqueraded as Lockheed Martin, Coinbase, Northrop Grumman, Crypto.com, BAE Systems, Indeed, ZipRecruiter, and several others.

  • In Operation Dream Job, the group impersonated Disney, Google, and Oracle recruiters with fake potential job opportunities and targeted over 250 individuals.

Zero-day Exploits and Vulnerabilities

  • Lazarus leveraged the Log4Shell vulnerability to compromise VMware Horizon servers and deploy bespoke malware on energy providers in the U.S, Canada, and Japan.

  • Attackers abused a zero-day vulnerability, CVE-2022-0609, in Google Chrome’s web browser to target news media, information technology, cryptocurrency, and finance in the U.S.

  • The group often takes an interest in the cybersecurity community and targets them with zero day exploits. They further manipulate them to continue conversations on encrypted messaging platforms, such as Telegram, Signal, etc.

  • It exploited the same unpatched zero-day vulnerability twice, targeting a financial business in South Korea.

However, Lazarus’ attacks are not limited to zero day exploits. The group has demonstrated agility and adaptability by exploiting numerous other vulnerabilities, including, EternalBlue, ManageEngine Vulnerability, Log4j, Dell Driver Bug, and others.

Watering Hole Attacks

  • In late 2016 when the cryptocurrency bubble was at its peak, Lazarus most likely used the watering holes technique to target cryptocurrency-focused media organizations. These incidents were previously reported under TEMP.Hermit.

  • In a particular case, attackers relied on the watering hole tactic for initial access and then exploited a vulnerable and outdated version of Apache Struts2 to execute code on a targeted system.

Supply Chain Attacks

  • Lazarus has also been targeting software vendors and compromised their software distribution channels.

  • The supply chain attack on VoIP communications company 3CX and JumpCloud was attributed to this group.

Malware and Tools Used

Lazarus APT is renowned for developing and using a diverse arsenal of malware and tools. Most importantly, Lazarus prefers using several custom, self-developed malware families and backdoors designed for its targets. Additionally, the group is known for its persistence techniques; it uses rootkits, backdoors, and living-off-the-land tactics to maintain access to compromised systems, making it difficult for defenders to notice its presence.

For cryptocurrency theft, Lazarus used tools like AppleJeus and ELECTRICFISH to target cryptocurrency exchanges and wallets. While the former was designed to provide unauthorized access and control over infected systems, the latter was used for stealing data from compromised systems. To harvest sensitive information, Lazarus employs keyloggers (such as KiloAlfa and PSLogger) and credential stealers.

Moreover, Lazarus is known for frequently changing its target focus and customizing tools and tactics as per the situation. For example, during the beginning of COVID-19, Lazarus launched phishing campaigns using COVID-19-related lures to target healthcare institutions, research centers, and pharmaceutical companies involved in COVID-19 research and vaccine development.

The DeathNote campaign, which originally began in 2020, marks a major shift in its target as well as updated infection vectors. Lazarus targeted the automotive and academic sectors in Eastern Europe, both of which are connected to the defense industry. Threat actors leveraged an advanced malware called ThreatNeedle in the campaign.

Other notable malware associated with the group involves VHD ransomware, RustBucket, MagicRAT, and more.

Attack Details

The Lazarus Group is known for targeting a wide range of institutions belonging to the government, military, financial, manufacturing, publishing, media, entertainment, international shipping companies, and critical infrastructure industries.

Lazarus has been involved in several high-profile attacks from Operation Troy (2009 to 2012), Sony Pictures Hack (2014), the SWIFT heist (Bancomext, Bangladesh Bank Heist, Banco de Chile, and others), and the WannaCry attack, to Far Eastern International Bank (2017), FASTCash, and DeathNote.

By this time, the North Korean threat had grown enough infrastructure and was ready to wage a war against the blockchain and cryptocurrency industry. Some of its top victims included Coincheck, Bithumb, and Upbit in 2018, meanwhile, Harmony Horizon and Axie Infinity were the major targets in 2022. During 2022, the group accounted for losses exceeding $750 million, constituting roughly 20% of the total stolen value within the industry for that year.

Lazarus in 2023

  • Lazarus-affiliated groups have stolen over $240 million in cryptocurrency since June 2023, targeting various businesses, including Atomic Wallet ($100m), CoinsPaid ($37.3M), Alphapo ($60M), and Stake.com ($41M).

  • In August 2023, the FBI issued a warning indicating that North Korean hackers were gearing up to cash out stolen cryptocurrency, potentially worth over $40 million in Bitcoin. The agency's investigation had tracked the movement of approximately 1,580 bitcoins, stolen in previous cyberattacks, to six cryptocurrency wallets.

  • The latest back-to-back attack on 3CX and JumpCloud signifies its growing interest in the evolving supply chain threat landscape where other global threat actors, such as Cl0p (responsible for the MOVEit breach), also share the stage.

Attribution

The attribution to North Korea in the context of Lazarus Group is often made with a high level of confidence. Cybersecurity researchers have made significant strides in linking Lazarus to North Korea through various means.

Analysis of malware and infrastructure used by Lazarus has revealed code similarities and infrastructure patterns associated with North Korean actors. Its geopolitical motivations often align with North Korea's geopolitical interests. For instance, attacks on South Korean targets have been linked to political tensions between the two countries.

Furthermore, Lazarus is a highly financially motivated threat group. With respect to the attacks on cryptocurrency exchanges, some of the stolen funds have been traced to North Korean wallets. Also, the group's consistent targeting of South Korea and other countries in the region, as well as the use of North Korean infrastructure adds up to the already vetted confidence.

Mitigation

Effectively mitigating threats from the Lazarus APT demands a comprehensive strategy. Key steps include regular patching to thwart known vulnerabilities and following cyber hygiene practices. With supply chain attacks being the primary focus of Lazarus, large enterprises must share threat intelligence collected from their internal monitoring and detection tools as well as threat intelligence collected from ISACs (TLP White/Green) and CISA with their suppliers. More than 95% of suppliers are small sized lack budgets, infrastructure, and expertise to protect themselves from being used as an exploitation route.

Sharing threat intelligence with these suppliers using Cyware’s Collaborate (CSAP) platform protects their supply chain ecosystems by sharing threat intelligence with their suppliers. Collaborate facilitates seamless intelligence and advisory sharing in real time, fostering real-time threat awareness and rapid threat response, ultimately strengthening supply chain ecosystems. Furthermore, enterprise security teams can perform real-time threat assessments of their supply chain ecosystem and assign actions to take protective actions such as patching a vulnerability.

Conclusion

Lazarus APT has earned a fearsome reputation by delivering financial blows to thousands of organizations globally with far-reaching consequences. With a formidable arsenal of malware and tools, this threat actor has successfully targeted governments, financial institutions, and cryptocurrency exchanges, among others. The group operates with impunity possibly due to government backing and encouragement in North Korea, ensuring their safety against prosecution in their own country. This support makes it highly probable that the Lazarus group will persist in its cyber activities for many more years to come.

All these serve as a stark reminder of the need for strong cybersecurity measures in an increasingly interconnected world. Defending against Lazarus APT requires vigilance, constant updates to security measures, and a collaborative approach among organizations and nations.

Indicators of Compromise

QuiteRAT

ED8EC7A8DD089019CFD29143F008FA0951C56A35D73B2E1B274315152D0C0EE6

CollectionRAT

DB6A9934570FA98A93A979E7E0E218E0C9710E5A787B18C6948F2EEDD9338984

773760FD71D52457BA53A314F15DDDB1A74E8B2F5A90E5E150DEA48A21AA76DF

Magic RAT

8CE219552E235DCAF1C694BE122D6339ED4FF8DF70BF358CD165E6EB487CCFC5

C2904DC8BBB569536C742FCA0C51A766E836D0DA8FAC1C1ABD99744E9B50164F

DDA53EEE2C5CB0ABDBF5242F5E82F4DE83898B6A9DD8AA935C2BE29BAFC9A469

90FB0CD574155FD8667D20F97AC464ECA67BDB6A8EE64184159362D45D79B6A4

YamaBot

F226086B5959EB96BD30DEC0FFCBF0F09186CD11721507F416F1C39901ADDAFB

DeimosC2

05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d

Trojanized Plink

e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe

Procdump

16F413862EFDA3ABA631D8A7AE2BFFF6D84ACD9F454A7ADAA518C7A8A6F375A5

05732E84DE58A3CC142535431B3AA04EFBE034CC96E837F93C360A6387D8FAAD

Mimikatz

6FBB771CD168B5D076525805D010AE0CD73B39AB1F4E6693148FE18B8F73090B

912018AB3C6B16B39EE84F17745FF0C80A33CEE241013EC35D0281E40C0658D9

CAF6739D50366E18C855E2206A86F64DA90EC1CDF3E309AEB18AC22C6E28DC65

3Proxy

2963A90EB9E499258A67D8231A3124021B42E6C70DACD3AAB36746E51E3CE37E

PuTTY plink

2AA1BBBE47F04627A8EA4E8718AD21F0D50ADF6A32BA4E6133EE46CE2CD13780

5A73FDD0C4D0DEEA80FA13121503B477597761D82CF2CFB0E9D8DF469357E3F8

Adfind

C92C158D7C37FEA795114FA6491FE5F145AD2F8C08776B18AE79DB811E8E36A3

IP Addresses

23.81.246[.]131

146.4.21[.]94

109.248.150[.]13

108.61.186[.]55

1.254.24[.]19

185.152.67[.]39

70.39.103[.]3

66.187.75[.]186

104.223.86[.]8

100.21.104[.]112

23.95.182[.]5

78.141.223[.]50

116.202.251[.]38

89.44.9[.]202

192.185.5[.]189

162.241.248[.]14

179.43.151[.]196

45.82.250[.]186

162.19.3[.]23

144.217.92[.]197

23.29.115[.]171

167.114.188[.]40

91.234.199[.]179

172.93.201[.]253

Domains

nomadpkgs[.]com

centos-repos[.]org

datadog-cloud[.]com

toyourownbeat[.]com

datadog-graph[.]com

centos-pkg[.]org

primerosauxiliosperu[.]com

zscaler-api[.]org

nomadpkg[.]com

launchruse[.]com

Reggedrobin[.]com

Canolagroove[.]com

Alwaysckain[.]com

URLS

hxxp[://]104[.]155[.]149[.]103/2-443[.]ps1

hxxp[://]104[.]155[.]149[.]103/8080[.]ps1

hxxp[://]104[.]155[.]149[.]103/mi64[.]tmp

hxxp[://]104[.]155[.]149[.]103/mi[.]tmp

hxxp[://]104[.]155[.]149[.]103/mm[.]rar

hxxp[://]104[.]155[.]149[.]103/pd64[.]tmp

hxxp[://]104[.]155[.]149[.]103/rar[.]tmp

hxxp[://]104[.]155[.]149[.]103/spr[.]tmp

hxxp[://]104[.]155[.]149[.]103/t[.]tmp

hxxp[://]104[.]155[.]149[.]103/update[.]tmp

hxxp[://]109[.]248[.]150[.]13:8080/1

hxxp[://]146[.]4[.]21[.]94/tmp/data_preview/virtual[.]php

hxxp[://]185[.]29[.]8[.]162:443/1[.]tmp

hxxp[://]40[.]121[.]90[.]194/11[.]jpg

hxxp[://]40[.]121[.]90[.]194/300dr[.]cert

hxxp[://]40[.]121[.]90[.]194/b[.]cert

hxxp[://]40[.]121[.]90[.]194/qq[.]cert

hxxp[://]40[.]121[.]90[.]194/ra[.]cert

hxxp[://]40[.]121[.]90[.]194/Rar[.]jpg

hxxp[://]40[.]121[.]90[.]194/tt[.]rar

hxxp[://]46[.]183[.]221[.]109//dfdfdfdfdfdfdfdfdfaflakjdfljaldjfladfljaldkfjlajdsflajdskf/huntertroy[.]exe

hxxp[://]46[.]183[.]221[.]109//dfdfdfdfdfdfdfdfdfaflakjdfljaldjfladfljaldkfjlajdsflajdskf/svhostw[.]exe

hxxp[://]84[.]38[.]133[.]145/board[.]html

hxxp[://]84[.]38[.]133[.]145/header[.]xml

hxxp[://]www[.]ajoa[.]org/home/manager/template/calendar[.]php

hxxp[://]www[.]ajoa[.]org/home/rar[.]tmp

hxxp[://]www[.]ajoa[.]org/home/tmp[.]ps1

hxxp[://]www[.]ajoa[.]org/home/ztt[.]tmp

hxxp[://]www[.]orvi00[.]com/ez/admin/shop/powerline[.]tmp

Networks IOCs

146[.]4[.]21[.]94

109[.]248[.]150[.]13

108[.]61[.]186[.]55:443

hxxp[://]146[.]4[.]21[.]94/tmp/tmp/comp[.]dat

hxxp[://]146[.]4[.]21[.]94/tmp/tmp/log[.]php

hxxp[://]146[.]4[.]21[.]94/tmp/tmp/logs[.]php

hxxp[://]ec2-15-207-207-64[.]ap-south-1[.]compute[.]amazonaws[.]com/resource/main/rawmail[.]php

hxxp[://]109[.]248[.]150[.]13/EsaFin[.]exe

hxxp[://]146[.]4[.]21[.]94/boards/boardindex[.]php

hxxp[://]146[.]4[.]21[.]94/editor/common/cmod

VSingle C2s

hxxps[://]tecnojournals[.]com/review

hxxps[://]semiconductboard[.]com/xml

hxxp[://]cyancow[.]com/find

MagicRAT C2s

hxxp[://]155[.]94[.]210[.]11/news/page[.]php

hxxp[://]192[.]186[.]183[.]133/bbs/board[.]php

hxxp[://]213[.]32[.]46[.]0/board[.]php

hxxp[://]54[.]68[.]42[.]4/mainboard[.]php

hxxp[://]84[.]38[.]133[.]145/apollom/jeus[.]php

hxxp[://]mudeungsan[.]or[.]kr/gbbs/bbs/template/g_botton[.]php

hxxp[://]www[.]easyview[.]kr/board/Kheader[.]php

hxxp[://]www[.]easyview[.]kr/board/mb_admin[.]php

YamaBot C2s

hxxp[://]213[.]180[.]180[.]154/editor/session/aaa000/support[.]php

MD5

8A05F6B3F1EB25BCBCEB717AA49999CD

265F407A157AB0ED017DD18CAE0352AE

7A73A2261E20BDB8D24A4FB252801DB7

7A307C57EC33A23CE9B5C84659F133CC

CED38B728470C63ABCF4DB013B09CFF7

9121F1C13955506E33894FFD780940CD

50B2154DE64724A2A930904354B5D77D

EE73A772B72A5F3393D4BF577FC48EFE

D1C652B4192857CB08907F0BA1790976

25B37C971FD7E9E50E45691AA86E5F0A

0493F40628995AE1B7E3FFACD675BA5F

8840F6D2175683C7ED8AC2333C78451A

C278D6468896AF3699E058786A8C3D62

9FD35BAD075C2C70678C65C788B91BC3

59CB8474930AE7EA45B626443E01B66D

7AF59D16CFD0802144795CA496E8111C

CD5357D1045948BA62710AD8128AE282

77194024294F4FD7A4011737861CCE3C

E9D89D1364BD73327E266D673D6C8ACF

0D4BDFEC1E657D6C6260C42FFDBB8CAB

5DA86ADEEC6CE4556F477D9795E73E90

706E55AF384E1D8483D2748107CBD57C

DD185E2BB02B21E59FB958A4E12689A7

4088946632E75498D9C478DA782AA880

4C239A926676087E31D82E79E838CED1

183AD96B931733AD37BB627A958837DB

9EA365C1714EB500E5F4A749A3ED0FE7

2449F61195E39F6264D4244DFA1D1613

1F254DD0B85EDD7E11339681979E3AD6

0071B20D27A24AE1E474145B8EFC9718

65DF11DEA0C1D0F0304B376787E65CCB

2EFBE6901FC3F479BC32AAF13CE8CF12

880B263B4FD5DE0AE6224189EA611023

E7AA0237FC3DB67A96EBD877806A2C88

56470E113479EACDA081C2EEEAD153BF

F4B55DA7870E9ECD5F3F565F40490996

1BD0CA304CDECFA3BD4342B261285A72

14D79CD918B4F610C1A6D43CADEEFF7B

C0A8483B836EFDBAE190CC069129D5C3

CA6658852480C70118FEBA12EB1BE880

EB2DC282AD3AB29C1853D4F6D09BEC4F

7D204793E75BB49D857BF4DBC60792D3

FC7B0764541225E5505FA93A7376DF4

075FBA0C098D86D9F22B8EA8C3033207

92657B98C2B4EE4E8FA1B83921003C74

78D42CEDB0C012C62EF5BE620C200D43

F6D6F3580160CD29B285EDF7D0C647CE

11FDC0BE9D85B4FF1FAF5CA33CC272ED

2B02465B65024336A9E15D7F34C1F5D9

CBC559EA38D940BF0B8307761EE4D67B

DA1DC5D41DE5F241CABD7F79FBC407F5

B3A8C88297DAECDB9B0AC54A3C107797

B23B0DE308E55CBF14179D59ADEE5FCB

64E5ACF43613CD10E96174F36CB1D680

C027D641C4C1E9D9AD048CDA2AF85DB6

C90D094A8FBEAA8A0083C7372BFC1897

853341A37EE6CD6516E03CE1341C7889

82491B42B9A2D34B13137E36784A67D7

7BA98EDD7015779A2625F11F3EABE869

3A9C24C92C221658A8BF9CE61D758E1A

B8724109E5473B4CA79A13C33B865E32

DC9244206E72A04D30EEADEF23713778

735AFCD0F6821CBD3A2DB510EA8FEB22

SHA-1

38B0DBA5045D7324F45E31249A1FBA5D086C1AC5

13C47E19182454EFA60890656244EE11C76B4904

720E60D0AFA4ED1718A68866740D4D4EEF963B8D

BAB4485B7F699723319B88A5E097B62B028563EF

4CF23D9A5EA4AD3F331FC35FF237D33875EA9A8E

89631469CF45EBAFC103829651B0F284F2CEEABC

033A15778AE9AF48466E0B39D123F492C8035665

63F974136C871E0FA4F14932873DD136E0B45AA5

659C854BBDEFE692EE8C52761E7A8C7EE35AA56C

975AE81997E6CD8C8A3901308D33C868F23E638F

35577959F79966B01F520E2F0283969155B8F8D7

988D07E40FD201CCEAAE5FEB29FEA2DB13846D7A

27E5B8CF9E23346649C9D95EC54287C094651BE5

F3847F5DE342632F8F9E2901F16B7127472493AE

88069CB17AB766F2D4F68D679D11DCD844BCFB27

43CA84252A84BEDC468E5C963A288966D6376CA3

323E1F522F18415F8EEF337A3551A736B69683D2

4B58ED2EC3A3104024DBA0BB0E4256D6B05D0D10

9ABB433B603D950B6CD59C92F0A818F012090896

AF5C411566FE993674E01308A5058E43CD0A5800

A1271B12DD7EFDAF30A5FD65B2FBBA2471F4326D

5D06679C25B8A8C4979194B67005F58535C12A13

4AAB3433616D37ED12F37151123C3F67C6DEFD7F

F938D0CA9233770A5E06658C68E800B98188D01B

2BEF437C6E7ED3C438D23E6CAC0A7FFB9D2F3E26

7F8455524BD987F5A0EF887D73092C72BDCD1AEA

20C3940DBD21464B5A1538C154A443BC858F38AD

BD178402B7B806BAC3CBFEB7141E80C2177AA703

B4D72C236E3CD58D9F92C099DD2628163C3A05FB

6A82EBF8A6E868323B1DE30A81CD6658CE4C31B6

C0D6BD29DAA7D80B07E339FC48868639123E75A1

7A58BA290EAC891BE743FFD1A74115799529873E

D705711BFDBCB2B583A0E740AF349589484D84A8

0ECC687D741C7B009C648EF0DE0A5D47213F37FF

C70EDFAF2C33647D531F7DF76CD4E5BB4E79EA2E

4C729E0E247CFA7A4B047E463BC6E34EA4298E3B

C699826810A8E3FCB1408A53E1D75714385ED716

ECD042EABDEAE16532B9602BE5786E408C3A622D

83C9095718DDD20CF287F5750256C00538CCD48F

8119475CA51654D6DF7391C6844E8CBBFEA2FCB7

5C2277E3E11F1053698A6DEE90937992993F9AF9

46F7B47D2F9CDB6A6D7522CE20D0C10314DE8BAD

C02A8450F93CA0D003D7B1DB2BE0253BBFF7CCE6

B9D25359820C2FA990868764634A06E024201542

B84A1747F9672409A5DAAD0910681A9D33AA016F

ED77B0DD1FE8A9C2AE7991333DE550596FFB6FCC

CEAF57F23EDE93307DA84ABF07BCF137D258F55D

BAAE100337B76BE346C3460711A0C413E639C7E1

AA8214C2949BBF66C11A5E27F0E09A13427F5FAA

C577D177D3A6D94B75483A89AA196C4B7AE5F1FE

B256F22A81DAA47D250782515912B13EF8C27390

46660F562FE01B5DF0E1AC03DD44B4CC8D2FA5F5

B57665909A6F6743DC3EC3476EF0C30252B78A6A

14B91C090048030088423FE1ACF17C8457AE098B

F141F9DFC7E082521C9D26980BFC8BF100BB2F61

97E9C7091A7275655D0E44559A3DF6D5A0CF21D9

6FF55C00A1C09CCD6AF7727D526E21CA969E0AF0

1DF16F8BB6068E5F65F0A9A3613CC31FE5321A8D

10408E6CF829699F0EB4C5199575261DB14FEE66

92480E506D51D920FCC1D4DBA7206C3185317F61

CB0E71340F963F7F2F404A0431D82AC809D2B15D

SHA-256

C26B8D9B9C76770D5EADD0DC11A2382DB1E5175E4E0EB69B6481D5A94747ABAE

1A172D92638E6FDB2858DCCA7A78D4B03C424B7F14BE75C2FD479F59049BC5F9

919DFA31F284412D41E45A90520DE2BACD211E7AD92D68512108F1302385C79F

383E75C5BDD46D1B6FF517CC3FAD88EB92C22AA9E969686DE4514CD665A1757A

2873D85E9129D8F54FB989D3D7BF3CA660601688DF4FFCF6D19EE3D5D0C8C0B1

77A94EA53961CB80A19E23B152CE1F92B91EF119CF9291D37B8C52C17E8D4263

4D2C98B53290918253A25A491F0398A58CBDCA540434923CD9924DD0F0B2FBB6

93F512CE023F0AA20A2A924A520B2ECAC19030A0FA85B583C59974D38DFA6A79

26A2FA7B45A455C311FD57875D8231C853EA4399BE7B9344F2136030B2EDC4AA

EC254C40ABFF00B104A949F07B7B64235FC395ECB9311EB4020C1C4DA0E6B5C4

02A28BC6829EDEF5E8A8F0CC5140056D2842588DAEA61247A31F9CCA69061BBF

1DB5A75AC2FAD4D96E64AC1AB39F70189F87DC008C3D0960D9302AB16681EA35

B751C8B13B93876FAF38565B0797486FDF0149C2134EE9B4D14EFB78A9119ADC

4D7AC076C4955F745B17BAB9AB5B61AA14832B689B3A9E852FBD77938D23BF99

7FDFC719935D938651F45AAFEF3CD2ECC0020E9B77AC0780EDB3BA585C16C9E2

4D9D1DCA64D7F4D3FD3308B548BF2F50E00AAB749239660BA234D1F221BAC675

6590F66D6AFE155B1109E81E2C36ECE73236223AB17AE1A1C77A027BE9F7D400

A241B6611AFBA8BB1DE69044115483ADB74F66AB4A80F7423E13C652422CB379

C1029545715E5A2E433FCB4C53CDBD12B019DEAF4D1F7D03BE3EE680FA007219

AAA1D7A0BDC59257141A9EFA76B541166064079D91492299A31C6C61371E27E4

9A8B4741A33D328A7441BAB1D5AB9D62E9CEBE572758ADEE4E67D877E3FBFCC4

E1A3D56BCDBB91CCD629929980EDAAC2EBD8D79A114D64F30800B29CB3062E73

BD57E944999F9DEE5EE5C21DC804753C732E7735B2FC7A32FE7B8C0DCB4FC196

A99A1B6FE798D17C9B87526AF340DE4EC98341247A566546ECBB1A71E5862387

1E434D8BD75909E689141AA5C6B2792D6BD9E86953CF23F0ECCB460F7C2C2274

34B4546E3468238702DF24794E598ADD494BEAEACF95DF10AF54D88B3D241E8A

A3ECA35D14B0E020444186A5FAABA5997994A47AF08580521F808B1BB83D6063

322AA22163954FF3FF017014E357B756942A2A762F1C55455C83FD594E844FDD

49724EE7A6BAF421AC5A2A3C93D32E796E2A33D7D75BBFC02239FC9F4E3A41E0

66E5371C3DA7DC9A80FB4C0FABFA23A30D82650C434EEC86A95B6E239ECCAB88

D7EF8935437D61C975FEB2BD826D018373DF099047C33AD7305585774A272625

1B0C82E71A53300C969DA61B085C8CE623202722CF3FA2D79160DAC16642303F

1076B25D5FA5CCCDDDCAF3F788789AE3C4EA9B034066693B6A0560AF129CEDA6

DF5536C254A5D9AC626DBFF7525DE8301729807433D377DB807CE3D8BC7C3FFE

6A3446B8A47F0AB4F536015218B22653FFF8B18C595FBC5B0C09D857EBA7C7A1

7933716892E0D6053057F5F2DF0CCADF5B06DC739FEA79EE533DD0CEC98CA971

B76B6BBDA8703FA801898F843692EC1968E4B0C90DFAE9764404C1A54ABF650B

2627B7C827404EE49271BFC6BB152E52CF28E35C4BEF1AD256018C5C08DAEA21

23D73FC8F10588944D8DC2073CE6AF6D159943F11AC0C140C9B2E67FB0AD8B89

3C5C1A7E7EFE4EEE3B7650167C664F730F40923A38C3E6640CBB2A4BFE9F64C6

48AE9F16AA87BF92639C24CCFD60B3E06B38560D4AAEE158A4E75875E1F23AE6

54DE934C8008B9ACEF506F5612A82C1786A7E75F8712D4CD1BE0A0F3FB28EF65

D7F66F75023B66BE4584CB5626A7213FF7D957DA5E21D76224C2A68E113B86A4

A8647A04563B746B1D8D4CDD67616CB646A3F6766D9C2D447541B9DC26452D8B

BB1B6865E62E6149CE7F849728FCBEFA27358CEB9BAAA53B8089C3FB9FB56AB3

21515FD6E6EB994DEFB589B4D0D9D956F7B4CB07823AAEC501134AB063D883E9

454734DCA530D54C4E8F543BDD33B5EB4B50F3039A953B54281DC67A09AF4CA6

BFF4D04CAEAF8472283906765DF34421D657BD631F5562C902E82A3A0177D114

37A3C01BB5EAF7ECBCFBFDE1AAB848956D782BB84445384C961EDEBE8D0E9969

48B8486979973656A15CA902B7BB973EE5CDE9A59E2F3DA53C86102D48D7DAD8

38715C080BEFA6D50659F1B0DDD5C0B0208048878E827796CC0C8D7CFFD91BA9

9D13C3678C204D32643594EB85380BAC35072C739070CB9F5ADA62BBD20319FF

A881C9F40C1A5BE3919CAFB2EBE2BB5B19E29F0F7B28186EE1F4B554D692E776

9949AF7B466F26859BCEAE1F448F6232A88E4FF56DDBFC79E4D339861765B7E9

C3EDE13E6321E091F519B043EE1BF0A669EAAF9591724642652C8B846C05EA08

DB6A9934570FA98A93A979E7E0E218E0C9710E5A787B18C6948F2EEDD9338984

773760FD71D52457BA53A314F15DDDB1A74E8B2F5A90E5E150DEA48A21AA76DF

05E9FE8E9E693CB073BA82096C291145C953CA3A3F8B3974F9C66D15C1A3A11D

E3027062E602C5D1812C039739E2F93FC78341A67B77692567A4690935123ABE

9151FF77B65EEACD5CDDDD13C041DB3AD9818FD2AEBE05D8745227FAC7E516B8

4DC71B659C9277C7BB704392F8AF5B6B2FBC9A66D3AD80D8CB4DF0BD686F0E86

Related Threat Briefings