IronNet: Threat Intelligence Brief - Cybersecurity Solutions


IronNet: Threat Intelligence Brief
Top Observed Threats from IronNet Collective Defense Community
October 1 – October 31, 2021
Edition #23: November 2021
Copyright 2021. IronNet Cybersecurity, Inc. All rights reserved. For public use.

SIGNIFICANT COMMUNITY FINDINGS

This month, IronDefense deployed across IronDome participants’ environments identified a number of network behavioral anomalies that were rated as Suspicious or Malicious by IronNet and/or participant analysts.

[Chart: Total IoCs Reported. Recoverable values: Recon11 :95 IoCs; Other: 191 IoCs; C2 18%; 233 IoCs; Action 0%]

Threat Intelligence Report: Top Observed Threats from IronNet Collective Defense Community. Copyright 2021. IronNet, Inc. All rights reserved. For public use.

Recent Indicators of Compromise (Domain/IP, Rating, Analyst Insight)

Rating: MALICIOUS
Analyst Insight: A suspicious file downloaded from this domain triggered an alert. The downloaded file is identified as a malicious DownloadGuide by numerous security vendors. These applications are most commonly software bundlers or installers for applications such as toolbars, adware, or system optimizers. We recommend blocking this domain.

Rating: MALICIOUS
Analyst Insight: This domain was found within a URL that was embedded in an email. When clicked, the link redirected the user to http://preferabletask[.]xyz/euNXv7bp/Amul-wa/? t 1633881723rpv. What is hosted on this site is unknown, but similar redirects by this domain include phishing scams urging the user to claim a prize, which can result in potentially unwanted programs (PUP). We recommend blocking the domain.

Rating: MALICIOUS
Analyst Insight: The typo-squatting domain payapl[.]com/us/webapps/mpp/requesting-payments was found as a link submitted via a user agent in Microsoft Office Excel 2014. We recommend blocking the

Domain/IP: omgravelyelectricthicket[.]com
Rating: SUSPICIOUS
Analyst Insight: This domain is associated with Terraclicks, a known browser redirector. Redirected clients can result in drive-by downloads that open up unwanted exposure to future injection sources. Connection attempts to these domains should be investigated and the domains and IPs blocked.

Domain/IP: alcoholicsort[.]com
Rating: SUSPICIOUS
Analyst Insight: This domain is related to spam/phishing activity and was reported as Suspicious by VirusTotal, McAfee, and Symantec OSINT.

Rating: SUSPICIOUS
Analyst Insight: This is a Terraclicks-related domain. Ads served by Adsterra are known to redirect traffic to sites hosting malicious content. We recommend blocking this IP and any related domains.

Domain/IP: 1337x[.]to
Rating: SUSPICIOUS
Analyst Insight: This domain was flagged for JAWS Webserver Unauthenticated Shell Command Execution. This attempt appears to have been unsuccessful, and we recommend blocking the domain.

Domain/IP: glimpsemankind[.]com
Rating: SUSPICIOUS
Analyst Insight: Traffic to glimpsemankind[.]com currently resolves to 192.243.59.20, which is a known Terraclicks IP. We recommend blocking the

Domain/IP: es.online-reschedule-check[.]com
Analyst Insight: es.online-reschedule-check[.]com is a phishing scam impersonating the German postal carrier, Hermes.

Domain/IP: guanggoo[.]net
Rating: SUSPICIOUS
Analyst Insight: This domain potentially sells scam products. We recommend using caution when browsing this site.

Domain/IP: auntietraumatizemobile[.]com
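Added here as an illustration, not code from IronNet's brief: a small Python checker that refangs the table's indicators and runs constructed DNS log lines (the log format is assumed) against them, counting subdomains of a listed domain and resolutions to the listed IP as matches.

```python
import ipaddress
import re

# Indicators and ratings as listed in the brief's table (defanged with "[.]").
DEFANGED_IOCS = {
    "omgravelyelectricthicket[.]com": "SUSPICIOUS",
    "alcoholicsort[.]com": "SUSPICIOUS",
    "1337x[.]to": "SUSPICIOUS",
    "glimpsemankind[.]com": "SUSPICIOUS",
    "192[.]243[.]59[.]20": "SUSPICIOUS",  # the Terraclicks IP named in the table
    "payapl[.]com": "MALICIOUS",
}

# Constructed DNS log lines in an assumed "<ts> <client> query <qname> -> <answer>" form.
SAMPLE_LOG = [
    "2021-10-14T09:12:01Z 10.0.0.5 query www.glimpsemankind.com. -> 192.243.59.20",
    "2021-10-14T09:12:07Z 10.0.0.5 query updates.example.com. -> 203.0.113.10",
    "2021-10-14T09:13:40Z 10.0.0.9 query payapl.com. -> 198.51.100.7",
    "2021-10-14T09:14:02Z 10.0.0.9 query cdn.example.org. -> 192.243.59.20",
]
LOG_RE = re.compile(r"^\S+\s+\S+\s+query\s+(?P<qname>\S+)\s+->\s+(?P<answer>\S+)$")

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://...') back into its real form."""
    s = indicator.strip().lower().replace("[.]", ".")
    return re.sub(r"^hxxp", "http", s).rstrip(".")

def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def candidate_domains(host: str) -> list:
    """The host itself, then each parent domain, most specific first (the bare TLD is skipped)."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def match_dns_log(lines, defanged=DEFANGED_IOCS):
    """Return (line_no, observed, indicator, rating) for each listed domain, subdomain of one, or listed IP seen."""
    iocs = {refang(k): v for k, v in defanged.items()}
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname, answer = m["qname"].lower().rstrip("."), m["answer"].lower()
        for cand in candidate_domains(qname):  # a subdomain of a listed domain matches too
            if cand in iocs:
                hits.append((n, qname, cand, iocs[cand]))
                break
        if is_ip(answer) and answer in iocs:  # resolution to a listed IP matches as well
            hits.append((n, answer, answer, iocs[answer]))
    return hits
```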

THREAT RULES DEVELOPED

Every month, IronNet’s expert threat analysts create threat intelligence rules (TIRs) based on significant community findings from IronDome, malware analysis, threat research, or other methods to ensure timely detection of malicious behavior targeting an enterprise or other IronDome community participants. These TIRs are continually distributed to each IronDefense deployment as they are created, ensuring that customers receive the most up-to-date detection capabilities. TIRs provide IronDefense the ability to prove the negative going forward for known threats.

Threat Intel Rules Developed This Month: 6,048
Threat Intel Rules Developed to Date: 275,115

This month’s threat intelligence rules include signatures looking for Indicators of Compromise identified by the IronNet Threat Research team as associated with phishing or malware delivery. IronNet threat intelligence analysts also routinely monitor research distributed by the wider cybersecurity community and ensure rules are created for documented indicators. Some examples of this month’s research include indicators associated with the following threats and campaigns:

- Malware delivery domains for Gafgyt, AgentTesla, Sabsik, Dridex, Nekark, and LnxGafgyt malware
- IoCs related to Cobalt Strike beacon payload distribution and Command and Control
- IoCs surrounding DoppelPaymer and Hancitor malware activity
- IoCs related to FIN12’s use of the DaveShell loader
- IoCs related to SolarMarker malware activity
- IoCs surrounding the Chinese state-sponsored APT41 threat group

IN THE IRONDOME

This Month in the IronDome

Rating alerts diminishes alert fatigue for your SOC.

The IronDefense network detection and response solution detects behavior-based anomalies as follows:

- The NetFlow or enriched network metadata (“IronFlows”) collected by IronNet sensors is analyzed by a participating enterprise’s IronDefense instance before being sent to IronDome for higher order analysis and correlation with other IronDome members.
- IronNet’s IronDome Collective Defense platform delivers a unique ability to correlate patterns of behavior across IronDome participants within an enterprise’s business ecosystem, industry sector, or region.

This ability to analyze and correlate seemingly unrelated instances is critical for identifying sophisticated attackers who leverage varying infrastructures to hide their activity from existing cyber defenses.

On the following page is a snapshot of this month’s alerts.

Monthly Alert Snapshot

Flows Ingested: 211B
Network data or NetFlow is sent to IronDefense for processing before being sent to IronDome for behavioral correlation with other IronDome participants.

Alerts Detected: 892K
IronDefense identifies potential cyber threats in your environment by processing participants’ logs with big data analytics, an expert system where analysts rate the severity of the alerts, and behavioral models.

IronNet Expert System
IronNet’s proprietary Expert System combines analytic results with computational rules based on our unique tradecraft experience. This essentially automates Tier 1 SOC analysis to enhance scoring precision.

High Severity Alerts: 3,572
Validated by IronNet’s Expert System, these results are communicated to IronDefense and IronDome participants.

Correlated Alerts: 859
Severe alerts that have been found in more than one IronDome participant’s network.
- Found between two participants: 70
- Found among more than two participants: 789

Top Most Frequent Behavioral Analytics

IronDome’s unique cross-sector visibility and Collective Defense capabilities highlight each month’s most frequent behaviors, enabling us to track trends over time.

Behavioral Detections This Month: 1,264

- External Scanning: 51.6%
- Suspicious File Downloads: 33.1%
- Beaconing: 6.1%
- New and Suspicious Domains: 5.2%
- C2 Rendezvous (DGA): 2.8%
- DNS Tunneling: 0.7%
- Credential Phishing: 0.5%

TRACKING INDUSTRY THREATS

Russia Turns Up the Heat

Recent research from Microsoft reveals that between July 2020 and June 2021, Russia was responsible for approximately 58% of all nation-state attacks. As opposed to disruption, this increased targeting of government agencies is mainly for intelligence gathering purposes. Targeting government entities—mainly agencies involved in foreign policy, defense, and national security—to gather intelligence has become one of Russia’s primary objectives, catapulting from 3% of their targets last year to 53% this year. And not only is the number of attacks rising, so is the success rate of their operations. Attacks from Russian state-sponsored threat actors rose from a 21% successful compromise rate in 2020 to a 32% rate in 2021, with the majority of their targets being in the U.S., the U.K., and Ukraine. During this time, the most active Russian state-sponsored APT was APT29 (aka Nobelium), constituting 92% of notifications about Russia-based threat activity that Microsoft sent to its customers over the past year.

Reinforcing the threat from malicious Russian cyber activity, Google has recently detected a widespread phishing campaign attributed to APT28 (aka Fancy Bear). APT28 has been connected to Russia’s General Staff Main Intelligence Directorate (GRU) and was responsible for big-name attacks, such as the compromise of the Democratic National Committee (DNC) and Hillary Clinton’s campaign in 2016. Google identified a larger than usual number of alerts in September that were traced to a small number of wide-target campaigns that were blocked. As a result, Google has warned roughly 14,000 of its users that they might be victims of a state-sponsored phishing campaign from APT28. Gmail blocked all the phishing emails from the APT28 campaign, automatically classifying them as spam and keeping them from reaching the users’ inboxes. APT28 typically runs operations for the purpose of exfiltration and espionage activity. It is likely they were using this campaign as an effort to gain initial infiltration into various networks that may be of intelligence value to the Russian government.

APT35 Phishing Campaign

Google’s Threat Analysis Group (TAG) reported that in early 2021, Iranian state-sponsored APT35 compromised a website affiliated with a U.K. university to use it for credential phishing purposes. The threat actors sent emails that contained links to this compromised website, instructing users to activate an invitation to a fake webinar by entering their login credentials. The phishing kit also asked for multi-factor authentication (MFA) codes. APT35 has leveraged this technique since 2017, continuously using compromised websites to appear legitimate.

In addition, APT35 is known to impersonate conference officials to carry out phishing campaigns. For example, in the campaign just discussed, the attackers used the Munich Security and the Think-20 (T20) Italy conferences as lures in initial non-malicious contact emails. Once users respond, the attackers send the phishing links in follow-up correspondence. Targets would typically have to navigate through at least one redirect before landing on a phishing domain. APT35 also uses the Telegram API to notify operators, embedding JavaScript into phishing pages to notify them when the page is being loaded. Google made Telegram aware of this bot, and Telegram is actively working to remove it.

SquirrelWaffle Malspam Campaigns

SquirrelWaffle is a malware loader that provides threat actors with an initial foothold into networks, allowing them to drop additional malware. Beginning in mid-September 2021, researchers observed malicious spam (malspam) campaigns being used to deliver Microsoft Office documents that serve as the initial stage of the infection process. The campaigns appear to be leveraging email thread hijacking, and they are designed to trick the potential victim into accessing the included hyperlink to download a ZIP archive, which contains malicious Microsoft Office files.

Throughout the campaigns, multiple efforts were made to evade detection. The Microsoft Office documents contain malicious code that uses string reversal for obfuscation, writes a VBS script, and then executes it. This action fetches SquirrelWaffle from one of the five hardcoded URLs and delivers it as a DLL file onto the infected system. The DLL functions as a malware loader, enabling the infections to be used to deploy additional malware. In these campaigns, SquirrelWaffle has been frequently observed coinciding with Qakbot and Cobalt Strike installations. The loader also uses an IP block list consisting of several known sandboxes and analysis platforms, and one of the distribution servers appears to have had antibot deployed shortly before the SquirrelWaffle campaigns using this server launched.

Over the past few years, Emotet has been one of the primary threats delivered via malspam campaigns. Since the coordinated law enforcement takedown of the Emotet botnet in January, many have been waiting for another threat to fill the void left by Emotet’s exit. While SquirrelWaffle is not yet reaching the same level seen previously with threats like Emotet, it appears to be used consistently and its appearances may increase over time as the threat actors infect more users and increase the size of their botnet.

APT29 Targets MSPs and NPM Library Hijacked

APT29 TARGETS MSPS

Microsoft recently published a report detailing APT29’s latest actions abusing trusted relationships and targeting the IT supply chain. APT29, also known as Nobelium, has been connected to Russia’s Foreign Intelligence Service (SVR) and is most well-known for its compromise of SolarWinds. Since May 2021, the group has targeted 140 managed service providers (MSP) across the U.S. and Europe, successfully breaching 14. Microsoft has informed 609 customers a total of 22,868 times that they had been targeted by APT29 since the beginning of July. This is a big shift from the total of 20,500 notifications sent out to customers over the past three years about attacks from all nation-state actors.

The main targets in this campaign are resellers and technology service providers that deploy and manage cloud services. The goal is to target the privileged accounts of upstream providers to move laterally in cloud environments and gain access to downstream customers. Essentially, they want to piggyback on any access that resellers may have to their customers’ systems. In one example intrusion chain observed by Microsoft, APT29 chained together artifacts from four other distinct providers to reach their end target, exemplifying the breadth of tactics, techniques, and procedures (TTP) APT29 leverages to exploit trusted relationships. These attacks are a continuation of APT29’s dynamic and diverse toolkit that includes token theft, sophisticated malware, password sprays, and spear phishing to gain access to privileged accounts.

NPM LIBRARY HIJACKED

Hackers hijacked the NPM library UA-Parser-JS, an incredibly popular library with millions of downloads per week that parses a browser’s user agent. On October 22nd, the attackers published three malicious versions of the library to install cryptominers and password-stealing Trojans on Windows and Linux devices. The threat actors were able to gain access by targeting the NPM account of one of the developers of the project, who only noticed something was unusual after receiving hundreds of spam emails.

On Linux systems, a preinstall.sh script checks if the user is located in Russia, Ukraine, Belarus, or Kazakhstan. If it determines they are not, the script will download a program called jsextension, which is an XMRig Monero miner. This program uses only 50% of the device’s CPU (central processing unit) to avoid detection. On Windows systems, the batch file will download jsextension and a dynamic link library (DLL) for a password-stealing Trojan, possibly DanaBot, that begins stealing the user’s passwords for a variety of programs, including Chrome, WinVNC, Windows Credentials (local creds), mail programs, and more.
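Added example, not code from the brief or from the UA-Parser-JS project: a Python audit of the change between two package-lock.json documents (both constructed inline, with placeholder version numbers) that flags what the hijack introduced on the victim side, namely a dependency moving to a new version that carries an install lifecycle script.

```python
import json

# Two constructed package-lock.json (lockfileVersion 2) documents: the dependency tree before
# and after a routine `npm install`. Versions are placeholders, not the real compromised
# ua-parser-js releases (the brief does not list them).
BEFORE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"ua-parser-js": "^1.2.3"}},
        "node_modules/ua-parser-js": {"version": "1.2.3"},
        "node_modules/example-util": {"version": "0.4.0"},
    },
})
AFTER_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"ua-parser-js": "^1.2.3"}},
        # The caret range let npm pull a newer patch release, which now carries an
        # install lifecycle script (npm records that as hasInstallScript).
        "node_modules/ua-parser-js": {"version": "1.2.4", "hasInstallScript": True},
        "node_modules/example-util": {"version": "0.4.0"},
    },
})

def installed_packages(lock_text: str) -> dict:
    """Map each node_modules path to its metadata; the "" entry is the project itself and is dropped."""
    lock = json.loads(lock_text)
    return {path: meta for path, meta in lock.get("packages", {}).items() if path}

def audit_lockfile_change(before_text: str, after_text: str) -> list:
    """Return (package, finding, detail) for every change that deserves review before the tree is trusted."""
    before, after = installed_packages(before_text), installed_packages(after_text)
    findings = []
    for path, meta in after.items():
        name = path.rsplit("node_modules/", 1)[-1]
        old = before.get(path)
        version = meta.get("version")
        if old is None:
            findings.append((name, "new package", version))
        elif old.get("version") != version:
            findings.append((name, "version changed", f"{old.get('version')} -> {version}"))
        # preinstall/install/postinstall scripts run arbitrary code on every `npm install`;
        # a package that never had one and suddenly gains one is exactly the signal the
        # hijacked UA-Parser-JS versions gave (their preinstall.sh fetched the miner).
        if meta.get("hasInstallScript") and not (old or {}).get("hasInstallScript"):
            findings.append((name, "install script added", version))
    for path in before.keys() - after.keys():
        findings.append((path.rsplit("node_modules/", 1)[-1], "package removed", before[path].get("version")))
    return findings
```

Run in CI against the committed lockfile and the freshly resolved one, a non-empty result is a reason to hold the build for review rather than let the install scripts run.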

INTRODUCTION

Why Collective Defense?

“IronDome enables us to proactively defend against emerging cyber threats by uniquely delivering machine speed anomaly detection and event analysis across industry peers and other relevant sectors.”
— CISO, Industry-Leading North American Energy Company

This report features threat findings, analysis, and research shared across IronDome, the industry’s first Collective Defense platform for sharing network behavior analytics and intelligence detected between and across sectors, states, and nations. IronDome participants work together in near-real-time to collaboratively defend against sophisticated cyber adversaries.

Information in this document is for public use and is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of IronNet, Inc. Copyright 2021. IronNet, Inc. All rights reserved.

Your Partner in Collective Defense

IronNet’s goal is to strengthen Collective Defense by detecting unknown threats using behavior-based analysis, rating these threats to reduce alert fatigue, and sharing them within the IronDome ecosystem to empower SOC teams across the community to prioritize and accelerate response, and defend better, together.

By working together, we can raise the bar on cybersecurity defense at your enterprise or organization, across sectors at large, and on behalf of nations.

Learn more about Collective Defense in our eBook.

Copyright 2021. IronNet, Inc. All rights reserved. IronNet.com
