IronNet: Threat Intelligence Brief


Top Observed Threats from IronNet Collective Defense Community
October 1 – October 31, 2020
Edition #11: November 2020

SIGNIFICANT COMMUNITY FINDINGS

This month, IronDefense deployed across IronDome participants’ environments identified a number of network behavioral anomalies that were rated as Suspicious or Malicious by IronNet and/or participant analysts.

Total IoCs Reported: 232
C2: 171 IoCs
Access: 16 IoCs
Other: 45 IoCs

Threat Intelligence Report: Top Observed Threats from IronNet Collective Defense Community, page 2

SIGNIFICANT COMMUNITY FINDINGS

Recent Indicators of Compromise (Domain | Rating | Analyst Insight)

(domain and rating not recovered) | This is a phishing site imitating a Bank of New York login portal. The site appears to be targeting customers’ user credentials.

(domain not recovered) | SUSPICIOUS | This domain has been used in WordPress infection exploits. Traffic to this site may indicate that a user visited a WordPress site that had been injected with this domain in a post or similar content. Investigate any redirections for [rest of sentence missing from the extraction].

(domain and rating not recovered) | This domain was used with the WordPress File Manager exploit, a zero-day vulnerability that allows actors to hijack websites. Traffic to this site may indicate that a user visited an infected WordPress site. Investigate any redirections.

paypal-debit[.]com | SUSPICIOUS | This domain is related to credit card skimming activity. Investigate the traffic for loss of personally identifiable information (PII).

bestbuystoreapple[.]com | SUSPICIOUS | Although this site claims to sell Apple products, it has no association with Apple Inc. and is likely a scam website selling fake products. OSINT sources also associate this domain with suspicious activity.

lotaboutpay1[.]live | SUSPICIOUS | This is a phishing site with adult content themes. If seen in your network, investigate the traffic for any policy violations and block the domain.

shrimpsqueezed[.]com | SUSPICIOUS | This domain is related to TerraClicks. If seen in your network, investigate any redirections and block the domain.

(domain not recovered) | SUSPICIOUS | The TFTP server executables tftpd32.jounin[.]net and http://tftpd64[.]com were downloaded, which may indicate policy violations by an end user. If this TIR creates an alert, we recommend verifying the end user’s role.

dev-nano[.]com | SUSPICIOUS | This domain may indicate an undesired browser extension. Although the extension claims to be for ad blocking, OSINT suggests it may collect network information. The domain may indicate a user visited the site to look at the tool description. If seen in your network, investigate the traffic and consider blocking the domain.

my-account-amazon[.]com | SUSPICIOUS | This is a phishing page using the 16Shop phishing framework. At the time of triage, the page was down. Investigate POST activity for potential credential loss.

Domains printed on this page whose table row could not be matched to an insight in the extraction: developerstatss[.]ga, jounin[.]net
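As an added example (not part of the IronNet brief), the following Python refangs the domains listed above and checks DNS query logs against them, matching a listed domain and any of its subdomains (so a query for tftpd32.jounin.net is caught by jounin[.]net) while avoiding substring false positives such as notpaypal-debit.com. The log format and the log lines are constructed for the example.

```python
from __future__ import annotations
import re

# Indicators exactly as the brief prints them, in defanged "[.]" form.
BRIEF_INDICATORS = [
    "paypal-debit[.]com", "bestbuystoreapple[.]com", "lotaboutpay1[.]live",
    "shrimpsqueezed[.]com", "dev-nano[.]com", "my-account-amazon[.]com",
    "developerstatss[.]ga", "jounin[.]net", "tftpd32.jounin[.]net",
    "http://tftpd64[.]com",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator into a bare lowercase hostname: undo "[.]",
    drop an http/https/hxxp scheme and any URL path, strip a trailing dot."""
    host = indicator.strip().lower().replace("[.]", ".")
    host = re.sub(r"^(hxxps?|https?)://", "", host)
    return host.split("/", 1)[0].rstrip(".")

def host_matches(hostname: str, watchlist: set[str]) -> str | None:
    """Return the watchlist entry equal to hostname or to one of its parent
    domains, so a query for tftpd32.jounin.net is caught by jounin.net.
    Matching whole labels means notpaypal-debit.com does NOT hit paypal-debit.com."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None

# Constructed sample DNS log (not from the brief): "<timestamp> <client> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2020-10-14T09:12:01Z 10.20.5.17 www.example.com A
2020-10-14T09:12:44Z 10.20.5.17 my-account-amazon.com A
2020-10-14T10:03:09Z 10.20.7.3 tftpd32.jounin.net A
2020-10-14T10:03:10Z 10.20.7.3 tftpd64.com A
2020-10-14T11:41:58Z 10.20.9.8 notpaypal-debit.com A
"""

def scan_dns_log(log_text: str, indicators=BRIEF_INDICATORS) -> list[tuple[str, str, str]]:
    """Return (client, queried_name, matched_indicator) for every watchlist hit."""
    watchlist = {refang(i) for i in indicators}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        matched = host_matches(parts[2], watchlist)
        if matched:
            hits.append((parts[1], parts[2], matched))
    return hits

if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {qname} -> matches indicator {ioc}")
```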

THREAT RULES DEVELOPED

Every month, IronNet’s expert threat analysts create threat intelligence rules (TIRs) based on significant community findings from IronDome, malware analysis, threat research, or other methods to ensure timely detection of malicious behavior targeting an enterprise or other IronDome community participants. These TIRs are continually distributed to each IronDefense deployment as they are created, ensuring that customers receive the most up-to-date detection capabilities.

7,750 Threat Intel Rules Developed This Month
159,879 Threat Intel Rules Developed to Date

THREAT RULES DEVELOPED

This month’s threat intelligence rules include signatures looking for Indicators of Compromise as identified by IronNet analytics including Domain Generation Algorithm, Domain Analysis HTTP, Domain Analysis TLS, Periodic Beaconing HTTP, Phishing HTTPS, Suspicious File Download, and TLS Invalid Certificate Chain. Additionally, rules were created for indicators identified by the IronNet Threat Research team as associated with phishing or malware delivery. Finally, IronNet threat intelligence analysts routinely monitor research distributed by the wider cybersecurity community and ensure rules are created for documented indicators. Some examples of this month’s research include:

- Indicators associated with the Ryuk ransomware infection chain tied to recent malspam campaigns
- Analysis of the Russian language malware MontysThree, which has been leveraged for industrial espionage operations
- AZORult information-stealing Trojan targeting supply chain related organizations in the Middle Eastern Oil and Gas sector
- Multiple phishing sites used by the Iran-linked threat actor Silent Librarian to actively target universities in multiple countries
- Indicators associated with new Mirai botnet variants targeting recent Internet of Things (IoT) vulnerabilities
- Analysis indicating increased activity from the Lemon Duck cryptocurrency-mining botnet
- Recent GravityRAT campaign targeting users in India across Windows, Android, and MacOS platforms
- Research examining updates to the Purple Fox exploit kit that incorporate exploitation of two recent Common Vulnerabilities and Exposures (CVE) and add methods to better evade detection tools
- Analysis examining a fake antivirus installer observed infecting systems in Eastern and Central Eurasia
- Recent upticks in voter registration and U.S. election themed phishing emails
- Indicators associated with Ryuk ransomware identified by multiple government and private sector cybersecurity entities
- Recent activity by the Iran-linked Phosphorus group targeting individuals attending upcoming high-profile international conferences
- New malicious backdoors associated with the Operation Earth Kitsune cyber espionage campaign

IN THE IRONDOME

This Month in the IronDome

Rating alerts diminishes “alert fatigue” for your SOC.

The IronDefense network detection and response solution detects behavior-based anomalies as follows:

- The NetFlow or enriched network metadata (“IronFlows”) collected by IronNet sensors is analyzed by a participating enterprise’s IronDefense instance before being sent to IronDome for higher order analysis and correlation with other IronDome members.
- IronNet’s IronDome Collective Defense platform delivers a unique ability to correlate patterns of behavior across IronDome participants within an enterprise’s business ecosystem, industry sector, or region.

This ability to analyze and correlate seemingly unrelated instances is critical for identifying sophisticated attackers who leverage varying infrastructures to hide their activity from existing cyber defenses.

On the following page is a snapshot of this month’s alerts.

IN THE IRONDOME

Monthly Alert Snapshot

204B Flows Ingested: Network data or NetFlow is sent to IronDefense for processing before being sent to IronDome for behavioral correlation with other IronDome participants.

399K Alerts Detected: IronDefense identifies potential cyber threats in your environment by processing participants’ logs with big data analytics, an expert system where analysts rate the severity of the alerts, and behavioral models.

IronNet Expert System: IronNet’s proprietary Expert System combines analytic results with computational rules based on our unique tradecraft experience. This essentially automates Tier 1 SOC analysis to enhance scoring precision.

1,672 High Severity Alerts: Validated by IronNet’s Expert System, these results are communicated to IronDefense and IronDome participants.

746 Correlated Alerts: Severe alerts that have been found in more than one IronDome participant’s network.
- 49 found between two participants
- 697 found among more than two participants

TRACKING INDUSTRY THREATS

Efforts to Disrupt TrickBot Emerge

A group of international cybersecurity firms has announced a coordinated effort to disrupt the widespread TrickBot botnet. Microsoft obtained a court order and coordinated with telecommunications providers to cut off a large number of TrickBot’s command and control (C2) servers.

This comes on the heels of reports earlier in October that the U.S. Cyber Command was responsible for disrupting TrickBot by distributing bogus configuration files to infected Windows systems. These configuration files changed the designated C2 server to “localhost” in an attempt to disconnect the Windows systems from the botnet.

TrickBot has been one of the most active and pervasive malware families since its emergence in 2016. The modular nature of the malware and its decentralized and resilient C2 infrastructure make it especially difficult to consistently detect and disrupt. Such threats require dynamic and collaborative security solutions to rapidly identify new communication channels and functionality.

TRACKING INDUSTRY THREATS

Iranian “MuddyWater” Group Linked to Recent Attacks

Cybersecurity researchers have identified a recent campaign targeting multiple Israeli organizations. The campaign has been attributed to MuddyWater, a threat actor that has been previously tied to the Iranian Islamic Revolutionary Guard Corps. The group attempted to install a malicious downloader known as PowGoop during this most recent campaign. PowGoop was likely used during another recent intrusion into a Middle Eastern state-run organization in which an unidentified group of threat actors also deployed the Thanos ransomware. This activity suggests the presence of PowGoop may serve as a precursor to ransomware deployment.

Since MuddyWater has not been previously observed conducting such ransomware attacks, researchers speculate that the actual goal of this attack may have been to serve as a de facto destructive attack, similar to destructive attacks carried out by other Iranian threat actors in the past.

Publicly available network indicators related to PowGoop have been deployed as threat intelligence rules in IronDefense. IronNet Hunters have also conducted focused queries to identify any recent network activity potentially related to such activity.

Ransomware Gang Increasingly Targeting Hospitals

In recent weeks, the cybersecurity community has witnessed an uptick in ransomware attacks targeting hospitals and healthcare facilities. Last week, several U.S. federal agencies released a joint advisory highlighting the “imminent threat” from these ransomware operators. The advisory also provided recommendations for detecting and mitigating such threats.

Since the advisory’s release, news has surfaced that healthcare systems in Oregon, New York, and Vermont have been affected by ransomware. Private sector reporting has attributed these campaigns to the Ryuk ransomware gang, sometimes known as UNC1878 or Wizard Spider, a criminal group likely operating out of Russia.

The infection vectors commonly preceding the deployment of Ryuk are not particularly new or novel. Email phishing using malicious attachments and embedded hyperlinks have been cited as typical ways in which attackers first gain access to victim networks. A defense-in-depth strategy leveraging a combination of email inspection, network detection and response (NDR), endpoint detection solutions, and comprehensive backup and recovery systems represents the best path to combating such ransomware infections.

TRACKING INDUSTRY THREATS

U.S. Government Names and Shames Multiple Russian Hacking Groups

In October, the U.S. government took action against multiple Russian state-sponsored hacking groups. The Justice Department announced the indictment of six Russian men who are members of a group known as the Sandworm Team. The indictment lists numerous intrusion campaigns executed by these actors, including the infamous NotPetya attacks, targeting of French politicians and government entities during the 2017 elections, and efforts to interfere in media and government networks in Georgia in 2018 and 2019. These charges also included the first official acknowledgement by the U.S. government that Sandworm was responsible for the Olympic Destroyer malware used to disrupt the 2018 Winter Olympic Games in PyeongChang, South Korea.

The U.S. Department of the Treasury imposed sanctions on the Russian Central Scientific Research Institute of Chemistry and Mechanics, effectively cutting off any U.S. business or engagement with the research institute and proposing sanctions against third-party nations that continue to do business with them. The sanctions represent the first public acknowledgement by the U.S. government of the institute’s connection to the Triton malware designed to target industrial safety systems, which had been previously alleged by private sector cybersecurity researchers.

Additionally, the U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory detailing active targeting of U.S. state and local governments and aviation networks by Berserk Bear actors. While the advisory stated that these intrusions did not appear to have disrupted any operations within the targeted networks, the group did successfully exfiltrate data from at least two victims and appeared to be hunting for information such as network configurations, passwords, and vendor purchasing data.

The pace and volume of these government initiatives highlight the significance of the threat posed by Russian cyber actors to a variety of sectors and underscore the value of collective intelligence sharing and rigorous defense-in-depth strategies.

INTRODUCTION

Why Collective Defense?

“IronDome enables us to proactively defend against emerging cyber threats by uniquely delivering machine speed anomaly detection and event analysis across industry peers and other relevant sectors.”
— CISO, Industry-Leading North American Energy Company

This report features threat findings, analysis, and research shared across IronDome, the industry’s first Collective Defense platform for sharing network behavior analytics and intelligence detected between and across sectors, states, and nations so IronDome participants can work together in near-real-time to collaboratively defend against sophisticated cyber adversaries.

Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of IronNet Cybersecurity, Inc. Copyright 2020. IronNet Cybersecurity, Inc. All rights reserved.

Your Partner in Collective Defense

IronNet’s goal is to strengthen Collective Defense by detecting unknown threats using behavior-based analysis, rating these threats to reduce “alert fatigue,” and sharing them within the IronDome ecosystem to empower SOC teams across the community to prioritize and accelerate response, and defend better, together.

By working together in this way, we can raise the bar on cybersecurity defense at your enterprise or organization, across sectors at large, and on behalf of nations.

