The SolarWinds/SUNBURST attack dominated threat intelligence activity last month and continues to unfold. For more information about SolarWinds, please see this blog post on IronNet’s website.
While information on these intrusions is still incomplete, IronNet is taking proactive steps to ensure the security of our internal networks and our customers’ networks. You can read more in our January Threat Intelligence Brief about the steps we are taking. In addition, you can find coverage of the SolarWinds tactics, techniques, and procedures (TTPs) here, and the blog “SolarWinds/SUNBURST: DGA or DNS Tunneling?” by our threat analysis lead Peter Rydzynski takes a look at this subtle, but important, distinction for identifying attackers' behaviors — and predicting their next moves.
We look to behavioral analytics to detect such unknown threats on enterprise networks. First, we do the threat detection groundwork needed to spot abnormal network activity across our customers’ networks. Second, our expert system scores these alerts, prioritizing the most interesting events to help cut down on alert fatigue. Finally, we take a Collective Defense approach to threat sharing in real time.
The January Threat Intelligence Brief
The ability to analyze and correlate seemingly unrelated instances is critical for identifying sophisticated attackers who leverage varying infrastructures to hide their activity from existing cyber defenses. Our analysts review alerts from millions of data flows that are ingested and processed with big data analytics. We apply ratings to the alerts (benign/suspicious/malicious) and immediately share them with IronDome Collective Defense participants.
Here is a snapshot of what we discovered and correlated across the IronDome communities in December, showing 217 alerts across IronDome participant environments:
Analysis of IOCs
In addition to correlated alerts, significant IronDome community findings revealed 71 Indicators of Compromise (IoCs) that may pose risk to IronDome participant environments. For example, we analyzed avsvmcloud[.]com. This is a known-bad domain that was used for command and control (C2) communications in the SolarWinds SUNBURST attack.
All the IoCs we analyzed are used to trigger alerts that are mapped to the Cyber Kill Chain to identify the stage and progression of the threat. They can be used to create detection rules for network, endpoint, or other security tools currently deployed to mitigate cyber risk in each IronDome participant’s environment.
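As an added illustration of turning a published IoC into a detection rule (example code, not IronNet's tooling): the script below refangs the avsvmcloud[.]com indicator named above, scans constructed DNS query log lines for the domain or any subdomain of it, and tags each hit with the kill-chain stage the indicator represents. The log format, client addresses and subdomain label are assumptions for the sample.

```python
from typing import Dict, List

# Indicator from the brief, kept in the defanged form analysts publish it in,
# mapped to the Cyber Kill Chain stage it represents (C2, per the brief).
INDICATORS: Dict[str, str] = {
    "avsvmcloud[.]com": "Command and Control",
}

# Constructed sample DNS query log: "<timestamp> <client-ip> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2020-12-14T10:01:03Z 10.0.5.21 update.example-vendor.test A
2020-12-14T10:01:09Z 10.0.5.44 abc123.avsvmcloud.com A
2020-12-14T10:02:11Z 10.0.5.21 AVSVMCLOUD.COM. A
2020-12-14T10:02:40Z 10.0.5.77 notavsvmcloud.com A
"""


def normalize(name: str) -> str:
    """Lowercase a DNS name and strip the trailing dot of an absolute name."""
    return name.strip().lower().rstrip(".")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (avsvmcloud[.]com) back into a matchable name."""
    return normalize(indicator.replace("[.]", ".").replace("(.)", "."))


def domain_matches(qname: str, indicator: str) -> bool:
    """True if qname is the indicator or a subdomain of it (not a mere string suffix)."""
    q, d = normalize(qname), refang(indicator)
    return q == d or q.endswith("." + d)


def scan_dns_log(log_text: str, indicators: Dict[str, str]) -> List[dict]:
    """Return one alert per log line whose queried name hits an indicator."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the scan
        ts, client, qname, _qtype = parts[:4]
        for ioc, stage in indicators.items():
            if domain_matches(qname, ioc):
                alerts.append({"time": ts, "client": client, "qname": normalize(qname),
                               "indicator": refang(ioc), "stage": stage})
    return alerts


if __name__ == "__main__":
    for alert in scan_dns_log(SAMPLE_DNS_LOG, INDICATORS):
        print(alert)
```

The suffix check is anchored on a leading dot so look-alike names such as notavsvmcloud.com do not produce false positives.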
See the January Threat Intelligence Brief for the full list of recent IoCs.
The bigger picture of Collective Defense
Every month, IronNet’s expert threat analysts create threat intelligence rules (TIRs) based on significant community findings from IronDome, malware analysis, threat research, or other methods to ensure timely detection of malicious behavior targeting an enterprise or other IronDome community participants.
In December, we created 7,829 threat intel rules of our 172,887 created to date. Some examples of this month's research include indicators associated with domains spoofing the World Health Organization and an associated phishing campaign delivering malicious Java attachments. We also analyzed tactics, techniques, and procedures (TTPs) and command and control infrastructure associated with Egregor and Prolock ransomware campaigns.
This combination of behavior-driven and IoC signature-based detection, alert ranking, and sharing ensures IronDome participants have the broadest view of threats facing their enterprise.
SolarWinds breach continues to evolve
The IronNet CyOC continues to track industry threats to strengthen cybersecurity resilience across industries. All eyes are on the SolarWinds/SUNBURST attack.
Numerous reports about the SolarWinds software supply chain breach have been published, providing additional details into this wide-ranging and sophisticated intrusion campaign. Information provided by SolarWinds indicates that up to 18,000 of their customers may have been affected. While the Trojanized version of SolarWinds’ Orion software (dubbed SUNBURST or Solorigate) appears to have been distributed between March and May of 2020, one report suggests that the threat actors behind the breach may have had access to SolarWinds’ network as early as 2019.
Additional research indicates that the threat actors behind these intrusions have also utilized techniques to abuse authentication services. These tactics were cited in an alert from CISA as well. To further complicate matters, research from Microsoft and Palo Alto has described a second piece of malware, tracked as SUPERNOVA, that affects SolarWinds Orion but is distinct from SUNBURST.
As these points illustrate, the cybersecurity community’s understanding of these events is still evolving. IronNet is actively tracking these developments. We are cataloging new and emerging information about this campaign, and are using it to run targeted queries, build and deploy signature-based detections for known Indicators of Compromise, further analyze the related malware, and review the adversarial techniques involved to refine and enhance our behavioral analytics.
You can see the latest industry news in the full January Threat Intelligence Brief and in IronNet News.