While the fallout of the SolarWinds/SUNBURST attack continues to unfold, China has also entered the threat landscape. Though the APT group HAFNIUM is believed to have been exploiting flaws in on-premise Microsoft Exchange servers since January 6th, 2021, Microsoft publicly acknowledged the vulnerabilities on March 2nd and released several security updates to address them, recommending that administrators install the patches immediately. The supposed motive of this APT group's attack aligns with the typical strategy of Chinese cyber attacks: intellectual property theft.
We look to behavioral analytics to detect such unknown threats on enterprise networks before adversaries like HAFNIUM succeed at their end-game: exploitation or exfiltration. First, we do the threat detection groundwork needed to spot abnormal network activity across our customers’ networks. Second, our expert system scores these alerts, prioritizing the most interesting events to help cut down on alert fatigue. Finally, we take a Collective Defense approach to threat sharing in real time.
The April IronNet Threat Intelligence Brief
This ability to analyze and correlate seemingly unrelated instances is critical for identifying sophisticated attackers who leverage varying infrastructures to hide their activity from existing cyber defenses. As reported in the April Threat Intelligence Brief, our analysts review alerts from millions of data flows that are ingested and processed with big data analytics. We apply ratings to the alerts (benign/suspicious/malicious) and immediately share them with IronDome Collective Defense participants.
Here is a snapshot of what we discovered across the IronDome communities in March, showing 822 correlated alerts across IronDome participant environments.
Analysis of IOCs
In addition to correlated alerts, significant IronDome community findings revealed 108 Indicators of Compromise (IoCs) that may pose a risk to IronDome participant environments. For example, we analyzed window98originalmain[.]live. This domain is associated with ad redirect software. In the traffic in question, the user was redirected to multiple sites associated with ad redirect software, including basque[.]buzz, window98originalmain[.]live, and comppiwareresfai[.]tk. No downloads were observed, but the techniques used were indicative of malspam. We recommend blocking traffic to this domain.
All the IoCs we analyzed are used to trigger alerts that are mapped to the Cyber Kill Chain to identify the stage and progression of the threat. They can be used to create detection rules for network, endpoint, or other security tools currently deployed to mitigate cyber risk in each IronDome participant’s environment.
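As an added illustration (not IronNet's code or IronDome's rule format), the following Python turns the defanged domains quoted above into a blocklist and scans constructed proxy log lines for hosts that equal or sit under those domains, reporting the per-client chain of IoC domains so an analyst can see the redirect sequence the brief describes. Log lines, the client IPs and the URL paths are constructed; only the three domains come from the brief.

```python
import re
from typing import Dict, Iterable, List, Optional

# IoC domains exactly as quoted in the brief, in defanged "[.]" notation.
DEFANGED_IOCS = [
    "window98originalmain[.]live",
    "basque[.]buzz",
    "comppiwareresfai[.]tk",
]

def refang(domain: str) -> str:
    """Turn a defanged indicator ("example[.]com") back into a matchable hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().strip(".")

def build_blocklist(iocs: Iterable[str]) -> frozenset:
    return frozenset(refang(d) for d in iocs)

def host_matches(host: str, blocklist: frozenset) -> Optional[str]:
    """Return the blocklisted domain that host equals or is a subdomain of, else None."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels) - 1):          # never match on a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

# Constructed proxy log lines (not from the brief): "<ts> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2021-03-10T14:02:11Z 10.1.5.23 GET http://news-example.test/article 200
2021-03-10T14:02:12Z 10.1.5.23 GET http://basque.buzz/go?x=1 302
2021-03-10T14:02:13Z 10.1.5.23 GET http://cdn.window98originalmain.live/land 302
2021-03-10T14:02:14Z 10.1.5.23 GET http://comppiwareresfai.tk/offer 200
2021-03-10T14:05:40Z 10.1.5.99 GET http://intranet.example.test/ 200
"""

URL_HOST = re.compile(r"^https?://([^/:?#]+)")

def scan_proxy_log(log_text: str, blocklist: frozenset) -> Dict[str, List[str]]:
    """Map each client IP to the ordered list of blocklisted domains it contacted."""
    hits: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                          # skip malformed lines
        m = URL_HOST.match(fields[3])
        matched = host_matches(m.group(1), blocklist) if m else None
        if matched:
            hits.setdefault(fields[1], []).append(matched)
    return hits

if __name__ == "__main__":
    for client, chain in scan_proxy_log(SAMPLE_LOG, build_blocklist(DEFANGED_IOCS)).items():
        print(f"{client}: redirect chain through IoC domains -> {' -> '.join(chain)}")
```

The subdomain walk in host_matches is what keeps a host such as cdn.window98originalmain.live from slipping past an exact-match rule.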
See the April Threat Intelligence Brief for the full list of recent IoCs.
The bigger picture of Collective Defense
Every month, IronNet’s expert threat analysts create threat intelligence rules (TIRs) based on significant community findings from IronDome, malware analysis, threat research, or other methods to ensure timely detection of malicious behavior targeting an enterprise or other IronDome community participants.
In March, we created 13,299 threat intel rules, bringing our total to 202,774 created to date. Some examples of this month's research include indicators associated with the Microsoft Exchange exploitation, as well as analysis of indicators associated with Nobelium malware.
This combination of behavior-driven and IoC signature-based detection, alert ranking, and sharing ensures IronDome participants have the broadest view of threats facing their enterprise.
More about the attack of Microsoft Exchange zero-day vulnerabilities
On-premise instances of Microsoft Exchange have been actively exploited in a series of attacks utilizing a collection of zero-day vulnerabilities. The four vulnerabilities affect unpatched, on-premise Exchange servers from version 2013 to 2019, excluding Exchange Online (Office 365). Historically, HAFNIUM has targeted U.S. entities with the goal of exfiltrating information from several industry sectors, including law firms, infectious disease researchers, higher education institutions, defense contractors, non-governmental organizations (NGOs), and policy think tanks. Although HAFNIUM originated in China, it primarily operates from leased virtual private servers (VPS) in the U.S. to conceal its true location, exploiting the legal restriction that prohibits U.S. intelligence agencies from inspecting systems based in the U.S.
Since these vulnerabilities became well-known, numerous threat actors beyond HAFNIUM have also been conducting attacks: a total of five distinct hacking groups have been identified as exploiting these critical flaws in Microsoft’s email software. You can read more about these attacks and IronNet threat analysis here.
You can see the latest industry news in the full report or check out our monthly Cyber Lookback series.