This month wraps up a year of heightened activity on all fronts. As we cover in the December Threat Intelligence Brief, we are seeing adversaries that are taking advantage of the COVID-19 crisis to ongoing nation-state threats, including Chinese cyber espionage activity reported in newly published research, the threats are rampant.
Phishing remains a common, go-to technique, such as a series of recent campaigns targeting companies and organizations involved in industrial production from the oil and gas, energy, manufacturing, and logistics sectors, as reported here.
We look to behavioral analytics to detect these unknown threats on enterprise networks, including mission-critical sectors such as energy and utilities. Here’s how our IronDefense NDR solution works. First, we do the threat detection groundwork needed to spot abnormal network activity across our customers’ networks. Second, our expert system scores these alerts, prioritizing the most interesting events to help cut down on alert fatigue. You can learn how the expert system works here. Finally, we take a Collective Defense approach to threat sharing in real time so SOC analysts across companies can answer the common question: “What’s going on here?”
With IronNet’s correlated threat knowledge and SOAR integrations, SOC analysts can respond faster to threats within their existing SOAR platform (e.g., integrations for Splunk Phantom).
The December Threat Intelligence Brief
The ability to analyze and correlate seemingly unrelated instances is critical for identifying sophisticated attackers who leverage varying infrastructures to hide their activity from existing cyber defenses. Analysts in the IronNet Cyber Operations Center (CyOC) review alerts from millions of data flows that are ingested and processed with big data analytics. We apply ratings to the alerts (benign/suspicious/malicious) and immediately share them with IronDome Collective Defense participants.
Here is a snapshot of what we discovered and correlated across the IronDome communities in November, showing 652 alerts across IronDome participant environments:
Analysis of IOCs
In addition to correlated alerts, significant IronDome community findings revealed 96 Indicators of Compromise (IoC) that may pose risk to IronDome participant environments. For example, we analyzed the malicious domain facelook[.]no. This URL is the initialization vector for the Magento 1 Credit Card Skimmer. Once the skimmer script loads on the hacked website, customer information is sent to the malicious actor via one of the following domains: mcdnn[.]me, imags[.]pw, or consoler[.]in.
All the IoCs we analyzed are used to trigger alerts that are mapped to the Cyber Kill Chain to identify the stage and progression of the threat. They can be used to create detection rules for network, endpoint, or other security tools currently deployed to mitigate cyber risk in each IronDome participant’s environment.
See the December Threat Intelligence Brief for the full list of recent IoCs.
The bigger picture of Collective Defense
Every month, IronNet’s expert threat analysts create threat intelligence rules (TIRs) based on significant community findings from IronDome, malware analysis, threat research, or other methods to ensure timely detection of malicious behavior targeting an enterprise or other IronDome community participants.
In November, we created 5,179 threat intel rules of our 165,058 created to date. Some examples of this month’s research include indicators associated with domains used by
Iranian military intelligence to conduct a covert online influence campaign. We also analyzed tactics used by Malsmoke malware operators, who leverage social engineering to prompt users to download fake software updates, and we researched the WAPDropper Android malware, which subscribes victim devices to unwanted telecommunications services after successful infection.
This combination of behavior-driven and IoC signature-based detection, alert ranking, and sharing ensures IronDome participants have the broadest view of threats facing their enterprise.
Multiple foreign cyber actors targeting COVID-19 research
The IronNet CyOC continues to track industry threats to strengthen cybersecurity resilience across industries. The alarming trend of cyber actors targeting pharmaceutical companies and researchers working towards COVID-19 vaccines and treatments continues. Two recent reports indicate that multiple groups of state-sponsored threat actors are targeting research entities in North America, Europe, and Asia. Microsoft announced it had detected the infamous Russian group Strontium (also known as APT28 or Fancy Bear) utilizing password spraying and bruteforce login attacks to steal login credentials. The same announcement indicated that two North Korea-linked groups were observed using email spearphishing to attempt to gain access to multiple targeted networks. Separate research released earlier this month uncovered that another North Korean group known as Kimsuky (also tracked as Thallium) has been targeting COVID-19 research using a previously undocumented variety of malware.
The types of entities targeted by these campaigns fall outside the threat actors’ typical victim sectors and regions, suggesting the groups are pivoting to newly prioritized targets at the behest of government leadership. The rogue regimes behind these campaigns are undoubtedly looking to accelerate their own medical research through any means necessary in light of the international pandemic and its crippling effects. Such broad pivots in operational targeting illustrate the potential advantages of cross-company, cross-sector, and international data sharing and a collective approach to cyber defense.
You can see the latest industry news in the full report and in IronNet News.
That’s a wrap from the CyOC. See you next month.