November opens with all eyes on cybersecurity -- from election security concerns related to disinformation campaigns to the executive proclamation of November as Critical Infrastructure Security and Resilience Month. IronNet’s Adam Hlavek highlights recent Russian and Iranian threat activity that makes awareness of critical infrastructure protection an ongoing urgency.
In the IronNet November Threat Intelligence Brief, we look to behavioral analytics to detect these unknown threats on enterprise networks, including mission-critical sectors such as energy and healthcare. Here’s how our IronDefense Network Detection and Response solution works. First, we do the threat detection groundwork needed to spot abnormal network activity across our customers’ networks. Second, our expert system scores these alerts, prioritizing the most interesting events to help cut down on alert fatigue. Finally, we take a Collective Defense approach to threat sharing in real time so SOC analysts across companies can answer the common question: “What’s going on here?”
With IronNet’s correlated threat knowledge and SOAR integrations, SOC analysts can respond faster to threats, using their existing SOAR platform (e.g., integrations for Splunk Phantom).
Below is an overview of our latest threat intelligence brief from the IronNet CyOC team:
The November Threat Intelligence Brief
The ability to analyze and correlate seemingly unrelated instances is critical for identifying sophisticated attackers who leverage varying infrastructures to hide their activity from existing cyber defenses. Analysts in the IronNet Cyber Operations Center (CyOC) review alerts from millions of data flows that are ingested and processed with big data analytics. We apply ratings to the alerts (benign/suspicious/malicious) and immediately share them with IronDome Collective Defense participants.
Here is a snapshot of what we discovered and correlated across the IronDome communities in October, showing 746 alerts across IronDome participant environments:
Analysis of IOCs
In addition to correlated alerts, significant IronDome community findings revealed 232 Indicators of Compromise (IoCs) that may pose risk to IronDome participant environments. For example, we analyzed a phishing site (accessbny[.]com) imitating a Bank of New York login portal. The site appears to be targeting customers’ user credentials. We also looked into two suspicious domains targeting PayPal and Best Buy. First, the paypal-debit[.]com domain is related to credit card skimming activity. Investigate the traffic for loss of personally identifiable information (PII). Second, although the bestbuystoreapple[.]com domain claims to sell Apple products, it has no association with Apple Inc. and is likely a scam website selling fake products. OSINT sources also associate this domain with suspicious activity.
All the IoCs we analyzed are used to trigger alerts that are mapped to the Cyber Kill Chain to identify the stage and progression of the threat. They can be used to create detection rules for network, endpoint, or other security tools currently deployed to mitigate cyber risk in each IronDome participant’s environment.
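As an added illustration of turning the defanged domains quoted above into a network detection rule (example code written for this post, not IronNet's own tooling), the script below refangs the indicators and matches them against a few constructed DNS-log lines, including subdomains of each IoC while ignoring look-alike names that merely end with the same characters.

```python
import re

# Defanged IoCs quoted in the brief, with the activity the brief associates with each.
DEFANGED_IOCS = {
    "accessbny[.]com": "credential phishing (Bank of New York lookalike)",
    "paypal-debit[.]com": "credit card skimming",
    "bestbuystoreapple[.]com": "scam storefront",
}

def refang(indicator: str) -> str:
    """Turn the defanged report form back into a matchable lower-case domain."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}

def domain_matches(qname: str, ioc: str) -> bool:
    """True for the IoC itself or any subdomain of it (login.accessbny.com matches accessbny.com),
    but not for names that only share a suffix (notpaypal-debit.com does not match)."""
    q = qname.lower().rstrip(".")
    return q == ioc or q.endswith("." + ioc)

# Constructed sample DNS log in a simple "timestamp client qname qtype" format (not real data).
SAMPLE_LOG = """\
2020-10-05T09:12:01Z 10.1.4.22 www.example.org A
2020-10-05T09:12:07Z 10.1.4.22 login.accessbny.com A
2020-10-05T09:15:40Z 10.1.7.9 paypal-debit.com A
2020-10-05T09:16:02Z 10.1.7.9 notpaypal-debit.com A
2020-10-05T09:20:13Z 10.1.2.3 cdn.bestbuystoreapple.com AAAA
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def scan_dns_log(text: str) -> list:
    """Return one hit per log line whose queried name matches a known IoC."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, qname, qtype = m.groups()
        for ioc, category in IOCS.items():
            if domain_matches(qname, ioc):
                hits.append({"ts": ts, "client": client, "qname": qname,
                             "ioc": ioc, "category": category})
    return hits

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
```

The same matching logic applies unchanged to proxy or TLS SNI logs once the queried-name field is extracted.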
See the IronNet November Threat Intelligence Brief for the full list of recent IoCs.
The bigger picture of Collective Defense
Every month, IronNet’s expert threat analysts create threat intelligence rules (TIRs) based on significant community findings from IronDome, malware analysis, threat research, or other methods to ensure timely detection of malicious behavior targeting an enterprise or other IronDome community participants.
In October, we created 7,750 threat intel rules of our 159,879 created to date. Some examples of this month’s research include indicators associated with the Ryuk ransomware infection chain tied to recent malspam campaigns, as well as analysis of the Russian-language malware MontysThree, which has been leveraged for industrial espionage operations.
This combination of behavior-driven and IoC signature-based detection, alert ranking, and sharing ensures IronDome participants have the broadest view of threats facing their enterprise.
Iranian “MuddyWater” group linked to recent attacks
The IronNet CyOC continues to track industry threats to strengthen cybersecurity resilience across industries. Cybersecurity researchers have identified a recent campaign targeting multiple Israeli organizations. The campaign has been attributed to MuddyWater, a threat actor that has been previously tied to the Iranian Islamic Revolutionary Guard Corps. The group attempted to install a malicious downloader known as PowGoop during this most recent campaign. PowGoop was likely used during another recent intrusion into a Middle Eastern state-run organization in which an unidentified group of threat actors also deployed the Thanos ransomware. This activity suggests the presence of PowGoop may serve as a precursor to ransomware deployment.
Since MuddyWater has not been previously observed conducting such ransomware attacks, researchers speculate that the actual goal of this attack may have been to serve as a de facto destructive attack, similar to destructive attacks carried out by other Iranian threat actors in the past.
Publicly available network indicators related to PowGoop have been deployed as threat intelligence rules in IronDefense. IronNet Hunters have also conducted focused queries to identify any recent network activity potentially related to such activity. You can read more about MuddyWater in IronNet’s Iranian Cyber Threat Report.
You can see the latest industry news in the full report and in IronNet News.
That’s a wrap from the CyOC. See you next month.