IronNet’s Threat Intelligence Dossier for March 2021

News of a new wave of SUNBURST attacks sent ripples of concern across the cybersecurity world, but it has turned out to be untrue.

Russian state-sponsored actors may well be preparing another wide-scale campaign, but the recently reported activity uses a delivery method different from the one seen in the SolarWinds attack, and it has been attributed to Sandworm, a Russian intrusion set.

In the recent case, the Sandworm group exploited known weaknesses in Centreon, an IT monitoring suite made by the French company of the same name and widely used by organizations in Europe. (Centreon servers are commonly deployed on CentOS Linux, but it was the Centreon application that was targeted, not the operating system.) IT firms and web hosting providers running Centreon were the main victims.

It is worth noting that the compromised installations were outdated releases of the open-source edition of Centreon; the attackers went after the free version rather than the paid one. They exploited already-known weaknesses in these unpatched servers to install the P.A.S. web shell and the Exaramel backdoor. The intrusion method differs entirely from the one used in the SolarWinds attack, but both campaigns appear to be widespread. The practical check is a simple one: any Centreon instance still on an old, unpatched release, especially one reachable from the Internet, should be treated as a priority for patching or isolation.

IronNet uses behavioral analytics to detect such threats on networks. The process starts with the monitoring needed to identify unusual activity across enterprise networks. In the second stage, an analytic system ranks the resulting events to reduce alert fatigue. In the final step, the threats are shared in real time with the collective defense community.

Threat Intelligence Dossier for March 2021

It is crucial to correlate apparently unrelated events in order to recognize sophisticated actors who spread their activity across multiple platforms to evade the defenses already in place. IronNet analysts use data science to process, analyze, and review the millions of alerts generated from network data flows. Identified threats and anomalies are then rated benign, suspicious, or malicious, and IronNet shares the findings with its collective defense participants.

IoC Assessment

Besides the associated alerts, the IronDome community identified 177 Indicators of Compromise (IoCs) that may put participants at risk. One example is 542782[.]com, a domain used by bad actors in eBay live-chat frauds. If it appears in your enterprise network, check for a breach of personally identifiable information and block the domain immediately. Another is macbethbroy[.]ga, a standard phishing domain used to steal login credentials. Both domains are written in defanged form (with "[.]" in place of the dot) so they cannot be clicked by accident; restore the dot before adding them to a block list or detection rule.

All assessed IoCs are used to generate alerts mapped to the Cyber Kill Chain, so that the phase and progress of a threat can be identified. The IoCs can also be turned into detection rules for enterprise networks, endpoints, and the other security tools you use to reduce risk.
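As an added example (not code from the original dossier or from IronNet), the following script shows what turning the two published IoCs into a detection rule looks like in practice: refanging the "[.]" notation, matching the domains (and their subdomains, but not look-alike suffixes) against DNS and proxy log lines, tagging each hit with a kill-chain phase, and ranking internal hosts by how many distinct indicators they touched. The log lines are constructed for the example, and the phase assigned to each domain is an illustrative assumption, not IronNet's own mapping.

```python
import re
from collections import defaultdict

# Constructed IoC feed in the defanged form the dossier uses. The two domains are
# the ones named in the text; the kill-chain phases are illustrative assumptions.
IOC_FEED = [
    {"indicator": "542782[.]com",     "phase": "Actions on Objectives", "note": "eBay live-chat fraud"},
    {"indicator": "macbethbroy[.]ga", "phase": "Delivery",              "note": "credential phishing"},
]

# Constructed log lines (not real traffic): DNS resolver queries and web proxy requests.
SAMPLE_LOGS = [
    "2021-03-02T10:14:07Z dns client=10.20.3.44 query=login.macbethbroy.ga type=A",
    "2021-03-02T10:14:09Z proxy src=10.20.3.44 url=https://login.macbethbroy.ga/ebay/signin.php status=200",
    "2021-03-02T11:02:31Z dns client=10.20.7.12 query=www.example.com type=A",
    "2021-03-02T11:40:55Z proxy src=10.20.9.8 url=http://542782.com/chat status=200",
    "2021-03-02T11:41:02Z dns client=10.20.9.8 query=macbethbroy.ga type=A",
    "2021-03-02T11:41:09Z dns client=10.20.9.8 query=notmacbethbroy.ga type=A",  # look-alike, must not match
]

HOST_RE = re.compile(r"(?:query=|url=https?://)([A-Za-z0-9.-]+)")
SRC_RE = re.compile(r"(?:client|src)=([0-9.]+)")


def refang(indicator: str) -> str:
    """Convert defanged notation ("[.]", "hxxp") back into a matchable, lower-cased domain."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower().rstrip(".")


def matches(hostname: str, ioc_domain: str) -> bool:
    """True for the IoC domain itself or any subdomain of it; false for look-alike suffixes."""
    hostname = hostname.lower().rstrip(".")
    return hostname == ioc_domain or hostname.endswith("." + ioc_domain)


def scan(lines, feed=IOC_FEED):
    """Return one hit per (log line, IoC) pair: source host, contacted host, IoC and kill-chain phase."""
    indicators = [(refang(entry["indicator"]), entry) for entry in feed]
    hits = []
    for line in lines:
        host_match = HOST_RE.search(line)
        if not host_match:
            continue  # line carries no hostname we know how to extract
        host = host_match.group(1)
        src_match = SRC_RE.search(line)
        src = src_match.group(1) if src_match else "unknown"
        for domain, entry in indicators:
            if matches(host, domain):
                hits.append({"src": src, "host": host, "ioc": domain,
                             "phase": entry["phase"], "note": entry["note"]})
    return hits


def prioritize(hits):
    """Rank internal sources by distinct IoCs touched, then by event count (most suspicious first)."""
    by_src = defaultdict(lambda: {"iocs": set(), "phases": set(), "events": 0})
    for hit in hits:
        summary = by_src[hit["src"]]
        summary["iocs"].add(hit["ioc"])
        summary["phases"].add(hit["phase"])
        summary["events"] += 1
    ranked = sorted(by_src.items(),
                    key=lambda kv: (len(kv[1]["iocs"]), kv[1]["events"]), reverse=True)
    return [(src, sorted(d["iocs"]), sorted(d["phases"]), d["events"]) for src, d in ranked]


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for hit in found:
        print(hit)
    for src, iocs, phases, events in prioritize(found):
        print(f"{src}: {events} event(s), IoCs={iocs}, phases={phases}")
```

The suffix check in matches() is the detail that most often goes wrong in quick IoC scripts: a plain substring or endswith() test would flag notmacbethbroy.ga as a hit and miss nothing, so it looks correct until an analyst chases a false positive. The ranking step is a small stand-in for the event prioritization described above: a host that has touched two different indicators in two kill-chain phases is worth looking at before one that has queried a single phishing domain twice.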

Collective Defense – A Holistic View

IronNet analysts develop threat intelligence rules each month, based on notable detections made by the IronDome community, malware analysis, research, and other sources. IronNet makes sure that its defense community members receive timely information about malicious activity on enterprise networks.

In the previous month, IronNet analysts developed 8,325 threat intelligence rules. The research behind them included indicators linked to the SystemBC malware used in Egregor ransomware attacks and to the Bazar Trojan used in phishing campaigns.

A combination of behavior-based and IoC-based detection, event ranking, and real-time sharing gives IronDome participants a broader, unified view of cybersecurity risks and threats.

The SolarWinds Attack’s Aftershocks Continue

The SolarWinds attack has revealed newer and more complex threats from state-sponsored groups. Hackers sponsored by China may have gained access to SolarWinds software at the National Finance Center (NFC), a US federal payroll agency. Unlike the original supply chain attack, it appears that the Chinese actors exploited a different flaw in the Orion software, unrelated to the trojanized SUNBURST update, to carry out unusual activity on a compromised network.

More information about these latest attacks is not yet available, but IronNet said it is working to learn more about the breaches. At present it is not known what the attackers stole or how many organizations fell victim.

The NFC handles payroll for many government agencies, including the Department of Homeland Security, the State Department, and the FBI, so it holds a trove of data that would be valuable to China and could be used to compromise US national security. Once the attribution is confirmed, it could also shed more light on the SUPERNOVA web shell.

