On February 24, 2022, Russian President Vladimir Putin approved troops to begin moving into Ukraine-controlled territory. Since the invasion, several cyber attacks - including DDoS attacks, the deployment of wiper malware, and phishing campaigns - have targeted both Ukrainian and Russian public and private entities, and several non-state hacking groups have announced support for Ukraine or Russia. IronNet is continuously monitoring the Russia-Ukraine conflict and tracking the updates here.
At IronNet, we look to behavioral analytics to detect unknown threats on enterprise networks before adversaries succeed at their end-game: exploitation or exfiltration. First, we do the threat detection groundwork needed to spot abnormal network activity across our customers’ networks. Second, our IronDefense NDR expert system scores these alerts, prioritizing the most interesting events to help cut down on alert fatigue. Finally, we take a Collective Defense approach to crowdsourced threat sharing in real time.
The March IronNet Threat Intelligence Brief
This ability to analyze and correlate seemingly unrelated instances is critical for identifying sophisticated attackers who leverage varying infrastructures to hide their activity from existing cyber defenses. As reported in the March Threat Intelligence Brief, our analysts review alerts from millions of data flows that are ingested and processed with big data analytics. We apply ratings to the alerts (benign/suspicious/malicious) and immediately share them with IronDome Collective Defense participants.
Here is a snapshot of what we discovered across the IronDome communities in February, showing 1,135 correlated alerts across IronDome participant environments:
Given the unique cross-sector visibility and Collective Defense capabilities of IronDome, we are able to highlight the most frequent behaviors each month, in turn enabling us to track trends over time. For February, the most frequent behavior analytics were Data Exfiltration (824), New and Suspicious Domains (173), and Credential Phishing (142).
Analysis of IoCs
In addition to correlated alerts, significant IronDome community findings revealed 431 Indicators of Compromise (IoCs) that may pose risk to IronDome participant environments. For example, we analyzed the malicious domain findquickresultsnow[.]com, known as a parked domain that contains associated malicious files, such as Trojans.
All the IoCs we analyzed are used to trigger alerts that are mapped to the Cyber Kill Chain to identify the stage and progression of the threat. They can be used to create detection rules for network, endpoint, or other security tools currently deployed to mitigate cyber risk in each IronDome participant’s environment.
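As an added illustration (not IronNet's code or the brief's own rules), the following Python turns a defanged domain IoC written in the brief's `[.]` notation into a suffix-matching detection rule and runs it over a few constructed DNS query log lines; the BIND-style log format, the client addresses, and the second IoC are assumed placeholders.

```python
import re
from typing import Iterable

# Constructed IoC list in the defanged "[.]" notation the brief uses; the
# first entry is the domain named in the brief, the second is a made-up
# placeholder added only to show that the rule handles several indicators.
DEFANGED_IOCS = ["findquickresultsnow[.]com", "example-ioc-placeholder[.]net"]

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable, normalized domain."""
    return ioc.lower().replace("[.]", ".").strip(".")

def build_rule(iocs: Iterable[str]) -> re.Pattern:
    """Compile one regex matching an IoC domain or any subdomain of it (not look-alikes)."""
    alts = "|".join(re.escape(refang(i)) for i in iocs)
    return re.compile(rf"(?:^|\.)(?:{alts})$")

# Constructed DNS query log lines (BIND-style query log format, assumed).
SAMPLE_DNS_LOG = """\
01-Mar-2022 10:02:11.301 queries: info: client 10.0.0.5#53211: query: www.findquickresultsnow.com IN A + (10.0.0.2)
01-Mar-2022 10:02:12.117 queries: info: client 10.0.0.7#49152: query: updates.example.org IN A + (10.0.0.2)
01-Mar-2022 10:02:13.880 queries: info: client 10.0.0.9#40001: query: FINDQUICKRESULTSNOW.COM. IN AAAA + (10.0.0.2)
01-Mar-2022 10:02:14.002 queries: info: client 10.0.0.5#53212: query: notfindquickresultsnow.com IN A + (10.0.0.2)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")

def match_dns_log(log_text: str, rule: re.Pattern) -> list[tuple[str, str]]:
    """Return (client_ip, queried_name) pairs whose query name hits the IoC rule."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        # Normalize case and the trailing root dot so the rule compares like with like.
        qname = m.group("qname").lower().rstrip(".")
        if rule.search(qname):
            hits.append((m.group("client"), qname))
    return hits

if __name__ == "__main__":
    for client, name in match_dns_log(SAMPLE_DNS_LOG, build_rule(DEFANGED_IOCS)):
        print(f"IoC hit: {client} queried {name}")
```

Note that the look-alike `notfindquickresultsnow.com` is deliberately not matched: anchoring on a label boundary avoids false positives that a plain substring check would raise.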
See the March Threat Intelligence Brief for the full list of recent IoCs.
The bigger picture of Collective Defense
Every month, IronNet’s expert threat analysts create threat intelligence rules (TIRs) based on significant community findings from IronDome, malware analysis, threat research, or other methods to ensure timely detection of malicious behavior targeting an enterprise or other IronDome community participants.
In February, we created 4,388 threat intel rules of our 298,297 created to date. Examples from this month's research include indicators associated with malware delivery domains for Gafgyt, DarkStealer, Emotet, Quasar, and DDoSTF malware.
This combination of behavior-driven and IoC signature-based detection, alert ranking, and sharing ensures IronDome participants have the broadest view of threats facing their enterprise.
Russian cyber warfare
As mentioned, the current Russia-Ukraine war has led to many cyber attacks, including Russian state-sponsored cyber activity by the Gamaredon threat group targeting Ukrainian organizations. Since October 2021, Microsoft has observed Gamaredon targeting Ukrainian organizations in sectors such as government, military, law enforcement, nonprofits, and NGOs, which are organizations that are vital to emergency response and security in Ukraine, as well as organizations that coordinate humanitarian and international aid in Ukraine during a crisis.
Additionally, Palo Alto's Unit 42 shared insights into two recent Gamaredon (aka ACTINIUM, Primitive Bear, Shuckworm) phishing attempts. Unit 42 observed both new and old domains leveraged by the group, and mapped out three large clusters of currently active infrastructure used by Gamaredon to support its various phishing and malware campaigns. These clusters link to over 700 malicious domains, 215 IP addresses, and over 100 samples of malware.
You can see the latest industry news in the full brief or check out IronNet’s threat intelligence hub.