IronNet's September Threat Intelligence Brief

As we look back on August, ransomware remains the name of the cyber attack game.A new ransomware familycalled LockFile has surfaced to target victims in various industries around the globe. First seen on the network of a U.S. financial organization on July 20th, LockFile’s latest activity was observed on August 20th.  

At IronNet, we look to behavioral analytics to detect such unknown threats on enterprise networks before adversaries succeed at their end-game: exploitation or exfiltration. When it comes to ransomware attacks and other types of attack campaigns, early detection is critical. First, we do the threat detection groundwork needed to spot abnormal network activity across our customers’ networks. Second, our expert system scores these alerts, prioritizing the most interesting events to help cut down on alert fatigue. Finally, we take a Collective Defense approach to crowdsourced threat sharing in real time.

The September IronNet Threat Intelligence Brief 

This ability to analyze and correlate seemingly unrelated instances is critical for identifying sophisticated attackers who leverage varying infrastructures to hide their activity from existing cyber defenses. As reported in the September Threat Intelligence Brief, our analysts review alerts from millions of data flows that are ingested and processed with big data analytics. We apply ratings to the alerts (benign/suspicious/malicious) and immediately share them with IronDome Collective Defense participants. 

Here is a snapshot of what we discovered across the IronDome communities in August, showing 429 correlated alerts across IronDome participant environments:

Given the unique cross-sector visibility and collective defense capabilities of IronDome, we are able to highlight the most frequent behaviors each month enabling us to track trends over time. For August, the most frequent behavior analytics were Domain Analysis HTTP (652), Domain Generation Algorithm (371), and Domain Analysis TLS (211).

Analysis of IOCs 

In addition to correlated alerts, significant IronDome community findings revealed 532 Indicators of Compromise (IoC) that may pose risk to IronDome participant environments. For example, we analyzed the malicious pipelinecrm[.]email domain, which hosts a phishing scam targeting pipeline customer relationship management.

All the IoCs we analyzed are used to trigger alerts that are mapped to the Cyber Kill Chain to identify the stage and progression of the threat. They can be used to create detection rules for network, endpoint, or other security tools currently deployed to mitigate cyber risk in each IronDome participant’s environment. 

See the September Threat Intelligence Brief for the full list of recent IoCs.

The bigger picture of Collective Defense 

Every month, IronNet’s expert threat analysts create threat intelligence rules (TIRs) based on significant community findings from IronDome, malware analysis, threat research, or other methods to ensure timely detection of malicious behavior targeting an enterprise or other IronDome community participants. 

In August, we created 4,301 threat intel rules of our 263,196 created to date. Some examples of this month’s research related to indicators associated with malware delivery domains for AgentTesla, Gafgyt, Sabsik, and Dridex malware, as well as IoCs surrounding the Chinese state-sponsored threat group APT40.

This combination of behavior-driven and IoC signature-based detection, alert ranking, and sharing ensures IronDome participants have the broadest view of threats facing their enterprise.

New ransomware strain emerges

As I mentioned, a new ransomware family called LockFile has surfaced to target victims in various industries around the globe. The new ransomware strain has already hit at least 10 corporations. Most of its victims are based in the U.S. and Asia in the sectors of manufacturing, financial services, engineering, legal, business, and tourism.

Two aspects of LockFile’s attack chain are garnering attention: ProxyShell and PetitPotam. LockFile exploits ProxyShell vulnerabilities to gain access to Microsoft Exchange email servers, which threat actors use to pivot to companies’ internal networks. ProxyShell is the name for three vulnerabilities that are chained together to accomplish unauthenticated remote code execution on Microsoft Exchange servers. LockFile uses the PetitPotam exploit to take over a company’s Windows domain controller and deploy file-encrypting payloads to connected workstations. PetitPotam is an NTLM (New Technology LAN Manager) relay attack bug that low-privileged attackers can use to take over a domain controller, which allows them to have control over the entire Windows domain and run any command they want.

You can see the latest industry news in the full report or check out IronNet’s threat intelligence web page.

About Ironnet
Founded in 2014 by GEN (Ret.) Keith Alexander, IronNet Cybersecurity is a global cybersecurity leader that is revolutionizing how organizations secure their networks by delivering the first-ever Collective Defense platform operating at scale. Employing an extraordinarily high percentage of former NSA cybersecurity operators with offensive and defensive cyber experience, IronNet integrates deep tradecraft knowledge into its industry-leading products to solve the most challenging cyber problems facing the world today. Follow IronNet on Twitter and LinkedIn.