The June IronNet Threat Intelligence Brief

As we look back on May, it’s clear that adversaries across the globe were rampant — from the ransomware attack of the Colonial Pipeline in the U.S. to the Conti ransomware attack of the Health Service Executive (HSE) in Ireland. Meanwhile, on May 27, Microsoft announced that Nobelium, the threat actor behind the SolarWinds attacks, hacked into the Constant Contact account of the United States Agency for International Development (USAID).

At IronNet, we look to behavioral analytics to detect such unknown threats on enterprise networks before adversaries succeed at their end-game: exploitation or exfiltration. First, we do the threat detection groundwork needed to spot abnormal network activity across our customers’ networks. Second, our expert system scores these alerts, prioritizing the most interesting events to help cut down on alert fatigue. Finally, we take a Collective Defense approach to threat sharing in real time.

The June IronNet Threat Intelligence Brief

This ability to analyze and correlate seemingly unrelated instances is critical for identifying sophisticated attackers who leverage varying infrastructures to hide their activity from existing cyber defenses. As reported in the June Threat Intelligence Brief, our analysts review alerts from millions of data flows that are ingested and processed with big data analytics. We apply ratings to the alerts (benign/suspicious/malicious) and immediately share them with IronDome Collective Defense participants. 

Here is a snapshot of what we discovered across the IronDome communities in May, showing 769 correlated alerts across IronDome participant environments:

Analysis of IOCs 

In addition to correlated alerts, significant IronDome community findings revealed 164 Indicators of Compromise (IoC) that may pose risk to IronDome participant environments. For example, we analyzed the malicious googlemanagerapi[.]com. This domain is involved with MageCart hacking of payment card information. If seen in your network, verify any traffic to checkout pages for possible compromised payment information. Other IoCs related to MageCart are tag-manager[.]net and tags-manager[.]com.

All the IoCs we analyzed are used to trigger alerts that are mapped to the Cyber Kill Chain to identify the stage and progression of the threat. They can be used to create detection rules for network, endpoint, or other security tools currently deployed to mitigate cyber risk in each IronDome participant’s environment. 

See the June Threat Intelligence Brief for the full list of recent IoCs.

The bigger picture of Collective Defense 

Every month, IronNet’s expert threat analysts create threat intelligence rules (TIRs) based on significant community findings from IronDome, malware analysis, threat research, or other methods to ensure timely detection of malicious behavior targeting an enterprise or other IronDome community participants. 

In May, we created 12,746 threat intel rules of our 220,804 created to date. Some examples of this month’s research include indicators associated with C2 domains for the Cerber Ransomware-as-a-Service (RaaS) malware and IoCs related to Cobalt Strike beacon payload distribution and C2.

This combination of behavior-driven and IoC signature-based detection, alert ranking, and sharing ensures IronDome participants have the broadest view of threats facing their enterprise.

The Colonial Pipeline ransomware attack

On May 7, Colonial Pipeline learned it was the victim of a ransomware attack that infected its corporate IT network. Colonial Pipeline is a major gasoline distributor that supplies 45% of the U.S. East Coast’s fuel through its 5,500 miles of pipeline. According to Bloomberg, the attackers stole approximately 100GB of data from Colonial Pipeline on Thursday, May 6, before locking some of the company’s computers and servers and demanding a ransom. The attackers reportedly threatened to leak the stolen data to the internet and hold the encrypted information hostage inside the network unless the company paid a ransom. At this time, it does not appear that the operational network that controls the company’s pipelines and distributes fuel was infected, but Colonial temporarily shut down the pipelines as a precautionary measure to prevent the infection from spreading. 

Sources have attributed the attack to DarkSide, a “professional organized hacking organization” composed of veteran cybercriminals who are focused on squeezing out as much money as they can from their targets. Colonial has hired FireEye to manage the incident response investigation, and the company is working together with law enforcement and other federal agencies to investigate and deal with the fallout of the attack. IronNet is monitoring this incident as further details of the compromise and its impact continue to emerge.

You can see the latest industry news in the full June brief or check out IronNet’s threat intelligence web page.

001_May21_Monthly_Report_SM_Promo_1200x627

 

About Ironnet
Founded in 2014 by GEN (Ret.) Keith Alexander, IronNet Cybersecurity is a global cybersecurity leader that is revolutionizing how organizations secure their networks by delivering the first-ever Collective Defense platform operating at scale. Employing an extraordinarily high percentage of former NSA cybersecurity operators with offensive and defensive cyber experience, IronNet integrates deep tradecraft knowledge into its industry-leading products to solve the most challenging cyber problems facing the world today. Follow IronNet on Twitter and LinkedIn.