The ongoing fallout of the SolarWinds/SUNBURST attack continues to take center stage in cybersecurity news. Although there were some recent concerns about another wave of SolarWinds-related threats, this is not entirely accurate. While Russia may be at it again on a broad scale, their latest threat appears to use a different delivery mechanism from what was used in the SolarWinds attack. Moreover, this attack was likely the work of the Russian intrusion set known as Sandworm. (Researchers suspect the Turla group was behind the SolarWinds compromise.)
In this case, Sandworm targeted a software suite from the French company Centreon that is commonly used in Europe. The victims are mostly IT firms and web hosting companies running CentOS, according to ANSSI. It is important to note that this is an outdated, open-source, legacy tool: the free version of the suite rather than the paid software suite. With known vulnerabilities, it was an attractive backdoor for Sandworm, which deployed the P.A.S. web shell and the Exaramel backdoor. These information-gathering techniques are very different from those used in the SolarWinds attack; however, the scope of both attacks seems to be fairly broad.
At IronNet, we look to behavioral analytics to detect such unknown threats on enterprise networks. First, we do the threat detection groundwork needed to spot abnormal network activity across our customers’ networks. Second, our expert system scores these alerts, prioritizing the most interesting events to help cut down on alert fatigue. Finally, we take a Collective Defense approach to threat sharing in real time.
The March IronNet Threat Intelligence Brief
The ability to analyze and correlate seemingly unrelated instances is critical for identifying sophisticated attackers who leverage varying infrastructures to hide their activity from existing cyber defenses. As reported in the March IronNet Threat Intelligence Brief, our analysts review alerts from millions of data flows that are ingested and processed with big data analytics. We apply ratings to the alerts (benign/suspicious/malicious) and immediately share them with IronDome Collective Defense participants.
Here is a snapshot of what we discovered across the IronDome communities in February, showing 740 correlated alerts across IronDome participant environments:
Analysis of IOCs
In addition to correlated alerts, significant IronDome community findings revealed 177 Indicators of Compromise (IoCs) that may pose a risk to IronDome participant environments. For example, we analyzed 542782[.]com. This is a malicious domain that appears to be part of an eBay live chat scam. If seen in your network, investigate for loss of personally identifiable information (PII) and block the domain. Also of note is macbethbroy[.]ga. This is a generic phishing domain attempting to harvest login credentials. At the time of triage, the site had been taken down.
All the IoCs we analyzed are used to trigger alerts that are mapped to the Cyber Kill Chain to identify the stage and progression of the threat. They can be used to create detection rules for network, endpoint, or other security tools currently deployed to mitigate cyber risk in each IronDome participant’s environment.
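As an added illustration (not IronNet's code or rule format) of turning the two defanged IoCs above into a detection rule, the script below refangs the indicators, matches them against constructed DNS query log lines in a made-up format, and attaches the brief's rating plus a kill-chain stage that is assumed here for illustration:

```python
import re

# The two IoCs the brief walks through, kept in the defanged form the text uses.
# The "malicious" rating follows the brief; the kill-chain stage is an assumption
# made for this example, not a value given on the page.
IOCS = {
    "542782[.]com": {"rating": "malicious", "stage": "Actions on Objectives",
                     "note": "eBay live-chat scam; investigate for PII loss"},
    "macbethbroy[.]ga": {"rating": "malicious", "stage": "Delivery",
                         "note": "credential-phishing page (down at triage)"},
}

# Constructed DNS query log lines in a made-up format used only for this example.
SAMPLE_LOG = """\
2021-02-10T12:01:03Z src=10.0.0.5 query=chat.542782.com
2021-02-10T12:01:09Z src=10.0.0.5 query=www.ebay.com
2021-02-10T12:02:44Z src=10.0.0.17 query=macbethbroy.ga
2021-02-10T12:03:10Z src=10.0.0.8 query=notmacbethbroy.ga
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) query=(?P<qname>\S+)$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (542782[.]com) back into a real hostname."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


def matches(qname: str, ioc_domain: str) -> bool:
    """True if qname is the IoC domain or a subdomain of it; a look-alike such
    as notmacbethbroy.ga must not match, so compare on a label boundary."""
    q = qname.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)


def scan(log_text: str) -> list[dict]:
    """Match each parsed query against the IoC list and return one alert per hit."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        for defanged, meta in IOCS.items():
            if matches(m["qname"], refang(defanged)):
                alerts.append({"ts": m["ts"], "src": m["src"], "qname": m["qname"],
                               "ioc": defanged, **meta})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['ts']} {a['src']} -> {a['qname']} [{a['rating']}/{a['stage']}] {a['note']}")
```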
See the March IronNet Threat Intelligence Brief for the full list of recent IoCs.
The bigger picture of Collective Defense
Every month, IronNet’s expert threat analysts create threat intelligence rules (TIRs) based on significant community findings from IronDome, malware analysis, threat research, or other methods to ensure timely detection of malicious behavior targeting an enterprise or other IronDome community participants.
In February, we created 8,325 threat intel rules, out of 188,825 created to date. Some examples of the month’s research include indicators associated with SystemBC malware, a Remote Access Trojan (RAT) associated with recent Ryuk and Egregor ransomware attacks. Another example is related to the Bazar Trojan, which was spotted sending phishing emails claiming the user had received a bonus.
This combination of behavior-driven and IoC signature-based detection, alert ranking, and sharing ensures IronDome participants have the broadest view of threats facing their enterprise.
The SolarWinds saga continues
The fallout of the SUNBURST attack has revealed new threats and concerns regarding cybersecurity. Threat actors believed to be associated with China may have exploited SolarWinds software in the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture (USDA). In contrast to the original supply chain attack, it is speculated that China may have exploited a separate bug in the Orion software to aid in lateral movement through a compromised network. The details of this additional compromise are sparse at present, but IronNet will continue to track them as they develop. It is currently unknown what was stolen in the breach or how many other agencies or companies were affected.
The National Finance Center processes payroll for several government agencies, including the FBI, State Department, Homeland Security, and Department of Treasury. As such, the agency houses what China would regard as a treasure trove of PII, such as social security numbers and bank account numbers, linked to specific U.S. government employees. Access to this information could improve China’s ability to collect intelligence on U.S. national security operations. If this incident is validated, it could provide some clarity around the SUPERNOVA malware web shell, which you can read more about here.
You can see the latest industry news in the March IronNet Threat Intelligence Brief and in IronNet News.