IronNet threat intelligence

Updates and analysis on significant cybersecurity events from IronNet’s threat intelligence and research teams.

IronNet threat research

Nation-state cyber threat reports

Russia

Updates as of February 2021:

Russia begins DDoS attacks against Ukraine

  • ESET first detected the HermeticWiper malware, which is believed to have been pre-positioned for months.
  • Avast Threat Labs reported on Twitter that a new Go-based ransomware is targeting Ukrainian entities.
  • Kharkiv is suffering significant internet disruption (at least a 30% drop in network connectivity).
  • On February 23rd, coinciding with the DDoS attacks, new wiper malware was observed targeting Ukrainian organizations.
China

Updates as of September 2021:

SparklingGoblin

  • SparklingGoblin was first detected in May 2020.
  • The new APT, SparklingGoblin, has recently been linked to a previously undocumented modular backdoor called Sidewalk.
  • Sidewalk was used during a recent SparklingGoblin campaign targeting a computer retail company in the US.

UNC215 cyber espionage campaign in Israel

  • Since January 2019, UNC215 has conducted campaigns against Israeli government entities, IT providers, and telecommunications companies.
  • UNC215 is linked with low confidence to APT27.
  • UNC215 targets organizations that are of interest to Beijing's financial, diplomatic, and strategic objectives, demonstrating China's consistent strategic interest in the Middle East and in Israel’s robust technology sector.
Iran

Updates as of September 2021:

Siamese Kitten

  • The Iranian APT group Siamese Kitten was found responsible for supply-chain attack campaigns that targeted IT and communication companies in Israel in May and July 2021.
  • The attacks impersonated IT companies and their HR personnel to compromise computers and access the companies’ clients.
  • The main goal was to conduct espionage and use the infected network to gain access to their clients’ networks and possibly deploy ransomware or wiper malware.
North Korea

Updates as of September 2021:

APT37/Scarcruft browser exploits

  • Volexity uncovered a strategic web compromise of South Korea’s online newspaper the Daily NK.
  • The malicious code was first detected in April 2021 but was present on the website from at least late March 2021 until early June 2021.
  • The attackers are North Korean APT37, aka Scarcruft.
  • Scarcruft modified legitimate files used as part of the normal function of the Daily NK website to include code redirecting users to load malicious JavaScript from the attacker-owned domain jquery[.]services.

Konni malware

  • In late July 2021, Malwarebytes identified an ongoing spear-phishing campaign pushing Konni RAT to target Russia.
  • Konni was first observed in the wild in 2014 and has been tentatively linked to the North Korean APT group APT37.
  • The main victims of this RAT are mostly political organizations in Russia and South Korea, but it has also been observed targeting Japan, Vietnam, Nepal, and Mongolia.
Year in review

Nation-state actors turned up the heat in 2021

Dive into the 12 most significant cyber events of 2021 inside IronNet’s 2021 Annual Threat Report.

AlienVault Pulses
from IronNet

Get access to the AlienVault OTX pulses from IronNet to apply detection insights into your environment, including threat summaries, software targeted, and related indicators of compromise.

NOTE: You will need to log in on your first visit. Be sure
to sign up on AlienVault to receive IronNet Pulses via email.

Access IronNet’s GitHub

Get access to IronNet's GitHub for recent threat research and reporting from IronNet's Threat Research Teams on recent attacks.


Monthly Threat Intelligence Brief

In addition to correlated alerts, significant IronDome community findings revealed 552 Indicators of Compromise (IoCs) that may pose a risk to IronDome participant environments. For example, we analyzed the malicious domain best-lucky-man[.]xyz, known for hosting process injection malware detected by ESET and VirusTotal.

Significant IronDome community findings

IronDefense, deployed across IronDome customer communities, identified a number of network behavioral anomalies that were rated as Suspicious or Malicious by IronNet and/or community SOC analysts.
Below is a list from February 2022.
Each entry gives the domain or IP, its rating, and the analyst insight.

  • best-lucky-man[.]xyz (MALICIOUS): This domain hosted process injection malware detected by ESET and was flagged as malicious by VirusTotal.
  • itchytidying[.]com (MALICIOUS): After investigating the domain and its related IPs, we determined it was malicious. In addition, multiple vendors have flagged it as malicious and/or suspicious.
  • tsmtracking[.]com (MALICIOUS): This domain is indicative of a successful phishing attempt from a phishing email impersonating a bank. Further triage revealed that personal information left the network.
  • prodidygame[.]com (MALICIOUS): This is a typo-squatting domain impersonating prodigygame[.]com. We recommend blocking the domain.
  • prophetachybrief[.]com (MALICIOUS): This domain has been known to actively host malware/adware without the user’s permission. We recommend cleaning the infected device and blocking the domain.
  • railcowboy[.]com (MALICIOUS): After investigating both the IP (192.243.59.13) and the domain, the IP was determined to be malicious and the domain suspicious. We recommend blocking both the domain and the IP.
  • 81.171.33.201 (MALICIOUS): The IP 81.171.33.201 is owned by Eweka Internet Services B.V. Web traffic to this IP presents a potentially high fraud risk. We recommend blocking this IP.
  • dominantpartition[.]com (MALICIOUS): Multiple vendors on Virustotal.com flagged this domain as malware. We recommend blocking the domain.
  • test1-smalleststores[.]com (MALICIOUS): This domain has been flagged as malware. We recommend blocking the domain.
  • itchytidying[.]com (SUSPICIOUS): This domain is associated with Terraclicks, a browser redirector known to redirect to malicious sites. We recommend blocking all traffic to this domain.

Microsoft Exchange server exploitation

Catch ransomware early with IronNet

Ransomware attack vectors, which network detection and response tools such as IronDefense can identify, typically include:

  • social engineering: spear-phishing
  • “legitimate” user credentials: from services such as remote desktop protocols and remote file sharing
  • exploitation: for example via publicly known, but unpatched, software vulnerabilities
  • command and control: domain generation
  • encryption: files are encrypted after backup files are removed

Discover IronNet for SOC Analysts

  • Do what you do, even better, with behavioral analytics
  • Learn practical ways to rule out false positives
  • Use detection tools that integrate with your existing cybersecurity stack