IronNet threat intelligence

Updates and analysis on significant cybersecurity events from IronNet’s threat intelligence and research teams. This page is refreshed often: Watch our Twitter feed @IronNet for alerts.

IronNet threat research

Microsoft Exchange server exploitation

Cyber Lookback webinars on YouTube

Join IronNet threat hunters to discuss and debate cyber news items closer to go-live time.

Significant IronDome community findings

IronDefense, deployed across IronDome customer communities, identified a number of network behavioral anomalies that were rated as Suspicious or Malicious by IronNet and/or community SOC analysts.
Below is the list from August 2021, giving each domain/IP, its rating, and the analyst insight.

  • sql1q12u73[.]com (MALICIOUS): This domain is part of a redirect chain involving pucopum[.]info and box20files[.]com. When visited, it serves an encrypted ZIP file after providing the unzip password to the user. The binary file contained adware along with a malicious version of msimg32[.]dll.
  • pipelinecrm[.]email (MALICIOUS): This domain hosts a phishing scam targeting pipeline customer relationship management.
  • fnacgbik9v14[.]com (MALICIOUS): This is a known spyware/malware infection source. Clients are redirected to this domain from infected sites.
  • 2ozglttd7ftas1xm[.]com (SUSPICIOUS): This domain navigates to a mobile-optimized site that appears to host adult-themed TikTok videos. Mobile users are redirected to the related domains vqtxxbkqhss7tncw[.]jewelry and rbl4all.caroline26[.]com.
  • ringexpressbeach[.]com (SUSPICIOUS): This is a Terraclicks-related domain hosting ad redirects. We recommend blocking the domain.
  • securesearchnow[.]com (SUSPICIOUS): This IP address is a possible internet scanner that OSINT rates Suspicious.
  • easforcom[.]biz (SUSPICIOUS): This site redirects users to userscloud[.]com, which presents the user with a potentially unwanted program (PUP) download option and browser notifications.
  • amads[.]uno (SUSPICIOUS): This domain invokes a pop-under redirect to grandprize[.]xyz. The suspicious traffic was a result of landing on a compromised site. If seen in your network, ensure any redirects and amads[.]uno are blocked.
  • lowerbeforwarden[.]ml (SUSPICIOUS): This domain is indicative of a hacked WordPress site injected with adware/malvertising. The domain may lead to unwanted redirects. If seen in your network, investigate any redirects.
  • alcoholicsort[.]com (SUSPICIOUS): This domain is associated with adware/Terraclicks. Ensure connections are blocked.

Nation-state cyber threat reports

Russia

Updates as of September 2021:

More than 30 active APT29 C2 servers

  • RiskIQ’s initial investigation began with a tweet mentioning possible IOCs associated with APT29 and WellMess.
  • Nearly three dozen command-and-control (C2) servers were discovered under the control of APT29, actively serving WellMess and WellMail malware.
  • RiskIQ linked SSL certificates and IP addresses to APT29 C2 infrastructure with high confidence.
  • There is no information on how the infrastructure is being used or who the targets are.

China

Updates as of September 2021:

SparklingGoblin

  • SparklingGoblin was first detected in May 2020.
  • The new APT, SparklingGoblin, has recently been linked to a previously undocumented modular backdoor called SideWalk.
  • SideWalk was used during a recent SparklingGoblin campaign targeting a computer retail company in the US.

UNC215 cyber espionage campaign in Israel

  • Since January 2019, UNC215 has conducted campaigns against Israeli government entities, IT providers, and telecommunications companies.
  • UNC215 is linked with low confidence to APT27.
  • They target organizations that are of interest to Beijing's financial, diplomatic, and strategic objectives, demonstrating China's consistent strategic interest in the Middle East and interest in Israel’s robust technology sector.

Iran

Updates as of September 2021:

Siamese Kitten

  • Iranian APT group Siamesekitten [PDF] was found responsible for supply chain attack campaigns that targeted IT and communication companies in Israel in May and July 2021.
  • The attacks impersonated IT companies and their HR personnel to compromise computers and access the companies’ clients.
  • The main goal was to conduct espionage and use the infected network to gain access to their clients’ networks and possibly deploy ransomware or wiper malware.

North Korea

Updates as of September 2021:

APT37/ScarCruft browser exploits

  • Volexity uncovered a strategic web compromise of South Korea’s online newspaper the Daily NK.
  • The malicious code was first detected in April 2021, but was present on the website from at least late March 2021 until early June 2021.
  • The attackers are North Korean APT37, aka ScarCruft.
  • ScarCruft modified legitimate files used as part of the normal function of the Daily NK website to include code redirecting users to load malicious JavaScript from the attacker-owned domain jquery[.]services.

Konni malware

  • In late July 2021, Malwarebytes identified an ongoing spear-phishing campaign pushing Konni RAT to target Russia.
  • Konni was first observed in the wild in 2014 and has been potentially linked to the North Korean APT group named APT37.
  • The main victims of this RAT are mostly political organizations in Russia and South Korea, but it has also been observed targeting Japan, Vietnam, Nepal, and Mongolia.

Monthly Threat Intelligence Brief

In addition to correlated alerts, significant IronDome community findings revealed 164 Indicators of Compromise (IoC) that may pose risk to IronDome participant environments. For example, we analyzed the malicious googlemanagerapi[.]com. This domain is involved with MageCart hacking of payment card information. If seen in your network, verify any traffic to checkout pages for possible compromised payment information. Other IoCs related to MageCart are tag-manager[.]net and tags-manager[.]com.
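The community findings table and the MageCart note above both amount to the same defender task: take the published, defanged indicators, refang them, and check proxy or DNS logs for any host that equals or sits under one of those domains. The following is an added example written for this page (it is not IronNet or IronDefense code) showing that check end to end. The proxy log format, the sample log lines, and the "RELATED" label given to the redirect-target and MageCart domains that the page lists without a rating are all this example's own constructions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Rated IoCs from the August 2021 IronDome community findings table, kept
# defanged exactly as published.
COMMUNITY_IOCS: Dict[str, str] = {
    "sql1q12u73[.]com": "MALICIOUS",
    "pipelinecrm[.]email": "MALICIOUS",
    "fnacgbik9v14[.]com": "MALICIOUS",
    "2ozglttd7ftas1xm[.]com": "SUSPICIOUS",
    "ringexpressbeach[.]com": "SUSPICIOUS",
    "securesearchnow[.]com": "SUSPICIOUS",
    "easforcom[.]biz": "SUSPICIOUS",
    "amads[.]uno": "SUSPICIOUS",
    "lowerbeforwarden[.]ml": "SUSPICIOUS",
    "alcoholicsort[.]com": "SUSPICIOUS",
}

# Domains named in the analyst insights (redirect targets) and in the MageCart
# note of the monthly brief. The page gives them no rating, so the label
# "RELATED" used here is this example's own convention (assumption).
RELATED_IOCS: List[str] = [
    "pucopum[.]info", "box20files[.]com", "vqtxxbkqhss7tncw[.]jewelry",
    "rbl4all.caroline26[.]com", "userscloud[.]com", "grandprize[.]xyz",
    "googlemanagerapi[.]com", "tag-manager[.]net", "tags-manager[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into its live form."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def build_watchlist() -> Dict[str, str]:
    """Map every refanged domain to its rating; rated entries win over RELATED."""
    watch = {refang(d): rating for d, rating in COMMUNITY_IOCS.items()}
    for d in RELATED_IOCS:
        watch.setdefault(refang(d), "RELATED")
    return watch


def matching_domain(host: str, watchlist: Dict[str, str]) -> Optional[str]:
    """Return the watchlist entry that `host` equals or is a subdomain of.

    Matching is done on whole DNS labels, so 'cdn.sql1q12u73.com' matches
    'sql1q12u73.com' but 'notamads.uno' does not match 'amads.uno' (a naive
    substring check would produce that false positive).
    """
    labels = host.strip().lower().rstrip(".").split(".")
    # Stop before the bare TLD so 'com' on its own can never match.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


# Constructed proxy log format for this example (not from the page):
# <timestamp> <client-ip> <method> <host> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines; only three of them touch watchlisted domains.
SAMPLE_PROXY_LOG = """\
2021-08-12T09:14:03Z 10.20.1.15 GET www.example.com /index.html 200
2021-08-12T09:14:07Z 10.20.1.15 GET cdn.sql1q12u73.com /dl/pack.zip 200
2021-08-12T09:15:40Z 10.20.1.22 GET grandprize.xyz /win 302
2021-08-12T09:16:02Z 10.20.1.31 GET shop.example.com /checkout 200
2021-08-12T09:16:03Z 10.20.1.31 GET tags-manager.com /js/tag.js 200
2021-08-12T09:17:11Z 10.20.1.40 GET notamads.uno /ad 200
"""


@dataclass
class Hit:
    ts: str
    client: str
    host: str
    indicator: str
    rating: str


def scan_log(lines: Iterable[str], watchlist: Optional[Dict[str, str]] = None) -> List[Hit]:
    """Return one Hit per log line whose host falls under a watchlisted domain."""
    watchlist = watchlist if watchlist is not None else build_watchlist()
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a production scanner would count these
        indicator = matching_domain(m["host"], watchlist)
        if indicator is not None:
            hits.append(Hit(m["ts"], m["client"], m["host"], indicator, watchlist[indicator]))
    return hits


def clients_by_rating(hits: Iterable[Hit]) -> Dict[str, List[str]]:
    """Group client IPs by IoC rating so MALICIOUS contacts can be triaged first."""
    out: Dict[str, List[str]] = {}
    for h in hits:
        out.setdefault(h.rating, []).append(h.client)
    return out


if __name__ == "__main__":
    found = scan_log(SAMPLE_PROXY_LOG.splitlines())
    for h in found:
        print(f"{h.ts} {h.client} -> {h.host} matched {h.indicator} [{h.rating}]")
    print(clients_by_rating(found))
```

The label-wise match in matching_domain is the part worth keeping: a plain substring test against the watchlist would flag notamads.uno as a hit on amads.uno, while the label walk still catches the cdn.sql1q12u73.com subdomain. For the MageCart case, a hit on tags-manager.com from a client that was on a checkout page moments earlier (client 10.20.1.31 in the sample) is exactly the traffic the brief says to verify.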

Catch ransomware early with IronNet

Ransomware attack vectors, which network detection and response tools such as IronDefense can identify, typically include:

  • social engineering: spear-phishing
  • “legitimate” user credentials: from services such as remote desktop protocols and remote file sharing
  • exploitation: for example via publicly known, but unpatched, software vulnerabilities
  • command and control: domain generation
  • encryption: files are encrypted after backup files are removed

Discover IronNet for SOC Analysts

  • Do what you do, even better, with behavioral analytics
  • Learn practical ways to rule out false positives
  • Use detection tools that integrate with your existing cybersecurity stack