IronNet threat intelligence

Updates and analysis on significant cybersecurity events from IronNet’s threat intelligence and research teams. This page is refreshed often; watch our Twitter feed @IronNet for alerts.

IronNet threat research

Microsoft Exchange server exploitation

Cyber Lookback webinars on YouTube

Join IronNet threat hunters to discuss and debate cyber news items closer to go-live time.

Significant IronDome community findings

IronDefense, deployed across IronDome customer communities, identified a number of network behavioral anomalies that were rated as Suspicious or Malicious by IronNet and/or community SOC analysts.
Below is the list from April 2021, giving each domain/IP, its rating, and the analyst insight.

googlemanagerapi[.]com (MALICIOUS)
This domain is involved with MageCart theft of payment card information. If seen in your network, verify any traffic to checkout pages for possible compromised payment information. Other IoCs related to MageCart are tag-manager[.]net and tags-manager[.]com.

utmostsecond[.]com (SUSPICIOUS)
This is a TerraClicks domain associated with adware that could lead to unwanted connections, downloads, and pop-ups. We recommend blocking the domain.

agagaure[.]com (SUSPICIOUS)
This domain hosts a script used on hacked WordPress sites to load ads.

applewatchstoreusa[.]com (SUSPICIOUS)
This is a fake online store claiming to sell Apple Watches. Interacting with the site could lead to compromised payment credentials.

customer-help[.]us (SUSPICIOUS)
This is a fake tech support website masquerading as McAfee, Epson, Webroot, and HP support, among others. If this domain is seen in your network, ensure users did not enter data into any of its subdomains.

hotmail-account[.]email (SUSPICIOUS)
This domain appears to be a how-to guide for logging into a Hotmail account. However, the site prompts the user to download a browser plug-in that is likely Suspicious or Malicious.

googie-anaiytlcs[.]com (SUSPICIOUS)
The user arrived at this domain via a POST from a compromised podcast website. The redirect may have ties to the MageCart credit card stealing campaign.

security-hsb-cancelpayees[.]com (SUSPICIOUS)
This is a phishing page targeting HSBC Bank: a near-perfect clone of the bank’s U.K. page built to harvest customer credentials. If seen in your network, verify all GET and POST requests and ensure no information was submitted. The site has since been taken down.

mindactual[.]com (SUSPICIOUS)
This domain appears to be related to TerraClicks because streaming content was found in the traffic. If seen in your network, block the domain.

betterprovokesap[.]com (SUSPICIOUS)
This domain may be related to TerraClicks. If seen in your network, block the domain.
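As an added example (not IronNet's code or part of the original page), the following Python scanner turns the IoC list above into a detection check: it refangs the published domains, matches them and their subdomains against the request hosts in a few constructed proxy log lines, and tags each hit with its rating and the analyst-recommended action. The log layout and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# IoCs from the April 2021 IronDome findings above (defanged as published), with rating and recommended action.
IOCS = {
    "googlemanagerapi[.]com": ("MALICIOUS", "MageCart; review traffic to checkout pages"),
    "utmostsecond[.]com": ("SUSPICIOUS", "TerraClicks adware; block"),
    "agagaure[.]com": ("SUSPICIOUS", "ad-loader script on hacked WordPress sites"),
    "applewatchstoreusa[.]com": ("SUSPICIOUS", "fake Apple Watch store"),
    "customer-help[.]us": ("SUSPICIOUS", "fake tech support; check no data entered on subdomains"),
    "hotmail-account[.]email": ("SUSPICIOUS", "pushes a browser plug-in download"),
    "googie-anaiytlcs[.]com": ("SUSPICIOUS", "possible MageCart redirect; review POSTs"),
    "security-hsb-cancelpayees[.]com": ("SUSPICIOUS", "HSBC phishing; verify no data submitted"),
    "mindactual[.]com": ("SUSPICIOUS", "possible TerraClicks; block"),
    "betterprovokesap[.]com": ("SUSPICIOUS", "possible TerraClicks; block"),
}
# Assumed proxy log layout (constructed for this example): "<timestamp> <client_ip> <METHOD> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>GET|POST)\s+(?P<url>\S+)")

def refang(domain):
    # Turn the published "example[.]com" form back into a matchable hostname.
    return domain.replace("[.]", ".").lower()

def host_matches(host, ioc):
    # Match the IoC domain itself or any subdomain of it, never a longer look-alike name.
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)

def scan(log_lines):
    # Return one hit per log line whose URL host is (a subdomain of) a listed IoC.
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed layout; skip rather than guess
        host = urlsplit(m["url"]).hostname or ""
        for defanged, (rating, action) in IOCS.items():
            if host_matches(host, refang(defanged)):
                hits.append({"src": m["src"], "method": m["method"], "host": host,
                             "ioc": defanged, "rating": rating, "action": action})
    return hits

# Constructed sample lines: two true matches (one via a subdomain) and two near-misses.
SAMPLE_LOG = [
    "2021-04-12T09:14:03Z 10.1.2.3 POST https://googlemanagerapi.com/api/v1/collect",
    "2021-04-12T09:15:10Z 10.1.2.7 GET https://support.customer-help.us/login",
    "2021-04-12T09:16:21Z 10.1.2.9 GET https://notgooglemanagerapi.com/index.html",
    "2021-04-12T09:17:45Z 10.1.2.4 GET https://www.example.com/checkout",
]
```

Running `scan(SAMPLE_LOG)` yields two hits: the MALICIOUS MageCart POST and the GET to a customer-help[.]us subdomain; the look-alike and the benign request are ignored.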

Nation-state cyber threat reports

Russia

Updates as of April 2021:

SolarWinds/SUNBURST

  • NOBELIUM (the threat actor behind the SolarWinds/SUNBURST backdoor, the TEARDROP malware, and related tooling): see original report
  • Three new pieces of malware are being used in late-stage activity related to SolarWinds/SUNBURST
  • Activity was seen as early as June 2020
  • These tools, tailor-made for specific networks, are introduced after the actor has gained access
  • The actor has been observed using stolen credentials to access cloud services such as email and storage, as well as VPNs and remote access tools
China

Updates as of April 2021:

Microsoft Exchange server attack

  • On-premises Microsoft Exchange has been identified as being actively exploited in a series of attacks using a collection of zero-day vulnerabilities
  • The supposed motive of this APT group attack aligns with the typical strategy of Chinese cyber attacks: intellectual property
  • The four vulnerabilities affect unpatched on-premises Microsoft Exchange servers from version 2013 to 2019, excluding only Exchange Online (Office 365)

Linux Attacks / RedXOR

  • A new sophisticated backdoor targeting Linux endpoints and servers was discovered by Intezer in early March
  • TTPs indicate it is the work of high-profile Chinese threat actors

APT10 - A41APT Campaign

  • The A41APT campaign, attributed to APT10, is noted to be a sophisticated campaign that deploys malicious backdoors
  • It exfiltrates information from a number of Japan-linked companies in different industry sectors across the world
Iran

Updates as of April 2021:

Natanz Nuclear Facilities

  • On April 11, 2021, it was reported that Iran’s Natanz nuclear facilities experienced a blackout after a large explosion destroyed the independently protected internal electric grid that supplies its underground uranium enrichment centrifuges
  • Evidence is still surfacing regarding the attack and its implications, but Iranian officials have publicly announced the blackout as an act of sabotage carried out by Israel
  • IronNet researchers are actively tracking this event and will provide updates as more information becomes available

Earth Vetala campaign

  • In early March, Trend Micro detected activity targeting numerous organizations in the Middle East and neighboring regions
  • The cyber-espionage campaign is ongoing and attributed to the Iranian APT MuddyWater
  • Threat actors leverage spearphishing emails and lure documents containing embedded links to a legitimate file-sharing service (Onehub)
North Korea

Updates as of April 2021:

The Lazarus Group (APT)

  • Linked to a new cyberespionage campaign seeking to steal sensitive data from companies in the defense industry by leveraging ThreatNeedle malware
  • Uses spear-phishing emails with COVID-19 themes and publicly available personal information

Hacker news

  • Indictments of North Korean hackers
  • Charges include hacking of banks and crypto exchanges as well as the deployment of WannaCry

Monthly Threat Intelligence Brief

In addition to correlated alerts, significant IronDome community findings revealed 164 Indicators of Compromise (IoCs) that may pose risk to IronDome participant environments. For example, we analyzed the malicious googlemanagerapi[.]com. This domain is involved with MageCart theft of payment card information. If seen in your network, verify any traffic to checkout pages for possible compromised payment information. Other IoCs related to MageCart are tag-manager[.]net and tags-manager[.]com.
