- Announcing the Team Cymru Scout Integration With Palo Alto Cortex XSOAR
Enhance threat investigations by combining the world's largest threat intelligence data lake with powerful automation and workflow capabilities.

In the SOC, having access to timely and accurate threat intelligence is essential for conducting investigations and effective incident response. In addition, the need for automation and orchestration is greater than ever given limited resources and the increasing number of sophisticated attacks, malware and alerts. We're excited to announce an integration between Team Cymru's Scout, which provides comprehensive insights on IP addresses and domains, and Cortex XSOAR. This integration is available as a Content Pack and has already been certified by Palo Alto Networks.

What is Team Cymru's Scout?

Team Cymru's Scout is a powerful, web- and API-based threat intelligence and investigation tool designed for security analysts of varying experience levels. Scout has a simple GUI, graphical displays, tagged results, and easy-to-use searches. Scout helps quickly determine whether suspicious IPs are malicious or compromised, and has the underlying data (NetFlow communications, Whois data, passive DNS records, X.509 certificates, and fingerprinting details) to power a complete investigation. Integrating Scout into Cortex XSOAR gives you immediate access to critical information that helps your team quickly triage and address potential threats. This integration streamlines your investigative process and can also reduce alert fatigue for Security Operations Center (SOC) teams.

Key Benefits: Team Cymru Scout Integration with Cortex XSOAR

1. Access to IP communications, NetFlow and domain intelligence to empower the Cortex War Room: Centralize all critical security data in the Cortex War Room, and enhance it with external NetFlow, IP intelligence and domain intelligence.
The data provided by Scout helps you understand adversary communication patterns, domain and IP intelligence, and other critical information about potential threats needed to conduct an investigation and to drive an automated response through the appropriate playbooks.

Above: IP information is automatically extracted from Scout into the XSOAR War Room for deep IP and domain analysis, accelerating the information gathering needed for an investigation or to drive an automated response.

2. Real-Time External Threat Intelligence: Get immediate access to vital information, allowing security teams to make informed decisions more quickly. Leverage communication data to identify correlations between IP addresses, uncover compromised hosts, and discover other indicators of an attack. NetFlow and Whois Information: Access a quick summary of NetFlow communications, Whois data, passive DNS (PDNS) records, X.509 certificates, and fingerprinting details, all in one place. IPv4 and IPv6 Support: The integration supports both IPv4 and IPv6 address queries, so you can address potential threats regardless of IP version. Scout automatically enriches XSOAR with NetFlow communications data, fingerprint information, X.509 certificates, PDNS and other critical IP and domain intelligence.

3. Add Critical Data to Your Evidence Board: Streamline work by collecting and reviewing everything in one place. Under the Evidence Board tab you will find the indicators and other evidence flagged earlier in the War Room. You can use this evidence to track the details needed for your response and to populate post-mortem reports and stakeholder presentations.

4. Empower Automated Security Workflows: Cortex XSOAR provides thousands of automation scripts out of the box.
Indicators gleaned through the integration with Scout help you make rapid decisions and carry out remedial actions such as blocking the indicator and thwarting lateral movement.

5. Provide Indicators and Data for Closure and Post-Mortem: Now you can open, edit, and close incident tickets from within XSOAR without having to pivot to ServiceNow, Jira, Slack or other tools. Easily leverage the information from Scout to inform and streamline this process.

For more information about specific use cases and the integration, visit the Scout / Cortex XSOAR web page on the Team Cymru website.

How to Get Started:

- Access the Team Cymru Scout platform. If you don't yet have access, please contact our team.
- Use an API key or Basic Auth credentials for authentication.
- Generating API keys: if you prefer to use an API key for authentication, go to the Team Cymru Scout API Keys page, click "Create", provide a description for the key if needed, and click "Create Key" to generate the API key.
- Download the Team Cymru Content Pack for Palo Alto XSOAR from the Palo Alto Cortex Marketplace.

Note: The number of API keys allowed for each organization is equal to the number of user seats. Therefore, an individual user may have multiple keys, but all the users in your organization may have a maximum of 5 keys. The API Keys page shows the total number of keys used by your organization.

Download and use with confidence

This integration has been formally certified by Palo Alto Networks. Team Cymru provides comprehensive documentation and support resources to assist with setup, configuration, and troubleshooting, ensuring a smooth integration process. For technical questions or support contact: support@cymru.com.

Conclusion

The integration of Team Cymru's Scout into Palo Alto Cortex XSOAR is a significant step forward in enhancing your threat investigation and automated response capabilities.
The Scout integration enhances your investigation, analysis, and response capabilities by providing real-time insights and comprehensive data on IPs and domains, PDNS and NetFlow to reveal adversary and threat actor communications. Your team will be better equipped to detect, identify, respond to, and mitigate even the toughest threats. What are you waiting for? Get started here: Download: Scout Content Pack for Cortex XSOAR. Access: Team Cymru Scout here.
- Talent and Technology: Bridging the Gap in Modern Threat Hunting Programs
49% of organizations have experienced a major security breach in the past 12 months, according to our “ Voice of a Threat Hunter 2024 ” report. Of course, any data breach can have a number of impacts, from reputational to financial. However, of those that did have a breach, 72% say their threat hunting program played a key role in preventing or mitigating the breach. Numerous factors can make a threat hunting program effective, but two of those are the tools and technology you employ and having well-trained threat hunters on your team. Here’s what the 293 security practitioners we surveyed say about how having the right tools and the right training for your security team can boost the effectiveness of your threat hunting program. Having the Right Tools and Technology 53% said that their threat hunting program is very effective. What makes their program so effective is having the right tools in place, such as endpoint detection and response (EDR) and security information and event management (SIEM). Additionally, the top enhancement they would make to their program is to add more actionable threat intelligence. What threat hunting tools or products do they say are the most effective? The top tools are network forensic detection, netflow telemetry, raw network telemetry data and/or full packet captures. They also say that commercial threat intelligence feeds and detection and response capabilities (EDR, NDR, XDR, etc.) help them be more successful in their security approach. Next Steps To improve their threat hunting efforts, security teams should look to invest in tools that offer improved visibility into networks and environments, assets, endpoints, and more. Advanced tools can also map your attack surface to pinpoint vulnerabilities and see where you’re most at risk for compromise. 
Invest in tools that provide relevant external threat intelligence specific to your organization, which can make your threat hunting more proactive and boost your ability to uncover malicious actors targeting your organization faster and more effectively. Additionally, look for tools that have the ability to integrate across multiple platforms for faster response. Since speed is a factor in protecting an organization, tools need to work quickly, with easy-to-use dashboards that allow for full visibility into oncoming threats. Training Your Threat Hunters Those who say their threat hunting program is very effective also attribute it to having trained and experienced threat hunting analysts on their team — and their biggest worry about their program is failing to retain qualified personnel. To enhance their threat hunting program, respondents would like to add additional staff with specific threat hunting experience. Next Steps Having security team members who are trained on how to conduct threat hunting can make a security team much more effective. But how can security teams take the time to train when teams are already stretched thin as it is? Having the right tools and technology to assist with threat hunting can expedite the learning process. So can implementing more automation to handle manual, repetitive tasks to free up your security team for more high-impact activities such as threat hunting. How Tools and Trained Threat Hunters Facilitate Threat Reconnaissance By having the right tools and the right people, a security team can improve their threat hunting and make it more proactive. By using those tools and training, they can evolve their threat hunting approach to a threat reconnaissance approach. Threat reconnaissance is having the right intelligence and tools to take action against external threats before they even happen. Too often security teams are scrambling to hunt for an adversary after they've caused a breach or infiltrated a network. 
Today, successful security teams can take a more proactive approach to threat hunting by increasing their awareness of external threats to their organization and to their third-party partners. Contextualized, relevant, real-time threat intelligence forms the foundation for effective threat reconnaissance. This intelligence tells a security team exactly what the imminent threats are to the organization so that they can take action to shore up infrastructure or vulnerabilities to protect against a future attack. Real-time intelligence helps security teams take action before an attack can occur. And more relevant data frees up team members from having to sift through large reports filled with inapplicable information. Real-time intelligence that is specific to your organization means you can make more informed decisions about how to act against those threats as well. Conclusion An effective threat hunting program starts by having the right tools and technology in place, as well as trained threat hunters who can perform threat reconnaissance. By taking action today to shore up your threat hunting capabilities, you can ensure that you're not one of the 49% to experience a data breach in the future. Read the "Voice of a Threat Hunter 2024" report today.
- How Effective Threat Hunting Programs are Shaping Cybersecurity
49% of respondents have experienced a major security breach in the past 12 months, according to our new "Voice of a Threat Hunter 2024" report. However, of those that did experience a breach, 72% say their threat hunting program played a key role in preventing or mitigating the breach. So how can security teams take steps to improve their threat hunting program today? What Creates an Effective Threat Hunting Program For this year's "Voice of a Threat Hunter 2024" report, we surveyed 293 security practitioners about the current state of their threat hunting program. 53% of respondents say that their current threat hunting program is very effective. This is an increase from only 41% believing the same thing last year, meaning that security teams are putting initiatives in place that are increasing their confidence and lowering their risk. What makes their threat hunting program so effective? The factor making the most impact is having the right tools in place such as endpoint detection and response (EDR) and security information and event management (SIEM). This can increase visibility into their systems, networks, and assets to help them more proactively protect against a threat or breach. A second factor making their threat hunting program effective is having trained and experienced threat hunting analysts. Threat hunting is an acquired skill, and having members of the security team who know how to root out threats can boost effectiveness. Another contributor to effectiveness is having baseline data available to threat hunters to identify what host and network "normal" looks like. This way, security analysts can more easily see where compromises have happened, or where vulnerabilities are leaving their systems exposed. Challenges to Overcome Having an effective threat hunting program also means overcoming the challenges that threaten to derail it.
According to our survey, the biggest challenge impacting security teams today is a lack of historical data to threat hunt against. This is why security teams say they need baseline data to know how to identify something that's not normal. Tied for the top challenge is a lack of appropriate funding to support threat hunting initiatives, like purchasing new tools or hiring new staff. Finally, another challenge is a lack of trained threat hunters. Having trained analysts is a major contributor to their effectiveness, so a lack of them would be detrimental to effective threat hunting. Actionable Next Steps While 53% said their threat hunting program is effective, 25% believe it’s somewhat effective, and 23% believe it’s not very effective at all. Based on what makes it effective, here are three steps security teams can take today to improve their threat hunting program. Tools The top factor that makes a threat hunting program effective is having the right tools in place. For better threat hunting, look for tools that facilitate increased visibility into your networks and environments, and that can map your attack surface to help identify vulnerabilities. These are tools like the aforementioned EDRs that can help alert and SIEMs that can track events. Additionally, invest in tools that deliver actionable threat intelligence that’s relevant to your organization. This can not only help your threat hunting become more proactive, but can increase your ability to perform threat reconnaissance, or find threats outside your organization that are targeting you. Training Having security team members who are capable of threat hunting makes security more effective. But making that a reality includes training security team members on threat hunting — which can be a challenge when there’s a talent shortage and teams are stretched thin as it is. Having the right tools and technology to help with threat hunting can shortcut the learning curve. 
By adopting more automation to take care of manual, repetitive tasks, you can free up your security team for more high-impact activities like threat hunting. Baseline data Respondents attribute their successes to having baseline data available to threat hunters to identify what host and network “normal” looks like. By having the right tools in place, security teams can gather more data and the right data needed to understand what their baseline looks like. Create a comprehensive inventory of the assets, systems, and environments that need to be protected, and map your attack surface so you know your perimeter. Create a strategy for log retention so that you can use it for future threat hunting, and document your past processes and procedures as well. Conclusion Increasing your threat hunting capabilities should focus on three key areas: having the right tools, getting the people trained, and having the right data to set a baseline to compare against. By starting here, you’ll soon see your threat hunting turn from reactive to proactive, and will help you mitigate or even prevent the next breach. Read the “ Voice of a Threat Hunter 2024 ” report today.
- The Evolution of Threat Hunting
According to Nearly 300 Security Practitioners One of the best ways to proactively protect your organization is through threat hunting. Then, with the right tools, training, and intelligence, security practitioners can take their threat hunting program one step further to conduct threat reconnaissance, where they track relevant threats to their organization and take action before a breach or attack can happen. But are security teams today equipped with the right tools, people, and processes to make their threat hunting program effective? To learn more, we surveyed 293 security practitioners for this year's "Voice of a Threat Hunter 2024." They shared the current state of their threat hunting program and what they need to make it more proactive and effective. Here's how this year's responses show changes, improvements, and setbacks from last year's responses. Threat Hunting Program Effectiveness In 2024, 53% believe their current threat hunting program is very effective, an increase from 41% in 2023. They're putting in place tools, people, and processes that are increasing their effectiveness and increasing their confidence as well. What made their threat hunting so effective in 2024 was having the right tools in place such as endpoint detection and response (EDR) and security information and event management (SIEM), which ranked second in 2023. Another contributor is having trained and experienced threat hunting analysts, which ranked first in 2023. The third contributor to effectiveness is having baseline data available to threat hunters to identify what host and network "normal" looks like, which ranked sixth last year. What ranked third last year? Having formalized processes and procedures for conducting threat hunts. Overall, threat hunting is made effective by having the right tools, people, processes, and data in place: a comprehensive approach to threat hunting.
Top Objectives In 2024, proactive detection of previously unknown threats is the top objective for their threat hunting program. This was followed by monitoring third parties for indicators of compromise or risk — likely due to the significant increase in third-party breaches worldwide — and reducing the attack surface by discovering and removing weaknesses. These objectives are more proactive and outward-facing than last year's more internal-focused objectives, which included creating detection rules based on threat hunt outputs, having the ability to identify threats before an attacker causes damage, and reducing attack surface by discovering and removing weaknesses. Top Challenges The biggest challenge slowing the success of a security team's threat hunting program in 2024 is tied for a lack of appropriate funding and a lack of historical data to threat hunt against (historical data being one of the ways a program can be effective). An additional challenge is a lack of trained threat hunters — trained hunters being another way a program can be effective. However, these are entirely different challenges than reported in 2023. Last year, the top challenges were a lack of tools to perform threat hunting with, poorly understood and/or undocumented baseline activity, and no executive-level support of the threat hunt program. Ultimately, challenges from last year and this year can be summed up as a lack of internal support, a lack of tools, a lack of trained hunters, and a lack of data — all things that, when working well, contribute to a program's effectiveness. Top Program Enhancements What enhancement do security practitioners want to add to improve their existing threat hunting program? At the top of the list is actionable threat intelligence, which can help them become more aware of the relevant threats to their organization, and help mitigate some of the challenges listed above. This enhancement rose from seventh place in 2023 to first this year. 
They also wish for additional staff with specific threat hunting experience, something that contributes to effectiveness, which ranked second in 2023. Third, they're looking for network forensic detection, netflow telemetry, and/or full packet captures to give them the information they need to protect their organization, which ranked first in 2023. Budgets One of the biggest challenges listed above was a lack of appropriate funding for their threat hunting programs. In 2024, 44% expect their budget to increase over the next year. Last year, only 38% expected it to increase, which is likely why the top challenge this year is a lack of funding. Top Priorities The top priorities for next year continue building on the objectives for this year. For their threat hunting program, security teams want to continue to expand their third-party monitoring for signals of compromise, followed by increasing their host/network visibility. Tied for third are adding more threat hunters or contracts for external support, and increasing storage and retaining logs for use by threat hunters. Last year's top priorities were to add more threat hunters or contract for external support, tied with increasing their host/network visibility. Ultimately, these priorities are ongoing. Biggest Worries As they prepare for the future, the biggest worry on the minds of security practitioners in 2024 is failing to retain qualified personnel, which rose from #7 in 2023, underscoring the importance of having the right members of the security team. They're also worried about being unable to truly measure the success of the threat hunting program, which was the top worry last year. They also worry about failing to keep up with current trends and threat intelligence, which was the third biggest worry in 2023. Conclusion Making a threat hunting program effective relies on a number of contributing factors that include having the right tools, people, processes, and data in place.
It’s certainly an ongoing process, but security teams can take steps in the right direction to move from reactive to proactive. Read the “ Voice of a Threat Hunter 2024 ” report today.
- Insights into a “Cyber Attack” against the Venezuelan National Electoral Council
About Team Cymru Internet weather reports

Our Internet weather reports are intended to provide data and technical analysis of significant events occurring across the Internet. The information aims to equip readers with insights that contribute to their own conclusions and provide additional context.

Introduction

On July 28, 2024, Venezuela held presidential elections to determine who would lead the nation for the next six-year term. The government-controlled Consejo Nacional Electoral (CNE) declared incumbent Nicolás Maduro the winner, a result that remains heavily disputed by opposition candidates and the broader international community. Among the many concerns raised during the election process was a delay in the vote count, with the results being announced later than scheduled. Both the CNE and Maduro attributed this delay to a "cyber attack" allegedly launched from North Macedonia. In this blog post we examine these "cyber attack" claims by analyzing high-level network telemetry data derived from Pure Signal™.

Key Findings

- A noticeable spike in network traffic was observed on 28 July 2024, the day of the Venezuelan presidential election, specifically targeting IP 201.130.83.39, which is linked to the CNE's services.
- The nature of the spike, a sudden increase in connections from a wide range of global IP addresses, suggests a distributed denial of service (DDoS) attack.
- The party responsible for the activity remains unidentified based on the available data, leaving the source and intent of the attack unclear.

Analysis of AS61471

The CNE operates its own autonomous system (AS61471) with a single /23 netblock assigned to it: 201.130.82.0/23. This netblock hosts various domains associated with the CNE, typically subdomains of cne.gob[.]ve. Given the claims of a "cyber attack" against the CNE, AS61471 is a logical focal point for our analysis.
Figure 1 below shows observed UDP traffic for the period 23 July to 2 August 2024.

Figure 1 - UDP Traffic

The traffic pattern shows a distinct spike on 28 July 2024, the day of the election. Traffic levels before and after this spike are generally consistent with expected volumes, based on a broader analysis of AS61471 over a longer period. Upon further investigation, we found that a single IP was the target of the vast majority of this activity, accounting for 98% of the traffic. Specifically, the communications data for IP 201.130.83.39 relates to traffic over UDP (protocol 17). Once again, the distinct spike is evident in Figure 2 below.

Figure 2 - Communications Overview for 201.130.83.39

According to passive DNS (pDNS) data, IP 201.130.83.39 hosts two CNE subdomains: safe.cne.gob[.]ve and sicofpe.cne.gob[.]ve. Both subdomains direct traffic to login portals. Figures 3 and 4 below show screenshots of the login portals for safe.cne.gob[.]ve and sicofpe.cne.gob[.]ve, respectively.

Figure 3 - Login Portal for SAFE

"SAFE" appears to be an acronym for Sistema Automatizado de Fiscalización Electoral, or "automated electoral oversight system".

Figure 4 - Login Portal for SICOFPE

"SICOFPE" appears to be an acronym for Sistema Integral del Control del Financiamiento Político Electoral, or "comprehensive system for the control of political-electoral financing". According to OSINT this is an accounting tool in which all expenses and income received and used by organizations with political purposes are recorded.

Both portals evidently play a role in the operations of the CNE and, by extension, in the political apparatus of the Venezuelan government. However, the data available to us (NetFlow) does not pinpoint which service was the likely target of the suspected attack; it merely shows an increase in traffic to the IP address hosting both portals.
Analysis of 201.130.83.39

Examining specific data for IP 201.130.83.39, we observed that activity prior to the spike on 28 July 2024 consisted primarily of inbound connections from other hosts within Venezuela, typically on port 443. This activity likely represents Venezuelan users accessing the login portals known to be hosted on this IP address.

However, at 11:29 AM local time in Venezuela on 28 July 2024, the activity changed, with UDP connections initiated from numerous remote hosts worldwide. These connections were characterized by remote port 53 and local port 80 on IP 201.130.83.39. Figure 5 below provides a simplified representation of this activity.

Figure 5 - Observed Connections

This activity continued for approximately 34 minutes, until 12:03 PM local time. During this period we also observed occasional TCP activity, with high ephemeral ports on the remote IPs replacing port 53. After 12:03 PM the activity reverted to the previous pattern: inbound connections via port 443 from IPs primarily located in Venezuela. No further spikes in activity were noted.

The ports and protocols observed in this case make it difficult to form a firm hypothesis about the nature of the activity. What we can state with a greater degree of confidence is that there was a significant spike in traffic involving IP 201.130.83.39, a spike that may have affected genuine users trying to access the services hosted on it. Such a spike is indicative of an attempted distributed denial of service (DDoS) attack.

Examining the individual IP addresses involved in the spike (just under 6,000 in total), we found that the majority (86%) were assigned to providers in Czechia and South Africa. In all, we observed 110 distinct country codes.
Conclusion

The analysis of network traffic around the time of the Venezuelan presidential election on 28 July 2024 shows a significant spike in activity directed at IP 201.130.83.39, likely indicative of a distributed denial of service (DDoS) attack. Whether this spike led to services being knocked offline during the election is unclear, and, compared to other DDoS attacks we have observed, the activity was short-lived.

One claim made following the election was that the "cyber attack" originated from North Macedonia. Our findings do not support this assertion for the data analyzed in this post. Based on the data available, it remains uncertain who was responsible for the observed activity.

Ultimately, this incident further underscores the need for robust measures to protect electoral infrastructure from disruption, particularly in environments characterized by high stakes and international scrutiny. Team Cymru's Unwanted Traffic Removal Service (UTRS) is a no-cost, BGP-based service that helps mitigate large, concentrated DDoS attacks.
- How Security Teams are Strengthening Their Threat Hunting
According to “Voice of a Threat Hunter 2024”, security teams need to keep evolving their strategies to protect their organizations against cyber attacks that are only growing in frequency and severity. According to our research, 49% of security practitioners surveyed said their organization experienced a major security breach in the past 12 months. While a shocking number, 72% of those who did experience a breach say their threat hunting program played a key role in mitigating it.

Having a threat hunting program in place is a great start, but to truly protect their organization, security teams need a more proactive approach in the form of threat reconnaissance. But security teams can’t achieve any of these successes without having the right tools, strategies, people, and budgets in place.

For this year's “Voice of a Threat Hunter 2024” report, we surveyed 293 security practitioners about the current state of their threat hunting program and what’s needed to evolve it into a more proactive program. Here are some of the insights they provided.

Improving Threat Hunting and Reconnaissance Processes

When it comes to feeling confident in how well they’re protecting their organization, about half (53%) believe their current threat hunting program is very effective. They attribute their effectiveness primarily to the tools they have in place, like endpoint detection and response (EDR) and security information and event management (SIEM). They also attribute their effectiveness to trained and experienced threat hunting analysts and to having baseline data available to identify what host and network “normal” looks like.

But it's not an easy path to proactive threat reconnaissance. Security practitioners say the biggest challenges to creating an effective threat hunting program are a lack of appropriate funding and a lack of historical data to threat hunt against (the two tied for first). They’re also challenged by a lack of trained threat hunters who know what to look for and how to use the right technology. In other words, proactive threat hunting is hindered by a lack of budget, technology, and talent.

How will they address these challenges? Security practitioners' top priority for their threat hunting program over the next year is expanding third-party monitoring for signals of compromise, especially given the recent rise in third-party and supply chain compromises. Their other priorities align with addressing the challenges they're facing today: increasing their host or network visibility, adding more threat hunters or contractors for external support, and increasing storage and retention of logs for use by threat hunters.

Addressing the Needs of Security Teams

Security teams can't proactively protect their organization unless they have the right tools, resources, and training to do so. One of the biggest challenges to creating an effective threat hunting program is a lack of trained threat hunters, as respondents said above, and their biggest worry about their threat hunting activities is failing to retain qualified personnel.

How can security leaders better ensure their teams are prepared? The biggest enhancement respondents would like to add to their existing threat hunting program is actionable threat intelligence, which will give their teams the knowledge they need to conduct more proactive threat reconnaissance. They would also add staff with specific threat hunting experience, as well as network forensic detection, netflow telemetry, and/or full packet captures: more ways to give their teams the knowledge and resources needed for more proactive protection.

Having the Right Technology for Threat Hunting and Reconnaissance

Security teams also need the right technology to move from reactive threat hunting to proactive threat reconnaissance. Respondents said the top objective for their threat hunting program is the proactive detection of previously unknown threats, which requires the right intelligence and technologies to uncover. Other objectives include monitoring third parties for indicators of compromise or risk and reducing the attack surface by discovering and removing weaknesses, both of which also require advanced detection tools and technology.

Conclusion

Cyber attacks today happen with more frequency and severity. But with the right intelligence, technologies, and training, security teams can evolve their threat hunting program into a more proactive threat reconnaissance program, preventing breaches from happening or mitigating their severity if they do. Read the “Voice of a Threat Hunter 2024” report today.
- Insights into North Korean ‘Internet Outages’
About Team Cymru Internet weather reports: Our Internet weather reports are intended to provide data and technical analysis of significant events occurring across the Internet. The information aims to equip readers with insights that contribute to their own conclusions and provide additional context.

Introduction

The first month of 2022 saw the return of North Korean ballistic missile testing. Reports of several launches coincided with news of internet outages. This sequence of outages should pique interest due to the apparent impact on a variety of internet-facing assets of the Democratic People’s Republic of Korea (DPRK). Whilst we can speculate about the motive, it seems clear that the goal was to disrupt communications and media-related services behind the DPRK’s fiercely private domain.

In this blog we will assess these ‘internet outages’ in further detail, using Team Cymru’s Pure Signal™ Recon platform to examine network telemetry data for the IPv4 netblock publicly assigned to the DPRK: 175.45.176.0/22 (STAR-KP, KP).

Figure 1: Source - Reuters (Article Dated 26 January 2022)

Act 1: ATTACK TARGETING THE KOREAN CENTRAL NEWS AGENCY; 14-15 JANUARY 2022

Between 23:00 (UTC) on 14 January and 02:00 (UTC) on 15 January, a large volume of outbound UDP sessions to remote port 3283 were observed, sourced from 175.45.176.71.

Figure 2: Threat Telemetry Data for 14/15 January 2022

Passive DNS data for 175.45.176.71 shows that this IP address hosts web infrastructure related to the Korean Central News Agency (KCNA), the state news agency of the DPRK. The observed activity is therefore indicative of an amplification/reflection Distributed Denial of Service (DDoS) attack targeting the KCNA. This type of DDoS attack is designed to cause disruption by magnifying traffic to/from the victim, whilst also enabling the attacker to obscure the original source.

It was noted when reviewing the data for this attack that it lasted almost exactly three hours. This may be indicative of a service for hire, i.e., the ultimate perpetrator paid for three hours of access to a DDoS framework.

UDP port 3283 is commonly associated with Apple Remote Desktop. Research undertaken by Netscout identified DDoS attacks which used this vector first occurring ‘in the wild’ in June 2019. At the time Netscout identified approximately 54,000 abusable devices, which were Apple Remote Management Service (ARMS) enabled and had UDP/3283 open to the internet. Data from Shodan shows that although the number of abusable devices has decreased since 2019, around 24,000 such devices remain at risk.

Figure 3: Abusable Devices with UDP/3283 Open (Data - Shodan)

Reviewing WHOIS information for the hosts utilized in the DDoS attack against the KCNA, it is evident that a large proportion of abusable devices are located in the United States.

Figure 4: Heat Map of Hosts Involved in 14 January DDoS Attack

Act 2: DISRUPTION OF INTERNET-FACING WEBSITES; 25-26 JANUARY 2022

Between approximately 19:00 (UTC) on 25 January and 23:00 (UTC) on 26 January, a large volume of inbound TCP connections were observed to port 80 on IPs within the 175.45.176.0/22 netblock. Figure 5 below is based on a sampling of this data, accounting for approximately 5% of the total number of observed records.

Figure 5: Network Telemetry Data for 25/26 January 2022

A review of the target IPs, augmented with Passive DNS data, indicates that an HTTP flood (DDoS) attack took place against various elements of the DPRK’s public web infrastructure. Table 1 below contains the top-10 most frequently targeted IPs. Note, the displayed Passive DNS data is not exhaustive, but serves to highlight the websites targeted.

IP              PDNS             Context
175.45.176.71   kcna.kp          Central News Agency
175.45.176.76   ma.gov.kp        Maritime Administration
175.45.176.81   mfa.gov.kp       Ministry of Foreign Affairs
175.45.176.81   kass.org.kp      Association of Social Scientists
175.45.176.67   kass.org.kp      Government Portal
175.45.176.67   airkoryo.com.kp  State Airline
175.45.176.80   dprkportal.kp    Government Portal
175.45.176.73   dprkportal.kp    Government News
175.45.176.75   vok.rep.kp       Voice of Korea
175.45.176.68   rodong.rep.kp    Rodong Newspaper

Table 1: Targeted DPRK Web Infrastructure

In this case it is apparent that the attacker’s aim was to take down public North Korean websites by overloading the infrastructure used to host them. This may be viewed as a symbolic act; this particular attack gained more widespread attention when users were unable to access these websites.

Act 3: DPRK NAME SERVERS TARGETED VIA COMMON VECTOR; 29 JANUARY 2022

Between 03:27 (UTC) and 04:18 (UTC) on 29 January 2022, a large volume of outbound UDP sessions to remote port 123 were observed, sourced from 175.45.176.15 and 175.45.176.16.

Figure 6: Network Telemetry Data for 29 January 2022

Passive DNS data for 175.45.176.15 and 175.45.176.16 identifies them as name server infrastructure for the 175.45.176.0/22 netblock. The observed activity is therefore indicative of an amplification/reflection Distributed Denial of Service (DDoS) attack targeting North Korean name server infrastructure. UDP/123 is commonly associated with the Network Time Protocol, a service which is frequently utilized (abused) in this type of attack.

Conclusion

This blog has highlighted three significant DDoS attacks against the DPRK internet, providing context to reported outages during January 2022. Each attack was distinct, with a varying scope and attack methodology. As a technical analysis, this blog does not attempt to attribute the attacks to particular actor(s), but is intended to support the understanding of the ‘internet outages’ first referenced at the beginning of this analysis.

Notably, the DDoS attack on 29 January 2022 does not appear to be a remnant of the DDoS attack which took place a few days earlier. These attacks may be indicative of a more concerted effort to disrupt the public North Korean internet at times of critical events; however, copycat behaviour cannot be ruled out.

For comparison purposes, Figure 7 provides a snapshot of all observed inbound and outbound network telemetry data for 175.45.176.0/22, covering the month of December 2021.

Figure 7: Network Telemetry Data (December 2021) for 175.45.176.0/22
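The two telemetry signatures described in Acts 1 to 3 (one inside address sourcing outbound UDP to a reflection port on many remote hosts, and many external sources hitting TCP/80 inside a netblock) can be flagged from flow records alone. The following detector is an added example, not Team Cymru's code or the Pure Signal Recon platform; the flow records are constructed and use documentation-range addresses rather than the addresses from the post.

```python
"""Flag reflection/amplification and HTTP-flood patterns in sampled flow records.

Added example (not Team Cymru code). Flows below are constructed; 192.0.2.0/24
stands in for the target netblock, 203.0.113.0/24 for reflectors and
198.51.100.0/24 for flood sources.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since epoch (constructed)
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    dport: int


# Reflection ports seen in the analysis: Apple Remote Desktop/ARMS and NTP.
REFLECTION_PORTS = {3283: "Apple Remote Desktop/ARMS", 123: "NTP"}


def reflection_candidates(flows, netblock, min_reflectors=20):
    """Outbound UDP from one address inside `netblock` to a reflection port on
    many distinct remote hosts. In a reflection attack the requests carry the
    victim's spoofed source address, so the inside address is the victim.
    Returns {(victim_ip, dport): number_of_distinct_reflectors}."""
    net = ip_network(netblock)
    seen = defaultdict(set)
    for f in flows:
        if f.proto == "udp" and f.dport in REFLECTION_PORTS and ip_address(f.src) in net:
            seen[(f.src, f.dport)].add(f.dst)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_reflectors}


def http_flood_candidates(flows, netblock, min_sources=20):
    """Inbound TCP/80 from many distinct external sources to hosts inside
    `netblock`, consistent with an HTTP flood. Returns {target_ip: source_count}."""
    net = ip_network(netblock)
    sources = defaultdict(set)
    for f in flows:
        if (f.proto == "tcp" and f.dport == 80
                and ip_address(f.dst) in net and ip_address(f.src) not in net):
            sources[f.dst].add(f.src)
    return {k: len(v) for k, v in sources.items() if len(v) >= min_sources}


def duration_hours(flows, src, dport):
    """Elapsed time between the first and last matching flow, in hours. The
    post notes the ARMS attack ran almost exactly three hours, a hint of a
    paid-for time window."""
    ts = [f.ts for f in flows if f.src == src and f.dport == dport]
    return (max(ts) - min(ts)) / 3600 if ts else 0.0


def sample_flows():
    """Constructed telemetry: one ARMS reflection victim, one HTTP-flood
    target, plus a little benign background traffic."""
    flows = []
    base = 1_642_200_000
    victim = "192.0.2.71"
    for i in range(30):   # 30 reflectors, one spoofed request every 6 minutes
        flows.append(Flow(base + i * 360, victim, f"203.0.113.{i + 1}", "udp", 3283))
    target = "192.0.2.80"
    for i in range(25):   # 25 external sources hammering TCP/80
        flows.append(Flow(base + i, f"198.51.100.{i + 1}", target, "tcp", 80))
    # benign: one DNS lookup and one ordinary web visit
    flows.append(Flow(base, "192.0.2.15", "203.0.113.250", "udp", 53))
    flows.append(Flow(base, "198.51.100.200", "192.0.2.71", "tcp", 80))
    return flows


if __name__ == "__main__":
    fl = sample_flows()
    print(reflection_candidates(fl, "192.0.2.0/24"))
    print(http_flood_candidates(fl, "192.0.2.0/24"))
    print(round(duration_hours(fl, "192.0.2.71", 3283), 2), "hours")
```

The thresholds are illustrative; on real telemetry they would be tuned against the December baseline the post shows in Figure 7.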
- Insights into Internet Outages along Africa's Western Coast
About Team Cymru Internet weather reports: Our Internet weather reports are intended to provide data and technical analysis of significant events occurring across the Internet. The information aims to equip readers with insights that contribute to their own conclusions and provide additional context.

Introduction

On 14 March 2024, a series of major Internet outages were reported, affecting thirteen African countries situated along the continent’s western coast. Up until the time of this blog post, there has been no conclusive reason as to why this happened. This piqued our curiosity, prompting us to leverage our tools and data for a multinational and cross-continental analysis based on observed traffic patterns.

The impacted countries are highlighted in the map (of Africa!) above. However, for the cartophobic, the list from north to south, including country codes, is as follows:

- Niger (NE)
- Burkina Faso (BF)
- Nigeria (NG)
- The Gambia (GM)
- Cameroon (CM)
- Guinea (GN)
- Benin (BJ)
- Ghana (GH)
- Togo (TG)
- Côte d'Ivoire (CI)
- Liberia (LR)
- Namibia (NA)
- South Africa (ZA)

Over a week later, in this blog post, we will examine the current status of the situation by analyzing high-level network telemetry data derived from Pure Signal™.

Key Findings

- At the time of writing, Cameroon is still experiencing ongoing Internet outages, over a week after the initial reports.
- Impacted countries faced varying degrees of impact, ranging from minor blips within a 24-hour period to widespread outages lasting several days (or ongoing in the case of Cameroon).

Status Update

Cameroon (CM)

Based on our vantage point, it is apparent that at least one country, Cameroon, is still impacted by the outages. As depicted in the chart above, a decline in client (user) activity was observed on March 14 and has yet to return to the levels observed before the outages were reported. Server records were also affected, albeit on a smaller scale, primarily due to limited inbound connections to services and websites in Cameroon from other countries in general.

For clarity, client flows are those originating from an IP address located in the country of interest (e.g., country code CM in the chart above). Server flows are those where the destination IP address (server/service) was located in the country of interest, for example a user in the United States accessing a website hosted in Cameroon.

Benin (BJ) & Ghana (GH)

Several other countries appear to have been impacted for several days. In the case of both Benin and Ghana, connectivity was dramatically and almost completely restored on 20 March.

Nigeria (NG)

A similar situation is observed in Nigeria, where, as of 20 March, normal service appears to have resumed. However, the 'return' seems to have been gradual over several days. Looking at server flow data for Ghana and Nigeria, it is evident that both countries host comparatively more services that are accessed by foreign users when compared with countries like Benin and Cameroon.

Niger (NE)

Much like the other countries already reviewed, Niger appears to have experienced outages lasting several days. However, since 18 March, there has been a surge in Internet usage to 150-200% of the "usual" levels. This surge potentially indicates a nation catching up on “what was missed” over the preceding days.

Gambia (GM), Liberia (LR), Namibia (NA) & South Africa (ZA)

In some cases, impacts of the outages were limited to a single day, or were not fully discernible in our daily snapshots. Liberia, for example, appears to have been impacted within a 24-hour period before returning to business-as-usual levels. In Namibia, there was a small reduction in traffic, but nothing which would indicate a wide-scale Internet outage.

Burkina Faso (BF), Côte d’Ivoire (CI), Guinea (GN) and Togo (TG)

For the final four countries affected by the Internet outages, we witness a different phenomenon as a result of the intricacies of our vantage points into these particular countries. Instead of a drop in traffic, we see a sharp increase in the case of Burkina Faso, Côte d’Ivoire, Guinea, and Togo. In each case, this increase lasts for 4-5 days. What we are observing here is likely attributable to one of two things (or a combination of both):

- Attempted and ultimately failed connections to external resources were being observed.
- Traffic rerouted via indirect paths across the Internet was being observed.

Digging deeper into the data for these four countries combined, to examine the top TCP ports observed, strengthens this assessment. As can be seen in the image below, the large increase in network traffic is a result of an increase in TCP/443 (generally associated with web browsing) traffic, which is highlighted in green.

Conclusion

In conclusion, the recent Internet outages affecting multiple countries along Africa's western coast have highlighted the vulnerability of digital connectivity in the region. While some nations experienced minor disruptions lasting less than a day, others faced prolonged and ongoing outages, exemplified by the situation in Cameroon.
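The client-flow versus server-flow distinction in the Cameroon section, and the "drop" versus "surge" readings across the other countries, can be reproduced from per-day flow counts against a pre-outage baseline. The following is an added example, not Team Cymru's code or Pure Signal output; the IP-to-country table, the daily counts and the 50% / 150% thresholds are constructed assumptions for illustration.

```python
"""Client/server flow classification per country and outage/surge scoring.

Added example (not Team Cymru code). The geolocation table uses documentation
prefixes standing in for real country allocations; flows are constructed so
that "CM" drops and stays down while "NE" drops and then overshoots.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed geolocation: prefix -> country code.
GEO = {
    ip_network("192.0.2.0/24"): "CM",      # stands in for Cameroon
    ip_network("198.51.100.0/24"): "NE",   # stands in for Niger
    ip_network("203.0.113.0/24"): "US",    # foreign clients and servers
}


def country_of(ip):
    addr = ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return None


def daily_counts(flows, cc):
    """Per-day counts using the post's definitions: a client flow has its
    source IP in the country, a server flow has its destination IP there.
    flows: iterable of (day, src_ip, dst_ip). Returns (client, server)."""
    client = defaultdict(int)
    server = defaultdict(int)
    for day, src, dst in flows:
        if country_of(src) == cc:
            client[day] += 1
        if country_of(dst) == cc:
            server[day] += 1
    return dict(client), dict(server)


def classify_days(counts, baseline_days, drop=0.5, surge=1.5):
    """Compare each non-baseline day to the mean of the baseline days.
    Returns {day: 'outage' | 'surge' | 'normal'}; the 150% surge threshold
    mirrors the 150-200% "catching up" level described for Niger."""
    base = sum(counts.get(d, 0) for d in baseline_days) / len(baseline_days)
    labels = {}
    for day, n in sorted(counts.items()):
        if day in baseline_days:
            continue
        ratio = n / base if base else 0.0
        labels[day] = "outage" if ratio < drop else "surge" if ratio > surge else "normal"
    return labels


def sample_flows():
    """Constructed daily snapshots for days 10-21 of the month."""
    flows = []

    def add(day, src_prefix, dst_prefix, n):
        for i in range(n):
            flows.append((day, f"{src_prefix}.{i % 250 + 1}",
                          f"{dst_prefix}.{(i * 7) % 250 + 1}"))

    for day in range(10, 14):                     # baseline
        add(day, "192.0.2", "203.0.113", 100)      # CM users reaching abroad
        add(day, "203.0.113", "192.0.2", 20)       # foreign users reaching CM services
        add(day, "198.51.100", "203.0.113", 100)   # NE users reaching abroad
    for day in range(14, 18):                     # outage window
        add(day, "192.0.2", "203.0.113", 10)
        add(day, "203.0.113", "192.0.2", 5)
        add(day, "198.51.100", "203.0.113", 10)
    for day in range(18, 22):                     # CM still down, NE overshoots
        add(day, "192.0.2", "203.0.113", 12)
        add(day, "203.0.113", "192.0.2", 6)
        add(day, "198.51.100", "203.0.113", 180)
    return flows


if __name__ == "__main__":
    fl = sample_flows()
    base_days = [10, 11, 12, 13]
    for cc in ("CM", "NE"):
        client, server = daily_counts(fl, cc)
        print(cc, "client:", classify_days(client, base_days))
```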
- What is Threat Intelligence?
This article provides a comprehensive overview of threat intelligence services, highlighting the importance, methodology, benefits, and future of threat intelligence. It aims to inform you about the value of leveraging advanced threat intelligence to enhance your organization’s cybersecurity posture.

Threat intelligence involves collecting, analyzing, and disseminating information about past, current, and future threats to an organization's security. This intelligence can come from various sources, including the dark web, social media, and industry-specific data. The goal is to understand threat actors' tactics, techniques, and procedures (TTPs) to develop effective defense mechanisms.

In response to cyber threats that continually grow in scale and sophistication, threat intelligence has emerged as a crucial component of cybersecurity strategies, providing actionable insights to defend against these ever-growing threats. At the forefront of this field, Team Cymru is a global leader in threat intelligence, and this article explains our area of expertise.

The Importance of Threat Intelligence

Proactive Defense: By understanding the threat landscape, organizations can anticipate and mitigate attacks before they occur. This proactive approach is far more effective than reactive measures.

Informed Decision-making: Threat intelligence provides the data needed for informed decision-making. Security teams can prioritize threats based on their potential impact and likelihood.

Resource Optimization: Organizations can allocate their resources more efficiently with detailed threat intelligence, focusing on the most significant threats.

Compliance and Reporting: Many industries require stringent compliance with cybersecurity regulations. Threat intelligence helps organizations meet these requirements and provide the necessary reporting.

Types of Threat Intelligence

Threat intelligence can be categorized into several types, each serving a unique purpose and providing distinct insights:

Strategic Threat Intelligence
- Overview: Focuses on high-level trends, motivations, and potential impacts of cyber threats.
- Use Case: Helps executives and decision-makers understand the broader threat landscape to align security strategies with business objectives.
- Example: Reports on emerging geopolitical threats and their potential implications for specific industries.

Tactical Threat Intelligence
- Overview: Provides detailed information on the TTPs used by threat actors.
- Use Case: Assists security teams in understanding how attacks are carried out to develop specific defense mechanisms.
- Example: Analysis of a new malware variant, including its behavior and indicators of compromise (IOCs).

Operational Threat Intelligence
- Overview: Offers insights into specific, imminent threats targeting an organization.
- Use Case: Supports incident response teams in identifying and mitigating active threats.
- Example: Real-time alerts about phishing campaigns targeting the organization's employees.

Technical Threat Intelligence
- Overview: Focuses on technical data, such as IP addresses, domain names, and file hashes associated with malicious activity.
- Use Case: Helps IT and security professionals block known threats and enhance network defenses.
- Example: A list of malicious IP addresses linked to a botnet.

Comprehensive Approach to Threat Intelligence

A comprehensive approach to threat intelligence combines advanced technology, skilled analysts, and extensive data sources. This methodology ensures that clients receive the most accurate and actionable intelligence available. Threat intelligence typically has 5 main stages or steps that form a cyclical workflow: Data Collection, Analysis, Production, Dissemination & Feedback, and finally Planning & Direction.

Data Collection

The first stage of cyber threat intelligence (CTI) is data collection. This involves gathering raw data from various sources, both internal and external. Sources can include:

- Internal logs and alerts: Data from firewalls, intrusion detection systems, and antivirus software.
- External feeds: Threat intelligence feeds from third-party providers, open-source intelligence (OSINT), and dark web monitoring.
- Human intelligence: Insights from cybersecurity experts and industry peers.

The goal of this stage is to accumulate a comprehensive dataset that can provide insights into potential threats and vulnerabilities.

Analysis

Once the data is collected, it must be analyzed to extract meaningful information. This stage involves:

- Data processing: Filtering and cleaning the data to remove noise and irrelevant information.
- Correlation and pattern recognition: Identifying relationships and patterns that indicate potential threats or trends.
- Threat assessment: Evaluating the data to determine the nature, intent, and capability of potential threats.

The analysis phase transforms raw data into actionable intelligence, providing a clearer picture of the threat landscape.

Production

The production stage involves creating intelligence reports and other deliverables based on the analyzed data. These reports can vary in detail and complexity depending on the audience and purpose. Key activities include:

- Report generation: Crafting detailed reports that outline findings, implications, and recommended actions.
- Visualization: Creating charts, graphs, and other visual aids to help stakeholders easily understand the intelligence.
- Summary briefs: Producing concise summaries for quick consumption by decision-makers.

Effective production ensures that the intelligence is communicated clearly and tailored to different stakeholders' needs.

Dissemination & Feedback

In this stage, the intelligence is shared with the relevant parties, and feedback is collected to improve future efforts. Dissemination involves:

- Distribution: Sharing intelligence reports and summaries with stakeholders, such as security teams, executives, and external partners.
- Secure channels: Ensuring that the intelligence is distributed through secure and trusted channels to prevent leakage.
- Feedback loop: Gathering feedback from stakeholders to refine and enhance the intelligence process.

Feedback is crucial as it helps to improve the accuracy, relevance, and timeliness of future intelligence efforts.

Planning & Direction

The final stage, planning and direction, involves setting the strategic objectives and priorities for the CTI program. This stage includes:

- Requirements gathering: Understanding the intelligence needs of the organization and its stakeholders.
- Strategy development: Creating a plan that outlines the goals, methodologies, and resources required for the CTI program.
- Continuous improvement: Regularly reviewing and adjusting the strategy based on feedback and changes in the threat landscape.

Key Features of Threat Intelligence Solutions

Comprehensive Coverage of the Threat Landscape

Modern threat intelligence solutions provide a holistic view of potential threats by covering various aspects:

- Malware Analysis: Detailed insights into malware types, behaviors, propagation methods, and mitigation strategies. For example, SOC teams might use tools like VirusTotal for file analysis and ThreatGrid for dynamic malware analysis.
- Phishing Detection: Identification of phishing campaigns through techniques like machine learning to detect phishing sites and emails. Services like PhishTank and Proofpoint provide real-time phishing threat data.
- Vulnerability Management: Continuous monitoring for new vulnerabilities using feeds from sources such as the National Vulnerability Database (NVD) and vendor advisories. Solutions like Qualys and Tenable integrate this intelligence for proactive vulnerability management.
- Advanced Persistent Threats (APTs): Tracking sophisticated, long-term cyber-espionage campaigns with reports from organizations like FireEye and Mandiant, which provide in-depth analysis of APT groups and their tactics, techniques, and procedures (TTPs).

Industry-Specific Intelligence

Different industries face unique threats, and tailored intelligence ensures relevance and effectiveness. A good example of an industry threat is a threat actor group known as Latrodectus. They specifically target the financial sector and have honed their skills and resources to improve their chances of success. To an organization outside of Financial Services, getting updates on this group specifically would be of minimal value. Here are some examples of threats that are industry-specific:

- Finance: Intelligence on threats like banking trojans, payment card fraud, and insider threats, with providers such as FS-ISAC offering sector-specific data.
- Healthcare: Insights into threats targeting patient data and medical devices, with intelligence from sources like the Health-ISAC.
- Critical Infrastructure: Detailed reports on threats to utilities, transportation, and other critical sectors, supported by entities like the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

Integration and Automation

Maximizing the effectiveness of threat intelligence requires seamless integration with existing security infrastructures:

- SIEM Integration: Feeding threat intelligence directly into Security Information and Event Management (SIEM) systems like Splunk and Tines for real-time analysis and correlation.
- Automated Response: Enabling automated responses to specific threats using Security Orchestration, Automation, and Response (SOAR) platforms like Palo Alto Networks’ Cortex XSOAR, which can automate mitigation efforts and reduce the burden on security teams.
- APIs: Providing APIs for easy integration with other security tools and platforms, allowing for custom workflows and enhanced data sharing. Popular solutions include APIs from platforms like Anomali.

The Benefits of Effective Threat Intelligence

Enhanced Security Posture

Leveraging threat intelligence solutions can significantly enhance security posture by:

- Early Threat Detection: Identifying threats before they can cause harm.
- Reduced Incident Response Time: Speeding up the response to incidents and minimizing damage.
- Improved Risk Management: Better understanding and management of cybersecurity risks.

Cost Savings

Investing in threat intelligence can lead to substantial cost savings by:

- Preventing Data Breaches: Avoiding the high costs associated with data breaches, including fines, legal fees, and reputational damage.
- Optimizing Security Spend: Ensuring that security budgets are spent on addressing the most significant threats.
- Reducing Recovery Downtime: Minimizing downtime caused by cyber incidents, which can be particularly costly for businesses.

Competitive Advantage

Organizations that effectively utilize threat intelligence gain a competitive advantage by:

- Building Customer and Supplier Trust: Demonstrating a commitment to security builds trust with customers and partners.
- Staying Ahead: Staying ahead of competitors who may not have the same level of threat awareness and get breached as a result.
- Innovation: Focusing on innovation rather than constantly reacting to threats.

Case Studies and Threat Intelligence Success Stories

To illustrate the effectiveness of threat intelligence solutions, here are some case studies and success stories:

Financial Sector

A leading retail banking organization significantly enhanced its cyber defense capabilities by integrating external threat visibility into its security operations. Key outcomes included:

- Preemptive Threat Mitigation: The bank's threat intelligence team could stop attacks before they happen by gaining visibility into changes in adversary infrastructure.
- Enhanced Supply Chain Security: They identified and mitigated potential compromises in their business partners' systems, often before the partners themselves were aware.
- Real-Time Intelligence Sharing: The ability to share real-time threat intelligence with peers and partners helped improve overall sector security.
- Comprehensive Threat Visibility: The solution provided unprecedented visibility into external malicious communications and infrastructure, enabling more informed and proactive threat hunting.
- Operational Efficiency: The platform supported automated investigations and helped analysts develop and refine investigative playbooks, leading to more efficient threat response and management.

Technology Provider

The Snowflake data breach, which affected major clients like Santander Bank and Ticketmaster, showcases the power of proactive threat intelligence. Snowflake swiftly identified and contained the breach through continuous monitoring and advanced threat intelligence tools. This proactive approach allowed them to enhance security measures, foster collaboration with affected parties, and conduct thorough threat hunting to prevent future incidents. This case underscores how effective threat intelligence not only mitigates breaches but also strengthens overall cybersecurity resilience and cooperation among stakeholders.

Critical Infrastructure

In May 2021, Colonial Pipeline, a key fuel supplier in the U.S., was attacked by the DarkSide ransomware group, leading to a six-day shutdown of its operations to contain the threat. The attack targeted the IT network, causing significant fuel supply disruptions along the East Coast. Using internet traffic telemetry, it was observed that the attackers exfiltrated data to a Virtual Private Server (VPS). The telemetry provided critical visibility, allowing the detection of exfiltration activities and preventing the data from reaching its final destination. This insight helped mitigate the impact by identifying and blocking further malicious traffic.

The Future of Threat Intelligence

As cyber threats continue to evolve, so too will the field of threat intelligence. Staying at the cutting edge of this field means continuously enhancing capabilities and developing new solutions to meet the challenges of tomorrow. Key areas of focus for the future include:

- Artificial Intelligence and Machine Learning: Leveraging AI and ML to improve threat detection and analysis.
- Threat Hunting: Proactively searching for threats within an organization’s network.
- Threat Reconnaissance: Proactively searching for threats beyond the borders of an organization’s network.
- Collaboration and Information Sharing: Enhancing collaboration and information sharing between organizations and industries.
- Privacy and Ethical Considerations: Ensuring that threat intelligence practices respect privacy and adhere to ethical standards.

Conclusion

In the constant battle against cyber threats and digital crime, threat intelligence is an indispensable tool. Organizations that leverage threat intelligence and successfully integrate it into an Exposure Management strategy can enhance their security posture, reduce costs, and gain a competitive advantage. As the cyber threat landscape continues to evolve, a commitment to providing cutting-edge solutions is needed to stay ahead of adversaries and protect what matters most. For more information on how we can help your organization, please contact us.

Request a Consultation or See a Demo

Are you ready to elevate your cybersecurity strategy with advanced threat intelligence? Discover how our comprehensive threat intelligence solutions can empower your organization to stay ahead of cyber adversaries. Our team of experts is here to provide you with the insights and tools you need to protect your most valuable assets.

Experience the full potential of our threat intelligence solutions by scheduling a consultation with our cybersecurity specialists. Discuss your specific security challenges and explore how our threat intelligence tools can be customized to meet your needs. Alternatively, see our solutions in action with a live demo and understand how our advanced technologies can transform your security posture.
- FIN7: The Truth Doesn't Need to be so STARK
First and foremost, our thanks go to the threat research team at Silent Push and the security team at Stark Industries Solutions (referred to as “Stark” from this point forwards) for their enthusiastic cooperation in the ‘behind the scenes’ efforts of this blog post. Introduction In our opening statement, we also introduce the subject of this post: the cross-team and cross-organization collaborative efforts of Silent Push, Stark, and Team Cymru in taking action against a common and well-known adversary, FIN7 . FIN7 is a financially motivated threat group that has been active for more than a decade, targeting a wide variety of sectors during that time. Although disruptive actions have previously been taken against the group, current reports within the CTI community indicate that it remains active today. Recent research by Silent Push has identified upwards of 4,000 domains that they believe are attributable to either FIN7 or other threat actors mimicking the group’s established TTPs (Tactics, Techniques, and Procedures). One notable subsection of their research highlighted the apparent use of infrastructure assigned to Stark for hosting a significant proportion of these domains. This particular finding was picked up by cybersecurity media outlets, notably including KrebsonSecurity , whose post inspired this blog's title. At this juncture, it is important to note that we have been working directly with Stark for several months to assist in their objective of identifying and reducing abuse activity on their networks. To ensure appropriate action can be taken, activity that breaches the terms of service outlined by Stark should be reported via email to abuse@stark-industries[.]solutions. We can confirm that there is a human reviewing this mailbox! If direct contact with Stark is not feasible, Team Cymru is happy to act as an intermediary to ensure the requests reach the right people. 
The following is an expanded analysis of the findings shared by Silent Push, undertaken in tandem with the security team at Stark. Key Findings Identification of two clusters of potential FIN7 activity, derived from collaborative analysis of indicators originally shared by Silent Push. The two clusters indicate communications inbound to FIN7 infrastructure from IP addresses assigned to Post Ltd (Russia) and Smart Ape (Estonia), respectively. Identification of 25 Stark-assigned IP addresses used to host domains associated with FIN7 activities. "Seed" Infrastructure In support of their research, Silent Push provided 70 indicators (67 domains and 3 IP addresses) of FIN7-related activity. Passive DNS data for the domains showed them resolving to 116 distinct IPs in the 30 days prior to the research’s publication. Notably, the majority of the IPs (74%) were assigned to Cloudflare, US, indicating the “true” hosting IPs were likely obscured behind Cloudflare services. From the overall list, we extracted nine Stark-assigned IPs as follows: 103.113.70.142 103.35.189.39 - 2024sharepoint[.]lat, sharepoint2024[.]one 103.35.189.46 - ariba[.]business, ariba[.]one 103.35.189.90 - dr1v3[.]one, dr1v3[.]top, dr1ve[.]xyz 103.35.191.112 - multyimap[.]com 103.35.191.28 103.35.191.87 - netepadtee[.]com 141.98.168.183 - hotnotepad[.]com 86.104.72.16 - thomsonreuter[.]info, thomsonreuter[.]pro, westlaw[.]top Our first step was to share this information with the security team at Stark, who were able to take prompt action to suspend any services that were still active. Some were no longer being operated by the threat actors at the time of publication. The initial feedback we received from Stark indicated that the hosts identified by Silent Push were likely procured by the threat actors from one of Stark’s resellers. "Stark Industries Solutions" acts as a white label brand under which services are sold, including by distinct entities acting as resellers. 
Reseller programs are common in the hosting industry; many of the largest VPS (virtual private server) providers offer such services. Customers procuring infrastructure via resellers generally must follow the terms of service outlined by the "parent" entity.

The nine IPs shared with Stark served as the "seeds" for our investigation to identify and disrupt further FIN7 infrastructure. Using these initial seeds, we expanded our efforts to trace and mitigate additional malicious activities associated with these threat actors.

Infrastructure Discovery

Based on a combination of insights shared by the Stark security team and our own network telemetry data, we were able to identify two clusters of potential upstream activity. This led to the discovery of further FIN7 infrastructure, similar in nature to that shared by Silent Push.

Post Ltd (AS12494)

The first cluster involved four IP addresses assigned to Post Ltd, a broadband provider operating in the Northern Caucasus region in Southern Russia. Over the past 30 days, we observed these IP addresses communicating with at least 15 Stark-assigned hosts, which we associate with the TTPs referenced in the research by Silent Push. These hosts included 86.104.72.16, which was in the original list of indicators from Silent Push.

Figure 1 below shows the Stark-assigned IPs identified within this cluster, including resolving domains which we attribute to the same threat actor.

Figure 1 - Post Ltd Cluster

Communications occurred outbound from the Post Ltd IPs to remote TCP/22 on the Stark-assigned hosts. Reviewing metadata for these communications confirmed them to be established connections. This assessment is based on an evaluation of observed TCP flags and sampled data transfer volumes. Open port information for all 15 Stark-assigned hosts indicated that they had a version of OpenSSH listening on TCP/22 during the time of observed communications.
This activity is therefore indicative of potential management activity of the Stark-assigned hosts, initiated via SSH from user(s) of the Post Ltd IPs.

SmartApe (AS62212)

The second cluster involved three IP addresses assigned to SmartApe, a cloud hosting provider operating from Estonia. Over the past 30 days, we observed these IP addresses communicating with at least 16 Stark-assigned hosts, which we associate with the TTPs referenced in the research by Silent Push. Again, these hosts included 86.104.72.16. In addition, 12 of the hosts identified in the Post Ltd cluster were also observed in the SmartApe cluster.

Figure 2 below shows the Stark-assigned IPs identified within this cluster, including resolving domains that we attribute to the same threat actor.

Figure 2 - SmartApe Cluster

Communications occurred outbound from the SmartApe IPs to remote TCP/443 on the Stark-assigned hosts. Again, metadata for these communications confirmed them to be established connections. Given the nature of the content likely hosted on the Stark-assigned IPs, which in many cases may be some form of spoofed website, it is possible that this cluster is tied to threat researcher activities, accessing potential FIN7 hosts (via TCP/443) to collect information. Alternatively, it is also possible that the SmartApe IPs are used in some capacity for testing purposes, such as verifying if the correct content is delivered when visiting the target site. For the purposes of our investigation, regardless of the case, the SmartApe IPs provided a vantage point from which to identify potential FIN7-linked activity.

Note: In the case of both clusters, the identified hosts were reported to Stark and the customers’ services were suspended.

In addition to the 19 hosts identified in the two clusters described above, insights from Stark’s security team led to the discovery of a further six hosts, which we assess to be connected to the same activity.
Details of all identified hosts are provided in the IOC section at the end of this post.

Conclusion

The purpose of this blog post is not to exhaustively identify FIN7 infrastructure; rather, it represents a snapshot in time of activity hosted on the infrastructure of one hosting provider (Stark). The purpose is twofold:

- To highlight the value of collaboration in expanding our knowledge and understanding of threat activities.
- To demonstrate that efforts can be made to communicate directly with hosting providers who may previously have been considered facilitators of the same threat activities.

Moving forward, we will continue to work closely with Stark to combat FIN7 activities and other threat groups, with a shared goal of reducing abuse of their networks. Similarly, we encourage other threat intelligence organizations to remain proactive in reporting suspicious activities to hosting providers. As a final point, in the spirit of this blog post we also reported our findings to the other hosting providers mentioned in advance of publication.

Recommendations

The usual advice applies in relation to the IOCs shared in this blog post: block, hunt, mitigate, remediate. It goes without saying that malicious activities should be reported to relevant authorities and hosting providers. As a specific reminder, abuse complaints can be sent to abuse@stark-industries[.]solutions for Stark-related matters.
Indicators of Compromise (IoCs)

IP Address       Domain Name               Cluster (if applicable)
103.35.188.245   2bonmai[.]buzz            Post Ltd
103.35.189.143   ttlpcs[.]lat              Both
103.35.189.38    clio[.]lat                None
103.35.189.38    clio2024[.]top            None
103.35.189.40    ariba[.]lat               Both
103.35.190.215   2024-7zip[.]pw            None
103.35.190.215   7zip2024[.]info           None
103.35.190.40    gogogononono[.]top        Both
103.35.190.40    gogogononono[.]xyz        Both
103.35.190.40    lexisnexis[.]lat          Both
103.35.190.51    dhlpost[.]lat             None
103.35.190.51    dhlpost[.]nl              None
103.35.190.51    dhlpost[.]sbs             None
103.35.191.137   lexis2024[.]info          SmartApe
103.35.191.137   lexis2024[.]pro           SmartApe
103.35.191.137   lexisnex[.]pro            SmartApe
103.35.191.137   lexisnex[.]team           SmartApe
103.35.191.137   lexisnex[.]top            SmartApe
103.35.191.137   lexisnexis[.]one          SmartApe
103.35.191.137   lexisnexis[.]pro          SmartApe
103.35.191.137   lexisnexis[.]top          SmartApe
176.120.75.99    antispam-ms[.]pro         Post Ltd
45.150.65.100    blackrock-alladin[.]pro   Both
45.150.65.100    wilandsabim[.]info        Both
45.150.65.46     wuriye[.]com              Post Ltd
45.150.67.143    -                         None
45.89.53.175     2024aimp[.]info           Both
45.89.53.243     gl-meet2024[.]com         None
45.89.53.243     meet-gl[.]com             None
45.89.53.243     meet-goo[.]net            None
45.89.53.243     meet-goo[.]org            None
45.89.53.243     meet[.]com[.]de           None
45.89.53.243     meet2024[.]com            None
5.180.24.27      gogogogogotests[.]xyz     Both
5.252.22.213     edankhk[.]top             SmartApe
5.252.22.213     miles-and-mroe[.]com      SmartApe
5.252.22.213     otpdank24[.]top           SmartApe
5.252.22.213     unicrebitdank[.]top       SmartApe
5.252.22.213     unicredibank[.]top        SmartApe
86.104.72.125    2024clio[.]one            Both
86.104.72.125    2024clio[.]top            Both
86.104.72.125    clio[.]pw                 Both
86.104.72.125    clio2024[.]info           Both
86.104.72.125    clio2024[.]one            Both
86.104.72.125    law360[.]one              Both
86.104.72.15     2024xero[.]com            None
86.104.72.16     thomsonreuter[.]info      Both
86.104.72.16     thomsonreuter[.]pro       Both
86.104.72.16     westlaw[.]top             Both
86.104.72.19     2024-7zip[.]info          Both
86.104.72.19     2024-7zip[.]pw            Both
86.104.72.208    sapconcur[.]one           SmartApe
86.104.72.208    sapconcur[.]team          SmartApe
86.104.72.208    sapconcur[.]top           SmartApe
86.104.72.22     2024mycase[.]com          Both
86.104.72.22     2024mycase[.]win          Both
86.104.72.22     ms-antispam[.]live        Both
86.104.72.22     wilandsabim[.]info        Both
86.104.72.23     2024-aimp[.]info          Both
86.104.72.23     2024-aimp[.]pw            Both
86.104.72.23     2024aimp[.]info           Both
86.104.72.35     2024sage[.]win            Both
91.228.10.81     law2024[.]info            SmartApe
91.228.10.81     law2024[.]top             SmartApe
91.228.10.81     law360[.]one              SmartApe
- Botnet 7777: Are You Betting on a Compromised Router?
Firstly, we extend our thanks to Chris Fearnley and Gi7w0rm, two threat researchers who assisted us behind the scenes with our investigation into the 7777 (“Quad7”) botnet. Their insights were instrumental in confirming the findings mentioned in this blog post.

A “7777 botnet” was first referenced in public reporting in October 2023 by Gi7w0rm. At the time, it was described as a botnet with approximately 10,000 nodes, observed primarily in brute-force attacks against Microsoft Azure instances. These attacks were characterized by their low-volume nature, making them inherently difficult to detect, with only 2-3 login attempts made per week in some cases. While initial reports suggested VIP users were targeted by these attacks, more recent research by Sekoia indicated there was no clear targeting pattern in the attacks they observed.

The botnet takes its name from the fact it uniquely opens TCP port 7777 on compromised “zombie” routers. When scanned, the service on this port returns an xlogin: banner. To date, various low-confidence attributions have linked Quad7 to both cybercrime and state-sponsored activities. However, little conclusive evidence in this area has been made public, leaving the true operators of the botnet shrouded in mystery.

In this blog post, we will examine the Quad7 botnet and the infrastructure used to control it in greater detail.

Key Findings

- Identification of a potential expansion of the Quad7 threat operator’s modus operandi to include a second tranche of bots, characterized by an open port 63256. The port 63256 botnet appears to be comprised mainly of infected ASUS routers.
- Identification of 12,783 active bots (comprising both 7777 and 63256) over the 30-day period ending 05 August 2024, likely to represent a proportion rather than the full extent of the botnet.
- Identification of seven management IPs either currently active or last observed in the past 30 days. Four of the IPs align with recent research by Sekoia, with the remaining three previously unattributed.

Bot Hunting & Characterization

As disclosed by other researchers and alluded to above, Quad7 bots can be identified by querying for IP addresses with an open port 7777 displaying the xlogin: banner. In Figure 1 below, we can see that over the past 30 days (at the time of writing), 7,038 devices were identifiable in this way.

Figure 1 - Quad7 Bots

Note, we have redacted some victim-related information from Figure 1 (and Figure 2 below).

This number (7,038) is lower than the approximately 10,000 nodes quoted in Gi7w0rm’s research from last October. There are two likely reasons for this discrepancy:

1. The initial findings may have been derived from a period longer than 30 days or from scan data collected at closer intervals, capturing routers that were only “online” for relatively short periods.
2. Since the public reporting of Quad7 emerged, users may have taken steps to clean infections or update vulnerable firmware to prevent their routers from being targeted.

Point 1 raises a more general issue about approximating the scale of botnets with scan data. It is important to remember that statistics derived in this way only represent a proportion of all available bots. This is due to various factors, the most significant being that an "offline" device won't be picked up via this discovery method, even though it will likely continue to be a viable bot when it returns "online".

Whatever the case, nearly ten months later it is apparent that Quad7 remains active and retains a “healthy” number of bots, particularly if one of its primary use cases is low-volume brute force attacks.

Digging further into our result set, and based on the comprehensive tagging of IPs that we undertake to contextualize the data observed on our platforms, it was apparent that a significant proportion were likely Hikvision or TP-Link devices.
This finding correlated with previous research on Quad7, such as this blog by VulnCheck, which examined the targeted hardware in more detail. In Figure 2 below, we can see an example of this, with the highlighted host identified specifically as a TP-LINK WR841N router.

Figure 2 - Router Tag Example

Insights such as these, particularly specific router types, allow us to both understand and track how the botnet proliferates. Additionally, they enable Team Cymru and our customers to hunt for potentially vulnerable infrastructure in the hope of pre-emptively disrupting future compromises. We will expand on the subject of hardware identification in the next section.

Eagle-eyed readers will also notice in Figures 1 and 2 that, in some cases, port 11288 was also observed open on hosts enrolled in the Quad7 botnet. This is not a novel finding; previous research into Quad7 identified that a SOCKS5 proxy service was configured to operate on this port in some cases. The research by Sekoia narrowed this activity down to an open-source SOCKS5 proxy server developed by GitHub user bhhbazinga. Of possible note, this user lists their location as Hangzhou, China.

Sekoia found that TCP/11288 was used by the threat operators to proxy communications to third-party servers for the purpose of brute-forcing attacks. Specifically, they observed connections to login.microsoftonline[.]com, indicating that these attacks were targeted at Microsoft 365 accounts. This process is simplified in Figure 3 below.

Figure 3 - SOCKS5 Proxy Use Case

By repeating the technique illustrated in Figure 1, we can sanity-check our findings by hunting for hosts with an open port 11288. Based on data from numerous hosts identified through hunting for an open port 7777, we found that a common banner (\x05\xff) was also displayed in cases where port 11288 was open. Figure 4, below, shows an example of this.
Figure 4 - Open Ports Information

The 63256 Botnet

Our next finding raises identity issues for the “7777 botnet.” We have observed a potential expansion of the threat operator’s activities, adding over 5,000 “zombie” devices in the process. First, let’s play a game of “spot the difference”, comparing Figure 5 below to Figure 4 above.

Figure 5 - The Same Open Ports Information, But Different

The banner information is almost identical, but the observed open ports have switched. When we combined a hunt for these banners on port 7777 (xlogin:) and port 63256 (alogin:), a total of 12,783 hosts were identified. So, in a way, we take back what we said about there being fewer “zombie” devices now compared to October 2023.

When looking at tagging data for the 63256 botnet, we found that a significant proportion of the hosts were likely operating ASUS routers. This marks another change in technique. As previously referenced, Quad7 activity had focused on the compromise of TP-LINK routers. The delineation appears to be as follows:

- 7777 botnet (xlogin): TP-LINK routers and various IP-camera types
- 63256 botnet (alogin): ASUS routers

NetFlow Analysis

Having established a substantial pool of recent analytical leads in the form of hosts likely enrolled in the Quad7 botnet (or botnets), we can now start to examine supporting NetFlow data. In this case, we are seeking to establish common peer IPs and further indications of management activity. In total, seven such IPs were identified with high confidence following our analysis of associated NetFlow data. Figure 6 below presents the observed relationships in the form of a chart.

Figure 6 - Infrastructure Diagram

The seven IPs were assigned to three distinct providers: HOSTWINDS, HVC-AS, and M247. Four of these IPs were referenced in Sekoia’s research, which this analysis now builds upon.
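The bot-hunting fingerprints described above (xlogin: on 7777, alogin: on 63256, and the two-byte \x05\xff reply on 11288), applied to scan data as an added example. This is not code from the original post or from Team Cymru; the scan observations are constructed with RFC 5737 documentation addresses, and the record layout (ip, port, banner bytes) is an assumption about how a scanner would export its results. It also covers the edge cases a plain "port 7777 open" query would get wrong: an unrelated service on the same port, and a proxy banner on a host that shows no login banner at all.

```python
"""Classify scan observations into Quad7 bot families by port plus banner.

Added example; not code from the original post or from Team Cymru. The record
layout (ip, port, banner) is an assumption; the fingerprints are the post's.
"""
from collections import defaultdict

XLOGIN = b"xlogin:"               # banner of the 7777 botnet service
ALOGIN = b"alogin:"               # banner of the 63256 botnet service
SOCKS5_NO_METHOD = b"\x05\xff"    # SOCKS version 5 + 0xFF "no acceptable methods"; seen on 11288

# port -> (banner prefix that must be present, family name)
FAMILY_BY_PORT = {7777: (XLOGIN, "7777"), 63256: (ALOGIN, "63256")}

# Constructed scan observations: (ip, port, banner). RFC 5737 documentation addresses.
SCAN_RESULTS = [
    ("192.0.2.10", 7777, b"xlogin: "),
    ("192.0.2.10", 11288, b"\x05\xff"),
    ("192.0.2.11", 7777, b"xlogin: "),
    ("192.0.2.12", 63256, b"alogin: "),
    ("192.0.2.12", 63260, b""),
    ("192.0.2.13", 7777, b"SSH-2.0-OpenSSH_8.9"),  # 7777 open, but not the Quad7 service
    ("192.0.2.14", 11288, b"\x05\xff"),            # proxy banner, no login banner at all
    ("192.0.2.15", 63256, b"alogin: "),
    ("192.0.2.15", 11288, b"\x05\x00"),            # a SOCKS5 reply, but not the Quad7 one
]


def classify_hosts(scan):
    """Return {ip: {"family": "7777" | "63256" | None, "proxy": bool}} for matching hosts.

    A host is only assigned to a family when the expected banner is seen on the
    expected port; an open port by itself proves nothing.
    """
    banners = defaultdict(dict)
    for ip, port, banner in scan:
        banners[ip][port] = banner
    hosts = {}
    for ip, ports in banners.items():
        family = None
        for port, (prefix, name) in FAMILY_BY_PORT.items():
            if ports.get(port, b"").startswith(prefix):
                family = name
                break
        proxy = ports.get(11288) == SOCKS5_NO_METHOD
        if family or proxy:
            hosts[ip] = {"family": family, "proxy": proxy}
    return hosts


def summarize(scan):
    """Counts analogous to the post's 7,038 / 12,783 figures, plus proxy-only hosts to review by hand."""
    hosts = classify_hosts(scan)
    families = [h["family"] for h in hosts.values()]
    return {
        "7777": families.count("7777"),
        "63256": families.count("63256"),
        "bots_total": sum(1 for f in families if f),
        "proxy_only": sum(1 for h in hosts.values() if h["family"] is None and h["proxy"]),
    }


if __name__ == "__main__":
    for ip, info in sorted(classify_hosts(SCAN_RESULTS).items()):
        print(ip, info)
    print(summarize(SCAN_RESULTS))
```

The proxy-only bucket is deliberately kept separate from the bot counts: a host showing \x05\xff on 11288 without either login banner is a lead to verify, not a confirmed enrolment, and folding it into the total would repeat the over-counting problem discussed under Figure 1.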
IP 151.236.20.185 continues to be the only IP to communicate with the bots on remote port 7777, which we now know is a service used to provide the threat operators with a remote shell on the compromised device. This IP, therefore, remains of heightened interest due to its apparent elevated role. The remaining six IPs communicated with the bots on remote port 11288. These connections are likely indicative of attack activity being proxied towards intended targets, as in the Microsoft 365 case referenced above.

IP 151.236.20.211 also provides a clear link to the 63256 botnet infrastructure, communicating with remote IPs over ports 63256 and 63260. This finding increases our confidence that the two bot infrastructures are linked, while also remaining siloed. To date, we have not observed any activity indicative of the 63256 botnet being utilized in offensive activities.

Conclusion

The Quad7 botnet continues to pose a significant threat, demonstrating both resilience and adaptability, even if its potential is currently unknown or unreached. Despite public reporting and efforts to mitigate its impact, the botnet remains active with a substantial number of compromised devices. Our investigation has not only confirmed the continued presence of the original 7777 botnet but also identified an expansion in the threat actor's operations, with the addition of the 63256 botnet predominantly affecting ASUS routers.

The identification of seven management IPs and their communication patterns provides valuable insights into the botnet's infrastructure and operational methods. The linkage between the 7777 and 63256 botnets, while maintaining what appears to be a distinct operational silo, further underscores the evolving tactics of the threat operators behind Quad7.

Our investigations of this infrastructure continue, and we remain focused on further understanding the targeting choices of the threat operators and any leads which may point towards an attribution.
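The NetFlow step used in both posts on this page, as one added example: the FIN7 analysis kept only connections that TCP flags and transfer volume showed to be established (the Post Ltd sessions to TCP/22), and the Quad7 analysis then looked for peer IPs common to many bots on a given remote port (7777, 11288, 63256). This is not code from the original posts or from Team Cymru. The flow fields, the cumulative flag letters ("S", "A", "P", "F") and the byte threshold are assumptions about an exported flow feed, and all addresses and flows are constructed in RFC 5737 documentation space.

```python
"""Common-peer analysis over NetFlow, keeping only established connections.

Added example; not code from the original posts or from Team Cymru. Field
layout, flag letters and the byte threshold are assumptions about a flow export.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # peer that initiated the connection
    dst: str      # host of interest (a bot, or a seed IP)
    dport: int    # remote port on dst
    flags: str    # cumulative TCP flags for the flow, e.g. "SPA" = SYN, PSH, ACK
    nbytes: int   # bytes carried by the flow


def is_established(flow: Flow, min_bytes: int = 1000) -> bool:
    """SYN and ACK both seen, and enough payload moved.

    A SYN-only flow is a scan or an unanswered connect; a tiny SYN/ACK flow is a
    handshake that was dropped or refused. Neither is evidence of a session.
    """
    flags = set(flow.flags)
    return "S" in flags and "A" in flags and flow.nbytes >= min_bytes


def peers_by_port(flows, hosts_of_interest, min_hosts=2):
    """{dport: {peer: sorted hosts}} for peers with established flows to >= min_hosts hosts."""
    seen = defaultdict(lambda: defaultdict(set))
    for fl in flows:
        if fl.dst in hosts_of_interest and is_established(fl):
            seen[fl.dport][fl.src].add(fl.dst)
    result = {}
    for dport, peers in seen.items():
        kept = {peer: sorted(hosts) for peer, hosts in peers.items() if len(hosts) >= min_hosts}
        if kept:  # drop ports where nobody clears the bar, so the report stays short
            result[dport] = kept
    return result


# Constructed watch list (hosts already identified as bots) and flow records.
BOTS = {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"}
FLOWS = [
    # candidate manager: established sessions to three bots on 7777
    Flow("203.0.113.5", "192.0.2.10", 7777, "SPA", 4200),
    Flow("203.0.113.5", "192.0.2.11", 7777, "SPAF", 3900),
    Flow("203.0.113.5", "192.0.2.12", 7777, "SPA", 5100),
    # internet-wide scanner: SYN only, 60 bytes each, never established
    *[Flow("203.0.113.9", bot, 7777, "S", 60) for bot in sorted(BOTS)],
    # proxy user: established sessions on 11288 to two bots
    Flow("203.0.113.20", "192.0.2.10", 11288, "SPA", 15000),
    Flow("203.0.113.20", "192.0.2.11", 11288, "SPAF", 22000),
    # one established SSH session: real, but below the min_hosts bar
    Flow("203.0.113.21", "192.0.2.13", 22, "SPA", 8000),
    # established, but to a host that is not on the watch list
    Flow("203.0.113.5", "198.51.100.7", 7777, "SPA", 4000),
]


if __name__ == "__main__":
    for dport, peers in sorted(peers_by_port(FLOWS, BOTS).items()):
        for peer, hosts in peers.items():
            print(f"tcp/{dport:<6} {peer:<14} -> {len(hosts)} hosts: {', '.join(hosts)}")
```

The scanner on 203.0.113.9 touches every bot but is discarded by `is_established`, which is the point of checking flags and volume before counting peers; lowering `min_hosts` to 1 surfaces the single SSH session, which is how the FIN7 post's TCP/22 leads would appear before they were confirmed against the hosts' open-port data.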
We will return at an appropriate time to provide further updates on our findings.

Recommendations

- Maintain Up-to-Date Firmware: Users should ensure their devices have the latest firmware updates to prevent their routers from being compromised and enlisted in malicious activities.
- Implement Robust Security Practices: Adopting strong security measures is crucial. This includes using strong, unique passwords, disabling unused services, and regularly monitoring network activity to detect any suspicious behavior.
- Continued Vigilance and Proactive Measures: Security teams must stay vigilant and proactive. By understanding the specific hardware targeted and the communication channels utilized by botnets like Quad7, they can better defend against potential compromises.
- Collaboration and Information Sharing: It is vital for researchers and security professionals to collaborate and share information. This collective effort is essential in the ongoing battle against botnets.
- Utilize Advanced Tracking Tools: Users of Pure Signal Recon and Scout can track Quad7 activity by querying the IPs shared in the IOC section below or by performing advanced queries that combine the open-port characteristics discussed in this blog post.

Indicators of Compromise

The IPs below were all observed in communications with compromised hosts; inbound traffic from these IPs is indicative of enrolment in either the 7777 or the 63256 botnet.

Observed in traffic to remote ports 7777 and 11288:
- 151.236.20.185

Observed in traffic to remote ports 11288, 63256, and 63260:
- 151.236.20.211

Observed in traffic to remote port 11288:
- 104.168.152.139
- 142.11.205.164
- 23.227.196.73
- 23.254.201.175
- 23.254.209.118
- Navigating the Evolving Landscape of Cybersecurity
A Focus on Vulnerability Management

In recent years, the cybersecurity landscape has undergone significant transformations, particularly in the realm of vulnerability management. This shift is driven by the increasing sophistication of cyber threats, the proliferation of digital transformation initiatives, and the growing complexity of IT environments. In this blog, we will explore how vulnerabilities are changing and how organizations are adapting their ability to ingest feeds, services, and platforms to manage the entire vulnerability management lifecycle effectively. A special focus will be on incorporating the Exploitability Prioritization Scoring System (EPSS) and Known Exploitable Vulnerabilities (KEV) into vulnerability management practices.

The Changing Nature of Cyber Vulnerabilities

Cyber vulnerabilities have evolved from simple exploits to more sophisticated and multi-faceted threats. Modern vulnerabilities are often more complex, targeting various layers of an organization's infrastructure, including software, hardware, and human elements. Key trends in the changing nature of vulnerabilities include:

- Increased attack surface: With the rise of cloud computing, IoT devices, and remote work environments, the attack surface has expanded, providing more entry points for cyber attackers.
- Increased number of technologies and vulnerabilities: The introduction of new technologies has expanded potential security flaws, creating complex environments that obscure vulnerabilities. The volume overwhelms security teams, and the use of open-source components adds risks.
- Zero-day vulnerabilities: These are vulnerabilities that are unknown to the vendor and for which no patch is available, making them particularly dangerous as they can be exploited before any mitigation measures are in place.
Limitations of Traditional Vulnerability Assessment

Traditionally, organizations have relied heavily on the Common Vulnerability Scoring System (CVSS) to assess the severity of vulnerabilities. While CVSS provides a valuable baseline for evaluating vulnerabilities, it has inherent limitations:

- Inability to prioritize: Because it lacks context-specific factors such as exploitability, CVSS severity alone gives security teams little basis on which to prioritize. This limitation underscores the need for more nuanced and dynamic approaches that enable analysts to address mission-critical threats first as they appear.
- Insufficient exploitability assessment: CVSS does not adequately assess the exploitability of vulnerabilities. A high CVSS score does not necessarily mean that a vulnerability is easily exploitable in real-world scenarios. Conversely, a vulnerability with a low CVSS score may still be actively exploited if known techniques exist.

Organizations must incorporate new vulnerability scoring mechanisms into their tools and workflows to better recognize critical vulnerabilities that pose immediate risks to their systems and data.

Two New Methods That Transform Vulnerability Management

To address the limitations of traditional vulnerability assessment methods, organizations need more advanced scoring methods such as the Exploitability Prioritization Scoring System (EPSS) and Known Exploitable Vulnerabilities (KEV).

Exploitability Prioritization Scoring System (EPSS):

- What is EPSS? EPSS evaluates the likelihood and ease of exploitation of vulnerabilities based on factors such as the presence of known exploits, attack vectors, and weaponization.
- Benefits of EPSS: By incorporating EPSS into the risk scoring framework, organizations can provide more accurate assessments of vulnerability exploitability.
This ensures that mitigation efforts are prioritized based on the actual likelihood of successful exploitation rather than solely relying on CVSS scores.

Consideration of Known Exploitable Vulnerabilities (KEV):

- What is KEV? KEV are vulnerabilities for which exploit techniques are publicly available and actively used by threat actors.
- Benefits of considering KEV: By including KEV in the risk scoring framework, organizations ensure that they are alerted to vulnerabilities actively exploited in the wild, regardless of their CVSS scores. This proactive approach helps mitigate immediate threats and reduce the risk of successful cyberattacks.

Implementation Considerations for EPSS and KEV

Integrating EPSS and KEV into a vulnerability management framework involves several key steps:

- Data Integration: Organizations must integrate additional sources of vulnerability intelligence, such as exploit databases and threat intelligence feeds, to gather information on known exploit techniques and KEV.
- Scoring Algorithm Development: Engineering teams must develop algorithms to calculate EPSS scores based on exploitability factors and incorporate KEV data into the risk-scoring model.
- User Interface Enhancement: The platform's user interface will require updates to display EPSS scores and highlight KEV vulnerabilities effectively.

Conclusion

Incorporating EPSS and KEV into a vulnerability management framework enhances the accuracy and effectiveness of vulnerability management practices. By providing more nuanced assessments of vulnerability exploitability and considering actively exploited vulnerabilities, organizations can prioritize mitigation efforts more effectively and reduce their exposure to cyber threats. While implementing these enhancements may require an initial investment in development and integration, the long-term benefits in terms of improved security posture and reduced risk far outweigh the associated costs.
This proactive approach is crucial in an era where cyber threats are constantly evolving and becoming more sophisticated. By leveraging advanced scoring systems and keeping abreast of known exploit techniques, organizations can stay one step ahead in the cybersecurity game, safeguarding their critical assets and ensuring operational resilience.
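The risk-scoring model the post's "Scoring Algorithm Development" step calls for, as an added example that is not the post's own code or any vendor's product logic. It assumes EPSS probabilities and KEV membership have already been retrieved for each finding (here constructed inline, with placeholder `CVE-EXAMPLE-*` identifiers rather than real CVE numbers); the 0.1 EPSS cut-off and the four-tier scheme are assumptions chosen for illustration, not a published standard. The CVSS-only ordering is kept alongside so the two rankings can be compared on the same findings, which is the contrast the post draws.

```python
"""Rank findings by KEV membership and EPSS before falling back to CVSS.

Added example; not code from the original post. EPSS and KEV inputs are
constructed inline; the 0.1 threshold and tier scheme are illustrative choices.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    cve: str               # placeholder identifiers below, not real CVE numbers
    cvss: float            # CVSS base score
    epss: Optional[float]  # EPSS probability of exploitation in the next 30 days; None if unscored
    in_kev: bool           # present in the Known Exploited Vulnerabilities catalog
    asset: str


def priority_key(f: Finding, epss_threshold: float = 0.1):
    """Sort key: lower tuple remediates first (tier, then EPSS desc, then CVSS desc)."""
    epss = f.epss if f.epss is not None else 0.0  # unscored: no evidence of exploitation, not "safe"
    if f.in_kev:
        tier = 1   # exploited in the wild: first, whatever the CVSS score says
    elif epss >= epss_threshold:
        tier = 2   # likely to be exploited soon
    elif f.cvss >= 9.0:
        tier = 3   # critical on paper, no exploitation signal yet
    else:
        tier = 4
    return (tier, -epss, -f.cvss)


def rank(findings, epss_threshold: float = 0.1):
    """Findings ordered for remediation under the EPSS + KEV model."""
    return sorted(findings, key=lambda f: priority_key(f, epss_threshold))


def rank_by_cvss_only(findings):
    """The traditional severity-only ordering, kept for comparison."""
    return sorted(findings, key=lambda f: -f.cvss)


# Constructed findings with placeholder CVE identifiers.
FINDINGS = [
    Finding("CVE-EXAMPLE-A", 9.8, 0.02, False, "build-server"),   # critical, rarely exploited
    Finding("CVE-EXAMPLE-B", 6.5, 0.03, True,  "vpn-gateway"),    # medium CVSS, but in KEV
    Finding("CVE-EXAMPLE-C", 7.5, 0.62, False, "web-frontend"),   # high EPSS, not (yet) in KEV
    Finding("CVE-EXAMPLE-D", 5.3, None, False, "wiki"),           # no EPSS score available
    Finding("CVE-EXAMPLE-E", 9.1, 0.45, True,  "mail-relay"),     # critical and in KEV
]


if __name__ == "__main__":
    print("EPSS + KEV order :", [f.cve for f in rank(FINDINGS)])
    print("CVSS-only order  :", [f.cve for f in rank_by_cvss_only(FINDINGS)])
```

On these inputs the KEV-listed 6.5 on the VPN gateway moves from fourth to second, and the 9.8 with a 2% EPSS drops to fourth; a finding with no EPSS score falls to the bottom tier rather than being dropped, so it still appears in the queue for a human to look at.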