One of the most challenging things we do is to set up monitoring of DNS sinkhole activity at customer sites. When a company uses our products, the immediate response is that the information coming out of the sensors is overwhelming, partly because the volume of activity we observe and report is missed by most IDS/IPS systems, and partly because we monitor the DNS stream to find detail missed by other solutions. DNS is a treasure trove of data when it is implemented in the manner that we have, and our sensors can disrupt malware and stop infections in their tracks.
Monitoring Events - How we do what we do
When monitoring for suspicious activity, we spend our time finding insider threat activity, malware infection attempts, phishing and similar threats, all in near real time. Even if a phishing email is clicked, our system disrupts the infection chain and normally prevents any damage from occurring. The difference between our solution and many other SIEM solutions is that even though we block the infections, we still let you see what is occurring. This helps security organizations properly evaluate what is happening and train users in the areas where they are failing.
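The two paragraphs above describe the mechanism in general terms: a resolver answers queries for known-bad names with a local sinkhole address (so the infection chain is cut) while still recording which client asked for which name (so analysts can see what happened). The following is an added illustration of that pattern, not Jigsaw Security's code; the blocklist entries, the sinkhole address, the log format and the log lines are all constructed for the example. Matching is done on the full name and every parent domain, so a subdomain of a listed domain is caught too.

```python
import ipaddress
from collections import defaultdict

# Constructed blocklist: names the sinkhole answers locally instead of forwarding.
# These are placeholder names for the example, not real indicators.
SINKHOLE_DOMAINS = {
    "malware-c2.example",
    "phish-landing.example",
}

# Assumed internal address that sinkholed names resolve to (constructed).
SINKHOLE_IP = "10.255.255.1"


def is_sinkholed(qname):
    """Return the blocklist entry matching qname or one of its parent domains, else None."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    # Check "a.b.c", then "b.c", then "c": a subdomain of a listed name is a hit.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SINKHOLE_DOMAINS:
            return candidate
    return None


def resolve(qname, upstream):
    """Policy decision for one query: sinkhole hits get the local answer,
    everything else goes to the upstream resolver (passed in as a callable)."""
    rule = is_sinkholed(qname)
    if rule:
        return {"qname": qname, "answer": SINKHOLE_IP, "sinkholed": True, "rule": rule}
    return {"qname": qname, "answer": upstream(qname), "sinkholed": False, "rule": None}


def parse_log_line(line):
    """Parse a constructed 'timestamp client qname qtype' query-log line."""
    ts, client, qname, qtype = line.split()
    ipaddress.ip_address(client)  # raises ValueError on a malformed client field
    return ts, client, qname, qtype


def analyse(log_lines):
    """Aggregate sinkhole hits per client so an analyst can see which hosts
    tried to reach blocked names, and which names, even though the lookups
    were answered with the sinkhole address."""
    hits = defaultdict(lambda: {"count": 0, "domains": set()})
    for line in log_lines:
        if not line.strip():
            continue
        _ts, client, qname, _qtype = parse_log_line(line)
        if is_sinkholed(qname):
            hits[client]["count"] += 1
            hits[client]["domains"].add(qname.rstrip(".").lower())
    return dict(hits)


# Constructed sample query log: one benign client, two clients hitting blocked names.
SAMPLE_LOG = """\
2018-03-05T10:00:01Z 192.0.2.10 www.example.com. A
2018-03-05T10:00:02Z 192.0.2.10 cdn.malware-c2.example. A
2018-03-05T10:00:03Z 192.0.2.11 phish-landing.example. A
2018-03-05T10:00:04Z 192.0.2.10 malware-c2.example. A
2018-03-05T10:00:05Z 192.0.2.12 mail.example.org. MX
"""

if __name__ == "__main__":
    # Stand-in upstream resolver for the demo; a real deployment forwards the query.
    fake_upstream = lambda q: "198.51.100.5"
    for line in SAMPLE_LOG.splitlines():
        _ts, client, qname, _qtype = parse_log_line(line)
        print(client, resolve(qname, fake_upstream))
    for client, info in analyse(SAMPLE_LOG.splitlines()).items():
        print(client, info["count"], sorted(info["domains"]))
```

The useful property for a security team is the separation shown here between the answer (always the sinkhole address, so the client never reaches the real host) and the record (which client, which name, how often), which is what lets the infection be blocked and still be visible for investigation and user training.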
So what are we seeing? - Locky, Scanning, Hidden Cobra and LDPinch Malware
Over the last 2 days we have observed the usual scans, mostly RDP and scans for incorrectly configured storage platforms (Elasticsearch and Mongo, to be exact). In addition we are seeing an uptick in Locky activity and targeted phishing attempts. We have seen the usual suspect activity, but mostly phishing, Locky and LDPinch malware infection attempts.
Where are your sensors located?
Jigsaw Security installs sensors in many locations, including:
Cloud Hosting Environments (Rackspace, AWS, Azure, Vultr, Dreamhost and others)
Internet Crossconnect Points
Our own networks
WiMAX networks (Wireless MAN Networks)
Ingress and Egress Points at Select ISPs
Managed Security Provider Sites (For rollup reports)
What sensor software do you run to figure out what is occurring?
Jigsaw Security has combined our threat intelligence data and heuristic detection models with detection engines that capture HTTP headers, detect scans, identify DDoS activity, monitor TOR and VPN usage, and report brute-force and unauthorized access attempts. This data is then ingested into the Jigsaw Analytic Platform deployed at Jigsaw Security for analyst use and review. In addition we ingest sources such as paste sites, Usenet and IRC channels, as well as individual reports from security professionals.
So what else is going on?
To put out good information: we are seeing many attacks originating from steadfast.net IP space, unauthorized router access logs associated with a report we put out this morning on the Hajime botnet that is exploiting MikroTik routers, and the IoT alerts we published in our threat intelligence. We are observing these attempts to find MikroTik devices in all areas of our monitoring, regardless of location.
Why the new activity from Hidden Cobra?
There are very strong indicators in our data, and in reporting from others, that Hidden Cobra APT activity is targeting financial institutions. Some of the recent alerting shows overlap with Bankshot, which has been reported in our threat intelligence for the past few months. Starting 1 March 2018, we began seeing activity associated with malware that had been primarily dormant but was traced to infections that occurred back in November of 2017. These infections continued through the end of 2017, are still ongoing, and take advantage of CVE-2018-4878, which was recently reported. The fact that the exploits were being used for a few months leads Jigsaw to believe that the vulnerability was being used long before it was detected.
Most of the Bankshot samples trace back to Word documents titled Agreement.docx, which is a template for a bitcoin agreement between an unknown individual in Paris and a crypto-currency exchange. While this document may be appealing to read, it carries the payload and silently injects the malware when it is opened. Based on our information we believe that subjects in Iran, Turkey and other areas of the Middle East are being targeted by this campaign. We have not seen any activity in the US, but we have observed activity in all other regions, including Australia, South America and Russian IP space. Sensors continue to see related activity in these locations, but primarily in the Middle East.
It has also been reported that Sharpknot is related to North Korea, but we have not been able to confirm that this destructive malware is in fact tied to this campaign.
Why it's important to generate your own threat intelligence
We often hear from companies asking about the value of threat intelligence. While we can tell you what is being seen across the Internet, the real intelligence value is in what is occurring on your own networks and connections. If you can't tell what's occurring on your own network, you don't have a grasp on the threats your organization is facing. We highly recommend looking for malicious content on your own network. There are many sensor products out there (most of which work with Jigsaw data) that are good at telling you what is occurring on your networks.
The greatest value is in knowing how, and by whom, your company is being targeted. You can't do that by only consuming the threat intelligence products of vendors; you must use vendor threat intelligence and also look for activity on your own networks. Vendor TI products will not find targeted malware; that's where analytic models come into play. By looking for patterns in activity you can uncover who is targeting you, how they are targeting you, and possibly what they are after and why. In short, get a platform installed that can answer these questions and you will have a better grasp on what is being targeted, uncover insider threats, and find malicious activity and content that is relevant to your organization and not the Interwebs in general. Generate your own threat intelligence by deploying the Jigsaw Analytic Platform and Jigsaw Security models. For more information, contact us via our web contact form for a free, no-obligation demo of our platform and products.