March 2022 Threat Intelligence Brief from IronNet


On February 24, 2022, Russian President Vladimir Putin authorized the deployment of troops into Ukrainian-controlled territory. Since the invasion, several cyberattacks, including DDoS attacks, the use of wiper malware, and phishing campaigns, have targeted public and private entities in Ukraine and Russia, and several non-governmental hacking groups have announced their support for either Ukraine or Russia. IronNet is continuously monitoring the conflict between Russia and Ukraine and is posting updates here.

At IronNet, we use behavioral analysis to detect unknown threats on corporate networks before attackers successfully complete their endgame: exploitation or exfiltration. First, we provide the threat detection fundamentals required to detect anomalous network activity on our customers’ networks. Second, our IronDefense NDR expert system scores these alerts and prioritizes the most interesting events to reduce alert fatigue. Finally, we take a Collective Defense approach to crowdsourcing real-time threat sharing.

March IronNet Threat Intelligence Brief

This ability to analyze and correlate seemingly unrelated instances is critical for identifying sophisticated attackers who use disparate infrastructure to hide their activities from existing cyber defenses. As reported in the March Threat Intelligence Brief, our analysts review alerts from millions of data flows ingested and processed with big data analytics. We score the alerts (benign/suspicious/malicious) and share them immediately with IronDome Collective Defense participants.

Here’s a snapshot of what we discovered in the IronDome Communities in February, showing 1,135 correlated alerts in IronDome participants’ environments:


Given IronDome’s unique cross-industry visibility and Collective Defense capabilities, we are able to highlight the most common behaviors each month, which in turn allows us to track trends over time. In February, the most common behavioral analytics were data exfiltration (824), new and suspicious domains (173), and credential phishing (142).

Analysis of IOCs

In addition to correlated alerts, significant findings from the IronDome community identified 431 Indicators of Compromise (IoCs) that may pose a risk to IronDome subscriber environments. For example, we analyzed the malicious domain findquickresultsnow[.]com, a known parked domain associated with malicious files such as trojans.

All IoCs we analyze are used to trigger alerts mapped to a stage of the Cyber Kill Chain, which identifies how far a threat has progressed. They can be used to create detection rules for network, endpoint, or other security tools currently deployed to mitigate cyber risk in each IronDome participant’s environment.

For the full list of recent IoCs, see the March Threat Intelligence Brief.

The bigger picture of collective defense

Each month, IronNet’s experienced threat analysts create Threat Intelligence Rules (TIRs) based on key IronDome community findings, malware analysis, threat research, or other methods to ensure that malicious behavior targeting one organization or other participants in the IronDome community is detected in time.

In February, we created 4,388 threat intelligence rules, bringing the total created so far to 298,297. Some examples of this month’s research relate to indicators for malware delivery domains used by the Gafgyt, DarkStealer, Emotet, Quasar, and DDoSTF malware families.

This combination of behavioral and IoC signature-based detection, alert ranking, and sharing ensures IronDome participants have the most comprehensive view of threats facing their organization.

Russia’s Cyber War

As mentioned, the current war between Russia and Ukraine has led to many cyber attacks, including state-sponsored cyber activity by the Gamaredon threat group targeting Ukrainian organizations. Since October 2021, Microsoft has observed Gamaredon targeting Ukrainian organizations in sectors such as government, military, law enforcement, nonprofits, and NGOs that are critical to emergency response and security in Ukraine, as well as humanitarian and international organizations coordinating aid in Ukraine during the crisis.

Additionally, Palo Alto’s Unit 42 shared insights into two recent Gamaredon (aka ACTINIUM, Primitive Bear, Shuckworm) phishing attempts. Unit 42 observed both new and legacy domains used by the group and mapped three major clusters of currently active infrastructure used by Gamaredon to support its various phishing and malware campaigns. These clusters link to 700+ malicious domains, 215 IP addresses, and 100+ malware samples.

For the latest industry news, check out the full briefing or IronNet’s Threat Intelligence Hub.
