Introduction
Welcome back to our quarterly wrap up blog series! It’s been a while since I summarized our most popular blogs, but I’m committed to highlighting educational resources and in-depth research on a regular basis. Alongside our timely research, we also published survey data on the talk of the town, SolarWinds. Furthermore, we partnered with Cybersecurity Insiders to conduct the annual Threat Hunting Report, and the talented Joe Slowik wrote a paper on how to Formulate a Robust Pivoting Methodology.
If you are in search of timely and relevant threat intelligence news, I might recommend that you follow our new Twitter handle, @SecuritySnacks, which is managed by the DomainTools Security Research Team, as well as our weekly podcast, Breaking Badness. Tim Helming produced a star-studded episode summarizing A Year in COVID Cybercrime, I’d highly recommend tuning in. Finally, we kicked off our new training series, Indicators Over Cocktails. In this monthly series, tune in for an informal demonstration of DomainTools products with this month’s featured beverage with the ever so captivating, Tim Helming. With that, I hope you enjoy a wrap up of our top blogs in Q1 2021.
Catch Up On Your Industry Reading
Examining Exchange Exploitation and its Lessons for Defenders
On 02 March 2021, Microsoft released out-of-band updates for Microsoft Exchange to cover four actively-exploited vulnerabilities. Used together, these vulnerabilities allow for remote access to an exposed Microsoft Exchange instance, follow-on code execution at privileged levels, and the ability to establish persistence on the victim system. DEVCORE research started in October 2020, with acknowledgement from Microsoft that the SSRF vulnerability ProxyLogon existed on 06 January 2021.
Continuous Eruption: Further Analysis of the SolarWinds Supply Chain Incident
Multiple entities disclosed a supply chain attack via SolarWinds Orion network monitoring software on 13 December 2020. DomainTools provided initial analysis of network infrastructure and implications on 14 December. Since then, multiple entities have released reports including additional malware analysis, Command and Control (C2) identification, and details on the possible scope of the incident.
CovidLock Update: Deeper Analysis of Coronavirus Android Ransomware
The DomainTools Security Research Team, in the course of monitoring newly registered Coronavirus and COVID labeled domain names, discovered a website luring users into downloading an Android application under the guise of a COVID-19 heat map. Analysis on the application showed that the APK contained ransomware. SSL certificates of the malicious domain (coronavirusapp[.]site) link the site to another domain (dating4sex[.]us) which is also serving the malicious application. The linked site has registration information pointing to an individual in Morocco.
Unraveling Network Infrastructure Linked to the SolarWinds Hack
On 13 December 2020, multiple media reports emerged first identifying network intrusions at several US government agencies. Subsequent reporting indicated these intrusions, along with a previously-identified breach at information security giant FireEye, were linked to a compromise at IT management and remote monitoring software provider SolarWinds.
Change in Perspective on the Utility of SUNBURST-related Network Indicators
In mid-December 2020, FireEye and then Microsoft disclosed impacts of the SolarWinds event. Soon after, additional entities from Volexity to Symantec to CrowdStrike (among others) have released further details on a campaign variously referred to as “the SolarWinds event,” “SUNBURST,” or “Solorigate.” DomainTools provided an independent analysis of network infrastructure, defensive recommendations, and possible attribution items in this time period as well.
The Devil’s in the Details: SUNBURST Attribution
Since initial disclosure in December 2020, the supply chain incident involving SolarWinds was linked in media reports to Russian intelligence entities, specifically Russia’s Foreign Intelligence Service (SVR). As previously reported by DomainTools, although it appears multiple government sources link the event to SVR, this has resulted in a type of “transitive” attribution to link the activity to APT29, also known as Cozy Bear or YTTRIUM, the only commercially-identified threat actor names linked to Russia’s SVR.
Evolving COVID-19 Challenges: Illegitimate Vaccination Cards
DomainTools Research has kept an eye on all new COVID-themed domain registrations producing both our COVID-19 Threat List as well as uncovering CovidLock, a COVID-themed Android ransomware APK that preyed on user’s fear of the virus. During the course of this research, the DomainTools Research team opened the floodgates on COVID-related domains in order to continuously monitor and analyze what domains are spun up on a daily basis. Each day, some 300,000 domains are registered and a small subset of those are pandemic-related.
What’s To Come
We will continue to work hard for all of you throughout the course of the quarter. Additionally, we will be sure to keep you apprised of recent security research, product enhancements, technical topics, industry news, and much more. If there are any topics you would be interested in reading about on our blog or covering in our weekly podcast, Breaking Badness, please feel free to tweet us at @DomainTools.
