Here Today, Gone Tomorrow. New IOC Trends
Indicators of Compromise (IOCs) have long been used within the cyber community to track threats. These key indicators include items such as IP addresses, domain names, file hashes, and anything else that can be used to map or detect a possible attack. Combined with Indicators of Attack (IOAs), they allow our analysts to fully map out and read the adversary's playbook. Recent attack mappings increasingly show IP addresses with no reputation at all, and the VNSOC360 team at InfusionPoints has noticed this to be a growing trend in cyber activity. The days of relying on IP-based reputation as a surefire IOC are slipping away.
Analysts at InfusionPoints were recently involved in remediating and mapping a phishing attack within a state/local government.
Here are the details:
- The initial email was sent from a legitimate email service using a newly created account.
- The phishing email instructed users to "click the following link" to retain email and password access.
- Upon clicking the link, users were directed to a form hosted on sibforms.com that mimicked an Exchange OWA login page.
- The user entered credentials into the form, and game over.
- The attacker then logged in successfully to the company's Exchange Outlook Web Access (OWA) servers.
- MITRE ATT&CK: T1566 (Phishing) and T1078 (Valid Accounts)
Notice that none of the above actions set off any alarms: a legitimate email domain was used to send the message, a well-known and reputable web-form domain was used to capture the credentials, and the login to the organization's OWA site succeeded because it used valid credentials.
- The initial successful login was from 103.101.118.71.
  - Location: Greater Noida, India
  - AbuseIPDB: 103.101.118.71 was not found in our database.
- Immediately after the initial login, the attacker pivoted to 52.188.145.215.
  - Owner: Microsoft Corp.
  - Location: United States of America
  - AbuseIPDB: 52.188.145.215 was not found in our database.
- From the second address, the attacker began reconnaissance of mailboxes and created Exchange inbox rules.
The attack ended quickly once these logins and behaviors were recognized by the customer and then mapped and verified by VNSOC360 analysts at InfusionPoints.
Interestingly, neither IP address used in this attack was known or had any reputation in community threat-intelligence databases; the VNSOC360 team verified this against several sources. Although the initial access came from outside the United States, the attacker quickly moved to a server inside the U.S. so that the malicious traffic would blend in with legitimate activity.
In the above attack, note who owns the IP address used for the ongoing access: Microsoft Corp. With the growth of cloud computing, InfusionPoints analysts are seeing these services leveraged in attacks because deployment is easy and a fresh IP address is a click away. This "turn and burn" approach is being used in some of the largest attacks today. When the Microsoft-owned address used in this attack was blocked, a new address immediately attempted to log in with the captured user credentials.
InfusionPoints Analysts are Constantly Learning and Adapting to Protect What Matters Most
Relying only on IOCs from community-based sources is quickly becoming inadequate. At InfusionPoints, our analysts rely not only on known IOCs and IOAs but also on behavioral analysis, and they are constantly reviewing and threat-hunting logs for abnormal behavior within customer environments.
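As an added example (not code from the original post or from InfusionPoints), the following Python script shows the kind of behavioral check that catches the login sequence described above without consulting any IP reputation feed: a login from an address the user has never used, a pivot to a second never-seen address within minutes, and an inbox rule created shortly after. The event records, their field names (ts, user, ip, event) and the RFC 5737 documentation addresses are all constructed for this example; in practice the records would be normalised from OWA sign-in and Exchange mailbox-audit logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events using RFC 5737 documentation addresses; these are
# not the page's own logs. The flat schema (ts, user, ip, event) is an
# assumption standing in for normalised OWA sign-in and Exchange
# mailbox-audit records, sorted by time.
EVENTS = [
    # Prior activity that establishes each user's normal source addresses.
    {"ts": "2021-02-01T09:00:00", "user": "jdoe",   "ip": "203.0.113.10",  "event": "UserLoggedIn"},
    {"ts": "2021-02-10T09:05:00", "user": "jdoe",   "ip": "203.0.113.10",  "event": "UserLoggedIn"},
    {"ts": "2021-02-12T08:55:00", "user": "asmith", "ip": "203.0.113.22",  "event": "UserLoggedIn"},
    {"ts": "2021-02-20T09:01:00", "user": "asmith", "ip": "203.0.113.22",  "event": "UserLoggedIn"},
    # The sequence from the post: a login from an address this user has never
    # used, a pivot to a second never-seen address minutes later, then
    # mailbox reconnaissance and an inbox rule.
    {"ts": "2021-03-01T14:10:00", "user": "jdoe",   "ip": "198.51.100.7",  "event": "UserLoggedIn"},
    {"ts": "2021-03-01T14:13:00", "user": "jdoe",   "ip": "192.0.2.45",    "event": "UserLoggedIn"},
    {"ts": "2021-03-01T14:15:00", "user": "jdoe",   "ip": "192.0.2.45",    "event": "MailItemsAccessed"},
    {"ts": "2021-03-01T14:18:00", "user": "jdoe",   "ip": "192.0.2.45",    "event": "New-InboxRule"},
    # Benign: a new address (say, working from home) with nothing else unusual.
    {"ts": "2021-03-01T15:00:00", "user": "asmith", "ip": "198.51.100.90", "event": "UserLoggedIn"},
]

PIVOT_WINDOW = timedelta(minutes=30)   # second new IP this soon after the first
RULE_WINDOW = timedelta(hours=2)       # inbox rule this soon after a new-IP login
ALERT_THRESHOLD = 2                    # how many behaviours must line up


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def build_baseline(events, cutoff):
    """Source IPs each user logged in from before the hunt window started."""
    known = defaultdict(set)
    for e in events:
        if e["event"] == "UserLoggedIn" and parse_ts(e["ts"]) < cutoff:
            known[e["user"]].add(e["ip"])
    return known


def hunt(events, hunt_start):
    """Score login behaviour per user without any IP reputation lookup.

    Returns one alert per suspicious cluster, listing the behaviours that
    lined up. A lone never-seen IP scores 1 and is not alerted on its own;
    a pivot to another never-seen IP or an inbox rule pushes it over the bar.
    """
    cutoff = parse_ts(hunt_start)
    known = build_baseline(events, cutoff)
    per_user = defaultdict(list)
    for e in events:
        if parse_ts(e["ts"]) >= cutoff:
            per_user[e["user"]].append(e)

    alerts = []
    for user, evs in per_user.items():
        new_logins = [e for e in evs
                      if e["event"] == "UserLoggedIn" and e["ip"] not in known[user]]
        consumed_until = None
        for anchor in new_logins:
            t0 = parse_ts(anchor["ts"])
            if consumed_until and t0 < consumed_until:
                continue  # already folded into an earlier alert's window
            reasons = ["login from IP never seen for this user: " + anchor["ip"]]
            pivots = [e for e in new_logins
                      if e["ip"] != anchor["ip"] and t0 < parse_ts(e["ts"]) <= t0 + PIVOT_WINDOW]
            if pivots:
                reasons.append("pivot to second never-seen IP within %d min: %s"
                               % (PIVOT_WINDOW.seconds // 60, pivots[0]["ip"]))
            rules = [e for e in evs
                     if e["event"] == "New-InboxRule" and t0 <= parse_ts(e["ts"]) <= t0 + RULE_WINDOW]
            if rules:
                reasons.append("inbox rule created %d min after the new-IP login"
                               % ((parse_ts(rules[0]["ts"]) - t0).seconds // 60))
            if len(reasons) >= ALERT_THRESHOLD:
                alerts.append({"user": user, "first_ip": anchor["ip"],
                               "score": len(reasons), "reasons": reasons})
                consumed_until = t0 + RULE_WINDOW
    return alerts


if __name__ == "__main__":
    for a in hunt(EVENTS, "2021-03-01T00:00:00"):
        print(a["user"], "score", a["score"])
        for r in a["reasons"]:
            print("  -", r)
```

The two time windows and the alert threshold are starting points to tune per environment. The point of the scoring is that a single never-seen address on its own stays quiet (the home-worker case), while the pivot and the inbox rule, the two behaviours that actually gave this attacker away, each add to the score regardless of whether any reputation database has ever heard of the addresses involved.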