Posted: May 13 2020 Edition
Howdy, and welcome to the ThreatConnect Research Roundup: Threat Intel Update (blog edition)! Here we will be sharing a collection of recent findings by our Research Team, as well as items from open source publications that have resulted in observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).
Note: Viewing the pages linked in this blog post requires a ThreatConnect account.
Roundup Highlight: Rickrolling Researchers! Really?
Our highlight in this Roundup is a collection of suspicious network infrastructure registration activity using the brand name SharePoint (Microsoft team collaboration software) and spoofing legitimate domains belonging to organizations in a variety of industries, including automotive, energy, engineering, industrial control systems, manufacturing, and mining:
Associated Indicators
Other commonalities include name servers, domain resolutions to dedicated servers, and Let’s Encrypt SSL certificate usage, as described in the Campaign shared to the ThreatConnect Common Community and the associated Incidents (also listed at the top of the next section of this blog post). One particularly peculiar feature of this activity is the configuration of subdomains like login.invoice-my-sharepoint[.]com, several of which were redirecting to a video of Rick Astley’s “Never Gonna Give You Up” on YouTube at the time of analysis.
At this time, we don’t know the extent to which these domains have been used maliciously or who they are associated with, but we will continue to monitor for related suspicious or malicious activity.
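As an added example that is not part of the ThreatConnect post: a small Python hunting helper that refangs the post's `[.]` indicators, matches the `<org>-my-sharepoint.com` naming convention described above (with or without a `login.` label), and runs that check over DNS query log lines. The dnsmasq-style log lines, the `contoso` name and the source IPs are constructed for the example, not taken from the page.

```python
import re

# Constructed sample of the roundup's defanged indicators (a subset, not the full list).
DEFANGED_IOCS = [
    "login.petrofac-my-sharepoint[.]com",
    "blackhawkmining-my-sharepoint[.]com",
    "217.8.117[.]152",
]

# Look-alike convention from the post: <spoofed-org>-my-sharepoint.com, optionally under a login.
# label. Note (added here): a real OneDrive tenant host is <tenant>-my.sharepoint.com, so the hyphen
# in "-my-sharepoint" is what distinguishes the spoof from the legitimate name.
MY_SHAREPOINT_RE = re.compile(
    r"^(?:(?P<sub>[a-z0-9-]+)\.)?(?P<org>[a-z0-9-]+)-my-sharepoint\.com$"
)

def refang(indicator: str) -> str:
    """Turn the post's defanged form (x[.]y) back into a resolvable name or IP."""
    return indicator.replace("[.]", ".")

def classify(domain: str):
    """Return (spoofed_org, subdomain_or_None) when the name fits the pattern, else None."""
    m = MY_SHAREPOINT_RE.match(domain.strip().lower().rstrip("."))
    return (m.group("org"), m.group("sub")) if m else None

def iocs_matching_pattern(defanged):
    """Refang a list of indicators and keep only the ones that fit the naming convention."""
    return [refang(i) for i in defanged if classify(refang(i))]

# Constructed dnsmasq-style query log lines, not real telemetry.
SAMPLE_DNS_LOG = """\
May 12 09:14:01 dnsmasq[1023]: query[A] login.petrofac-my-sharepoint.com from 10.0.4.17
May 12 09:14:02 dnsmasq[1023]: query[A] petrofac-my.sharepoint.com from 10.0.4.17
May 12 09:15:40 dnsmasq[1023]: query[AAAA] contoso-my-sharepoint.com from 10.0.9.3
May 12 09:16:11 dnsmasq[1023]: query[A] sharepoint.com from 10.0.4.20
"""

QUERY_RE = re.compile(r"query\[[A-Z]+\] (?P<name>\S+) from (?P<src>\S+)")

def hunt(log_text: str):
    """Return (source_ip, queried_name, spoofed_org) for each query that fits the pattern."""
    hits = []
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        c = classify(q.group("name")) if q else None
        if c:
            hits.append((q.group("src"), q.group("name"), c[0]))
    return hits
```

The legitimate `petrofac-my.sharepoint.com` query in the sample is deliberately left unmatched, so the check does not flag normal OneDrive traffic.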
ThreatConnect Research Team Intelligence:
These are items recently created or updated in the ThreatConnect Common Community by our Research Team. They include threat actor profiles, malware families, campaigns, signatures, and incidents based on our research and threat hunting activities. This week, we highlight ongoing activity spoofing organizations in the ICS, energy, and mining sectors, as well as domain activity spoofing Windows, Cloudflare, and AWS.
- Suspicious “-my-sharepoint” Domains Spoofing Various ICS, Energy, and Mining Organizations ThreatConnect Research has identified an ongoing series of SharePoint-themed domains registered since mid-April 2020 that spoof various industrial control system (ICS), energy, mining, manufacturing, and automotive organizations. Many of the domains have used Cloudflare or DNSpod name servers, are or were hosted on dedicated servers, used Let’s Encrypt SSL certificates, and had login subdomains that “rick roll” the researcher as they redirected to Rick Astley’s “Never Gonna Give You Up” on YouTube. At this time, we don’t know the extent to which these domains have been used maliciously or who they are associated with.
- 20200507A: Energy, Manufacturing, and ICS Spoofing Sharepoint Domains Hosted at 217.8.117[.]152
- 20200429B: Spoofed HPI Energy Sharepoint Domain Hosted at 8.208.79[.]16
- 20200428A: Spoofed Blackhawk Mining Sharepoint Domain Hosted at 47.241.107[.]199
- 20200421A: Suspicious Sharepoint Themed Domains Hosted at 152.44.46[.]101
- 20200511A: Suspicious Windows Spoofing Domain updatewindowsservices[.]com ThreatConnect Research identified the suspicious domain updatewindowsservices[.]com, which was registered through NameCheap on April 22 2020. Per Censys, Let’s Encrypt SSL certificates were created for the domain and identify subdomain data.updatewindowsservices[.]com. While the domain itself doesn’t currently resolve, subdomain data.updatewindowsservices[.]com is hosted on a probable dedicated server at 64.64.228[.]148. As of May 11 2020, the subdomain redirects to Microsoft’s legitimate site, per urlscan.io.
- 20200508A: Cloudflare-Spoofing Domains Registered Through OrangeWebsite ThreatConnect Research identified four domains that were registered through OrangeWebsite on May 6 and 7 2020 and are hosted on a probable dedicated server at Linode IP 172.105.119[.]20. The identified domains include the following:
At this time we don’t have any indication of the extent to which, if any, this infrastructure has been used maliciously.
- 20200507A: Energy, Manufacturing, and ICS Spoofing Sharepoint Domains Hosted at 217.8.117[.]152 ThreatConnect Research identified a set of 12 domains hosted on a probable dedicated server at 217.8.117[.]152 that most likely are a part of an ongoing series of Sharepoint-themed domains spoofing energy, manufacturing, industrial control system (ICS), and mining organizations. These domains were registered at essentially the same time on May 6 2020 through NameCheap and use CloudFlare name servers. The identified domains include the following:
In addition to the use of “my-sharepoint” strings, similar to the infrastructure identified in previous incidents, a login.petrofac-my-sharepoint[.]com subdomain was identified for one of the domains in a Let’s Encrypt SSL certificate, per Censys. Like the previous infrastructure, per urlscan.io, this login subdomain redirects to Rick Astley’s “Never Gonna Give You Up” on YouTube. At this time, we don’t have any information on the extent to which this infrastructure has been used maliciously.
Update 5/12/2020
ThreatConnect Research identified three additional “my-sharepoint” themed domains registered on May 11 2020 and hosted at the aforementioned 217.8.117[.]152. The additional domains include the following:
“Login” subdomains were also identified for these domains and several of those previously identified. Additionally, another domain — garry-you-are-the.best — and its subdomains are also hosted at 217.8.117[.]152. At this time, we do not know whether this domain is associated with the same actor behind the “my-sharepoint” themed infrastructure.
- 20200503A: Suspicious AWS Spoofing Domain aws-mfa[.]com Registered Through OrangeWebsite ThreatConnect Research identified the suspicious domain aws-mfa[.]com, which was registered through OrangeWebsite on May 1 2020 and is hosted on a probable dedicated server at 95.179.158[.]42. Per Censys, a Let’s Encrypt SSL certificate was created for the subdomain signin.aws-mfa[.]com, which is hosted at the same IP. Per urlscan.io, as of May 3 2020, both the domain and subdomain redirect to Amazon Web Services’ (AWS) legitimate site.
Update 5/6/20
Two related domains — mfaaws[.]com and mfa-aws[.]com — were registered through OrangeWebsite on May 4 2020. The mfa-aws[.]com is hosted at the aforementioned IP 95.179.158[.]42, while the mfaaws[.]com is hosted on non-dedicated infrastructure. Per Censys, the following subdomains were identified in a Let’s Encrypt SSL certificate and are also hosted at the same IP:
Per urlscan.io, as of May 6 2020, both the mfa-aws[.]com domain and subdomains redirect to Amazon Web Services’ (AWS) legitimate site.
Technical Blogs and Reports Incidents with Active and Observed Indicators:
The ThreatConnect Technical Blogs and Reports Source is a curated collection of open source blogs and reports that are automatically aggregated and parsed for Indicators on a daily basis. Incidents listed here are associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).
- Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents (Source: http://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html)
- Threat Roundup for May 1 to May 8 (Source: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html)
- PonyFinal (Source: https://id-ransomware.blogspot.com/2020/04/ponyfinal-ransomware.html)
- Emotet C2 and RSA Key Update – 05/11/2020 10:30 (Source: https://paste.cryptolaemus.com/emotet/2020/05/11/emotet-c2-rsa-update-05-11-20-1.html)
- Kupidon (Source: https://id-ransomware.blogspot.com/2020/05/kupidon-ransomware.html)