ThreatConnect Research Roundup: Spoofing SharePoint

May 13 2020 Edition

Howdy, and welcome to the ThreatConnect Research Roundup: Threat Intel Update (blog edition)! Here we will be sharing a collection recent findings by our Research Team, as well as items from open source publications that have resulted in observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post require a ThreatConnect account. If you don’t have one, please click here to request your free TC Open account.

Roundup Highlight: Rickrolling Researchers! Really?

Our highlight in this Roundup is a collection of suspicious network infrastructure registration activity using the brand name SharePoint (Microsoft team collaboration software) and spoofing legitimate domains belonging to organizations in a variety of industries, including automotive, energy, engineering, industrial control systems, manufacturing, and mining:

Associated Indicators

152.44.46[.]101

217.8.117[.]152

47.241.107[.]199

8.208.79[.]16

95.174.65[.]244

axiomatics-my-sharepoint[.]com

bhawkmining-my-sharepoint[.]com

bhmining-my-sharepoint[.]com

blackhawk-my-sharepoint[.]com

blackhawkm-my-sharepoint[.]com

blackhawkmining-my-sharepoint[.]com

britishsugar-my-sharepoint[.]com

cablecraft-my-sharepoint[.]com

cablecraftuk-my-sharepoint[.]com

easterns-my-sharepoint[.]com

ellex-my-sharepoint[.]com

ethosenergygroup-my-sharepoint[.]com

garry-you-are-the.best

hpienergy-my-sharepoint[.]com

invoice-my-sharepoint[.]com

invoices-my-sharepoint[.]com

login.blackhawkmining-my-sharepoint[.]com

login.britishsugar-my-sharepoint[.]com

login.cablecraftuk-my-sharepoint[.]com

login.easterns-my-sharepoint[.]com

login.ellex-my-sharepoint[.]com

login.hpienergy-my-sharepoint[.]com

login.invoice-my-sharepoint[.]com

login.invoices-my-sharepoint[.]com

login.net4gas-my-sharepoint[.]com

login.petrofac-my-sharepoint[.]com

login.roxteccom-my-sharepoint[.]com

login.tecom-my-sharepoint[.]com

login.toyota-indistries-my-sharepoint[.]com

maximumturbinesupport-my-sharepoint[.]com

naturewood-com-my-sharepoint[.]com

naturewood-my-sharepoint[.]com

naturewoods-com-my-sharepoint[.]com

naturwood-my-sharepoint[.]com

net4gas-my-sharepoint[.]com

petrofac-my-sharepoint[.]com

roxtec-my-sharepoint[.]com

roxteccom-my-sharepoint[.]com

score-group-my-sharepoint[.]com

serveleccontrols-my-sharepoint[.]com

te-my-sharepoint[.]com

tecom-my-sharepoint[.]com

toyota-indistries-my-sharepoint[.]com

Other commonalities include name servers, domain resolutions to dedicated servers, and Let’s Encrypt SSL certificate usage, as described in the Campaign shared to the ThreatConnect Common Community and the associated Incidents (also listed at the top of the next section of this blog post). One particularly peculiar feature of this activity is the configuration of subdomains like login.invoice-my-sharepoint[.]com, several of which were redirecting to a video of Rick Astley’s “Never Gonna Give you Up” on Youtube at the time of analysis.

At this time, we don’t know the extent to which these domains have been used maliciously or who they are associated with, but we will continue to monitor for related suspicious or malicious activity.

ThreatConnect Research Team Intelligence:

These are items recently created or updated in the ThreatConnect Common Community by our Research Team. They include threat actor profiles, malware families, campaigns, signatures, and incidents based on our research and threat hunting activities. This week, we highlight ongoing activity spoofing organizations in the ICS, energy, and mining sectors, as well as domain activity spoofing Windows, Cloudflare, and AWS.

At this time we don’t have any indication of the extent to which, if any, this infrastructure has been used maliciously.

In addition to the use of “my-sharepoint” strings, similar to the infrastructure identified in previous incidents, a login.petrofac-my-sharepoint[.]com subdomain was identified for one of the domains in a Let’s Encrypt SSL certificate, per Censys. Like the previous infrastructure, per urlscan.io, this login subdomain redirects to Rick Astley’s “Never Gonna Give You Up” on Youtube. At this time, we don’t have any information on the extent to which this infrastructure has been used maliciously.

Update 5/12/2020

ThreatConnect Research identified three additional “my-sharepoint” themed domains registered on May 11 2020 and hosted at the aforementioned 217.8.117[.]152. The additional domains include the following:

“Login” subdomains were also identified for these domains and several of those previously identified. Additionally, another domain — garry-you-are-the.best — and its subdomains are also hosted at 217.8.117[.]152. At this time, we do not know whether this domain is associated with the same actor behind the “my-sharepoint” themed infrastructure.

Update 5/6/20

Two related domains — mfaaws[.]com and mfa-aws[.]com — were registered through OrangeWebsite on May 4 2020. The mfa-aws[.]com is hosted at the aforementioned IP 95.179.158[.]42, while the mfaaws[.]com is hosted on non-dedicated infrastructure. Per Censys, the following subdomains were identified in a Let’s Encrypt SSL certificate and are also hosted at the same IP:

Per urlscan.io, as of May 6 2020, both the mfa-aws[.]com domain and subdomains redirect to Amazon Web Services’ (AWS) legitimate site.

Technical Blogs and Reports Incidents with Active and Observed Indicators:

The ThreatConnect Technical Blogs and Reports Source is a curated collection of open source blogs and reports that are automatically aggregated and parsed for Indicators on a daily basis. Incidents listed here are associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

 

 

To receive ThreatConnect notifications about updates to these Groups or their associated Indicators or Tags, remember to check the “Follow Item” box on that item’s Details page.

 

 

 

 

 

 

 

About the Author
ThreatConnect Research Team

The ThreatConnect Research Team: is an elite group of globally-acknowledged cybersecurity experts, dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then, we share what we’ve learned so that you can protect your organization, and your team can take precise action against threats.