May 13 2020 Edition
Howdy, and welcome to the ThreatConnect Research Roundup: Threat Intel Update (blog edition)! Here we will be sharing a collection of recent findings by our Research Team, as well as items from open source publications that have resulted in observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).
Note: Viewing the pages linked in this blog post requires a ThreatConnect account. If you don’t have one, please click here to request your free TC Open account.
Roundup Highlight: Rickrolling Researchers! Really?
Our highlight in this Roundup is a collection of suspicious network infrastructure registration activity using the brand name SharePoint (Microsoft team collaboration software) and spoofing legitimate domains belonging to organizations in a variety of industries, including automotive, energy, engineering, industrial control systems, manufacturing, and mining:
Other commonalities include name servers, domain resolutions to dedicated servers, and Let’s Encrypt SSL certificate usage, as described in the Campaign shared to the ThreatConnect Common Community and the associated Incidents (also listed at the top of the next section of this blog post). One particularly peculiar feature of this activity is the configuration of subdomains like login.invoice-my-sharepoint[.]com, several of which were redirecting to a video of Rick Astley’s “Never Gonna Give You Up” on YouTube at the time of analysis.
At this time, we don’t know the extent to which these domains have been used maliciously or who they are associated with, but we will continue to monitor for related suspicious or malicious activity.
ThreatConnect Research Team Intelligence:
These are items recently created or updated in the ThreatConnect Common Community by our Research Team. They include threat actor profiles, malware families, campaigns, signatures, and incidents based on our research and threat hunting activities. This week, we highlight ongoing activity spoofing organizations in the ICS, energy, and mining sectors, as well as domain activity spoofing Windows, Cloudflare, and AWS.
- Suspicious “-my-sharepoint” Domains Spoofing Various ICS, Energy, and Mining Organizations ThreatConnect Research has identified an ongoing series of SharePoint-themed domains registered since mid-April 2020 that spoof various industrial control system (ICS), energy, mining, manufacturing, and automotive organizations. Many of the domains have used Cloudflare or DNSpod name servers, are or were hosted on dedicated servers, used Let’s Encrypt SSL certificates, and had login subdomains that “rick roll” the researcher by redirecting to Rick Astley’s “Never Gonna Give You Up” on YouTube. At this time, we don’t know the extent to which these domains have been used maliciously or who they are associated with.
- 20200507A: Energy, Manufacturing, and ICS Spoofing Sharepoint Domains Hosted at 217.8.117[.]152
- 20200429B: Spoofed HPI Energy Sharepoint Domain Hosted at 8.208.79[.]16
- 20200428A: Spoofed Blackhawk Mining Sharepoint Domain Hosted at 47.241.107[.]199
- 20200421A: Suspicious Sharepoint Themed Domains Hosted at 152.44.46[.]101
- 20200511A: Suspicious Windows Spoofing Domain updatewindowsservices[.]com ThreatConnect Research identified the suspicious domain updatewindowsservices[.]com, which was registered through NameCheap on April 22 2020. Per Censys, Let’s Encrypt SSL certificates were created for the domain and identify the subdomain data.updatewindowsservices[.]com. While the domain itself doesn’t currently resolve, the subdomain data.updatewindowsservices[.]com is hosted on a probable dedicated server at 64.64.228[.]148. As of May 11 2020, the subdomain redirects to Microsoft’s legitimate site, per urlscan.io.
- 20200508A: Cloudflare-Spoofing Domains Registered Through OrangeWebsite ThreatConnect Research identified four domains that were registered through OrangeWebsite on May 6 and 7 2020 and are hosted on a probable dedicated server at Linode IP 172.105.119[.]20. The identified domains include the following:
At this time we don’t have any indication of the extent to which, if any, this infrastructure has been used maliciously.
- 20200507A: Energy, Manufacturing, and ICS Spoofing Sharepoint Domains Hosted at 217.8.117[.]152 ThreatConnect Research identified a set of 12 domains hosted on a probable dedicated server at 217.8.117[.]152 that most likely are a part of an ongoing series of Sharepoint-themed domains spoofing energy, manufacturing, industrial control system (ICS), and mining organizations. These domains were registered at essentially the same time on May 6 2020 through NameCheap and use CloudFlare name servers. The identified domains include the following:
In addition to the use of “my-sharepoint” strings, similar to the infrastructure identified in previous incidents, a login.petrofac-my-sharepoint[.]com subdomain was identified for one of the domains in a Let’s Encrypt SSL certificate, per Censys. Like the previous infrastructure, per urlscan.io, this login subdomain redirects to Rick Astley’s “Never Gonna Give You Up” on Youtube. At this time, we don’t have any information on the extent to which this infrastructure has been used maliciously.
ThreatConnect Research identified three additional “my-sharepoint” themed domains registered on May 11 2020 and hosted at the aforementioned 217.8.117[.]152. The additional domains include the following:
“Login” subdomains were also identified for these domains and several of those previously identified. Additionally, another domain — garry-you-are-the.best — and its subdomains are also hosted at 217.8.117[.]152. At this time, we do not know whether this domain is associated with the same actor behind the “my-sharepoint” themed infrastructure.
- 20200503A: Suspicious AWS Spoofing Domain aws-mfa[.]com Registered Through OrangeWebsite ThreatConnect Research identified the suspicious domain aws-mfa[.]com, which was registered through OrangeWebsite on May 1 2020 and is hosted on a probable dedicated server at 95.179.158[.]42. Per Censys, a Let’s Encrypt SSL certificate was created for the subdomain signin.aws-mfa[.]com, which is hosted at the same IP. Per urlscan.io, as of May 3 2020, both the domain and subdomain redirect to Amazon Web Services’ (AWS) legitimate site.
Two related domains — mfaaws[.]com and mfa-aws[.]com — were registered through OrangeWebsite on May 4 2020. mfa-aws[.]com is hosted at the aforementioned IP 95.179.158[.]42, while mfaaws[.]com is hosted on non-dedicated infrastructure. Per Censys, the following subdomains were identified in a Let’s Encrypt SSL certificate and are also hosted at the same IP:
Per urlscan.io, as of May 6 2020, both the mfa-aws[.]com domain and subdomains redirect to Amazon Web Services’ (AWS) legitimate site.
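The pivots used across the “-my-sharepoint” incidents and the aws-mfa[.]com incident above (a brand token in a domain that is not the brand’s own, a Let’s Encrypt certificate, dedicated hosting, Cloudflare or DNSpod name servers, a login/signin subdomain in the certificate, and co-hosting on one IP) can be turned into a repeatable triage step. The script below is an added example written for this post, not ThreatConnect tooling or CAL logic. The records it runs over are constructed: only the domain names and the two hosting IPs 217.8.117[.]152 and 95.179.158[.]42 are taken from the incidents above, while the name servers, certificate issuer strings, other IPs, scoring weights and login labels are assumptions.

```python
"""Infrastructure-pivot triage for brand-spoofing domains (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Brand tokens reported as spoofed in this roundup. Longer tokens first so a
# domain is attributed to the most specific brand it carries.
BRAND_TOKENS = ("sharepoint", "cloudflare", "windows", "aws")
# Registrable domains that legitimately carry those tokens (assumed allowlist).
LEGITIMATE = {"sharepoint.com", "microsoft.com", "amazon.com", "amazonaws.com",
              "windows.com", "cloudflare.com"}
# Subdomain labels that suggest a credential-harvesting page (assumed set).
LOGIN_LABELS = {"login", "signin"}
SUSPICIOUS_NS = ("cloudflare.com", "dnspod.net")   # NS providers seen across the cluster


@dataclass(frozen=True)
class DomainRecord:
    domain: str          # registrable domain, not defanged
    name_servers: tuple  # authoritative NS hostnames, lowercase
    ip: str              # A record for the apex or a subdomain
    dedicated_ip: bool   # True when passive DNS shows (almost) no other tenants
    cert_issuer: str     # issuer name as recorded in CT logs
    subdomains: tuple    # labels seen in certificate SANs or passive DNS


def defang(indicator: str) -> str:
    """Bracket the last dot, the convention used in this post: 1.2.3.4 -> 1.2.3[.]4."""
    head, _, tail = indicator.rpartition(".")
    return f"{head}[.]{tail}" if head else indicator


def registrable(name: str) -> str:
    """Last two labels. Adequate for the TLDs used here; a real tool needs the public-suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def spoofed_brand(domain: str):
    """Return the brand token a domain borrows, or None for the brand's own domains
    and for domains with no token. Substring matching is deliberate (mfaaws, updatewindows...)
    but it also matches innocents such as 'laws.com', so a token alone scores low."""
    reg = registrable(domain)
    if reg in LEGITIMATE:
        return None
    return next((tok for tok in BRAND_TOKENS if tok in reg), None)


def triage(rec: DomainRecord):
    """Score one record on the pivots from the post. Returns (score, reasons).
    One point per corroborating signal; the weights are an illustrative assumption."""
    reasons = []
    brand = spoofed_brand(rec.domain)
    if brand is None:
        return 0, reasons
    reasons.append(f"brand token '{brand}' outside the brand's own domain")
    if re.search(r"-my-sharepoint\b", rec.domain):
        reasons.append("'-my-sharepoint' naming shared across the cluster")
    if rec.cert_issuer.lower().startswith("let's encrypt"):
        reasons.append("Let's Encrypt certificate")
    if rec.dedicated_ip:
        reasons.append(f"dedicated hosting at {defang(rec.ip)}")
    if any(ns.endswith(SUSPICIOUS_NS) for ns in rec.name_servers):
        reasons.append("Cloudflare/DNSpod name servers")
    hits = LOGIN_LABELS.intersection(s.lower() for s in rec.subdomains)
    if hits:
        reasons.append("credential-style subdomain(s): " + ", ".join(sorted(hits)))
    return len(reasons), reasons


def cluster_by_ip(records, min_score=3):
    """Group flagged domains by hosting IP and list co-hosted neighbours that did not
    trip the heuristic, so shared-actor questions (garry-you-are-the[.]best in the post)
    stay visible to the analyst instead of being silently dropped."""
    clusters = defaultdict(lambda: {"flagged": [], "neighbours": []})
    for rec in records:
        score, _ = triage(rec)
        clusters[rec.ip]["flagged" if score >= min_score else "neighbours"].append(defang(rec.domain))
    return {defang(ip): {k: sorted(v) for k, v in c.items()}
            for ip, c in clusters.items() if c["flagged"]}


# Constructed sample records. Domain names and the two hosting IPs come from the
# incidents above; every other attribute is made up (TEST-NET IPs for the rest).
SAMPLE = (
    DomainRecord("petrofac-my-sharepoint.com", ("ns1.cloudflare.com",), "217.8.117.152",
                 True, "Let's Encrypt Authority X3", ("login", "www")),
    DomainRecord("garry-you-are-the.best", ("ns1.cloudflare.com",), "217.8.117.152",
                 True, "Let's Encrypt Authority X3", ("www",)),
    DomainRecord("aws-mfa.com", ("ns1.example-registrar.net",), "95.179.158.42",
                 True, "Let's Encrypt Authority X3", ("signin",)),
    DomainRecord("mfaaws.com", ("ns1.example-registrar.net",), "203.0.113.10",
                 False, "Let's Encrypt Authority X3", ()),
    DomainRecord("sharepoint.com", ("ns1.example-corp.net",), "198.51.100.5",
                 False, "Example Corporate CA", ("login",)),
)

if __name__ == "__main__":
    for rec in SAMPLE:
        score, reasons = triage(rec)
        print(f"{defang(rec.domain):32} score={score} {'; '.join(reasons)}")
    for ip, c in cluster_by_ip(SAMPLE).items():
        print(ip, "flagged:", c["flagged"], "co-hosted:", c["neighbours"])
```

Run it and petrofac-my-sharepoint[.]com scores on every pivot while garry-you-are-the[.]best, on the same IP, scores zero and is reported only as a neighbour; mfaaws[.]com carries the brand token and a Let’s Encrypt certificate but lacks dedicated hosting and a login subdomain, so it falls below the threshold, which is the caveat the post itself makes about not knowing how far the infrastructure has been used.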
Technical Blogs and Reports Incidents with Active and Observed Indicators:
The ThreatConnect Technical Blogs and Reports Source is a curated collection of open source blogs and reports that are automatically aggregated and parsed for Indicators on a daily basis. Incidents listed here are associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).
- Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents (Source: http://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html)
- Threat Roundup for May 1 to May 8 (Source: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html)
- PonyFinal (Source: https://id-ransomware.blogspot.com/2020/04/ponyfinal-ransomware.html)
- Emotet C2 and RSA Key Update – 05/11/2020 10:30 (Source: https://paste.cryptolaemus.com/emotet/2020/05/11/emotet-c2-rsa-update-05-11-20-1.html)
- Kupidon (Source: https://id-ransomware.blogspot.com/2020/05/kupidon-ransomware.html)
To receive ThreatConnect notifications about updates to these Groups or their associated Indicators or Tags, remember to check the “Follow Item” box on that item’s Details page.