Organizations that don’t have a dedicated pool of cybersecurity experts often hire managed security service providers (MSSPs) to help them ward off attempts and attacks. Yet in today’s ever-dangerous cyber threat landscape, even the best service providers may fall for cybercriminals’ traps.

Case in point: A major MSSP fell victim to a Sodinokibi ransomware attack back in December 2019. While most attacks of that sort can come from unknown threat sources, reliable cyber threat intelligence feeds such as those that power Threat Intelligence Platform (TIP) could contribute to the detection of dangerous indicators of compromise (IoCs).

What We Know of the Attack

The MSSP reportedly had to resort to paying the ransom to regain access to their infected systems. It informed customers via its Twitter account that it suffered a credential compromise but that this was effectively contained. The provider then proceeded diligently to remedy the situation with clients.

An undisclosed customer revealed that the attackers used a remote management tool to infect the MSSP’s systems with the ransomware. While the provider didn’t confirm the report, experts believe it was the latest addition to Sodinokibi’s victim list.

Sodinokibi gets into systems connected to vulnerable Oracle WebLogic servers. Once installed, the ransomware attempts to encrypt data in a user’s directory and deletes shadow copies to make data recovery difficult. While Oracle issued an out-of-cycle patch for the bug in April 2019, the MSSP may have left a hole open for attacks.

The critical vulnerability CVE-2019-2725 is easy for attackers to exploit and anyone with HTTP access to the WebLogic server can carry out an attack. Threat actors have, in fact, been exploiting the bug since at least April 2019.

How Cyber Threat Intelligence Feeds Could Have Helped

Apart from installing patches as soon as these are made available, especially for critical vulnerabilities such as CVE-2019-2725, using cyber threat intelligence feeds as a source of threat vectors could serve as an additional layer of protection.

In this particular case, for instance, we can obtain a list of IoCs tied to Sodinokibi ransomware. These include:

Hashes for ransomware samples:

<br /> > 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d<br /> > 34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160<br /> > 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac<br /> > 95ac3903127b74f8e4d73d987f5e3736f5bdd909ba756260e187b6bf53fb1a05<br /> >fa2bccdb9db2583c2f9ff6a536e824f4311c9a8a9842505a0323f027b8b51451<br />

Distribution URLs:

> http[:]//188[.]166[.]74[.]218/office[.]exe<br /> > http[:]//188[.]166[.]74[.]218/radm[.]exe<br /> > http[:]//188[.]166[.]74[.]218/untitled[.]exe<br /> > http[:]//45[.]55[.]211[.]79/.cache/untitled[.]exe

Attacker’s IP address:

> 130[.]61[.]54[.]136

Attacker’s domain:

> decryptor[.]top

While TIP may not be able to detect the actual ransomware file, it can help to thwart threats from a different angle. In fact, the platform can detect malicious domains and IP addresses that organizations such as the affected MSSP should avoid accessing.

We subjected the IP addresses and domains in the IoC list to TIP analysis and found that 188[.]166[.]74[.]218, 45[.]55[.]211[.]79, 130[.]61[.]54[.]136, and decryptor[.]top all appear as malware hosts on VirusTotal. The domain decryptor[.]top is also part of Google’s Safe Browsing list. Our quick queries showed that any TIP user could limit access to any of the Sodinokibi sources from the get-go if the platform’s APIs, specifically the Domain Malware Check API, are integrated into existing security systems and solutions. In the MSSP’s case, that may translate to reducing the likelihood of such infections in the first place, thus not needing to shell out a likely huge amount to pay the ransom and incurring a tarnished reputation in the process.

Cybersecurity experts know how difficult and time-consuming patching can be. And so, sometimes, the less-security-savvy have a tendency to put the process in the backburner until it’s too late. Additionally, using additional layers of protection such as integrating cyber threat intelligence feeds into security solutions and systems is complementary. That is especially true for MSSPs who are tasked to protect clients from attacks.