
How Cyber Threat Intelligence Feeds Can Support MSSPs

Organizations that don't have a dedicated pool of cybersecurity experts often hire managed security service providers (MSSPs) to help them ward off attempts and attacks. Yet in today's ever-dangerous cyber threat landscape, even the best service providers may fall for cybercriminals' traps.

Case in point: A major MSSP fell victim to a Sodinokibi ransomware attack back in December 2019. While most attacks of that sort can come from unknown threat sources, reliable cyber threat intelligence feeds such as those that power Threat Intelligence Platform (TIP) could contribute to the detection of dangerous indicators of compromise (IoCs).

What We Know of the Attack

The MSSP reportedly had to resort to paying the ransom to regain access to their infected systems. It informed customers via its Twitter account that it suffered a credential compromise but that this was effectively contained. The provider then proceeded diligently to remedy the situation with clients.

An undisclosed customer revealed that the attackers used a remote management tool to infect the MSSP's systems with the ransomware. While the provider didn't confirm the report, experts believe it was the latest addition to Sodinokibi's victim list.

Sodinokibi gets into systems connected to vulnerable Oracle WebLogic servers. Once installed, the ransomware attempts to encrypt data in a user's directory and deletes shadow copies to make data recovery difficult. While Oracle issued an out-of-cycle patch for the bug in April 2019, the MSSP may have left a hole open for attacks.

The critical vulnerability CVE-2019-2725 is easy for attackers to exploit and anyone with HTTP access to the WebLogic server can carry out an attack. Threat actors have, in fact, been exploiting the bug since at least April 2019.

How Cyber Threat Intelligence Feeds Could Have Helped

Apart from installing patches as soon as these are made available, especially for critical vulnerabilities such as CVE-2019-2725, using cyber threat intelligence feeds as a source of threat vectors could serve as an additional layer of protection.

In this particular case, for instance, we can obtain a list of IoCs tied to Sodinokibi ransomware. These include:

Hashes (SHA-256) for ransomware samples:

> 0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d
> 34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160
> 74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac
> 95ac3903127b74f8e4d73d987f5e3736f5bdd909ba756260e187b6bf53fb1a05
> fa2bccdb9db2583c2f9ff6a536e824f4311c9a8a9842505a0323f027b8b51451

Distribution URLs:

> http[:]//188[.]166[.]74[.]218/office[.]exe
> http[:]//188[.]166[.]74[.]218/radm[.]exe
> http[:]//188[.]166[.]74[.]218/untitled[.]exe
> http[:]//45[.]55[.]211[.]79/.cache/untitled[.]exe

Attacker's IP address:

> 130[.]61[.]54[.]136

Attacker's domain:

> decryptor[.]top

While TIP may not be able to detect the actual ransomware file, it can help to thwart threats from a different angle. In fact, the platform can detect malicious domains and IP addresses that organizations such as the affected MSSP should avoid accessing.

We subjected the IP addresses and domains in the IoC list to TIP analysis and found that 188[.]166[.]74[.]218, 45[.]55[.]211[.]79, 130[.]61[.]54[.]136, and decryptor[.]top all appear as malware hosts on VirusTotal. The domain decryptor[.]top is also part of Google's Safe Browsing list. Our quick queries showed that any TIP user could limit access to any of the Sodinokibi sources from the get-go if the platform's APIs, specifically the Domain Malware Check API, are integrated into existing security systems and solutions. In the MSSP's case, that may translate to reducing the likelihood of such infections in the first place, thus not needing to shell out a likely huge amount to pay the ransom and incurring a tarnished reputation in the process.
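The two steps the article describes, turning the defanged IoC list above into a set of network indicators and then checking observed traffic against them, look like this in practice. The script below is an added example, not code from the article or from Threat Intelligence Platform: the IoC values are the ones listed in the article, the proxy log lines are constructed, and the matching is done against a local set rather than by calling the Domain Malware Check API, so it runs offline. The host set it produces is what an integration would feed into a blocklist or submit to the API for a verdict.

```python
"""Parse a defanged IoC list and match it against constructed proxy log lines.

Added example; not part of the original article or the TIP product. IoC values
are copied from the article. Log lines are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Defanged IoC list as published in the article (hashes, URLs, IP, domain).
RAW_IOCS = """
0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d
34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160
74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac
95ac3903127b74f8e4d73d987f5e3736f5bdd909ba756260e187b6bf53fb1a05
fa2bccdb9db2583c2f9ff6a536e824f4311c9a8a9842505a0323f027b8b51451
http[:]//188[.]166[.]74[.]218/office[.]exe
http[:]//188[.]166[.]74[.]218/radm[.]exe
http[:]//188[.]166[.]74[.]218/untitled[.]exe
http[:]//45[.]55[.]211[.]79/.cache/untitled[.]exe
130[.]61[.]54[.]136
decryptor[.]top
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)


def refang(value: str) -> str:
    """Undo the usual defanging so the value can be compared with real logs."""
    value = value.strip().replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def classify(ioc: str) -> str:
    """Bucket an IoC as sha256, url, ip or domain (order matters)."""
    if SHA256_RE.match(ioc):
        return "sha256"
    if "://" in ioc:
        return "url"
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def parse_iocs(text: str) -> dict:
    """Return {"sha256": set, "url": set, "ip": set, "domain": set}."""
    out = {"sha256": set(), "url": set(), "ip": set(), "domain": set()}
    for line in text.splitlines():
        if line.strip():
            ioc = refang(line)
            out[classify(ioc)].add(ioc)
    return out


def network_indicators(iocs: dict) -> set:
    """Every host that could show up in proxy or DNS logs: IPs, domains, URL hosts.

    File hashes are deliberately left out: they are matched by endpoint
    tooling, not by network logs.
    """
    hosts = set(iocs["ip"]) | set(iocs["domain"])
    for url in iocs["url"]:
        hosts.add(urlparse(url).hostname)
    return hosts


# Constructed proxy log lines: timestamp client method url status
PROXY_LOG = """
2019-12-10T08:01:12Z 10.0.5.21 GET http://www.example.com/index.html 200
2019-12-10T08:02:44Z 10.0.5.33 GET http://188.166.74.218/radm.exe 200
2019-12-10T08:03:01Z 10.0.5.33 POST http://decryptor.top/ 200
2019-12-10T08:05:19Z 10.0.5.40 GET http://45.55.211.79/.cache/untitled.exe 404
2019-12-10T08:06:00Z 10.0.5.21 GET https://updates.example.org/patch.msi 200
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    host: str


def scan_proxy_log(log_text: str, hosts: set) -> list:
    """Flag every request whose destination host is a known indicator.

    A non-200 status still counts: the client attempted contact, which is the
    signal an analyst wants, whether or not the download succeeded.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, url, _status = parts[:5]
        if urlparse(url).hostname in hosts:
            hits.append(Hit(ts, client, urlparse(url).hostname))
    return hits


if __name__ == "__main__":
    indicators = network_indicators(parse_iocs(RAW_IOCS))
    for hit in scan_proxy_log(PROXY_LOG, indicators):
        print(f"{hit.timestamp} {hit.client} contacted {hit.host}")
```

The design point is the split between `network_indicators` and the hash bucket: a feed integration at the proxy or DNS layer can only act on hosts, which is exactly the angle the article says TIP covers, while the sample hashes belong to endpoint or mail-gateway controls.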

Cybersecurity experts know how difficult and time-consuming patching can be. As a result, the less security-savvy sometimes put the process on the back burner until it's too late. Integrating cyber threat intelligence feeds into security solutions and systems adds a complementary layer of protection, which is especially valuable for MSSPs tasked with protecting clients from attacks.

By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services – Threat Intelligence Platform (TIP) offers easy-to-use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers, utilizing our substantial internal databases (compiled for 10+ years), and performing real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.
