Threat Intelligence Brief – July 2017


Threat Actor Phishing Reconnaissance

The Shadow Brokers showed no signs of slowing down in June. In fact, it was quite the opposite as they launched the “Data Dump of the Month Club.” So, not only are they not slowing down, they’ve created a profitable subscriber-based business model.

We attempted to highlight several key items of note in our security news for this release.

  1. Old vulnerabilities still exist with new ones constantly uncovered.
  2. Paying a ransomware demand is no longer a viable option for disaster recovery planning.
  3. Threat levels remain high even while developers continue to patch vulnerabilities and create security mechanisms to stop, or at least slow, attacks.

So, what can you do in the face of these unrelenting, ever-evolving attacks? Last month we highlighted defense-in-depth. This month we focus on one of the most successful attack vectors, phishing. Phishing is accomplished via reconnaissance, social engineering and malicious web content.

Phishing Reconnaissance

Outside of mass marketing and spam campaigns, most phishing campaigns begin with reconnaissance. Adversaries will always take the path of least resistance first. To find an easy opening, their first step is gathering all of your publicly available information. Often, corporate websites are a rich resource for them. It’s understood that a good corporate persona is part of a successful marketing campaign, even if the risk of exposing data is often overlooked.

Recommendations include:

  • Carefully curate profiles of executives on public-facing web sites.
  • Post only phone numbers and email addresses that are intended for open public use.
  • Keep feeds and press releases free of personally identifiable information and intricate details that could be used to craft an authentic-looking phishing email.

Social Engineering

By now, we all know or think we know what social engineering is. In simple terms, it’s gathering data from someone through social interaction. It occurs via all means of communication, i.e. face-to-face, telephone, e-mail and social media. Human beings are social creatures, so preventing social interaction is not a viable strategy. Therefore, we’re left protecting people from themselves. This is accomplished or at least attempted through increasing phishing awareness and reducing exposure. Awareness training for users, while a widely implemented and auditable item for many, is only as effective as the support from management. Reports of detected phishing and malware attempts should be published for the consumption of all personnel in the organization. Warning personnel of current spam activity, malware detection events and additions to the web filtering program is an effective way to emphasize security. In short, people pay attention when bad things happen.

Malicious Web Content

Phishing through malicious web content involves redirecting targets to a phishing site or compromising them through man-in-the-middle tactics. The most widely used techniques for this are cross-site scripting on watering hole websites, malicious hyperlinks and malware.

Common solutions to prevent phishing include:

  • Antivirus
  • Web filtering
  • Spam filters
  • Email HTML filters
  • Email link disabling

These solutions catch most unsophisticated mass phishing. The next level of prevention is behavioral monitoring and watering hole reconnaissance (identifying the high-traffic external websites your users visit). Behavioral monitoring requires a learning period during which you identify a baseline of web activity for your users.

This activity can be broken down into multiple categories that offer a snapshot of what normal looks like for your organization, including:

  • Time of day
  • User roles
  • Bandwidth usage

With a baseline identified, anomalies can be detected. An anomaly can indicate a new watering hole, data theft, browser compromise and a multitude of other issues that should be investigated.

Security personnel should review new watering holes to determine the potential for cross-site scripting and other malicious content. Spikes in connections to specific sites or IP addresses could indicate that browsers are being redirected to a man-in-the-middle site or that email-delivered malware is being launched. Also, spikes in bandwidth at odd times of the day may indicate that a compromise is underway or that data is being exfiltrated.
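The baseline-then-anomaly approach described above, as an added example that is not part of the brief: constructed proxy log lines (user, role, destination host, bytes) are learned per role and per hour of day during a training window, then a later window is scored for hosts outside the role's baseline that suddenly draw repeated connections (a candidate new watering hole) and for hour slots whose volume far exceeds the learned peak (an off-hours spike worth investigating). Field layout, hosts and thresholds are assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed proxy log lines (not from the brief): "timestamp user role host bytes_out"
BASELINE_LOG = """\
2017-06-05T09:12:00 alice finance intranet.example.com 2048
2017-06-05T10:30:00 bob sales crm.example.com 4096
2017-06-05T11:05:00 alice finance news.example.org 1024
2017-06-06T09:45:00 bob sales crm.example.com 3072
2017-06-06T14:20:00 alice finance intranet.example.com 2560
""".splitlines()

CURRENT_LOG = """\
2017-06-26T09:30:00 alice finance intranet.example.com 2048
2017-06-26T09:31:00 bob sales update-cdn.example.net 512
2017-06-26T09:32:00 alice finance update-cdn.example.net 512
2017-06-26T09:33:00 bob sales update-cdn.example.net 512
2017-06-27T02:15:00 alice finance intranet.example.com 900000
""".splitlines()

def parse(lines):
    for line in lines:
        ts, user, role, host, nbytes = line.split()
        yield datetime.fromisoformat(ts), user, role, host, int(nbytes)

def build_baseline(lines):
    """Learning period: hosts each role normally visits, peak bytes per hour-of-day."""
    hosts_by_role, per_slot = defaultdict(set), defaultdict(int)
    for ts, _user, role, host, nbytes in parse(lines):
        hosts_by_role[role].add(host)
        per_slot[(ts.date(), ts.hour)] += nbytes      # one slot per calendar day and hour
    peak_by_hour = defaultdict(int)
    for (_day, hour), total in per_slot.items():
        peak_by_hour[hour] = max(peak_by_hour[hour], total)
    return hosts_by_role, peak_by_hour

def find_anomalies(baseline, lines, new_host_threshold=3, byte_factor=10):
    """Flag unseen hosts drawing repeated connections (possible watering hole) and
    day/hour slots whose bytes exceed the learned peak by byte_factor (spike)."""
    hosts_by_role, peak_by_hour = baseline
    new_host_hits, cur_slots, alerts = Counter(), defaultdict(int), []
    for ts, _user, role, host, nbytes in parse(lines):
        if host not in hosts_by_role.get(role, set()):
            new_host_hits[host] += 1
        cur_slots[(ts.date(), ts.hour)] += nbytes
    for host, n in new_host_hits.items():
        if n >= new_host_threshold:
            alerts.append(("possible-watering-hole", host, n))
    for (day, hour), total in cur_slots.items():
        if total > max(peak_by_hour.get(hour, 0), 1) * byte_factor:   # unseen hour: any real volume alerts
            alerts.append(("bandwidth-spike", f"{day} {hour:02d}:00", total))
    return alerts
```

Alerts are leads for an analyst to review against the watering-hole and exfiltration scenarios above, not verdicts; tune the thresholds to the learned baseline before acting on them.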

Malicious IPs

We’ve seen the following IPs involved in various malicious activity and have taken steps to block them from our environment. We highly recommend blocking these IPs until they can be remediated and no longer pose a threat. It’s prudent to heavily scrutinize any communications from your network to these IPs, especially C2 nodes.

Attack Signature            IP Address    Geo Location
Attacking Web Application                 Ukraine
Command and Control                       United States
Attacking MySQL                           Taiwan
Command and Control                       Egypt
SSH Brute Force                           Poland
Attacking Web Application                 United Kingdom
Attacking Web Application                 France
Command and Control                       Russia
Malware Host                              China
SSH Brute Force                           United States
Command and Control                       Sweden
Attacking Web Application                 Australia
Command and Control                       Jordan
Malware Host                              United States

Security Trends and Insights


The last week of June saw the release of patches for a high-severity vulnerability that exists in several popular Linux distributions. The vulnerability, CVE-2017-9445, is exploited using malformed DNS payloads to execute arbitrary code on the target system. The vulnerability was introduced in June 2015 and was discovered in January 2017 by a security researcher. Exploits haven’t been published for this vulnerability yet, but it’s recommended that affected Linux systems are patched immediately.



Petya victims paid $10,000 for encryption keys even though the attack wasn’t likely financially motivated and affected files may not be recoverable. This is a PSA: paying the ransom is never worth it. You may get your files back, but there’s no guarantee. Additionally, any payments received further incentivize perpetrators while also funding future ransomware campaigns. The only recommended method for recovering affected files is to restore from a known, reliable backup.



Microsoft continues to take heat as the number of ransomware variants and incidents that specifically target the Windows OS increases. In response, the Windows 10 Insider Preview program is introducing Windows Defender features specifically designed to mitigate ransomware attempts. The “Controlled Folder Access” feature is set for release as part of the Windows 10 Creators Update (Redstone 3) later this fall. This EMET-like feature monitors and blocks unauthorized applications from making unexpected changes to files in protected folders.



Microsoft has finally decided to retire its 30-year-old file sharing protocol. After a series of high-profile attacks used SMBv1 as a main infection vector, the company decided to remove it (partially or fully, depending on SKU) from the upcoming Windows 10 Fall Creators Update. In the meantime (or if you aren’t going to apply this update), it’s advised that you manually disable SMBv1 on your systems.
