Anomali Detect

September 20 - 22, 2017

Halt the Sidecar Bear’s infrastructure with Intel 471 and Anomali Threatstream

July 27, 2017 | Travis Farral

By Mark Arena, Intel 471 and Travis Farral, Anomali

We’ve all seen the research into Fancy Bear (aka APT28, Sofacy etc) which is likely a group sponsored by or a part of the Russian government. They even have their own website. Research into these groups is predominantly reactive.

Reactive Malware Research Process
Typical process for investigating nation state malware.

You’ll note in the above process that this is all driven by malware or attack samples being obtained at the beginning. The very nature of this means that attacks are already underway or might have already been finished by the time it’s detected or blocked. Protections against future attacks from this same actor using this process may or may not bear fruit as a result.

Rough Start

What if instead of simply waiting for malware or attack samples, we research one of the core enablers of this type of threat activity. Would this be a better return on investment for our efforts?

Bulletproof Hosting

For those that don’t know, bulletproof hosting is one of the key enablers for cyber threat activity. The miscreants need hosting for everything they do, be it command and control server hosting or exploit kit hosting. It also takes quite a bit of time for the miscreants to setup these servers, so ideally they want hosting that isn’t taken down easily. Any time a miscreant runs a command and control server or exploit kit, their server provider will likely receive complaints and pressure from various anti-virus and security companies to take down the malicious infrastructure. Bulletproof hosting is hosting that will (or claims to) remain running even with the pressure from the antivirus and security company. Some bulletproof hosting providers even have their own data centers with prepaid government protection.

When it comes to bulletproof hosting, we are trying to achieve a position of information dominance over our adversary where these hosting networks are identified before they are used and can be blocked. At Intel 471 we refer to these as “pre-IOCs”. It’s a marketing gimmick we know but based on the fact that these aren’t indicators of compromise (IOCs) yet, we believe it’s an accurate term to describe the proactive blocking of bulletproof hosting networks. Blocking the bulletproof hosting networks proactively also means we don’t need to spend all our resources focusing on the specific threat groups or malware families themselves.

Alex

We’ll use the name Alex to describe one bulletproof hoster whom Intel 471 has tracked closely (Alex isn’t a nickname he uses). At the elite cybercriminal level there are only a few legitimate bulletproof hosting providers and Alex is one of them. In March-May 2017 we were able to link Alex’s bulletproof hosting network to the following malicious infrastructure:

  • Ransomware: Cerber, Locky/Osiris, Sage, Yakes, Razy, Barys, and Kovter.
  • Malware: Dridex, Hancitor, Nemucod, PandaZeuS, Nymaim, Zusy, Symmi/Graftor, Gafgyt (Linux), Marcher (Android), Valyria, Pony/Fareit, exploitation for CVE-2017-0199, Mirai, and more.
  • Phishing: Global banks, Apcera (cloud management), Amazon, Google (Play, Gmail, etc), CDN providers, Android-related, Yandex, Microsoft, Local UK governments, UK Driver and Vehicle Licensing Agency, UK’s Crown Prosecution Service, UK parking enforcement and ticketing, Apple, IMF, Adobe, Chrome, Apcera (cloud management), Mail.ru, Ubuntu, PayPal, Hilton, and much more.
  • Other: Drug shops, cybercrime forums, credit card dump shops, credential shops, activity related to the Russia/Ukraine conflict, counterfeit watches, online casinos and more.

Alex’s front-end proxy network from March-May 2017 consisted of around 800 different IPs across about 230 different providers. The vast majority were abusing US, China and Russian cloud hosting providers. In the beginning, the daily average size was around 100 hosts that were being rotated across his clients’ infrastructure.

Blocking Alex and all his miscreant customers

Using Intel 471’s actor-centric intelligence with Anomali Threatstream, we are able to automatically ingest, correlate and action the blocking of Alex’s bulletproof hosting network. Intel 471, in this case, is the collector of the information whilst the Threatstream platform enables the sharing of this threat information into your organization’s security infrastructure.

ThreatStream

What’s the return on investment?

The idea behind proactively blocking bulletproof hosting is that you are blocking things before they are bad. I.e., don’t wait for your organization’s systems to be compromised with the latest exploit kit, banking trojan or ransomware whereby a costly incident response exercise is initiated. Intel 471 believes that there is truly only a dozen legitimate bulletproof hosters in the top tier or elite cybercriminal underground. The efficiency gain for simply blocking this pre-IOCs compared to the cost of not doing so is very large.

This is financially motivated cybercrime! You mentioned Fancy Bear at the start!

We did and you found us out. Alex’s cybercriminal bulletproof hosting service has been used in targeted attacks in Eastern Europe. Nation state threat actors need bulletproof hosting too.

The joint Anomali and Intel 471 offering

The joint Anomali and Intel 471 offering provides a window into the elite cybercriminal underground within the Anomali Threatstream platform. This centralized threat intelligence solution provides proactive and breaking insight into how top tier cybercriminals are targeting your organization, assets, and people. Leveraging ThreatStream’s integrations and data enrichment features with Intel 471’s intelligence and insights creates a powerful weapon against cybercriminals and other threat actors. It’s a solution that gives analysts the ability to research actors like Alex and proactively push out protections against his known infrastructure. Because Intel 471 stays on top of actors like Alex, infrastructure changes can be followed and defenses adjusted accordingly.

Anomali, Intel 471 Silver, Gold and Platinum Offerings

Anomali and Intel 471 are happy to announce that as of 1 August 2017 we are offering silver, gold and platinum Intel 471 packages so organizations of any size can take advantage of Intel 471’s actor-centric intelligence within the Anomali platform. These offerings are available exclusively through the Anomali platform and depending on the package chosen. Packages include:

  • Full integration of Intel 471 actor-centric intelligence within Anomali Threatstream
  • Custom underground alerting
  • Intel 471 finished intelligence reports
  • Intel 471 information reports from Intel 471’s on the ground intelligence collectors
  • Emergency threat briefings and regular customer calls
  • Anomali supported request for information (RFI) service
Intel471

Find out more about this new offering

Contact your Anomali representative or contact info@anomali.com.

Download our datasheet.

Travis Farral
About the Author

Travis Farral

Travis Farral is the Director of Security Strategy for Anomali. With over 20 years of security industry experience, he has developed a strong background in threat intelligence, incident response, and Industrial Control Systems security. Previously Travis ran the Cybersecurity Intelligence & Strategic Services team at ExxonMobil and spent several years at companies such as Nokia and XTO Energy.

Get the latest threat intelligence news in your email.