Bulletin
Who:
- On August 29, 2024, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) issued a joint advisory releasing indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the RansomHub ransomware. RansomHub is a ransomware-as-a-service variant, formerly known as Cyclops and Knight, that has established itself as an efficient and successful service model.
- RansomHub emerged in February 2024 with the targeting and compromise of data from over 210 victims. These victims span various critical infrastructure sectors, including water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications.
What:
- RansomHub has has attracted high-profile affiliates from other prominent variants such as LockBit and ALPHV. The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims. It should be noted that data exfiltration methods are dependent on the affiliate conducting the network compromise.
- The ransom note left during encryption usually lacks an initial ransom demand or payment instructions. Instead, it provides victims with a client ID and directs them to contact the ransomware group through a unique [.]onion URL, accessible via the Tor browser. Victims are typically given a timeframe of three to 90 days, which varies by affiliate, to pay the ransom before their data is published on the RansomHub Tor data leak site.
Infoblox Capability:
- From the list of RansomHub IOCs, Infoblox Threat Intel identified these domains just days after registration and months ahead of availability in OSINT as MALICIOUS.
- Infoblox identified 40031[.]co and recommended it for blocking 409 days earlier than identification by OSINT published within the alert. Infoblox identified this domain within 4 days of initial registration which was July 13, 2023.
- Infoblox identified samuelelena[.]co and recommended it for blocking 378 days earlier than identification by OSINT published within the alert. Infoblox identified this domain within 34 days of initial registration which was July 14, 2023.
Infoblox Impact:
- Infoblox customers running in blocking mode using our high-risk feeds were protected from these dangerous domains.
- Our feeds could be used to automatically block these malicious domains, which would break the RansomHub Kill Chains if they appeared anywhere in our customer base worldwide.
Recommended Action: Click here to request a security workshop.
DNS Indicators Of Compromise Are Impactful And Effective
DNS is fundamental to internet communication, making it a common threat vector used by attackers. It only takes one DNS query to compromise a network. Monitoring threat actor infrastructure on the Internet and analyzing DNS traffic in an organization can reveal a wide range of malicious activities, providing early indicators of compromise, often before other signs become apparent.
DNS intel is proactive and can identify threat actor owned domains before those domains are weaponized, without having to rely on an event to determine that it is bad. The first DNS query to those high-risk domains can be immediately blocked proactively preventing a compromise or a malware download.
Unusual DNS requests can signal malware attempting to communicate with its command and control (C2) server. DNS Indicators of Compromise (IOCs) can also reveal behavioral patterns, such as domain generation algorithms (DGAs) used by malware to dynamically connect with new domains, making it easier to track and block malicious activities.
Infoblox DNS Threat Intel is HIGH VALUE, can be used with relatively LOW EFFORT and can SHRINK THE TIME TO VALUE and INCREASE THE RETURN ON INVESTMENT for your threat intelligence program.
Infoblox Threat Intel for Early Threat Detection
Infoblox Threat Intel uses proprietary techniques to identify potentially malicious domains much earlier than other technologies. Infoblox flags these domains as high risk so your defenders can automatically block them, often weeks to months before OSINT designates them malicious.
By taking this proactive approach, defenders can stop attacks days, weeks, or even months before they appear in OSINT or threat intelligence feeds.
Threat actors continually adjust their techniques and often use malicious domains to quickly launch damaging and dangerous attacks. Once that link to a malicious domain is clicked, the Kill Chain can rapidly unfold to the detriment of the defenders. These malicious domains are often detected and shared too late by OSINT and threat intel feeds
For Additional Information
Infoblox Threat Intel provides fast access to accurate, contextual threat alerts and reports from our real-time research teams. High-Risk Domains feeds were introduced as an Infoblox proprietary capability on November 10, 2022, and, since then, have successfully provided many thousands of customers with the advanced information to block domains that ultimately become malicious long before most other threat intelligence sources identify them as malicious. Infoblox allows your team to leverage the high value of DNS-based threat intelligence while ensuring a unified security policy across your entire security infrastructure. Infoblox threat data minimizes false positives, so you can be confident in what you are blocking.
To learn more about Infoblox Threat Intel and DNS early detection:
https://www.infoblox.com/threat-intel/
To learn more about Infoblox Threat Defense:
https://www.infoblox.com/products/threat-defense/
To learn more about the National Security Agency (NSA) and Cybersecurity & Infrastructure Security Agency (CISA) guidance on Protective DNS:
https://media.defense.gov/2021/Mar/03/2002593055/-1/-1/0/CSI_PROTECTIVE%20DNS_UOO117652-21.PDF
