How to analyze IOCs before and after a cyber-attack
On June 27, JumpCloud discovered an APT attack. The company’s IR shared some IOCs to allow the customers or others third parties to protect their infrastructure.
As a Security Analyst, you should pay attention to the IOCS provided https://jumpcloud.com/support/july-2023-iocs .
The purpose of this article is to help the Analyst to detect and investigate different IOCs such as domains and IP addresses before or after an attack occurred.
Having a look at the domains from the list of IOCs, the first impression that would come in your mind is to check if the domains are FP or not.
Example of some Domains from the IOCs:
nomadpkgs[.]com
centos-repos[.]org
datadog-cloud[.]com
toyourownbeat[.]com
datadog-graph[.]com
centos-pkg[.]org
primerosauxiliosperu[.]com
zscaler-api[.]org
nomadpkg[.]com
As you see, some of the domains name are quite similar to the names of well-known service providers , companies for example we can observe some domains names with the name of some service providers such as Zscaler, Centos . As an Analyst, you should always be able to check such suspicious IOCs before making any conclusion.
Let’s take the example of a few domains:
zscaler-api[.]org
https://www.virustotal.com/gui/domain/zscaler-api.org/details
Whois Lookup
Administrative city: REDACTED FOR PRIVACY
Administrative country: REDACTED FOR PRIVACY
Administrative state: REDACTED FOR PRIVACY
Create date: 2023-06-23 00:00:00
Domain name: zscaler-api.org
Domain registrar id: 1068
Domain registrar url: http://www.namecheap.com
Expiry date: 2024-06-23 00:00:00
Name server 1: dns1.registrar-servers.com
Name server 2: dns2.registrar-servers.com
As you see, the result from Virustotal shows that the domain is a newly created, this is the first hint for us. As we know, most of domains used by threat actors are newly created. As Zscaler is a well-known brand, we can check the main domain of Zscaler to make a comparison between the both domains.
zscaler.com (Zscaler legitimate domain)
https://www.virustotal.com/gui/domain/zscaler.com/details
After checking the main domain of Zscaler (zscaler.com), we can observe that the zscaler.com is located at (Subject: C=US 2.5.4.15=Private Organization 2.5.4.5=4431830 L=San Jose O=Zscaler, Inc. ST=California 1.3.6.1.4.1.311.60.2.1.2=Delaware 1.3.6.1.4.1.311.60.2.1.3=US CN=www.zscaler.com )
Whois Lookup gave the following details:
Admin Country: US
Admin Organization: Zscaler, Inc.
Admin State/Province: CA
Creation Date: 2008-07-14T22:12:34+0000
Creation Date: 2008-07-14T22:12:34Z
DNSSEC: unsigned
Domain Name: ZSCALER.COM
Domain Name: zscaler.com
With this information, we can assume that the domain zscaler-api[.]org is not from Zscaler.
NB: It is always a good practice to check the browser search such as Google or Bring search to get some information about the domains.
The second example are the two domains nomadpkg[.]com and nomadpkgs[.]com
In this example, we will type the domain nomadpkg[.]com on Google search if we can find any related information, by doing that, we found a similar domain nomadpackaging.com a packaging website.
https://whois.domaintools.com/nomadpackaging.com
Dates 6,355 days old
Created on 2006-02-22
Expires on 2024-02-22
Updated on 2023-02-08
After checking the two domains, we found out that they are newly created
https://whois.domaintools.com/nomadpkg.com, https://whois.domaintools.com/nomadpkgs.com and no specifics information were found about them over the internet.
At this point, based on the naming convention, we may assume that the domains are probably mimicking the nomadpackaging.com. But for us, it is a hint for us to block such domain.
You can use the same technics we showed to analyze others domain such as centos-pkg[.]org and centos-repos[.]org or domains mentioned in the list.
NB: One thing to mention, during our investigation, we found a link https://www.usom.gov.tr/url-list.txtAlt where most of the domains available in https://jumpcloud.com/support/july-2023-iocs were reported as malicious one. You can use this link to upload the domain in your SIEM tool in order to monitor any interaction with any of them.
Now, lets analyzed some IP addresses detected during the investigation:
https://jumpcloud.com/support/july-2023-iocs
66.187.75.186
104.223.86.8
100.21.104.112
23.95.182.5
78.141.223.50
116.202.251.38
89.44.9.202
192.185.5.189
Most of the IP addresses mentioned above, look normal, seeing such traffic in your network, it is very difficult to guess that, it could be used by a threat actor. But you can use some technics to find more information about a specific IP address.
Let’s start:
In this case, a tool like https://www.abuseipdb.com did not help that much as the IP addresses look normal and most of them were not reported of any abuse, then we check the tool like https://securitytrails.com/ to list the domain behind the IP address.
By checking the domains on the IP address, we found the domain toyourownbeat[.]com (one of the domains mentioned above) address hosted on the IP address
https://securitytrails.com/list/ip/192.185.5.189
We found on the subdomains of toyourownbeat[.]com:
webmail.toyourownbeat[.]com
mail.toyourownbeat[.]com
Which could be a sign of phishing message sends to different users that interact with the website.
https://securitytrails.com/list/apex_domain/toyourownbeat.com .
I know this is a time consuming, but it is better to consume a time to analyze one indicator than to be hacked because of not analyzing it. Always stay focus and be patient.