Dark Cubed saved an MSP customer from an attack that went undetected by the customer’s advanced threat protection in their firewall as well as their top-tier EDR product. This event proves that Dark Cubed provides immediate value within even a sophisticated security stack, at a price point that simply works for MSPs.
As a part of our routine review of analytics and threat activity among our MSP partner community and their clients, our team observed activity that we believe to be associated with an advanced threat actor group known as APT-C-36 or Blind Eagle.
Based on our analysis, the malware identified in this attack is known as BitRAT. BitRAT is commodity malware that allows remote attackers access to infected machines without the users' knowledge (via a hidden virtual network computing (hVNC) module reportedly based on recycled code from other malware).
The activity we identified was on a device in one of our MSP partners’ clients’ networks that was likely compromised by BitRAT malware. On March 15th, the device attempted to connect to a known BitRAT malware controller at least 70 times. These communication attempts were actively blocked by Dark Cubed without requiring the MSP or their customer to do anything.
Dark Cubed’s platform had processed threat intel from a source that identified the command and control (C2) system prior to the observed behavior. Based on our scoring algorithm and additional data we process, we categorized the C2 server as a high threat with high confidence (a score of 9 in our system), so the C2 communications were automatically blocked at the MSP’s client’s firewall. Additional details of the Dark Cubed analysis that identified this threat and its likely perpetrators can be found at the end of this article.
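To make the score-then-block step concrete, here is an added example that is not Dark Cubed's code or feed: it applies a block threshold from a constructed threat-intel feed to constructed outbound firewall log lines, separates automatic blocks from lower-confidence alerts, and counts repeated attempts per host so that a device hammering one C2 stands out. The IP addresses, scores, log format and thresholds are all assumed.

```python
from collections import Counter

# Constructed threat-intel feed (illustrative, not Dark Cubed's feed or the real C2):
# indicator -> score on a 0-10 scale plus confidence and a descriptive tag.
THREAT_FEED = {
    "203.0.113.45": {"score": 9, "confidence": "high", "tag": "BitRAT C2"},
    "198.51.100.7": {"score": 4, "confidence": "low", "tag": "mass scanner"},
}
BLOCK_THRESHOLD = 9  # the post describes a score of 9 as an automatic block

# Constructed outbound firewall log lines in a key=value style (assumed format).
FIREWALL_LOG = """
2022-03-15T08:01:12Z action=allow src=10.0.5.23 dst=203.0.113.45 dport=443 proto=tcp
2022-03-15T08:01:42Z action=allow src=10.0.5.23 dst=203.0.113.45 dport=443 proto=tcp
2022-03-15T08:02:12Z action=allow src=10.0.5.23 dst=203.0.113.45 dport=443 proto=tcp
2022-03-15T08:02:40Z action=allow src=10.0.5.23 dst=198.51.100.7 dport=22 proto=tcp
2022-03-15T08:03:01Z action=allow src=10.0.5.40 dst=192.0.2.10 dport=443 proto=tcp
"""


def parse_line(line):
    """Split one log line into a dict: timestamp plus the key=value fields."""
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = timestamp
    return fields


def evaluate(log_text, feed=THREAT_FEED, threshold=BLOCK_THRESHOLD):
    """Verdict per line plus a count of blocked attempts per (src, dst).
    block = in feed at/above threshold; alert = in feed below it; allow = unknown."""
    verdicts, blocked_attempts = [], Counter()
    for raw in log_text.strip().splitlines():
        event = parse_line(raw)
        intel = feed.get(event["dst"])
        if intel is None:
            verdicts.append("allow")
        elif intel["score"] >= threshold:
            verdicts.append("block")
            blocked_attempts[(event["src"], event["dst"])] += 1
        else:
            verdicts.append("alert")
    return verdicts, blocked_attempts


def repeat_offenders(blocked_attempts, min_attempts):
    """Hosts that kept retrying a blocked C2: a sign the implant is still live."""
    return sorted((src, dst, n) for (src, dst), n in blocked_attempts.items()
                  if n >= min_attempts)
```

A blocked connection stops the C2 session, but the retry count is what tells the MSP which endpoint still needs cleanup.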
What Does It All Mean?
Stopping attacks makes our team here at Dark Cubed very happy; it’s what we live for. In this situation, it would be easy to call out by name the vendors that failed to detect this attack for our own self-aggrandizement, but we are not that type of company. The real takeaway from this incident, a familiar mantra in the cybersecurity community, is that an effective security stack works in layers. It’s important for the business community to understand and appreciate that not every layer is going to detect or stop a given threat, but in combination, an effective defense can be built.
In this case, the customer deployed a top-tier EDR that typically does a great job at detecting these types of attacks. They also had the advanced security protection that was purchased through their firewall company. However, had they not had Dark Cubed up and running, they would have missed this one. Our message is simple and clear: we do not claim to stop every attack, but we do a superb job at detecting and stopping a majority of the threats we see targeting the SMB community every day. What this MSP did right was to implement several layers of security to protect their customers, and they were successful in their mission this time. Each month, Dark Cubed’s platform blocks tens of thousands of dangerous IPs connecting to our clients’ firewalls. This BitRAT malware episode is just one example of the myriad threats to the SMB community Dark Cubed users don’t have to worry about.
So, if you are an MSP and have one or twenty items in your security stack, check out the great work our team here at Dark Cubed is doing and we are confident that you will see how we can complement your security stack and deliver value to your customers.
Appendix: Technical Details of our Research and Analysis
- The IP we observed on the MSP’s client device is an IP that the callback domains of several earlier Blind Eagle malware samples resolved to.
- The network traffic at the MSP’s client appears to match the network behavior of recent BitRAT samples, and this commodity malware is known to be used by the group.
- Two hostnames that have resolved to that IP in the past, or currently resolve to it, include a subdomain matching a naming convention that Blind Eagle malware callback domains have used in the past.
- Recent BitRAT samples that reach out to the same IP as the MSP’s client device (based on current DNS resolution) use the same or a similar, though relatively generic, communication password as BitRAT samples that Trend Micro attributes to Blind Eagle.
- An email used to deliver BitRAT samples that call back to the same IP as the MSP’s client device (based on current resolution) appears to have impersonated a government employee of the Commonwealth of the Northern Mariana Islands (CNMI). This fits the MO of Blind Eagle according to public reports.
- The inferred BitRAT malware at the MSP’s client uses a dynamic DNS service Blind Eagle has used often in the past.
- The same mail server may have been used to deliver the CNMI-impersonating sample and earlier Blind Eagle malware.