Executive Summary
Threat actors launching large-scale cyberattacks often leave behind traces of their activity. They frequently reuse, rotate, and share elements of their infrastructure during the automated setup of their campaigns, presenting opportunities for defenders. By pivoting on known indicators, defenders can identify and track evolving malicious infrastructure. This article outlines the advantages of automated pivoting through a graph neural network (GNN) model and presents three key case studies that illustrate how proactive threat hunting can discover new indicators of malicious infrastructure.
The article highlights case studies involving a postal services phishing campaign, a credit card skimmer operation, and financial services phishing schemes. It argues that tools like Palo Alto Networks’ Advanced URL Filtering and Advanced DNS Security can aid in identifying and blocking malicious infrastructures, while Advanced WildFire helps secure against related threats.
Proactive Detection Through Automation
Proactive detection of threat actors' new infrastructure starts from known indicators of compromise (IoCs). Automated detection mechanisms such as the GNN can uncover hidden connections and identify new malicious domains early in the attack lifecycle. The article specifically notes the case of FIN7, a notorious threat actor, whose registration of phishing domains was monitored. With timely detection of newly registered domains, defenders effectively tracked the evolution of this group's activities.
The article delineates several types of indicators that can be leveraged for pivoting, including:
- Co-Hosted Domains: Threat actors often use the same hosting infrastructure for multiple domains, exposing links that defenders can use for pivoting.
- Malware Delivery URLs and Command-and-Control (C2) Domains: Investigating associated URLs can unveil additional malicious domains.
- HTTPS Certificates: Certificates can be cross-referenced to unearth additional domains operated by the same actors.
- Phishing Kits: These kits can be traced back to common domains, identifying a broader network of phishing activity.
Using GNN for Pivoting
By employing GNN to analyze correlations among domains, cybersecurity teams can ascertain whether domains are associated with the same campaign. The presence of multiple shared attributes—like registration date or hosting provider—can strengthen the likelihood of a coordinated attack. The process is automated to enable swift and extensive analysis of IoCs.
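The indicator types listed above (co-hosting, shared certificates, shared kits, registration data) and the idea that several shared attributes strengthen the case for a common campaign can be illustrated with a plain bipartite graph of domains and infrastructure attributes. The following Python is an added example, not code from the article or from Palo Alto Networks: instead of a trained GNN it uses a breadth-first walk from seed domains plus a weighted count of shared attribute values, which is the manual reasoning the model automates. All observations, domain names (`.example`) and the attribute weights are constructed for illustration.

```python
"""
Pivoting on shared infrastructure attributes with a bipartite graph.

Domains are linked to the infrastructure they touch (IP addresses, TLS
certificate fingerprints, registration dates, phishing-kit hashes).
Starting from known-bad seed domains, we walk the graph to reach domains
that share attributes with the seeds, and score each candidate by the
weighted number of attribute values it shares. All data is constructed.
"""
from collections import defaultdict, deque

# Constructed passive-DNS / certificate / WHOIS style observations.
# Each tuple: (domain, attribute_type, attribute_value)
OBSERVATIONS = [
    ("post-delivery-update.example", "ip", "203.0.113.10"),
    ("post-delivery-update.example", "cert", "sha1:aaaa1111"),
    ("post-delivery-update.example", "reg_date", "2024-03-01"),
    ("parcel-track-fee.example", "ip", "203.0.113.10"),
    ("parcel-track-fee.example", "cert", "sha1:aaaa1111"),
    ("parcel-track-fee.example", "reg_date", "2024-03-01"),
    ("mail-redelivery-pay.example", "ip", "203.0.113.11"),
    ("mail-redelivery-pay.example", "reg_date", "2024-03-01"),
    ("mail-redelivery-pay.example", "kit", "kit:postal-v2"),
    ("shipment-notice-login.example", "ip", "203.0.113.11"),
    ("shipment-notice-login.example", "kit", "kit:postal-v2"),
    ("unrelated-blog.example", "ip", "198.51.100.7"),
    ("unrelated-blog.example", "reg_date", "2019-07-15"),
    ("shared-host-site.example", "ip", "203.0.113.10"),   # co-hosted only
    ("shared-host-site.example", "reg_date", "2021-11-02"),
]

# Illustrative weights (assumption): a shared certificate or phishing kit
# ties two domains together far more strongly than a shared IP on a
# hosting provider or a shared registration date.
WEIGHTS = {"cert": 3, "kit": 3, "ip": 1, "reg_date": 1}


def build_graph(observations):
    """Return adjacency sets for a bipartite domain <-> attribute graph."""
    adj = defaultdict(set)
    for domain, atype, value in observations:
        attr_node = (atype, value)
        adj[("domain", domain)].add(attr_node)
        adj[attr_node].add(("domain", domain))
    return adj


def pivot(adj, seeds, max_hops=2):
    """BFS from seed domains; return {domain: hop distance} for every
    non-seed domain reachable within max_hops domain-to-domain hops."""
    start = [("domain", s) for s in seeds]
    dist = {n: 0 for n in start}
    queue = deque(start)
    while queue:
        node = queue.popleft()
        if dist[node] >= max_hops * 2:   # one domain hop = two graph edges
            continue
        for nxt in adj.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return {n[1]: d // 2 for n, d in dist.items()
            if n[0] == "domain" and n[1] not in seeds}


def score_candidates(adj, seeds):
    """Weighted count of attribute values a candidate shares with any seed,
    highest score first. Multiple shared attributes raise the score."""
    seed_attrs = set()
    for s in seeds:
        seed_attrs |= adj.get(("domain", s), set())
    scores = {}
    for node, attrs in adj.items():
        if node[0] != "domain" or node[1] in seeds:
            continue
        shared = attrs & seed_attrs
        if shared:
            scores[node[1]] = sum(WEIGHTS.get(a[0], 1) for a in shared)
    return dict(sorted(scores.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    graph = build_graph(OBSERVATIONS)
    seeds = ["post-delivery-update.example"]
    for domain, hops in sorted(pivot(graph, seeds).items()):
        print(f"{domain:32s} reached at hop {hops}")
    for domain, score in score_candidates(graph, seeds).items():
        print(f"{domain:32s} score {score}")
```

On this data the domain sharing an IP, a certificate and a registration date with the seed scores 5, while a site that merely sits on the same shared host scores 1, which is the point of combining attributes before treating a co-hosted domain as part of the campaign; the two-hop walk also reaches a domain linked only through a second-hop phishing-kit match, which is where a learned model earns its keep over a fixed weighting.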
The article includes three detailed case studies:
- Postal Services Phishing Campaign: Over the last year, a network impersonating postal services worldwide (including the US, Canada, and the UK) was traced back to approximately 4,000 domains and 1,200 IP addresses. The campaign utilized a fast-flux pattern to evade detection, switching between numerous domains and IPs within short timeframes.
- Web Skimmer Campaign: This operation affected numerous commercial sites by injecting JavaScript to harvest customers’ sensitive information. The skimmer code was loaded onto compromised sites, sending stolen data to domains mimicking legitimate infrastructure. GNN analysis helped identify a vast infrastructure that included both weaponized and unweaponized domains.
- Financial Services Phishing: Targeting banking customers globally, these campaigns utilized around 5,000 domains associated with phishing scams. They appear to consistently exploit shared hosting infrastructure to imitate various financial services providers.
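The fast-flux pattern noted in the postal services case study can be spotted in passive-DNS data without any graph model: a fluxing domain cycles through many addresses in unrelated networks with short TTLs, so that blocking one IP achieves little. The following Python is an added example, not code from the article; the DNS records, the log line format and the thresholds are constructed, and the /24 diversity check is included because legitimate CDN round-robin also uses short TTLs but normally stays within a provider's own ranges.

```python
"""
Flagging fast-flux behaviour from DNS resolution records.

For each domain we slide a one-hour window over its A-record answers and
record the largest number of distinct IPs seen, how many distinct /24
networks they span, and the largest TTL in that window. A domain is flagged
when it shows many IPs across several networks with consistently low TTLs.
The records below are constructed; thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS style records: timestamp qname rrtype rdata ttl
DNS_LOG = """\
2024-03-01T10:00:00Z parcel-track-fee.example A 203.0.113.10 ttl=60
2024-03-01T10:02:00Z parcel-track-fee.example A 198.51.100.23 ttl=60
2024-03-01T10:05:00Z parcel-track-fee.example A 192.0.2.77 ttl=60
2024-03-01T10:09:00Z parcel-track-fee.example A 203.0.113.44 ttl=60
2024-03-01T10:14:00Z parcel-track-fee.example A 198.51.100.201 ttl=60
2024-03-01T10:20:00Z parcel-track-fee.example A 192.0.2.130 ttl=60
2024-03-01T10:00:00Z static-cdn.example A 198.51.100.5 ttl=300
2024-03-01T10:05:00Z static-cdn.example A 198.51.100.6 ttl=300
2024-03-01T10:10:00Z static-cdn.example A 198.51.100.7 ttl=300
2024-03-01T10:00:00Z corp-site.example A 203.0.113.200 ttl=3600
2024-03-01T11:00:00Z corp-site.example A 203.0.113.200 ttl=3600
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<qname>\S+) (?P<rrtype>\S+) (?P<rdata>\S+) ttl=(?P<ttl>\d+)$"
)


def parse(log):
    """Parse log text into (timestamp, qname, rrtype, rdata, ttl) tuples,
    skipping malformed lines instead of aborting the whole run."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, m["qname"], m["rrtype"], m["rdata"], int(m["ttl"])))
    return records


def slash24(ip):
    """Coarse network key: the first three octets of an IPv4 address."""
    return ".".join(ip.split(".")[:3])


def flux_features(records, window=timedelta(hours=1)):
    """Per domain, the busiest one-hour window: distinct IPs, distinct /24s
    and the maximum TTL observed in that window."""
    by_domain = defaultdict(list)
    for ts, qname, rrtype, rdata, ttl in records:
        if rrtype == "A":
            by_domain[qname].append((ts, rdata, ttl))
    features = {}
    for qname, rows in by_domain.items():
        rows.sort()
        best = {"ips": 0, "nets": 0, "max_ttl": 0}
        for i, (start, _, _) in enumerate(rows):
            in_win = [r for r in rows[i:] if r[0] - start <= window]
            ips = {r[1] for r in in_win}
            if len(ips) > best["ips"]:
                best = {
                    "ips": len(ips),
                    "nets": len({slash24(ip) for ip in ips}),
                    "max_ttl": max(r[2] for r in in_win),
                }
        features[qname] = best
    return features


def is_fast_flux(feat, min_ips=5, min_nets=3, max_ttl=300):
    """Illustrative thresholds: many IPs, several networks, short TTLs."""
    return (feat["ips"] >= min_ips and feat["nets"] >= min_nets
            and feat["max_ttl"] <= max_ttl)


def flagged_domains(log):
    """Domains in the log that meet the fast-flux criteria, sorted."""
    feats = flux_features(parse(log))
    return sorted(d for d, f in feats.items() if is_fast_flux(f))


if __name__ == "__main__":
    for qname, feat in flux_features(parse(DNS_LOG)).items():
        print(qname, feat, "FLUX" if is_fast_flux(feat) else "")
```

The CDN-like domain in the sample rotates addresses with a short TTL but stays inside one /24, so it is not flagged; in production the thresholds should be tuned against the organisation's own resolver data, since large CDNs and cloud load balancers can legitimately span several networks.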
Conclusion
As cybercriminals adapt their methods to remain undetected, employing multiple infrastructures, defenders must innovate their strategies to uncover and mitigate these threats effectively. The automated GNN approach demonstrated throughout the article allows defenders to remain several steps ahead of threat actors by continuously monitoring and adapting to changes in their malicious infrastructure.
For organizations concerned about potential compromises, the article encourages contacting the Unit 42 Incident Response team for assistance. Palo Alto Networks collaborates with other cybersecurity organizations, sharing findings to systematically combat cyber threats. Enhanced detection and proactive measures play crucial roles in shielding customers from such persistent and evolving malicious infrastructure.