TLDR: Please verify your sources and IoCs before sharing. We have the responsibility of giving accurate or at least useful information.
This week, we have seen two main incidents that I would like to talk about: MGM and IFX Networks. One is in the USA and has been on all the news worldwide; the second is a ransomware event affecting multiple Colombian government systems, Chilean and Argentinian companies, and others. The first attack was done by the ALPHV gang. The second is likely to be done by the RansomHouse cybercrime gang.
Information about both cases has been blurry, and many people have given incorrect information. For instance, a news outlet said they managed to speak with a member of ALPHV, only for the threat actor to say that the journalist did not verify their sources. Another case is the one of another news outlet that claimed that ALPHV ransomware attempted to rig the casino machines, which is very unlikely, and also, the threat actors claimed they did not try to do this. In both cases, we have misinformation from poor practices when collecting information or an attacker trying to mess with the data.
This case is complex, and information is being released from attackers and defenders. We can attempt to piece this information and transform it into intelligence as we now have an idea of how the attack started and what the defenders have tried to do to contain it. This type of information, mixed with the knowledge of previous incidents, can give us ideas on how to strengthen controls, create playbooks, create detections, and others. Even after all the speculation, the different information sources, and versions, we got something that is not complete misinformation.
This is great. As defenders, we will have some of the information, but with good enough information, we can start making changes to protect the business.
In the second case, IFX Networks is a prominent service provider for multiple governments and companies. They have been hit by a ransomware cybercrime gang. There has been a ransom note that indicates that RansomHouse is the one that compromised IFX. RansomHouse has not claimed responsibility for the attack, so we still have no confirmation.
This situation became weirder when different SOCs and MSSPs started to publish indicators of compromise for this attack. When looking at these IoCs, I found that these were 2 year old, which make this unlikely to be true. Usually, threat actors do wait that long before deploying ransomware. Also, the phishing documents were in Italian and were used in a previous attack by the White Rabit cybercrime gang. I was really confused about these IoCs.
When reviewing information around these IoCs, it seems like some information was shared on a telegram group. An analyst expressed his/her opinion about possible IoCs, and some people in this group took this information as accurate. The analyst just gave his/her opinion based on some IoCs that someone shared as possible IoCs. As far as I know, there was no confirmation about these IoCs being part of the incident.
I don’t blame the analyst’s opinion, as he just gave an opinion, but the different SOCs and MSSPs started sharing this information without verifying it or giving it some thought. Even worse, other SOCs and MSSPs began to share the exact details. In this case, the misinformation seems limited to IoCs, not TTPs or wrong advice. But this example leads to incorrect decisions and a waste of resources.
This affects the reputation of the SOCs that share this information without reviewing it. I get it; we all want to be the ones to publish the latest information about an incident and start protecting, but we need to verify the information we are using.
The information we got is just useless. Instead, I would give information on previous attacks associated with RansomHouse or other similar threat actors. This is more helpful than just giving IoCs based on an opinion of possible IoCs that weren’t verified.