Simple Threat Hunting Exercise
In this post I'm going to discuss some incredibly simple threat hunting you can do in your industry or "vertical" that may have a big payoff in the end. Rather than using Healthcare, I decided to focus on Education. Why? Because so many of my contacts are either students, faculty or staff of educational institutions. I'm fairly certain 90% of them will be able to relate to this post. I also thought that this would be an excellent use of a class hour or two, having students conduct the same tests and then report the findings to the college's IT department.
Ok, let's get started. Over the past few weeks I've run into several instances where a user was redirected to a malicious website because of a typo in the address of one of my industry's popular websites. I used that knowledge to block numerous domains proactively, and you could do the same. For this post I'm focusing on education, so an example of a popular educational website would be blackboard.com, because it is used by so many colleges.
In two tries I found a malicious site typosquatting the blackboard.com domain. On my second try I typed blackbord[.]com, and this is what happened:
Once I hit return I was redirected to this site:
Yeah, Joe, so what... it's just a company that took over the domain and is using it for advertising. You would be correct, except I'm familiar with the tactic these malicious sites use of reading the browser's User-Agent header to find out what kind of computer is connecting, and serving different content to different browsers. So upon seeing this, I reconfigured Firefox to send Internet Explorer's User-Agent string:
After that, connecting to the same website produced this:
For those of you keeping track of the actionable intelligence... that's two websites that need to be blocked: blackbord[.]com and bbcheat[.]world. Yup, changing the User-Agent made the redirect send me to a "fake update" site instead. If you read closely, my "system files" are being automatically deleted and I must fix the problem immediately. Trying to leave it produced this:
Oh no, still damaged and vulnerable - I better follow instructions and "Update".
I only had 241 seconds left to fix my system so I had to hurry up! Clicking "Update" produced this:
Here's another domain I can take action on: www.greatpcchoice[.]com (that's number 3).
Clicking the "Download Now" button produced a download from yet another domain, cdnrep.reimageplus[.]com (that's number 4!).
Of course, I could be "all wet" and this could be a legitimate application that will fix some problem my computer is having. Let's head over to VirusTotal and see what it has to say:
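The browser-dependent redirect above is something you can check without touching a real browser. The following is an added example, not code from the original post: it requests the same URL once per User-Agent string with redirects disabled, records the first hop (status code and Location header) each browser identity receives, and flags the domain when the hops differ. The User-Agent strings and the `fetch` injection point are my assumptions; nothing here is taken from the post's screenshots.

```python
import sys
import urllib.error
import urllib.request

# User-Agent strings chosen (assumption) to mimic the two browsers the post
# contrasts: Firefox on Linux and Internet Explorer 11 on Windows 7.
USER_AGENTS = {
    "firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
    "ie11": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so the first hop is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_first_hop(url, user_agent, timeout=10):
    """Request url once with the given User-Agent (network access required).

    Returns (status, location): the HTTP status and, for a 3xx response, the
    Location header; location is None when the server answered directly.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled every 3xx surfaces here, Location intact.
        return err.code, err.headers.get("Location")


def compare_user_agents(url, agents=USER_AGENTS, fetch=fetch_first_hop):
    """Probe url once per User-Agent and report whether the first hop differs.

    `fetch` is injectable (assumption) so the comparison can be exercised
    offline with canned responses; the default uses the network.
    Returns ({agent_name: (status, location)}, cloaked) where cloaked is True
    when at least two browser identities were answered differently.
    """
    hops = {name: fetch(url, ua) for name, ua in agents.items()}
    cloaked = len(set(hops.values())) > 1
    return hops, cloaked


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://blackbord.com/"
    hops, cloaked = compare_user_agents(target)
    for name, (status, location) in hops.items():
        print(f"{name:8s} {status} {location}")
    print("User-Agent dependent response:", "YES" if cloaked else "no")
```

Only HTTP-level redirects show up this way. A site that bounces visitors with JavaScript or a meta refresh returns 200 to every identity, so for those you diff the response bodies or drive a headless browser; and sites that key on source IP or Referer in addition to User-Agent will still look the same from one vantage point.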
Ok, Ok, Ok, I know what you're saying. Your college uses "state of the art", "next generation" firewalls with "category blocking", yada yada yada. Let's see how these sites are categorized by one of those name-brand firewalls, Palo Alto's URL filtering.
What's blackbord[.]com categorized as?
Oops, "Business and Economy", I doubt that category is being blocked! How about bbcheat[.]world, surely that will be blocked:
"Insufficient Content"... but "Low Risk", the same risk rating as a site like www.google.com? I'd say that's a fail. And I'd really like to know what Palo Alto's definition of "benign" is. What about the next site, greatpcchoice[.]com:
Same as above... "Low Risk". But surely the site that holds the malware will be there, cdnrep.reimageplus[.]com!
This one might have been blocked, seeing as the category is "Questionable", but it's still considered "Low Risk".
So there you go: look at the domains your users type regularly, come up with the easily typo'd variants, and block them proactively by explicit domain rather than trusting a vendor category. Re-check the list now and then, because a typo domain that is parked for advertising today can be serving a "fake update" tomorrow, and as the User-Agent trick shows, it can serve both at once depending on who is asking.
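Coming up with the typo variants is the tedious part, so here is the step as an added example (not code from the original post): given a domain your users type every day, it generates the single-keystroke typos a squatter would register, then optionally checks which of them currently resolve so you block real domains rather than a thousand guesses. The QWERTY adjacency map, the list of wrong TLDs and the `registered` helper are my assumptions; the output is defanged the way the post writes domains.

```python
import socket
import sys

# Adjacent keys on a US QWERTY keyboard (assumption: users type on QWERTY).
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o",
    "a": "qsz", "s": "awdz", "d": "sefx", "f": "drgc", "g": "fthv",
    "h": "gyjb", "j": "hukn", "k": "jilm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}
VOWELS = "aeiou"

# Wrong TLDs that are commonly squatted (assumption; extend for your region).
DEFAULT_TLDS = ("net", "org", "co", "cm", "om")


def typo_candidates(domain, extra_tlds=DEFAULT_TLDS):
    """Return the set of plausible one-keystroke typos of `domain`.

    Assumes a single-label TLD such as "com". Covers the typo classes a
    squatter registers: a dropped, doubled or transposed letter, an
    adjacent key substituted or inserted, a swapped vowel, "www" glued to
    the name, and a wrong TLD. The original domain is never returned.
    """
    name, _, tld = domain.lower().rpartition(".")
    variants = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + name[i + 1:])                   # omission
        variants.add(name[:i] + ch + name[i:])                  # repetition
        if i + 1 < len(name):                                   # transposition
            variants.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        for near in QWERTY_NEIGHBOURS.get(ch, ""):
            variants.add(name[:i] + near + name[i + 1:])        # substitution
            variants.add(name[:i] + near + name[i:])            # insertion
        if ch in VOWELS:
            for vowel in VOWELS:
                variants.add(name[:i] + vowel + name[i + 1:])   # vowel swap
    variants.discard(name)
    candidates = {v + "." + tld for v in variants if v}
    candidates.add("www" + name + "." + tld)                    # www glued on
    candidates.update(name + "." + t for t in extra_tlds if t != tld)
    return candidates


def defang(domain):
    """Write a domain as blackbord[.]com so it is not clickable when shared."""
    return domain.replace(".", "[.]")


def registered(domain):
    """Best-effort check whether a candidate currently resolves (needs network).

    Caveat: some resolvers answer every NXDOMAIN with a search-page IP; run
    this against a resolver you trust, or a candidate list is useless.
    """
    try:
        socket.gethostbyname(domain)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "blackboard.com"
    live = [c for c in sorted(typo_candidates(target)) if registered(c)]
    print(f"{len(live)} live typo domains for {target}:")
    for cand in live:
        print("  " + defang(cand))
```

Run it once per popular domain in your vertical and feed the live list to the firewall's custom URL category or your DNS blocklist; the resolving step is what separates a proactive block from noise, since most generated strings are unregistered.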
If I were still teaching, I could see teaching this and then assigning students to conduct the research on different verticals and report their findings. Get an education and save the world! Please share if you think others will find this useful.
Creative and Driven Entrepreneur
5 years. P.S. I have only been using the LinkedIn profile through the web browser ever since 2015, when we had the discussion about how the LinkedIn app was handing out all of our contact information, as well as sending invites on its own. I will tell you, trying to type text in the web browser is a pain in the rear on my phone. So sorry if you see any errors.
Creative and Driven Entrepreneur
5 years. Hi Joe, this is a great read with some great ways to be proactive; could certainly follow this as if we were watching a demo in lab for a security class. I will gladly share. Hope all is well!
Senior Security Engineer
5 years. Michael Goetzman, Mark Krzyszkowski, Greg Brodt, did you guys read my latest post? Next CypherCon contest: we pick an industry, and then the competitor teams search for malicious websites in that industry. The team that finds the most wins! The industry wins! The Internet becomes a safer place!