ticura GmbH · @ticura
4 followers · 4 posts · Server infosec.exchange

Experiencing false positives, a DDoS attack or something else?
 
As many have read at Reuters, hivepro and other sources there was (or is?) a DDoS attack against several organizations going on, which also targeted the Danish financial sector. 
 
On 2023-01-02 our analytics identified a Danish banking site as a false positive in multiple different CTI sources. It is absolutely clear that this is a benign website, but these sources still claim it's a phishing URL - even after 2 weeks. 

Interestingly, one of the sources is a very prominent CTI source - operated by a large cybersecurity company - and this URL has been verified as phishing by multiple people from the community. As this is such an obvious false positive, and in combination with reading the articles about the cyber attack also targeting the banks in Denmark, we are wondering if this could also be an attempt of that group? Or sympathizers? And if so - why is the community verification not effective here?  
 
Sure, chance is high this is just coincidence. But what if not? Supply chain attacks on CTI sources - could this be a new attack vector we need to worry about? 
 
At least it's a good example of how valuable good false positive analytics are - for CTI providers and consumers.
 
See also: 
hivepro.com/pro-russian-hackti

reuters.com/technology/denmark
 
#cti #threatintelligence #ticura #falsepositive #falsepositiveprevention #banking #infrastructure #vulnerable
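The post argues that consumers of CTI feeds need their own false positive analytics rather than trusting a single source's "phishing" verdict, even a community-verified one. The following is an added example (not ticura's code, and not the logic of any named CTI provider) of the kind of check a consumer can run before a feed verdict is turned into a block: it compares verdicts from several feeds against an independently maintained allowlist and routes disagreements to analyst review instead of auto-blocking. The feed names, the domain `example-bank.invalid` and the vote counts are all constructed placeholders.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Verdict:
    """One CTI source's opinion of a URL (constructed data model)."""
    source: str
    label: str               # "phishing", "clean" or "unknown"
    community_votes: int = 0  # how many community members "verified" the label


# Hypothetical allowlist of registered domains the consumer has verified as
# benign by its own means (ownership checks, TLS certificate, direct contact).
VERIFIED_BENIGN = {"example-bank.invalid"}


def host_of(url: str) -> str:
    """Extract the lowercase hostname; unparsable input yields an empty string."""
    return (urlparse(url).hostname or "").lower()


def is_allowlisted(host: str, benign: set[str]) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    return host in benign or any(host.endswith("." + d) for d in benign)


def assess(url: str, verdicts: list[Verdict], benign: set[str] = VERIFIED_BENIGN) -> dict:
    """Turn a set of feed verdicts into a defensive decision.

    Returns a dict with:
      decision: "allow", "block" or "review"
      suspected_false_positive: True when a flagged URL contradicts the allowlist
      reason: a short explanation for the analyst
    Community vote counts are reported but never override the allowlist, which
    is exactly the failure mode the post describes (a benign bank site
    "verified" as phishing by multiple people).
    """
    host = host_of(url)
    flagged = [v for v in verdicts if v.label == "phishing"]
    clean = [v for v in verdicts if v.label == "clean"]
    votes = sum(v.community_votes for v in flagged)

    if not host:
        return {"decision": "review", "suspected_false_positive": False,
                "reason": "unparsable URL"}
    if not flagged:
        return {"decision": "allow", "suspected_false_positive": False,
                "reason": "no source flags it as phishing"}
    if is_allowlisted(host, benign):
        return {"decision": "review", "suspected_false_positive": True,
                "reason": f"{len(flagged)} source(s) flag an allowlisted domain "
                          f"({votes} community votes); do not auto-block"}
    if clean and len(clean) >= len(flagged):
        return {"decision": "review", "suspected_false_positive": False,
                "reason": "sources disagree; needs analyst confirmation"}
    return {"decision": "block", "suspected_false_positive": False,
            "reason": f"{len(flagged)} source(s) flag it, none say clean"}


# Constructed sample: the situation from the post, a benign bank site that two
# feeds label as phishing, one of them with community "verification".
SAMPLE_VERDICTS = [
    Verdict("feed-a", "phishing", community_votes=7),
    Verdict("feed-b", "phishing"),
    Verdict("feed-c", "clean"),
]

if __name__ == "__main__":
    print(assess("https://www.example-bank.invalid/login", SAMPLE_VERDICTS))
```

The point of routing allowlist conflicts to "review" rather than silently allowing them is that an allowlisted domain really can be compromised; the analytics should surface the contradiction, with the vote count attached as context, and let a person decide, instead of either auto-blocking a bank or auto-trusting the allowlist.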
