External Threat Management

Attacks on the Capitol Showed the Pitfalls of Having a Narrow View of the Internet

In the wake of the tragic events that unfolded on Capitol Hill on January 6, 2021, it is now clear that abundant warning signs existed to alert lawmakers and law enforcement that a dangerous storm was brewing.  It is uncommon for threats of this nature to be so blatantly forecasted. Yet, not enough people did. On December 21, 2020, writer and political analyst Arieh Kovler tweeted, “On January 6, armed Trumpist militias will be rallying in [D.C.], at Trump’s orders. It’s highly likely that they’ll try to storm the capitol after it certifies Joe Biden’s win. I don’t think this has sunk in yet.”

Now that so much of the world has turned to social media, and with the proliferation of so many various platforms, it has become increasingly difficult to monitor where threats broadcast themselves, particularly when so many discovery platforms are keyword based.  If a threat actor makes a post that slips past your keyword threat matrix, it will slip through your detection. Your security teams and corporate leadership will be caught off guard by the threat you will later discover was forecast right in front of your very eyes. It didn’t pop up out of nowhere; unfortunately, you just missed it.

Continue Reading
Labs Magecart

New Analysis Puts Magecart Interconnectivity into Focus

RiskIQ's recent analysis of Magecart infrastructure has shown its massive scale and put its interconnectivity into focus. Our most recent research takes two email addresses evoking the name of one of the most prominent bulletproof hosting providers on earth and ties them to newly discovered batches of Magecart infrastructure. From there, we show how this infrastructure overlaps with previously reported Magecart activity and highlight some common Magecart operator practices that can help researchers identify skimming infrastructure.

Continue Reading
External Threat Management Analyst

RiskIQ’s New JARM Feature Supercharges Incident Response

There will be many more breaches like the one of SolarWinds. 

Moving into 2021 and beyond, the ability to view your organization from the outside-in, as attackers do, will be the best defense against these internet-scale attacks by advanced APTs. FireEye and other security experts analyzing early information on SunBurst have said mass scanning and internet-scale data are critical to incident response efforts. This real-time global visibility shows security teams if their organization is affected and helps uncover attacker fingerprints on the network. 

RiskIQ is helping organizations respond to attacks like SunBurst with our Internet Intelligence Graph, built by mapping the Internet via over ten years of crawling and mass scanning. Our brand new JARM feature will help incident responders quickly query this graph, putting the world’s largest index of applications, components, and behaviors at their fingertips for a smarter, faster response.

Continue Reading

Skimming a Little Off the Top: ‘Meyhod’ Skimmer Hits Hair Loss Specialists

In October, RiskIQ discovered what we believe to be a new Magecart skimmer placed on several e-commerce sites, including websites for the well-known hair treatment company Bosely and the Chicago Architecture Center (CAC), one of Chicago's largest cultural organizations. The skimmer was or has been on both these sites for several months.

RiskIQ researchers have dubbed the skimmer used in these attacks "Meyhod," after a mistyped function in the skimming code. Meyhod itself is simple compared to the Magecart skimmers we've recently analyzed, such as the new variant of the Grelos skimmer and the Ant and Cockroach skimmer. However, Meyhod is carefully crafted to blend in with victim sites' appearance and functions, indicating experienced Magecart operators wield it.

The Meyhod skimmer works by appending code to seemingly benign JavaScript resources ranging from commonly used JavaScript libraries to custom code. These resources have been embedded in cart and checkout pages using script tags that could easily be mistaken for an ordinary call to a library.  

Continue Reading
External Threat Management

SolarWinds Orion Hack: Know if You’re Affected and Defend Your Attack Surface

The FireEye hack resulting in the theft of sophisticated red team tools was part of one of the most devastating cyberattacks in recent history. Today, with the news that Russian operatives also breached SolarWinds' Orion software, the attack has proven much worse than anyone thought. 

FireEye's investigation surfaced a supply chain attack trojanizing legitimate SolarWinds Orion business software updates to distribute malware. This hacking campaign, which may date back to as early as fall 2019, affects vulnerable Orion versions 2019.4 HF 5 through 2020.2.1.

According to FireEye, a SolarWinds digitally-signed component of the Orion software framework contains a backdoor, dubbed SUNBURST, that communicates via HTTP to attacker-owned CC servers. This takeover of SolarWinds' Orion software, an IT performance monitoring platform that integrates into a businesses' full IT stack, is akin to handing over the keys to SolarWinds' customers' networks to attackers. 

CISA has issued an emergency directive calling on all organizations to review their networks and disconnect from any SolarWinds systems. Still, real-time global visibility is the most effective weapon against this new breach. 

Continue Reading
External Threat Management

Implement FireEye’s List of CVEs and Detections with RiskIQ Attack Surface Intelligence

This week, FireEye’s proprietary red team tools (pen-testing and hacking) were stolen. It appears the attack was executed by highly advanced nation-state threat groups after breaching FireEye systems with "novel” and “previously unseen” techniques.

This successful attack has critical implications. A new set of sophisticated hacking tools have joined the cyberattack arena that gives skilled threat actors a powerful new way to target attack surface weaknesses, vulnerabilities, and exposures worldwide. While these hijacked red team tools did not contain any 0-day exploits, they put digital assets outside the firewall, such as web apps, devices, services, pages, in immediate jeopardy.

RiskIQ's unique internet-wide visibility gives our customers an advantage in protecting their attack surfaces from this newly heightened threat. Our Illuminate Platform finds digital assets connected to an organization outside their internal network, providing visibility into those that may be vulnerable to attacks, including their critical CVEs.

Continue Reading
External Threat Management Labs

‘Shadow Academy’ Targets 20 Universities Worldwide

In early July 2020, RiskIQ began tracking a phishing campaign identified through our internet intelligence graph targeting colleges and universities worldwide. From July 2020 into October 2020, RiskIQ systems uncovered 20 unique targets in Australia, Afghanistan, the UK, and the USA.  

All these attacks used similar tactics, techniques, and procedures (TTPs) as Mabna Institute, an Iranian company that, according to the FBI, was created for illegally gaining access "to non-Iranian scientific resources through computer intrusions." Mabna Institute earned the moniker "Silent Librarian" due to its focused efforts to compromise university students and faculty by impersonating university library resources using domain shadowing to harvest credentials. 

However, while RiskIQ's findings are consistent with TTPs in use by Silent Librarian, they alone are not sufficient to attribute the threat activity we've detected against these 20 universities directly to Mabna Institute. Therefore, RiskIQ has named actors identified during this research as "Shadow Academy."

Continue Reading
External Threat Management

How Do Consumers View Spending and Safety for Online Shopping this Holiday Season? We Took a Look.

E-commerce has the potential to break records this year, with extraordinary circumstances funneling more shoppers to digital outlets than ever before. Due to COVID-19, eMarketer projects a 10% fall in overall holiday sales but a 17% rise in e-commerce sales, and Deloitte projects a continued increase in retail sales over last year's figures. The latter forecasts that e-commerce sales could rise by as much as 35% due to limited in-store retail options.

At RiskIQ, we cannot help but view this uptick in digital spending for what it presents: more opportunities for cybercriminals to take advantage of increased e-commerce activity. RiskIQ researchers have tracked evolutions in Magecart digital credit card skimming infrastructure leading up to the holiday shopping season. Meanwhile, RiskIQ systems detect one phishing domain and five domain infringement events every minute. These numbers are expected to rise for e-commerce brands as the holiday shopping season continues to ramp up. 

But how does this extremely active threat landscape affect shoppers? 

Continue Reading
External Threat Management

A New Grelos Skimmer Reflects the Depth and Murkiness of the Magecart Ecosystem

As security researchers shine more light on the world of Magecart, we see that this vast card-skimmer underworld is more and more intertwined and connected. As we draw these parallels between different attacks, skimmers, and other infrastructure, many things become more transparent, like which groups are responsible, how they target their victims, and how their tooling evolves. Just last week, RiskIQ published a report tying the ubiquitous 'Ant and Cockroach' skimmer to Magecart Group 12, which indicated just how far-reaching the group's infrastructure and activity have become. 

However, as more of the Magecart landscape comes to the surface, things also get more murky and complicated. In many recent Magecart compromises, we've seen increasing overlaps in infrastructure used to host different skimmers that seem to be deployed by unrelated groups using various techniques and code structures. We also observe new variants of skimmers reusing code seen in the past. For instance, the compromise of boom! Mobile involved the Full(z) House skimmer hosted on infrastructure not previously associated with Full(z) House. This same infrastructure hosted skimming domains we observed loading other skimmers, including different versions of the grelos skimmer. This pattern may indicate that different skimming groups use the same infrastructure to host their skimming domains, possibly purchasing hosting services from the same third party. 

Continue Reading