Blog

External Threat Management Labs

Discord CDN Abuse Found to Deliver 27 Unique Malware Types

Discord, a popular VoIP, instant messaging, and digital distribution platform used by 140 million people in 2021, is being abused by cybercriminals to deploy malware files. 

Users can organize Discord servers into topic-based channels in which they can share text or voice files. They can attach any type of file within the text-based channels, including images, document files, and executables. These files are stored on Discord's Content Delivery Network (CDN) servers. 

Continue Reading
External Threat Management

The Threat Landscape is Dynamic and Ever-Changing — Can You Keep Up?

Attack surfaces are massive — and significantly different than they were in the past. Not long ago, cyber security for an organization was like defending a building — a relatively straightforward, one-dimensional task. But organizations today have turned into sprawling cities, with expanding neighborhoods, unmapped alleyways, and every-changing borders — yet, in many ways, many organizations are still defending this new, broader attack surface as they did more than a decade ago. 

In today's enterprise attack surface, there's simply far more available for threat actors to target than ever before. Additionally, the less awareness an organization has of their attack surface, the slower they can respond to attacks when they happen.

Continue Reading
External Threat Management Labs Analyst

Mana Tools: A Malware C2 Panel with a Past

Knowing the infrastructure and its connections helps security teams map, monitor, and track adversary-threat infrastructure and its composition—malware, suspicious activity, threat capabilities, shareable attack tools, and their relationships within the worldwide attack surface. 

As part of our ongoing research into malware distribution infrastructure, we investigated "Mana Tools," a malware distribution and command and control (C2) panel associated with several big names in the malware world, including RevengeRat, AzoRult, Lokibot, Formbook, and Agent Tesla. 

Mana Tools was first reported in 2019 by Yoroi researchers who identified it as a fork of the AzoRult 3.2 malware created by a Pakistani actor known as Hagga. The Mana Tools logo appears on current samples of the Mana Tools panel. Using RiskIQ's dataset, we were able to find several Mana Tools login pages

Continue Reading
External Threat Management Analyst

What 10,000 Analysts Showed Us About the State of Threat Hunting

Cybersecurity has gotten pretty tough lately. Today's teams contend with an ever-growing IT ecosystem accelerated by critical digital transformation efforts and moving workforces into remote environments. At the same time, they're managing a rapidly evolving threat landscape composed of both sophisticated nation-state actors and a crush of low-level criminals armed with off-the-shelf crimeware. All told, cybercrime now costs organizations a whopping $1,797,945 per minute. 

As cyberthreats increase, security analysts are our first line of defense. Their skills, know-how, and passion for their work meet attackers head-on. Unfortunately, these analysts often lack the resources, technology, and latest techniques to defeat them. 

Continue Reading
External Threat Management Labs Magecart

“Bom” Skimmer is Magecart Group 7’s Latest Model

RiskIQ has tracked Magecart since skimmers first surfaced in 2016 and burst into the headlines in the landmark attack against British Airways. In the time since, our researchers have cataloged hundreds of iterations of Magecart skimmers as different threat groups build, appropriate, tweak, and develop them to suit their unique purposes. 

Despite their ongoing changes, these skimmers often maintain enough of the same characteristics and infrastructure for keen eyes to link them to past attacks and the responsible groups. In the case of the newly identified "bom" skimmer, which has been deployed on dozens of counterfeit online stores, distinct features and TTPs linked us directly to its predecessor skimmers, including the widespread MakeFrame version. It also pointed us to its operators, Magecart Group 7. 

Continue Reading
External Threat Management Labs

Untangling the Spider Web

RiskIQ’s Team Atlas assesses with high confidence that the network infrastructure supporting the exploitation of a Windows zero-day vulnerability disclosed by Microsoft on September 7, CVE-2021-40444, shares historical connections with that of a ransomware syndicate known as WIZARD SPIDER. This group, also tracked separately under the names UNC1878 and RYUK, deploys several different ransomware families in targeted Big-Game Hunting campaigns. More recently, they have come to rely on a backdoor known as BazaLoader/BazarLoader to deliver payloads, the most common of which is Cobalt Strike.

Continue Reading
External Threat Management Labs

Flowspec Bulletproof Services Enable Cybercrime Worldwide

In our analysis of threat infrastructure spanning the global attack surface, we see bulletproof hosting providers continue to play an integral role in threat campaigns and provide essential services for cybercriminals. Flowspec, a bulletproof hosting provider that has been around since October 2018, is a one-stop-shop for threat groups, facilitating phishing campaigns, malware delivery, Magecart skimmers, and large swaths of other malicious infrastructure. 

The service's IP space enables phishing campaigns that have targeted various banks and domain names spoofing the Steam Community, Counter-Strike: Global Offensive, and Amazon. Flowspec also facilitates the theft of payment data by hosting several Magecart domains. Researchers have associated many different malware files with Flowspec IP space, including banking trojans, ransomware, various backdoors, and more.

Continue Reading
External Threat Management Labs

RiskIQ Analysis Links EITest and Gootloader Campaigns, Once Thought to Be Disparate

As RiskIQ tracks malware families to identify infrastructure patterns and common threads between threat campaigns via our Internet Intelligence Graph, we often surface strong links between seemingly disparate threat campaigns. In the case of EITest and GootLoader, these campaigns may have turned out to be one and the same.

Researchers around the industry have tracked EITest and its evolution for the better part of a decade. Thus far, no one has connected it to the much newer GootLoader malware delivery campaign. However, infrastructure connections in RiskIQ data belonging to GootLoader directly correlate with past EITest activity and the current malware delivery campaign.

Continue Reading
External Threat Management

Introducing Next-Gen Vulnerability Intelligence to Identify and Prioritize CVEs in Real-time

In 2021, landmark cyberattacks told us just how exposed we were. Mere months removed from the SolarWinds breach, a watershed attack some thought would set the standard for the impact a vulnerability could have, we dealt with the Microsoft Exchange vulnerability. The Exchange incident was exploited by potentially dozens of APTs and signified yet another critical global-scale incident some thought we'd only see once in a decade. It affected more than 300,000 servers and hundreds of thousands of organizations worldwide, and many organizations are still exposed. 

The biggest problem? Today's organizations have far too much to patch. 

RiskIQ's Illuminate Vulnerability Intelligence was purpose-built to change that. This native feature within the Illuminate Platform allows every organization to see their attack surface for what it really is, providing security teams a consistent way to prioritize, analyze, and triage vulnerabilities based on the likelihood of a successful attack. This real-time insight shrinks workloads and reduces time-to-remediation. 

Continue Reading