Blog

Labs Analyst

What a Custom OceanLotus SSL Certificate Can Tell Us About Their Windows C2 Operations

Ocean Lotus, or APT32, is a now-notorious threat group active since 2014, best known for its relentless malware attacks and spy campaigns against Southeast Asian governments, dissidents, and journalists worldwide.

While investigating previously reported OceanLotus activity, RiskIQ analysts came across a unique SSL certificate associated with the espionage group's infrastructure. Unique to them, the SSL correlated with more than 70 IP addresses since 2017, a connection that earlier this month helped reporters from German Publications BR24 and Zeit Online track Ocean Lotus activity across Europe.

Further analysis of this custom certificate and its associated IP addresses led us to conclude that it is part of the infrastructure OceanLotus uses to deploy Windows-based malware. Based on RiskIQ's first observation of the SSL certificate in our Internet Intelligence Graph, which links together infrastructure across the entire web, the group has been using this certificate since at least February 27, 2020, and continues to use it today.

Continue Reading
External Threat Management Labs

An Indicator From Twitter Brings The Donot Android Espionage Group Back Into Focus

The Donot APT group (APT-C-35) is an espionage group that focuses its attacks on Pakistan and other South Asian government agencies. One of their hallmarks has been using customized malicious Android APKs to spy on their targets of interest and steal sensitive information. Not much has been released about the group recently, but a recent investigation by RiskIQ has uncovered large swaths of its existing and past mobile C2 infrastructure. These attackers are constantly redeveloping and redeploying tools even though their activity levels may appear to taper off.

Donot has kept mostly quiet for the past year with hardly any new open-source intelligence on them published by the security community. However, on May 31 and then again on June 1, two new malware samples linked to the group surfaced on Twitter. These samples were all RiskIQ needed to leverage our Internet Intelligence Graph to build an update around this well-known APT's most recent activity and malware distribution framework. 

Continue Reading
External Threat Management Labs

Just How Much Threat Activity Can You Link Together With a Cookie?

In part one of 'Adventures in Cookie Land', our researchers linked a cookie to a trove of new threat activity. In part two, we see just how far we can take this single indicator.

Continue Reading
External Threat Management Labs

Inter: The Magecart Skimming Tool Now on More than 1,500 Sites

Digital web skimming attacks continue to increase. By now, anyone running an e-commerce shop is aware of the dangers of groups like Magecart, which infect a website every 16 minutes

However, to truly understand these skimmer groups, you have to understand the tools of the trade. The Inter Skimmer kit is one of today's most common and widely used digital skimming solutions globally. It has been involved in some of the most high-profile magecart attacks to date, most notably Group 7's breach of the Nutribullet website

RiskIQ has identified more than 1,500 sites compromised by the Inter skimmer, but the data theft tool is still misunderstood by those tasked with defending their organization against it. To demystify Inter, RiskIQ tapped our unmatched body of research into Magecart and its dozens of groups, open-source intelligence (OSINT), and our global internet telemetry. 

Continue Reading
External Threat Management Analyst

Partner Deep-Dive: RiskIQ Digital Footprint for Splunk

Organizations lack visibility into their digital assets, their external network of internet-connected services and devices growing wildly outside their firewalls to support a workforce that will be remote for the foreseeable future. 

The enterprise digital attack surface is now regularly in flux and no longer in the purview of most security controls. More internet devices and services stood up outside the firewall mean complexity goes up, and "non-standard" becomes the norm. Keeping tabs on its composition and the infrastructure of attackers targeting it is one of the most challenging jobs facing security teams today. While organizations grapple with their attack surface, attackers are more active than ever before. More than 375 new threats sprout up every minute, with a wave of phishing attacks, typosquat registrations, and disinformation taking advantage of the COVID-19 pandemic. 

In this new security environment, attack surface management and a 360-degree view of your attack surface. Deep insight across the public internet makes it not only possible but also manageable. 

Continue Reading
External Threat Management Analyst

The Strongest Defense Against Ransomware is Situational Awareness

Ransomware defense is a perpetual cat and mouse game between incident responders and attackers who are continuously evolving their tactics, tools, and strategy. With Ransomware attacks on the rise and costing the US a whopping $7.5 billion in 2019, SOCs and threat hunters must maintain full situational awareness to protect their organization and customers' data—and avoid massive material loss. However, ransomware defense is no easy task and requires a 360-degree view of your organization's attack surface. 

A Ransomware' Perfect Storm' is Brewing

Ransomware adversaries are a unique breed of threat actor with hyperspecialized tradecraft. Today, these professional cybercriminals form threat ecosystems of malware operators, fraud specialists, and black markets that enable best-of-breed intrusions. More professional criminals are joining the ransomware industry every day, bringing with them a focus on malware R & D and optimizing tactics. The result is a faster payout for actors, meaning increased frequency and volume of attacks. 

These cybercriminals are also now capitalizing on COVID-19 to up the success rate of their attacks. The remote workforce has presented security challenges for organizations, and the deluge of information and disinformation around the outbreak has provided ample bait to make intrusions easier. 

Continue Reading
External Threat Management Analyst

Partner Deep-Dive: The RiskIQ PassiveTotal for Splunk

Attackers are more active than ever before, taking advantage of organizations' expanded attack surfaces outside the corporate firewall and across the internet. Phishing attacks, typosquat registrations, and disinformation campaigns aiming to take advantage of COVID-19 and political turmoil are running rampant. Security teams lacking visibility into this new attack surface are coming up dangerously short. 

RiskIQ has been collecting internet data for more than a decade to help organizations meet the challenge of this new generation of threats. The RiskIQ PassiveTotal App puts petabytes of this external Internet security intelligence into Splunk's Data-to-Everything Platform, giving security teams the visibility they need in a platform and workflow they already use. 

The app enables teams to investigate and respond to threats across their organization's attack surface by laying the RiskIQ Internet Intelligence Graph on top of Splunk data—all in one location—to show how internal assets interact with external infrastructure. With this 360-degree view of their attack surface, analysts have unparalleled context and intelligence to detect, investigate, and remediate IoC's and security events.

Continue Reading
External Threat Management

ScamNation: Monetizing the Pandemic Through Partisan Content Farms and Subscription Traps

During major global events, threat actors take advantage of charged political environments and a prevailing overload of information to help lend credence to the delivery mechanisms they use to carry out malicious activity. This tactic has proven especially effective during the COVID-19 pandemic as scams purporting to contain information, news, and remedies related to the virus—many with a political lean—have saturated the internet. 

In "ScamNation," RiskIQ's latest research report, RiskIQ researchers leveraged our internet-wide visibility and unique data sets to identify and explicitly define scam ecosystems exploiting the pandemic for monetary gain through the spread of false information and the sale of fraudulent products online. The report identifies a network of "content farm" websites publishing misleading, highly partisan articles that have lately focused on COVID-19. Scammers use these sites to promote ads that lure users into "subscription traps," which, through misleading messaging and hidden language in the fine print, trap buyers into making monthly payments that are difficult, if not impossible, to escape.

Continue Reading
External Threat Management

RiskIQ and CrowdStrike Combine for Enhanced Situational Awareness and 360-Degree Attack Surface View

Earlier this month, RiskIQ announced our Interlock Partner Program, making our Internet Intelligence Graph—RiskIQ's unique global view of the internet comprised of data from more than ten years of crawling the web—available in cybersecurity platforms around the world.

One of our first key integrations was the RiskIQ Illuminate app for CrowdStrike, which enriches CrowdStrike Falcon Insight detections with our internet-wide telemetry, enhancing internal alerts with external context. When automatically correlated with CrowdStrike Intelligence, RiskIQ's internet data sets boost incident response by enabling researchers to quickly search across an organization's endpoints for indicators of compromise or find activity related to suspicious indicators they observe on an endpoint.

During an investigation, the RiskIQ app automatically identifies impacted endpoints so analysts can understand all the related infrastructure belonging to a given threat actor. This way, companies can stay a step ahead of their adversaries and optimize their attack surface management.

Continue Reading