Blog

External Threat Management Labs

Taking a Closer Look at a Malicious Infrastructure Mogul

In our article "Bulletproof Hosting Services: Investigating Media Land LLC," we examined Media Land LLC, the organization run by cyberthreat mogul Alexander Volosovik. We delved into its hosting infrastructure and activities, including domain registration services that facilitate and enable various malicious campaigns.

We've done further infrastructure analysis connecting our previous research on Media Land activities, including our articles on the Grelos Skimmer, the Inter Skimmer, and bulletproof hosting, to Volosovik's domain registration and fast-flux services. Fast flux is a DNS technique used to mask botnets by quickly rotating among a network of compromised hosts, which act as proxies that let criminals evade detection.

Here, we'll analyze Volosovik's fast-flux offering patterns as seen in RiskIQ data, using several indicators to identify additional aliases, accounts, and domains connected to Volosovik. As we surface these digital relationships, we'll be able to connect previous research from RiskIQ and other security companies to Volosovik's services, showing their prevalence across the global threat landscape. 

External Threat Management

Joining Microsoft is the Next Stage of the RiskIQ Journey

Today Microsoft announced its intent to acquire RiskIQ, representing the next stage of our journey that's been more than a decade in the making. We couldn't be more excited to join forces to enable the global community to defend against the rising tide of cyberattacks. 

RiskIQ was conceived to preserve the original promise of the Internet—bringing people together. Connecting people across the world and making sure those connections are safe is something worth defending every single day. That hasn’t changed.

When RiskIQ first launched, the digital enterprise was shifting to the Internet, the start of digital transformation. SaaS and mobile apps were suddenly everywhere; the cloud was becoming the basis of development—essentially, the Internet was becoming the network, and the extended enterprise was born.

External Threat Management

Here’s How Much Threat Activity is in Each Internet Minute

What happens in the span of a minute across the internet? 

Lately, we've seen the global threat landscape get broader, more chaotic, and more unpredictable. As the internet grows, so does the scale of threat activity targeting organizations, which expanded their digital presence and accelerated their cloud adoption in the wake of the COVID-19 pandemic. 

Our 2021 Evil Internet Minute aims to illuminate the top threats facing organizations today and put the year's cybersecurity research into context by framing it on a micro-scale. We leveraged our Internet Intelligence Graph and favorite third-party findings to closely examine the malicious activity that transpires across the world every 60 seconds. 

External Threat Management Labs

Media Land: Bulletproof Hosting Provider is a Playground for Threat Actors

Bulletproof hosting (BPH) is a collection of service offerings catering to internet-based criminal activity. These businesses often operate in a grey area, attempting to appear legitimate while shielding the illegal activity they host from disruption amid abuse complaints and takedown requests. Providers often foster relationships with authorities in countries prone to corruption or otherwise unconcerned with certain types of illicit activity. 

Trend Micro summarized BPH in a great graph covering three different types of BPH providers: those using stolen or compromised assets, those operating on short-term leases, and those leveraging their own data center or co-location facilities.

In this first post in a new series of articles, we'll focus on bulletproof hosting providers with more established infrastructure, including Media Land LLC, one of the most infamous providers in the threat landscape. Our analysis of this infrastructure surfaced thousands of domains linked to threat campaigns of all kinds, showing the ubiquity, and utility, of bulletproof hosting providers. 

External Threat Management Magecart

Bit2check: Stolen Card Validation Service Illuminates A New Corner of the Skimming Ecosystem

In much of our recent analysis of threat infrastructure, we've seen the digital credit card skimming ecosystem grow as we uncover more actors, tooling, services, and economies that comprise it. We also see distinct patterns emerge in the infrastructure used and shared by these entities. 

Over the last few years, Alibaba IP space has hosted many domains used for digital skimming and other malicious behavior. As bulletproof hosting providers host a considerable portion of skimming campaigns, the popularity of Alibaba IP space may result from one of these bulletproof services abusing Alibaba hosting services. Recently, some of these domains have also abused Google user content hosting.

While investigating infrastructure related to the MobileInter skimmer, our researchers found that a Google IP address briefly played host to one of its skimmer domains. This IP then hosted a domain offering a helpful service for card skimmers, allowing them to authenticate stolen payment data for a fee. From this data point, RiskIQ's Internet Intelligence Graph helped our researchers identify several related websites, services, and social media accounts connected to this authentication activity known as bit2check. Some bit2check domains share the same hosting pattern as Magecart domains observed abusing Alibaba and Google hosting services.

External Threat Management

Microsoft Exchange is a Global Vulnerability. Patching Efforts Reveal Regional Inconsistencies 

The Microsoft Exchange vulnerability was a global-scale security issue that affected thousands of organizations across the world. With the prevalence of Microsoft Exchange servers across the global attack surface, the sheer size of this incident goes well beyond security. In reality, this is a big data problem. 

RiskIQ has continuously collected internet data for more than a decade to put the vulnerability's scope into context so our customers can respond rapidly. However, in the process, we noticed that not all countries are patching this critical vulnerability effectively. 

The results of scans from our global sensors show that despite this being a ubiquitous issue, each country has reacted very differently, with patching success varying wildly across borders and continents.

How did different organizations and hosting providers fare in different regions around the world? We looked at our data to break it down:

External Threat Management Labs

The Sysrv-hello Cryptojacking Botnet: Here’s What’s New

The Sysrv-hello botnet targets both Windows and Linux systems, gaining access by exploiting multiple vulnerabilities and installing its implant via shell scripts.

Like many of the threat actor tools we've covered, it continuously evolves to fit the needs of its operators and stay ahead of security researchers and law enforcement. 

Over time, there have been several slight changes in the shell scripts that install the Sysrv-hello implant on machines. There have also been incremental changes in how the executable gets deployed on host systems. In our latest threat intel analysis, RiskIQ researchers have identified its latest developments, including the use of drive-by downloads and two new Monero wallets.

External Threat Management

This is How Your Attack Surface May Be Larger and More Exposed Than You Think

The world has never been as vulnerable to cyberattacks as it is today. The sheer number of attacks organizations face, and the global scope of many of those attacks—the SolarWinds and the Microsoft Exchange vulnerabilities affected almost everyone—is putting today's CISOs on the hot seat.

In the past several months alone, there have been more than a dozen zero-day exploits, an unprecedented rate of successful infiltration that makes the lack of control and visibility for security leaders painfully evident.

Advanced persistent threats (APTs) are not only rising in frequency; their impact is increasingly devastating and widespread. Initially, the Microsoft Exchange vulnerability affected more than 400,000 servers worldwide. These sophisticated attackers are taking advantage of digital transformation, which has extended the digital enterprise onto the internet, and of the internet's innate connectedness.

External Threat Management Labs Magecart

MobileInter: A Popular Magecart Skimmer Redesigned For Your Phone

To truly understand the Magecart skimming groups that have become a mainstay of the e-commerce threat landscape, you have to understand the tools of the trade. The Inter Skimmer kit is one of today's most common digital skimming solutions globally. However, a hallmark of widely used skimmers is their propensity to evolve as more actors use and tweak them to suit their unique needs and purposes. 

Several different actors have used the Inter kit to steal payment data since late 2018. It affects thousands of sites and likely thousands of consumers, and RiskIQ continues to see new iterations of Inter in our Internet Intelligence Graph. One of these that should be firmly on the radar of security teams monitoring their organization's web assets is MobileInter, a modified and expanded take on Inter skimmer code that focuses exclusively on mobile users. 

With nearly three out of every four dollars spent online coming from a mobile device, it's no wonder Magecart operators are looking to target this lucrative landscape. RiskIQ researchers have analyzed this newer model to determine its functionality, prevalence, and links to other skimmer activity.
