Blog

Knowing the infrastructure and its connections helps security teams map, monitor, and track adversary-threat infrastructure and its composition—malware, suspicious activity, threat capabilities, shareable attack tools, and their relationships within the worldwide attack surface. 

As part of our ongoing research into malware distribution infrastructure, we investigated "Mana Tools," a malware distribution and command and control (C2) panel associated with several big names in the malware world, including RevengeRat, AzoRult, Lokibot, Formbook, and Agent Tesla. 

Mana Tools was first reported in 2019 by Yoroi researchers who identified it as a fork of the AzoRult 3.2 malware created by a Pakistani actor known as Hagga. The Mana Tools logo appears on current samples of the Mana Tools panel. Using RiskIQ's dataset, we were able to find several Mana Tools login pages. 

Cybersecurity has gotten pretty tough lately. Today's teams contend with an ever-growing IT ecosystem accelerated by critical digital transformation efforts and moving workforces into remote environments. At the same time, they're managing a rapidly evolving threat landscape composed of both sophisticated nation-state actors and a crush of low-level criminals armed with off-the-shelf crimeware. All told, cybercrime now costs organizations a whopping $1,797,945 per minute. 

As cyberthreats increase, security analysts are our first line of defense. Their skills, know-how, and passion for their work meet attackers head-on. Unfortunately, these analysts often lack the resources, technology, and latest techniques to defeat them. 

Defending your organization's attack surface in today's threat landscape is a global-scale challenge full of continuously changing elements. 

Attacker tools have flooded the web, and advanced adversaries target massive vulnerabilities in ubiquitous systems used across the world. To defend their organizations, security teams need actionable threat intelligence that provides a bird's eye view of the global attack surface and shows precisely how their organization's unique Internet relationships fit inside it—and how these relationships are affected by new threats. 

Unfortunately, analysts usually aren’t equipped with the threat intelligence they need. Often, they have intel that's too generic or entirely irrelevant to their organization’s attack surface. And, even if their threat intel is relevant and actionable, applying it across the teams, tools, and systems in their organization is an incredible challenge. 

On March 2, 2021, Microsoft announced that four previously unknown zero-day vulnerabilities were exploited to attack on-premises versions of the Microsoft Exchange Servers.  Microsoft has reported that attackers exploited these vulnerabilities to gain access to Exchange servers, gain access to email accounts, and deploy malware (typically web shells) for long-term persistent access to victim organizations.  Microsoft credited a security company called Volexity for first observing these exploits on January 6, 2021. These vulnerabilities do not affect Microsoft Office 365 or Azure Cloud deployments of Exchange email servers.

Microsoft has reported they have attributed these attacks to a threat actor group it calls HAFNIUM and assessed it is a People’s Republic of China sponsored campaign.  Additional details of HAFNIUM targeting and attack techniques are included in Microsoft’s security blog. Meanwhile, FireEye’s analysis indicates this attack has ties activity it tracks across three unknown attack clusters and provides additional analysis and indicators in their blog.

A recent Interisle Consulting Group research report, WHOIS Contact Data Availability, and Registrant Classification Study, finds that more than half of the top-level-domains under ICANN's remit are now controlled by unidentifiable parties. According to the report, "ICANN's policy has allowed registrars and registry operators to hide much more contact data than is required by the GDPR-perhaps five times as much..." 

Regardless of if contact data is ultimately needed to maintain a secure and interoperable Internet, it is now more important than ever to leverage available threat intelligence to combat harmful cyber activity. Traditionally, WHOIS has told analysts who owns a domain. Threat hunters used to be able to use this information to pivot on names, addresses, and phone numbers to find other domains registered to the same owner. For the most part, GDPR broke that.

With WHOIS becoming significantly less useful to build out threat investigations, threat analysts must rely more frequently on other internet data sets as part of their digital tool belt. RiskIQ has made it a core part of our business to collect and correlate as much relevant Internet data as possible to supercharge threat investigations—data that's become even more valuable to analysts since the advent of the GDPR. 

We recently analyzed LogoKit, a simple, modularized, and adaptable phish kit running on thousands of domains. Easy to use and able to accommodate a wide range of attacker skill levels, LogoKit is a hot commodity on the black market. 

LogoKit's popularity has given rise to enterprising threat actors who manufacture, package, and sell the kit to meet a strong and still growing demand among cybercriminals worldwide. However, these crimeware purveyors are more than just cybercriminals; they're also expert marketers who use social media sites, web forums, and messaging apps to build their brand, advertise their product, and streamline transactions.

After analyzing LogoKit itself last week, we took a closer look at the infrastructure and criminal enterprise behind it. The resulting investigation illuminated a massive phishing ecosystem and thriving crimeware economy driven by a high demand for simple, effective phishing tools. Below, we'll look at a major player in the sale of LogoKit. 

There will be many more breaches like the one of SolarWinds. 

Moving into 2021 and beyond, the ability to view your organization from the outside-in, as attackers do, will be the best defense against these internet-scale attacks by advanced APTs. FireEye and other security experts analyzing early information on SunBurst have said mass scanning and internet-scale data are critical to incident response efforts. This real-time global visibility shows security teams if their organization is affected and helps uncover attacker fingerprints on the network. 

RiskIQ is helping organizations respond to attacks like SunBurst with our Internet Intelligence Graph, built by mapping the Internet via over ten years of crawling and mass scanning. Our brand new JARM feature will help incident responders quickly query this graph, putting the world’s largest index of applications, components, and behaviors at their fingertips for a smarter, faster response.

Ryuk Ransomware has flooded US hospitals, threatening to shut down their operations when they're needed most. Ryuk now accounts for a third of all ransomware attacks in 2020, with its operators finding success while many healthcare organizations are most vulnerable. 

However, the cybersecurity community is coming together to combat this rash of attacks, combining resources to provide network defenders with alerts and intelligence to protect our healthcare institutions. 

To do our part, RiskIQ released the entirety of the infrastructure related to the Ryuk strain of ransomware collected by RiskIQ's Internet Intelligence Graph.

In incident response, speed and visibility are everything, but they can’t be achieved without a 360-degree view of your attack surface. 

RiskIQ PassiveTotal now integrates directly with Microsoft Defender and Azure Sentinel, bringing Microsoft Defender endpoint telemetry and Azure Sentinel alert data directly to the PassiveTotal threat hunting platform. This combination of RiskIQ and Microsoft data enriches threat infrastructure to show pertinent SIEM alerts and endpoint details alongside RiskIQ's rich Internet intelligence to speed up and supercharge investigations. 

RiskIQ and Microsoft joint customers can enable integrations for both Microsoft Defender and Azure Sentinel separately in their organization's account settings in RiskIQ PassiveTotal. Once enabled, analysts can pivot across RiskIQ data during an investigation to understand all the related infrastructure affecting impacted endpoints or existing security tickets.