Illuminate Malware-free Attacks with RiskIQ and CrowdStrike

CrowdStrike recently released its Global Threat Report, an outline of their observations of threat actors and their techniques, covering the year of 2019. While the report itself contains numerous points of interest, one in particular caught the eye of the RiskIQ Research Team. CrowdStrike states, "...the trend toward malware-free attacks is accelerating with these types of attacks surpassing the volume of malware attacks." This shift in tactics requires a corresponding shift by defenders. 

This post will take a more in-depth look at the implications of this shift and how defenders need to adapt to stay ahead of their adversaries, whether they wield malware or not.

Figure–1: CrowdStrike interface showing detection and ThreatGraph

In the report, CrowdStrike defines malware-free attacks as "those in which the initial tactic did not result in a file or file fragment being written to disk." Code executed from memory, stolen credentials used for remote login, and domain-spoofing are all examples of malware-free attacks. Existing CrowdStrike customers have deep visibility into internal endpoint activity along with prevention capabilities, making these attacks less of a concern. Still, it does suggest that defenders will have to work harder and deploy new approaches to identify attackers.

Figure–2: RiskIQ diagram showing how signals can be chained together to find related activity


RiskIQ Illuminate App in the CrowdStrike Store Combines Unmatched External Telemetry with Endpoint Intelligence | Attack Surface Management

It's incredible to think how far organizations have come in gaining visibility into their enterprise in just the last five years. Analysts used to have conversations about how and where to enable logging. One quantum leap later, and these conversations are now about optimizing queries to get the most out of the vast amounts of internal data available to them.

Today, analysts operate with an extreme amount of context, but their own collection is just one side of what their organization looks like. The most successful businesses recognize that they must pair this internal data collection with external intelligence to have real visibility into their attack surface—and how it appears to would-be attackers. 

RiskIQ has worked to provide this external view for over a decade, collecting and storing internet data to feed technology that functions like a TIVO for the Internet, giving security teams the ability to look back at attacks and understand why and how they happened, as well as to detect new ones. Over that time, RiskIQ has built unmatched data sets found nowhere else that power several defense-based products and enable a community of over 85,000 security practitioners to conduct thorough investigations into cyber security threats.

Although it fuels threat investigations worldwide, RiskIQ’s data becomes even more powerful when combined with endpoint telemetry. That’s why RiskIQ, the global leader in attack surface management, is excited to announce that we’ve partnered up with CrowdStrike to deliver RiskIQ Illuminate for Falcon, a solution that offers truly unique visibility into cyber security threats by pairing unmatched external intelligence with leading endpoint-visibility data sets.

RiskIQ data beside CrowdStrike data in the Illuminate app. Customers can now trial functionality through the CrowdStrike app store.


A Deeper Look at the Phishing Campaigns Targeting Bellingcat Researchers Investigating Russia

On July 26th, ThreatConnect published an analysis of a coordinated phishing attack against Bellingcat, an investigative journalism website that specializes in fact-checking and open-source intelligence. Known for their work investigating Russia, Bellingcat researchers were carefully chosen targets, as stated by Bellingcat’s Eliot Higgins on Twitter.

Highly focused, the phishing campaign targeted the digital security of only ten individuals, who have been identified by investigative journalist Christo Grozev. These include some researchers who do not work for Bellingcat but do investigate Russia.

ProtonMail, the email service used in the phishing attack, published a short statement, which included some fascinating details on the phishing attack from their perspective.


In this article, we’ll explore a different angle to this campaign by analyzing it from the unique outside-in perspective of RiskIQ. RiskIQ data reveals multiple phishing campaigns involving different tactics beyond the analysis by ThreatConnect. 


Elevate Your Investigations With Collaboration & Organization: PassiveTotal Projects

Projects within RiskIQ PassiveTotal make it easy for analysts to gather and share digital threat intelligence about current and ongoing digital threat investigations and known digital threat infrastructure. PassiveTotal Projects help you organize related digital threat infrastructure elements such as:

  • Domains
  • IPs
  • website trackers, and

Context is Everything: Using Tags and Classifications in RiskIQ PassiveTotal

As an analyst, how much time can you afford to waste at work?

Do you have eight hours to spend investigating those 203 suspect hosts, only to learn that a fellow analyst determined two weeks ago that they are registered to your company?

Or, what if you had to stop mid-investigation to address a different priority—wouldn’t it be great to come back to an investigation and know how your research had manifested up to that point?

The attack surface of your enterprise is always expanding, and that growth has increased the importance of correlating internal activity with what is happening outside the firewall. This changing threat landscape is why most successful security programs are providing analysts with real-time context to improve the efficiency and outcomes of their investigations so they can discover additional threat infrastructure and block it proactively.

PassiveTotal: Context, All in One Place


MarkOfTheWeb: How a Forgetful Russian Agent Left a Trail of Breadcrumbs

MarkOfTheWeb: A Calling Card for Careless Russian Agents

Digital interference from the Russian Federation is nothing new. Their virtual trespassing efforts have been outed and heavily discussed in the news—even more so in recent months (as you've probably noticed). Russian digital incursion into the United States political climate allows them to adjust the direction of discourse and push buttons when and where needed to help achieve a desirable outcome for the Kremlin. To carry out these active measures, the Russian state relies not only on agents and spies who do physical work but also those who operate digitally.

Luckily, not all Russian digital agents are as smooth as James Bond. Sometimes, they slip up and leave traces of their origins. One such slip-up occurred recently. In August 2017, the staff lead of Missouri Democratic Senator Claire McCaskill was spear-phished by the digital arm of the Russian state in an attempt that resembled the infamous attacks against John Podesta and Colin Powell.

By downloading a login page directly from the internet, the agent attempted to fool the high-ranking staffer into giving up his credentials. However, unfortunately for our hapless Russian agent, the phishing page they spun up included more information than intended. With the breadcrumbs they left behind, we were able to tap into RiskIQ’s repository of internet data to trace the origin of the agent and uncover other targets, which gave us clues about their motives, which, suspiciously, seem to align with those of Russia.

Following Breadcrumbs to the Kremlin


Not so Fast – Some Online Scams Don’t Take No for an Answer

Some online scams literally don't take no for an answer.

Going beyond tricking users with flashy ads for fake products or prizes or scaring them into trying to download phony software with the goal of redirecting them elsewhere, some scammers go a step further—they don't even let their victims leave their page.

While doing page reviews for RiskIQ's scam model, I came across an interesting crawl. Because it was missing a screenshot and, strangely, there seemed to be a phone number in the URL pathway, I decided to take a closer look.


Fig -1 PDF download prompt


Phone Scam Uses Scammy App That Infects Phones for Ad-clicking and Info-Stealing Controls Over 60,000 Devices

Also by Aaron Inness

At RiskIQ, we observe thousands of scam web pages in all forms—everything from fake pharmaceutical ads to phony prizes to spurious tech support—and label them accordingly. In the mobile ecosystem, popular scams include ‘your device is running low!’, ‘you need to update your device!’ or ‘you need to install this antivirus to save your device!’ In today’s post, we’ll take a look at one of these scams that surfaced in our crawl data.

Although the app these scam pages send users to does its advertised function, it also has a nasty secret—it infects victims’ devices and comes with a side of information stealing and ad-clicking.

Cleanup required!

Many of the millions of scams we crawl at RiskIQ are relatively straightforward, but every once in a while we find something unique. Usually, scams point to other web pages, but in this case, we noticed one that redirects victims who click to Google Play, where they are served a malicious app. To get to the bottom of how the scam works from beginning to end, we pointed our investigative resources at it and outlined our findings below.


Linking Infrastructure from Phishing Data Exfiltrations

Phishing is still one of the most relentless and quickly evolving online threats facing today's businesses.

At RiskIQ, we process tons of web-related threat data, including phishing incidents. From various sources, we receive URLs which may be indicative of phishing, examine the pages with our web-crawling infrastructure, which experiences them as a real user would, and feed the data it collects through our machine-learning technology to classify each detected phishing page appropriately.

Phishing pages' infrastructure usually takes two forms: self-maintained custom infrastructure and abused or compromised infrastructure belonging to someone else. Below is an instance of a phishing page for email involving the latter. It's somewhat generic, but an excellent example of something commonly leveled against businesses: 


Fig-1 Phishing page

Looking through some sources online, I dug up some additional instances of this phishing kit:
