Blog

Analyst

Labs Analyst

What a Custom OceanLotus SSL Certificate Can Tell Us About Their Windows C2 Operations

Ocean Lotus, or APT32, is a now-notorious threat group active since 2014, best known for its relentless malware attacks and spy campaigns against Southeast Asian governments, dissidents, and journalists worldwide.

While investigating previously reported OceanLotus activity, RiskIQ analysts came across a unique SSL certificate associated with the espionage group's infrastructure. Unique to them, the SSL correlated with more than 70 IP addresses since 2017, a connection that earlier this month helped reporters from German Publications BR24 and Zeit Online track Ocean Lotus activity across Europe.

Further analysis of this custom certificate and its associated IP addresses led us to conclude that it is part of the infrastructure OceanLotus uses to deploy Windows-based malware. Based on RiskIQ's first observation of the SSL certificate in our Internet Intelligence Graph, which links together infrastructure across the entire web, the group has been using this certificate since at least February 27, 2020, and continues to use it today.

Continue Reading
External Threat Management Analyst

Partner Deep-Dive: RiskIQ Digital Footprint for Splunk

Organizations lack visibility into their digital assets, their external network of internet-connected services and devices growing wildly outside their firewalls to support a workforce that will be remote for the foreseeable future. 

The enterprise digital attack surface is now regularly in flux and no longer in the purview of most security controls. More internet devices and services stood up outside the firewall mean complexity goes up, and "non-standard" becomes the norm. Keeping tabs on its composition and the infrastructure of attackers targeting it is one of the most challenging jobs facing security teams today. While organizations grapple with their attack surface, attackers are more active than ever before. More than 375 new threats sprout up every minute, with a wave of phishing attacks, typosquat registrations, and disinformation taking advantage of the COVID-19 pandemic. 

In this new security environment, attack surface management and a 360-degree view of your attack surface. Deep insight across the public internet makes it not only possible but also manageable. 

Continue Reading
External Threat Management Analyst

The Strongest Defense Against Ransomware is Situational Awareness

Ransomware defense is a perpetual cat and mouse game between incident responders and attackers who are continuously evolving their tactics, tools, and strategy. With Ransomware attacks on the rise and costing the US a whopping $7.5 billion in 2019, SOCs and threat hunters must maintain full situational awareness to protect their organization and customers' data—and avoid massive material loss. However, ransomware defense is no easy task and requires a 360-degree view of your organization's attack surface. 

Continue Reading
External Threat Management Analyst

Partner Deep-Dive: The RiskIQ PassiveTotal for Splunk

Attackers are more active than ever before, taking advantage of organizations' expanded attack surfaces outside the corporate firewall and across the internet. Phishing attacks, typosquat registrations, and disinformation campaigns aiming to take advantage of COVID-19 and political turmoil are running rampant. Security teams lacking visibility into this new attack surface are coming up dangerously short. 

RiskIQ has been collecting internet data for more than a decade to help organizations meet the challenge of this new generation of threats. The RiskIQ PassiveTotal App puts petabytes of this external Internet security intelligence into Splunk's Data-to-Everything Platform, giving security teams the visibility they need in a platform and workflow they already use. 

The app enables teams to investigate and respond to threats across their organization's attack surface by laying the RiskIQ Internet Intelligence Graph on top of Splunk data—all in one location—to show how internal assets interact with external infrastructure. With this 360-degree view of their attack surface, analysts have unparalleled context and intelligence to detect, investigate, and remediate IoC's and security events.

Continue Reading
Analyst

Discover | COVID-19 Daily Update

At the request of our customers, March 9th, RiskIQ's team of trained intelligence analysts began compiling disparate data and intelligence related to COVID-19 into comprehensive reports. Each report combines major updates around COVID-19 and its impacts on cities, neighborhoods, schools, and businesses as well as essential cybercrime data that helps raise the situational awareness of both physical and cybersecurity teams.

Purpose

This intelligence will help inform the decisions of security teams, who face new requirements during these unprecedented times. Here, RiskIQ strives to provide the security community with a single source of factual reporting and informed analysis to help the security community discover unknowns about their environment and investigate threats.

Notice

RiskIQ will be changing the format and frequency of the COVID-19 Daily Update beginning Friday, 05/15/2020. The report will be released every Friday rather than every day. The report will compile the week’s major stories and events and present them in the Notable Events and Digital Exploitation sections. RiskIQ has established a microsite for COVID-19 coverage, located at https://www.riskiq.com/covid19-cybersecurity/. Thank you for your continued readership.

Continue Reading
Analyst

Investigate | COVID-19 Cybercrime Weekly Update

At the request of our customers, March 9th, RiskIQ's team of trained intelligence analysts began compiling disparate data and intelligence related to COVID-19 into comprehensive reports. Each report combines major updates around COVID-19 and its impacts on cities, neighborhoods, schools, and businesses as well as essential cybercrime data that helps raise the situational awareness of both physical and cybersecurity teams.

Purpose

This intelligence will help inform the decisions of security teams, who face new requirements during these unprecedented times. Here, RiskIQ strives to provide the security community with a single source of factual reporting and informed analysis to help the security community discover unknowns about their environment and investigate threats.

5/22/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Weekly Report - 5/22

Continue Reading
Labs Analyst

Misconfigured Amazon S3 Buckets Continue to be a Launchpad for Malicious Code

Ocean Lotus, or APT32, is a now-notorious threat group active since 2014, best known for its relentless malware attacks and spy campaigns against Southeast Asian governments, dissidents, and journalists worldwide.

While investigating previously reported OceanLotus activity, RiskIQ analysts came across a unique SSL certificate associated with the espionage group's infrastructure. Unique to them, the SSL correlated with more than 70 IP addresses since 2017, a connection that earlier this month helped reporters from German Publications BR24 and Zeit Online track Ocean Lotus activity across Europe.

Further analysis of this custom certificate and its associated IP addresses led us to conclude that it is part of the infrastructure OceanLotus uses to deploy Windows-based malware. Based on RiskIQ's first observation of the SSL certificate in our Internet Intelligence Graph, which links together infrastructure across the entire web, the group has been using this certificate since at least February 27, 2020, and continues to use it today.

Continue Reading
Analyst

Illuminate Malware-free Attacks with RiskIQ and CrowdStrike

CrowdStrike recently released its Global Threat Report, an outline of their observations of threat actors and their techniques, covering the year of 2019. While the report itself contains numerous points of interest, one in particular caught the eye of the RiskIQ Research Team. CrowdStrike states, "...the trend toward malware-free attacks is accelerating with these types of attacks surpassing the volume of malware attacks." This shift in tactics requires a corresponding shift by defenders. 

This post will take a more in-depth look at the implications of this shift and how defenders need to adapt to stay ahead of their adversaries, whether they wield malware or not.

Continue Reading
External Threat Management Analyst

RiskIQ Illuminate App in the CrowdStrike Store Combines Unmatched External Telemetry with Endpoint Intelligence | Attack Surface Management

It's incredible to think how far organizations have come in gaining visibility into their enterprise in just the last five years. Analysts used to have conversations about how and where to enable logging. One quantum leap later, and these conversations are now about how optimizing queries to get the most out of the vast amounts of internal data available to them. 

Today, analysts operate with an extreme amount of context, but their own collection is just one side of what their organization looks like. The most successful businesses recognize that they must pair this internal data collection with external intelligence to have real visibility into their attack surface—and how it appears to would-be attackers. 

RiskIQ has worked to provide this external view for over a decade, collecting and storing internet data to feed technology that functions like a TIVO for the Internet, giving security teams the ability to look back at attacks and understand why and how they happened, as well as to detect new ones. Over that time, RiskIQ has built unmatched data sets found nowhere else that power several defense-based products and enables a community of over 85,000 security practitioners to conduct thorough investigations into cyber security threats.

Although it fuels threat investigations worldwide, RiskIQ’s data becomes even more powerful when combined with endpoint telemetry. That’s why RiskIQ, the global leader in attack surface management, is excited to announce that we’ve partnered up with CrowdStrike to deliver RiskIQ Illuminate for Falcon, a solution that offers truly unique visibility into cyber security threats by pairing unmatched external intelligence with leading endpoint-visibility data sets.

RiskIQ data beside CrowdStrike data in the Illuminate app. Customers can now trial functionality through the CrowdStrike app store.

Continue Reading