To try pivoting across RiskIQ’s unique internet data sets for yourself, sign up for RiskIQ Community Today.
Internet data sets help digital threat hunters investigate and expose the infrastructure being used by digital attackers against their organization so they can find, block, and prevent digital attacks.
Every day, security professionals are leveraging the relationships between the highly connected data collected by RiskIQ, pivoting on the unique data sets in PassiveTotal to surface new connections, group similar digital attack activity, and substantiate assumptions during incident response. Recently, there has been an abundance of examples of researchers using PassiveTotal to uncover clues that unmask the threat actors targeting them.
While researching the Nebula EK, threat researcher John Swanson used PassiveTotal to research a known Nebula EK delivery subdomain linked to the Yugoslavian Business Network. From this one artifact, he determined a trove of information crucial to his investigation:
Fig-1 WHOIS information for the subdomain listed in PassiveTotal
Swanson found 114 domains registered with the same “Kreb’s” firstname.lastname@example.org e-mail address and phone number. Pivoting on these domains returned only one IP address, which meant the group relied heavily on subdomains. This information provided crucial context to his investigation, which ultimately helped him conclude that Nebula is a new iteration of the Sundown exploit kit, probably operated by the Yugoslavian Business Group or a closely related group of actors.
You can see Swanson’s public project here.
According to ClearSky Cyber Security, RiskIQ’s Host Pairs data set helped uncover infrastructure belonging to a threat group targeting Israel Electric Company, the largest supplier of electrical power in Israel. Host pairs are a unique PassiveTotal data set: each pair records a connection between two hosts, which can range from a top-level redirect (HTTP 302) to something more complex like an iframe or script source reference. What makes this data set compelling is that it gives researchers the ability to understand relationships between hosts based on details observed when visiting the actual page. Because Host Pairs relies on website content, it is likely to surface connections that other sources like passive DNS and SSL certificates do not.
According to ClearSky’s blog, between April 2016 and February 2017, the threat group spread malware via breached Israeli websites, as well as self-hosted and cloud-based sites. Within the site journey-in-israel[.]com, the attackers inserted an exploit code for CVE-2014-6332, a Windows code execution vulnerability. The digital attackers also registered and built the malicious websites:
sourcefarge[.]net (similar to legitimate software website sourceforge.net)
According to PassiveTotal, the latter was redirecting to journey-in-israel[.]com and iec-co-il[.]com, which is confirmed below:
Fig-2 The Host Pairs data set shows “sourcefarge” pointing to the malicious URLs via a redirect
The PassiveTotal public project for this campaign, dubbed “Operation Electric Powder,” which includes all the artifacts used by the threat actors, can be found here.
Host pairs were also used in an investigation of threat actors installing unauthorized code on the websites of Polish banking establishments and using them against the computer systems of global monetary institutions. According to a report by the Wall Street Journal, these digital attacks share traits with the 2014 assault on Sony Corp linked to the Lazarus Group.
A preliminary investigation by BadCyber suggests that the starting point for the infection could have been located on the web server of Polish financial sector regulatory body, Polish Financial Supervision Authority (www.knf.gov.pl). Due to a slight modification of one of the local JS files, an external JS file was loaded, which could have executed malicious code on selected targets.
The investigation used PassiveTotal’s Host Pairs to confirm that the attack originated from external sources. Below, under the “Host Pairs” tab in PassiveTotal, you can see that RiskIQ crawlers observed the KNF website pointing to the malicious URLs via an iframe:
Fig-3 Host Pairs show the KNF.gov website referencing two URLs cited as malicious by BadCyber
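The two investigations above both come down to the same mechanism: a crawler visits a page, records which other hosts the page pulls in (a 302 Location header, an iframe, an external script), and an analyst then pivots across those parent/child records from a known-bad host. The following added example, which is not RiskIQ or PassiveTotal code, shows that mechanism end to end: it derives host pairs from constructed crawler output (the `SAMPLE_CRAWL` records, the `.test` domain names and the HTML bodies are all made up for illustration) and then walks the pairs in both directions from a seed host, the way the Host Pairs tab lets you move from a compromised site to the external host it references and back to whatever redirects into it.

```python
"""Derive host pairs from crawled page content and pivot on them.

Added illustration, not RiskIQ/PassiveTotal code.  Every URL, status code
and HTML body below is constructed; the .test domains are placeholders,
not real indicators.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RefExtractor(HTMLParser):
    """Collect iframe and script src references from a page body."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (cause, url)

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("iframe", "script") and src:
            self.refs.append((tag, src))


def host_of(url):
    """Lowercase hostname of an absolute (or protocol-relative) URL, else None."""
    host = urlparse(url).hostname
    return host.lower() if host else None


def host_pairs_from_crawl(crawl):
    """Turn crawler records into (parent_host, child_host, cause) tuples.

    Each record is a dict with 'url', 'status', optional 'location' (for
    redirects) and 'body' (HTML).  Same-origin and relative references are
    skipped: a host pair is only interesting when it crosses hosts.
    """
    pairs = []
    for page in crawl:
        parent = host_of(page["url"])
        if page.get("status") in (301, 302) and page.get("location"):
            child = host_of(page["location"])
            if child and child != parent:
                pairs.append((parent, child, "redirect"))
        extractor = _RefExtractor()
        extractor.feed(page.get("body", ""))
        for cause, ref in extractor.refs:
            child = host_of(ref)
            if child and child != parent:
                pairs.append((parent, child, cause))
    return pairs


def pivot(pairs, seed):
    """Breadth-first walk of the host-pair graph from a seed host.

    Returns {host: (via_host, cause, direction)} for every host connected
    to the seed.  direction '->' means via_host points at host (it is the
    parent); '<-' means host points at via_host (host is the parent).
    """
    adjacency = {}
    for parent, child, cause in pairs:
        adjacency.setdefault(parent, []).append((child, cause, "->"))
        adjacency.setdefault(child, []).append((parent, cause, "<-"))
    reached = {seed: None}
    queue = deque([seed])
    while queue:
        host = queue.popleft()
        for other, cause, direction in adjacency.get(host, []):
            if other not in reached:
                reached[other] = (host, cause, direction)
                queue.append(other)
    del reached[seed]
    return reached


# Constructed crawler output: a look-alike domain that redirects to a lure
# site, the lure site loading a script from a third host, and an unrelated
# site carrying a hidden iframe (all placeholders, not real infrastructure).
SAMPLE_CRAWL = [
    {"url": "http://sourcefarge-lookalike.test/", "status": 302,
     "location": "http://journey-lure.test/", "body": ""},
    {"url": "http://journey-lure.test/", "status": 200, "body":
     '<html><body><script src="http://journey-lure.test/js/main.js"></script>'
     '<script src="http://exploit-host.test/ie.js"></script></body></html>'},
    {"url": "http://regulator-site.test/index.html", "status": 200, "body":
     '<html><body><script src="/local/app.js"></script>'
     '<iframe src="http://sat-malware.test/view.php" width="1" height="1">'
     '</iframe></body></html>'},
]

if __name__ == "__main__":
    pairs = host_pairs_from_crawl(SAMPLE_CRAWL)
    for parent, child, cause in pairs:
        print(f"{parent} --{cause}--> {child}")
    # Pivot from the external script host back to everything linked to it.
    for host, (via, cause, direction) in pivot(pairs, "exploit-host.test").items():
        print(f"linked: {host} ({cause} {direction} {via})")
```

Pivoting from `exploit-host.test` reaches the lure site that loads the script and, one hop further back, the look-alike domain that redirects into the lure, while the unrelated regulator site is not linked to that cluster at all; that separation is what lets an analyst group artifacts into one campaign rather than another.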
PassiveTotal’s ever-expanding data provides new context to adversaries’ infrastructure and now includes deeper monitoring capabilities. Security teams can be alerted in real-time to changes in DNS and domain resolution, WHOIS registration, and the appearance of other new keywords of interest. The latest release also includes a project workflow to quickly organize and group related threat infrastructure components found during investigations. This allows analysts and research teams to be more effective and agile in their investigations.
For more on RiskIQ’s unique internet data sets, download Using Internet Data Sets to Understand Digital Threats.