RiskIQ Data Sets: Powering Threat Investigations Around the World

March 14, 2017, Mike Browning

To try pivoting across RiskIQ’s unique internet data sets for yourself, sign up for RiskIQ Community Today.

Internet data sets help digital threat hunters investigate and expose the infrastructure being used by attackers against their organization so they can find, block, and prevent attacks.

Every day, security professionals are leveraging the relationships between the highly connected data collected by RiskIQ, pivoting on the unique data sets in PassiveTotal to surface new connections, group similar attack activity, and substantiate assumptions during incident response. Recently, there has been an abundance of examples of researchers using PassiveTotal to uncover clues that unmask the threat actors targeting them.

Making Nebula a Lot Less Nebulous

While researching the Nebula EK, threat researcher John Swanson used PassiveTotal to research a known Nebula EK delivery subdomain linked to the Yugoslavian Business Network. From this one artifact, he determined a trove of information crucial to his investigation:

  • Via the PassiveDNS heatmap, he determined the age of the subdomain, which he found to be brand new
  • Pivoting on the IP address, he was able to see it was a Worldstream IP out of the Netherlands
  • Seeing the WHOIS information, he got a name, email, organization, and phone number of someone (cheekily) calling themselves Brian Krebs

Fig-1 WHOIS information for the subdomain listed in PassiveTotal

Swanson found 114 further domains registered with “Kreb’s” nista@pusikurac.com e-mail address and phone number. Pivoting on these domains returned only one IP address, which meant the group relied heavily on subdomains. This information provided crucial context to his investigation, which ultimately helped him conclude that Nebula is a new iteration of the Sundown exploit kit, probably operated by the Yugoslavian Business Group or a closely related group of actors.

You can see Swanson’s public project here.

Powering the Investigation of Israel Electric Company

According to ClearSky Cyber Security, RiskIQ’s Host Pairs data set helped uncover infrastructure belonging to a threat group targeting Israel Electric Company, the largest supplier of electrical power in Israel. Host pairs are a unique PassiveTotal data set; the connections they record can range from a top-level redirect (HTTP 302) to something more complex like an iframe or script source reference. What makes this data set compelling is that it gives researchers the ability to understand relationships between hosts based on details observed when visiting the actual page. Host Pairs relies on knowing website content, so it is likely to surface values that other sources like passive DNS and SSL certificates do not.
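To make the host-pairs idea concrete, here is an added example (not RiskIQ's crawler or PassiveTotal code) that derives parent-to-child host relationships from a fetched page the same way the data set is described: a 302 Location header, iframe and script `src` attributes, and meta-refresh targets. The page content and every hostname below are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _LinkCollector(HTMLParser):
    """Collect (cause, url) for iframe/script sources and meta-refresh targets."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names
        if tag in ("iframe", "script") and a.get("src"):
            self.targets.append((tag, a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")  # e.g. "0;url=http://..."
            if "url=" in content.lower():
                self.targets.append(("meta-refresh", content.split("=", 1)[1].strip()))


def host_pairs(parent_url, html, redirect_location=None):
    """Return {(parent_host, child_host, cause)} for cross-host references.

    redirect_location is the Location header seen when fetching parent_url
    (the HTTP 302 case). Same-host references are dropped: they say nothing
    about third-party infrastructure, which is what a pivot needs.
    """
    parent_host = urlparse(parent_url).hostname
    found = [("redirect", redirect_location)] if redirect_location else []
    collector = _LinkCollector()
    collector.feed(html)
    found.extend(collector.targets)
    pairs = set()
    for cause, target in found:
        child_host = urlparse(urljoin(parent_url, target)).hostname
        if child_host and child_host != parent_host:
            pairs.add((parent_host, child_host, cause))
    return pairs


# Constructed page: one local script, one third-party script, one hidden iframe.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.third-party.test/lib.js"></script>
</head><body>
<iframe src="http://child-host.test/view.jsp?pagenum=1" width="1" height="1"></iframe>
</body></html>"""


def demo():
    return host_pairs("https://www.parent-site.test/index.html", SAMPLE_PAGE)
```

Running `demo()` yields two pairs (script and iframe); the local `/static/app.js` is filtered out because it resolves to the parent host.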

According to ClearSky’s blog, between April 2016 and February 2017, the threat group spread malware via breached Israeli websites, as well as self-hosted and cloud-based sites. Within the site journey-in-israel[.]com, the attackers inserted exploit code for CVE-2014-6332, a Windows code execution vulnerability. The attackers also registered and built the malicious websites:

  • users-management[.]com
  • sourcefarge[.]net (similar to the legitimate software website sourceforge.net)

According to PassiveTotal, the latter was redirecting to journey-in-israel[.]com and iec-co-il[.]com, which is confirmed below:


Fig-2 The Host Pairs data set shows “sourcefarge” pointing to the malicious URLs via a redirect

The PassiveTotal public project for this campaign, dubbed “Operation Electric Powder,” which includes all the artifacts used by the threat actors, can be found here.

Pairing Infrastructure with the Lazarus Group

Host pairs were also used in an investigation of threat actors installing unauthorized code on the websites of Polish banking establishments and using them against the computer systems of global monetary institutions. According to a report by the Wall Street Journal, these attacks share traits with the 2014 assault on Sony Corp linked to the Lazarus Group.

A preliminary investigation by BadCyber suggests that the starting point for the infection could have been located on the web server of the Polish financial sector regulatory body, the Polish Financial Supervision Authority (www.knf.gov.pl). Due to a slight modification of one of the local JS files, an external JS file was loaded, which could have executed malicious code on selected targets.

The investigation used PassiveTotal’s Host Pairs to confirm that the attack originated from external sources. Below, under the “Host Pairs” tab in PassiveTotal, you can see RiskIQ crawlers observed the KNF website pointing to the malicious URLs via an iframe:

  • [http]://www[.]sap.misapor.ch/vishop/view.jsp?pagenum=1
  • https://www[.]eye-watch.in/design/fancybox/Pnf.action


Fig-3 Host Pairs show the KNF.gov website referencing two URLs cited as malicious by BadCyber

About PassiveTotal

PassiveTotal’s ever-expanding data provides new context on adversaries’ infrastructure and now includes deeper monitoring capabilities. Security teams can be alerted in real time to changes in DNS and domain resolution, WHOIS registration, and the appearance of other new keywords of interest. The latest release also includes a project workflow to quickly organize and group related threat infrastructure components found during investigations. This allows analysts and research teams to be more effective and agile in their investigations.

For more on RiskIQ’s unique internet data sets, download Using Internet Data Sets to Understand Digital Threats.
