Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
RiskIQ Digital Threat Management Platform Datasheet
Learn about our platform and products.
Read the Datasheet
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
March 14, 2017, Mike Browning
To try pivoting across RiskIQ’s unique internet data sets for yourself, sign up for RiskIQ Community Today.
Internet data sets help digital threat hunters investigate and expose the infrastructure being used by attackers against their organization so they can find, block, and prevent attacks.
Every day, security professionals are leveraging the relationships between the highly connected data collected by RiskIQ, pivoting on the unique data sets in PassiveTotal to surface new connections, group similar attack activity, and substantiate assumptions during incident response. Recently, there has been an abundance of examples of researchers using PassiveTotal to uncover clues that unmask the threat actors targeting them.
While researching the Nebula EK, threat researcher John Swanson used PassiveTotal to research a known Nebula EK delivery subdomain linked to the Yugoslavian Business Network. From this one artifact, he determined a trove of information crucial to his investigation:
Fig-1 WHOIS information for the subdomain listed in PassiveTotal
Swanson found an identical 114 domains registered with “Kreb’s” email@example.com e-mail address and phone number. Pivoting on these domains returned only one IP address, which meant the group relied heavily on subdomains. This information provided crucial context to his investigation, which ultimately helped him conclude that that Nebula is a new iteration on the Sundown exploit kit, probably operated by the Yugoslavian Business Group or a closely related group of actors.
You can see Swanson’s public project here.
According to ClearSky Cyber Security, RiskIQ’s Host Pairs data set helped uncover infrastructure belonging to a threat group targeting Israel Electric Company, the largest supplier of electrical power in Israel. Host pairs are a unique PassiveTotal data set, the connections of which can range from a top-level redirect (HTTP 302) to something more complex like an iframe or script source reference. What makes this data set compelling is it gives researchers the ability to understand relationships between hosts based on details from visiting the actual page. Host Pairs relies on knowing website content, so it’s likely to surface different values that other sources like passive DNS and SSL certificates do not.
According to ClearSky’s blog, between April 2016 and February 2017, the threat group spread malware via breached Israeli websites, as well as self-hosted and cloud-based sites. Within the site journey-in-israel[.]com, the attackers inserted an exploit code for CVE-2014-6332, a Windows code execution vulnerability. The attackers also registered and built the malicious websites:
sourcefarge[.]net (similar to legitimate software website sourceforge.net)
According to PassiveTotal, the latter was redirecting to journey-in-israel[.]com and iec-co-il[.]com, which is confirmed below:
Fig-2 The Host Pairs data set shows “sourcefarge” pointing to the malicious URLs via a redirect
The PassiveTotal public project for this campaign, dubbed “Operation Electric Powder,” which includes all the artifacts used by the threat actors, can be found here.
Host pairs were also used in an investigation of threat actors installing unauthorized code on the websites of Polish banking establishments and using them against the computer systems of global monetary institutions. According to a report by the Wall Street Journal, these attacks share traits with the 2014 assault on Sony Corp linked to the Lazarus Group.
A preliminary investigation by BadCyber suggests that the starting point for the infection could have been located on the web server of Polish financial sector regulatory body, Polish Financial Supervision Authority (www.knf.gov.pl). Due to a slight modification of one of the local JS files, an external JS file was loaded, which could have executed malicious code on selected targets.
The investigation used PassiveTotal’s Host Pairs to confirm that the attack originated from external sources. Below, under the “Host Pairs” tab in PassiveTotal, you can see RiskIQ crawlers observed the KNF website pointing to the malicious URLS via an iframe:
Fig-3 Host Pairs show the KNF.gov website referencing two URLs cited as malicious by BadCyber
PassiveTotal’s ever-expanding data provides new context to adversaries’ infrastructure and now includes deeper monitoring capabilities. Security teams can be alerted in real-time to changes in DNS and domain resolution, WHOIS registration, and the appearance of other new keywords of interest. The latest release also includes a project workflow to quickly organize and group related threat infrastructure components found during investigations. This allows analysts and research teams to be more effective and agile in their investigations.
For more on RiskIQ’s unique internet data sets, download Using Internet Data Sets to Understand Digital Threats.