November 08, 2017
On November 6, 2017, cyber-security company Volexity released a blog post highlighting an espionage campaign targeting ASEAN nations via compromised websites and typosquatting infrastructure. The campaign is believed to be linked to the OceanLotus Group, also known as APT32, which has carried out targeted attacks against foreign governments, private companies, journalists, and dissidents, potentially on behalf of Vietnam. Because the group used compromised web infrastructure as its avenue of attack, RiskIQ's global network of web crawlers yielded data that gave greater context around the campaign, shedding light on its scope and scale, including more than 140 compromised parent websites.
This data, which can be found in RiskIQ Community Edition, added several new layers to the investigation below.
Diving Into OceanLotus
Examining the associations between the infrastructure identified by Volexity and RiskIQ's web crawling data in RiskIQ Community Edition surfaces connections indicating that the campaign has been active since at least February 2016. Investigating this malicious infrastructure for redirection sequences, links, and dependent requests in RiskIQ's Host Pair data shows that the malicious domain ad[.]adthis[.]org has a script association to danchimviet[.]info, an online Vietnamese newspaper first seen by RiskIQ on February 1, 2016.
July 05, 2017
John is a tier-two threat analyst on a five-person SOC team at a public sector organization. He uses RiskIQ PassiveTotal daily during incident response to investigate indicators of compromise (IOCs) with minimal false positives.
The team leverages the relationships between the highly connected data sets collected by RiskIQ inside the PassiveTotal platform, pivoting on them to surface new connections, group similar attack activity, and substantiate assumptions about each IOC.
However, John's team did not always use RiskIQ PassiveTotal.
Once upon a time, they used a manual, highly segmented workflow built from a cocktail of different tools. According to John, below is what a typical incident response looked like for him in the pre-PassiveTotal days. We will use as the example an IP from a recent event in which the Lazarus Group attacked Polish banks.
The IP 109[.]164[.]247[.]169 is flagged by the IDS.
June 21, 2017
As part of our research process, RiskIQ pairs open source indicators with our internet data sets to surface more connections that may be relevant to defenders. When the Citizen Lab published new research exposing abuse against civil society in Mexico, including journalists and reporters, using tools created by the NSO Group, I was able to apply infrastructure chaining in RiskIQ PassiveTotal to build on the artifacts identified in the report.
The Citizen Lab report contains ten domains we can use as a starting point for research. Searching for them in PassiveTotal, we observed several overlapping details in WHOIS records and one key IP address. The WHOIS record for fb-accounts[.]com gives us viable pivot points with which to identify more connections.
Using just the registrant email (shown as email@example.com) as an example, we not only identify never-before-classified infrastructure but also see infrastructure previously reported by the Citizen Lab and associated with the NSO Group.
June 16, 2017
Also by Steve Ginty
The cyber threat actor group Turla is leaving behind breadcrumbs in the form of trackers. Turla, infamous for its 2016 targeted attack campaigns aimed at visitors to foreign affairs, embassy, and visa and passport websites, continues to run watering hole campaigns against those same visitors, research shows.
Visitors to these websites, many of which are listed in the RiskIQ PassiveTotal Public Project dedicated to Turla, are redirected to malicious command and control servers by a code snippet the threat actor inserted into the original page. According to a recent WeLiveSecurity post, the attackers added a reference to Clicky, a real-time web analytics service, to the compromised pages. This tracking code (recorded as the tracker ClickyId100673048) acted as a cover for the appended script, making it appear legitimate to a cursory or novice examination.
When investigating attack campaigns like this, every piece of information matters for tracking down and stopping threats against your organization. The Clicky ID is visible inside RiskIQ PassiveTotal: clicking on one of the domains in the Public Project, www.namibianembassyusa[.]org, and pivoting on the "trackers" data set lists the rest of the domains Turla compromised with the same tracker.
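As an added example (not code from the original post or from RiskIQ), the following Python shows how the two artifacts used above are extracted from a single crawled page: external script hosts, which become Host Pair records, and the Clicky site ID, which becomes a tracker record. The sample HTML is constructed; the host names other than static.getclicky.com are placeholders, and the Clicky ID is the one reported above. The parser handles both the classic `clicky_site_ids.push(...)` snippet and the `data-id` attribute form of the Clicky tag.

```python
"""Extract the artifacts a crawler would record from one fetched page (added example).

The HTML below is constructed for illustration; it does not reproduce any
compromised page, and the host names other than static.getclicky.com are
placeholders. The Clicky site ID is the one reported above for Turla.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

CLICKY_HOST = "static.getclicky.com"
# Classic Clicky snippet: var clicky_site_ids = ...; clicky_site_ids.push(<id>);
CLICKY_PUSH = re.compile(r"clicky_site_ids\.push\(\s*(\d+)\s*\)")
# Hosts named in inline JavaScript. Script tags built with createElement are
# invisible to a static parser (one reason crawlers use real browsers), so we
# at least record the hosts the inline code names. A URL inside a JS comment
# would also match; that is an accepted trade-off for a triage tool.
JS_URL_HOST = re.compile(r"(?:https?:)?//([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


class PageArtifacts(HTMLParser):
    """Collect external script hosts (host pairs) and tracker IDs from HTML."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.base = f"https://{page_host}/"   # for resolving relative src values
        self.child_hosts = set()
        self.trackers = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if src:
            host = urlsplit(urljoin(self.base, src)).hostname
            if host and host != self.page_host:      # same-origin scripts are not pairs
                self.child_hosts.add(host)
            data_id = a.get("data-id") or ""
            if host == CLICKY_HOST and data_id.isdigit():
                self.trackers.add(("clicky", data_id))
        self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        for site_id in CLICKY_PUSH.findall(data):
            self.trackers.add(("clicky", site_id))
        for host in JS_URL_HOST.findall(data):
            if host.lower() != self.page_host:
                self.child_hosts.add(host.lower())


def extract(page_host, html):
    """Return the host-pair and tracker records for one crawled page."""
    p = PageArtifacts(page_host)
    p.feed(html)
    p.close()
    return {
        "host_pairs": sorted((page_host, h) for h in p.child_hosts),
        "trackers": sorted(p.trackers),
    }


# Constructed sample page: a legitimate-looking site with a tracker snippet of
# the kind described above. The malicious script it covered for is omitted.
SAMPLE_PAGE = """<html><head>
<title>Embassy site (constructed sample)</title>
<script src="/js/site.js"></script>
<script src="https://cdn.static-host.example/jquery.min.js"></script>
</head><body>
<p>Visa and passport services</p>
<script type="text/javascript">
var clicky_site_ids = clicky_site_ids || [];
clicky_site_ids.push(100673048);
(function() {
  var s = document.createElement('script');
  s.type = 'text/javascript'; s.async = true;
  s.src = '//static.getclicky.com/js';
  ( document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0] ).appendChild( s );
})();
</script>
</body></html>"""

if __name__ == "__main__":
    print(extract("www.embassy-sample.example", SAMPLE_PAGE))
```

The tracker record is what makes the pivot possible: once every crawled page carries its `("clicky", id)` tuples, asking "which other parent hosts embed this ID" is a lookup rather than a manual review of page source.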
May 25, 2017
The cookie data set in RiskIQ PassiveTotal is fresh from the oven.
When most people hear the word cookies, they imagine fresh-baked confectionery treats. Here at RiskIQ, however, we think of web crawling, browser sessions and, most importantly, data. After several weeks of testing, we are happy to release a new data set into PassiveTotal: cookies.
For those not familiar with web cookies, they are small pieces of data a server sends to a client, which the browser returns on later requests as the user browses the internet. These values sometimes hold application state or small bits of tracking data. In previous blog posts, we highlighted how RiskIQ crawlers work and noted that cookies are one of the many data items we collect and store. With this new data set inside PassiveTotal, analysts can now make connections using web cookie data. As with any pivot, a cookie name is only useful when it is rare; generic names such as PHPSESSID link essentially every PHP site and should not be used to chain infrastructure.
Let's take a real-world example to show the value this new data set can bring to your threat investigations. Several months ago, Forcepoint blogged about several legitimate websites that appeared to have been compromised by suspected Russian actors. Viewing the various indicators inside PassiveTotal showed linkages to the known malicious command and control servers through our "Host Pairs" data set (Figure-1).
While testing the new cookie data set, we revisited several PassiveTotal public projects to see whether we could find anything interesting. Viewing some of the websites compromised by the Russian actors, we observed an interesting cookie artifact (Figure-2).
May 23, 2017
The Citizen Lab is an interdisciplinary research group at the Munk School of Global Affairs, University of Toronto, that investigates targeted digital espionage operations against civil society groups. We are dependent on the generous support of companies, like RiskIQ, to help us access and work with cyber threat intelligence products for our research.
Citizen Lab has been making key discoveries with RiskIQ PassiveTotal since the beginning of the service in May 2014. PassiveTotal is essential to our investigative and research workflow, and recently, a search using PassiveTotal led to the discovery of NSO Group’s Pegasus malware and iOS 0day delivery infrastructure, as well as other malware, phishing, and disinformation campaigns in the Middle East, Latin America, and the Tibetan community.
Million Dollar Dissident: A RiskIQ PassiveTotal Jackpot
While investigating the Stealth Falcon operation, a cyber threat actor targeting UAE dissidents, we ran a series of IP addresses through RiskIQ PassiveTotal. It returned to us a domain, as well as an email address that looked different from the Stealth Falcon infrastructure we were familiar with.
May 03, 2017
The RiskIQ PassiveTotal team continually strives to improve the platform's capabilities and make it easier for our analyst community to investigate threats, track actor groups, and proactively monitor malicious infrastructure in an ever-evolving threat environment. Today, we are happy to announce the launch of our updated API, which adds project and monitoring capabilities to our endpoints, making it easier to interact with the platform and integrate PassiveTotal into your security operations.
Projects let users organize investigative leads and easily collaborate with colleagues on research. Organizations can now create and manage projects directly from the API, enabling them to quickly add, delete, or update the artifacts in any given project, either individually or in bulk.
April 04, 2017
Also by Sunder Srinivasan
When we relaunched PassiveTotal with RiskIQ, we took the opportunity to re-implement the user experience (UX) of the site, hoping to improve both information architecture and workflow. With so many changes to the experience, we knew we would have to follow up with interviews, testing, and analytics to determine whether our changes were for the better. The feedback has been positive, but certain recurring themes from our interviews pointed at ways to improve the analyst experience:
- Relevant Data was not visible right when the page loaded
- Project workflow was confusing
March 28, 2017
Civil society groups such as journalists, humanitarians, and activists face the same level of threat from targeted digital espionage as major companies and governments, but have fewer resources to defend themselves. The Citizen Lab, an interdisciplinary research group based at the Munk School of Global Affairs, University of Toronto, is their guardian.
Often, the threat actors that target civil society groups also go after well-resourced governments and businesses and are equipped accordingly. Their civil society victims, however, are usually limited in their capacity to identify and mitigate threats, even when the consequences can mean imprisonment or physical harm.
Infrastructure Chaining with PassiveTotal
RiskIQ PassiveTotal™ helps the Citizen Lab enrich its investigations of targeted espionage operations by mapping their infrastructure and noting how it changes. The unique Internet data sets in PassiveTotal—such as Host Pairs, WHOIS, and DNS—are sorted, classified, and monitored over time to provide a complete picture of digital adversaries. Infrastructure chaining, a process that leverages the relationships between these highly connected data sets to build out a thorough investigation, allows the Citizen Lab to surface new connections, group similar attack activity, and substantiate assumptions.
Starting from a single point, analysts can look at any connected data set to find more indicators. Each branch they follow at each stage of the investigation stays linked back to the original starting point. This process uses the highly connected nature of internet data to expand one indicator into many based on overlapping details or shared characteristics, and it is self-documenting in the sense that any other analyst can see how the connections were made from one data set to the next.
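As an added example (not code from the original post or from RiskIQ), the following Python implements the infrastructure chaining described here over the four kinds of records the posts above pivot on: Host Pairs (the script association in the OceanLotus post), trackers (the Clicky ID in the Turla post), cookies, and WHOIS registrant email. All records are constructed placeholders, not observations from PassiveTotal or from the cited reports. The breadth-first expansion keeps the path that led to each indicator, which is what makes the chain self-documenting, and it refuses to expand through artifacts shared by too many hosts, since a ubiquitous CDN, analytics ID, or privacy-proxy email links unrelated infrastructure.

```python
"""Infrastructure chaining over crawl-derived data sets (added example).

Every record below is constructed for illustration. The host names, tracker
ID, cookie name and e-mail address are placeholders, not observations from
RiskIQ PassiveTotal or from the reports discussed on this page.
"""
from collections import deque

# Host pairs: a crawl of `parent` caused a request to `child` (a <script src>,
# an iframe, a redirect). Direction matters for reading, not for pivoting.
HOST_PAIRS = [
    ("news.example", "ad.tracker-cdn.example"),
    ("embassy.example", "ad.tracker-cdn.example"),
    ("ad.tracker-cdn.example", "c2.example"),
]
# Trackers: a page embedding an analytics ID (the prefix marks the data set).
TRACKERS = [
    ("embassy.example", "clicky:100000000"),
    ("visa.example", "clicky:100000000"),
]
# Cookies: a host that set a cookie with this name during the crawl.
COOKIES = [
    ("visa.example", "cookie:__session_zz"),
    ("c2.example", "cookie:__session_zz"),
]
# WHOIS: a domain and its registrant e-mail.
WHOIS = [
    ("c2.example", "email:registrant@mail.example"),
    ("login-verify.example", "email:registrant@mail.example"),
]
DATASETS = {"host_pairs": HOST_PAIRS, "trackers": TRACKERS,
            "cookies": COOKIES, "whois": WHOIS}


def build_graph(datasets):
    """Undirected adjacency: node -> {neighbour: set of data sets linking them}."""
    graph = {}
    for name, pairs in datasets.items():
        for a, b in pairs:
            graph.setdefault(a, {}).setdefault(b, set()).add(name)
            graph.setdefault(b, {}).setdefault(a, set()).add(name)
    return graph


def pivot(graph, artifact, dataset):
    """One pivot: every node linked to `artifact` through `dataset`."""
    return sorted(n for n, via in graph.get(artifact, {}).items() if dataset in via)


def chain(graph, start, max_depth=4, max_fanout=10):
    """Breadth-first infrastructure chaining from `start`.

    Returns {indicator: path}; path is the list of (data_set, node) steps that
    led from `start` to the indicator, so another analyst can see how each
    connection was made. A node with more than `max_fanout` neighbours (a
    shared CDN, a ubiquitous analytics ID, a privacy-proxy e-mail) is recorded
    but not expanded, since pivoting through it links unrelated infrastructure.
    """
    paths = {start: []}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        neighbours = graph.get(node, {})
        if depth >= max_depth or len(neighbours) > max_fanout:
            continue
        for neighbour, via in neighbours.items():
            if neighbour not in paths:
                paths[neighbour] = paths[node] + [("+".join(sorted(via)), neighbour)]
                queue.append((neighbour, depth + 1))
    return paths


def new_hosts(paths, start):
    """Host names reached from `start`, leaving out the non-host artifacts."""
    return sorted(n for n in paths if n != start and ":" not in n)


def explain(paths, start, indicator):
    """Render the documented path from `start` to one indicator."""
    text = start
    for dataset, node in paths[indicator]:
        text += f" -[{dataset}]-> {node}"
    return text


if __name__ == "__main__":
    g = build_graph(DATASETS)
    found = chain(g, "news.example")
    for host in new_hosts(found, "news.example"):
        print(explain(found, "news.example", host))
```

Starting from the single compromised news site, the chain reaches the C2 host through the shared script, then a phishing-style domain through the registrant email, and a second compromised site through the tracker ID. Lowering `max_fanout` to 2 stops the expansion at the shared script host, which is the behaviour you want when a pivot point turns out to be a popular CDN rather than attacker infrastructure.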