Blog

In part one of 'Adventures in Cookie Land', our researchers linked a cookie to a trove of new threat activity. In part two, we see just how far we can take this single indicator.

Digital web skimming attacks continue to increase. By now, anyone running an e-commerce shop is aware of the dangers of groups like Magecart, which infect a website every 16 minutes. 

However, to truly understand these skimmer groups, you have to understand the tools of the trade. The Inter Skimmer kit is one of today's most common and widely used digital skimming solutions globally. It has been involved in some of the most high-profile magecart attacks to date, most notably Group 7's breach of the Nutribullet website. 

RiskIQ has identified more than 1,500 sites compromised by the Inter skimmer, but the data theft tool is still misunderstood by those tasked with defending their organization against it. To demystify Inter, RiskIQ tapped our unmatched body of research into Magecart and its dozens of groups, open-source intelligence (OSINT), and our global internet telemetry. 

Organizations lack visibility into their digital assets, their external network of internet-connected services and devices growing wildly outside their firewalls to support a workforce that will be remote for the foreseeable future. 

The enterprise digital attack surface is now regularly in flux and no longer in the purview of most security controls. More internet devices and services stood up outside the firewall mean complexity goes up, and "non-standard" becomes the norm. Keeping tabs on its composition and the infrastructure of attackers targeting it is one of the most challenging jobs facing security teams today. While organizations grapple with their attack surface, attackers are more active than ever before. More than 375 new threats sprout up every minute, with a wave of phishing attacks, typosquat registrations, and disinformation taking advantage of the COVID-19 pandemic. 

In this new security environment, attack surface management and a 360-degree view of your attack surface. Deep insight across the public internet makes it not only possible but also manageable. 

Ransomware defense is a perpetual cat and mouse game between incident responders and attackers who are continuously evolving their tactics, tools, and strategy. With Ransomware attacks on the rise and costing the US a whopping $7.5 billion in 2019, SOCs and threat hunters must maintain full situational awareness to protect their organization and customers' data—and avoid massive material loss. However, ransomware defense is no easy task and requires a 360-degree view of your organization's attack surface. 

A Ransomware' Perfect Storm' is Brewing

Ransomware adversaries are a unique breed of threat actor with hyperspecialized tradecraft. Today, these professional cybercriminals form threat ecosystems of malware operators, fraud specialists, and black markets that enable best-of-breed intrusions. More professional criminals are joining the ransomware industry every day, bringing with them a focus on malware R & D and optimizing tactics. The result is a faster payout for actors, meaning increased frequency and volume of attacks. 

These cybercriminals are also now capitalizing on COVID-19 to up the success rate of their attacks. The remote workforce has presented security challenges for organizations, and the deluge of information and disinformation around the outbreak has provided ample bait to make intrusions easier. 

Attackers are more active than ever before, taking advantage of organizations' expanded attack surfaces outside the corporate firewall and across the internet. Phishing attacks, typosquat registrations, and disinformation campaigns aiming to take advantage of COVID-19 and political turmoil are running rampant. Security teams lacking visibility into this new attack surface are coming up dangerously short. 

RiskIQ has been collecting internet data for more than a decade to help organizations meet the challenge of this new generation of threats. The RiskIQ PassiveTotal App puts petabytes of this external Internet security intelligence into Splunk's Data-to-Everything Platform, giving security teams the visibility they need in a platform and workflow they already use. 

The app enables teams to investigate and respond to threats across their organization's attack surface by laying the RiskIQ Internet Intelligence Graph on top of Splunk data—all in one location—to show how internal assets interact with external infrastructure. With this 360-degree view of their attack surface, analysts have unparalleled context and intelligence to detect, investigate, and remediate IoC's and security events.

During major global events, threat actors take advantage of charged political environments and a prevailing overload of information to help lend credence to the delivery mechanisms they use to carry out malicious activity. This tactic has proven especially effective during the COVID-19 pandemic as scams purporting to contain information, news, and remedies related to the virus—many with a political lean—have saturated the internet. 

In "ScamNation," RiskIQ's latest research report, RiskIQ researchers leveraged our internet-wide visibility and unique data sets to identify and explicitly define scam ecosystems exploiting the pandemic for monetary gain through the spread of false information and the sale of fraudulent products online. The report identifies a network of "content farm" websites publishing misleading, highly partisan articles that have lately focused on COVID-19. Scammers use these sites to promote ads that lure users into "subscription traps," which, through misleading messaging and hidden language in the fine print, trap buyers into making monthly payments that are difficult, if not impossible, to escape.

Earlier this month, RiskIQ announced our Interlock Partner Program, making our Internet Intelligence Graph—RiskIQ's unique global view of the internet comprised of data from more than ten years of crawling the web—available in cybersecurity platforms around the world.

One of our first key integrations was the RiskIQ Illuminate app for CrowdStrike, which enriches CrowdStrike Falcon Insight detections with our internet-wide telemetry, enhancing internal alerts with external context. When automatically correlated with CrowdStrike Intelligence, RiskIQ's internet data sets boost incident response by enabling researchers to quickly search across an organization's endpoints for indicators of compromise or find activity related to suspicious indicators they observe on an endpoint.

During an investigation, the RiskIQ app automatically identifies impacted endpoints so analysts can understand all the related infrastructure belonging to a given threat actor. This way, companies can stay a step ahead of their adversaries and optimize their attack surface management.

Over the past several months, the enterprise attack surface has changed radically, and many security teams are struggling to catch up. The recent scramble to patch a dangerous security flaw in F5 Networks' BIG-IP product marked the beginning of a new reality facing the enterprise in the post-COVID world: network controls are coming up dangerously short. 

Organizations are lacking visibility into the external network of internet-connected services and devices growing wildly outside their firewalls to support a workforce that will be remote for the foreseeable future. However, these IP-connected assets aren't in the purview of most security controls. In fact, most organizations don't have any security controls for the new IT needed to enable remote employees, such as remote access devices, VPNs, and perimeter network devices.

The F5 hack wasn't the first critical vulnerability to come to light since widespread remote work began, and it's certainly won't be the last. Recent headlines have been full of dozens of new vulnerabilities found in these devices, including Cisco, Microsoft, Citrix, and IBM products. Each of these vulnerabilities can take down an organization, whether or not its security team knows it's part of its attack surface. 

Realizing they're invisible to many security teams, threat actors note these security flaws and use them as inroads for attacks. Both the US and Australian governments have advised companies to immediately address the recent spike in critical vulnerabilities, with US Cyber Command recommending that organizations patch both the F5 and PAN-OS vulnerabilities.

When the Covid-19 pandemic forced businesses to shift overnight, even companies with robust cybersecurity measures were caught unprepared.

A massive influx in remote employees, coupled with a boom in hacker activity, forced businesses to overlook best practices in the name of immediate convenience. In some cases, that meant connecting employees to networks without proper safety precautions. Wider digital attack surfaces presented a bounty of opportunities to unscrupulous actors looking to steal money, data, or both.

By now, most organizations have taken steps to reduce their exposure to threats and have educated employees on the importance of staying vigilant while working from home. These short-term measures will not last forever, though, nor do they replace the need for sweeping change. The pandemic changed the face of cybercrime overnight. Now, businesses must not only round out their responses to the current crisis but start preparing for what comes next.

New Remote Ecosystems

Companies should take this opportunity to invest in permanent remote work changes rather than using Band-Aids until employees can return to offices. Many employees may find that remote work suits their lifestyles better, and if one company won't honor their wishes, another will.

The age of remote work, recently in its infancy, hit a coronavirus-inspired growth spurt and has now become an awkward teenager. More businesses will soon reconsider what types of work employees can do remotely as the market demands a shift away from traditional environments. As that happens, companies will face sustained pressure from threat actors at new remote weak points.

Technology leaders can combat the repercussions of larger attack surfaces by investing in cybersecurity tools and better communication practices. IT departments should work with internal marketing teams and HR to develop regular reminders to keep employees' attention on good security habits while working remotely.

Short emails with actionable advice can help, but many employees don't fully internalize one-off communications. Companies should also conduct regular tests, and practice runs on dealing with potential bad actors to keep employees on their toes.

Executives and their teams should also use this chance to formalize layers of protection. Remote workers should use VPNs when working in company systems. Some employees may not welcome mandatory two-factor authentication, but they must be ready to embrace additional security for the convenience of remote work.

More Practiced Threat Actors

Threat actors typically seek the least effort for the highest return. Before the pandemic, that meant probing for weaknesses in company systems or using basic social manipulation on unsuspecting employees. In the future, threat actors will be able to review their most successful practices from pandemic times and adapt their strategies.

Think of hackers and opportunists as their own type of business. They A/B test different strategies, perform cost/benefit analyses on opportunities, and generally try to make more money than they lose. State-sponsored actors, with greater resources and a wider variety of motivations, may act differently. For the most part, though, companies can avoid becoming prey by making themselves as unappealing a target as possible.

In the face of more capable thieves, the safest businesses will be the ones with the least to steal. Businesses should only keep the customer information they need, so they don't lose that data (and take a big PR hit) in a breach. To combat more severe threats, technology leaders should rely on the latest cybersecurity tools, stay updated on industry trends, and conduct regular checks to patch vulnerabilities.

Back To Social Basics

To stay safe in a post-pandemic world, technology leaders must develop workforces prepared to act as the first line of defense against all manner of threats.

Social manipulators infiltrate secure systems by taking advantage of obvious human flaws. You can prevent the most straightforward attacks with basic rules, such as no writing passwords on sticky notes and mandatory two-factor authentication. Train employees to feel more comfortable with their technology, so they don't rely on unsafe and outdated practices.

Leaders are not exempt from these rules. A CEO may be a brilliant negotiator, but that same person may keep a small book of passwords in a desk drawer. A thief who knows the right address could slip through a window and gain access not only to cash and valuables but also to company logins with millions of dollars on the line. Even a simple Twitter password in the wrong hands could lead to crashing stocks, as evidenced by Elon Musk's latest comment.

Get buy-in from everyone, from the C-suite to the greenest employee. The future of cybersecurity is about cooperation and shared responsibility. Practice social manipulation avoidance, and stay updated with tools and technologies. Keep team members vigilant. Every remote and in-office worker should feel comfortable playing a role in a broader cybersecurity strategy.