External Threat Management
November 19, 2021
This year, our goal is to help brands fight back by sharing approachable ways for beginners and seasoned cybersecurity professionals alike to keep their organizations safe. Phishing and other malicious sites have distinct characteristics we can use to identify and defeat them. These 'red flags' help distinguish legitimate pages, apps, and URLs from those spun up by threat actors to target brands and their customers.
You don't need a holiday miracle to keep your brand and organization safe this holiday shopping season. We hope this guide will be a force multiplier and empower e-commerce stakeholders to overcome resource shortages or cyber skills gaps and identify the threats endemic to the holiday shopping season.
November 17, 2021
Aggah is a threat group known for espionage and information theft worldwide, as well as its deft use of free and open-source infrastructure to conduct its attacks. We've recently reported that the group is linked with the Mana Tools malware distribution and command and control (C2) panel. RiskIQ recently identified a new Aggah campaign via our global monitoring of malicious VBScript code posted on websites.
In this latest campaign, operators deployed clipboard hijacking code that watches the victim's clipboard for a cryptocurrency address and silently replaces it with an address controlled by the actor, so that a copied-and-pasted payment goes to the attacker. The same code also drops several additional malicious files.
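Two checks a defender can build from that description, as an added example that is not RiskIQ's code or the campaign's actual script: a scanner that flags script text combining clipboard-write API calls with a hard-coded wallet address (the shape of monitoring "malicious VBScript code posted on websites"), and an endpoint-side comparison that catches a swap between what the user copied and what ended up on the clipboard. The VBScript snippet and every wallet address below are constructed for the example; the address regexes are shape checks only and do not validate checksums.

```python
import re

# Constructed sample, NOT the Aggah campaign's actual code: a VBScript-style
# snippet that reads the clipboard and overwrites it with a hard-coded wallet.
SAMPLE_SCRIPT = '''
Set objHTML = CreateObject("htmlfile")
strClip = objHTML.ParentWindow.ClipboardData.GetData("text")
If Len(strClip) > 25 Then
    objHTML.ParentWindow.ClipboardData.SetData "text", "1CampaignTestAddrNotRea1xyz2345678"
End If
'''

# Indicators of clipboard access across common scripting surfaces.
CLIPBOARD_APIS = [
    r"ClipboardData\.(?:GetData|SetData)",            # VBScript/JScript via htmlfile
    r"navigator\.clipboard\.(?:readText|writeText)",  # browser JavaScript
    r"(?:Get|Set)-Clipboard",                         # PowerShell cmdlets
    r"(?:Get|Set)ClipboardData",                      # Win32 API names
]

# Address shapes for a few popular chains (format only, no checksum).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"\b(?:bc1[a-z0-9]{25,39}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "eth": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
    "ltc": re.compile(r"\b(?:ltc1[a-z0-9]{25,39}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})\b"),
}


def find_addresses(text):
    """Return {chain: sorted unique address literals} found in text."""
    found = {}
    for chain, pat in ADDRESS_PATTERNS.items():
        hits = pat.findall(text)
        if hits:
            found[chain] = sorted(set(hits))
    return found


def find_clipboard_apis(text):
    """Return the distinct clipboard API tokens present in text."""
    return sorted({m.group(0) for p in CLIPBOARD_APIS for m in re.finditer(p, text)})


def score_script(text):
    """Flag scripts that both write the clipboard and embed a wallet address."""
    apis = find_clipboard_apis(text)
    addrs = find_addresses(text)
    writes = any(("Set" in a) or ("write" in a) for a in apis)
    return {"clipboard_apis": apis, "addresses": addrs,
            "suspect": bool(writes and addrs)}


def detect_swap(copied, clipboard_now):
    """Compare what the user copied with the clipboard's current contents.

    Returns (chain, original, replacement) when an address of the same chain
    was replaced by a different one, else None.
    """
    before, after = find_addresses(copied), find_addresses(clipboard_now)
    for chain, originals in before.items():
        for repl in after.get(chain, []):
            if repl not in originals:
                return (chain, originals[0], repl)
    return None


if __name__ == "__main__":
    print(score_script(SAMPLE_SCRIPT))
    print(detect_swap("send to 1Victim5Wa11etAddrForDemo6789abcdef",
                      "send to 1CampaignTestAddrNotRea1xyz2345678"))
```

The scanner deliberately requires both signals: clipboard reads alone are common in benign code, and wallet literals alone appear on donation pages. The swap check is the user-facing mitigation: a wallet or payment UI can compare the copied text with the clipboard just before paste and refuse to proceed when the address changed.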
November 03, 2021
In early 2021, RiskIQ first detected a new phishing campaign targeting PayPal. The campaign, authored by an actor calling themself "Vagabon," looks to collect PayPal login credentials and complete credit card information from the victim.
The kit doesn't display many unique characteristics and is a textbook example of a "Frankenstein" kit. In this increasingly popular trend, threat actors piece together new phish kits from modular, free, or readily available kits and services.
October 27, 2021
Relevant, actionable threat intelligence gives security teams line-of-sight to attackers and threat systems and infrastructure. Modern, dynamic security intelligence should have five critical elements fully loaded and operationalized. Recently, RiskIQ released a white paper reviewing these five fundamental tenets of a next-gen security intelligence program that give your organization a distinct advantage over its cyber assailants.
Over the past several months, RiskIQ has led a cyberthreat workshop program that covers each of these tenets. These five sessions have helped hundreds of cybersecurity pros map their organizations' digital attack surface, its risks and dependencies, and the actors targeting it, so they can stay ahead of adversaries. Below, get the rundown on each of the five tenets and watch the workshops on demand.
October 21, 2021
Discord, a popular VoIP, instant messaging, and digital distribution platform used by 140 million people in 2021, is being abused by cybercriminals to deploy malware files.
Users can organize Discord servers into topic-based channels in which they share text or voice messages. Any type of file can be attached within the text-based channels, including images, document files, and executables. These attachments are stored on Discord's Content Delivery Network (CDN) servers and are served over a public HTTPS link that works outside Discord, which is what makes the platform useful as free, reputable-looking malware hosting.
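A practical check built from that behaviour, as an added example that is neither RiskIQ's code nor a Discord feature: pull Discord CDN attachment links out of proxy logs, split them into channel and attachment identifiers so repeated channels can be pivoted on, and flag filenames with executable or archive extensions. The URL shape `https://cdn.discordapp.com/attachments/<channel_id>/<attachment_id>/<filename>`, the second host `media.discordapp.net`, and the log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Assumed attachment URL shape (an assumption for this example):
#   https://cdn.discordapp.com/attachments/<channel_id>/<attachment_id>/<filename>
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
ATTACHMENT_PATH = re.compile(r"^/attachments/(\d+)/(\d+)/([^/?#]+)$")
RISKY_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".vbs", ".js",
    ".jar", ".hta", ".iso", ".img", ".zip", ".rar", ".7z",
}
URL_RE = re.compile(r"https?://\S+")

# Constructed proxy log lines (not real traffic): "<ts> <src> <method> <url> <status>"
SAMPLE_LOGS = """\
2021-10-21T09:12:03Z 10.1.4.22 GET https://cdn.discordapp.com/attachments/123456789012345678/987654321098765432/invoice.exe 200
2021-10-21T09:12:10Z 10.1.4.22 GET https://cdn.discordapp.com/attachments/123456789012345678/987654321098765433/team_photo.png 200
2021-10-21T09:13:55Z 10.1.4.31 GET https://media.discordapp.net/attachments/222222222222222222/333333333333333333/setup.zip 200
2021-10-21T09:14:02Z 10.1.4.31 GET https://example.com/downloads/setup.zip 200
"""


def parse_attachment(url):
    """Return (host, channel_id, attachment_id, filename) for a Discord CDN
    attachment URL, or None for anything else."""
    parts = urlsplit(url)
    if parts.hostname not in DISCORD_CDN_HOSTS:
        return None
    m = ATTACHMENT_PATH.match(parts.path)
    if not m:
        return None
    return (parts.hostname, m.group(1), m.group(2), m.group(3))


def is_risky(filename):
    """True when the attachment is an executable, script, or archive."""
    name = filename.lower()
    return any(name.endswith(ext) for ext in RISKY_EXTENSIONS)


def scan_logs(text):
    """Extract every Discord CDN attachment fetch from log text."""
    findings = []
    for line in text.splitlines():
        for url in URL_RE.findall(line):
            att = parse_attachment(url)
            if att is None:
                continue
            host, channel_id, attachment_id, filename = att
            findings.append({
                "source": line.split()[1],
                "host": host,
                "channel_id": channel_id,
                "attachment_id": attachment_id,
                "filename": filename,
                "risky": is_risky(filename),
            })
    return findings


def by_channel(findings):
    """Group findings by channel id: one channel serving many hosts or many
    risky files is the pivot worth hunting on."""
    groups = {}
    for f in findings:
        groups.setdefault(f["channel_id"], []).append(f)
    return groups


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f["source"], f["channel_id"], f["filename"], "RISKY" if f["risky"] else "")
```

Blocking the CDN hosts outright is usually not an option where Discord is sanctioned, so the useful controls are the narrower ones shown: alert on executable or archive extensions, and pivot on the channel identifier, since one attacker-controlled channel tends to serve many payloads to many victims.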
October 19, 2021
Attack surfaces are massive, and significantly different from what they were in the past. Not long ago, cybersecurity for an organization was like defending a building: a relatively straightforward, one-dimensional task. Organizations today have turned into sprawling cities, with expanding neighborhoods, unmapped alleyways, and ever-changing borders. Yet, in many ways, many organizations still defend this new, broader attack surface as they did more than a decade ago.
In today's enterprise attack surface, there is simply far more for threat actors to target than ever before. Additionally, the less awareness an organization has of its attack surface, the slower it can respond when attacks happen.
October 06, 2021
Knowing an adversary's infrastructure and its connections helps security teams map, monitor, and track that infrastructure and its composition: malware, suspicious activity, threat capabilities, shared attack tools, and the relationships among them across the worldwide attack surface.
As part of our ongoing research into malware distribution infrastructure, we investigated "Mana Tools," a malware distribution and command and control (C2) panel associated with several big names in the malware world, including RevengeRat, AzoRult, Lokibot, Formbook, and Agent Tesla.
Mana Tools was first reported in 2019 by Yoroi researchers who identified it as a fork of the AzoRult 3.2 malware created by a Pakistani actor known as Hagga. The Mana Tools logo appears on current samples of the Mana Tools panel. Using RiskIQ's dataset, we were able to find several Mana Tools login pages.
September 30, 2021
Cybersecurity has gotten pretty tough lately. Today's teams contend with an ever-growing IT ecosystem accelerated by critical digital transformation efforts and moving workforces into remote environments. At the same time, they're managing a rapidly evolving threat landscape composed of both sophisticated nation-state actors and a crush of low-level criminals armed with off-the-shelf crimeware. All told, cybercrime now costs organizations a whopping $1,797,945 per minute.
As cyberthreats increase, security analysts are our first line of defense. Their skills, know-how, and passion for their work meet attackers head-on. Unfortunately, these analysts often lack the resources, technology, and latest techniques to defeat them.
September 22, 2021
RiskIQ has tracked Magecart since skimmers first surfaced in 2016 and burst into the headlines in the landmark attack against British Airways. In the time since, our researchers have cataloged hundreds of iterations of Magecart skimmers as different threat groups build, appropriate, tweak, and develop them to suit their unique purposes.
Despite their ongoing changes, these skimmers often maintain enough of the same characteristics and infrastructure for keen eyes to link them to past attacks and the responsible groups. In the case of the newly identified "bom" skimmer, which has been deployed on dozens of counterfeit online stores, distinct features and TTPs linked us directly to its predecessor skimmers, including the widespread MakeFrame version. It also pointed us to its operators, Magecart Group 7.