External Threat Management
June 16, 2021
In much of our recent analysis of threat infrastructure, we've seen the digital credit card skimming ecosystem grow as we uncover more actors, tooling, services, and economies that comprise it. We also see distinct patterns emerge in the infrastructure used and shared by these entities.
Over the last few years, Alibaba IP space has hosted many domains used for digital skimming and other malicious behavior. As bulletproof hosting providers host a considerable portion of skimming campaigns, the popularity of Alibaba IP space may result from one of these bulletproof services abusing Alibaba hosting services. Recently, some of these domains have also abused Google user content hosting.
While investigating infrastructure related to the MobileInter skimmer, our researchers found that a Google IP address briefly played host to one of its skimmer domains. This IP then hosted a domain offering a helpful service for card skimmers, allowing them to authenticate stolen payment data for a fee. From this data point, RiskIQ's Internet Intelligence Graph helped our researchers identify several related websites, services, and social media accounts connected to this authentication activity known as bit2check. Some bit2check domains share the same hosting pattern as Magecart domains observed abusing Alibaba and Google hosting services.
June 11, 2021
The Microsoft Exchange vulnerability was a global-scale security issue that affected thousands of organizations across the world. With the prevalence of Microsoft Exchange servers across the global attack surface, the sheer size of this incident goes well beyond security. In reality, this is a big data problem.
RiskIQ has continuously collected internet data for more than a decade, which lets us put the vulnerability's scope into context so our customers can respond rapidly. However, in the process, we noticed that not all countries are patching this critical vulnerability effectively.
The results of scans from our global sensors show that despite this being a ubiquitous issue, each country has reacted very differently, with patching success varying wildly across borders and continents.
How did different organizations and hosting providers fare in different regions around the world? We looked at our data to break it down:
June 04, 2021
The Sysrv-hello botnet is deployed on both Windows and Linux systems by exploiting multiple vulnerabilities, and its implant is installed via shell scripts.
Like many of the threat actor tools we've covered, it continuously evolves to fit the needs of its operators and stay ahead of security researchers and law enforcement.
Over time, there have been several slight changes in the shell scripts that install the Sysrv-hello implant on machines. There have also been incremental changes in how the executable gets deployed on host systems. In our latest threat intel analysis, RiskIQ researchers have identified one of its latest developments, including the use of drive-by downloads and two new Monero wallets.
May 27, 2021
The world has never been as vulnerable to cyber attacks as it is today. The sheer number of attacks organizations face, and the global scope of many of those attacks—the SolarWinds and the Microsoft Exchange vulnerabilities affected almost everyone—is putting today's CISOs on the hot seat.
In the past several months alone, there have been more than a dozen zero-day exploits, an unprecedented rate of successful infiltration that makes the lack of control and visibility for security leaders painfully evident.
Advanced persistent threats (APTs) are not only rising in frequency; their impact is increasingly devastating and widespread. Initially, the Microsoft Exchange vulnerability affected more than 400 thousand servers worldwide. These sophisticated attackers are taking advantage of the digital transformation that has extended the enterprise onto the internet, and of the internet's innate connectedness.
May 27, 2021
To truly understand the Magecart skimming groups that have become a mainstay of the e-commerce threat landscape, you have to understand the tools of the trade. The Inter Skimmer kit is one of today's most common digital skimming solutions globally. However, a hallmark of widely used skimmers is their propensity to evolve as more actors use and tweak them to suit their unique needs and purposes.
Several different actors have used the Inter kit to steal payment data since late 2018. It affects thousands of sites and likely thousands of consumers, and RiskIQ continues to see new iterations of Inter in our Internet Intelligence Graph. One of these that should be firmly on the radar of security teams monitoring their organization's web assets is MobileInter, a modified and expanded take on Inter skimmer code that focuses exclusively on mobile users.
With nearly three out of every four dollars spent online being spent via a mobile device, it's no wonder Magecart operators are looking to target this lucrative landscape. RiskIQ researchers have analyzed this newer model to determine its functionality, prevalence, and links to other skimmer activity.
May 20, 2021
DarkSide, the group behind the infamous ransomware used in the attack against Colonial Pipeline that caused a national panic and sent gas prices soaring, stated on May 13 that they were immediately ceasing operations.
DarkSide operators promised to issue decryptors for all ransomware targets and compensate for outstanding financial obligations by May 23. While news of the group's capitulation is welcomed, the danger associated with the threat actors that use its ransomware has not necessarily been neutralized.
DarkSide operates as a ransomware-as-a-service (RaaS), and its developers receive a share of the proceeds from its deployment by other malicious cyber actors known as affiliates. On May 11, 2021, FireEye released a Threat Intelligence report on the Tactics, Techniques, and Procedures (TTPs) used by three different DarkSide affiliates they identify as UNC2465, UNC2628, and UNC2659.
May 10, 2021
Defending your organization's attack surface in today's threat landscape is a global-scale challenge full of continuously changing elements.
Attacker tools have flooded the web, and advanced adversaries target massive vulnerabilities in ubiquitous systems used across the world. To defend their organizations, security teams need actionable threat intelligence that provides a bird's eye view of the global attack surface and shows precisely how their organization's unique Internet relationships fit inside it—and how these relationships are affected by new threats.
Unfortunately, analysts usually aren’t equipped with the threat intelligence they need. Often, they have intel that's too generic or entirely irrelevant to their organization’s attack surface. And, even if their threat intel is relevant and actionable, applying it across the teams, tools, and systems in their organization is an incredible challenge.
May 05, 2021
Versatile, easy to use, and widely available, TrickBot has become a favorite tool of threat actors of all skill levels and a formidable threat that security teams in all organizations should be familiar with.
Over the last five years, TrickBot has earned a reputation as a remarkably adaptive modular malware, with its operators regularly updating its software to be more effective and potent against a wide range of targets worldwide. Over its history, TrickBot has largely been propagated through phishing and MalSpam attacks, tactics that remain prominent in TrickBot operations today.
April 22, 2021
Though the Russian espionage campaign that compromised the SolarWinds supply chain is progressing, public-facing research into the campaign seems to have stopped. The last significant public-facing research into the SolarWinds campaign from the private industry came in March of 2021, more than a month before this publication. Since then, our collective understanding of the campaign has atrophied due primarily to the adversary's steps to thwart forensic analysis. These impediments to analysis impacted both the tactical and strategic responses to the campaign.
This gap in the analysis happened mainly because piecing together what has happened so far is exceptionally challenging. The threat actor, identified by the U.S. Government as APT29 but tracked in the private industry as UNC2452 (Nobelium, StellarParticle, Dark Halo), went to great lengths to avoid creating the type of patterns that make tracking them simple. For months, the Russians successfully compromised or blinded the very security companies and government agencies most likely to pursue them.
RiskIQ's Team Atlas detected, with high confidence, an additional 18 servers that likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware. These servers represent a 56% increase in the size of the adversary's known command-and-control footprint and will likely lead to newly identified targets after further analysis.