Cyber Threat Landscape: How it’s Evolving & How to Respond


October 2, 2018, Team RiskIQ

Like many of the conflicts that we see in the world today, cyber threats have grown exponentially in size and scope, spreading from within the confines of the firewall to the whole internet.

Despite this sprawl, CISOs still spend significant money securing their perimeter, employing an average of 35 tools to do so. But this is mostly a reactive approach, and it no longer works. The problem is, in this new age of cyber attacks targeting organizations on the open internet, you can no longer wait for the threats to come to you.

The Cyber Threat Landscape Today

Today, spotting cyber threats lurking around the internet requires high-level visibility.

Organizations finding success in cyber security are those investing in surveillance and reconnaissance tools that can show how their digital attack surface appears to attackers: a collection of widely dispersed digital assets that can be exploited in a variety of ways.

Millions of these digital assets appear on the internet every day, most of which are entirely outside the scope of an organization’s security visibility. These can include legitimate items, but also threats like unknown websites, mobile apps that have been compromised to distribute malware, domain and brand infringement, unknown and unmonitored web components and dependencies, and imposter social media accounts.

The Magecart Effect: Ticketmaster, British Airways, and Newegg

Consider the recent breaches of Ticketmaster, British Airways, and Newegg by the credit card-skimming group Magecart.

In the case of the Ticketmaster breach, RiskIQ discovered it wasn’t an isolated incident but a worldwide campaign, executed by compromising widely used third-party analytics trackers, that affected tens of thousands of e-commerce sites. The affected brands had no visibility into the code running on their websites, so they were unaware of the compromise and powerless to protect their customers, many of whom had their data stolen directly from the site as they entered their payment information.

British Airways and Newegg were similarly vulnerable to web-based attacks. They were victimized by targeted attacks using unique skimmers that integrated with the victim’s payment system and blended in with its infrastructure, staying in place as long as possible. These attacks showed that Magecart is not limited to specific geolocations or specific industries—any organization that processes payments online is a target. The elements of the British Airways attack were all present in the attack on Newegg:

However, when brands understand what they look like from the outside in, they can begin developing a digital threat management program that allows them to discover everything associated with their organization on the internet, including third-party code on their site.

The tools providing insight and visibility into these assets leverage internet data to discover everything associated with an organization on the internet, both legitimate and malicious, and monitor them for compromise to help bring the massive scope of an attack surface into focus. With a wide-spanning, overhead view, organizations can take a proactive approach to defend their organizations and, if necessary, go on the offense against a threat rather than waiting to be breached.

A Unique Solution for a Unique Threat

RiskIQ’s network of web crawlers, which crawls more than two billion web pages a day, views and interacts with websites from the perspective of a user. It’s this unique perspective that allows us to detect web-based attacks like Magecart while no one else can.

When crawling a page, RiskIQ maps its structure and breaks it down to its smallest elements. This data is captured and stored in our massive databases to provide a point-in-time snapshot of how a page appears and functions, including its JavaScript. With this reference, we can observe changes, such as the addition of a Magecart skimmer, as they happen. It’s this proprietary historical data that allowed us to amend the official timeline of the Ticketmaster attack and prove that the Magecart skimmer was live on Newegg’s website for over a month.

Our researchers direct RiskIQ’s crawlers with custom detection policies they write while hunting for Magecart and taking note of their skimmers’ unique JavaScript signatures. From the petabytes of data these crawls collect, RiskIQ builds out static indexes including passive DNS, SSL certificates, host pairs (redirects), and web components. Pivoting on these data sets allows us to uncover Magecart’s tactics and identify victims. For example, our Components data set shows us all the sites running a third-party analytics script compromised by Magecart, and our Host Pairs data set shows relationships between websites running the Magecart skimmer.
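The snapshot-and-pivot approach described in the two paragraphs above, as an added example that is not RiskIQ’s crawler code: it fingerprints the scripts on a page (external scripts by host and URL, inline scripts by SHA-256 of their body), reports what changed between two crawls of the same page, and inverts the per-site snapshots into a script-host index so a defender can pivot from one compromised third-party script to every site loading it. The HTML pages, site names and script hosts are constructed for the example; nothing here is captured from a real site.

```python
"""Fingerprint the scripts on a page, diff two crawls, and pivot from a
script host to every site loading it.  Added example, not RiskIQ code;
all HTML, site names and script hosts below are constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects external <script src=...> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf).strip())


def snapshot(html):
    """Point-in-time fingerprint of a page's script inventory.

    External scripts are keyed by host and URL, inline scripts by the
    SHA-256 of their body, so an injected or modified script shows up as
    a new entry when two snapshots are diffed."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    items = set()
    for url in parser.external:
        items.add(("external", urlparse(url).netloc, url))
    for body in parser.inline:
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        items.add(("inline", digest, body[:40]))
    return items


def diff_snapshots(before, after):
    """Return (added, removed) entries between two crawls of the same page."""
    return after - before, before - after


def components_index(snapshots_by_site):
    """Invert site -> snapshot into script host -> sites: the 'Components' pivot."""
    index = {}
    for site, snap in snapshots_by_site.items():
        for kind, key, _ in snap:
            if kind == "external":
                index.setdefault(key, set()).add(site)
    return index


# Constructed pages.  Day 2 of shop-a is the same page with one extra
# third-party script, the kind of change a skimmer injection produces.
SHOP_A_DAY1 = """<html><head>
<script src="https://cdn.analytics-vendor.test/track.js"></script>
<script>window.cart = {items: []};</script>
</head><body>checkout</body></html>"""
SHOP_A_DAY2 = SHOP_A_DAY1.replace(
    "</head>",
    '<script src="https://stats-collector.test/loader.js"></script>\n</head>')
SHOP_B = '<html><head><script src="https://cdn.analytics-vendor.test/track.js"></script></head></html>'
SHOP_C = '<html><head><script src="https://cdn.other-vendor.test/ui.js"></script></head></html>'


if __name__ == "__main__":
    day1, day2 = snapshot(SHOP_A_DAY1), snapshot(SHOP_A_DAY2)
    added, removed = diff_snapshots(day1, day2)
    for entry in sorted(added):
        print("NEW script on shop-a.example:", entry)
    index = components_index({"shop-a.example": day1,
                              "shop-b.example": snapshot(SHOP_B),
                              "shop-c.example": snapshot(SHOP_C)})
    print("sites loading cdn.analytics-vendor.test:",
          sorted(index["cdn.analytics-vendor.test"]))
```

The same diff surfaces any newly injected third-party script, so a site owner who keeps dated snapshots of their own checkout pages can alert on an unexpected external host or a changed inline-script hash rather than learning about it from a breach notification.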

How Else are Brands being Targeted? A Breakdown of a Cyber Attack Surface

RiskIQ is uniquely suited to help brands detect web-based attacks like Magecart, but there are a variety of other reasons why global visibility can protect your brand, customers, and employees:

1. The Global Attack Surface Is Much Bigger Than You Think…

…and it’s growing every day. We deployed our web-crawling infrastructure—which each day executes and analyzes more than 2 billion HTTP requests, takes in terabytes of passive DNS data, collects millions of SSL Certificates, and monitors millions of mobile apps—to map the scope of this attack surface over a two-week period.

RiskIQ observed 3,495,267 new domains (249,662 per day) and 77,252,098 new hosts (5,518,007 per day) across the internet over that two-week period, each representing a possible target for threat actors.

Modern websites are made up of many different elements—the underlying operating system, frameworks, third-party applications, plug-ins, trackers, etc., all designed to deliver a user experience that people have come to expect, as well as reduce the time to market and derive maximum value from user interactions. As in the PC environment, this commonality of approach is attractive to malicious actors as a successful exploit written for a vulnerability or exposure on one site can be reused across a large number of sites.

As an example, Content Management Systems (CMS) are popular amongst web developers for creating dynamic sites that are easy to maintain and update. Their ubiquity makes them a popular target for hackers as we’ve seen many times in the past. Over a two-week period our research found:

  • 13,297 WordPress plugins in the Alexa top 10,000 (most visited websites)
  • 12,536 CMS instances in the Alexa top 10,000
  • 1,713,556 WordPress plugins overall
  • 1,814,997 CMS instances overall

Common Vulnerabilities and Exposures (CVEs) are classified by severity on a scale of 1 to 10 using the Common Vulnerability Scoring System (CVSS), where 7 to 8.9 represent high vulnerabilities, and 9 to 10 represent critical vulnerabilities.

Focusing on these high and critical vulnerabilities, our research showed:

  • 3,390 of the Alexa top 10,000 domains were running at least one potentially vulnerable web component
  • 6,303 potentially vulnerable web components in total were found in the Alexa top 10,000
  • 1,036,657 potentially vulnerable web components were found overall

While some of these instances will have patches or other mitigating controls to prevent the identified vulnerabilities and exposures from being exploited, many will not.

2. Sometimes Hackers Know More About Your Attack Surface Than You Do

Most organizations lack a complete view of their internet assets. In our dealings with new customers, we typically find 30 percent more assets than they thought they had. There are two significant contributors to this lack of visibility: shadow IT and mergers and acquisitions (M&A).

Where IT can’t keep pace with business requirements, the business looks elsewhere for support in the development and deployment of new web assets. The security team is frequently in the dark with regards to these shadow-IT activities and, as a result, cannot bring the created assets within the scope of their security program.

Unmanaged and, over time, orphaned assets form the Achilles heel of an organization’s attack surface. They are not regularly patched or security tested, and the operating systems, frameworks, and third-party applications of which they are composed can quickly age and become vulnerable to common hacking tools.

When you merge with another company, their vulnerabilities become your vulnerabilities. Mergers and acquisitions often bring with them incomplete and inaccurate lists of public-facing digital assets that further exacerbate the problem.

Digital assets can be broken down into many different types, each with associated risks that must be understood and managed. Some of the key asset types are hosts, domains, websites, certificates, third-party applications, and third-party components.

To highlight the scope of the challenge large organizations face in defending their digital assets, we conducted research on the FT30 basket of companies. Summarizing the results, on average each organization has:

  • 5,322 hosts
  • 9,896 dormant websites (parked, defensively registered, etc.)
  • 3,846 live websites—3,201 of which are currently serving content
  • 596 live websites hosted on Amazon, 67 hosted on Azure (20 percent of total)
  • 38 mail servers
  • 1,766 registered domains
  • 616 web pages collecting PII, 35 percent doing so insecurely
  • 4 websites with expired certificates and 3 websites using old, untrusted encryption algorithms
  • Content Management Systems (CMSs) – 96 instances of WordPress and 56 instances of Drupal
  • 120 websites with a potential critical score CVE (CVSS score 9-10)
  • 228 websites with a potential high score CVE (CVSS score 8-9)
  • 123 test sites

Some of these should be exposed on the internet, but in our experience, many should not.

These assets comprise a large and complex attack surface that needs to be understood and actively managed to reduce the low-hanging fruit available for cybercriminals to exploit.

3. The Hidden Attack Surface

Hackers don’t have to compromise your assets to attack your organization or your customers.  

Social engineering through impersonation remains a top tactic for threat actors. Impersonating domains, subdomains, landing pages, websites, mobile apps, and social media profiles are all used, many times in combination, to trick consumers and employees into giving up credentials and other personal information or installing malware.

In Q1 2018, RiskIQ identified 26,671 phishing domains impersonating 299 unique brands, 40 percent of which were financial services brands.

Phishing tactics have become increasingly sophisticated, often leveraging multiple digital elements, as we can see in our recent coverage of a MyEtherWallet phish: https://www.riskiq.com/blog/labs/myetherwallet-android/

Apart from their own assets, organizations must be on the lookout for assets created to impersonate them or claim affiliation with them in order to target their customers and employees. Early detection and takedown of infringing assets is one of the most effective ways of disrupting targeted campaigns.
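One way to do the early detection the paragraph above calls for, as an added example that is not RiskIQ’s tooling: screen a feed of newly observed domains against a list of protected brands, flagging a registrable label that equals the brand after folding common character substitutions, contains the brand, or sits within a small edit distance of it. The brand name, allowlist and domain feed are constructed for the example, and the confusable table is illustrative rather than exhaustive.

```python
"""Screen a feed of newly observed domains for impersonations of protected
brands.  Added example, not RiskIQ code; the brands, allowlist and feed
below are constructed."""

# Character substitutions commonly used to make a lookalike label read like
# the brand; illustrative, not exhaustive.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize(label):
    """Fold confusable characters back to the letters they imitate."""
    text = label.lower()
    for fake, real in CONFUSABLES.items():
        text = text.replace(fake, real)
    return text


def levenshtein(a, b):
    """Edit distance, row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label: 'examplebank-secure' from 'login.examplebank-secure.com'.
    (A real deployment would consult the public suffix list for multi-part TLDs.)"""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain, brands, legit_domains):
    """Return (domain, brand, reason) if the domain looks like a brand impersonation."""
    domain = domain.lower()
    if domain in legit_domains or any(domain.endswith("." + d) for d in legit_domains):
        return None  # the brand's own domains and their subdomains are not hits
    label = normalize(registrable_label(domain))
    for brand in brands:
        target = normalize(brand)
        if label == target:
            return (domain, brand, "homoglyph")
        if target in label:
            return (domain, brand, "brand-in-label")
        if len(target) >= 6 and levenshtein(label, target) <= 2:
            return (domain, brand, "typo")
    return None


def scan_feed(feed, brands, legit_domains):
    """Run classify() over 'date domain' lines; returns hits in feed order."""
    hits = []
    for line in feed.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        hit = classify(fields[1], brands, legit_domains)
        if hit:
            hits.append(hit)
    return hits


# Constructed inputs: one protected brand, its legitimate domain, and a
# day's worth of newly observed domains as a newline-separated feed.
BRANDS = ["ExampleBank"]
LEGIT_DOMAINS = {"examplebank.com"}
NEW_DOMAIN_FEED = """\
2018-09-20 examplebank.com
2018-09-20 examp1ebank.com
2018-09-20 examplebank-secure.com
2018-09-20 exmaplebank.com
2018-09-20 weather-report.net
2018-09-20 shop.examplebank.com
"""

if __name__ == "__main__":
    for domain, brand, reason in scan_feed(NEW_DOMAIN_FEED, BRANDS, LEGIT_DOMAINS):
        print(f"{domain:28} impersonates {brand} ({reason})")
```

Hits from this screen are candidates for analyst review and takedown, not verdicts; the edit-distance threshold and the short-brand guard (`len(target) >= 6`) are the two knobs that trade false positives for coverage.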

4. The Mobile Attack Surface

You have much more to worry about than just the Apple and Google Play mobile app stores.

The general perception is that there are a small number of mobile app stores, but the reality is somewhat different. There are a large number of secondary and affiliate stores, primarily serving the Android market, which give malicious actors an opportunity to compromise legitimate apps and launch fake apps, all the while hiding in the vastness of the app store ecosystem. Our Q1 2018 mobile app research revealed:

  • 21,948 blacklisted mobile apps across 120 mobile app stores and the open internet. This equates to 1.5 percent of all new apps detected. Of those, 8,287 were detected in the Google Play store.
  • 46 percent of all feral apps (mobile apps not hosted in a store) were blacklisted. Users are often directed to these apps through mobile and social phishing campaigns.
  • 86 percent of apps blacklisted claimed the READ_SMS permission, which allows the app to read messages and can be used for any number of nefarious purposes, including circumventing two-factor authentication.

Organizations must do more to monitor the app store ecosystem and find the stores hosting their apps without permission and fraudulent apps impersonating their brand(s), in both app stores and across the web.

5. Cryptocurrency Miners Are the Latest Attack Surface Compromise

While spyware, ransomware, and other forms of malware still proliferate, cybercriminals are augmenting their activities by stealing computer resources. With the exponential growth in the value of cryptocurrencies, crypto mining is now a lucrative pursuit.

The primary challenge facing cryptocurrency prospectors is that mining requires an extreme level of computing power, which can be prohibitively expensive. Fundstrat reported that the cost of mining a single Bitcoin reached about $8,038, and the cost of mining other coins is not far behind. To get around this, actors are siphoning computing resources from unwitting users across the internet by hosting crypto-mining scripts on highly visited websites, which then execute in the web browsers of visitors to those sites. From our research we found:

  • 50,000+ websites have been observed running Coinhive in the past year
  • An average of 495 new hosts running cryptocurrency miners each week over the past 26 weeks
  • 326 Drupal injections on hosts running Coinhive, suggesting that this is one of the ways sites are being infected

Across the websites belonging to the FT30, we found 11 instances of cryptocurrency miners. Some of the crypto mining scripts we found have been active for over 160 days, suggesting that organizations are failing to detect them.

What Now? How to Respond to Today’s Cyber Threats

There’s good news for organizations, however: there is now much more data available that allows them to identify changes in attackers’ approaches and protect themselves before they become a target.

Traditionally, the security strategy of most organizations has been a defense-in-depth approach starting at the perimeter and layering back to the assets that should be protected.

However, there are disconnects between that kind of strategy and the attack surface as presented in this article. In today’s world of digital engagement, users sit outside the perimeter along with an increasing number of exposed corporate digital assets—and the majority of the malicious actors. As such, companies need to adopt security strategies that encompass this change.

Do you lack visibility into your organization’s internet-exposed attack surface? Contact us today for a personalized demo and find out what your company looks like to hackers as well as how your team can address threats like Magecart.
