The digital threat landscape offers threat actors a plethora of resources they can use to camouflage their activities and cover their tracks, such as swaths of cheap and readily available hosts and IPs that can be continually switched out and rotated. For this reason, successfully tracking suspicious activity requires as much data as threat researchers can get their hands on.
For example, in early May, RiskIQ noticed a spike in the number of blacklist incidents associated with certain web components; in this case, certain versions of PHP and NGINX. Having identified these suspect web components with a "bad reputation," we were able to find all hosts running them and pair that information with our PDNS data to find a total of 42 distinct IP addresses. Notably, most of these hosts were clustered on five of these IP addresses:
Scanning each of these addresses revealed that they are all are dedicated to fake software scams, with host names such as "freechecknow[.]clickforultimateandbest2updatepc[.]download" and "upgrade4life[.]pressingupgradeforcontinue[.]info."
Our PDNS data further reveals that this scammer has been setting up hundreds of hosts per day, starting on April 19. Although they tried to hide their tracks behind privacy-protected WHOIS registration as well as isolate their hosts to only one IP each, web component analysis can connect the dots across IP addresses to distinguish a single, coordinated campaign.
Multiple web components and web component “profiling” can also be used to track other actors across domains and IP addresses. We wrote a short time ago about NoTrove, a prolific scam actor that uses thousands of domains and IPs to run its operations. We were able to track NoTrove through learning patterns of their operations and finding those patterns in our treasure trove of passive DNS and our scam detection engine, but another piece of the puzzle comes from web component detection.
Start Pivoting for Yourself
Internet data can be sorted, classified, and monitored over time to provide a complete picture of your attackers and their evolving techniques. Infrastructure chaining leverages the relationships between these highly connected data sets, such as web components and PDNS, to build out a thorough investigation. This process is the core of Threat Infrastructure Analysis and allows organizations to surface new connections, group similar attack activity, and substantiate assumptions during incident response.
With RiskIQ Community Edition, security teams can proactively address digital threats that are related to already observed events or alerts. Unique data sets in the RiskIQ PassiveTotal product does this by uncovering other infrastructure associated with a bad actor that might be previously unknown or difficult to associate. Security teams can block these connected sources, and set up monitors to alert on changes to that infrastructure that could indicate an impending attack.
To start pivoting on these data sets for yourself, try RiskIQ PassiveTotal Community Edition for free by visiting https://www.riskiq.com/community/.