Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
2018 Holiday Shopping Season Threat Activity: A Snapshot
The 2018 holiday shopping season was the largest ever for online retailers, but threat actors filled their pockets, too.
So what did the threat activity around this shopping frenzy look like?
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
Polish banking establishments have been under siege by threat actors installing unauthorized code on their websites and using those sites against the computer systems of global monetary institutions. According to a report by the Wall Street Journal, these attacks are part of a larger international hacking effort targeting financial institutions within the U.S., Mexico, and the United Kingdom—an attack that shares traits with the 2014 assault on Sony Corp linked to the Lazarus Group.
A preliminary investigation by BadCyber suggests that the starting point for the infection could have been located on the web server of Polish financial sector regulatory body, Polish Financial Supervision Authority (www.knf.gov.pl). Due to a slight modification of one of the local JS files, an external JS file was loaded, which could have executed malicious payloads on selected targets.
The investigation used PassiveTotal, which generates its unique Host Pairs data set when RiskIQ crawling infrastructure identifies references or redirections on a page to other websites, to confirm that the attack originated from external sources. Below, under the “Host Pairs” tab in PassiveTotal, you can see RiskIQ crawlers observed the KNF website pointing to the malicious URLS “[http]://www[.]sap.misapor.ch/vishop/view.jsp?pagenum=1″ and “https://www[.]eye-watch.in/design/fancybox/Pnf.action” via an iframe:
Fig-1 Host Pairs show the KNF.gov website referencing two URLs cited as malicious by BadCyber
Host pair connections can range from a top-level redirect (HTTP 302) to something more complex like an iframe or script source reference. What makes this data set powerful is the ability to understand relationships between hosts based on details from visiting the actual page. Host Pairs relies on knowing web site content, so it’s likely to surface different values that other sources like passive DNS and SSL certificates do not.
RiskIQ’s web-crawling infrastructure captured the iframe in question here:
Fig-2 Malicious iframe captured by RiskIQ’s crawling infrastructure redirecting traffic to malicious URLs
Since our inception, RiskIQ has been gathering petabytes of passive DNS and WHOIS data, and through our crawling of the entire internet, have amassed data sets that include SSL certificates, newly observed domains, web and analytics trackers, mobile apps, Host Pairs, and web components. These data sets can be used by security professionals and threat analysts to connect the dots between threat infrastructure and understand the attack vectors and patterns used by attackers.
To test these data sets out, sign up for RiskIQ Community Edition today.
Millions of Exim Mail Servers Are Currently Being Attacked - by @serghei
People have been actively patching Exim servers the day the CVE-2019-10149 was published. Attackers have begun abusing the vulnerability as seen by @0xAmit (https://t.co/kRdeqbAvsW). Here's @RiskIQ's breakdown of observed Exim service versions for 4.8x and higher. Keep patching!
Today @morphisec published their (good) article on FIN8 activities. However, the "back in business" part which media just jumped on doesn't seem to hold true. Those IOCs are just a continuation of campaigns dating to 2017, they are not "back" they were just spotted :). Thread 1/n
Elevate your investigations with collaboration & organization: PassiveTotal Projects https://t.co/CgyarvA6TN #ThreatHunting
Magecart's 'shotgun approach' to payment card theft is wreaking havoc on e-commerce sites https://t.co/rCBdQAAUqz by @jeffstone500