A modern organization’s digital presence is a mosaic of internet-connected services—hardware, software, and digital supply chains. More internet services mean more complexity, and “non-standard” becomes the norm. While these digital services boost functionality, they can also unexpectedly change how an organization appears to attackers and, at any time, open up exposures across its attack surface. Just recently, the massive growth in VPN and remote access to support staff forced to work from home has created an array of new access points for attackers to probe.
With your attack surface regularly in flux, keeping tabs on its composition as well as the infrastructure of attackers targeting it is one of the most challenging jobs facing security teams today. However, deep insight across the public internet makes it not only possible but also manageable.
Enterprise digital attack surfaces are dynamic, complicated, and hard to keep under control. They’re a tangle of IP-connected devices and third-party dependencies across the web and in the cloud that continuously change, go out of date, and become exposed.
Many of these systems were stood up without the oversight of security teams and then forgotten, so they are never evaluated or pen-tested. Some were stood up to accommodate a suddenly homebound workforce, and IT teams, moving quickly, may have misconfigured them. Others, like third-party shopping platforms, are entirely outside the purview of most organizations’ security tools and can become vulnerable without anyone ever knowing.
Threat actors know these internet-connected services can be easy inroads to corporate networks and are always scanning for vulnerable services to attack. To counter them, security teams must have visibility into the IPv4 space so they can build a full inventory of the digital assets connected to them outside their internal network, and flag assets that become vulnerable so they can be patched and brought under management.
Here are a few recently exploited services that far too many organizations could not identify and address:
Threat actors continue to threaten organizations through unknown and misconfigured web servers across their attack surface. ZDNet reported that a malicious actor has been scanning the internet for unsecured Elasticsearch instances exposed to the internet, wiping over 15,000 servers. Most organizations have dozens of servers across their attack surface, any of which can become exposed.
Shopping platforms like Shopify and Magento can become vulnerable, especially out-of-date versions. Magento vulnerabilities have been a target for Magecart operatives over the years and have led to skimmers on thousands of e-commerce sites.
VPN usage has surged 112% with stay-at-home orders forcing staff to work remotely. Unfortunately, many VPNs, like Palo Alto GlobalProtect, have had glaring vulnerabilities in the past. A report from ClearSky Security uncovered a campaign waged by Iranian state-sponsored hackers using vulnerabilities in VPNs, including GlobalProtect, to gain access to dozens of organizations around the world.
Remote access points
Remote access points are being stood up at a record pace. In March, RiskIQ noted a 26.11% increase in Microsoft Remote Access Gateway instances, stood up to support people working from home; the product has several known vulnerabilities.
There are likely innumerable routers across the average large organization’s attack surface, many of them set up without oversight by the security team. For example, ZTE routers are among the most commonly seen network devices in our data. As always, vulnerabilities exist for such devices, which attackers can use to collect data or tamper with your network.
It’s likely your organization’s websites use jQuery, yet few security teams are familiar with every line of the library; they simply trust that it’s secure. However, vulnerabilities in jQuery have occurred, and because of the library’s ubiquity, they can leave a vast swath of the web exposed. jQuery has repeatedly been open to Cross-site Scripting (XSS) attacks, in which malicious code is injected that the browser (unknowingly) executes.
Access systems and IoT devices
Attack surfaces have changed drastically in industries like manufacturing and energy, where work can’t get done without access systems and internet-connected equipment. For example, webcams dominate the most popular searches in Shodan, indicating that they are a frequent target among attackers. AVTECH devices and firmware have suffered from numerous well-known security vulnerabilities.
Security teams must arm themselves with the power of seeing their entire business from the perspective of the internet. Defining your attack surface by fingerprinting each component, connection, service, IP-connected device, and infrastructure provides a strategic advantage in dealing with your living, breathing attack surface.
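The fingerprint-and-flag process described above, as an added example that is not RiskIQ code: it runs constructed port-scan observations (host, port, banner, first/last seen) against an asset inventory and flags forgotten hosts, internal services reachable from the internet, outdated versions and newly seen assets. The banner patterns, the minimum-version baseline and the sample hosts are all assumptions made up for the example.

```python
# Added example (not RiskIQ code): triage constructed port-scan observations
# against an asset inventory, the fingerprint-and-flag process described above.
from collections import namedtuple
from datetime import date
import re

# Hypothetical banner fingerprints; the capture group holds the version.
FINGERPRINTS = {
    "elasticsearch": re.compile(r'"number"\s*:\s*"(\d+(?:\.\d+)*)"'),
    "magento": re.compile(r"Magento/(\d+(?:\.\d+)*)"),
}
# Services that should never answer from the public internet.
NEVER_PUBLIC = {"elasticsearch"}
# Hypothetical minimum patched versions (not a real advisory baseline).
MIN_VERSION = {"magento": (2, 3, 4)}

# One scan observation: host, port, service banner, first/last seen dates.
Observation = namedtuple("Observation", "ip port banner first_seen last_seen")

def fingerprint(banner):
    """Return (service, version) from a banner, or (None, None)."""
    for name, rx in FINGERPRINTS.items():
        m = rx.search(banner)
        if m:
            return name, m.group(1)
    return None, None

def triage(observations, inventory, today, new_days=7):
    """Return findings as (ip, port, reason, service) tuples."""
    findings = []
    for o in observations:
        svc, ver = fingerprint(o.banner)
        if o.ip not in inventory:              # asset nobody put under management
            findings.append((o.ip, o.port, "unknown-host", svc))
        if svc in NEVER_PUBLIC:                # internal service reachable from outside
            findings.append((o.ip, o.port, "exposed-internal-service", svc))
        if svc in MIN_VERSION and tuple(map(int, ver.split("."))) < MIN_VERSION[svc]:
            findings.append((o.ip, o.port, "outdated", svc))
        if (today - o.first_seen).days <= new_days:  # new on the attack surface
            findings.append((o.ip, o.port, "newly-seen", svc))
    return findings

# Constructed sample (RFC 5737 addresses): two inventoried hosts, one forgotten.
INVENTORY = {"192.0.2.10", "192.0.2.20"}
TODAY = date(2020, 3, 31)
SAMPLE = [
    Observation("192.0.2.10", 443, "X-Platform: Magento/2.3.1", date(2019, 6, 1), TODAY),
    Observation("192.0.2.20", 22, "SSH-2.0-OpenSSH_7.9", date(2019, 6, 1), TODAY),
    Observation("198.51.100.7", 9200, '{"version":{"number":"6.8.0"}}', date(2020, 3, 27), TODAY),
]
```

Running `triage(SAMPLE, INVENTORY, TODAY)` yields one outdated-Magento finding for the known host and three findings for the forgotten Elasticsearch host; the OpenSSH host, which matches no rule and is inventoried, produces none.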
For security teams, knowing which IP-connected services are part of the attacker’s infrastructure and how they’re wielding them against you can be just as important as knowing your own attack surface. In our recent blog post highlighting our Internet Intelligence Graph, we note that its power lies in a deep understanding of the internet and knowing how both the good guys and the bad guys fit inside it. In each of the attacks highlighted above, threat actors used IP-connected services of their own to attack businesses. Defenders with the right tools could have used this to their advantage.
Intelligence from regular port scans across internet-responsive systems gives analysts immediate insight into the infrastructure used in attacks against their organization. Knowing the services running on malicious IPs can point you to adversary vitals such as C2 servers and certificates.
When investigating an adversary, data from port scanning alone isn’t enough. Visibility into internet-connected services is good, but combining it with deep intelligence from web-crawling makes it powerful.
After an analyst identifies a particular asset running on an attacker-owned IP, say a C2 server, crawl data shows you the rest of the story: which other components are running on that page, what pages share those components, and to which IPs do those components resolve. Suddenly, an attacker’s entire toolset becomes illuminated.
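The pivot described above, as an added example that is not RiskIQ code: from a seed IP it walks constructed crawl records (page, resolved IP, components seen on the page) to find the other pages sharing those components and the IPs they resolve to. The crawl records, the component labels and the "noisy component" list are assumptions made up for the example; a ubiquitous script path such as a shared jQuery file is excluded because it links everything to everything.

```python
# Added example (not RiskIQ code): pivot from a seed IP through constructed crawl
# records (page -> resolved IP, page -> components) to surface related infrastructure.
from collections import defaultdict, deque

# Constructed crawl records: (url, resolved_ip, components seen on the page).
# A component might be a certificate hash, a tracking code, or a script path.
CRAWL = [
    ("http://cdn-a.example/loader.js", "203.0.113.5", {"cert:sha1:AAAA", "tracker:UA-111"}),
    ("http://shop-x.example/checkout", "198.51.100.9", {"tracker:UA-111", "script:/js/jq.min.js"}),
    ("http://shop-y.example/cart", "198.51.100.9", {"script:/js/jq.min.js"}),
    ("http://blog.example/", "192.0.2.44", {"tracker:UA-999"}),
]
# Components shared by much of the web (a jQuery path, say) are too noisy to pivot on.
NOISY = {"script:/js/jq.min.js"}

def build_graph(records, noisy=NOISY):
    """Undirected adjacency over three node kinds: IP, page URL, component."""
    g = defaultdict(set)
    for url, ip, comps in records:
        g[ip].add(url)
        g[url].add(ip)
        for c in comps - noisy:
            g[url].add(c)
            g[c].add(url)
    return g

def pivot(graph, seed, max_hops=4):
    """Breadth-first walk from seed; return {node: hop distance}."""
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        n = queue.popleft()
        if hops[n] >= max_hops:          # stop expanding at the hop budget
            continue
        for m in graph.get(n, ()):
            if m not in hops:
                hops[m] = hops[n] + 1
                queue.append(m)
    return hops

def related_ips(records, seed_ip, max_hops=4):
    """IPs tied to seed_ip via a page that shares a non-noisy component."""
    ips = {r[1] for r in records}
    reach = pivot(build_graph(records), seed_ip, max_hops)
    return sorted(n for n in reach if n in ips and n != seed_ip)
```

With four hops (IP, page, component, page, IP) the seed 203.0.113.5 leads through the shared tracking code to 198.51.100.9, while the unrelated blog IP is never reached.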
When you’re under attack, time is of the absolute essence. For analysts and incident responders, visibility into the entire IPv4 space is key to uncovering attacker infrastructure and taking decisive action quickly. Being able to detect specific technologies in use by your adversary and then quickly note the build and its relationship with the rest of the components on a web page or server—all on one platform—can be the difference between preventing a breach and a successful attack.
RiskIQ collects data at an unmatched scale. Our systems conduct daily scans of more than 228 unique ports and service banners across the entire IPv4 space to collect host data, including when it was first and last seen, service banners, and much more. These observations are saved within the RiskIQ Internet Intelligence Graph and made available to customers.
Meanwhile, our network of virtual users makes billions of HTTP requests, takes in terabytes of passive DNS data, and collects millions of components such as SSL certificates, tracking codes, and cookies. RiskIQ is currently mapping 157 billion relationships across the internet to help organizations discover their attack surface and add a whole new layer to their threat investigations.
Explore RiskIQ’s exposed services data set in RiskIQ PassiveTotal, and learn how RiskIQ can help you discover and protect your attack surface today.