External Threat Management
February 10, 2021
We recently analyzed LogoKit, a simple, modularized, and adaptable phish kit running on thousands of domains. Easy to use and able to accommodate a wide range of attacker skill levels, LogoKit is a hot commodity on the black market.
LogoKit's popularity has given rise to enterprising threat actors who manufacture, package, and sell the kit to meet a strong and still growing demand among cybercriminals worldwide. However, these crimeware purveyors are more than just cybercriminals; they're also expert marketers who use social media sites, web forums, and messaging apps to build their brand, advertise their product, and streamline transactions.
After analyzing LogoKit itself last week, we took a closer look at the infrastructure and criminal enterprise behind it. The resulting investigation illuminated a massive phishing ecosystem and thriving crimeware economy driven by a high demand for simple, effective phishing tools. Below, we'll look at a major player in the sale of LogoKit.
February 02, 2021
Each year, businesses invest more in mobile as the lifestyle of the average consumer becomes more mobile-centric. Mobile growth exploded in 2020, with the COVID-19 pandemic advancing mobile adoption "by at least two to three years." According to App Annie, due to the pandemic, Americans are now spending more time on mobile than watching live TV, and social distancing has caused them to migrate more of their physical needs to mobile. App Annie also shows that mobile spending grew to a staggering $143 billion in 2020, year over year growth of 20%.
This ravenous demand for mobile creates a massive proliferation of mobile apps. Users downloaded 218 billion apps in 2020 and spent more than $240 billion in app stores worldwide. Meanwhile, RiskIQ noted a 33% overall growth in mobile apps available. For organizations, these apps drive business outcomes. However, they can be a double-edged sword: the app landscape is a significant portion of an enterprise's overall attack surface that exists beyond the firewall, where security teams often suffer from a critical lack of visibility.
January 27, 2021
As sophisticated attacks dominate the headlines, it's important to remember that the vast majority of cybercrime results from simple, effective, and tested tools. These tools are easy to use and accommodate a wide range of attacker skill levels. The LogoKit phishing kit, which RiskIQ has detected running on more than 300 unique domains in the past week and 700 over the past month, is a prime example.
January 21, 2021
In the wake of the tragic events that unfolded on Capitol Hill on January 6, 2021, it is now clear that abundant warning signs existed to alert lawmakers and law enforcement that a dangerous storm was brewing. It is uncommon for threats of this nature to be so blatantly forecast. Yet not enough people heeded the warnings. On December 21, 2020, writer and political analyst Arieh Kovler tweeted, “On January 6, armed Trumpist militias will be rallying in [D.C.], at Trump’s orders. It’s highly likely that they’ll try to storm the capitol after it certifies Joe Biden’s win. I don’t think this has sunk in yet.”
Now that so much of the world has turned to social media, and with the proliferation of so many platforms, it has become increasingly difficult to monitor where threats broadcast themselves, particularly when so many discovery platforms are keyword based. If a threat actor makes a post that slips past your keyword threat matrix, it will slip through your detection. Your security teams and corporate leadership will be caught off guard by a threat you will later discover was forecast right in front of your eyes. It didn’t pop up out of nowhere; unfortunately, you just missed it.
January 02, 2021
There will be many more breaches like the one of SolarWinds.
Moving into 2021 and beyond, the ability to view your organization from the outside-in, as attackers do, will be the best defense against these internet-scale attacks by advanced APTs. FireEye and other security experts analyzing early information on SunBurst have said mass scanning and internet-scale data are critical to incident response efforts. This real-time global visibility shows security teams if their organization is affected and helps uncover attacker fingerprints on the network.
RiskIQ is helping organizations respond to attacks like SunBurst with our Internet Intelligence Graph, built by mapping the Internet via over ten years of crawling and mass scanning. Our brand new JARM feature will help incident responders quickly query this graph, putting the world’s largest index of applications, components, and behaviors at their fingertips for a smarter, faster response.
December 14, 2020
The FireEye hack resulting in the theft of sophisticated red team tools was part of one of the most devastating cyberattacks in recent history. Today, with the news that Russian operatives also breached SolarWinds' Orion software, the attack has proven much worse than anyone thought.
FireEye's investigation surfaced a supply chain attack trojanizing legitimate SolarWinds Orion business software updates to distribute malware. This hacking campaign, which may date back to as early as fall 2019, affects vulnerable Orion versions 2019.4 HF 5 through 2020.2.1.
According to FireEye, a digitally signed SolarWinds component of the Orion software framework contains a backdoor, dubbed SUNBURST, that communicates via HTTP to attacker-owned C&C servers. This takeover of SolarWinds' Orion software, an IT performance monitoring platform that integrates into a business's full IT stack, is akin to handing attackers the keys to the networks of SolarWinds' customers.
CISA has issued an emergency directive calling on all organizations to review their networks and disconnect from any SolarWinds systems. Still, real-time global visibility is the most effective weapon against this new breach.
December 09, 2020
This week, FireEye’s proprietary red team tools (pen-testing and hacking tools) were stolen. It appears the attack was executed by highly advanced nation-state threat groups after breaching FireEye systems with “novel” and “previously unseen” techniques.
This successful attack has critical implications. A new set of sophisticated hacking tools has joined the cyberattack arena, giving skilled threat actors a powerful new way to target attack surface weaknesses, vulnerabilities, and exposures worldwide. While these hijacked red team tools did not contain any 0-day exploits, they put digital assets outside the firewall, such as web apps, devices, services, and pages, in immediate jeopardy.
RiskIQ's unique internet-wide visibility gives our customers an advantage in protecting their attack surfaces from this newly heightened threat. Our Illuminate Platform finds digital assets connected to an organization outside their internal network, providing visibility into those that may be vulnerable to attacks, including their critical CVEs.
December 02, 2020
In early July 2020, RiskIQ began tracking a phishing campaign identified through our internet intelligence graph targeting colleges and universities worldwide. From July 2020 into October 2020, RiskIQ systems uncovered 20 unique targets in Australia, Afghanistan, the UK, and the USA.
All these attacks used similar tactics, techniques, and procedures (TTPs) as Mabna Institute, an Iranian company that, according to the FBI, was created for illegally gaining access "to non-Iranian scientific resources through computer intrusions." Mabna Institute earned the moniker "Silent Librarian" due to its focused efforts to compromise university students and faculty by impersonating university library resources using domain shadowing to harvest credentials.
However, while RiskIQ's findings are consistent with TTPs in use by Silent Librarian, they alone are not sufficient to attribute the threat activity we've detected against these 20 universities directly to Mabna Institute. Therefore, RiskIQ has named actors identified during this research as "Shadow Academy."
November 24, 2020
E-commerce has the potential to break records this year, with extraordinary circumstances funneling more shoppers to digital outlets than ever before. Due to COVID-19, eMarketer projects a 10% fall in overall holiday sales but a 17% rise in e-commerce sales, and Deloitte projects a continued increase in retail sales over last year's figures. The latter forecasts that e-commerce sales could rise by as much as 35% due to limited in-store retail options.
At RiskIQ, we cannot help but view this uptick in digital spending for what it presents: more opportunities for cybercriminals to take advantage of increased e-commerce activity. RiskIQ researchers have tracked evolutions in Magecart digital credit card skimming infrastructure leading up to the holiday shopping season. Meanwhile, RiskIQ systems detect one phishing domain and five domain infringement events every minute. These numbers are expected to rise for e-commerce brands as the holiday shopping season continues to ramp up.
But how does this extremely active threat landscape affect shoppers?