External Threat Management
April 09, 2020
The outbreak of COVID-19 and the anxiety and the uncertainty brought with it has proven to be an opportunity for ransomware actors to go on the offensive.
Along with leveraging concern over the virus itself, threat actors have thrived on the rapid dispersal of workforces and business operations and the resulting widened protection gaps and decreased visibility security teams have into their organizations' attack surfaces. Attackers now have far more access points to probe or exploit, with little-to-no security oversight. Meanwhile, IT is standing up new systems, new access, and new channels at a breakneck pace. In many cases, they're succumbing to human error, such as critical misconfigurations.
Attackers are searching for these entry points—unknown, unprotected, misconfigured, and unmonitored digital assets. Microsoft, for example, has seen one operation known as REvil, which targets vulnerabilities in VPN devices and gateway appliances to breach networks, and many other groups are operating the same way.
Given the recent successes of deploying ransomware via malware attacks, especially during pandemics, RiskIQ assessed in March that it was only a matter of time before cybercriminals returned to it. Now, ransomware attacks are rampant and will increasingly impact healthcare facilities and COVID-19 responders.
BleepingComptuer found that on March 24, cybercriminals targeted hospitals with Ryuk ransomware. Likewise, Forbes reported on March 23 that Hammersmith Medicines Research, a British medical facility on standby to test COVID-19 vaccines, was attacked by a ransomware group called Maze. Fortune also reported a rise in ransomware attacks against medical facilities.
April 03, 2020
For the past ten years, RiskIQ has been crawling and passive-sensing the internet to help security teams prepare for a digital revolution that would cause their attack surfaces to move beyond the firewall and outpace traditional security. New initiatives would demand migration to the cloud and call for the immediate adoption of web, mobile, and social platforms, demonstrating the limitations of network security controls.
This digital revolution happened quickly, but with the outbreak of COVID-19, it has suddenly gone into hyperdrive. Almost overnight, workforces and business operations decentralized and were flung all over the world, widening the protection gaps. In only the past two weeks, security protocols have completely changed—firewalls, DLP, and network monitoring are no longer valid. Attackers now have far more access points to probe or exploit, with little-to-no security oversight. Meanwhile, IT is feverishly standing up new systems, new access, and new channels and likely succumbing to human error, such as critical misconfigurations.
The COVID-19 pandemic is a grave and challenging situation for enterprises, but RiskIQ and our customers are uniquely prepared.
With a network of globally-placed sensors, proxies, and web crawlers, RiskIQ has been collecting, analyzing, and storing internet data for more than ten years. This data shows us what the internet looks like, its interconnectivity, how each business, organization, government, and threat actor appears on the open web and the cloud. This includes new infrastructure that's stood up remotely.
The COVID-19 pandemic requires immediate action by security teams. Here's what you should do to get started.
March 19, 2020
The COVID-19 pandemic is making life unrecognizable for most of us and has presented a host of new, unique challenges for security teams. Suddenly, the digital transformation has gone into hyperdrive. Personnel, forced to work from home, have dispersed entire businesses and their operations, and moved the perimeters of their organization's digital attack surfaces with them.
Making things even harder for practitioners is a surge of attacks against people and businesses by criminals exploiting the global anxiety around the outbreak. These attacks are reprehensible, but, unfortunately, increasing in volume each day.
As a cybersecurity community, we need to work together, pool our resources, and enable one another to defend our organizations during this period of uncertainty and heightened danger. To do our part, RiskIQ is now offering the following to the community for no charge.
RiskIQ COVID-19 daily update Intelligence report from the i3 team
This intelligence will help inform the decisions of security teams, who face new requirements during these unprecedented times. With these reports, RiskIQ strives to provide the security community with a single source of factual reporting and informed analysis to help them discover unknowns about their environment and investigate threats. Each report combines major updates around COVID-19 and its impacts on cities, neighborhoods, schools, and businesses as well as other essential data that helps raise the situational awareness of both physical and cybersecurity teams.
March 11, 2020
Global epidemics spread cybercrime as well. Cybercriminals will likely use the global anxiety over the coronavirus to execute ransomware attacks via social engineering.
Cybercriminals have been hugely successful using disasters and global anxiety over virus outbreaks to execute malware attacks via social engineering. Eventually, these types of infections almost always give way to ransomware.
Ebola, Zika, SARs—over the years, actors leveraging pandemics have developed a distinct pattern with the only significant difference being improvements to attack tools. They execute layered attack campaigns, first with phishing and social engineering to infect users with malware, then taking over the entire system with ransomware or other forms of malware. With the novel coronavirus now a top concern worldwide, that pattern is continuing.
The latest intelligence brief by the RiskIQ i3 threat intelligence group* assesses that these attacks will focus primarily on large corporations, which rely on markets and supply chains originating in China and other coronavirus-affected regions. Personnel at these organizations have heightened interest in news and developments related to the virus, potentially making them more susceptible to social engineering that tricks them into clicking on malicious links.
The briefing assesses there are two possible methods of attack, both the result of phishing campaigns. The first involves the AZORult malware, which researchers witnessed was the basis for a phishing campaign targeting members of the shipping industry in January of this year. On at least three different occasions since 2018, however, attackers have used AZORult to deploy ransomware.
RiskIQ’s 2019 Mobile App Threat Landscape Report: The Mobile Ecosystem Swells, but Google Leads a Decline in Malicious Apps
February 27, 2020
The digital revolution is causing businesses to invest significantly in mobile not only to make more frequent and meaningful interactions with consumers but also to feed a ravenous demand. Users downloaded over 200 billion apps in 2019 and spent more than $120 billion in app stores worldwide. In 2020, consumers will surpass those marks, as mobile usage takes up more and more of our daily lives—3.7 hours on average and rising, according to App Annie.
Although mobile apps help drive business, the mobile app threat landscape is a significant portion of an enterprise’s overall attack surface that exists beyond the firewall, where security teams often suffer from a critical lack of visibility. Threat actors have made a living taking advantage of this myopia to produce “rogue apps” that mimic well-known brands and are purpose-built to fool customers into downloading them. These imposter apps are an effective tactic because our brains recognize and make instantaneous judgments about visual stimuli. Once downloaded, they can phish users for sensitive information or upload malware to their devices.
On rare occasions, these rogue apps appear in official stores, even breaching the robust defenses of the Google Play and the Apple App stores. However, there are hundreds of less reputable app stores within the mobile app threat landscape, that represent a murky mobile underworld that exists outside of the relative safety of major stores. With many of these apps found in stores hosted in countries known for cybercrime, such as China, or outside of stores altogether on the open web (often referred to as feral apps), it’s no wonder CISOs can’t keep tabs on them. However, for businesses, even though they don’t own or manage these apps, they’re still a part of their attack surface and thus are responsible for detecting and addressing them.
With a proactive, store-first scanning mentality, RiskIQ observes and categorizes the mobile app threat landscape as a user would see it, monitoring both the well-known stores like the Apple App Store and Google Play, but also more than 120 others around the world. RiskIQ also leverages daily scans of nearly two billion resources to look for mobile apps in the wild. Every app we encounter is downloaded, analyzed, and stored so that we can record changes and new versions.
RiskIQ Illuminate App in the CrowdStrike Store Combines Unmatched External Telemetry with Endpoint Intelligence | Attack Surface Management
February 20, 2020
It's incredible to think how far organizations have come in gaining visibility into their enterprise in just the last five years. Analysts used to have conversations about how and where to enable logging. One quantum leap later, and these conversations are now about how optimizing queries to get the most out of the vast amounts of internal data available to them.
Today, analysts operate with an extreme amount of context, but their own collection is just one side of what their organization looks like. The most successful businesses recognize that they must pair this internal data collection with external intelligence to have real visibility into their attack surface—and how it appears to would-be attackers.
RiskIQ has worked to provide this external view for over a decade, collecting and storing internet data to feed technology that functions like a TIVO for the Internet, giving security teams the ability to look back at attacks and understand why and how they happened, as well as to detect new ones. Over that time, RiskIQ has built unmatched data sets found nowhere else that power several defense-based products and enables a community of over 85,000 security practitioners to conduct thorough investigations into cyber security threats.
Although it fuels threat investigations worldwide, RiskIQ’s data becomes even more powerful when combined with endpoint telemetry. That’s why RiskIQ, the global leader in attack surface management, is excited to announce that we’ve partnered up with CrowdStrike to deliver RiskIQ Illuminate for Falcon, a solution that offers truly unique visibility into cyber security threats by pairing unmatched external intelligence with leading endpoint-visibility data sets.
February 18, 2020
Perhaps no organization is entrusted with more highly sensitive consumer data than the credit bureau Equifax. So when it suffered one of the most massive data breaches in history in 2017, the result was catastrophic for its millions of customers, their trust in Equifax—and consumer trust in credit reporting agencies in general.
The breach, which led to the theft of 147 million people's personal information, left us asking how something on that scale and with such far-reaching implications could happen. There seemed to be an illusion that because Equifax is so big, so ubiquitous, and holds so much data that they were taking better care than most organizations to protect it. They were invincible, right?
With the recently-released Senate Committee on Homeland Security and Governmental Affairs' report on its investigation into the breach, the reason is painfully clear. Equifax, like most organizations, was unaware of the scope of its attack surface—especially that which resides outside the firewall—and therefore was unable to maintain an adequate patch-management policy.
It seems to be a terrifying trend, as many of the large-scale breaches that now surface in the news all too regularly are a result of compromised external assets that organizations weren't aware existed. According to Senators Rob Portman and Tom Carper, who authored the report, that is precisely what happened to Equifax. What's even more terrifying? The audit report mentioned that Equifax lacked a comprehensive IT asset inventory and did not fully understand the scope of the digital assets it owned.
Equifax was hacked via a consumer complaint web portal with a widely known vulnerability their security team should have patched. Once the attackers moved laterally into their network, they exfiltrated encrypted data for months because Equifax did not renew an encryption certificate on one of their internal security tools--which meant that this encrypted traffic wasn't being inspected.
January 31, 2020
What concerns keep CEOs and other business leaders up at night? What doesn't?
Financial results and competitive challenges are top of mind for sure. Still, today's c-suiters also face more modern anxieties like the chance of a cyberattack on the company - or the executives themselves.
In the new economy, business executives are more and more digitally connected to family, colleagues, and work through mobile devices and social platforms. Like everyone, each leader's digital interactions and online behaviors leave cyber breadcrumbs across the internet. Hackers can easily search for these digital clues, leaving executives susceptible to having their net worth, intellectual property, and personal reputation exploited. For example, hackers tend to follow the social media feeds of executives to learn about their activities and the colleagues with whom they regularly interact – from personal assistants to other company leaders. A hacker may be able to "crack" the credentials of these trusted colleagues, then begin impersonating them to lure the victim into sharing sensitive corporate or personal information.
What’s the end game for hackers? There could be any number of motives behind a cyber crook’s endeavors to manipulate or sabotage an executive—financial gain, political aims, even revenge, are all examples. A hacker may also target executives to sell their information to others. For example, an executive may post her workout metrics on a fitness app. Cyber-crooks can use this information to uncover the woman’s home address, which they can pass along to known buglers. Or the hacker may follow a person’s notification about attending events, knowing they will not be home at a certain time.
The critical need for executive protection
January 30, 2020
This holiday shopping season was a boon for retailers, who raked in a record $1 trillion, an incredible increase of nearly $300 billion from 2018. Meanwhile, overall online sales increased 13%, while Black Friday and Cyber Monday saw 17% and 19% increases, respectively.
But online holiday shopping is a goldmine for more than just e-commerce businesses—threat actors try to get a piece of every dollar that consumers spend. Over the 2019 holiday shopping frenzy, these cyber-crooks used the brand names of leading e-tailers, as well as the poor online security hygiene of consumers, to pocket some of these earnings for themselves.