The hacker who allegedly hacked Hacking Team has spoken out about their techniques. The key to their attack strategy is mapping out the target’s attack surface. The hacker’s write-up demonstrates that the vast seas of digital assets existing online can plot a course back to a target’s internal systems if left unsecured.
Below is a breakdown by phases of the hacker’s process of attacking another hacking group:
Phase 1 – Mapping Out the Target
“Mapping out the target…to find all IP address space and domain names associated with an organization.”
“This is actually one of the most important parts, as the larger the attack surface that you are able to map out, the easier it will be to find a hole somewhere in it.”
The hacker proceeds to go into detail on how they began the attack. At a high level, they take publicly available information like domains and work backwards to plot out IP ranges. They do this using a combination of whois data, other publicly available information and mostly open source tools. In this fashion they map out the attack surface of their target.
Phase 2 – Scanning & Exploiting
“Is it exposing something it shouldn’t?”
“Is it horribly misconfigured?”
“Is it running an old version of software vulnerable to a public exploit?”
Once the hacker has mapped out the attack surface, phase two is to start poking and prodding for weaknesses. The goal of the assailant is to look for misconfigurations, servers exposing sensitive directories, older versions of software with known vulnerabilities, etc. The hacker basically traverses the immense digital footprint of most organizations operating online to look for tiny slivers or cracks in the defense.
Phase 3 – Escalating
“Root over 50% of linux servers you encounter in the wild with two easy scripts, Linux_Exploit_Suggester, and unix-privesc-check.”
At this point the hacker had penetrated the firewall and was trying to get root access on the server they used to get in. It turns out the first attempt was basically a dead end:
“At any rate, the only thing this server does is host the website, so I already have access to everything interesting on it. Root wouldn’t get much of anything new, so I move on to the rest of the network.”
Phase 4 – Pivot
“The next step is to look around the local network of the box you hacked.”
Once the hacker got all the data they needed from their initial point of entry, they looked to pivot around the hacked server’s local network. It’s essentially a rinse and repeat of the scanning and exploiting phase only, “…this time from inside the firewall”.
Phase 5 – Have Fun
“Once you’re in their networks, the real fun starts.”
At this point the hacker found their route in and basically did whatever they wanted with impunity.
For the hacker’s testimonial read here: http://0x27.me/HackBack/0x00.txt
Looking inside the process helps put into perspective the relatively rudimentary attack methods that are unstoppable unless orgs have security over their digital footprint. This hacker even criticizes the tendency to call successful breaches sophisticated attacks:
“At this point I can see the news stories that journalists will write to drum up views: In a sophisticated, multi-step attack, hackers first compromised a web design firm in order to acquire confidential data that would aid them in attacking Gamma Group…”
The reality is that for security teams, mapping out one’s digital footprint is the real first line of defense. It’s simply too easy for bad guys to pivot once they can start poking around the dark, often forgotten sections of a target’s network.
Any organization operating at Internet scale needs a solution with the same capability. Otherwise, that organization is leaving to chance that all too common errors like misconfigured systems, exposed directories or unpatched systems aren’t present and easily exploitable.
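The defensive mirror of Phase 1 is reconciling what an external discovery pass turns up (hostnames, resolved IPs, WHOIS registrant) against the inventory the security team believes it has. The following is an added example, not RiskIQ's code or the hacker's tooling; all hostnames, IP ranges and org names are constructed, and it uses only the Python standard library so it runs offline.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data standing in for one external discovery pass.
# Each record: (hostname, resolved IP, WHOIS registrant org). All hypothetical.
DISCOVERED = [
    ("www.example-corp.test", "203.0.113.10", "Example Corp"),
    ("mail.example-corp.test", "203.0.113.25", "Example Corp"),
    ("old-staging.example-corp.test", "203.0.113.77", "Example Corp"),   # forgotten box in own range
    ("shop.examplecorp-deals.test", "198.51.100.9", "Example Corp"),     # our registrant, other hosting
    ("dev.acquired-brand.test", "192.0.2.40", "Acquired Brand Ltd"),     # inherited via acquisition
    ("examp1e-corp.test", "198.51.100.200", "Unknown Registrant"),       # lookalike, not ours
]

# What the security team's inventory currently says (also constructed).
KNOWN_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_HOSTS = {"www.example-corp.test", "mail.example-corp.test"}
ORG_NAMES = {"Example Corp", "Acquired Brand Ltd"}


def classify(records, netblocks, known_hosts, org_names):
    """Sort discovered hosts into the buckets a security team would act on."""
    buckets = defaultdict(list)
    for host, ip, registrant in records:
        addr = ipaddress.ip_address(ip)
        in_our_space = any(addr in net for net in netblocks)
        if host in known_hosts:
            buckets["inventoried"].append(host)
        elif in_our_space:
            # Lives in a netblock we own but nobody listed it: the forgotten server.
            buckets["unknown_in_own_range"].append(host)
        elif registrant in org_names:
            # Our registrant, someone else's hosting: shadow IT or an acquired asset.
            buckets["ours_hosted_elsewhere"].append(host)
        else:
            # Neither our IP space nor our registrant: outside the footprint.
            buckets["external"].append(host)
    return dict(buckets)


def unknown_asset_ratio(buckets):
    """Share of the footprint (external hosts excluded) that the inventory did not know."""
    known = len(buckets.get("inventoried", []))
    ours = known + len(buckets.get("unknown_in_own_range", [])) \
        + len(buckets.get("ours_hosted_elsewhere", []))
    return 0.0 if ours == 0 else (ours - known) / ours


if __name__ == "__main__":
    result = classify(DISCOVERED, KNOWN_NETBLOCKS, KNOWN_HOSTS, ORG_NAMES)
    for bucket, hosts in sorted(result.items()):
        print(f"{bucket}: {hosts}")
    print(f"previously unknown share of footprint: {unknown_asset_ratio(result):.0%}")
```

Hosts landing in the two "unknown" buckets are exactly the dark, forgotten corners the write-up describes; they are where patching and configuration review should start.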
In this case the attacker was more of a vigilante, but monetarily driven cyber thieves and nation state actors can use the very same methods.
The RiskIQ solution continuously discovers, indexes, and monitors an organization’s digital footprint from the outside in. The process is ongoing and recursive, allowing security teams to inventory all the org’s digital assets. The technology discovers assets inherited via acquisitions, created by shadow IT, and counterfeit rogues generated by outsiders with malicious intent.
Do you think you know where your attack surface begins and ends? Our customers typically find 20-40% previously unknown digital assets in their first 90 days. To find out for certain contact us to request a demo.
Reach out via Twitter @riskiq with any questions or check out our resources section for more detailed information on digital footprints and external threat detection.