The hacker who allegedly hacked Hacking Team has spoken out about their techniques. The key to their attack strategy is mapping out the target’s attack surface. The hacker’s write-up demonstrates that the vast seas of digital assets existing online can plot a course back to a target’s internal systems if left unsecured.
Below is a breakdown, phase by phase, of the hacker’s process for attacking another hacking group:
Phase 1 – Mapping Out the Target
“Mapping out the target…to find all IP address space and domain names associated with an organization.”
“This is actually one of the most important parts, as the larger the attack surface that you are able to map out, the easier it will be to find a hole somewhere in it.”
The hacker goes on to detail how they began the attack. At a high level, they take publicly available information such as domain names and work backwards to plot out IP ranges, using a combination of whois data, other publicly available information, and mostly open source tools. In this fashion they map out their target’s attack surface.
Phase 2 – Scanning & Exploiting
“Is it exposing something it shouldn’t?”
“Is it horribly misconfigured?”
“Is it running an old version of software vulnerable to a public exploit?”
Once the hacker has mapped out the attack surface, phase two is to start poking and prodding for weaknesses: misconfigurations, servers exposing sensitive directories, older software versions with known vulnerabilities, and so on. The hacker essentially traverses the immense digital footprint that most organizations have online, looking for tiny slivers or cracks in the defenses.
Phase 3 – Escalating
“Root over 50% of linux servers you encounter in the wild with two easy scripts, Linux_Exploit_Suggester, and unix-privesc-check.”
At this point the hacker had penetrated the firewall and was trying to get root access on the server they had used to get in. The first attempt turned out to be a dead end:
“At any rate, the only thing this server does is host the website, so I already have access to everything interesting on it. Root wouldn’t get much of anything new, so I move on to the rest of the network.”
Phase 4 – Pivot
“The next step is to look around the local network of the box you hacked.”
Once the hacker had collected all the data they needed from their initial point of entry, they pivoted around the hacked server’s local network. It is essentially a rinse-and-repeat of the scanning and exploiting phase, only “…this time from inside the firewall”.
Phase 5 – Have Fun
“Once you’re in their networks, the real fun starts.”
At this point the hacker had found their route in and could do whatever they wanted with impunity.
For the hacker’s full write-up, see: http://0x27.me/HackBack/0x00.txt
Looking inside the process puts into perspective how relatively rudimentary attack methods are effectively unstoppable unless organizations secure their digital footprint. The hacker even criticizes the tendency to call successful breaches sophisticated attacks:
“At this point I can see the news stories that journalists will write to drum up views; In a sophisticated, multi-step attack, hackers first compromised a web design firm in order to acquire confidential data that would aid them in attacking Gamma Group…”
The reality is that for security teams, mapping out one’s digital footprint is the real first line of defense. It’s simply too easy for bad guys to pivot once they can start poking around the dark, often forgotten sections of a target’s network.
Any organization operating at Internet scale needs the same mapping capability the attacker used. Otherwise, that organization is leaving to chance whether all-too-common errors like misconfigured systems, exposed directories, or unpatched systems are present and easily exploitable.
In this case the attacker was more of a vigilante, but monetarily driven cyber thieves and nation-state actors can use the very same methods.
The RiskIQ solution continuously discovers, indexes, and monitors an organization’s digital footprint from the outside in. The process is ongoing and recursive, allowing security teams to inventory all of the organization’s digital assets. The technology discovers assets inherited via acquisitions, created by shadow IT, and counterfeit rogues generated by outsiders with malicious intent.
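The mapping the hacker performs in Phase 1 is the same inventory a defender needs to run against their own organization, and the asset classes listed above (inherited, shadow IT, counterfeit) are exactly the gaps such a pass should surface. The following Python is an added example, neither RiskIQ’s product code nor the hacker’s tooling: it reconciles a constructed set of externally discovered hostnames against a constructed internal inventory and labels every gap; all hostnames, IP ranges and the brand token are assumed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data, not real records: hostname -> IP as an external
# discovery pass (passive DNS, whois, certificate logs) might return it.
DISCOVERED = {
    "www.example.com": "203.0.113.10",
    "vpn.example.com": "203.0.113.20",
    "old-intranet.example.com": "203.0.113.99",  # forgotten, never inventoried
    "staging.example.com": "198.51.100.5",       # shadow IT outside known ranges
    "portal.acquiredco.com": "192.0.2.77",       # inherited via acquisition
    "examp1e-login.com": "198.51.100.200",       # rogue lookalike ('1' for 'l')
    "cdn-assets.net": "192.0.2.9",               # unrelated third party
}

# Constructed inventory: what the security team believes it owns.
KNOWN_HOSTS = {"www.example.com", "vpn.example.com"}
KNOWN_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]
OWNED_DOMAINS = {"example.com"}
ACQUIRED_DOMAINS = {"acquiredco.com"}
BRAND_TOKENS = ("example",)

def looks_like_brand(host):
    # Fold common digit-for-letter swaps before looking for brand tokens.
    folded = host.lower().replace("1", "l").replace("0", "o")
    return any(tok in folded for tok in BRAND_TOKENS)

def classify_asset(host, ip):
    """Return one category for a discovered host/IP pair."""
    in_known_range = any(ipaddress.ip_address(ip) in n for n in KNOWN_NETBLOCKS)
    domain = ".".join(host.split(".")[-2:])  # naive; ignores multi-label suffixes
    if host in KNOWN_HOSTS and in_known_range:
        return "inventoried"
    if domain in OWNED_DOMAINS:
        # Owned name, but unlisted, or hosted outside the ranges we monitor.
        return "unlisted-owned" if in_known_range else "shadow-it"
    if domain in ACQUIRED_DOMAINS:
        return "inherited-acquisition"
    if looks_like_brand(host):
        return "possible-lookalike"
    return "unknown-external"

def reconcile(discovered=DISCOVERED):
    """Group assets by category; anything but 'inventoried' is a gap."""
    groups = defaultdict(list)
    for host, ip in sorted(discovered.items()):
        groups[classify_asset(host, ip)].append(host)
    return dict(groups)
```

Every category except "inventoried" is something the attacker’s own mapping phase would have found first; the point is to run the pass continuously, since the discovered set changes whenever a team spins up a new host or a lookalike domain is registered.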
Do you think you know where your attack surface begins and ends? Our customers typically find 20-40% previously unknown digital assets in their first 90 days. To find out for certain, contact us to request a demo.
Reach out via Twitter @riskiq with any questions, or check out our resources section for more detailed information on digital footprints and external threat detection.