Today, it’s WannaCry, yesterday it was Struts2, the day before it was Heartbleed, and tomorrow will be a brand new threat to your organization’s digital attack surface.
While digital threats increase in velocity, volume, and adaptability, two things are certain: organizations need to think about automating their defenses against external threats, and they need a complete and continuous inventory of their entire digital footprint from the perspective of the internet, as customers and adversaries see it.
Unfortunately, many security teams have a blind spot made up of unknown and unmanaged internet-facing assets that often serve as inroads for cyber attacks and data breaches from outside the firewall. According to the Ovum “On the Radar” report, which recognized RiskIQ’s Digital Threat Management Platform, internet-facing business operations, which are increasingly positioned outside the sight or management of IT, can prove difficult to control and put business operations and reputation at risk.
To protect your organization from the next wave of threats, here are three things you need to consider.
Note: Access the RiskIQ PassiveTotal Public Project for WannaCry here >>
The May 2017 attack leveraged the ETERNALBLUE exploit that was leaked by Shadow Brokers in March of 2017. The specific vulnerability utilized in this attack was found in Microsoft Windows systems, detailed by CVE-2017-0144, and was likely introduced into organizations through a malicious email attachment opened by a user connected to a corporate network. From the point of entry, the malware spread laterally as a worm.
The following are resources we recommend to harden SMB usage in internal networks:
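As an added example (not part of the RiskIQ post), the following PowerShell script audits a single Windows host for the SMBv1 exposure that ETERNALBLUE / CVE-2017-0144 relied on and, only when run with `-Remediate`, disables it. It assumes Windows 8.1 / Server 2012 R2 or later with the SmbShare and NetSecurity modules, an elevated session, and a placeholder for the per-build MS17-010 KB number, which you must fill in yourself.

```powershell
# Added example (not from the RiskIQ post): report, and optionally remove, the
# SMBv1 exposure that ETERNALBLUE / CVE-2017-0144 relied on. Assumes Windows
# 8.1 / Server 2012 R2 or later (SmbShare + NetSecurity modules), run elevated.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate,                    # default is report-only
    [string]$Ms17010Kb = 'KB_PLACEHOLDER'  # placeholder: the MS17-010 KB id for this OS build
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. SMBv1 server protocol: the component the exploit targets
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings.Add('SMBv1 server protocol is enabled')
    if ($Remediate -and $PSCmdlet.ShouldProcess('SMB server', 'disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# 2. SMB1Protocol optional feature: disabling it removes the SMBv1 client and server binaries
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings.Add('SMB1Protocol Windows feature is installed')
    if ($Remediate -and $PSCmdlet.ShouldProcess('SMB1Protocol feature', 'disable')) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# 3. Enabled inbound firewall rules that allow TCP/445, the path the worm spread over
$allow445 = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Where-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '445' -or $pf.LocalPort -eq 'Any')
}
if ($allow445) {
    $findings.Add("Inbound TCP/445 allowed by rule(s): $($allow445.DisplayName -join ', ')")
}

# 4. Patch state: the MS17-010 KB number differs per OS build, so it is a parameter
if (-not (Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)) {
    $findings.Add("Hotfix $Ms17010Kb (MS17-010 / CVE-2017-0144) not installed")
}

if ($findings.Count -eq 0) { 'No SMBv1 findings.' } else { $findings }
```

Run it with `-Remediate -WhatIf` first to see which changes it would make; disabling the SMB1Protocol feature takes effect after a reboot.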
Before last week’s now infamous attack with WanaCrypt0r ransomware, most organizations were mainly concerned with compliance fines, financial liability, and material loss of customer confidence through theft of data or fraud. Now, organizations also need to consider the cost of regaining access to, and resuming operation of, their data and systems, which can be held hostage by automated ransomware attacks at internet scale.
Attackers performing reconnaissance will often find unknown, unprotected, and unmonitored assets to use as attack vectors. For a large enterprise, these types of assets are typically easy for even novice hackers and threat groups to find, and because they’re unmonitored, provide an easy way in and out. To defend yourself, you need to know what attackers see when they’re looking at your business from outside the firewall. After all, following an attack or breach, saying “we didn’t know that asset existed,” doesn’t alleviate the damage done.
The “On the Radar” report highlights RiskIQ Digital Footprint, which is a digital footprint discovery, generation, and management solution that is responsible for discovering the external web and digital assets associated with an organization. It provides the mapping, monitoring, and management facilities needed to plot an organization’s Internet attack surface accurately, and therefore, its external risk posture. It uses RiskIQ’s volumes of telemetric Internet data to generate a dynamic and evolving picture of an organization’s threat footprint, assessing at-risk domains, websites, applications, URLs, web page content, autonomous system numbers (ASNs), IP addresses, SSL certificates, and other online associations.
Once you have an accurate and current picture of your digital footprint—including the frameworks and web applications running on your external assets—it is far easier to understand and execute problem-resolution techniques to ensure that your external assets remain secure. This inventory of your assets is also critical for compliance with numerous industry and government regulations.
It is useful to have security analysts capable of investigating and working within the security community, as most enterprises were working this issue as it happened throughout the weekend. Those people need the right tools. With RiskIQ PassiveTotal®, analysts can track indicators such as IPs and SSL certificates related to attacks, which in the case of WannaCry could have pointed to other infected systems.
The Ovum report noted that RiskIQ offers security analysts detailed access to broad, correlated, and derived data, presented in a way that enables faster and more revealing threat investigations as well as collaboration and proactive monitoring. As a starting point for incident response teams and threat hunters, we have put together a public project that includes IP addresses and certificates associated with this most recent WannaCry attack, which you can use to find related infrastructure and investigate across your organization: https://www.passivetotal.org/projects/cc66064c-f94d-4b84-6bcc-4ff3cf51afa9
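An added example, not from the RiskIQ post, of the hunt described above: matching an exported indicator set (IPs and certificate fingerprints, the kind of data a PassiveTotal project holds) against internal firewall and TLS inspection logs to list which internal hosts contacted related infrastructure. Every indicator and log line here is constructed sample data, not real WannaCry infrastructure; a real run would load the project export instead.

```powershell
# Added example (not from the RiskIQ post): hunt an indicator set of the kind a
# PassiveTotal project exports (IPs, certificate fingerprints) across internal
# logs to find hosts that talked to related infrastructure. Every indicator and
# log line below is constructed sample data, not real WannaCry infrastructure.
$indicators = @{
    Ips   = @('198.51.100.23', '203.0.113.77')                # constructed (TEST-NET ranges)
    Certs = @('DE4A7B0C1F2E3D4C5B6A79880F1E2D3C4B5A6978')    # constructed SHA-1 fingerprint
}

# Constructed firewall log: time,src,dst,dport,action
$firewallLog = @'
2017-05-12T10:02:11Z,10.0.4.15,198.51.100.23,443,allow
2017-05-12T10:02:15Z,10.0.4.15,10.0.4.16,445,allow
2017-05-12T10:03:40Z,10.0.7.9,93.184.216.34,80,allow
2017-05-12T10:05:02Z,10.0.9.21,203.0.113.77,443,allow
'@ -split "`r?`n"

# Constructed TLS inspection log: time,src,dst,server_cert_sha1
$tlsLog = @'
2017-05-12T10:02:12Z,10.0.4.15,198.51.100.23,de4a7b0c1f2e3d4c5b6a79880f1e2d3c4b5a6978
2017-05-12T10:03:41Z,10.0.7.9,93.184.216.34,0000000000000000000000000000000000000000
'@ -split "`r?`n"

# Firewall hits: any internal source that reached an indicator IP
$hits = @(foreach ($line in $firewallLog) {
    if (-not $line.Trim()) { continue }
    $t, $src, $dst, $port, $act = $line.Trim() -split ','
    if ($indicators.Ips -contains $dst) {
        [pscustomobject]@{ Time = $t; InternalHost = $src; Indicator = $dst; Type = 'ip' }
    }
})
# TLS hits: any internal source that was served an indicator certificate (-contains is case-insensitive)
$hits += @(foreach ($line in $tlsLog) {
    if (-not $line.Trim()) { continue }
    $t, $src, $dst, $fp = $line.Trim() -split ','
    if ($indicators.Certs -contains $fp) {
        [pscustomobject]@{ Time = $t; InternalHost = $src; Indicator = $fp; Type = 'cert' }
    }
})

# One row per internal host with its earliest sighting: the triage order for isolation and imaging
$hits | Sort-Object Time | Group-Object InternalHost | ForEach-Object {
    [pscustomobject]@{
        InternalHost = $_.Name
        FirstSeen    = $_.Group[0].Time
        Indicators   = ($_.Group.Indicator | Sort-Object -Unique) -join '; '
    }
} | Format-Table -AutoSize
```

With the sample data this reports 10.0.4.15 (IP and certificate match, first seen 10:02:11Z) and 10.0.9.21 (IP match only); the internal 445 connection from 10.0.4.15 to 10.0.4.16 is not an indicator hit, but it is the next pivot once that host is confirmed infected.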
If you don’t have the right people with the right tools, you don’t have a seat at the table, and that means you find out later—and those couple of hours could have put you at greater risk.