On May 28, 2020, the United States National Security Agency (NSA) released a Cybersecurity Advisory warning of a Russian espionage campaign, attributed to the Sandworm group, that was actively exploiting vulnerabilities in the Exim mail transfer agent.
The vulnerabilities leveraged affect Exim Internet Mailer versions 4.87 through 4.92. Searching RiskIQ’s internet intelligence database, RiskIQ has observed over 900K vulnerable Exim instances since May 1, 2020.
We can break this data down into daily observations of the versions detected during May. As the graph below shows, RiskIQ has observed a gradual decrease in daily vulnerable instances, indicating that organizations are upgrading their Exim mail servers.
The advisory recommends that organizations running vulnerable instances upgrade to the latest version of Exim Internet Mailer (version 4.93) immediately. The chart below highlights patching trends observed globally over the past month for Exim systems.
Vulnerable versions of Exim are shown in green above, while patched versions (those running Exim 4.93) are shown in orange. Again, we can see a gradual trend: daily vulnerable instances decrease while patched instances increase.
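A defender-side version of the breakdown above, added here as an illustration and not RiskIQ's own tooling: it pulls the Exim version out of SMTP greeting banners, applies the article's cut-offs (4.87 through 4.92 vulnerable, 4.93 patched), and tallies the buckets per scan day. The hostnames, dates and banners in the sample are constructed.

```python
import re
from collections import Counter
from typing import Optional, Tuple

# Version window as stated in the article: 4.87-4.92 exploited, 4.93 is the fixed release.
VULN_MIN = (4, 87)
FIXED_MIN = (4, 93)

# Matches "Exim 4.92", "Exim 4.92.3", "Exim 4.89_1" inside a 220 greeting line.
BANNER_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)(?:[._](\d+))?", re.IGNORECASE)


def parse_exim_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an SMTP banner, or None if it is not an Exim banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(banner: str) -> str:
    """Bucket a banner as 'vulnerable', 'patched', 'older' or 'unknown' using the article's cut-offs."""
    version = parse_exim_version(banner)
    if version is None:
        return "unknown"          # not Exim, or banner hides the version
    series = version[:2]          # point releases are bucketed with their minor series
    if series >= FIXED_MIN:
        return "patched"
    if series >= VULN_MIN:
        return "vulnerable"
    return "older"                # pre-4.87: outside the advisory's stated window, check separately


def daily_breakdown(observations):
    """observations: iterable of (scan_date, banner) -> {scan_date: Counter(bucket -> count)}."""
    per_day = {}
    for day, banner in observations:
        per_day.setdefault(day, Counter())[classify(banner)] += 1
    return per_day


# Constructed sample observations (not RiskIQ data): (scan date, SMTP greeting banner)
SAMPLE = [
    ("2020-05-01", "220 mx1.example.test ESMTP Exim 4.91 Fri, 01 May 2020 08:00:00 +0000"),
    ("2020-05-01", "220 mx2.example.test ESMTP Exim 4.92.3 Fri, 01 May 2020 08:00:01 +0000"),
    ("2020-05-01", "220 mx3.example.test ESMTP Exim 4.93 Fri, 01 May 2020 08:00:02 +0000"),
    ("2020-05-01", "220 mx4.example.test ESMTP Postfix"),
    ("2020-05-28", "220 mx1.example.test ESMTP Exim 4.93 Thu, 28 May 2020 08:00:00 +0000"),
    ("2020-05-28", "220 mx2.example.test ESMTP Exim 4.92.3 Thu, 28 May 2020 08:00:01 +0000"),
    ("2020-05-28", "220 mx5.example.test ESMTP Exim 4.86.2 Thu, 28 May 2020 08:00:02 +0000"),
]

if __name__ == "__main__":
    for day, counts in sorted(daily_breakdown(SAMPLE).items()):
        print(day, dict(counts))
```

Run against your own mail-gateway banner inventory, the per-day counters give the same vulnerable-versus-patched trend the charts above show for the internet at large.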
RiskIQ customers can get visibility into their exposure to this threat through RiskIQ’s Attack Intelligence dashboard available in our Digital Footprint product.
While the NSA advisory only calls out CVE-2019-10149 by name, three critical vulnerabilities involving remote code/command execution (RCE) were announced for Exim in 2019. All three were leveraged in this broader attack campaign.
Additionally, the NSA released a few IOCs associated with this recent Sandworm activity. These IOCs are available for further investigation in this RiskIQ PassiveTotal community.
A modern organization’s digital presence is a mosaic of internet-connected services: hardware, software, and digital supply chains. More internet services mean more complexity, and “non-standard” becomes the norm. While these digital services boost functionality, they can also unexpectedly change how organizations appear to attackers and, at any time, open up exposures across an attack surface. Recently, the massive increase in VPN and remote access deployed for staff forced to work from home has created an array of new access points for attackers to probe.
With your attack surface regularly in flux, keeping tabs on its composition as well as the infrastructure of attackers targeting it is one of the most challenging jobs facing security teams today. However, deep insight across the public internet makes it not only possible but also manageable.
RiskIQ collects data at an unmatched scale. Our systems conduct daily scanning of ports and service banners across the entire IPv4 space to collect host data, including when it was first and last seen, service banners, and much more. These observations are saved within the RiskIQ Internet Intelligence Graph and made available to customers.
Explore RiskIQ’s exposed services data set in RiskIQ PassiveTotal, and learn how RiskIQ can help you discover and protect your attack surface today.