Blog

Analyst

Discover | COVID-19 Weekly Update

At the request of our customers, on March 9th RiskIQ's team of trained intelligence analysts began compiling disparate data and intelligence related to COVID-19 into comprehensive reports. Each report combines major updates around COVID-19 and its impacts on cities, neighborhoods, schools, and businesses, as well as essential cybercrime data that helps raise the situational awareness of both physical and cybersecurity teams.

Purpose

This intelligence will help inform the decisions of security teams, who face new requirements during these unprecedented times. Here, RiskIQ strives to provide the security community with a single source of factual reporting and informed analysis to help the security community discover unknowns about their environment and investigate threats.

Notice

RiskIQ will be changing the format and frequency of the COVID-19 Daily Update beginning Friday, 05/15/2020. The report will be released every Friday rather than every day. The report will compile the week’s major stories and events and present them in the Notable Events and Digital Exploitation sections. RiskIQ has established a microsite for COVID-19 coverage, located at https://www.riskiq.com/covid19-cybersecurity/. Thank you for your continued readership.

Analyst

Investigate | COVID-19 Cybercrime Weekly Update

5/22/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Weekly Report - 5/22

External Threat Management

Why We’re Different: Always-on Detection

As attack surfaces grow outside the corporate firewall, cybersecurity teams need to be able to do two things well and at-scale: discover unknowns and investigate threats across their organization's digital presence. The basis of these two capabilities is always-on detection. 

Reliable threat detection has never been more critical now that COVID-19 has changed the way we do business, spreading our operations and entire staff outside the corporate perimeter to the open internet and cloud. The rush to stand up new assets and systems to enable a remote workforce has led to an increase in shadow IT activities and potential access points for hackers—a 112% boost in VPN usage and 26.11% increase in Microsoft Remote Access Gateway instances, to name a couple.

With attack surfaces expanding quicker and more radically than ever before, and the threat landscape growing along with them, organizations need proactive threat detection that sees their entire digital presence for what it really is and, as importantly, never takes a break. 

This post is the second of an eight-part blog series exploring what makes RiskIQ different in a crowded, noisy market. Today we'll outline RiskIQ's always-on detection. 

Always-on detection requires full visibility

External Threat Management

Know Your Internet-Exposed Services, Know Your Attack Surface

A modern organization's digital presence is a mosaic of internet-connected services—hardware, software, and digital supply chains. More internet services mean complexity goes up, and "non-standard" becomes the norm. However, while these digital services boost functionality, they can also unexpectedly change how organizations appear to attackers and, at any time, open up exposures across an attack surface. Just recently, the massive boost in VPN and remote access to enable staff forced to work from home has created an array of new access points for attackers to interrogate.

With your attack surface regularly in flux, keeping tabs on its composition as well as the infrastructure of attackers targeting it is one of the most challenging jobs facing security teams today. However, deep insight across the public internet makes it not only possible but also manageable. 

Discover Unknowns

Enterprise digital attack surfaces are dynamic, complicated, and hard to keep under control. They're a tangle of IP-connected devices and third-party dependencies across the web and in the cloud that continuously change, go out of date, and become exposed. 

Many of these systems were stood up without the oversight of security teams and then forgotten, so they cannot be evaluated or pen-tested. Some were stood up to accommodate a suddenly homebound workforce, and IT teams, moving quickly, may have misconfigured them. Others, like third-party shopping platforms, are entirely outside the purview of most organizations' security tools and can become vulnerable without anyone ever knowing.

External Threat Management

RiskIQ COVID-19 Internet Intelligence Gateway Fights Pandemic of Cybercrime

The global response to COVID-19 revealed a host of new opportunities for threat actors, with FBI cybercrime reports quadrupling during the pandemic.

The mad dash by IT teams to stand up new systems outside the firewall to enable a remote workforce has expanded attack surfaces quicker and more radically than ever before. VPN usage surged 112%, and over just six weeks RiskIQ noted a 26.11% increase in Microsoft Remote Access Gateway instances (peaking around March 20th when stay-at-home orders took full effect). Many of these access points were stood up outside of the security teams' purview, and two recent remote-code-execution vulnerabilities now put them at risk of being used in attacks.

Meanwhile, as concern over the outbreak was sweeping the globe, attackers got to work to take advantage of it. Phishing attacks immediately grew 350%, and hospitals and other healthcare facilities suffered an onslaught of ransomware attacks, 70% of which targeted smaller providers. 

However, no crime technique has flourished during the pandemic quite like scams. RiskIQ noted 317k new websites related to 'COVID-19' or 'coronavirus' in the two weeks between March 9th and 23rd, and Google currently blocks 18 million COVID-19 scam emails daily. Many of these messages promise treatment or a cure for the virus, while others offer promotions, discounts, and free products. In RiskIQ's analysis of scam and spam messages, we encounter such subject lines as "Fight COVID-19 with $100 at Drive Thru!" and "The 3 plants you need to throw in your shopping cart to fight coronavirus." On a typical day, 30k of the emails we analyze send an executable file for Windows machines, which is a reliable indicator of malware.

To take the fight to the scammers, RiskIQ has launched the COVID-19 Internet Intelligence Gateway. The microsite is a one-stop cybersecurity resource center that includes a new crawl submission and lookup service that taps into RiskIQ's massive global crawling infrastructure to analyze and compile malicious URLs related to COVID-19.

External Threat Management

Why We’re Different: The RiskIQ Internet Intelligence Graph

The internet is like a tapestry that's ever-expanding in all directions. Each of its components—websites, IP addresses, frameworks, and code—is an individual thread, and together they are woven into the web as we know it. Being a part of this tapestry isn't a choice; if you have an internet presence, you are interwoven with every other entity on the web, including attackers. Those who understand how these connections work, good guy or bad guy, are the ones who win.

This is the first of an eight-part blog series exploring what makes RiskIQ different in a crowded, noisy market. The first differentiator we'll outline is RiskIQ's Internet Intelligence graph. 

Graphing the internet and its relationships 

Extending security and IT protection outside the firewall requires mapping these billions of relationships between the internet components belonging to every organization, business, and threat actor on Earth. RiskIQ built our Internet Intelligence Graph to prepare enterprises for this reality by enabling them to discover unknowns across their attack surface and investigate threats to their organization. 

For more than ten years, RiskIQ has been crawling and absorbing the internet to define the web's identity and composition by fingerprinting each component, connection, service, IP-connected device, and infrastructure to show customers how they—and attackers targeting them—fit within it. Our global sensor network continuously extracts, analyzes, and assembles internet data, updating each customer's unique Intelligence Graph with a current and 10-year history.

External Threat Management

Ransomware in the Health Sector 2020 – A Perfect Storm of New Targets and Methods

The outbreak of COVID-19 and the anxiety and the uncertainty brought with it has proven to be an opportunity for ransomware actors to go on the offensive. 

Along with leveraging concern over the virus itself, threat actors have thrived on the rapid dispersal of workforces and business operations and the resulting widened protection gaps and decreased visibility security teams have into their organizations' attack surfaces. Attackers now have far more access points to probe or exploit, with little-to-no security oversight. Meanwhile, IT is standing up new systems, new access, and new channels at a breakneck pace. In many cases, they're succumbing to human error, such as critical misconfigurations. 

Attackers are searching for these entry points—unknown, unprotected, misconfigured, and unmonitored digital assets. Microsoft, for example, has seen one operation known as REvil, which targets vulnerabilities in VPN devices and gateway appliances to breach networks, and many other groups are operating the same way. 

Given the recent successes of deploying ransomware via malware attacks, especially during pandemics, RiskIQ assessed in March that it was only a matter of time before cybercriminals returned to it. Now, ransomware attacks are rampant and will increasingly impact healthcare facilities and COVID-19 responders. 

BleepingComputer found that on March 24, cybercriminals targeted hospitals with Ryuk ransomware. Likewise, Forbes reported on March 23 that Hammersmith Medicines Research, a British medical facility on standby to test COVID-19 vaccines, was attacked by a ransomware group called Maze. Fortune also reported a rise in ransomware attacks against medical facilities.

External Threat Management

A Security Checklist in the Age of COVID-19 and the Remote Workforce

For the past ten years, RiskIQ has been crawling and passive-sensing the internet to help security teams prepare for a digital revolution that would cause their attack surfaces to move beyond the firewall and outpace traditional security. New initiatives would demand migration to the cloud and call for the immediate adoption of web, mobile, and social platforms, demonstrating the limitations of network security controls. 

This digital revolution happened quickly, but with the outbreak of COVID-19, it has suddenly gone into hyperdrive. Almost overnight, workforces and business operations decentralized and were flung all over the world, widening the protection gaps. In only the past two weeks, security protocols have completely changed—firewalls, DLP, and network monitoring are no longer valid. Attackers now have far more access points to probe or exploit, with little-to-no security oversight. Meanwhile, IT is feverishly standing up new systems, new access, and new channels and likely succumbing to human error, such as critical misconfigurations. 

The COVID-19 pandemic is a grave and challenging situation for enterprises, but RiskIQ and our customers are uniquely prepared. 

With a network of globally placed sensors, proxies, and web crawlers, RiskIQ has been collecting, analyzing, and storing internet data for more than ten years. This data shows us what the internet looks like, how it is interconnected, and how each business, organization, government, and threat actor appears on the open web and in the cloud. This includes new infrastructure that's stood up remotely.

The COVID-19 pandemic requires immediate action by security teams. Here's what you should do to get started.

Labs Magecart

MakeFrame: Magecart Group 7’s Latest Skimmer Has Claimed 19 Victim Sites

At RiskIQ, we track many different Magecart groups. We continually observe evolutions in the techniques they employ to skim card data and obfuscate the code that they use for that purpose. These skimmers are becoming increasingly capable, fulfilling a variety of functions to optimize the work of the operators that deploy them. 

On January 24th, we first became aware of a new Magecart skimmer, which we dubbed MakeFrame after its ability to make iframes for skimming payment data. We initially flagged it with our machine learning model for detecting obfuscated code. 

Since then, we have captured several different versions of the skimmer, each sporting various levels of obfuscation, from dev versions in clear code to finalized versions using encrypted obfuscation. So far, RiskIQ has observed MakeFrame on 19 different victim sites. 

In some cases, we've seen MakeFrame using compromised sites for all three of its functions—hosting the skimming code itself, loading the skimmer on other compromised websites, and exfiltrating the stolen data. There are several elements of the MakeFrame skimmer that are familiar to us, but it's this technique in particular that reminds us of Magecart Group 7.

The following is our analysis of this unique skimmer and the process we followed to attribute this skimmer to Magecart Group 7.
