Blog

Today Microsoft announced its intent to acquire RiskIQ, representing the next stage of our journey that's been more than a decade in the making. We couldn't be more excited to join forces to enable the global community to defend against the rising tide of cyberattacks. 

RiskIQ was conceived to preserve the original promise of the Internet—bringing people together. Connecting people across the world and making sure those connections are safe is something worth defending every single day. That hasn’t changed.

When RiskIQ first launched, the digital enterprise was shifting to the Internet, the start of digital transformation. SaaS; Mobile apps were suddenly everywhere; the cloud was becoming the basis of development—essentially, the Internet was becoming the network, and the extended enterprise was born.

What happens in the span of a minute across the internet? 

Lately, we've seen the global threat landscape get broader, more chaotic, and more unpredictable. As the internet grows, so does the scale of threat activity targeting organizations, which expanded their digital presence and accelerated their cloud adoption in the wake of the COVID-19 pandemic. 

Our 2021 Evil Internet Minute aims to illuminate the top threats facing organizations today and put the year's cybersecurity research into context by framing it on a micro-scale. We leveraged our Internet Intelligence Graph and favorite third-party findings to closely examine the malicious activity that transpires across the world every 60 seconds. 

Bulletproof hosting (BPH) is a collection of service offerings catering to internet-based criminal activity. These businesses often operate in a grey area, attempting to appear legitimate while shielding the illegal activity they host from disruption amid abuse complaints and takedown requests. Providers often foster relationships with authorities in countries prone to corruption or otherwise unconcerned with certain types of illicit activity. 

TrendMicro summarized BPH in a great graph covering three different types of BPH providers: those using stolen/compromised assets, those with a short-term lease, and providers leveraging their own data center/co-location.

In this first post in a new series of articles, we'll focus on bulletproof hosting providers with more established infrastructure, including Media Land LLC, one of the most infamous providers in the threat landscape. Our analysis of this infrastructure surfaced thousands of domains linked to threat campaigns of all kinds, showing the ubiquity, and utility, of bulletproof hosting providers. 

In much of our recent analysis of threat infrastructure, we've seen the digital credit card skimming ecosystem grow as we uncover more actors, tooling, services, and economies that comprise it. We also see distinct patterns emerge in the infrastructure used and shared by these entities. 

Over the last few years, Alibaba IP space has hosted many domains used for digital skimming and other malicious behavior. As bulletproof hosting providers host a considerable portion of skimming campaigns, the popularity of Alibaba IP space may result from one of these bulletproof services abusing Alibaba hosting services. Recently, some of these domains have also abused Google user content hosting.

While investigating infrastructure related to the MobileInter skimmer, our researchers found that a Google IP address briefly played host to one of its skimmer domains. This IP then hosted a domain offering a helpful service for card skimmers, allowing them to authenticate stolen payment data for a fee. From this data point, RiskIQ's Internet Intelligence Graph helped our researchers identify several related websites, services, and social media accounts connected to this authentication activity known as bit2check. Some bit2check domains share the same hosting pattern as Magecart domains observed abusing Alibaba and Google hosting services.

The Microsoft Exchange vulnerability was a global-scale security issue that affected thousands of organizations across the world. With the prevalence of Microsoft Exchange servers across the global attack surface, the sheer size of this incident goes well beyond security. In reality, this is a big data problem. 

RiskIQ has continuously collected internet data for more than a decade to put the vulnerability's scope into context so our customers can respond rapidly. However, in the process, we noticed that not all countries are patching this critical vulnerability effectively. 

The results of scans from our global sensors show that despite this being a ubiquitous issue, each country has reacted very differently, with patching success varying wildly across borders and continents.

How did different organizations and hosting providers fare in different regions around the world? We looked at our data to break it down:

The Sysrv-hello botnet is deployed on both Windows and Linux systems by exploiting multiple vulnerabilities and deployed via shell scripts. 

Like many of the threat actor tools we've covered, it continuously evolves to fit the needs of its operators and stay ahead of security researchers and law enforcement. 

Over time, there have been several slight changes in the shell scripts that install the Sysrv-hello implant on machines. There have also been incremental changes in how the executable gets deployed on host systems. In our latest threat intel analysis, RiskIQ researchers have identified one of its latest developments, including the use of drive-by downloads and two new Monero wallets. 

The world has never been as vulnerable to cyber attacks as it is today. The sheer number of attacks organizations face, and the global scope of many of those attacks—the SolarWinds and the Microsoft Exchange vulnerabilities affected almost everyone—is putting today's CISOs on the hot seat. 

In the past several months alone, there have been more than a dozen zero-day exploits, an unprecedented rate of successful infiltration making the lack of control and visibility for security leaders painfully evident. 

Advanced persistent threats (APTs) are not only rising in frequency; their impact is increasingly devastating and widespread. Initially, the Microsoft Exchange vulnerability affected more than 400 thousand servers worldwide. These sophisticated attackers are taking advantage of the digital transformation resulting in the digital enterprise extending to the internet and the internet's innate connectedness. 

To truly understand the Magecart skimming groups that have become a mainstay of the e-commerce threat landscape, you have to understand the tools of the trade. The Inter Skimmer kit is one of today's most common digital skimming solutions globally. However, a hallmark of widely used skimmers is their propensity to evolve as more actors use and tweak them to suit their unique needs and purposes. 

Several different actors have used the Inter kit to steal payment data since late 2018. It affects thousands of sites and likely thousands of consumers, and RiskIQ continues to see new iterations of Inter in our Internet Intelligence Graph. One of these that should be firmly on the radar of security teams monitoring their organization's web assets is MobileInter, a modified and expanded take on Inter skimmer code that focuses exclusively on mobile users. 

With nearly three out of every four dollars spent online done via a mobile device, it's no wonder Magecart operators are looking to target this lucrative landscape. RiskIQ researchers have analyzed this newer model to determine its functionality, prevalence, and links to other skimmer activity.

DarkSide, the group behind the infamous ransomware used in the attack against Colonial Pipeline that caused a national panic and sent gas prices soaring, stated on May 13 that they were immediately ceasing operations.

DarkSide operators promised to issue decryptors for all ransomware targets and compensate for outstanding financial obligations by May 23. While news of the group's capitulation is welcomed, the danger associated with the threat actors that use its ransomware has not necessarily been neutralized. 

DarkSide operates as a ransomware-as-a-service (RaaS), and its developers receive a share of the proceeds from its deployment by other malicious cyber actors known as affiliates. On May 11, 2021, FireEye released a Threat Intelligence report on the Tactics, Techniques, and Procedures (TTPs) used by three different Darkside affiliates they identify as UNC2465, UNC2628, and UNC2659.