Blog

The world has never been as vulnerable to cyber attacks as it is today. The sheer number of attacks organizations face, and the global scope of many of those attacks—the SolarWinds and the Microsoft Exchange vulnerabilities affected almost everyone—is putting today's CISOs on the hot seat. 

In the past several months alone, there have been more than a dozen zero-day exploits, an unprecedented rate of successful infiltration making the lack of control and visibility for security leaders painfully evident. 

Advanced persistent threats (APTs) are not only rising in frequency; their impact is increasingly devastating and widespread. Initially, the Microsoft Exchange vulnerability affected more than 400 thousand servers worldwide. These sophisticated attackers are taking advantage of the digital transformation resulting in the digital enterprise extending to the internet and the internet's innate connectedness. 

To truly understand the Magecart skimming groups that have become a mainstay of the e-commerce threat landscape, you have to understand the tools of the trade. The Inter Skimmer kit is one of today's most common digital skimming solutions globally. However, a hallmark of widely used skimmers is their propensity to evolve as more actors use and tweak them to suit their unique needs and purposes. 

Several different actors have used the Inter kit to steal payment data since late 2018. It affects thousands of sites and likely thousands of consumers, and RiskIQ continues to see new iterations of Inter in our Internet Intelligence Graph. One of these that should be firmly on the radar of security teams monitoring their organization's web assets is MobileInter, a modified and expanded take on Inter skimmer code that focuses exclusively on mobile users. 

With nearly three out of every four dollars spent online done via a mobile device, it's no wonder Magecart operators are looking to target this lucrative landscape. RiskIQ researchers have analyzed this newer model to determine its functionality, prevalence, and links to other skimmer activity.

DarkSide, the group behind the infamous ransomware used in the attack against Colonial Pipeline that caused a national panic and sent gas prices soaring, stated on May 13 that they were immediately ceasing operations.

DarkSide operators promised to issue decryptors for all ransomware targets and compensate for outstanding financial obligations by May 23. While news of the group's capitulation is welcomed, the danger associated with the threat actors that use its ransomware has not necessarily been neutralized. 

DarkSide operates as a ransomware-as-a-service (RaaS), and its developers receive a share of the proceeds from its deployment by other malicious cyber actors known as affiliates. On May 11, 2021, FireEye released a Threat Intelligence report on the Tactics, Techniques, and Procedures (TTPs) used by three different Darkside affiliates they identify as UNC2465, UNC2628, and UNC2659. 

Defending your organization's attack surface in today's threat landscape is a global-scale challenge full of continuously changing elements. 

Attacker tools have flooded the web, and advanced adversaries target massive vulnerabilities in ubiquitous systems used across the world. To defend their organizations, security teams need actionable threat intelligence that provides a bird's eye view of the global attack surface and shows precisely how their organization's unique Internet relationships fit inside it—and how these relationships are affected by new threats. 

Unfortunately, analysts usually aren’t equipped with the threat intelligence they need. Often, they have intel that's too generic or entirely irrelevant to their organization’s attack surface. And, even if their threat intel is relevant and actionable, applying it across the teams, tools, and systems in their organization is an incredible challenge. 

Versatile, easy to use, and widely available, TrickBot has become a favorite tool of threat actors of all skill levels and a formidable threat that security teams in all organizations should be familiar with. 

Over the last five years, TrickBot has earned a reputation as a remarkably adaptive modular malware, with its operators regularly updating its software to be more effective and potent against a wide range of targets worldwide. Over its history, TrickBot has largely been propagated through phishing and MalSpam attacks, tactics that remain prominent in TrickBot operations today.

Though the Russian espionage campaign that compromised the SolarWinds supply chain is progressing, public-facing research into the campaign seems to have stopped. The last significant public-facing research into the SolarWinds campaign from the private industry came in March of 2021, more than a month before this publication. Since then, our collective understanding of the campaign has atrophied due primarily to the adversary's steps to thwart forensic analysis. These impediments to analysis impacted both the tactical and strategic responses to the campaign.

This gap in the analysis happened mainly because piecing together what has happened so far is exceptionally challenging. The threat actor, identified by the U.S. Government as APT29 but tracked in the private industry as UNC2452 (Nobelium, StellarParticle, Dark Halo), went to great lengths to avoid creating the type of patterns that make tracking them simple. For months, the Russians successfully compromised or blinded the very security companies and government agencies most likely to pursue them.

RiskIQ’s Team Atlas detected an additional 18 servers with high confidence that likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware. These servers represent a 56% increase in the size of the adversary's known command-and-control footprint and will likely lead to newly identified targets after further analysis. 

For several years, researchers have tracked a phishing kit authored by an actor known as Shadow Z118. Unlike many traditional phishing kits designed only to steal credentials, a handful of the observed Shadow Z118 kits also steal victim identities, payment, and even verify the legitimacy of entered credit information under the false pretext of verifying a user for "security purposes." 

Shadow Z118 kits have been active since at least 2017, and Johannes B. Ullrich at SANS has analyzed it here. The kit's occasional focus on stealing a user's identity and credit information, known as 'Fullz,' sets it apart and has earned it a strong reputation as an effective solution for criminals. 

Since the kit initially appeared, there have been multiple iterations, with many actors copying the original version to create unique variants. RiskIQ's threat research team analyzed several of these variants. In most cases, the phishing pages are constructed well and have multiple steps to trick users into a false sense of security.

For many of us, what draws us into cybersecurity is that original promise of the internet—bringing people together. That idea of creating connections across the world and making sure those connections are safe is something worth defending every single day. 

Recently, that promise has come into jeopardy like never before. There have been over a dozen 0days in the past few months alone. We're just months removed from SolarWinds, an unprecedented attack in the level of privilege and access to networks. Since then, we've dealt with the Microsoft Exchange vulnerability, an incident even more significant in scale and effect, initially affecting more than 400,000 servers worldwide.

The sheer size of these attacks goes beyond our original concepts of security. In reality, these new global-scale attacks aren't a security problem; they're a big data problem that requires a new type of security intelligence. 

Fake banking apps laced with malware continue to be an effective tool for threat actors. For the Yanbian Gang, a criminal group centered in Yanbian, China, that targets organizations across Asia, it's a craft they've been improving on for over a decade. 

The Yanbian Gang has targeted South Korean Android mobile banking customers since 2013 with malicious Android apps purporting to be from major banks, namely Shinhan Savings Bank, Saemaul Geumgo, Shinhan Finance, KB Kookmin Bank, and NH Savings Bank. RiskIQ's threat research team examined some of the threat group's more recent activity in this vector to analyze their malware of choice and the large-scale hosting infrastructure they use to distribute and control it.