Blog

In October, RiskIQ discovered what we believe to be a new Magecart skimmer placed on several e-commerce sites, including websites for the well-known hair treatment company Bosely and the Chicago Architecture Center (CAC), one of Chicago's largest cultural organizations. The skimmer was or has been on both these sites for several months.

RiskIQ researchers have dubbed the skimmer used in these attacks "Meyhod," after a mistyped function in the skimming code. Meyhod itself is simple compared to the Magecart skimmers we've recently analyzed, such as the new variant of the Grelos skimmer and the Ant and Cockroach skimmer. However, Meyhod is carefully crafted to blend in with victim sites' appearance and functions, indicating experienced Magecart operators wield it.

The Meyhod skimmer works by appending code to seemingly benign JavaScript resources ranging from commonly used JavaScript libraries to custom code. These resources have been embedded in cart and checkout pages using script tags that could easily be mistaken for an ordinary call to a library.  

The FireEye hack resulting in the theft of sophisticated red team tools was part of one of the most devastating cyberattacks in recent history. Today, with the news that Russian operatives also breached SolarWinds' Orion software, the attack has proven much worse than anyone thought. 

FireEye's investigation surfaced a supply chain attack trojanizing legitimate SolarWinds Orion business software updates to distribute malware. This hacking campaign, which may date back to as early as fall 2019, affects vulnerable Orion versions 2019.4 HF 5 through 2020.2.1.

According to FireEye, a SolarWinds digitally-signed component of the Orion software framework contains a backdoor, dubbed SUNBURST, that communicates via HTTP to attacker-owned CC servers. This takeover of SolarWinds' Orion software, an IT performance monitoring platform that integrates into a businesses' full IT stack, is akin to handing over the keys to SolarWinds' customers' networks to attackers. 

CISA has issued an emergency directive calling on all organizations to review their networks and disconnect from any SolarWinds systems. Still, real-time global visibility is the most effective weapon against this new breach. 

This week, FireEye’s proprietary red team tools (pen-testing and hacking) were stolen. It appears the attack was executed by highly advanced nation-state threat groups after breaching FireEye systems with "novel” and “previously unseen” techniques.

This successful attack has critical implications. A new set of sophisticated hacking tools have joined the cyberattack arena that gives skilled threat actors a powerful new way to target attack surface weaknesses, vulnerabilities, and exposures worldwide. While these hijacked red team tools did not contain any 0-day exploits, they put digital assets outside the firewall, such as web apps, devices, services, pages, in immediate jeopardy.

RiskIQ's unique internet-wide visibility gives our customers an advantage in protecting their attack surfaces from this newly heightened threat. Our Illuminate Platform finds digital assets connected to an organization outside their internal network, providing visibility into those that may be vulnerable to attacks, including their critical CVEs.

In early July 2020, RiskIQ began tracking a phishing campaign identified through our internet intelligence graph targeting colleges and universities worldwide. From July 2020 into October 2020, RiskIQ systems uncovered 20 unique targets in Australia, Afghanistan, the UK, and the USA.  

All these attacks used similar tactics, techniques, and procedures (TTPs) as Mabna Institute, an Iranian company that, according to the FBI, was created for illegally gaining access "to non-Iranian scientific resources through computer intrusions." Mabna Institute earned the moniker "Silent Librarian" due to its focused efforts to compromise university students and faculty by impersonating university library resources using domain shadowing to harvest credentials. 

However, while RiskIQ's findings are consistent with TTPs in use by Silent Librarian, they alone are not sufficient to attribute the threat activity we've detected against these 20 universities directly to Mabna Institute. Therefore, RiskIQ has named actors identified during this research as "Shadow Academy."

E-commerce has the potential to break records this year, with extraordinary circumstances funneling more shoppers to digital outlets than ever before. Due to COVID-19, eMarketer projects a 10% fall in overall holiday sales but a 17% rise in e-commerce sales, and Deloitte projects a continued increase in retail sales over last year's figures. The latter forecasts that e-commerce sales could rise by as much as 35% due to limited in-store retail options.

At RiskIQ, we cannot help but view this uptick in digital spending for what it presents: more opportunities for cybercriminals to take advantage of increased e-commerce activity. RiskIQ researchers have tracked evolutions in Magecart digital credit card skimming infrastructure leading up to the holiday shopping season. Meanwhile, RiskIQ systems detect one phishing domain and five domain infringement events every minute. These numbers are expected to rise for e-commerce brands as the holiday shopping season continues to ramp up. 

But how does this extremely active threat landscape affect shoppers? 

As security researchers shine more light on the world of Magecart, we see that this vast card-skimmer underworld is more and more intertwined and connected. As we draw these parallels between different attacks, skimmers, and other infrastructure, many things become more transparent, like which groups are responsible, how they target their victims, and how their tooling evolves. Just last week, RiskIQ published a report tying the ubiquitous 'Ant and Cockroach' skimmer to Magecart Group 12, which indicated just how far-reaching the group's infrastructure and activity have become. 

However, as more of the Magecart landscape comes to the surface, things also get more murky and complicated. In many recent Magecart compromises, we've seen increasing overlaps in infrastructure used to host different skimmers that seem to be deployed by unrelated groups using various techniques and code structures. We also observe new variants of skimmers reusing code seen in the past. For instance, the compromise of boom! Mobile involved the Full(z) House skimmer hosted on infrastructure not previously associated with Full(z) House. This same infrastructure hosted skimming domains we observed loading other skimmers, including different versions of the grelos skimmer. This pattern may indicate that different skimming groups use the same infrastructure to host their skimming domains, possibly purchasing hosting services from the same third party. 

Deloitte expects holiday e-commerce sales to amount to $182 billion to $196 billion this year, increasing by 25% to 35%, compared with year-over-year growth online of 14.7% in 2019. With this surge in online holiday shopping due to COVID-19, malicious actors will be looking to capitalize. 

RiskIQ now detects one phishing domain and at least five domain infringement events every minute, with those numbers expected to increase for e-commerce brands as the holiday shopping season continues to ramp up. In response, RiskIQ announced its new Holiday Shopping Microsite, a free, one-stop cybersecurity resource center that tracks and reports new web hosts and domains that leverage holiday shopping events, including Black Friday, Cyber Monday, and Cyber Week. 

The site will serve as an authoritative source of intelligence that security practitioners can use to block and investigate holiday shopping scams as they increase on an unprecedented scale. Already, RiskIQ’s systems have observed 10,727 instances of new holiday shopping infrastructure stood up in advance of Black Friday and Cyber Week since November 1.

COVID-19 changed the rules of the game virtually overnight.

The news has covered the broader impacts of the pandemic, particularly the hit to our healthcare, the drops in our economy, and the changes in education. But when a massive portion of our workforce was sent home, and companies moved operations online, no one thought about how vulnerable to cyberattacks those companies had now become. The attack surface had changed, giving malicious actors new inroads that no one had previously watched out for.

The thing is, cybersecurity isn't a battle that's ultimately won, but an ongoing game to play every day against attackers who want to take your systems down. We won't find a one-size-fits-all solution for the vulnerabilities that were exposed by the pandemic. Instead, each company needs to charge the field and fend off their opponent based on the rules of play. Today, those rules are that anything connected to the internet is fair game for cybercriminals, and it's on organizations to protect these digital assets. 

COVID may have changed the rules, but the game is still on. Despite the security threat, this pandemic may have caused a massive opportunity for companies — if they're willing to take it.

Ryuk Ransomware has flooded US hospitals, threatening to shut down their operations when they're needed most. Ryuk now accounts for a third of all ransomware attacks in 2020, with its operators finding success while many healthcare organizations are most vulnerable. 

However, the cybersecurity community is coming together to combat this rash of attacks, combining resources to provide network defenders with alerts and intelligence to protect our healthcare institutions. 

To do our part, RiskIQ released the entirety of the infrastructure related to the Ryuk strain of ransomware collected by RiskIQ's Internet Intelligence Graph.