Blog

The internet is like a tapestry that's ever-expanding in all directions. Each of its components—websites, IP addresses, components, frameworks, and code—are individual threads that are all woven together to create the web as we know it. Being a part of this tapestry isn't a choice; if you have an internet presence, you are interwoven with every other entity on the web, including attackers. Those who understand how these connections work, good guy or bad guy, are the ones who win.

This is the first of an eight-part blog series exploring what makes RiskIQ different in a crowded, noisy market. The first differentiator we'll outline is RiskIQ's Internet Intelligence graph.

Graphing the internet and its relationships

Extending security and IT protection outside the firewall requires mapping these billions of relationships between the internet components belonging to every organization, business, and threat actor on Earth. RiskIQ built our Internet Intelligence Graph to prepare enterprises for this reality by enabling them to discover unknowns across their attack surface and investigate threats to their organization.

For more than ten years, RiskIQ has been crawling and absorbing the internet to define the web's identity and composition by fingerprinting each component, connection, service, IP-connected device, and infrastructure to show customers how they—and attackers targeting them—fit within it. Our global sensor network continuously extracts, analyzes, and assembles internet data, updating each customer's unique Intelligence Graph with a current and 10-year history.

The outbreak of COVID-19 and the anxiety and the uncertainty brought with it has proven to be an opportunity for ransomware actors to go on the offensive. 

Along with leveraging concern over the virus itself, threat actors have thrived on the rapid dispersal of workforces and business operations and the resulting widened protection gaps and decreased visibility security teams have into their organizations' attack surfaces. Attackers now have far more access points to probe or exploit, with little-to-no security oversight. Meanwhile, IT is standing up new systems, new access, and new channels at a breakneck pace. In many cases, they're succumbing to human error, such as critical misconfigurations. 

Attackers are searching for these entry points—unknown, unprotected, misconfigured, and unmonitored digital assets. Microsoft, for example, has seen one operation known as REvil, which targets vulnerabilities in VPN devices and gateway appliances to breach networks, and many other groups are operating the same way. 

Given the recent successes of deploying ransomware via malware attacks, especially during pandemics, RiskIQ assessed in March that it was only a matter of time before cybercriminals returned to it. Now, ransomware attacks are rampant and will increasingly impact healthcare facilities and COVID-19 responders. 

BleepingComptuer found that on March 24, cybercriminals targeted hospitals with Ryuk ransomware. Likewise, Forbes reported on March 23 that Hammersmith Medicines Research, a British medical facility on standby to test COVID-19 vaccines, was attacked by a ransomware group called Maze. Fortune also reported a rise in ransomware attacks against medical facilities. 

For the past ten years, RiskIQ has been crawling and passive-sensing the internet to help security teams prepare for a digital revolution that would cause their attack surfaces to move beyond the firewall and outpace traditional security. New initiatives would demand migration to the cloud and call for the immediate adoption of web, mobile, and social platforms, demonstrating the limitations of network security controls. 

This digital revolution happened quickly, but with the outbreak of COVID-19, it has suddenly gone into hyperdrive. Almost overnight, workforces and business operations decentralized and were flung all over the world, widening the protection gaps. In only the past two weeks, security protocols have completely changed—firewalls, DLP, and network monitoring are no longer valid. Attackers now have far more access points to probe or exploit, with little-to-no security oversight. Meanwhile, IT is feverishly standing up new systems, new access, and new channels and likely succumbing to human error, such as critical misconfigurations. 

The COVID-19 pandemic is a grave and challenging situation for enterprises, but RiskIQ and our customers are uniquely prepared. 

With a network of globally-placed sensors, proxies, and web crawlers, RiskIQ has been collecting, analyzing, and storing internet data for more than ten years. This data shows us what the internet looks like, its interconnectivity, how each business, organization, government, and threat actor appears on the open web and the cloud. This includes new infrastructure that's stood up remotely. 

The COVID-19 pandemic requires immediate action by security teams. Here's what you should do to get started.

At RiskIQ, we track many different Magecart groups. We continually observe evolutions in the techniques they employ to skim card data and obfuscate the code that they use for that purpose. These skimmers are becoming increasingly capable, fulfilling a variety of functions to optimize the work of the operators that deploy them. 

On January 24th, we first became aware of a new Magecart skimmer, which we dubbed MakeFrame after its ability to make iframes for skimming payment data. We initially flagged it with our machine learning model for detecting obfuscated code. 

Since then, we have captured several different versions of the skimmer, each sporting various levels of obfuscation, from dev versions in clear code to finalized versions using encrypted obfuscation. So far, RiskIQ has observed MakeFrame on 19 different victim sites. 

In some cases, we've seen MakeFrame using compromised sites for all three of its functions—hosting the skimming code itself, loading the skimmer on other compromised websites, and exfiltrating the stolen data. There are several elements of the MakeFrame skimmer that are familiar to us, but it's this technique in particular that reminds us of Magecart Group 7.

The following is our analysis of this unique skimmer and the process we followed to attribute this skimmer to Magecart Group 7.

The COVID-19 pandemic is making life unrecognizable for most of us and has presented a host of new, unique challenges for security teams. Suddenly, the digital transformation has gone into hyperdrive. Personnel, forced to work from home, have dispersed entire businesses and their operations, and moved the perimeters of their organization's digital attack surfaces with them. 

Making things even harder for practitioners is a surge of attacks against people and businesses by criminals exploiting the global anxiety around the outbreak. These attacks are reprehensible, but, unfortunately, increasing in volume each day. 

As a cybersecurity community, we need to work together, pool our resources, and enable one another to defend our organizations during this period of uncertainty and heightened danger. To do our part, RiskIQ is now offering the following to the community for no charge. 

RiskIQ COVID-19 daily update Intelligence report from the i3 team

This intelligence will help inform the decisions of security teams, who face new requirements during these unprecedented times. With these reports, RiskIQ strives to provide the security community with a single source of factual reporting and informed analysis to help them discover unknowns about their environment and investigate threats. Each report combines major updates around COVID-19 and its impacts on cities, neighborhoods, schools, and businesses as well as other essential data that helps raise the situational awareness of both physical and cybersecurity teams.   

On Thursday, February 20th, around 3 pm GMT, criminals RiskIQ identifies as Magecart Group 8 placed a JavaScript skimmer on the international website for blender manufacturer NutriBullet, nutribullet.com. Our systems caught the cyber attack as it happened and continue to detect new developments.

After multiple attempts to contact NutriBullet and receiving no response*, RiskIQ decided to initiate the takedown of the attacker exfiltration domain with the help of AbuseCH and ShadowServer. Group 8 operators were using this domain to receive stolen credit card information, and its takedown prevented there being new victims.

On March 1st, we observed the skimmer had been removed, but on March 5th, around 7 pm GMT, the cyber attackers placed a new skimmer on the NutriBullet website. We again scrambled to get the infrastructure neutralized. Unfortunately, the criminals still have access to NutriBullet's infrastructure and can continue to replace the skimmer domain in the code to make it work again. Again on March 10th, the cyber attackers were back with another skimmer in yet another script on the NutriBullet website. Until NutriBullet acknowledges our outreach and performs a cleanup, we highly advise against making any purchases on the site as customer data is endangered.

As with all breaches, RiskIQ’s technology and researchers will continue to keep a close eye on the breach and work to take down any additional domains stood up by the criminals. 

The First Skimmer

CrowdStrike recently released its Global Threat Report, an outline of their observations of threat actors and their techniques, covering the year of 2019. While the report itself contains numerous points of interest, one in particular caught the eye of the RiskIQ Research Team. CrowdStrike states, "...the trend toward malware-free attacks is accelerating with these types of attacks surpassing the volume of malware attacks." This shift in tactics requires a corresponding shift by defenders. 

This post will take a more in-depth look at the implications of this shift and how defenders need to adapt to stay ahead of their adversaries, whether they wield malware or not.

Figure–1: CrowdStrike interface showing detection and ThreatGraph

In the report, CrowdStrike defines malware-free attacks as "those in which the initial tactic did not result in a file or file fragment being written to disk." Code executed from memory, stolen credentials used for remote login, and domain-spoofing are all examples of malware-free attacks. Existing CrowdStrike customers have deep visibility into internal endpoint activity along with prevention capabilities, making these attacks less of a concern. Still, it does suggest that defenders will have to work harder and deploy new approaches to identify attackers.

Figure–2: RiskIQ diagram showing how signals can be chained together to find related activity

Global epidemics spread cybercrime as well. Cybercriminals will likely use the global anxiety over the coronavirus to execute ransomware attacks via social engineering.

Cybercriminals have been hugely successful using disasters and global anxiety over virus outbreaks to execute malware attacks via social engineering. Eventually, these types of infections almost always give way to ransomware. 

Ebola, Zika, SARs—over the years, actors leveraging pandemics have developed a distinct pattern with the only significant difference being improvements to attack tools. They execute layered attack campaigns, first with phishing and social engineering to infect users with malware, then taking over the entire system with ransomware or other forms of malware. With the novel coronavirus now a top concern worldwide, that pattern is continuing. 

The latest intelligence brief by the RiskIQ i3 threat intelligence group* assesses that these attacks will focus primarily on large corporations, which rely on markets and supply chains originating in China and other coronavirus-affected regions. Personnel at these organizations have heightened interest in news and developments related to the virus, potentially making them more susceptible to social engineering that tricks them into clicking on malicious links. 

The briefing assesses there are two possible methods of attack, both the result of phishing campaigns. The first involves the AZORult malware, which researchers witnessed was the basis for a phishing campaign targeting members of the shipping industry in January of this year. On at least three different occasions since 2018, however, attackers have used AZORult to deploy ransomware. 

The digital revolution is causing businesses to invest significantly in mobile not only to make more frequent and meaningful interactions with consumers but also to feed a ravenous demand. Users downloaded over 200 billion apps in 2019 and spent more than $120 billion in app stores worldwide. In 2020, consumers will surpass those marks, as mobile usage takes up more and more of our daily lives—3.7 hours on average and rising, according to App Annie. 

Although mobile apps help drive business, the mobile app threat landscape is a significant portion of an enterprise’s overall attack surface that exists beyond the firewall, where security teams often suffer from a critical lack of visibility. Threat actors have made a living taking advantage of this myopia to produce “rogue apps” that mimic well-known brands and are purpose-built to fool customers into downloading them. These imposter apps are an effective tactic because our brains recognize and make instantaneous judgments about visual stimuli. Once downloaded, they can phish users for sensitive information or upload malware to their devices.

On rare occasions, these rogue apps appear in official stores, even breaching the robust defenses of the Google Play and the Apple App stores. However, there are hundreds of less reputable app stores within the mobile app threat landscape, that represent a murky mobile underworld that exists outside of the relative safety of major stores. With many of these apps found in stores hosted in countries known for cybercrime, such as China, or outside of stores altogether on the open web (often referred to as feral apps), it’s no wonder CISOs can’t keep tabs on them. However, for businesses, even though they don’t own or manage these apps, they’re still a part of their attack surface and thus are responsible for detecting and addressing them.

With a proactive, store-first scanning mentality, RiskIQ observes and categorizes the mobile app threat landscape as a user would see it, monitoring both the well-known stores like the Apple App Store and Google Play, but also more than 120 others around the world. RiskIQ also leverages daily scans of nearly two billion resources to look for mobile apps in the wild. Every app we encounter is downloaded, analyzed, and stored so that we can record changes and new versions.

The report found Blacklisted Apps were on the decline, possibly led by efforts by Google.