Blog

When the Covid-19 pandemic forced businesses to shift overnight, even companies with robust cybersecurity measures were caught unprepared.

A massive influx in remote employees, coupled with a boom in hacker activity, forced businesses to overlook best practices in the name of immediate convenience. In some cases, that meant connecting employees to networks without proper safety precautions. Wider digital attack surfaces presented a bounty of opportunities to unscrupulous actors looking to steal money, data, or both.

By now, most organizations have taken steps to reduce their exposure to threats and have educated employees on the importance of staying vigilant while working from home. These short-term measures will not last forever, though, nor do they replace the need for sweeping change. The pandemic changed the face of cybercrime overnight. Now, businesses must not only round out their responses to the current crisis but start preparing for what comes next.

Digital initiatives have changed the enterprise attack surface and how organizations appear online, both to users and malicious actors. Meanwhile, the threat landscape has evolved right alongside the digital presence of businesses and remains in flux as attackers continuously adopt new tools and tactics. With the paradigm for keeping organizations secure ever-changing, security teams have no choice but to adapt to the perpetual evolution of both the organizations they defend and the adversaries from which they protect it.

In this new dynamic age of cybersecurity, knowledge and context are power, and being mobile ensures survival. The security solutions that matter are automatic and integrate with existing investments. They also include a game-changing amount of context. The RiskIQ Intelligence Connector, the integration linking RiskIQ's Internet Intelligence Graph and Microsoft Sentinel, was built for this. 

The discussions in the coming days and weeks surrounding yesterday's large-scale compromise of verified Twitter accounts, including those of Joe Biden, Barack Obama, and Bill Gates, will likely be about how the attackers gained access to so many high-profile accounts at once. The sheer breadth of digital landscape this breach covered in such little time shocked the world and is sure to stoke concerns about who can access the means of disseminating information—or disinformation—to the masses. 

However, while examining Twitter's internal security practices and controls is an important focus, it's also worth looking at the #Twitterhack from an external angle. Who were these actors, and why did they go through so much trouble to access those accounts? What did their cryptocurrency scam campaigns look like outside of the Twitter spotlight?

RiskIQ's Passive DNS data gives us our first clue. It shows us that domains belonging to these attackers were registered months or years ago, which means pretending to be famous brands and people to trick victims into giving up their cryptocurrency has been their MO far before the fall of the blue checkmarks. Hacking Twitter was simply their latest—albeit their most successful—tactic to access a massive pool of potential victims and lend credibility to their phishing scheme. Before hacking verified accounts, this group may have been leaning on other dependable vehicles for scam victim acquisition, such as fake social media accounts, spam emails, and scam ads. 

Next, tying together the phishing domains belonging to the attacker shows us the overall scope of the attack and which brands were getting impersonated. The Twitter hack itself made the most headlines, but RiskIQ researchers observed only one attacker-owned domain tweeted from a hacked verified account. However, from that one domain, we mapped out hundreds more that attackers didn't use on Twitter. They were likely using these in other attack vectors. 

The average organization's digital presence has exploded in size. Even before COVID-19 spread their staff and operations outside the firewall, businesses were rapidly migrating to the cloud and increasing their use of web, mobile, and social platforms. This digital transformation expanded their attack surface beyond the scope of network security controls like firewalls, DLP, and network monitoring—and enabled attackers to exploit them in ways not possible before. 

The security implications of the enterprise's digital footprint exploding beyond the firewall's friendly confines are clear. According to the Verizon Data Breach report, external-facing web applications, into which network security tools lack visibility, comprised the vector category most commonly exploited in hacking-related breaches. To defend against the now rampant phishing attacks, typosquat registrations, and misinformation spreading through websites, security teams need to think beyond cybersecurity. Instead, they should be taking a holistic view of defense, focusing on attack surface management. 

In 2020, threat prevention alone won't be enough. The COVID-19 pandemic has revealed cybersecurity cracks in thousands of companies, which won't go away now that the world—and the way we work—has changed forever.

The recent surge in cyberattacks in the wake of the COVID-19 pandemic exploit global anxiety around the pandemic and the patchwork work-from-home setups of suddenly-remote staff to hack organizations, infect them with ransomware, and attack their customers. 

This unprecedented increase in opportunity for digital criminals has ushered in a new era of security, responsibility, and expectations for technical leaders. With breaches and other security incidents causing multi-million dollar losses, digital intelligence and cybersecurity have evolved from something of a maintenance cost into a full-fledged business input. CEOs and boards must know how their security postures affect their companies' trajectories. 

CISOs now find themselves as acting generals in a new kind of war, one in which the digital revolution—and the coronavirus that has sent it into overdrive—have created a surge of new combatants. Advanced nation-state actors are prowling digital attack surfaces of western businesses. Iran's cyberattacks in response to U.S. strikes, Russia's ongoing digital intrusions, and China's ever-looming digital armies—American companies lose more than $57 billion per year as a result of Chinese attacks—are just a few examples. Meanwhile, large organized cyber syndicates, more about making money than gathering intelligence or stealing IP, are growing in scale and sophistication and continually probe businesses for weakness. 

These bad actors work from home, too, and they are more than happy to take advantage of vulnerable or misconfigured remote access points and cloud assets, as well as shadow IT stood up outside the purview of security teams. To win this war and act as valuable assets to their companies, CISOs must become more proactive about threat detection and incident investigation—and be able to explain much more than the time and date of the attack.

At the request of our customers, March 9th, RiskIQ's team of trained intelligence analysts began compiling disparate data and intelligence related to COVID-19 into comprehensive reports. Each report combines major updates around COVID-19 and its impacts on cities, neighborhoods, schools, and businesses as well as essential cybercrime data that helps raise the situational awareness of both physical and cybersecurity teams.

Purpose

This intelligence will help inform the decisions of security teams, who face new requirements during these unprecedented times. Here, RiskIQ strives to provide the security community with a single source of factual reporting and informed analysis to help the security community discover unknowns about their environment and investigate threats.

Notice

RiskIQ will be changing the format and frequency of the COVID-19 Daily Update beginning Friday, 05/15/2020. The report will be released every Friday rather than every day. The report will compile the week’s major stories and events and present them in the Notable Events and Digital Exploitation sections. RiskIQ has established a microsite for COVID-19 coverage, located at https://www.riskiq.com/covid19-cybersecurity/. Thank you for your continued readership.

At the request of our customers, March 9th, RiskIQ's team of trained intelligence analysts began compiling disparate data and intelligence related to COVID-19 into comprehensive reports. Each report combines major updates around COVID-19 and its impacts on cities, neighborhoods, schools, and businesses as well as essential cybercrime data that helps raise the situational awareness of both physical and cybersecurity teams.

Purpose

This intelligence will help inform the decisions of security teams, who face new requirements during these unprecedented times. Here, RiskIQ strives to provide the security community with a single source of factual reporting and informed analysis to help the security community discover unknowns about their environment and investigate threats.

5/22/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Weekly Report - 5/22

Ocean Lotus, or APT32, is a now-notorious threat group active since 2014, best known for its relentless malware attacks and spy campaigns against Southeast Asian governments, dissidents, and journalists worldwide.

While investigating previously reported OceanLotus activity, RiskIQ analysts came across a unique SSL certificate associated with the espionage group's infrastructure. Unique to them, the SSL correlated with more than 70 IP addresses since 2017, a connection that earlier this month helped reporters from German Publications BR24 and Zeit Online track Ocean Lotus activity across Europe.

Further analysis of this custom certificate and its associated IP addresses led us to conclude that it is part of the infrastructure OceanLotus uses to deploy Windows-based malware. Based on RiskIQ's first observation of the SSL certificate in our Internet Intelligence Graph, which links together infrastructure across the entire web, the group has been using this certificate since at least February 27, 2020, and continues to use it today.

As attack surfaces grow outside the corporate firewall, cybersecurity teams need to be able to do two things well and at-scale: discover unknowns and investigate threats across their organization's digital presence. The basis of these two capabilities is always-on detection. 

Reliable threat detection has never been more critical now that COVID-19 has changed the way we do business, spreading our operations and entire staff outside the corporate perimeter to the open internet and cloud. The rush to stand up new assets and systems to enable a remote workforce has led to an increase in shadow IT activities and potential access points for hackers—a 112% boost in VPN usage and 26.11% increase in Microsoft Remote Access Gateway instances, to name a couple.

With attack surfaces expanding quicker and more radically than ever before, and the threat landscape growing along with them, organizations need proactive threat detection that sees their entire digital presence for what it really is and, as importantly, never takes a break. 

This post is the second of an eight-part blog series exploring what makes RiskIQ different in a crowded, noisy market. Today we'll outline RiskIQ's always-on detection. 

Always-on detection requires full visibility