Blog

In incident response, speed and visibility are everything, but they can’t be achieved without a 360-degree view of your attack surface. 

RiskIQ PassiveTotal now integrates directly with Microsoft Defender and Azure Sentinel, bringing Microsoft Defender endpoint telemetry and Azure Sentinel alert data directly to the PassiveTotal threat hunting platform. This combination of RiskIQ and Microsoft data enriches threat infrastructure to show pertinent SIEM alerts and endpoint details alongside RiskIQ's rich Internet intelligence to speed up and supercharge investigations. 

RiskIQ and Microsoft joint customers can enable integrations for both Microsoft Defender and Azure Sentinel separately in their organization's account settings in RiskIQ PassiveTotal. Once enabled, analysts can pivot across RiskIQ data during an investigation to understand all the related infrastructure affecting impacted endpoints or existing security tickets. 

Recently, RiskIQ's suspicious domain classifier surfaced several Google analytics typosquatting domains. One, in particular, led RiskIQ's research team to a phishing campaign impersonating Saudi Arabian government websites.

Based on infrastructure overlap in RiskIQ's Internet Intelligence Graph, our researchers determined that the campaign is connected to a previous research report from March of 2019, which outlined a phishing campaign against the Saudi Arabian government it dubbed Bad Tidings. According to the research—and corroborated by RiskIQ's data—the Bad Tidings campaign dates as far back as 2017.

Analysis of the new infrastructure found by RiskIQ appears to be a follow-on to the Bad Tidings campaign and has been ongoing since the middle of 2019. Based on our analysis of the domain infrastructure used in this new crop of attacks, the attackers appear to be impersonating several organizations, including the Saudi ministries of the interior, foreign affairs, and labor and social development. They are also impersonating the Enjazit e-visa platform and the Absher mobile app, which allows Saudi citizens to access government services. 

Ocean Lotus, or APT32, is a now-notorious threat group active since 2014, best known for its relentless malware attacks and spy campaigns against Southeast Asian governments, dissidents, and journalists worldwide.

While investigating previously reported OceanLotus activity, RiskIQ analysts came across a unique SSL certificate associated with the espionage group's infrastructure. Unique to them, the SSL correlated with more than 70 IP addresses since 2017, a connection that earlier this month helped reporters from German Publications BR24 and Zeit Online track Ocean Lotus activity across Europe.

Further analysis of this custom certificate and its associated IP addresses led us to conclude that it is part of the infrastructure OceanLotus uses to deploy Windows-based malware. Based on RiskIQ's first observation of the SSL certificate in our Internet Intelligence Graph, which links together infrastructure across the entire web, the group has been using this certificate since at least February 27, 2020, and continues to use it today.

Through 2020, the pace of digitalization has only increased as the global pandemic has forced businesses to accelerate the trend of moving assets online. However, as companies shift their infrastructure into the vast and poorly mapped territories of the web, hostile actors are looking to exploit vulnerabilities into company networks – often to devastating effect.

The responsibility of keeping an organization safe falls upon the CISO and their security team, but as the cybersecurity climate has worsened – and threats have grown more sophisticated – simply preventing an attack is no longer enough. CISOs must now act as an intelligence asset to their organization and contextualize attacks to the broader company.
COVID-19 has brought together two tangents that have both exacerbated the risk posed to organizations online.

The Donot APT group (APT-C-35) is an espionage group that focuses its attacks on Pakistan and other South Asian government agencies. One of their hallmarks has been using customized malicious Android APKs to spy on their targets of interest and steal sensitive information. Not much has been released about the group recently, but a recent investigation by RiskIQ has uncovered large swaths of its existing and past mobile C2 infrastructure. These attackers are constantly redeveloping and redeploying tools even though their activity levels may appear to taper off.

Donot has kept mostly quiet for the past year with hardly any new open-source intelligence on them published by the security community. However, on May 31 and then again on June 1, two new malware samples linked to the group surfaced on Twitter. These samples were all RiskIQ needed to leverage our Internet Intelligence Graph to build an update around this well-known APT's most recent activity and malware distribution framework. 

In part one of 'Adventures in Cookie Land', our researchers linked a cookie to a trove of new threat activity. In part two, we see just how far we can take this single indicator.

Digital web skimming attacks continue to increase. By now, anyone running an e-commerce shop is aware of the dangers of groups like Magecart, which infect a website every 16 minutes. 

However, to truly understand these skimmer groups, you have to understand the tools of the trade. The Inter Skimmer kit is one of today's most common and widely used digital skimming solutions globally. It has been involved in some of the most high-profile magecart attacks to date, most notably Group 7's breach of the Nutribullet website. 

RiskIQ has identified more than 1,500 sites compromised by the Inter skimmer, but the data theft tool is still misunderstood by those tasked with defending their organization against it. To demystify Inter, RiskIQ tapped our unmatched body of research into Magecart and its dozens of groups, open-source intelligence (OSINT), and our global internet telemetry. 

Organizations lack visibility into their digital assets, their external network of internet-connected services and devices growing wildly outside their firewalls to support a workforce that will be remote for the foreseeable future. 

The enterprise digital attack surface is now regularly in flux and no longer in the purview of most security controls. More internet devices and services stood up outside the firewall mean complexity goes up, and "non-standard" becomes the norm. Keeping tabs on its composition and the infrastructure of attackers targeting it is one of the most challenging jobs facing security teams today. While organizations grapple with their attack surface, attackers are more active than ever before. More than 375 new threats sprout up every minute, with a wave of phishing attacks, typosquat registrations, and disinformation taking advantage of the COVID-19 pandemic. 

In this new security environment, attack surface management and a 360-degree view of your attack surface. Deep insight across the public internet makes it not only possible but also manageable. 

Ransomware defense is a perpetual cat and mouse game between incident responders and attackers who are continuously evolving their tactics, tools, and strategy. With Ransomware attacks on the rise and costing the US a whopping $7.5 billion in 2019, SOCs and threat hunters must maintain full situational awareness to protect their organization and customers' data—and avoid massive material loss. However, ransomware defense is no easy task and requires a 360-degree view of your organization's attack surface.