Blog

External Threat Management

Cryptocurrency: A Boom in Value Begets a Boom in Crime

When cryptocurrency value rises, we can expect a parallel rise in crypto-related crime, including phishing, fake brokers, and scams impersonating exchanges and other legitimate services. As expected, the recent surge in the global cryptocurrency market has made it a hot target for cybercrime

While the blockchain technology that protects cryptocurrency investments is robust, widespread fraud on social media and across the web circumvents those protections, targeting the general public directly to fool and ultimately rob them. As a result, keeping the pulse of the crypto-threat landscape requires an always-on, internet-wide view. At RiskIQ, we've been tracking crypto-threats to understand their prevalence and how they're evolving. 

Below, we've outlined the most prevalent that we see, including infrastructure analysis via our Internet Intelligence Graph to drill down into the mechanics of each threat and show how they work and why they're effective. 

Continue Reading
External Threat Management Analyst

Microsoft Exchange Server Remote Code Execution Vulnerability: RiskIQ’s Response

On March 2, 2021, Microsoft announced that four previously unknown zero-day vulnerabilities were exploited to attack on-premises versions of the Microsoft Exchange Servers.  Microsoft has reported that attackers exploited these vulnerabilities to gain access to Exchange servers, gain access to email accounts, and deploy malware (typically web shells) for long-term persistent access to victim organizations.  Microsoft credited a security company called Volexity for first observing these exploits on January 6, 2021. These vulnerabilities do not affect Microsoft Office 365 or Azure Cloud deployments of Exchange email servers.

Microsoft has reported they have attributed these attacks to a threat actor group it calls HAFNIUM and assessed it is a People’s Republic of China sponsored campaign.  Additional details of HAFNIUM targeting and attack techniques are included in Microsoft’s security blog. Meanwhile, FireEye’s analysis indicates this attack has ties activity it tracks across three unknown attack clusters and provides additional analysis and indicators in their blog.

Continue Reading
External Threat Management Labs

Turkey Dog Continues to Target Turkish Speakers with RAT Trojans via COVID Lures

Shortly after the COVID-19 pandemic began, there was a spike in threat infrastructure using the crisis to bait, deceive, and social engineer victims. Reports of threat campaigns attempting to fool Turkish-speaking users into downloading Android apps containing the Cerberus and Anubis banking trojans surfaced. Today, new RiskIQ data shows these attacks have not stopped, shedding light on the full extent of these campaigns. 

In May 2020, threat researcher BushidoToken authored a blog pulling together multiple indicators, some appearing as early as April 2020, from researchers tracking Cerberus and Anubis activity targeting Turkish speakers. These two remote access Trojans (RATs), which follow a malware-as-a-service model, steal user credentials to access bank accounts. Highly deceptive, they can overlay over other apps (dynamic overlays), capture keystrokes, SMS harvest and send, call forward, and access other sensitive data across the device. 

The campaigns exploited the pandemic to distribute malicious Android applications via web pages promising free internet packages to encourage people to stay home. To get the "free internet," users only had to install an application on their phones. In all, BushidoToken compiled 24 .apk filenames connected to the campaigns and a long list of domains and URLs. However, recent RiskIQ research shows these campaigns went on for much longer, with more infrastructure and tactics than outlined in May reporting.

Continue Reading
External Threat Management Analyst

Threat Hunting in a Post-WHOIS World

A recent Interisle Consulting Group research report, WHOIS Contact Data Availability, and Registrant Classification Study, finds that more than half of the top-level-domains under ICANN's remit are now controlled by unidentifiable parties. According to the report, "ICANN's policy has allowed registrars and registry operators to hide much more contact data than is required by the GDPR-perhaps five times as much..." 

Regardless of if contact data is ultimately needed to maintain a secure and interoperable Internet, it is now more important than ever to leverage available threat intelligence to combat harmful cyber activity. Traditionally, WHOIS has told analysts who owns a domain. Threat hunters used to be able to use this information to pivot on names, addresses, and phone numbers to find other domains registered to the same owner. For the most part, GDPR broke that.

With WHOIS becoming significantly less useful to build out threat investigations, threat analysts must rely more frequently on other internet data sets as part of their digital tool belt. RiskIQ has made it a core part of our business to collect and correlate as much relevant Internet data as possible to supercharge threat investigations—data that's become even more valuable to analysts since the advent of the GDPR. 

Continue Reading
External Threat Management Analyst

The Business of LogoKit: The Actors and Marketing Behind a Popular Phishing Tool

We recently analyzed LogoKit, a simple, modularized, and adaptable phish kit running on thousands of domains. Easy to use and able to accommodate a wide range of attacker skill levels, LogoKit is a hot commodity on the black market. 

LogoKit's popularity has given rise to enterprising threat actors who manufacture, package, and sell the kit to meet a strong and still growing demand among cybercriminals worldwide. However, these crimeware purveyors are more than just cybercriminals; they're also expert marketers who use social media sites, web forums, and messaging apps to build their brand, advertise their product, and streamline transactions.

After analyzing LogoKit itself last week, we took a closer look at the infrastructure and criminal enterprise behind it. The resulting investigation illuminated a massive phishing ecosystem and thriving crimeware economy driven by a high demand for simple, effective phishing tools. Below, we'll look at a major player in the sale of LogoKit. 

Continue Reading
External Threat Management

2020 Mobile App Threat Landscape: New Threats Arise, But the Ecosystem Got Safer

Each year, businesses invest more in mobile as the lifestyle of the average consumer becomes more mobile-centric. Mobile growth exploded in 2020, with the COVID-19 pandemic advancing mobile adoption "by at least two to three years." According to App Annie, due to the pandemic, Americans are now spending more time on mobile than watching live TV, and social distancing has caused them to migrate more of their physical needs to mobileApp Annie also shows that mobile spending grew to a staggering $143 billion in 2020, year over year growth of 20%. 

This ravenous demand for mobile creates a massive proliferation of mobile apps. Users downloaded 218 billion apps in 2020 and spent more than $240 billion in app stores worldwide. Meanwhile, RiskIQ noted a 33% overall growth in mobile apps available. For organizations, these apps drive business outcomes. However, they can be a dual-edged sword—the app landscape is a significant portion of an enterprise's overall attack surface that exists beyond the firewall, where their security teams often suffer from a critical lack of visibility. 

Continue Reading
External Threat Management Labs

LogoKit: Simple, Effective, and Deceptive

As sophisticated attacks dominate the headlines, it's important to remember that the vast majority of cybercrime results from simple, effective, and tested tools. These tools are easy to use and accommodate a wide range of attacker skill levels. The LogoKit phishing kit, which RiskIQ has detected running on more than 300 unique domains in the past week and 700 over the past month, is a prime example. 

Simple deception is still useful for picking off large groups of victims, and operators of LogoKit know this all too well. Unlike many other phishing kits, the LogoKit family is an embeddable set of JavaScript functions designed to interact within the Document Object Model (DOM), the site's presentation layer. Integrating with the DOM allows for the script to dynamically alter the visible content and HTML form data within a page, all without user interaction. This capability gives attackers a wide range of options for visually deceiving their victims by easily integrating it into existing HTML pretext templates or building fake forms to mimic corporate login portals. 

Continue Reading
External Threat Management

Attacks on the Capitol Showed the Pitfalls of Having a Narrow View of the Internet

In the wake of the tragic events that unfolded on Capitol Hill on January 6, 2021, it is now clear that abundant warning signs existed to alert lawmakers and law enforcement that a dangerous storm was brewing.  It is uncommon for threats of this nature to be so blatantly forecasted. Yet, not enough people did. On December 21, 2020, writer and political analyst Arieh Kovler tweeted, “On January 6, armed Trumpist militias will be rallying in [D.C.], at Trump’s orders. It’s highly likely that they’ll try to storm the capitol after it certifies Joe Biden’s win. I don’t think this has sunk in yet.”

Now that so much of the world has turned to social media, and with the proliferation of so many various platforms, it has become increasingly difficult to monitor where threats broadcast themselves, particularly when so many discovery platforms are keyword based.  If a threat actor makes a post that slips past your keyword threat matrix, it will slip through your detection. Your security teams and corporate leadership will be caught off guard by the threat you will later discover was forecast right in front of your very eyes. It didn’t pop up out of nowhere; unfortunately, you just missed it.

Continue Reading
Labs Magecart

New Analysis Puts Magecart Interconnectivity into Focus

RiskIQ's recent analysis of Magecart infrastructure has shown its massive scale and put its interconnectivity into focus. Our most recent research takes two email addresses evoking the name of one of the most prominent bulletproof hosting providers on earth and ties them to newly discovered batches of Magecart infrastructure. From there, we show how this infrastructure overlaps with previously reported Magecart activity and highlight some common Magecart operator practices that can help researchers identify skimming infrastructure.

Continue Reading