- Table of contents
Awarding Cyberint’s Security Efforts
Cyberint researchers invest significant time and effort into researching and trying to mitigate the next cyber attack. In addition, breach reports that detail the mode of attack and how it was discovered are published freely with the aim of sharing the knowledge. While this is not the purpose behind our research, it is nice to be recognized. We have been amassing awards and recognition recently, and have been identified as a Top 100 MSSP (Managed Security Services Provider). CyberInt has also landed on Startup50s list of the year’s top startups judged on their ability to secure funding, land on-the-record customers, and attract top-flight talent.
In addition, Deloitte has listed Cyberint in its Israel 2018 Technology Fast 500 EMEA ranking that recognizes the fastest-growing technology companies.
These awards and recognitions are a testament to the blood, sweat and tears that Cyberint researchers have been putting in to track and dissect the latest cyber threats.
CyberInt’s Research Highlights
Cyberint researchers have been diving deep into the dark web to track the nefarious activities attributed to TA505 following the spear-phishing campaign targeting large US-based retailers in 2018. A surge in tactics, techniques, and procedures (TTPs) had been observed by Cyberint, utilizing legitimate remote access tools that highlight a new level of sophistication to phishing campaigns targeting large retailers and financial companies.
A successful attack using the remote administration tool ‘Remote Manipulator System (RMS), allows the threat actor to gain access to networks and evade traditional security controls. Cyberint’s report on TA505 also dives into the group’s profile and motives, activities since 2014, other attacks targeting financial institutions, and precise details into the anatomy of the attack from 2018. “TA505 is highly motivated, very clever, and persistent,” says Adi Peretz, Head of Research at Cyberint. “It’s critical to monitor their activities to anticipate further attacks.”
To protect digital industries, Cyberint often plays the role of cyber attackers to find vulnerabilities. Last year, Cyberint discovered that 96% of Fortune 500 companies are vulnerable to ‘subdomain hijacking’, which is often caused by poor subdomain management.
CyberInt, along with Check Point Software Technologies Ltd, discovered that EA Games had a subdomain that was still configured with a CNAME to alias a service name with Microsoft Azure cloud services. Cyberint was able to demonstrate how an attacker could easily hijack the subdomain and intercept legitimate EA Games’ user requests. As a result EA Games immediately rolled out an update and patched before vulnerabilities could be exploited by threat actors. Additionally, EA’s cyber security team significantly strengthened its domain-creation policies across the entire organization to avoid subdomain hijacking in the future.
In mid-December of 2018, Cyberint detected a spear-phishing campaign against large USA retailers and other businesses in the food and beverage industry. An email was crafted to appear legitimate by using the targeted organization’s logo. An attached document, when opened, would then initiate a series of events that would deliver several malware families such as Gussdoor, Xrat, and Vimditator.
Cyberint was able to show, by detailing the anatomy of the campaign, that attackers are improving their obfuscation capabilities to hide their attacks. The analysis also revealed that the attackers leveraged commodity malware to deliver sophisticated capabilities.
In 2018, there were a number of high-profile payment scraping attacks targeting online retailers. Newsworthy victims included Ticketmaster, British Airways, Newegg, and ABS-CBN Corporation. The similarities between these and previous payment scraping campaigns leads researchers to believe they are all linked to the threat dubbed ‘Magecart’, reportedly carried out by Russian-speaking cybercriminals. Malicious scripts appear to be injected at the foot of HTML pages, while similar script injections have also been observed between legitimate script tags, possibly indicating a more manual approach to avoid manual code inspection.
Investigations into the TTPs employed by this threat reveals clusters of TTP methods. One particular cluster of TTP indicates multiple threat actors are conducting similar operations. With the apparent success of previous attacks, additional clusters of TTP and potential threat actor profiles will continue to evolve.
Botnet Malware Ramnit
Cyberint Research discovered a re-emerging email phishing campaign targeting large financial organizations in the Philippines. The phishing email contained a link to a malicious phishing website made to appear as a personal information form of the financial organization to steal the user’s personal information and account details. The email also included an embedded payload that contains the Ramnit malware. When executed, it infected the machine with a Ramnit variant to download an executable onto the victim’s machine.
We’re Proud to see that Cyberint’s Research Does Not Go Unnoticed
Discovering these attacks and breaking down the anatomy to reveal the attack source, motive, and other details takes a dedicated team of highly talented people.
Awards and recognition from MSSP Alert and Startup50 attest to the work Cyberint analysts are undertaking in researching the above attacks, and many others.
Being honored as one of the fastest-growing technology companies comes from the consistent results in helping companies detect and protect from cyber attacks.
Follow our blog to see why Cyberint is being recognized as an industry leader.