Group-IB announces that its Threat Intelligence & Attribution system has been found compliant with the recommendations issued by United States Department of Justice for cybersecurity and cyber intelligence companies. Based on innovative technologies confirmed by over 30 patents worldwide, Group-IB TI&A is intended for collecting data on threats and attackers relevant for a specific organization, examining of and proactive hunting for hackers, and the protection of the network infrastructure. The independent assessment of Group-IB Threat … More
The post Group-IB TI&A found compliant with recommendations by US Department of Justice appeared first on Help Net Security.
Group-IB has revealed the results of its yearslong development of proprietary high-tech products for threat hunting and research — Threat Intelligence & Attribution and Threat Hunting Framework.
Group-IB has become the first company to offer a new type of solution called Threat Intelligence & Attribution. The system is designed to create and customize a cyber threat map for a specific company, correlate individual cybersecurity events in real time, and attribute attacks to a particular threat actor.
The creation of TI&A marks the emergence of a new type of solutions for collecting data on threats and attackers relevant for a particular organization with the aim of examination and proactive hunting for threat actors, research, and protection of network infrastructure. Currently, there no analogues to TI&A on the international market.
Yet another innovation presented by Group-IB is Threat Hunting Framework – a system for IT and OT networks that protects against unknown threats and targeted attacks, hunts for threats both within and outside the protected organization’s perimeter, and helps investigate and respond to cybersecurity incidents and minimize their impact.
According to Hi-Tech Crime Trends 2020-2021, a report that provides an analysis of high-tech crimes worldwide, the merge of various cybercrime segments has led to the appearance of new threats, which resulted in increased damage as a result of attacks. Thus, analysts’ most conservative estimates suggest that the overall damage to companies in 45 countries caused by known ransomware incidents amounts to over $1 billion.
The market for selling access to compromised corporate infrastructures has grown at an explosive pace: in one year it has increased four-fold reaching $6,189,388. The number of sellers has jumped to 63, with both cybercriminals and state-sponsored actors among them.
Compared to the previous period, the size of the carding market, which is connected with the theft of bank card data, has grown by 116% nearing $2 billion. In the face of these challenges, public and private sector companies have to reevaluate their cybersecurity strategies and focus on hunting threats, relevant to their specific industry.
Today, Group-IB presented the result of the evolution of its proprietary high-tech crime investigation and cyberattack prevention product line, which includes two innovative solutions: Threat Hunting Framework (THF) and Threat Intelligence & Attribution (TI&A).
The complex engineering systems are connected to each other brought together in a single smart ecosystem capable of automatically halting targeted attacks against organizations.
The ecosystem provides security teams with tools for linking individual events, attributing threats, analyzing malicious code, and instantly responding to cyber incidents. It is based on the patented technologies developed by Group-IB’s analysts and engineering teams.
Group-IB currently has 33 patents (including 6 in the United States, 5 in the Netherlands, 4 in Singapore, and elsewhere). All of them were issued for the technologies lying at the heart of TI&A, THF and the company’s other innovative products.
In addition, Group-IB has 55 patent applications (14 in the United States, 5 in the Netherlands, 12 in Singapore, and 24 more internationally).
“The dynamic of cybercrime is signaling to the market that companies should be able to prevent most threats automatically, but this is not enough,” says Group-IB CTO Dmitry Volkov.
“Smart threat actors with money and resources will eventually learn to bypass any automated detection system. You need to prepare for that by building your experience in hunting for threats using tools customized to this task. In this fight, blocking will not help: tomorrow you will be attacked based on how you stop the threat today.
“Hunting for threats is an ongoing process based on the ability to handle huge amounts of internal and external data lakes, ranging from system events and traffic metadata to domains, hosts, and hacker groups’ profiles. To be able to work with this data means to be a professional threat hunter. This is the future of cybersecurity.”
Group-IB’s team of engineers base their development of cybersecurity technologies on several principles. Firstly, detection systems and algorithms have to be adversary-centric; this means that cybersecurity experts should receive alerts with either clear technical justification or full intelligence context on a given threat: who the attackers are, what their motivation is, what their tactic is, and what IOCs and TTPs are expected to be used in further attacks.
When possible, a solution has to block threats immediately, but detection and blocking is not enough. This is only the beginning of building effective security systems.
Secondly, the enrichment process has to be fully automated and should provide as much context related to IOCs and TTPs as possible. To achieve that, an analysis engine must go beyond simple threat detection: it is crucial to extract and fully detonate discovered payloads in a safe isolated environment, harvesting indicators of compromise that help in subsequent threat hunting activities.
Thirdly, threat hunting is a crucial process of proactive searching for something that could have been missed in the past and potentially might be missed in the future.
Detection is never enough
Group-IB Threat Hunting Framework (THF) is the first all-in-one solution for protection of both IT and OT networks. The fact that Group-IB AI-driven Threat Hunting Framework, the only of its kind, serves as a single cybersecurity solution and unites standards for two different network segments is a quantum leap in cybersecurity market that changes the rules inside the industry.
The new product’s key goals are the detection of previously unknown threats and targeted attacks, the containing of detected threats and automation of instruments for identifying links between threats both inside and outside of the protected perimeter.
The THF has a patented malware detonation technology that goes beyond traditional sandboxing and sets up new industry standards for file analysis solutions and an innovative endpoint module for real-time host protection and malicious behavior detection with a unique patented server-side classifier.
Threat Hunting Framework architecture has several main modules, each of which is innovative in its nature and whose functionality goes beyond the existing product categories defining absolutely new type of cybersecurity solutions.
THF Sensor is designed to identify threats at the network level thanks to an in-depth analysis of network traffic. The solution identifies threats and infected hosts by analyzing the network traffic protecting not only IT segment of the network, but also OT network with the help of its Sensor Industrial module.
The module ensures that the integrity of ICS software is under control by analyzing industrial protocols and protecting corporate networks comprehensively, detecting threats with the use of its high-performance AI-driven classifier.
Group-IB’s another innovation is THF Polygon. This platform is designed to detonate malware. It detects threats by performing behavior analysis of emails, files, and links and runs malware in an isolated environment. It is crucial to fully detonate the discovered payloads and extract all related IOCs and artifacts to be able to attribute the attacks.
Email remains a key system for initial compromise for cybercriminals. This problem affects businesses of any size. In response to this threat, Group-IB for the first time presented its cloud-based solution for the prevention of all types of email attacks — Atmosphere.
Atmosphere aims to make cutting-edge technologies for detecting email threats affordable and easily deployable, while at the same time keeping the technology part of Threat Hunting Framework and offering not only qualitative filtering of emails, but also the rest of THF’s advantages: malware detonation, attack attribution and integration with other modules of the ecosystem.
For the first time, Group-IB has introduced a solution for protecting end hosts: Huntpoint. This module creates a complete timeline of events on the host, which is available both in real time and retrospectively, detects abnormal behavior, and blocks malicious files. What is more, it isolates hosts from the network and collects forensic data for further research.
The Huntbox module is responsible for fully automated analysis and correlation of network events. This module provides a full picture of threats within and beyond an organization’s network, helping to hunt for threats and identify malicious activity targeting the company.
Group-IB Threat Hunting Framework capabilities are enhanced by the Decryptor module, which is designed to decrypt TLS/SSL traffic in the protected infrastructure.
Group-IB provides access to its internal tools for tracking hackers
Threat Intelligence & Attribution, which is one of the most heavily loaded Group-IB systems — it handles petabytes of data on adversaries and their tools and infrastructure, — has leaped forward.
TI&A marks the creation of a new type of solutions for collecting data on threats and attackers relevant to a specific organization. It helps analyze adversaries and their tools in order to proactively hunt for criminal groups and protect network infrastructure.
TI&A combines unique data sources and experience in investigating high-tech crimes and responding to complex multi-stage attacks worldwide to enrich all other Group-IB products with data for hunting for attackers and threats.
The system stores data on threat actors, domains, IPs, and infrastructures collected over the last 15 years, including those that criminals attempted to wipe out. The extensive functionality of the system helps customize it to the threat landscape not only relevant to a particular industry, but also to a specific company in a certain country.
TI&A takes an adversary-centric approach to threat protection. The idea behind the system is that it hunts not only for threats, but also for the adversaries behind them. The data lakes operated by the system help quickly link attacks to specific groups or even individuals.
TI&A helps promptly analyze and attribute threats that a company faces, detect leaks, insiders and compromised user accounts. Moreover, it identifies insiders who sell company data on underground resources and detects and thwarts attacks targeting companies and their customers regardless of industry.
The launch of TI&A on the market provides access to Group-IB’s internal tools, which were previously used only by Group-IB’s DFIR, threat hunting, and cyber threat intelligence teams.
Every specialist who uses TI&A now has access to the largest collection of dark web data, an advanced hacker group profiling model, and a fully automated graph analysis tool that helps correlate data and attribute threats to specific criminal groups in seconds.
As such, TI&A makes it possible to detect attacks overlooked by common cyber defense tools. It helps understand how advanced adversaries behave and whether the protected infrastructure can counteract them. This approach helps motivate and improve internal cybersecurity teams as well as enhance their capabilities through an in-depth insight into threats targeting their organizations.
TI&A is a complex engineering system developed by Group-IB and integrated into a smart technological ecosystem that is capable of automatically halting targeted attacks on organization. The ecosystem provides security teams with tools for linking individual events, attributing threats, analyzing malicious code, and instantly responding to cyber incidents.
Group-IB has presented a report which examines key shifts in the cybercrime world internationally between H2 2019 and H1 2020 and gives forecasts for the coming year. The most severe financial damage has occurred as a result of ransomware activity.
The past year — a harrowing period for the world economy — culminated in the spike of cybercrime. It was also marked by the rise of the underground market for selling access to corporate networks and an over two-fold growth of the carding market. The stand-off between various pro-government hacker groups saw new players come onto the scene, while some previously known groups resumed their operations.
The report examines various aspects of cybercrime industry operations and predicts changes to the threat landscape for various sectors, namely the financial industry, telecommunications, retail, manufacturing, and the energy sector. The authors also analyze campaigns targeting critical infrastructure facilities, which are an increasingly frequent target of intelligence services worldwide.
Forecasts and recommendations set out seek to prevent financial damage and manufacturing downtimes. Its purpose is also to help companies adopt preventive measures for counteracting targeted attacks, cyber espionage, and cyberterrorist operations.
The cost of ransomware
Late 2019 and all of 2020 were marked by an unprecedented surge in ransomware attacks. Neither private sector companies nor government agencies turned out to be immune to the ransomware plague.
Over the reporting period, more than 500 successful ransomware attacks in more than 45 countries were reported. Since attackers are motivated by financial gain alone, any company regardless of size and industry could fall victim to ransomware attacks.
Meanwhile, if the necessary technical toolsets and data restoring capabilities are not in place, ransomware attacks could not only cause downtime in manufacturing but also bring operations to a standstill.
According to conservative estimates, the total financial damage from ransomware operations amounted to over $1 billion ($1,005,186,000), but the actual damage is likely to be much higher. Victims often remain silent about incidents and pay ransoms quietly, while attackers do not always publish data from compromised networks.
A major ransomware outbreak was detected in the United States, with the country accounting for about 60% of all known incidents. The US is followed by European countries (mainly the UK, France, and Germany), which together make up roughly 20% of all ransomware attacks.
Countries of North and South America (excluding the US) are at 10% and Asian states are at 7%. The top five most frequently attacked industries include manufacturing (94 victims), retail (51 victims), state agencies (39 victims), healthcare (38 victims), and construction (30 victims).
Maze and REvil are considered to have the largest appetite: the operators of these two strains are believed to be behind more than half of all successful attacks. Ryuk, NetWalker, and DoppelPaymer come second.
The ransomware pandemic was triggered by an active development of private and public affiliate programs that bring together ransomware operators and cybercriminals involved in compromising corporate networks.
Another reason for an increase in ransomware attacks is that traditional security solutions, still widely used by a lot of companies on the market, very often fail to detect and block ransomware activity at early stages.
Ransomware operators buy access and then encrypt devices on the network. After receiving the ransom from the victim, they pay a fixed rate to their partners under the affiliate program.
The main ways to gain access to corporate networks include brute-force attacks on remote access interfaces (RDP, SSH, VPN), malware (e.g., downloaders), and new types of botnets (brute-force botnets). The latter are used for distributed brute-force attacks from a large number of infected devices, including servers.
In late 2019, ransomware operators adopted a new technique. They began downloading all the information from victim organizations and then blackmailed them to increase the chances of the ransom being paid.
Maze (who allegedly called it quits not long ago) pioneered the tactic of publishing sensitive data as leverage to extort money. If a victim refuses to pay the ransom, they risk not only losing all their data but also having it leaked. In June 2020, REvil started auctioning stolen data.
Seven new APT groups joined the global intelligence service stand-off
Military operations conducted by various intelligence services are becoming increasingly common. A continuing trend was identified, where physical destruction of infrastructure is replacing espionage. Attacker toolkits are being updated with instruments intended for attacks on air-gapped networks.
The nuclear industry is turning into the number one target for state-sponsored threat actors. Unlike the previous reporting period, during which no attacks were observed, the current one was marked by attacks on nuclear energy facilities in Iran and India.
A blatant attack was attempted in Israel, where threat actors gained access to some of Israel’s water treatment systems and tried altering water chlorine levels. Had it been successful, the attack would have led to water shortages or even civilian casualties.
State-sponsored APT groups are not losing interest in the telecommunications sector. Over the review period, it was targeted by at least 11 groups affiliated with intelligence services. Threat actors’ main goals remain spying on telecommunications operators or attempts to disable infrastructure.
Threat actors have also set a new record in DDoS attack power: 2.3 Tb per second and 809 million packets per second. BGP hijacking and route leaks remain a serious problem as well. Over the past year, nine significant cases have been made public.
Most state-sponsored threat actors originate from China (23), followed by Iran (8 APT groups), North Korea and Russia (4 APT groups each), India (3), and Pakistan and Gaza (2 each). South Korea, Turkey, and Vietnam are reported to have only one APT group each.
According to data analyzed, Asia-Pacific became the most actively attacked region by state-sponsored threat actors. A total of 34 campaigns were carried out in this region, and APT groups from China, North Korea, Iran, and Pakistan were the most active.
At least 22 campaigns were recorded on the European continent, with attacks carried out by APT groups from China, Pakistan, Russia, and Iran. Middle East and Africa were the scene of 18 campaigns conducted by pro-government attackers from Iran, Pakistan, Turkey, China, and Gaza.
Cybersecurity researchers have also detected seven previously unknown APT groups, namely Tortoiseshell (Iran),Poison Carp (China), Higaisa (South Korea), AVIVORE (China), Nuo Chong Lions (Saudi Arabia), as well as Chimera and WildPressure, whose geographical affiliation remains unknown. In addition, six known groups that remained unnoticed in recent years resumed their operations.
Sales of access to compromised corporate networks grow four-fold
Sales of access to compromised corporate networks have been increasing from year to year and peaked in 2020. It is difficult to assess the size of the market for selling access, however, as offers published on underground forums often do not include the price, while some deals are cut in private.
Nevertheless, technologies for monitoring underground forums (which make it possible to see deleted and hidden posts) helped the experts assess the total market size for access sold in the review period (H2 2019 to H1 2020): $6.2 million. This is a four-fold increase compared to the previous review period (H2 2018 to H1 2019), when it totaled $1.6 million.
Surprisingly, state-sponsored attackers joined this segment of the cybercriminal market seeking additional revenue. As such, in the summer of 2020, on an underground forum a seller offered access to several networks, including some belonging to US government departments, defense contractors (Airbus, Boeing, etc.), IT giants, and media companies. The cost of the access to the companies listed was close to $5 million.
In H1 2020 alone, 277 offers of access to corporate networks were put up for sale on underground forums. The number of sellers has also grown. During that period, 63 sellers were active, and 52 of them began selling access in 2020.
For comparison, during all of 2018, only 37 access sellers were active, while in 2019 there were 50 sellers who offered access to 130 corporate networks. In total, the sales of corporate network access grew by 162% compared to the previous period (138 offers against 362).
After analyzing offers of access to corporate networks, experts found correlations with ransomware attacks: most threat actors offered access to US companies (27%), while manufacturing was the most frequently attacked industry in 2019 (10.5%). In 2020, access to state agency networks (10.5%), educational institutions (10.5%), and IT companies (9%) was high in demand.
It should be noted that sellers of access to corporate networks increasingly rarely mention company names, their geographical location and industry, which makes it almost impossible to identify the victim without contacting the attackers.
Selling access to a company’s network is usually only one stage of the attack: the privileges gained might be used for both launching ransomware and stealing data, with the aim of later selling it on underground forums or spying.
Market of stolen credit card data reached almost $2 billion
Over the review period, the carding market grew by 116%, from $880 million to $1.9 billion. The quick growth applies to both textual data (bank card numbers, expiration dates, holder names, addresses, CVVs) and dumps (magnetic stripe data). The amount of textual data offered for sale increased by 133%, from 12.5 to 28.3 million cards, while dumps surged by 55%, from 41 to 63.7 million. The maximum price for card textual data is $150 and $500 for a dump.
Dumps are mainly obtained by infecting computers with connected POS terminals with special Trojans and thereby collecting data from random-access memory. Over the review period, 14 Trojans used for collecting dumps were found to be active.
Cybercriminals seek to obtain data relating to credit and debit cards issued by US banks: these account for over 92% of all compromised bank cards. Bank card data of bank customers in India and South Korea are the second and third most desirable targets for cybercriminals. Over the review period, the total price of all the bank card dumps offered for sale amounted to $1.5 billion, while textual data – to $361.7 million.
Textual data is collected through phishing websites and PC/Android banking Trojans, by compromising e-commerce websites, and by using JS sniffers. The latter were one of the main instruments for stealing large amounts of payment data over the past year. JS sniffers also became more popular in light of the trend of reselling access to various websites and organizations on underground forums.
Group-IB is currently monitoring the activities of 96 JS sniffer families. This is a 2.5-fold increase compared to the previous reporting period, during which there were 38 families on the company’s radar. According to the findings, over the past year nearly 460,000 bank cards were compromised using JS sniffers.
The threat of bank card data leaks is most acute for retail companies that have online sales channels, e-commerce companies that offer goods and services online, and banks that unwittingly become involved in incidents.
The main scenarios for illegally harvesting bank card data and most frequently attacked countries (the United States, India, South Korea) will remain the same. Latin America might become an increasingly attractive target for carders since it already has mature hacker community experienced in using Trojans for this purpose.
Phishing grows by 118%
Between H2 2019 and H1 2020, the number of phishing web resources found and blocked rose by 118% compared to the previous reporting period. Analysts mention the global pandemic and lockdowns as the main reasons: web-phishing, which is one of the simplest ways to earn money in the cybercriminal industry, attracted those who lost their incomes.
The increased demand for online purchases created a favorable environment for phishers. They quickly adapted to this trend and began carrying out phishing attacks on services and individual brands that previously did not have much financial appeal to them.
Scammers also changed their tactics. In previous years, attackers ended their campaigns after fraudulent websites were taken down and quickly switched to other brands. Today, they are automating their attacks instead and replacing the blocked pages with new ones.
Since the start of the year, there has been a rise in advanced social engineering, namely when multi-stage scenarios are used in phishing attacks. As part of such increasingly popular phishing schemes, threat actors first stake out the victim. They establish contact with the targeted individual (e.g., through a messenger), create an atmosphere of trust, and only then do they direct the victim to a phishing page.
One-time links turned out to be another phishing trend of the past year. After a user receives a link and clicks on it at least once, it will not be possible to obtain the same content again in order to collect evidence. This significantly complicates the process of taking down phishing resources.
Most web-phishing pages mimicked online services (39.6%). Phishers in particular gathered login credentials from user accounts on Microsoft, Netflix, Amazon, eBay, Valve Steam, etc. Online services were followed by email service providers (15.6%), financial organizations (15%), cloud storage systems (14.5%), payment services (6.6%), and bookmakers (2.2%).
Group-IB has discovered that QakBot (aka Qbot) operators have abandoned ProLock for Egregor ransomware. Egregor has been actively distributed since September 2020 and has so far hit at least 69 big companies in 16 countries. The biggest ransom demand detected by Group-IB team has been at $4 million worth of BTC.
During recent incident response engagements Group-IB DFIR (Digital Forensics and Incident Response) team has noticed a significant change in QakBot operators’ tactics, the gang started to deploy a new Egregor ransomware family.
This ransomware strain emerged in September 2020, but the threat actors behind already managed to lock quite big companies, such as game developers Crytek, booksellers Barnes & Noble, and most recently a retail giant Cencosud from Chile.
ProLock = Egregor
The analysis of attacks where Egregor has been deployed revealed that the TTPs used by the threat actors are almost identical to the ones used by the ProLock operators, whose campaigns have been described in Group-IB blog post in May.
First, the initial access is always gained via QakBot delivered through malicious Microsoft Excel documents impersonating DocuSign-encrypted spreadsheets. Moreover, Egregor operators have been using Rclone for data exfiltration – same as with ProLock.
Same tools and naming convention have been used as well, for example md.exe, rdp.bat, svchost.exe. Hence, all of the above considered, Group-IB experts assess it’s very likely that QakBot operators have switched from ProLock to Egregor ransomware.
Geography and victims
The gang behind Egregor followed in Maze’s footsteps, who called it quits not long ago. Egregor operators leverage the intimidation tactics, they threaten to release sensitive info on the leak site they operate instead of just encrypting compromised networks. The biggest ransom demand registered by the Group-IB team so far was at $4 million worth of BTC.
In less than 3 months Egregor operators have managed to successfully hit 69 companies around the world with 32 targets in the US, 7 victims in France and Italy each, 6 in Germany, and 4 in the UK. Other victims happened to be from the APAC, the Middle East, and Latin America. Egregor’s favorite sectors are Manufacturing (28.9% of victims) and Retail (14.5%).
While TTP’s of Egregor operators are almost identical to that of ProLock, the analysis of Egregor ransomware sample obtained during a recent incident response engagement revealed that the executable code of Egregor is very similar to Sekhmet. The two strains share some core features, use similar obfuscation technique.
Egregor source code bears similarities with Maze ransomware as well. The decryption of the final payload is based on the command-line provided password, so it is impossible to analyze Egregor if you don’t have command-line arguments provided by the attacker. Egregor operators use the combination of ChaCha8 stream cipher and RSA-2048 for file encryption.
“At the same time, we see that these methods are still very effective and allow threat actors to compromise quite big companies with high success rate. It’s important to note, that the fact many Maze partners started to move to Egregor will most likely result in the shift in TTPs, so defenders should focus on known methods associated with Maze affiliates”.
Group-IB launches Fraud Hunting Platform, a digital identity protection and fraud prevention solution
In H1 2020, Group-IB’s Fraud Hunting Platform shielded banking and eCommerce portals in Europe and Asia from bot activities, malware, and social engineering attacks and saved them roughly $140 million.
Malware attacks, social engineering and bot activity are the top 3 threats for users of eCommerce and banking portals, based on the analysis of dozens of millions of user sessions around the world over the same period.
To combat these 3 categories of threats, companies deploy a range of scattered security solutions that significantly degrade user experience. Fraud Hunting Platform becomes an integrated solution that will play a key role in protecting users. It is the successor to Group-IB’s Secure Bank/Secure Portal product line, which Group-IB has been developing since 2013.
During the presentation of Fraud Hunting Platform, streamed from the recently opened Europe HQ in Amsterdam, Group-IB also announced the launch of its new module called Preventive Proxy, designed to fight against bad bots disrupting eCommerce, online banking, and government portals. According to Group-IB’s estimates, malicious bots account for around 30% of Internet traffic.
Digital identity’s own ID
Group-IB’s Fraud Hunting Platform analyzes each session and examines user behavior (keystrokes, mouse movements, etc.) in web and in mobile channels in real-time. Based on user behavioral data and machine learning algorithms, the system creates a unique digital fingerprint for devices and identities.
Just like a facial recognition authentication, the system correlates and matches user behavior with their devices, which helps distinguish between legitimate actions and malicious activity even if the criminals have gained access to a user’s smartphone or payment information.
Using these unique data, the technology called “Global ID” marks devices across online resources globally where the Fraud Hunting Platform is running and allows to identify fraudsters at early stages.
Moreover, thanks to the company’s unified ecosystems of Group-IB products, Fraud Hunting Platform uses relevant Threat Intelligence data, which helps detect hidden threats and suspicious connections, speed up investigations, and identify specific individuals involved in incidents.
Unlike Secure Bank/Secure Portal, the Fraud Hunting Platform is used not only to simply detect and prevent fraud but also to investigate thefts and hunt criminals and their infrastructure.
“We are delighted to introduce Fraud Hunting Platform to market. The solution operates in a high-load mode, protecting 130 million users of web resources and mobile apps while blocking related malicious activity,” commented Dmitry Volkov, Group-IB CTO.
“The new system evolved from Group-IB’s range of online fraud protection products. It is high-performance and easy to integrate, and it uses patented technologies to detect attacks at early stages. Fraud Hunting Platform’s global mission is to protect user digital identity while hunting for threats and the adversaries behind them.”
Good bad bots
The newly released Preventive Proxy is designed specifically for eCommerce companies and financial organizations offering products and services online. As a module of Fraud Hunting Platform, Preventive Proxy distinguishes “good” bots (for automated web app testing for example) from “bad” bots leveraged by cybercriminals to attack company websites, web and mobile applications in a number of different ways.
Group-IB estimates that legitimate bots account for about 20% of all Internet traffic, while malicious ones make up 30%. The goal of Preventive Proxy is to protect websites, mobile apps, and their users against criminals hacking into personal accounts, collecting personal data, scraping website content protected by copyright law, and attacking mobile APIs and using them without authorization.
While there are automated bots that snatch best deals and win giveaways, there are also smart and dangerous ones that break into your online accounts, steal users’ payment and personal data, and abuse API while imitating human behavior.
The analysis of dozens of millions of user sessions in banks and eCommerce portals around the world revealed that Selenium, PhantomJS, and Headless Chrome are the three most frequently used tools in bot attacks that cybercriminals use to imitate user actions for credential stuffing or brute force purposes.
The fact all three are legitimate instruments makes it hard for traditional fraud detection solutions to spot them. Preventive Proxy offers smart protection against all types of bot attacks and can be either deployed in web or mobile app infrastructure or used through Group-IB’s cloud.
“Smart” bot protection also uses behavioral analysis algorithms to detect malicious bot activity. Preventive Proxy examines user behavior to assess whether a human being or a bot is performing a given action in the network. In addition, the solution collects browser, app, and device parameters, preventing the real user session from being re-used by malicious bots. Preventive Proxy does not block requests from trusted sources or legitimate bots.
Group-IB reports that up to 60% of bad bot activity is attributed to credential stuffing (attacks leveraging stolen credentials). The share of web scraping attacks (i.e. using bots to extract content and data from website pages) is 30%. The remaining 10% covers other types of fraud involving bots.
Today’s Internet is a hectic place. A lot of different web technologies and services are “glued together” and help users shop online, watch the newest movies, or stream the newest hits while jogging. But these (paid) services are also constantly threatened by attackers – and no company, no matter how big, is completely immune. Take the recent Twitter compromise as an example: the attackers hijacked a number of influential Twitter accounts, including those belonging to … More
Group-IB’s Threat Hunting and Intelligence conference, CyberCrimeCon, will for the first time dive online to literally remove the borders and bring together over 2,000 cybersecurity experts from all around the world.
As cybercrime rate is skyrocketing year after year and tensions between states are escalating, including in cyberspace, Group-IB provides a platform for universal dialogue, in which cybersecurity thought leaders, ideologists and practitioners exchange data and make public outcomes of their research work.
The eighth edition of the iconic event, held on November 25-26, will traditionally unite cybersecurity professionals from the financial and tech sectors, retail and industrial giants, as well as law enforcement agencies and will, in addition to two major streams — analytical and technological, contain a Threat Hunting Game. The conference’s speaker lineup includes representatives of Europol EC3, leading banks, FMCG companies, and independent researchers.
CyberCrimeCon 2020 will focus on the analysis of hacker attacks, the detailed examination of threat actors’ TTPs as well as instruments to compromise organizations all around the world and will reveal previously unknown cybercrime investigations and international operations to fight digital crime. The event will also look at the ongoing ransomware “plague,” the key trends of the underground carding market and will provide an overview of the underground forums that sell access to compromised corporate networks.
One of the conference’s highlights will be the presentation of Group-IB’s almanac revealing key cybercrime tendencies — Hi-Tech Crime Trends report, which for years has been serving as a roadman for businesses in telecoms, energy, financial, and retail industries in developing their information security strategies.
On top of it, as part of CyberCrimeCon 2020, Group-IB will reveal the results of the company’s 17-year-long evolution in the development of highly sophisticated products for investigating cybercrime and hunting for threat actors. Group-IB has united its complex engineering solutions into a smart technological ecosystem, which is capable of preventing targeted attacks in an automated mode. It also provides corporate security teams with instruments for correlating separate events as part of a single attack, attributing threats, analyzing malware and responding to an incident promptly.
The main conference days, will be followed by a Threat Hunting Game on November 27, during which registered participants will get access to Group-IB Threat Hunting Framework and will be tasked with individual challenges that will test their skills in analyzing malware and network traffic, handling alerts, and hunting for threats.
Group-IB has opened the doors of its European headquarters in Amsterdam, which will serve as a central hub for the company’s research into the European threat landscape.
Having been operating on the continent for years, the company now formalizes its operations by inaugurating its new HQ that will be consolidating and maturing the expertise gathered in cyber investigations, incident response and threat hunting activities across the region under one roof.
The Amsterdam office, located at Prinsengracht 919 (1017 KD Amsterdam), is set to intensify the strong European cyber threat knowledge Group-IB had previously, broaden the company’s global threat hunting infrastructure and strengthen the on-the-ground support for the company’s customer base in the region, which, among others, includes major banks of the Netherlands.
In the spirit of its global strategy to develop a distributed international network of autonomous cybersecurity centers with a deep grasp of the local cybersecurity environment, the initial team that settled in Amsterdam includes the representatives of Group-IB’s key business units.
These are Сyber Investigation, Digital Forensics, Incident Response, Security Assessment, Anti-Piracy and Brand Protection teams, paired with frontline Threat Intelligence analysts who honed their skills in studying the most notorious threat actors targeting companies across the globe.
The choice of host for the European HQ comes as no surprise: the Netherlands, which is home to Europol, the Hague Security Delta, NATO Cyber Security Agency, and European Network for Cyber Security, has been one of the key players of the European cybersecurity world.
According to Group-IB experts, the exodus of global tech and financial companies from London to Amsterdam is likely to escalate the city’s attractiveness in the eyes of cybercriminals, which will inevitably lead to the increase of the number of cyberattacks there.
According to Group-IB Hi-Tech Crime Trends 2019/2020 report, the Netherlands is one of the rare victims of banking botnets, including infamous Dridex, Qbot and Trickbot. Europe in general provides a far more diverse threat landscape, being a target of at least 16 APT groups, numerous ransomware operators and online scammers.
The above determines the density of cyberspace in the area, which, to be protected duly, requires thorough exploration. Thus, the short-term objective of the Amsterdam team will be the in-depth examination of the local cybercrime with the ultimate goal of rendering a strong regional angle to Group-IB products and solutions and creating a map of online threats menacing this specific district. Group-IB also plans to cooperate closely with law enforcement locally in order to disrupt cybercrime for the European region and build resiliency.
“Banks in the Netherlands and financial organizations in Europe were among our first customers to purchase Group-IB attribution-based Threat Intelligence, which indicates the market’s high level of maturity,” comments Group-IB CEO and founder Ilya Sachkov.
“Our team is scattered around the continent being on guard of our clients in France, Germany, Italy, Spain, the United Kingdom, and other states. We were consistent in our development on the European market and today have the expertise to scale up the installations of our products and to continue aiding European companies in fighting cybercrime, now being close by when needed.
“Without even officially announcing our Amsterdam office opening, we received several cooperation requests from our potential partners. Our short term goal in the region is the active recruitment of cybersecurity experts. We’ll be using this challenging time to capture the opportunities. Thanks for a warm welcome and stay safe!”
The Amsterdam team plans to strengthen its expertise not only in depth but also in width by actively engaging local talents, with cyber investigation and threat intelligence experts being in the focus of the current recruitment policy in the region.
The close cooperation with European universities is yet another dimension of this mission, with Group-IB seeking to provide gifted youngsters with a chance to try their hand on the forefront of the modern cyberwarfare by taking an internship at the company that has been fighting online crime worldwide for nearly two decades.
Group-IB has already tried its hand in the educational activities in the country and trained corporate security teams of banks in the Netherlands as well as local law enforcement, including those employed with EC3.
It is planned that the collaboration with universities in the region will give an impetus to Group-IB’s initiative for fostering so-called future professions. Its main idea is to fill the gap between the enduring educational programs and the constantly evolving needs of the cybersecurity labor market by grooming professionals with a foundational skill-set allowing them to jump-start their cybersecurity careers.
Group-IB leadership has stated on numerous occasions that they cannot fully rely on the academic knowledge only and have been actively investing resources in newcomers. Given the above, Group-IB has been actively developing its partnership network with universities to provide young talents with internship opportunities.
“Instead of uniting people with the same profession, Group-IB unites people with the same mindset,” comments Sergey Lupanin, the Group-IB Chief Operating Officer, European HQ.
“Intolerance toward cybercrime lies at the core of our company, and it is not always easy to find people of like mind. That is why we grab every chance to find people with this sense of social responsibility and spare no effort to share our knowledge with them. In Europe, we see many opportunities to find those who will embrace our global mission to make the world a cyber safer place to live in.”
As part of its regional engagements, Group-IB plans to occupy itself with pro bono activities facilitating the access of socially important facilities in the region, like hospitals, charities, and educational organizations, to proactive cybersecurity solutions to enhance the resiliency in the region.
Ransomware, the headliner of the previous half-year, walked off stage: only 1 percent of emails analyzed contained this kind of malware. Every third email, meanwhile, contained spyware, which is used by threat actors to steal payment data or other sensitive info to then put it on sale in the darknet or blackmail its owner.
Downloaders, intended for the installation of additional malware, and backdoors, granting cybercriminals remote access to victims’ computers, also made it to top-3. They are followed by banking Trojans, whose share in the total amount of malicious attachments showed growth for the first time in a while.
Opened email lets spy in
According to the data, in H1 2020, 43 percent of the malicious mails on the radars of Group-IB Threat Detection System had attachments with spyware or links leading to their downloading.
Another 17 percent contained downloaders, while backdoors and banking Trojans came third with a 16- and 15-percent shares, respectively. Ransomware, which in the second half of 2019 hid in every second malicious email, almost disappeared from the mailboxes in the first six months of this year with a share of less than 1 percent.
These findings confirm adversaries’ growing interest in Big Game Hunting. Ransomware operators have switched from attacks en masse on individuals to corporate networks. Thus, when attacking large companies, instead of infecting the computer of a separate individual immediately after the compromise, attackers use the infected machine to move laterally in the network, escalate the privileges in the system and distribute ransomware on as many hosts as possible.
Top-10 tools used in attacks were banking Trojan RTM (30%); spyware LOKI PWS (24%), AgentTesla (10%), Hawkeye (5%), and Azorult (1%); and backdoors Formbook (12%), Nanocore (7%), Adwind (3%), Emotet (1%), and Netwire (1%).
The new instruments detected in the first half of the year included Quasar, a remote access tool based on the open source; spyware Gomorrah that extracts login credentials of users from various applications; and 404 Keylogger, a software for harvesting user data that is distributed under malware-as-a-service model.
Almost 70 percent of malicious files were delivered to the victim’s computer with the help of archives, another 18% percent of malicious files were masked as office documents (with .doc, .xls and .pdf file extensions), while 14% more were disguised as executable files and scripts.
In the first six months of 2020, a total of 9 304 phishing web resources were blocked, which is an increase of 9 percent compared to the previous year. The main trend of the observed period was the two-fold surge in the number of resources using safe SSL/TLS connection – their amount grew from 33 percent to 69 percent in just half a year.
This is explained by the cybercriminals’ desire to retain their victim pool – the majority of web browsers label websites without SSL/TLS connection as a priori dangerous, which has a negative impact on the effectiveness of phishing campaigns.
Experts predict that the share of web-phishing with insecure connection will continue to decrease, while websites that do not support SSL/TLS will become an exception.
Just as it was the case in the second half of 2019, in the first half of this year, online services like ecommerce websites turned out to be the main target of web-phishers. In the light of global pandemic and the businesses’ dive into online world, the share of this phishing category increased to remarkable 46 percent.
The attractiveness of online services is explained by the fact that by stealing user login credentials, threat actors also gain access to the data of bank cards linked to user accounts.
Online services are followed by email service providers (24%), whose share, after a decline in 2019, resumed growth in 2020, and financial organizations (11%). Main web-phishing target categories also included payment services, cloud storages, social networks, and dating websites.
The leadership in terms of the number of phishing resources registered has persistently been held by .com domain zone – it accounts for nearly a half (44%) of detected phishing resources in the review period. Other domain zones popular among the phishers included .ru (9%), .br (6%), .net (3%) and .org (2%).
“The beginning of this year was marked by changes in the top of urgent threats that are hiding in malicious emails,” comments CERT-GIB deputy head Yaroslav Kargalev.
“Ransomware operators have focused on targeted attacks, choosing large victims with a higher payment capacity. The precise elaboration of these separate attacks affected the ransomware share in the top threats distributed via email en masse.
“Their place was taken by backdoors and spyware, with the help of which threat actors first steal sensitive information and then blackmail the victim, demanding a ransom, and, in case the demand is refused, releasing the info publicly.
“The ransomware operators’ desire to make a good score is likely to result in the increase of the number of targeted attacks. As email phishing remains the main channel of their distribution, the urgency of securing mail communication is more relevant than ever.”
The lifespan of phishing attacks in H2 2019 has grown considerably and resulted in the tremendous increase in the number of phishing websites blockages, says Group-IB’s Computer Emergency Response Team (CERT-GIB).
Phishers have also revised their target pool and have increasingly been targeting online services and cloud storage providers.
In H2 2019 CERT-GIB blocked a total of 8, 506 phishing web resources, while in H2 2018, the figure stood at 2,567.
This sharp upsurge in the number of blockages stems from the growing duration of phishing attacks: cybercriminals used to stop their fraudulent campaign as soon as their web pages were blocked, quickly mobilizing efforts for attacks on other brands. Today, they no longer dwell on it and continue replacing removed pages with new ones.
“Several years ago, creators of phishing pages were likely to have some technical background, they created phishing pages, putting much effort into the launch of their campaigns, preventing them from being detected and relentlessly supporting their sustainability,” CERT-GIB deputy head Yaroslav Kargalev told Help Net Security.
“This industry has changed its face — those pioneers no longer create phishing pages, they create tools for operators of web phishing campaigns who do not necessarily have any programming skills, and last year became the culmination of this trend. Since this new generation of phishers are not that experienced in maintaining the web resources viable, the phishing community’s focus has shifted toward the number of scam resources.”
According to the figures for the past year, the Top-3 of web phishers’ targets were online services (namely client software, online streaming services, e-commerce, delivery services and etc.) (29,3%), cloud storages (25,4%), and financial organizations (17,6%).
In H2 2019, phishing attack perpetrators have revised their target pool: the number of phishing attacks on cloud storages nearly doubled, while Internet providers have seen the three-fold increase in the number of phishing scams targeting them. Both access to users’ cloud storages and accounts with internet service provider enables the attackers to get much sensitive information like personal and payment data.
This was accompanied by a lower interest to email service providers — the share of attacks on them decreased from 19,9 percent to 5,9 percent — and cryptocurrency projects, which became less attractive to cybercriminals as hype surrounding them started fading away.
Malware delivery: what’s on the menu?
In H2 2019, mail remained the main method of delivering ransomware, spyware, backdoors and other malware, used by cyber crooks in 94 percent of cases.
In the majority of cases — 98 percent — malicious items were delivered as attachments, while only 2 percent of phishing emails contained links pointing to malware. To compare, according to CERT-GIB, in H1 2019, 23 percent of phishing emails had a link in them, which might mean that malicious attachments proved to have a greater “ROI” for scammers.
To bypass corporate security systems in H2 2019, cybercriminals continued to archive their malicious attachments. About 70% of all malicious objects detected were delivered in archive files, mainly in .rar (29%) and .zip (16%) formats. Threat actors included the passwords for accessing the archives’ contents in the subject of the email, the name of the archive, or in their subsequent correspondence with the victim.
In the second half of 2019, ransomware remained the most frequent “stuffing” of phishing emails, accounting for 47 percent of the total number of malicious attachments.
Banking trojans continued losing its popularity and represented only 9 percent of malicious attachments. They, in turn, let spyware and backdoors move ahead and become the second most popular malware with a 35-percent share. The reason behind it might be the expanding functionality of backdoors, which also enables them to steal financial data and replace instruments designed for harvesting banking data only, like banking trojans.
Phishing kits are the new bestsellers of the underground market, with the number of phishing kit ads on underground forums and their sellers having doubled in 2019 compared to the previous year, Group-IB reveals.
The growing demand for phishing kits is also reflected in its price that skyrocketed last year by 149 percent and exceeded $300 per item. Last year, phishing kit creators’ favorite brands were Amazon, Google and Office 365.
Phishing kits represent archive files with a set of scripts that ensure the work of a phishing website. This toolset enables attackers with modest programming skills carry out massive malicious campaigns, which is the reason for why they represent a point of interest for cybersecurity researchers.
The detection of a phishing kit not only helps to discover hundreds or even thousands of phishing pages, but can also serve as a starting point of an investigation to identify the toolkit’s creator and bring them to justice.
Thus the number of phishing kit sellers active on underground forums increased by over 120% in 2019 year-on-year. Relatively the same growth showed the number of online ads posted on such web resources.
The price range
In 2019, the average price of a phishing kit more than doubled compared to the year before and totaled $304, with the prices generally ranging between $20 and $880. In comparison, in 2018, the prices for a phishing kit varied between $10 and $824, while the average price stood at $122.
The price for phishing kits depends on their complexity – the quality and the number of phishing pages, as well as the existence of side services like “technical support” on behalf of their creator.
What is remarkable – some of the phishing kits were offered free of charge, which was explained not by human generosity but likely by backdoors contained in them, which enabled their creators to access all the gathered data.
Detect and neutralize: How to hunt for phishing kits?
The process of phishing kit detection is becoming more and more challenging, with the statistics for the previous year showing a frustrating trend: hackers grow more cautious in their malicious activities since only 113,460 out of 2.7 million phishing pages detected contained a phishing kit.
The cyber crooks normally remove them or resort to various means to hide them and prevent from being detected by cybersecurity researchers.
To collect data, phishing kits normally have a designated email address, to which the illegally harvested info should be sent. One more trend saying in favor of phishing kits’ expanding place on the underground market is the number of unique email addresses detected in them – the figure saw an 8% growth last year. The increased amount of unique email addresses in phishing kits might reflect the rising number of their operators.
To attract more buyers, the developers of phishing kits usually make them targeting well-known brands with large audience – the fact that potentially should facilitate the conduct of fraudulent campaigns for the toolkit future owner.
The brands most commonly found in phishing kits in 2019 were Amazon, Google, Instagram, Office 365, and PayPal. Top 3 “online markets” for trafficking in phishing kits last year were Exploit, OGUsers, and Crimenetwork.
“Phishing kit creators are the driving force of this criminal marketplace – one individual might be behind the creation of hundreds of phishing pages and, even worse, behind the compromise of the personal information of thousands of people,” Group-IB CTO and Head of Threat Hunting Intelligence team Dmitry Volkov said.
“Therefore, the fight against phishing kit creators should be at the core of struggle to eradicate phishing.”
Group-IB is a known quantity in the information security arena: in the sixteen years since its inception, the company – now headquartered in Singapore – has detected and detailed many high-profile threats, performed over a thousand successful investigations across the globe and gained widespread recognition for helping private and public entities and law enforcement worldwide track down and prosecute cybercriminals.
To be able to do that, it has been steadily building an international infrastructure for threat detection, hunting and investigating cybercrime around the world. This infrastructure includes, among other things:
- The largest computer forensics laboratory in Eastern Europe
- An early warning system for proactive cyber defense based on their own threat intelligence, attribution and incident response practices
- A certified emergency response service (CERT-GIB), which is member of the Forum of Incident Response and Security Teams (FIRST) and Trusted Introducer
- Databases containing extensive threat and threat actor information
The company was, at the beginning, mostly a provider of digital forensics and cyber investigation services. In time, though, they realized that the solutions available to organizations were not keeping pace with the ever-morphing threat landscape, so they decided to work on and offer their own.
It all started with the creation of Group-IB Threat Intelligence (TI), an attack attribution and prediction system and service that’s based on data collected from a wide variety of sources (investigations, network sensors, honeypots, OSINT, card shops, and much more), automated information extraction and correlation technologies, and is supported by expert analysts, incident responders and investigators around the world.
It was followed by:
- Group-IB Threat Detection System (TDS) – A threat-actor-centric (instead of malware-centric) detection and proactive threat hunting solution
- Secure Bank – A fraud and attack prevention solution for the financial services industry, which detects threats like account takeovers, credit fraud, malicious web injections, banking trojans, remote access software, social engineering, etc. (keeps more than 100 million banking customers secure by monitoring 16 million online banking sessions every day)
- Secure Portal – A fraud and attack prevention solution for ecommerce websites and online services (prevents account takeovers, identifies fake accounts and blocks bots, fraudulent activities, fraudulent ticket sales, and so on)
- Brand Protection – A service designed to detect and eliminate threats to one’s brand on the Internet (brand abuse, Internet fraud, copyright infringement, counterfeiting)
- Anti-Piracy – intelligence-driven protection of content online
Most of these solutions are powered by Group-IB TI. More recently, though, they gained another thing in common: an integrated Graph Network Analysis system for cybercrime investigations, threat attribution, and detection of phishing and fraud.
Graph Network Analysis
Many threat intelligence solutions have graph-making capabilities and the company has considered a number of graph network analysis providers before finally deciding to develop their own tool for mapping adversary infrastructure, Group-IB CTO and Head of Threat Intelligence Dmitry Volkov told Help Net Security.
None of the considered solutions gathered and used the wide variety of data and historic data Group-IB experts deem crucial for creating a complete picture for better visibility. None of them had the automated graph creation option and were able to reliably identify and exclude irrelevant results. Finally, none allowed operators to specify the ownership timeframe of the entered suspicious domain, IP address, email or SSL certificate fingerprint.
“Domain name and IP addresses change ownership – today they are used by a threat actor, tomorrow by a legitimate company or a random individual, so the timeframe within which the threat actor owned the suspicious domain name or IP address is very important information for the creation of a relevant and accurate graph,” Volkov explained.
The interface of the graph network analysis tool
The user decides how wide they want to cast the net by specifying the number of steps the tool should take when identifying direct links between elements, but the tool’s automated mode builds the graph of the links to the searched element. And, if they switch on the “refine” option, it will automatically remove from the resulting graph all the elements it deems irrelevant.
The graph network analysis tool attributing the search element to a specific threat actor
Analysts and investigators who don’t trust the tool to create a graph that contains all the crucial elements can always turn “refine” off and specify one step to build the graph themselves and then remove irrelevant elements from it.
Though, Volkov pointed out, after performing numerous manual checks and consistently seeing that the tool did a great job when allowed to do it automatically, their own experts have come to trust and prefer that option.
Improving graph accuracy
“The initial goal was just to create a useful tool for our internal analysts, and we didn’t plan to incorporate it in our products. But some of our clients saw how we were using it to do our research in-house and wanted to be able to do the same, so we decided to share it,” Volkov shared.
The company’s developers and experts have been working on the Graph Network Analysis tool for the past few years. The first version was good, but very slow. In time, they managed to improve both the speed and the effectiveness by experimenting with different types of data and different approaches to data enrichment, processing and correlation.
There are still two versions of the tool: a standalone one that’s used by Group-IB’s experts and one that’s incorporated in the company’s products. New features are first added and tested on the former, then incorporated in the latter if they prove useful.
Group-IB is constantly working on enriching the tool with data and designing new algorithms using machine learning to improve the graph’s accuracy.
“All of Group-IB’s products are being constantly fine-tuned thanks to the permanent monitoring of the cyberspace for new threats and our incident response operations and cyber investigations,” Volkov pointed out. “And we’re always analyzing existing solutions on the market, pinpointing their weak spots and shortcomings, thinking of ways to eliminate them and striving to provide the best technologies to our customers.”
The tool’s capabilities
Mapping adversary infrastructure and (hopefully) identifying the threat actor has many advantages for the targeted organization and its customers, but also for other organizations, their customers and, in general, the wider populace.
“The main goal of network graph analysis is to track down projects that cybercriminals carried out in the past — legal and illegal projects that bear similarities, links in their infrastructure, and connections to the infrastructure involved in the incident being investigated,” Volkov explained.
If the users are very lucky and a cybercriminal’s legal project is detected, discovering their real identity becomes simple. If only illegal projects are detected, that goal becomes more difficult to achieve.
But even if the identity of the attacker remains elusive, discovering details about their previous attacks can help pinpoint their preferred tactics, techniques, procedures, tools and malware, and that information can be handy for disrupting ongoing attacks or even preventing those that are yet to be launched (e.g., by identifying attacker infrastructure at the preparation stage).
The tool can be leveraged by SOC/CERT analysts, threat hunters, threat intelligence analysts and digital forensic specialists, and it’s great for improving the speed of incident response, fast cybercrime investigations, proactive phishing and global threat hunting, and pinpointing malicious servers hidden behind proxy services.
It’s also used for IoC enrichment and event correlation (i.e., discovering when certain attacks are linked and are likely different stages of a single multiphase attack).
Group-IB Graph Network Analysis was designed based on indicators of compromise discovered and collected by the company’s cybercrime investigators, incident responders and malware analysts in the last 16 years.
To this have been added or made available through data-sharing agreements and subscriptions many other data sets containing:
- Domain registration data
- DNS records (domain records, files, profiles, tags)
- Service banners (domains, redirections, error codes)
- Service fingerprints on IP addresses (which services are running and which ports are open)
- Hidden registration data (IDs, hosting providers)
- Historic registration data and that related to hosting transfers
- SSL certificate registration data.
They have also made an effort to come up with new methods of extracting data that is not available using ordinary means. “We cannot reveal details for obvious reasons, but in some cases, mistakes made by hackers during domain registration or server configuration help us discover their emails, pseudonyms, or backend addresses,” Volkov said.
An advantage for all threat hunters
The tool queries both the company’s internal databases and external sources of information (e.g., WHOIS, public sandboxes, etc.) and the whole network graph creation happens in mere seconds.
And everybody wins in the scenario where the tool is used by Group-IB’s clients.
“By giving visibility to our clients, we reduce our analysts’ load and get interesting feedback from our clients. When they do the analyses themselves, they may achieve results that are more interesting and relevant to them, and when they share those results with us, we have a better understanding about the threats that target organizations in their industry, sector or geographic region,” Volkov concluded.
“This allows us to tune our research capabilities and detection engines to improve our whole ecosystem and, on a global scale, it improves our detection, prevention and hunting processes for every client.”