Cyber attackers cashing in on ‘hidden’ attack surface

Cyber attackers are cashing in on organisations’ lack of visibility into all online interactions that can involve multiple third parties, a report reveals

There are five main ways cyber attackers are exploiting traditional approaches to cyber security, which typically overlook organisations’ online interactions, according to a report by threat management firm RiskIQ.

“Increased risk of cyber attack and associated consequences like data theft, operational disruption, brand erosion, and employee and customer compromise have become a natural side effect of digital transformation,” the report said.

The report is based on RiskIQ’s repository of internet data collected by its web-crawling infrastructure, focusing on researchers’ mapping of the global internet attack surface over a two-week period to reveal the true extent of the attack surface of an enterprise.

“Today, organisations are responsible for defending their networks all the way to the edges of the internet,” said RiskIQ CEO Lou Manousos. “Bringing the massive scope of an organisation’s attack surface into focus helps frame the challenges faced by organisations in keeping their employees, customers and brand safe.”

RiskIQ said it analyses more than two billion web requests a day, takes in terabytes of passive domain name system (DNS) data, collects millions of security certificates and monitors millions of mobile apps.

As organisations harden their network perimeter and internal defences, attackers are increasingly finding ways to make money by capitalising on weaknesses in online customer and partner interactions, the report showed.

“But there are many companies that still do not have an official external threat programme as part of their security practice,” said Jay Huff, international marketing director at RiskIQ.

“If you look inside, you see people tasked with identity and access management, endpoint security and network security, but they are only dabbling in stuff that is outside the firewall, a decade after the banks started setting up external threat groups.”

Many organisations are still failing to view themselves as an attacker would, said Huff, an approach that sheds new light on the real security issues they need to address.

“The problem has changed because all engagements now are online across web, mobile and social media platforms, which are all used by attackers,” he said.

The report showed there is a wide range of digital assets that are discoverable and exploitable by cyber attackers, underlining that security teams need to look beyond their organisation’s network to consider everything that targets their brand and assets online.

“In today’s world of digital engagement, users sit outside the perimeter, along with an increasing number of exposed corporate digital assets and the majority of malicious actors. As such, companies need to adopt strategies to encompass this change,” the report said.

RiskIQ researchers highlighted five areas, detailed below, to help security teams understand the challenges in keeping the internet a safe environment and broaden their awareness to foster a more informed approach to cyber defence.

1. The global attack surface

The global attack surface is much bigger than most organisations realise, the report said.

RiskIQ observed 3.4 million new domains (nearly 250,000 a day) and 77.2 million new hosts (5.5 million a day) across the internet in a two-week period.

Each of these represents a possible target for threat actors, and the commonality of approach used in modern websites is attractive to attackers because a successful exploit for a vulnerability on one site can be re-used, potentially millions of times.

RiskIQ research showed that during the two-week period covered by the report, 3,390 of the Alexa top 10,000 domains were running at least one potentially vulnerable web component, with more than a million potentially vulnerable web components found overall.

2. Company attack surface

Sometimes hackers know more about an organisation’s attack surface than the organisation itself, the report said.

According to RiskIQ, it typically finds that new customers have 30% more assets than they thought they had, mainly due to shadow IT and mergers and acquisitions.

The security team is frequently in the dark about shadow IT activities and, as a result, cannot bring the associated assets within the scope of the official security programme, the report said, adding that orphaned assets form the Achilles heel of an organisation’s attack surface.

“They are not regularly patched or security tested, and the operating systems, frameworks and third-party applications of which they are comprised can quickly age and become vulnerable to hacking tools,” the report said, noting that mergers and acquisitions often brought with them incomplete and inaccurate lists of public-facing digital assets that further exacerbate the problem.

The RiskIQ research found that there is a large and complex attack surface in the top 30 UK companies, with each organisation having an average of 5,322 hosts, 9,896 dormant websites, 3,846 live websites, 596 websites hosted on Amazon, 67 websites hosted on Azure, 1,766 registered domains, 626 web pages collecting personal information, 120 websites with a potentially critical vulnerability, and 123 test sites.

“When we looked at the FT30 companies, we saw that there are a lot of things that security teams are not aware of, particularly as organisations adopt various cloud-based services, such as AWS [Amazon Web Services] and [Microsoft] Azure. The question organisations need to ask is if that is really as well protected as what organisations have behind their own firewall,” said Fabian Libeau, vice-president for Europe at RiskIQ.

3. Hidden attack surface

Attackers do not have to compromise an organisation’s assets to attack the organisation or its customers, the report said.

Social engineering through impersonation remains a top tactic for threat actors, and impersonating domains, sub-domains, landing pages, websites, mobile apps and social media are all used – sometimes in combination – to trick consumers and employees into giving up credentials and other personal information or installing malware.

In the first three months of 2018, RiskIQ identified 26,671 phishing domains impersonating 299 brands.

“Apart from their own digital assets, organisations must be on the lookout for impersonating or affiliating assets created to target their customers and employees. Early detection and takedown of infringing assets are one of the most effective ways of disrupting targeted campaigns,” the report said.

If an adversary cannot attack an organisation directly, they will look for ways to compromise customers and employees, said Libeau.

“In a recent phish, an attacker created their own version of the bitcoin wallet MyEthernetWallet and distributed it via Signal, showing that attackers are now using a wide variety of channels, not just email, to lure people to fake websites and apps,” he said.  

4. Mobile attack surface

Organisations have so much more to worry about than just Apple and Google Play mobile app stores, the report said.

“There is a large number of secondary and affiliate stores, primarily serving the Android market, which provide an opportunity for malicious actors to compromise legitimate apps and launch fake apps,” the report warned.

RiskIQ discovered 21,948 blacklisted mobile apps across 120 mobile app stores and the open internet.

“Organisations must do more to monitor the app store ecosystem for stores hosting their apps without permission and for apps impersonating their brand. Users should stick to the primary app stores where possible and be vigilant in researching apps they want to download,” the report said.

5. Cryptocurrency miners

Cryptocurrency miners are the latest attack surface compromise, the report said.

“While spyware, ransomware and other forms of malware still proliferate, cyber criminals are augmenting their activities by stealing computer resources,” the report said, adding that RiskIQ found more than 50,000 websites running the Coinhive cryptocurrency mining script.

Across the websites of the top 50 UK companies, RiskIQ found 11 instances of cryptocurrency miners. “Some of the crypto mining scripts we found have been active for more than 160 days, suggesting that organisations are failing to detect them,” the report said.

“This new trend once again underlines the fact that attackers are mainly looking for ways of making money and they are taking advantage of forgotten assets to do it. For example, we found 326 Drupal injections on hosts running Coinhive, suggesting that this is one of the ways sites are being infected,” said Libeau.

Huff said that apart from the latency, power cost, equipment degradation and privacy issues, the rise of illicit cryptocurrency mining – also known as cryptojacking – further underlines the fact that there is a lack of visibility in organisations.

“People don’t know what they are running. If you look at a website from inside, you see one thing, but if you look at it from the outside, you see stuff that people inside the organisation never see because it is not sitting on their site because it is called dynamically.

“The world looks like a different place when you look from the outside in,” he said.
