Extortion, Sale, Reconnaissance, & Impersonation: 4 Ways Your Digital Footprint Enables Attackers

Michael Marriott
July 2, 2019 | 6 Min Read

Whether it’s intellectual property, proprietary code, personal data, or financial information, the goal of information security is to protect those assets. When we focus only on the corporate network, though, we see just a fraction of the places those assets actually live, and that blind spot gives attackers a huge advantage.

When these assets are shared with a growing ecosystem of third parties and cloud services, or hosted on infrastructure-as-a-service, it’s easy to lose track of them. Throw social media, mobile apps, and Shadow IT into the mix, and it’s practically impossible to know where your sensitive assets reside online, never mind manage them.

So why is this even an issue? It’s obviously embarrassing if a security researcher alerts you to the fact that you’re exposing a misconfigured database. It becomes a business issue, however, if that database held personally identifiable information that could leave you on the wrong side of compliance laws. It would be equally bad if the exposed data contained intellectual property that enabled corporate espionage.


In this blog, I want to move beyond non-compliance and corporate espionage and understand how attackers make use of your online footprint.


Extorting and Encrypting

You may well remember the swathes of ransomware attempts against open databases that began in late 2016 and continued into 2017. We wrote a detailed analysis at the time but, in short, several extortion actors accessed thousands of unauthenticated MongoDB installations and replaced their contents with a ransom note, usually containing an email address, a Bitcoin address, and the usual “we have your data” message. In many cases the data had simply been wiped rather than copied, so paying the ransom recovered nothing.

Unfortunately, more than two years later, the problem has endured, and at a larger scale. In a recent piece of research, Too Much Information: The Sequel, Digital Shadows’ Photon Team found that ransomware operators are capitalizing on other kinds of misconfiguration too. Searching publicly accessible SMB, FTP, and rsync services, Photon discovered that over 17 million files on these online file stores, which are often used for backing up data, had been encrypted by ransomware.

One variant in particular caught our eye: NamPoHyu. Discovered in April 2019 as an update to the MegaLocker variant, it targets systems a little differently from traditional ransomware. Rather than being delivered to an endpoint, it runs from the attacker’s side, brute-forcing its way into Internet-exposed Samba servers and encrypting the shares remotely, so there is no malware on the victim host to detect. Over 2 million files had been encrypted with the .nampohyu file extension, beginning around the first week of April 2019.
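Before a share-encrypting crew or a data thief finds an exposed SMB service, it is worth knowing what your own Samba configuration allows an unauthenticated client to do. The following audit script is an added example, not code from Digital Shadows or from the research cited above. It parses an smb.conf (the constructed sample below is hypothetical) and flags shares that guests can read or, worse, write to, plus the global settings that make guest access easier to reach. It checks configuration-level exposure only; NamPoHyu’s brute-forcing of weak credentials is a password-policy and lockout problem that no config parser will catch.

```python
"""Audit an smb.conf for shares an unauthenticated (guest) client can read or write.

Anonymous-writable shares are the exposure share-encrypting ransomware needs;
anonymous-readable ones are the exposure data-theft-and-sale needs.
"""
import configparser
from typing import Dict, List, Optional

# Constructed sample (hypothetical): a backup host with one share left open to guests.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = backup server
   security = user
   map to guest = Bad User

[backups]
   path = /srv/backups
   comment = nightly database dumps
   guest ok = yes
   read only = no

[finance]
   path = /srv/finance
   valid users = @finance
   writable = yes

[public]
   path = /srv/public
   public = yes
   read only = yes
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    # smb.conf is INI-like. Strip indentation so configparser does not treat indented
    # lines as value continuations, and allow repeated keys (Samba: last one wins).
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    cp.read_string(flat)
    return cp


def setting(cp: configparser.ConfigParser, share: str, key: str) -> Optional[str]:
    """Share-level value, else the [global] default, else None (Samba default applies)."""
    for section in (share, "global"):
        if cp.has_option(section, key):
            return cp.get(section, key).strip().lower()
    return None


def guest_allowed(cp: configparser.ConfigParser, share: str) -> bool:
    # 'public' is Samba's synonym for 'guest ok'; both default to no.
    for key in ("guest ok", "public"):
        value = setting(cp, share, key)
        if value is not None:
            return value in TRUE_VALUES
    return False


def writable(cp: configparser.ConfigParser, share: str) -> bool:
    # 'writable'/'writeable' are inverted synonyms of 'read only', whose default is yes.
    for key in ("writable", "writeable"):
        value = setting(cp, share, key)
        if value is not None:
            return value in TRUE_VALUES
    read_only = setting(cp, share, "read only")
    return read_only is not None and read_only not in TRUE_VALUES


def audit(text: str) -> Dict[str, List[str]]:
    """Return findings keyed by section name; an empty dict means nothing to report."""
    cp = parse_smb_conf(text)
    findings: Dict[str, List[str]] = {}

    global_notes = []
    if cp.get("global", "security", fallback="user").strip().lower() == "share":
        global_notes.append("SHARE-SECURITY: deprecated share-level security, no per-user authentication")
    if cp.get("global", "map to guest", fallback="never").strip().lower() in ("bad user", "bad password"):
        global_notes.append("MAP-TO-GUEST: unknown or mistyped logins are silently mapped to the guest account")
    if global_notes:
        findings["global"] = global_notes

    for share in cp.sections():
        if share.lower() == "global":
            continue
        notes = []
        if guest_allowed(cp, share):
            if writable(cp, share):
                notes.append("ANON-WRITE: guests can modify files, so share-encrypting ransomware needs no credentials")
            else:
                notes.append("ANON-READ: guests can copy everything on the share")
            if setting(cp, share, "hosts allow") is None:
                notes.append("NO-HOSTS-ALLOW: guest share is not restricted to an address range")
        if notes:
            findings[share] = notes
    return findings


if __name__ == "__main__":
    for section, notes in audit(SAMPLE_SMB_CONF).items():
        for note in notes:
            print(f"[{section}] {note}")
```

On the sample, `backups` is the finding that matters: guest access plus `read only = no` means anyone who can reach port 445 can overwrite the nightly dumps. Setting `guest ok = no` on that share and `map to guest = Never` globally (and adding a `hosts allow` range) brings the report down to nothing.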


Fig 1: NamPoHyu ransomware message


Selling Exposed Data

If a cybercriminal stumbles across a database of sensitive data, extorting the responsible party might not be the most effective way to monetize it. Where the data is intellectual property, patent applications, or other commercially sensitive material, selling it to an interested buyer may pay better.

The opportunities are certainly there for this to happen more often. In previous Digital Shadows research, we discovered a host of intellectual property that a cybercriminal could sell on to the highest bidder. In Figure 2, the entire source code of a technology company’s new app was publicly available. With 2.3 billion files exposed through misconfigurations, we are making life considerably easier for attackers.



Fig 2: A finding from Digital Shadows’ previous research: the introductory page of a copyright application containing the source code for a company’s app.


There are several examples of this happening, and it’s likely under-reported. Before opting to extort its victims, the group known as thedarkoverlord sought to sell healthcare databases on dark web marketplaces. While thedarkoverlord’s exact tactics remain unconfirmed, several reports pointed to the exploitation of Remote Desktop Protocol (RDP) access as the way in.

More recently, when a Reaper drone manual was offered for sale on the dark web in June 2018, the vendor had acquired the data from a misconfigured FTP server. The cybercriminal didn’t need to compromise anything: the information was already accessible to anyone who looked.


Reconnaissance and Information Gathering

A good deal of exposed data is not immediately easy to monetize. However, social media, code-sharing sites, and other sources reveal a wealth of personal, technical, or organizational information that’s incredibly useful for adversaries looking to gather information as part of the reconnaissance stage of their campaigns.

For those of you unfamiliar with MITRE ATT&CK, it is a great way to create a common language for describing attacker behavior. (If you are interested, check out our blog series on MITRE ATT&CK.) A newer addition to the framework is MITRE PRE-ATT&CK, which covers the stage before an intrusion takes place, where attackers gather the information they need about the target and its weaknesses. This routinely includes information exposed on social media and technical details inadvertently shared on code-sharing sites, such as credentials, internal hostnames, and staff contact details. The attacks attributed to the offensive cyber contractor “Rana Institute” nicely demonstrate how these two stages combine, and the types of information threat actors seek during reconnaissance.
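To see what an adversary in the PRE-ATT&CK stage would harvest from your public repositories, run the same kind of pattern search they do. The scanner below is an added example written for this post, not code from Digital Shadows or MITRE; the sample file it scans is constructed, and the AWS key ID in it is the placeholder value AWS publishes in its own documentation, not a live credential. It reports cloud key IDs, private key blocks, hard-coded passwords, internal hostnames, and staff email addresses, and can redact them before a file is committed.

```python
"""Find the technical details an adversary harvests from public code repositories during
reconnaissance: cloud key IDs, private keys, hard-coded passwords, internal hostnames,
and staff e-mail addresses. Constructed sample data; the AWS key ID is AWS's documented
placeholder (AKIAIOSFODNN7EXAMPLE), not a real key."""
import re
from typing import Dict, List, Pattern, Tuple

# Constructed sample: a deployment config of the kind that gets pushed to a public repo.
SAMPLE_FILE = """\
# deploy settings
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_host = pg-primary.corp.examplebank.internal
db_password = Summer2019!
owner = j.smith@examplebank.com
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAxxxx (key body omitted in this constructed sample)
-----END RSA PRIVATE KEY-----
log_level = info
"""

# Category name and the pattern that detects it. Order matters for redaction.
PATTERNS: List[Tuple[str, Pattern]] = [
    # AWS access key IDs start with AKIA (long-term) or ASIA (temporary) + 16 chars.
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    # No leading \b: keys such as db_password or client_secret must still match.
    ("hardcoded-password", re.compile(r"(?:password|passwd|pwd|secret)\s*[=:]\s*\S+", re.I)),
    # Hostnames under suffixes that never resolve on the public Internet.
    ("internal-hostname", re.compile(r"\b[a-z0-9][a-z0-9.-]*\.(?:internal|corp|local|lan|intranet)\b", re.I)),
    ("email-address", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
]


def scan(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, category, matched text) for every hit, in file order."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, pattern in PATTERNS:
            for match in pattern.finditer(line):
                hits.append((lineno, category, match.group(0)))
    return hits


def by_category(hits: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Count hits per category, e.g. for a dashboard or a pre-commit threshold."""
    counts: Dict[str, int] = {}
    for _, category, _ in hits:
        counts[category] = counts.get(category, 0) + 1
    return counts


def redact(text: str) -> str:
    """Replace every hit with a category marker so the file can be shared safely."""
    for category, pattern in PATTERNS:
        text = pattern.sub(f"[REDACTED:{category}]", text)
    return text


if __name__ == "__main__":
    for lineno, category, matched in scan(SAMPLE_FILE):
        print(f"line {lineno:>3}  {category:<20} {matched}")
    print(by_category(scan(SAMPLE_FILE)))
```

The hostname and email hits are not secrets, which is exactly why they are worth flagging: they tell an attacker which systems exist, how the naming scheme works, and whom to phish. Wire `scan` into a pre-commit hook and `redact` into whatever pipeline publishes sample configs.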

(Figure: MITRE ATT&CK and PRE-ATT&CK)

(Figure: PRE-ATT&CK tactics)


Impersonation of Online Assets

When we think of “assets”, this can mean very different things depending on your role in the organization. In the digital world, your assets can be your primary sales websites, or your social media handles that your customers and prospects engage with online.

Attackers increasingly impersonate these assets, creating spoof domains and social media accounts to sell fraudulent goods, target your employees, or harvest customer details. Failing to identify these impersonations can lead to a damaged brand and lost revenue.
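Spotting spoof domains before customers do starts with enumerating the lookalikes an attacker is likely to register, then comparing them against new-registration feeds or certificate transparency logs. The script below is an added example for this post, not Digital Shadows’ tooling; the brand `examplebank`, the feed of newly registered domains, and the list of affix words are all constructed. It generates omission, repetition, transposition, hyphenation, homoglyph, vowel-swap, and affix variants of a brand, then classifies observed domains against them, catching TLD swaps and brand-embedded names as well. The same permutation logic applies to social media handles.

```python
"""Enumerate the lookalike domains an attacker is likely to register against a brand and
classify observed domains (e.g. from a new-registration feed or CT logs) against them."""
from typing import Dict, List, Optional, Tuple

# Visually confusable substitutions attackers use in spoof domains.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv", "d": "cl"}
# Words commonly bolted onto a brand name to lend a phishing domain credibility (assumed list).
AFFIXES = ("login", "secure", "support", "account", "verify", "mail", "help")
VOWELS = "aeiou"
# Labels that act as second-level public suffixes under a two-letter ccTLD (e.g. co.uk).
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "gov", "ac"}


def generate_lookalikes(brand: str) -> Dict[str, str]:
    """Map each candidate second-level label to the technique that produces it."""
    out: Dict[str, str] = {}
    n = len(brand)
    for i in range(n):
        out.setdefault(brand[:i] + brand[i + 1:], "omission")
        out.setdefault(brand[:i] + brand[i] + brand[i:], "repetition")
        if i < n - 1:
            out.setdefault(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:], "transposition")
            out.setdefault(brand[:i + 1] + "-" + brand[i + 1:], "hyphenation")
        if brand[i] in HOMOGLYPHS:
            out.setdefault(brand[:i] + HOMOGLYPHS[brand[i]] + brand[i + 1:], "homoglyph")
        if brand[i] in VOWELS:
            for vowel in VOWELS:
                if vowel != brand[i]:
                    out.setdefault(brand[:i] + vowel + brand[i + 1:], "vowel-swap")
    for word in AFFIXES:
        out.setdefault(f"{brand}-{word}", "affix")
        out.setdefault(f"{word}-{brand}", "affix")
        out.setdefault(f"{brand}{word}", "affix")
    out.pop(brand, None)  # transposing a doubled letter yields the genuine label; drop it
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for lookalikes the generator does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(fqdn: str) -> Tuple[str, str]:
    """Return (second-level label, suffix); small heuristic for ccSLDs such as .co.uk."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL_SUFFIXES and len(labels[-1]) == 2:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def classify(fqdn: str, brand: str, lookalikes: Dict[str, str],
             owned_tlds: Tuple[str, ...]) -> Optional[str]:
    """Name the impersonation technique, or None if the domain is genuine/unrelated."""
    sld, tld = split_domain(fqdn)
    if sld == brand:
        return None if tld in owned_tlds else "tld-swap"
    if sld in lookalikes:
        return lookalikes[sld]
    if brand in sld.replace("-", ""):
        return "brand-embedded"
    if edit_distance(sld, brand) <= 1:
        return "edit-distance-1"
    return None


def triage(observed: List[str], brand: str, owned_tlds: Tuple[str, ...] = ("com",)) -> Dict[str, str]:
    """Classify each observed domain; only lookalikes appear in the result."""
    lookalikes = generate_lookalikes(brand)
    result: Dict[str, str] = {}
    for fqdn in observed:
        reason = classify(fqdn, brand, lookalikes, owned_tlds)
        if reason:
            result[fqdn] = reason
    return result


# Constructed sample: one day's newly registered domains from a hypothetical feed.
NEW_REGISTRATIONS = [
    "examplebank.com",            # the genuine domain
    "examplebank.net",            # TLD swap
    "exarnplebank.com",           # 'rn' for 'm'
    "examplebank-login.com",      # credibility affix
    "exampelbank.com",            # transposition
    "examplebnk.com",             # omission
    "myexamplebank-rewards.com",  # brand embedded in a longer label
    "exampleban.co.uk",           # omission under a ccSLD
    "weather-report.org",         # unrelated
]

if __name__ == "__main__":
    for domain, reason in triage(NEW_REGISTRATIONS, "examplebank").items():
        print(f"{domain:<28} {reason}")
```

Feed `triage` the domains you actually own as `owned_tlds`, and treat every hit as a candidate for takedown or, cheaper still, defensive registration before an attacker gets there.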

(Figure: domain impersonation example)


Control your Digital Footprint and Limit Opportunities for Attackers

Now that assets have moved outside of your traditional view, it’s incredibly difficult to know whether, and where, they have become exposed. But by failing to control our digital footprints, we are gifting the advantage to our adversaries.

With company brands increasing in importance, it’s no surprise that more and more organizations are looking to get a handle on this exposure, learn about it before it hits the news, and get ahead of an attack.
