Login
Explore the nature of vulnerabilities in this episode of ThreatWise TV.
It’s shaping up to be another big year for vulnerability disclosure. Already the number of Common Vulnerabilities and Exposures (CVEs) disclosed has crossed 18,000 and it’s on track to make this another record-breaking year.
With new CVEs being disclosed daily, it has become increasingly difficult for security teams to stay abreast of the latest risks, let alone quickly determine which ones apply to their network environment. From those, prioritizing which CVEs to patch first adds an additional wrinkle to the process.
If this wasn’t challenging enough, a curve ball that’s often lobbed at security teams are the “breaking news” vulnerabilities— vulnerabilities picked up by the security media, often with much fanfare. The stories surrounding these high-profile vulnerabilities generally carry an implied threat that the CVE in question will throw the doors wide open to attackers if not addressed immediately. What security team hasn’t had someone from the C-suite share an article they’ve read, asking “are we protected from this?”
On the surface, CVEs that appear severe enough to garner media attention do seem like a good place to start when addressing vulnerabilities in your environment. But vulnerabilities are complicated, and what a security researcher manages to do within a controlled environment doesn’t always translate into real-world attacks. In fact, most disclosed vulnerabilities never see active exploitation. And of those that do, not every vulnerability ends up becoming a tool in an attacker’s arsenal. Bad actors generally follow the path of least resistance when they compromise a network, relying on tested exploits long before trying something new and unproven.
This begs the question: how much overlap is there between the most talked about vulnerabilities and those that are widely used in attacks? Moreover, if media attention isn’t a reliable indicator, what else might predict if a vulnerability will be used in an attack?
To answer these questions, we used intelligence tools available from Cisco’s Kenna Security risk-based vulnerability management (RBVM) software. In particular, Kenna.VI+ consolidates a variety of vulnerability intelligence, where a CVE ID lookup can pull back a wealth of information. In addition to this, Kenna.VI+ includes an API that brings in an additional layer of external threat intelligence, enabling further analysis.
We started with a direct comparison of Successful Exploitations and Chatter Count from within Kenna.VI+. The former is a full count of confirmed exploits within the dataset, while the latter is a count of mentions in the news, social media, various forums, and the dark web.
Our first pass at the data included a comparison of the top 50 CVEs in both Successful Exploitations and Chatter Count. However, there were only two CVEs that overlapped. The data showed that many of the top exploited CVEs were old and predated the data in Chatter Count. We quickly decided that this wasn’t a fair comparison.
To get a better look at more relevant CVEs, we limited the dataset to a range of 10 years. Unfortunately, this did not do much to improve things—only three CVEs showed up in both lists.
A more effective approach was to look at CVEs that we know are actively being exploited. The Cybersecurity and Infrastructure Security Agency (CISA) happens to maintain such a list. The Known Exploited Vulnerabilities (KEV) catalog is considered an authoritative compilation of vulnerabilities identified as being actively exploited in the wild.
Running the KEV catalog though Kenna.VI+ resulted in six CVEs that appeared in the top 50 for both lists, with a single overlap in the top 10. This leads us to conclude that the vulnerabilities with the most discussion are not the same as those being actively exploited in the majority of cases.
| CVE | Brief description | |
| 1 | CVE-2017-9841 | PHPUnit vulnerability (used to target popular CMSes) |
| 2 | CVE-2021-44228 | Log4j vulnerability |
| 3 | CVE-2019-0703 | Windows SMB information disclosure vulnerability |
| 4 | CVE-2014-0160 | Heartbleed vulnerability |
| 5 | CVE-2017-9805 | REST plugin in Apache Struts vulnerability |
| 6 | CVE-2017-11882 | Microsoft Office memory corruption vulnerability |
| 7 | CVE-2017-5638 | Apache Struts vulnerability (used in Equifax breach) |
| 8 | CVE-2012-1823 | 10-year-old PHP vulnerability |
| 9 | CVE-2017-0144 | EternalBlue vulnerability |
| 10 | CVE-2018-11776 | Apache Struts RCE vulnerability |
| CVE | Brief description | |
| 1 | CVE-2021-26855 | Microsoft Exchange vulnerability (used in Hafnium attacks) |
| 2 | CVE-2021-40444 | Microsoft MSHTML RCE vulnerability |
| 3 | CVE-2021-26084 | Confluence Server and Data Center vulnerability |
| 4 | CVE-2021-27065 | Microsoft Exchange vulnerability (used in Hafnium attacks) |
| 5 | CVE-2021-34473 | Microsoft Exchange vulnerability (used in Hafnium attacks) |
| 6 | CVE-2021-26858 | Microsoft Exchange vulnerability (used in Hafnium attacks) |
| 7 | CVE-2021-44228 | Log4j vulnerability |
| 8 | CVE-2021-34527 | One of the PrintNightmare vulnerabilities |
| 9 | CVE-2021-41773 | Apache HTTP Server vulnerability |
| 10 | CVE-2021-31207 | One of the ProxyShell vulnerabilities |
Despite the lack of overlap, there are many well-known vulnerabilities at the top of both lists. Heartbleed and EternalBlue appear on the top 10 exploited list, while Hafnium, PrintNightmare, and ProxyShell make the top 10 most talked about CVEs.
The Log4j vulnerability is the only CVE that appears in both lists. This isn’t surprising considering the ubiquity of Log4j in modern software. It’s the second-most exploited vulnerability—far outpacing the CVEs directly below it. This, coupled with its appearance in the chatter list, puts it in a class of its own. In a brief period, it’s managed to outpace older CVEs that are arguably just as well known.
The CVE that recorded the most successful exploitations is a five-year-old vulnerability in PHPUnit. This is a popular unit-testing framework that’s used by many CMSes, such as Drupal, WordPress, MediaWiki, and Moodle.
Since many websites are built with these tools, this exploit can be a handy vector for gaining initial access to unpatched webservers. This also lines up with research we conducted last year, where this vulnerability was one of the most common Snort detections seen by Cisco Secure Firewall.
All four of the Microsoft Exchange Server vulnerabilities used in the Hafnium attacks appear in the most talked about list of CVEs. However, even when you add all four of these CVEs together, they still don’t come anywhere close to the counts seen in the top exploited CVEs.
If media attention is not a good predictor of use for exploitation, then what are the alternatives?
The Common Vulnerability Scoring System (CVSS) is a well-known framework for gauging the severity of vulnerabilities. We looked for CVEs from the KEV catalog that were ranked as “critical”—9.0 and above in the CVSSv3 specification. Examining the entire KEV catalog, 28% of the CVEs have a score of 9.0 or higher. Of the top 50 successfully exploited, 38% had such scores.
This is an improvement, but the CVSSv3 specification was released in 2015. Many CVEs in the KEV catalog predate this—19% of the entire catalog and 28% of the top 50—and have no score.
Using the previous CVSS specification does fill this gap—36% overall and 52% of the top 50 score 9.0 or higher. However, the older CVSS specification comes with its share of issues as well.
Another indicator worth exploring is remote control execution (RCE). A vulnerability with RCE grants an attacker the ability to access and control a vulnerable system from anywhere. It turns out that 45% of the CVEs in our dataset allow for RCE, and 66% of the top 50, making it the most worthwhile indicator analyzed.
Let’s summarize how we’ve honed our approach to determine if media attention and exploitation line up:
| Data set | Exploitation and Chatter lists | Number of CVEs |
| All CVEs | Appears in both top 50 | 2 |
| Appears in both top 50 (last 10 years) | 3 | |
| KEV Catalog | Appears in both top 50 | 6 |
| Appears in both top 10 | 1 |
And here’s a summary of our look at other indicators:
| KEV Catalog | Top 50 exploited | |
| CVSSv3 (9.0+) | 28% | 38% |
| CVSS (9.0+) | 36% | 52% |
| Allows for RCE | 45% | 66% |
All of this analysis provides a clear answer to our original question—the most regularly exploited CVEs aren’t the most talked about. Additional work highlights that monitoring variables like RCE can help with prioritization.
For illustrative purposes we’ve only looked at a few indicators that could be used to prioritize CVEs. While some did better than others, we don’t recommend relying on a single variable in making decisions about vulnerability management. Creating an approach that folds in multiple indicators is a far better strategy when it comes to real-world application of this data. And while our findings here speak to the larger picture, every network is different.
Regardless of which list they appear on, be it Successful Exploitations or Chatter Count, it’s important to point out that all these vulnerabilities are serious. Just because Hafnium has more talk than Heartbleed doesn’t make it any less dangerous if you have assets that are vulnerable to it. The fact is that while CVEs with more talk didn’t make the top of the exploitation list, they still managed to rack up tens of thousands of successful exploitations.
It’s important to know how to prioritize security updates, fixing those that expose you to the most risk as soon as possible. From our perspective, here are some basic elements in the Cisco Secure portfolio that can help.
Kenna Security, a pioneer in risk-based vulnerability management, relies on threat intel and prioritization to keep security and IT teams focused on risks. Using data science, Kenna processes and analyzes 18+ threat and exploit intelligence feeds, and 12.7+ billion managed vulnerabilities to give you an accurate view of your company’s risk. With our risk scoring and remediation intelligence, you get the info you need to make truly data-driven remediation decisions.
To responsibly protect a network, it’s important to monitor all assets that connect to it and ensure they’re kept up to date. Duo Device Trust can check the patch level of devices for you before they’re granted access to connect to corporate applications or sensitive data. You can even block access and enable self-remediation for devices that are found to be non-compliant.
How about remote workers? By leveraging the Network Visibility Module in Cisco Secure Client as a telemetry source, Cisco Secure Cloud Analytics can capture endpoint-specific user and device context to supply visibility into remote worker endpoint status. This can bolster an organization’s security posture by providing visibility on remote employees that are running software versions with vulnerabilities that need patching.
Lastly, for some “lateral thinking” about vulnerability management, take a look at this short video of one of our Advisory CISOs, Wolfgang Goerlich. Especially if you’re a fan of the music of the 1920s…
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Today, we released the latest issue of The Domain Name Industry Brief, which shows that the second quarter of 2022 closed with 351.5 million domain name registrations across all top-level domains, an increase of 1.0 million domain name registrations, or 0.3%, compared to the first quarter of 2022.1,2 Domain name registrations have increased by 10.4 million, or 3.0%, year over year.1,2
Check out the latest issue of The Domain Name Industry Brief to see domain name stats from the second quarter of 2022, including:
• Top 10 Largest TLDs by Number of Reported Domain Names
• Top 10 Largest ccTLDs by Number of Reported Domain Names
• ngTLDs as Percentage of Total TLDs
• Geographical ngTLDs as Percentage of Total Corresponding Geographical TLDs
To see past issues of The Domain Name Industry Brief, please visit verisign.com/dnibarchives.
The post Verisign Q2 2022 Domain Name Industry Brief: 351.5 Million Domain Name Registrations in the Second Quarter of 2022 appeared first on Verisign Blog.
We’ve been talking a lot about security resilience recently, and for good reason. It’s clear the only way businesses can operate in today’s hybrid world is by taking bold steps to increase visibility, awareness, and integration across their systems. All while maintaining a singular goal of becoming more resilient in the face of evolving threats. But that doesn’t just mean expanding the scope of your security stack. It also means examining the resilience of other pillars of your business, like operations, organizational structure, financial processes, and supply chain functions.
If threats do compromise your business, time is of the essence when it comes to detection, response, and recovery. The longer an organization is unable to operate normally, the more at risk it becomes for damaging financial losses. As Diana Kelley, CSO and CISO at Cybrize notes, “it’s not about giving up, it’s about being better prepared.” Financial and security resilience go together, you can’t have one without the other and both are incredibly important for businesses of all sizes.
While recovering from an attack is important for maintaining resilience, a key feature of strong operational resilience is a business’s ability to operate through adverse conditions, not just recover well after the fact. Trina Ford, SVP and CISO at AEG, notes the importance of “preparedness so that your business can continue to thrive” while your security team addresses threats.
It also relies heavily upon strong staffing models because people are a critical part of any business’s day-to-day operations. What happens when someone is out sick, or is unable to access the necessary tools to do their job? Operational resilience means having a plan in place to be prepared for these situations.
In this video, CISOs and other security professionals explain what operational resilience means to them and why it’s a necessary component of overall security resilience:
If the past few years have taught us anything, it’s that supply chains are fragile. But there are ways to prepare for disruption, such as minimizing negative outcomes like production delays, infrastructure weaknesses, and increasingly complex logistics. When it comes to security resilience, supply chains are important because they expand the attack surface to any third party in your network. Oftentimes, this is where businesses have the lowest visibility, making it hard to detect and respond to threats. Supply chain resilience means preparing for these challenges before they cause real damage and having contingency plans in place.
According to Helen Patton, CISO of the SBG, “security is a risk business”. We couldn’t agree more. In the context of organizational resilience, this means dedicating resources to the areas of the business that are creating the most value and protecting those to minimize the risk of damage from potential threats.
With hybrid work here to stay, the threat landscape is expanding quickly, and security teams are working constantly to stay up to date on the latest attacks. But defending against everything all the time is impossible, so it’s necessary to make informed decisions about how to dedicate resources efficiently. The goal is to maximize flexibility and agility to enable security teams to act confidently when, not if, a threat lands.
Avoiding cyberattacks 100% of the time is impossible, but by ensuring the integrity of each part of your business, you can address threats confidently and emerge stronger. Investing in security resilience will strengthen your business in each of these areas, and help you better prepare for the challenges ahead.
Learn more about how Cisco Secure can help you at any step of the journey.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Self-awareness goes a long way in determining your next professional steps. While job searching, it’s critical to identify how to leverage your transferable skills and network, while also evaluating what environmental factors of work and work culture matter to you most. Learn what it’s like to work at Cisco and the top 10 ways to suss out a workplace that suits your needs from leaders at Cisco Secure, Cisco Talos and Duo Security.
First things first. Emily Reid, the newly appointed director of employee experience at Cisco Secure who came from Duo Security, advises, “Do your own research to see how the company and their employees describe the culture publicly — on the company’s website and through other sites, articles and resources. For tech companies specifically I always think, “What else do you have beyond the ping-pong table?”’
The interview process is the next key opportunity to find out what culture is like beyond amenities. To gain multiple perspectives, Reid recommends asking about company culture in every interview you have.
The question at the top of Reid’s list: Do you have programs and resources to support the development and success of your employees? “I want to know how a company will be investing in my career growth and if I will feel welcome and included as part of the team. Seeing what a company chooses to center and highlight when describing their culture is usually very telling,” she said.
Interning at a company is another way to get firsthand knowledge and can lead to full-time employment. “several former interns are now people leaders managing their own teams — and their own interns — coming full circle,” Reid said.
Knowing that there is safety and support in bringing your whole self to work is vital. What policies, programs and initiatives are in place that demonstrate an organization’s commitment to diversity, equity, inclusion and belonging?
Cisco’s ongoing commitments to social justice and pay parity include twelve action steps as part of Cisco’s Social Justice Blueprint. Cultivating a conscious culture includes on-going dialogue, programs and events meant to increase equality. Employee Resource Organizations and mentorship programs provide more opportunities to build community and share knowledge, resources and advocacy.
What environment allows you to do your best work? Also consider what perks and processes an employer offers to enhance flexibility and adaptability. During the pandemic, Duo and Cisco transitioned all global events, training and professional development workshops to fully virtual. As in person options resumed following the pandemic, all events are designed to ensure an inclusive experience no matter where you’re joining from.
“We don’t want to go back to a world where people not based in an office feel like they are getting a lesser experience,” Reid said.
Considering how to make programs and information accessible to employees regardless of where they work is also important to Sammi Seaman, team lead of employee experience at Cisco Talos. She’s currently spearheading a new hire program that is “more inclusive of folks whether they’re office based, remote or somewhere across the world.”
It’s essential to consider how you want your life and work to intersect, particularly as hybrid work becomes more popular. How important is paid time off, flexible work options or a consistent structure?
Cisco Secure offers “Days for Me,” days off for employees to decompress and do something to fill their cups. Monthly “Focus Days” are days without meetings, so employees can prioritize the projects that need attention.
Curran recalls one candidate who, despite multiple offers from competitors, chose Cisco Secure because of the flexible work environment: “This person has a young child and felt that the “Days for Me” and flexibility to work from home in a hybrid situation would work best for his career long-term.”
As Reid’s team helps lead the transition to hybrid work, the book Out of Office: The Big Problem and Bigger Promise of Working From Home by Charlie Warzel and Anne Helen Petersen has been inspiring. The book “does an amazing job of sharing a vision for an inclusive future that empowers employees to be successful and have a ‘work/life balance’ that truly works,” Reid said.
Currently Cisco Secure offers a hybrid model while many employees still work remotely. In terms of maintaining accessibility through this transition, Marketing Specialist Julie Kramer advocated for more accessibility and saw changes at Cisco as a result.
“Webex pre-COVID didn’t have any closed captioning. So, another deaf person and I reached out and closed captioning and the transcript option got added,” Kramer shared.
Kramer prefers to have high-quality and frequently the same interpreters who “know the terminology for my job, marketing and technology. In business, the security and marketing industry can really talk fast, so you need a high-quality interpreter that can keep up and one that is qualified and certified,” she said.
Consider what pace of your specific role and within an industry is needed for you to feel engaged without overwhelmed. While different roles within the same organization and industry may run at different paces, it’s important to tune into what might be expected on your potential new team.
Seaman finds that the fast pace of cybersecurity can be “delightful and challenging. There’s a lot of fast-paced pivoting that happens, which makes for an interesting workplace because two days are never the same,” she said.
Do you prefer a hierarchical structure, or one that is more flat? Are you most effective and fulfilled riding solo, or while consistently connecting with coworkers? Does contributing your ideas make you feel empowered?
At Cisco Secure, there is space to join conversations. “No matter where you sit in the company, you have a voice and can speak up and collaborate and self-organize on a project. It feels like a bunch of really hard working, humble, smart people who are trying to solve problems together,” said Manager of Duo’s Global Knowledge and Communities Team Kelly Davenport.
To enhance communication and knowledge among distributed teams, Seaman started a dialogue series called “The More You Know.” Questions include: What do you do? How do you do it? How can that help other parts of Cisco Talos? The conversations lead to future collaboration and resource sharing.
Do you want to grow professionally and increase your skills and knowledge? A culture of teaching and learning within an organization can help hone and expand your skills and connections.
Lead of Strategic Business Intelligence Ashlee Benge finds the security world “very dynamic. You really can never stop learning. Within Cisco Talos, the people around me are such smart, dedicated people that there’s really a lot that you can gain from just being involved in the group as a whole.”
For Seaman, who didn’t come from a technical background, Cisco Talos offered opportunities to expand her technical knowledge, including from colleagues. “Coming into Cisco Talos, people are like, “Here, let me teach you. You can totally do this. Just because you didn’t know how to do it doesn’t mean you can’t learn. Let’s go,” Seaman shared. Seaman’s colleagues have also learned from her expertise in information and knowledge management given her background as a librarian.
More formally, the Learning and Development team recently launched a comprehensive talent development program with enablement resources and support for people leaders. Aspects include: “really thoughtful templates for employees to use with their manager to talk through career goals, development areas, and to define an actionable investment plan. These resources are fueling great career conversations, strong alignment, and thoughtful development plans,” Reid said.
Do you want to refine your skills within your wheelhouse? Or are you driven to try new tasks and potentially change roles within your next organization?
Benge, whose background is in computational astrophysics, has found her interests shift from technical security research to business strategy and data science. At Cisco Talos, she’s been involved in everything from detection research and threat hunting, to community outreach, conference talks and traveling to support sales engagements. Currently, she’s helping to lead threat hunting in Ukraine.
“My leaders have always made it very clear that if there’s an interest, it’s okay to pursue it and it doesn’t have to necessarily be within the scope of my role. Having that freedom to pursue interests within the industry has been really engaging,” Benge said.
In addition to company values and mission statements, leaders and employees contribute to an organization’s culture every day. If you want to enhance your company’s culture, participate.
“Feedback on what employees want to see is crucial,” Reid said. “The easiest way to contribute to developing culture and a positive employee experience in your workplace is to add to what’s already happening! Culture takes participation and ownership from all employees.”
Reid shared that in performance reviews at Cisco, “‘Team Impact” is equally as important as “Results.” Contributing positively to company culture should contribute to performance reviews and promotion justification,” she said.
To learn more about Cisco’s company culture and how you can contribute to it, check out our open roles.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Security tools are only as good as the intelligence and expertise that feeds them. We’re very fortunate to have our security technologies powered by Cisco Talos, one of the largest and most trusted threat intelligence groups in the world. Talos is comprised of highly skilled researchers, analysts, and engineers who provide industry-leading visibility, actionable intelligence, and vulnerability research to protect both our customers and the internet at large.
The Talos team serves as a crucial pillar of our innovation — alerting customers and the public to new threats and mitigation tactics, enabling us to quickly incorporate protection into our products, and stepping in to help organizations with incident response, threat hunting, compromise assessments and more. Talos can also be found securing large-scale events such as the Super Bowl, and working with government and law enforcement organizations across the globe to share intelligence.
With Cisco’s vast customer base and broad portfolio — from routers and switches to email and endpoints — Talos has visibility into worldwide telemetry. Once a threat is seen, whether it’s a phishing URL or an IP address hosting malware, detections are created and indicators of compromise are categorized and blocked across our Cisco Secure portfolio.
Talos also leverages its unique insights to help society as a whole better understand and combat the cyberattacks facing us daily. During the war in Ukraine, the group has taken on the additional task of defending over 30 critical infrastructure providers in the country by directly managing and monitoring their endpoint security.
The reality of security today is that organizations must be constantly ready to detect and contain both known and unknown threats, minimize impact, and keep business going no matter what happens in the cyber realm. In light of hybrid work, evolving network architectures, and increasingly insidious attacks, all organizations must also be prepared to rapidly recover if disaster strikes, and then emerge stronger. We refer to this as security resilience, and Talos plays a critical role in helping our customers achieve it.
For several years, our integrated, cloud-native Cisco SecureX platform has been delivering extended detection and response (XDR) capabilities and more. SecureX allows customers to aggregate, analyze, and act on intelligence from disparate sources for a coordinated response to cyber threats.
Through the SecureX platform, intelligence from Talos is combined with telemetry from our customers’ environments — including many third-party tools — to provide a more complete picture of what’s going on in the network. Additionally, built-in, automated response functionality helps to speed up and streamline mitigation. This way, potential attacks can be identified, prioritized, and remediated before they lead to major impact.
For XDR to be successful, it must not only aggregate data, but also make sense of it. Through combined insights from various resources, SecureX customers obtain the unified visibility and context needed to rapidly prioritize the right threats at the right time. With SecureX, security analysts spend up to 90 percent less time per incident.
One of Australia’s largest universities, Deakin University, needed to improve its outdated security posture and transition from ad hoc processes to a mature program. Its small security team sought an integrated solution to simplify and strengthen threat defense.
With a suite of Cisco security products integrated through SecureX, Deakin University was able to reduce the typical investigation and response time for a major threat down from over a week to just an hour. The university was also able to decrease its response time for malicious emails from an hour to as little as five minutes.
“The most important outcome that we have achieved so far is that security is now a trusted function.”
– Fadi Aljafari, Information Security and Risk Manager, Deakin University
Also in the education space, AzEduNet provides connectivity and online services to 1.5 million students and 150,000 teachers at 4,300 educational institutions in Azerbaijan. “We don’t have enough staff to monitor every entry point into our network and correlate all the information from our security solutions,” says Bahruz Ibrahimov, senior information security engineer at AzEduNet.
The organization therefore implemented Cisco SecureX to accelerate investigations and incident management, maximize operational efficiency with automated workflows, and decrease threat response time. With SecureX, AzEduNet has reduced its security incidents by 80 percent.
“The integration with all our Cisco Secure solutions and with other vendors saves us response and investigation time, as well as saving time for our engineers.”
– Bahruz Ibrahimov, Senior Information Security Engineer, AzEduNet
The sophistication of attackers and sheer number of threats out there today make it extremely challenging for most cybersecurity teams to effectively stay on top of alerts and recognize when something requires their immediate attention. According to a survey by ESG, 81 percent of organizations say their security operations have been affected by the cybersecurity skills shortage.
That’s why Talos employs hundreds of researchers around the globe — and around the clock — to collect and analyze massive amounts of threat data. The group uses the latest in machine learning logic and custom algorithms to distill the data into manageable, actionable intelligence.
“Make no mistake, this is a battle,” said Nick Biasini, head of outreach for Cisco Talos, who oversees a team of global threat hunters. “In order to keep up with the adversaries, you really need a deep technical understanding of how these threats are constructed and how the malware operates to quickly identify how it’s changing and evolving. Offense is easy, defense is hard.”
Earlier this year, we unveiled our strategic vision for the Cisco Security Cloud to deliver end-to-end security across hybrid, multicloud environments. Talos will continue to play a pivotal role in our technology as we execute on this vision. In addition to driving protection in our products, Talos also offers more customized and hands-on expertise to customers when needed.
Cisco Talos Incident Response provides a full suite of proactive and emergency services to help organizations prepare for, respond to, and recover from a breach — 24 hours a day. Additionally, the recently released Talos Intel on Demand service delivers custom research unique to your organization, as well as direct access to Talos security analysts for increased awareness and confidence.
Visit our dedicated Cisco Talos web page to learn more about the group and the resources it offers to help keep global organizations cyber resilient. Then, discover how XDR helps Security Operations Center (SOC) teams hunt for, investigate, and remediate threats.
Watch video: What it means to be a threat hunter
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Earlier this month, the administrator of the cybercrime forum Breached received a cease-and-desist letter from a cybersecurity firm. The missive alleged that an auction on the site for data stolen from 10 million customers of Mexico’s second-largest bank was fake news and harming the bank’s reputation. The administrator responded to this empty threat by purchasing the stolen banking data and leaking it on the forum for everyone to download.
On August 3, 2022, someone using the alias “Holistic-K1ller” posted on Breached a thread selling data allegedly stolen from Grupo Financiero Banorte, Mexico’s second-biggest financial institution by total loans. Holistic-K1ller said the database included the full names, addresses, phone numbers, Mexican tax IDs (RFC), email addresses and balances on more than 10 million citizens.
There was no reason to believe Holistic-K1ller had fabricated their breach claim. This identity has been highly active on Breached and its predecessor RaidForums for more than two years, mostly selling databases from hacked Mexican entities. Last month, they sold customer information on 36 million customers of the Mexican phone company Telcel; in March, they sold 33,000 images of Mexican IDs — with the front picture and a selfie of each citizen. That same month, they also sold data on 1.4 million customers of Mexican lending platform Yotepresto.
But this history was either overlooked or ignored by Group-IB, the Singapore-based cybersecurity firm apparently hired by Banorte to help respond to the data breach.
“The Group-IB team has discovered a resource containing a fraudulent post offering to buy Grupo Financiero Banorte’s leaked databases,” reads a letter the Breach administrator said they received from Group-IB. “We ask you to remove this post containing Banorte data. Thank you for your cooperation and prompt attention to this urgent matter.”
The administrator of Breached is “Pompompurin,” the same individual who alerted this author in November 2021 to a glaring security hole in a U.S. Justice Department website that was used to spoof security alerts from the FBI. In a post to Breached on Aug. 8, Pompompurin said they bought the Banorte database from Holistic-K1ller’s sales thread because Group-IB was sending emails complaining about it.
“They also attempted to submit DMCA’s against the website,” Pompompurin wrote, referring to legal takedown requests under the Digital Millennium Copyright Act. “Make sure to tell Banorte that now they need to worry about the data being leaked instead of just being sold.”
Group-IB CEO Dmitriy Volkov said the company has seen some success in the past asking hackers to remove or take down certain information, but that making such requests is not a typical response for the security firm.
“It is not a common practice to send takedown notifications to such forums demanding that such content be removed,” Volkov said. “But these abuse letters are legally binding, which helps build a foundation for further steps taken by law enforcement agencies. Actions contrary to international rules in the regulated space of the Internet only lead to more severe crimes, which — as we know from the case of Raidforums — are successfully investigated and stopped by law enforcement.”
Banorte did not respond to requests for comment. But in a brief written statement picked up on Twitter, Banorte said there was no breach involving their infrastructure, and the data being sold is old.
“There has been no violation of our platforms and technological infrastructure,” Banorte said. “The set of information referred to is inaccurate and outdated, and does not put our users and customers at risk.”
That statement may be 100 percent true. Still, it is difficult to think of a better example of how not to do breach response. Banorte shrugging off this incident as a nothingburger is baffling: While it is almost certainly true that the bank balance information in the Banorte leak is now out of date, the rest of the information (tax IDs, phone numbers, email addresses) is harder to change.
“Is there one person from our community that think sending cease and desist letter to a hackers forum operator is a good idea?,” asked Ohad Zaidenberg, founder of CTI League, a volunteer emergency response community that emerged in 2020 to help fight COVID-19 related scams. “Who does it? Instead of helping, they pushed the organization from the hill.”
Kurt Seifried, director of IT for the CloudSecurityAlliance, was similarly perplexed by the response to the Banorte breach.
“If the data wasn’t real….did the bank think a cease and desist would result in the listing being removed?” Seifried wondered on Twitter. “I mean, isn’t selling breach data a worse crime usually than slander or libel? What was their thought process?”
A more typical response when a large bank suspects a breach is to approach the seller privately through an intermediary to ascertain if the information is valid and what it might cost to take it off the market. While it may seem odd to expect cybercriminals to make good on their claims to sell stolen data to only one party, removing sold stolen items from inventory is a fairly basic function of virtually all cybercriminal markets today (apart from perhaps sites that traffic in stolen identity data).
At a minimum, negotiating or simply engaging with a data seller can buy the victim organization additional time and clues with which to investigate the claim and ideally notify affected parties of a breach before the stolen data winds up online.
It is true that a large number of hacked databases put up for sale on the cybercrime underground are sold only after a small subset of in-the-know thieves have harvested all of the low-hanging fruit in the data — e.g., access to cryptocurrency accounts or user credentials that are recycled across multiple websites. And it’s certainly not unheard of for cybercriminals to go back on their word and re-sell or leak information that they have sold previously.
But companies in the throes of responding to a data security incident do themselves and customers no favors when they underestimate their adversaries, or try to intimidate cybercrooks with legal threats. Such responses generally accomplish nothing, except unnecessarily upping the stakes for everyone involved while displaying a dangerous naiveté about how the cybercrime underground works.
Update, Aug. 17, 10:32 a.m.: Thanks to a typo by this author, a request for comment sent to Group-IB was not delivered in advance of this story. The copy above has been updated to include a comment from Group-IB’s CEO.
One way to tame your email inbox is to get in the habit of using unique email aliases when signing up for new accounts online. Adding a “+” character after the username portion of your email address — followed by a notation specific to the site you’re signing up at — lets you create an infinite number of unique email addresses tied to the same account. Aliases can help users detect breaches and fight spam. But not all websites allow aliases, and they can complicate account recovery. Here’s a look at the pros and cons of adopting a unique alias for each website.
What is an email alias? When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that prefaced by a “+” sign just to the left of the “@” sign in your email address. For instance, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to my inbox and create a corresponding folder called “Example,” along with a new filter that sends any email addressed to that alias to the Example folder.
Importantly, you don’t ever use this alias anywhere else. That way, if anyone other than example.com starts sending email to it, it is reasonable to assume that example.com either shared your address with others or that it got hacked and relieved of that information. Indeed, security-minded readers have often alerted KrebsOnSecurity about spam to specific aliases that suggested a breach at some website, and usually they were right, even if the company that got hacked didn’t realize it at the time.
Alex Holden, founder of the Milwaukee-based cybersecurity consultancy Hold Security, said many threat actors will scrub their distribution lists of any aliases because there is a perception that these users are more security- and privacy-focused than normal users, and are thus more likely to report spam to their aliased addresses.
Holden said freshly-hacked databases also are often scrubbed of aliases before being sold in the underground, meaning the hackers will simply remove the aliased portion of the email address.
“I can tell you that certain threat groups have rules on ‘+*@’ email address deletion,” Holden said. “We just got the largest credentials cache ever — 1 billion new credentials to us — and most of that data is altered, with aliases removed. Modifying credential data for some threat groups is normal. They spend time trying to understand the database structure and removing any red flags.”
According to the breach tracking site HaveIBeenPwned.com, only about .03 percent of the breached records in circulation today include an alias.
Email aliases are rare enough that seeing just a few email addresses with the same alias in a breached database can make it trivial to identify which company likely got hacked and leaked said database. That’s because the most common aliases are simply the name of the website where the signup takes place, or some abbreviation or shorthand for it.
Hence, for a given database, if there are more than a handful of email addresses that have the same alias, the chances are good that whatever company or website corresponds to that alias has been hacked.
That might explain the actions of Allekabels, a large Dutch electronics web shop that suffered a data breach in 2021. Allekabels said a former employee had stolen data on 5,000 customers, and that those customers were then informed about the data breach by Allekabels.
But Dutch publication RTL Nieuws said it obtained a copy of the Allekabels user database from a hacker who was selling information on 3.6 million customers at the time, and found that the 5,000 number cited by the retailer corresponded to the number of customers who’d signed up using an alias. In essence, RTL argued, the company had notified only those most likely to notice and complain that their aliased addresses were suddenly receiving spam.
“RTL Nieuws has called more than thirty people from the database to check the leaked data,” the publication explained. “The customers with such a unique email address have all received a message from Allekabels that their data has been leaked – according to Allekabels they all happened to be among the 5000 data that this ex-employee had stolen.”
HaveIBeenPwned’s Hunt arrived at the conclusion that aliases account for about .03 percent of registered email addresses by studying the data leaked in the 2013 breach at Adobe, which affected at least 38 million users. Allekabels’s ratio of aliased users was considerably higher than Adobe’s — .14 percent — but then again European Internet users tend to be more privacy-conscious.
While overall adoption of email aliases is still quite low, that may be changing. Apple customers who use iCloud to sign up for new accounts online automatically are prompted to use Apple’s Hide My Email feature, which creates the account using a unique email address that automatically forwards to a personal inbox.
What are the downsides to using email aliases, apart from the hassle of setting them up? The biggest downer is that many sites won’t let you use a “+” sign in your email address, even though this functionality is clearly spelled out in the email standard.
Also, if you use aliases, it helps to have a reliable mnemonic to remember the alias used for each account (this is a non-issue if you create a new folder or rule for each alias). That’s because knowing the email address for an account is generally a prerequisite for resetting the account’s password, and if you can’t remember the alias you added way back when you signed up, you may have limited options for recovering access to that account if you at some point forget your password.
What about you, Dear Reader? Do you rely on email aliases? If so, have they been useful? Did I neglect to mention any pros or cons? Feel free to sound off in the comments below.
During our threat hunting exercises in recent months, we’ve started to observe a distinguishing pattern of msiexec.exe usage across different endpoints. As we drilled down to individual assets, we found traces of a recently discovered malware called Raspberry Robin. The RedCanary Research Team first coined the name for this malware in their blog post, and Sekoia published a Flash Report about the activity under the name of QNAP Worm. Both articles offer great analysis of the malware’s behavior. Our findings support and enrich prior research on the topic.
Raspberry Robin is a worm that spreads over an external drive. After initial infection, it downloads its payload through msiexec.exe from QNAP cloud accounts, executes its code through rundll32.exe, and establishes a command and control (C2) channel through TOR connections.
Let’s walkthrough the steps of the kill-chain to see how this malware functions.
Raspberry Robin is delivered through infected external disks. Once attached, cmd.exe tries to execute commands from a file within that disk. This file is either a .lnk file or a file with a specific naming pattern. Files with this pattern exhibit a 2 to 5 character name with an usually obscure extension, including .swy, .chk, .ico, .usb, .xml, and .cfg. Also, the attacker uses an excessive amount of whitespace/non printable characters and changing letter case to avoid string matching detection techniques. Example command lines include:
File sample for delivery can be found in this URL:
https://www.virustotal.com/gui/file/04c13e8b168b6f313745be4034db92bf725d47091a6985de9682b21588b8bcae/relations
Next, we observe explorer.exe running with an obscure command line argument, spawned by a previous instance of cmd.exe. This obscure argument seems to take the name of an infected external drive or .lnk file that was previously executed. Some of the samples had values including USB, USB DISK, or USB Drive, while some other samples had more specific names. On every instance of explorer.exe we see that the adversary is changing the letter case to avoid detection:
After delivery and initial execution, cmd.exe spawns msiexec.exe to download the Raspberry Robin payload. It uses -q or /q together with standard installation parameter to operate quietly. Once again, mixed case letters are used to bypass detection:
As you can see above, URLs used for payload download have a specific pattern. Domains use 2 to 4 character names with obscure TLDs including .xyz, .hk, .info, .pw, .cx, .me, and more. URL paths have a single directory with a random string 11 characters long, followed by hostname and the username of the victim. On network telemetry, we also observed the Windows Installer user agent due to the usage of msiexec.exe. To detect Raspberry Robin through its URL pattern, use this regex:
^http[s]{0,1}\:\/\/[a-zA-Z0-9]{2,4}\.[a-zA-Z0-9]{2,6}\:8080\/[a-zA-Z0-9]+\/.*?(?:-|\=|\?).*?$
If we look up the WHOIS information for given domains, we see domain registration dates going as far back as February 2015. We also see an increase on registered domains starting from September 2021, which aligns with initial observations of Raspberry Robin by our peers.
| WHOIS Creation Date | Count |
| 12/9/2015 | 1 |
| … | … |
| 10/8/2020 | 1 |
| 11/14/2020 | 1 |
| 7/3/2021 | 1 |
| 7/26/2021 | 2 |
| 9/11/2021 | 2 |
| 9/23/2021 | 9 |
| 9/24/2021 | 6 |
| 9/26/2021 | 4 |
| 9/27/2021 | 2 |
| 11/9/2021 | 3 |
| 11/10/2021 | 1 |
| 11/18/2021 | 2 |
| 11/21/2021 | 3 |
| 12/11/2021 | 7 |
| 12/31/2021 | 7 |
| 1/17/2022 | 6 |
| 1/30/2022 | 11 |
| 1/31/2022 | 3 |
| 4/17/2022 | 5 |
Table 1: Distribution of domain creation dates over time
Associated domains have SSL certificates with the subject alternative name of q74243532.myqnapcloud.com, which points out the underlying QNAP cloud infra. Also, their URL scan results return login pages to QTS service of QNAP:
Once the payload is downloaded, it is executed through various system binaries. First, rundll32.exe uses the ShellExec_RunDLL function from shell32.dll to leverage system binaries such as msiexec.exe, odbcconf.exe, or control.exe. These binaries are used to execute the payload stored in C:\ProgramData\[3 chars]\
It is followed by the execution of fodhelper.exe, which has the auto elevated bit set to true. It is often leveraged by adversaries in order to bypass User Account Control and execute additional commands with escalated privileges [3]. To monitor suspicious executions of fodhelper.exe, we suggest monitoring its instances without any command line arguments.
Raspberry Robin sets up its C2 channel through the additional execution of system binaries without any command line argument, which is quite unusual. That likely points to process injection given elevated privileges in previous steps of execution. It uses dllhost.exe, rundll32.exe, and regsvr32.exe to set up a TOR connection.
In Cisco Global Threat Alerts available through Cisco Secure Network Analytics and Cisco Secure Endpoint, we track this activity under the Raspberry Robin threat object. Image 3 shows a detection sample of Raspberry Robin:
Raspberry Robin tries to remain undetected through its use of system binaries, mixed letter case, TOR-based C2, and abuse of compromised QNAP accounts. Although we have similar intelligence gaps (how it infects external disks, what are its actions on objective) like our peers, we are continuously observing its activities.
| Type | Stage | IOC |
| Domain | Payload Delivery | k6j[.]pw |
| Domain | Payload Delivery | kjaj[.]top |
| Domain | Payload Delivery | v0[.]cx |
| Domain | Payload Delivery | zk4[.]me |
| Domain | Payload Delivery | zk5[.]co |
| Domain | Payload Delivery | 0dz[.]me |
| Domain | Payload Delivery | 0e[.]si |
| Domain | Payload Delivery | 5qw[.]pw |
| Domain | Payload Delivery | 6w[.]re |
| Domain | Payload Delivery | 6xj[.]xyz |
| Domain | Payload Delivery | aij[.]hk |
| Domain | Payload Delivery | b9[.]pm |
| Domain | Payload Delivery | glnj[.]nl |
| Domain | Payload Delivery | j4r[.]xyz |
| Domain | Payload Delivery | j68[.]info |
| Domain | Payload Delivery | j8[.]si |
| Domain | Payload Delivery | jjl[.]one |
| Domain | Payload Delivery | jzm[.]pw |
| Domain | Payload Delivery | k6c[.]org |
| Domain | Payload Delivery | kj1[.]xyz |
| Domain | Payload Delivery | kr4[.]xyz |
| Domain | Payload Delivery | l9b[.]org |
| Domain | Payload Delivery | lwip[.]re |
| Domain | Payload Delivery | mzjc[.]is |
| Domain | Payload Delivery | nt3[.]xyz |
| Domain | Payload Delivery | qmpo[.]art |
| Domain | Payload Delivery | tiua[.]uk |
| Domain | Payload Delivery | vn6[.]co |
| Domain | Payload Delivery | z7s[.]org |
| Domain | Payload Delivery | k5x[.]xyz |
| Domain | Payload Delivery | 6Y[.]rE |
| Domain | Payload Delivery | doem[.]Re |
| Domain | Payload Delivery | bpyo[.]IN |
| Domain | Payload Delivery | l5k[.]xYZ |
| Domain | Payload Delivery | uQW[.]fUTbOL |
| Domain | Payload Delivery | t7[.]Nz |
| Domain | Payload Delivery | 0t[.]yT |
Private tech companies gather tremendous amounts of user data. These companies can afford to let you use social media platforms free of charge because it’s paid for by your data, attention, and time.
Big tech derives most of its profits by selling your attention to advertisers — a well-known business model. Various documentaries (like Netflix’s “The Social Dilemma”) have attempted to get to the bottom of the complex algorithms that big tech companies employ to mine and analyze user data for the benefit of third-party advertisers.
This article will help you better understand what information is being collected by tech companies, how it’s being used, and how you can protect your privacy online.
Tech companies benefit from personal information by being able to provide personalized ads. When you click “yes” at the end of a terms and conditions agreement found on some web pages, you may be allowing the companies to collect the following data:
For someone unfamiliar with privacy issues, it is important to understand the extent of big tech’s tracking and data collection. Once these companies collect data, all this information can be supplied to third-party businesses or used to improve user experience.
The problem with this is that big tech has blurred the line between collecting customer data and violating user privacy in some cases. While tracking what content you interact with can be justified under the garb of personalizing the content you see, big tech platforms have been known to go too far. Prominent social networks like Facebook and LinkedIn have faced past legal trouble for accessing personal user data like private messages and saved photos.
The information you provide helps build an accurate character profile and turns it into knowledge that gives actionable insights to businesses. Private data usage can be classified into three cases: selling it to data brokers, using it to improve marketing, or enhancing customer experience.
Along with big data, another industry has seen rapid growth: data brokers. Data brokers buy, analyze, and package your data. Companies that collect large amounts of data on their users stand to profit from this service. Selling data to brokers is an important revenue stream for big tech companies.
Advertisers and businesses benefit from increased information on their consumers, creating a high demand for your information. The problem here is that companies like Facebook and Alphabet (Google’s parent company) have been known to mine massive amounts of user data for the sake of their advertisers.
Marketing can be highly personalized thanks to the availability of large amounts of consumer data. Tracking your response to marketing campaigns can help businesses alter or improve certain aspects of their campaign to drive better results.
The problem is that most AI-based algorithms are incapable of assessing when they should stop collecting or using your information. After a point, users run the risk of being constantly subjected to intrusive ads and other unconsented marketing campaigns that pop up frequently.
Analyzing consumer behavior through reviews, feedback, and recommendations can help improve customer experience. Businesses have access to various facets of data that can be analyzed to show them how to meet consumer demands. This could help improve any part of a consumer’s interaction with the company, from designing special offers and discounts to improving customer relationships.
For most social media platforms, the goal is to curate a personalized feed that appeals to the users and allows them to spend more time on the app. When left unmonitored, the powerful algorithms behind these social media platforms can repeatedly subject you to the same kind of content from different creators.
Here are the big tech companies that collect and mine the most user data.
Users need a comprehensive data privacy solution to tackle the rampant, large-scale data mining carried out by big tech platforms. While targeted advertisements and easily found items are beneficial, many of these companies collect and mine user data through several channels simultaneously, exploiting them in many different ways.
It’s important to make sure your personal information is protected. Protection solutions like McAfee’s Personal Data Cleanup feature can help. With this feature, our teams scour the web for traces of your personal information and assist in getting it removed to enhance your online privacy.
McAfee’s Total Protection provides antivirus software for all of your digital devices and a secure VPN connection to avoid exposure to malicious third parties while browsing the internet. Our identity monitoring and personal data removal solutions further remove gaps in your devices’ security systems.
With our airtight data protection and custom guidance (complete with a protection score for each platform and tips to keep you safer), you can be sure that your internet identity is protected.
The post What Personal Data Do Companies Track? appeared first on McAfee Blog.
The 911 service as it existed until July 28, 2022.
911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it is shutting down in the wake of a data breach that destroyed key components of its business operations. The abrupt closure comes ten days after KrebsOnSecurity published an in-depth look at 911 and its connections to shady pay-per-install affiliate programs that secretly bundled 911’s proxy software with other titles, including “free” utilities and pirated software.
911[.]re is was one of the original “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for his/her Internet communications, providing anonymity and the advantage of being perceived as a residential user surfing the web.
Residential proxy services are often marketed to people seeking the ability to evade country-specific blocking by the major movie and media streaming providers. But some of them — like 911 — build their networks in part by offering “free VPN” or “free proxy” services that are powered by software which turns the user’s PC into a traffic relay for other users. In this scenario, users indeed get to use a free VPN service, but they are often unaware that doing so will turn their computer into a proxy that lets others use their Internet address to transact online.
From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer. These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.
As noted in KrebsOnSecurity’s July 19 story on 911, the proxy service operated multiple pay-per-install schemes that paid affiliates to surreptitiously bundle the proxy software with other software, continuously generating a steady stream of new proxies for the service.
A cached copy of flashupdate[.]net circa 2016, which shows it was the homepage of a pay-per-install affiliate program that incentivized the silent installation of 911’s proxy software.
Within hours of that story, 911 posted a notice at the top of its site, saying, “We are reviewing our network and adding a series of security measures to prevent misuse of our services. Proxy balance top-up and new user registration are closed. We are reviewing every existing user, to ensure their usage is legit and [in] compliance with our Terms of Service.”
At this announcement, all hell broke loose on various cybercrime forums, where many longtime 911 customers reported they were unable to use the service. Others affected by the outage said it seemed 911 was trying to implement some sort of “know your customer” rules — that maybe 911 was just trying to weed out those customers using the service for high volumes of cybercriminal activity.
Then on July 28, the 911 website began redirecting to a notice saying, “We regret to inform you that we permanently shut down 911 and all its services on July 28th.”
According to 911, the service was hacked in early July, and it was discovered that someone manipulated the balances of a large number of user accounts. 911 said the intruders abused an application programming interface (API) that handles the topping up of accounts when users make financial deposits with the service.
“Not sure how did the hacker get in,” the 911 message reads. “Therefore, we urgently shut down the recharge system, new user registration, and an investigation started.”
The parting message from 911 to its users, posted to the homepage July 28, 2022.
However the intruders got in, 911 said, they managed to also overwrite critical 911[.]re servers, data and backups of that data.
“On July 28th, a large number of users reported that they could not log in the system,” the statement continues. “We found that the data on the server was maliciously damaged by the hacker, resulting in the loss of data and backups. Its [sic] confirmed that the recharge system was also hacked the same way. We were forced to make this difficult decision due to the loss of important data that made the service unrecoverable.”
Operated largely out of China, 911 was an enormously popular service across many cybercrime forums, and it became something akin to critical infrastructure for this community after two of 911’s longtime competitors — malware-based proxy services VIP72 and LuxSocks — closed their doors in the past year.
Now, many on the crime forums who relied on 911 for their operations are wondering aloud whether there are any alternatives that match the scale and utility that 911 offered. The consensus seems to be a resounding “no.”
I’m guessing we may soon learn more about the security incidents that caused 911 to implode. And perhaps other proxy services will spring up to meet what appears to be a burgeoning demand for such services at the moment, with comparatively little supply.
In the meantime, 911’s absence may coincide with a measurable (if only short-lived) reprieve in unwanted traffic to top Internet destinations, including banks, retailers and cryptocurrency platforms, as many former customers of the proxy service scramble to make alternative arrangements.
Riley Kilmer, co-founder of the proxy-tracking service Spur.us, said 911’s network will be difficult to replicate in the short run.
“My speculation is [911’s remaining competitors] are going to get a major boost in the short term, but a new player will eventually come along,” Kilmer said. “None of those are good replacements for LuxSocks or 911. However, they will all allow anyone to use them. For fraud rates, the attempts will continue but through these replacement services which should be easier to monitor and stop. 911 had some very clean IP addresses.”
911 wasn’t the only major proxy provider disclosing a breach this week tied to unauthenticated APIs: On July 28, KrebsOnSecurity reported that internal APIs exposed to the web had leaked the customer database for Microleaves, a proxy service that rotates its customers’ IP addresses every five to ten minutes. That investigation showed Microleaves — like 911 — had a long history of using pay-per-install schemes to spread its proxy software.
Microleaves, a ten-year-old proxy service that lets customers route their web traffic through millions of Microsoft Windows computers, recently fixed a vulnerability in their website that exposed their entire user database. Microleaves claims its proxy software is installed with user consent, but data exposed in the breach shows the service has a lengthy history of being supplied with new proxies by affiliates incentivized to distribute the software any which way they can — such as by secretly bundling it with other titles.
The Microleaves proxy service, which is in the process of being rebranded to Shifter[.[io.
Launched in 2013, Microleaves is a service that allows customers to route their Internet traffic through PCs in virtually any country or city around the globe. Microleaves works by changing each customer’s Internet Protocol (IP) address every five to ten minutes.
The service, which accepts PayPal, Bitcoin and all major credit cards, is aimed primarily at enterprises engaged in repetitive, automated activity that often results in an IP address being temporarily blocked — such as data scraping, or mass-creating new accounts at some service online.
In response to a report about the data exposure from KrebsOnSecurity, Microleaves said it was grateful for being notified about a “very serious issue regarding our customer information.”
Abhishek Gupta is the PR and marketing manager for Microleaves, which he said in the process of being rebranded to “Shifter.io.” Gupta said the report qualified as a “medium” severity security issue in Shifter’s brand new bug bounty program (the site makes no mention of a bug bounty), which he said offers up to $2,000 for reporting data exposure issues like the one they just fixed. KrebsOnSecurity declined the offer and requested that Shifter donate the amount to the Electronic Frontier Foundation (EFF), a digital rights group.
From its inception nearly a decade ago, Microleaves has claimed to lease between 20-30 million IPs via its service at any time. Riley Kilmer, co-founder of the proxy-tracking service Spur.us, said that 20-30 million number might be accurate for Shifter if measured across a six-month time frame. Currently, Spur is tracking roughly a quarter-million proxies associated with Microleaves/Shifter each day, with a high rate of churn in IPs.
Early on, this rather large volume of IP addresses led many to speculate that Microleaves was just a botnet which was being resold as a commercial proxy service.
Proxy traffic related to top Microleaves users, as exposed by the website’s API.
The very first discussion thread started by the new user Microleaves on the forum BlackHatWorld in 2013 sought forum members who could help test and grow the proxy network. At the time, the Microleaves user said their proxy network had 150,000 IPs globally, and was growing quickly.
One of BlackHatWorld’s moderators asked the administrator of the forum to review the Microleaves post.
“User states has 150k proxies,” the forum skeptic wrote. “No seller on BHW has 150k working daily proxies none of us do. Which hints at a possible BOTNET. That’s the only way you will get 150k.”
Microleaves has long been classified by antivirus companies as adware or as a “potentially unwanted program” (PUP), the euphemism that antivirus companies use to describe executable files that get installed with ambiguous consent at best, and are often part of a bundle of software tied to some “free” download. Security vendor Kaspersky flags the Microleaves family of software as a trojan horse program that commandeers the user’s Internet connection as a proxy without notifying the user.
“While working, these Trojans pose as Microsoft Windows Update,” Kaspersky wrote.
In a February 2014 post to BlackHatWorld, Microleaves announced that its sister service — reverseproxies[.]com — was now offering an “Auto CAPTCHA Solving Service,” which automates the solving of those squiggly and sometimes frustrating puzzles that many websites use to distinguish bots from real visitors. The CAPTCHA service was offered as an add-on to the Microleaves proxy service, and ranged in price from $20 for a 2-day trial to $320 for solving up to 80 captchas simultaneously.
“We break normal Recaptcha with 60-90% success rate, recaptcha with blobs 30% success, and 500+ other captcha,” Microleaves wrote. “As you know all success rate on recaptcha depends very much on good proxies that are fresh and not spammed!”
The exposed Microleaves user database shows that the first user created on the service — username “admin” — used the email address alex.iulian@aol.com. A search on that email address in Constella Intelligence, a service that tracks breached data, reveals it was used to create an account at the link shortening service bit.ly under the name Alexandru Florea, and the username “Acidut.” [Full disclosure: Constella is currently an advertiser on this website].
According to the cyber intelligence company Intel 471, a user named Acidut with the email address iulyan87_4u@gmail.com had an active presence on almost a dozen shadowy money-making and cybercrime forums from 2010 to 2017, including BlackHatWorld, Carder[.]pro, Hackforums, OpenSC, and CPAElites.
The user Microleaves (later “Shifter.io”) advertised on BlackHatWorld the sale of 31 million residential IPs for use as proxies, in late 2013. The same account continues to sell subscriptions to Shifter.io.
In a 2011 post on Hackforums, Acidut said they were building a botnet using an “exploit kit,” a set of browser exploits made to be stitched into hacked websites and foist malware on visitors. Acidut claimed their exploit kit was generating 3,000 to 5,000 new bots each day. OpenSC was hacked at one point, and its private messages show Acidut purchased a license from Exmanoize, the handle used by the creator of the Eleonore Exploit Kit.
By November 2013, Acidut was advertising the sale of “26 million SOCKS residential proxies.” In a March 2016 post to CPAElites, Acidut said they had a worthwhile offer for people involved in pay-per-install or “PPI” schemes, which match criminal gangs who pay for malware installs with enterprising hackers looking to sell access to compromised PCs and websites.
Because pay-per-install affiliate schemes rarely impose restrictions on how the software can be installed, such programs can be appealing for cybercriminals who already control large collections of hacked machines and/or compromised websites. Indeed, Acidut went a step further, adding that their program could be quietly and invisibly nested inside of other programs.
“For those of you who are doing PPI I have a global offer that you can bundle to your installer,” Acidut wrote. “I am looking for many installs for an app that will generate website visits. The installer has a silence version which you can use inside your installer. I am looking to buy as many daily installs as possible worldwide, except China.”
Asked about the source of their proxies in 2014, the Microleaves user responded that it was “something related to a PPI network. I can’t say more and I won’t get into details.”
Acidut authored a similar message on the forum BlackHatWorld in 2013, where they encouraged users to contact them on Skype at the username “nevo.julian.” That same Skype contact address was listed prominently on the Microleaves homepage up until about a week ago when KrebsOnSecurity first reached out to the company.
There is a Facebook profile for an Alexandru Iulian Florea from Constanta, Romania, whose username on the social media network is Acidut. Prior to KrebsOnSecurity alerting Shifter of its data breach, the Acidut profile page associated Florea with the websites microleaves.com, shrooms.io, leftclick[.]io, and online[.]io. Mr. Florea did not respond to multiple requests for comment, and his Facebook page no longer mentions these domains.
Leftclick and online[.]io emerged as subsidiaries of Microleaves between 2017 and 2018. According to a help wanted ad posted in 2018 for a developer position at online[.]io, the company’s services were brazenly pitched to investors as “a cybersecurity and privacy tool kit, offering extensive protection using advanced adblocking, anti-tracking systems, malware protection, and revolutionary VPN access based on residential IPs.”
A teaser from Irish Tech News.
“Online[.]io is developing the first fully decentralized peer-to-peer networking technology and revolutionizing the browsing experience by making it faster, ad free, more reliable, secure and non-trackable, thus freeing the Internet from annoying ads, malware, and trackers,” reads the rest of that help wanted ad.
Microleaves CEO Alexandru Florea gave an “interview” to the website Irishtechnews.ie in 2018, in which he explained how Online[.]io (OIO) was going to upend the online advertising and security industries with its initial coin offering (ICO). The word interview is in air quotes because the following statements by Florea deserved some serious pushback by the interviewer.
“Online[.]io solution, developed using the Ethereum blockchain, aims at disrupting the digital advertising market valued at more than $1 trillion USD,” Alexandru enthused. “By staking OIO tokens and implementing our solution, the website operators will be able to access a new non-invasive revenue stream, which capitalizes on time spent by users online.”
“At the same time, internet users who stake OIO tokens will have the opportunity to monetize on the time spent online by themselves and their peers on the World Wide Web,” he continued. “The time spent by users online will lead to ICE tokens being mined, which in turn can be used in the dedicated merchant system or traded on exchanges and consequently changed to fiat.”
Translation: If you install our proxy bot/CAPTCHA-solver/ad software on your computer — or as an exploit kit on your website — we’ll make millions hijacking ads and you will be rewarded with heaps of soon-to-be-worthless shitcoin. Oh, and all your security woes will disappear, too.
It’s unclear how many Internet users and websites willingly agreed to get bombarded with Online[.]io’s annoying ads and search hijackers — and to have their PC turned into a proxy or CAPTCHA-solving zombie for others. But that is exactly what multiple security companies said happened when users encountered online[.]io, which operated using the Microsoft Windows process name of “online-guardian.exe.”
Incredibly, Crunchbase says Online[.]io raised $6 million in funding for an initial coin offering in 2018, based on the plainly ludicrous claims made above. Since then, however, online[.]io seems to have gone…offline, for good.
Until this week, Shifter.io’s website also exposed information about its customer base and most active users, as well as how much money each client has paid over the lifetime of their subscription. The data indicates Shifter has earned more than $11.7 million in direct payments, although it’s unclear how far back in time those payment records go, or how complete they are.
The bulk of Shifter customers who spent more than $100,000 at the proxy service appear to be digital advertising companies, including some located in the United States. None of the several Shifter customers approached by KrebsOnSecurity agreed to be interviewed.
Shifter’s Gupta said he’d been with the company for three years, since the new owner took over the company and made the rebrand to Shifter.
“The company has been on the market for a long time, but operated under a different brand called Microleaves, until new ownership and management took over the company started a reorganization process that is still on-going,” Gupta said. “We are fully transparent. Mostly [our customers] work in the data scraping niche, this is why we actually developed more products in this zone and made a big shift towards APIs and integrated solutions in the past year.”
Ah yes, the same APIs and integrated solutions that were found exposed to the Internet and leaking all of Shifter’s customer information.
Gupta said the original founder of Microleaves was a man from India, who later sold the business to Florea. According to Gupta, the Romanian entrepreneur had multiple issues in trying to run the company, and then sold it three years ago to the current owner — Super Tech Ventures, a private equity company based in Taiwan.
“Our CEO is Wang Wei, he has been with the company since 3 years ago,” Gupta said. “Mr. Florea left the company two years ago after ending this transition period.”
Google and other search engines seem to know nothing about a Super Tech Ventures based in Taiwan. Incredibly, Shifter’s own PR person claimed that he, too, was in the dark on this subject.
“I would love to help, but I really don’t know much about the mother company,” Gupta said, essentially walking back his “fully transparent” statement. “I know they are a branch of the bigger group of asian investment firms focused on private equity in multiple industries.”
Adware and proxy software are often bundled together with “free” software utilities online, or with popular software titles that have been pirated and quietly fused with installers tied to various PPI affiliate schemes.
But just as often, these intrusive programs will include some type of notice — even if installed as part of a software bundle — that many users simply do not read and click “Next” to get on with installing whatever software they’re seeking to use. In these cases, selecting the “basic” or “default” settings while installing usually hides any per-program installation prompts, and assumes you agree to all of the bundled programs being installed. It’s always best to opt for the “custom” installation mode, which can give you a better idea of what is actually being installed, and can let you control certain aspects of the installation.
Either way, it’s best to start with the assumption that if a software or service online is “free,” that there is likely some component involved that allows the provider of that service to monetize your activity. As KrebsOnSecurity noted at the conclusion of last week’s story on a China-based proxy service called 911, the rule of thumb for transacting online is that if you’re not the paying customer, then you and/or your devices are probably the product that’s being sold to others.
Further reading on proxy services:
July 18, 2022: A Deep Dive Into the Residential Proxy Service ‘911’
June 28, 2022: The Link Between AWM Proxy & the Glupteba Botnet
June 22, 2022: Meet the Administrators of the RSOCKS Proxy Botnet
Sept. 1, 2021: 15-Year-Old Malware Proxy Network VIP72 Goes Dark
Aug. 19, 2019: The Rise of “Bulletproof” Residential Networks
Over her 25-year-plus career, Saleema Syed has seen the information security industry from a variety of vantage points, all while championing women in technology. Syed worked as director of business systems and data management for Duo Security before rising to vice president of information technology. Later, after Duo was acquired by Cisco, she transitioned to new roles within the larger organization and now heads up operations for Webex Marketing. In this position Syed brings structure across different functions of marketing including brand, events and technology while also serving as chief operating officer for Chief Marketing Officer Aruna Ravichandran.
“I fell in love with the culture, the kindness, the heart of this company,” Syed said.
Recently, she shared her passion for problem solving and inclusion with the Duo Blog, along with the advice she gives mentees navigating their own career paths.
Saleema Syed: I like chaos and I love putting a method to the madness. With marketing we have to react to the market, react to the business, react internally. What energizes me is there’s never a dull day and there is always this ability to bring some overall end to end process.
I love running towards a burning car and figuring out how to put it out. I love change. I know change is the only constant and rather than running away from it, I thrive in it. I like to look at it and ask, “What can we do to break it down and figure out what we need to do?”
My brain works in terms of boxes and flows and charts and spreadsheets so when I look at something I’m like, “Okay, what is a box? What is a process? How do I untangle it?” I like sitting in the discomfort and understanding what to do to get out of it.
Saleema Syed: There are three things I always keep in mind when I look at what I’m doing and where I want to be. One is, at the core of it, does it fill my cup of empathy and allow me to be true to who I am in how I treat people or how I build a team?
The second thing is, will I have the opportunity to influence and impact the people on the team or my family? How do I show myself to my daughter who is growing and seeing how to become who she is as a career person?
The third thing is, is it something new and am I learning something? Continuous learning is a huge part of who I am, so that drives me to get out of my comfort zone constantly.
When I’m changing jobs people usually say, “You’ve set up this team, you’re so comfortable. Now all you have to do is sit back and execute.” And my answer is, “That’s exactly why I am moving.”
If I am comfortable I’m not learning, and I don’t know if I’m adding any more value than I’ve set up. That means it’s time for me to move on and elevate somebody. What I’m doing is sending the elevator down to somebody on the team to grow.
That’s why I’ve had people who work for me for many years follow me through multiple organizations, which as a leader has been my pinnacle of what I call my success. Success is not my role; it is how many people I have impacted and influenced.
Saleema Syed: I keep going back to Duo because working at that organization and meeting those people defined me as a human being. One of the strategic pillars of that organization is to be kinder than necessary.
However complicated the work challenges are, those around me must be aligned with what my integral values are and who I am. They have to have empathy and kindness in their heart. If that is not there, no matter how much I love solving challenges and know I can solve them, I’m not going to go for it. I’ve been extremely lucky at Duo, Cisco and Webex that I’ve been around those kinds of people.
If you look at Webex, I love the core of what we are, the journey we are on, the inclusivity. We are not just selling Webex messaging or other products. At the heart of it we are looking at how we are influencing people and things around us by making sure that there is inclusivity in the collaboration tools that we are launching.
Saleema Syed: My leadership style is pretty simple: nobody works for me; people work with me. I lead with making sure that people know this is the problem you’re trying to solve, here is the context of what we are trying to do. Now, let’s figure out how we solve it. That is something that has helped my team be part of the problem solving that I love to do.
When I interview people my first questions are, “What does the job bring to you? How would this job fill your cup?” That throws people off every time. You can teach any technology, you can teach any skill set, but if you don’t have the basic passion, the attitude to be able to do this job, then everything else can just go out the door.
Saleema Syed: I have a very diverse background. I am an Indian by birth and grew up in the Middle East. When I went into engineering, finished my education and started my career, one of the things I realized was that as a woman of color, I always wanted to apply for positions that I was fully qualified for. I wanted to make sure I knew everything about the job because a very big fear was being asked a question in the interview I didn’t know. LinkedIn’s Gender Insights Report found that women apply for 20% fewer jobs than men despite similar job search behaviors. That has been a very challenging mental barrier for me to break.
Trey Boynton, who was at Duo and now she’s leading Cisco in a beautiful journey of diversity as the senior director of inclusion and collaboration strategy always said, “We have to have that bicycle lane on the road, whether it is for females, whether it is for people of color or any LGBTQIA+ community members. That is how we get people to bring that confidence in to learn, grow and then they can merge easily.”
“Passion is a part of who I am and is contributing to my growth.” – Saleema Syed
Whatever I faced as I was growing up, whether it was my dark skin, whether it was my accent, whether it was, “Oh, you’re way too passionate” has been some of the feedback that I’ve gotten. In my career if I’m told I’m way too passionate I turn that around and say, “Passion is a part of who I am and is contributing to my growth.”
Saleema Syed: Within Webex, within Cisco, I try to be part of anything that I can do in terms of giving back to the community. I’m definitely a big proponent of women in technology. In the local Dallas area I run a program by myself and go into schools and advocate for girls in STEM. Cisco is amazing in how it gives us time to volunteer. I love that educating kids is part of my journey of giving back. That’s the generation you can influence.
How do we enable children and women to be more open to technology and being part of the technology field? Let’s look at the percentage of diversity in the technology field and be aware of it. It’s not only about the diversity numbers, but are we bringing in candidates at the leadership level and giving them not just a seat at the table but a voice at the table, too?
You also have to talk about what you do and with passion and energy because if you don’t, people get intimidated. If you can influence one person who comes from an underrepresented community, imagine what you are doing, not just for that person, but for his household, for his family, for his extended community. I have a lot more to do, but as I get into the next decade of my life and my career, that is something that is a huge focus for me.
Saleema Syed: First and foremost it’s very important to spend time and understand the business and the products in whatever industry you’re going into. It is key to your growth. Especially if it’s a security industry, take time to understand the products, the technology or the function that you’re trying to get into. Contextual understanding and product understanding are extremely important.
The second piece is to keep learning. Cisco is amazing in trying to help you learn and support you financially to be able to do it. I went back and got my executive MBA four years ago. Give yourself a goal of learning a new something, whether it is a new function, new technology or new leadership skill.
The third piece is to create a spreadsheet of where you want to be in two years. Put that out there and then work back just like you would do a project plan. Work back month by month, quarter by quarter. What are the skill sets you need to learn to get there?
The last part is: Do the job you want versus the job you are in. Of course, you have to do the job you are in, but do the job you want to get to. Don’t wait for a title, don’t wait for a promotion to act. No. What do you want to be? Show that to your leaders and yourself. The title will come, money will come, everything will come, but am I doing the job that I want and enjoy and I want to get to?
To learn more about Webex, Cisco and Duo Security and how you can apply your passion, advocacy and problem solving to make a difference in cybersecurity, browse our open roles.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
FreshRSS