Threat Intelligence to Remediate Platform Abuse
A publicly traded technology company (the Client) with thousands of global employees maintains a premier business unit application platform that is regularly abused by eCrime and cyber espionage actors. The Client requested Nisos’ threat intelligence expertise to inform its efforts to build more efficient automated detections and alerts for abuse of its commercial product.
The Client requested our access and expertise in analyzing edge network telemetry beyond the reach of their SOC. While their SOC is robust, they have limited resources dedicated to threat intelligence and do not have access to the external telemetry and datasets maintained by Nisos.
While the Client monitors threat intelligence for their platforms on a daily basis and coordinates with the SOC to set up a variety of alerts, they called in our expertise when it became clear that the totality of information was too much for their threat intelligence team to consume and analyze. The threat intelligence team wanted to focus on creating actionable alerts and needed our expertise to provide an in-depth baseline of their threat landscape.
We did not require network access to the Client’s environment. We used our access to discreet, external telemetry and proprietary datasets to support the engagement.
On the eCrime side, we discovered unsophisticated actors actively selling stolen Client application credentials, dangling the false promise of free or “hacked” access as bait for phishing schemes, or using the application as a tool to take over a victim’s computer in tech support scams.
More sophisticated actors with nation-state backing have used a variety of remote access tools for Advanced Persistent Threat (APT) attacks, including tools from the Client’s larger suite of applications. Although we saw no evidence of the specific platform under study being used or targeted, a review of such attacks shed light on how the platform could potentially be deployed for espionage or criminal purposes on third parties.
- At least three sophisticated APT campaigns originating out of China and Iran used the Client’s remote access tools to carry out a series of exploits against high-profile business and military targets.
- A sophisticated cyber-criminal organization used the Client’s product suite in conjunction with a third-party game app to deliver malware to business targets.
We highlighted reporting about vulnerabilities in the Client’s code that the Client’s application development team was ultimately able to secure. For example, the storage of the URL parameter “lang” and weaknesses in the Cross-Site Request Forgery (CSRF) protection were problematic vulnerabilities that were ultimately remedied.
The Client recognized that our solution was more comprehensive, analytic, and actionable than a simple threat intelligence feed. Nisos’ reporting enabled them to address the complex issue of platform abuse in a new way. To protect their brand and increase customer confidence in their product, the Client took the comprehensive list of doppelganger domains we compiled and initiated takedowns of these unauthorized domains with the various domain providers.
The Client was also able to blacklist the IP addresses of the doppelganger domains on their own firewall, and they passed the cross-site request forgery issues to the internal development team for remediation. In addition, they provided the list of IPs to their customers to block at their own network border devices, effectively forcing the threat actors to start from scratch or find a new platform to abuse.
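The doppelganger-domain workflow described above (compile a list of look-alike domains, then derive an IP blocklist from them) can be illustrated in code. The following is an added example and not Nisos’ or the Client’s tooling; the brand name `brandapp.com`, the homoglyph table, the similarity threshold, and the observed domain/IP pairs are all constructed for illustration. It normalises candidate domains (digit-for-letter swaps, hyphens, non-ASCII confusables), flags those that impersonate the brand, and emits the distinct IPs of the flagged domains, excluding the brand’s own.

```python
import unicodedata
from difflib import SequenceMatcher
from typing import Dict, List, Tuple

# Illustrative subset of digit/letter and multi-character look-alikes (assumption, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "rn": "m", "vv": "w"}

# Similarity threshold for a "near miss" (typo-squat) label; tuned by hand for this example.
NEAR_MISS_RATIO = 0.85


def normalize_label(label: str) -> str:
    """Fold confusable characters into a plain ASCII approximation for comparison."""
    # Non-ASCII confusables (e.g. Cyrillic letters) are dropped; the remaining
    # label still compares as a near miss against the brand label.
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label.replace("-", "")


def registrable_label(domain: str) -> str:
    """Second-level label. Simplification: assumes a single-label public suffix (no co.uk)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(brand: str, candidate: str) -> Dict[str, object]:
    """Decide whether `candidate` looks like a doppelganger of `brand` and say why."""
    b = normalize_label(registrable_label(brand))
    c = normalize_label(registrable_label(candidate))
    ratio = SequenceMatcher(None, b, c).ratio()
    reasons: List[str] = []
    # Same label after folding but a different registered name: homoglyph or TLD swap.
    if c == b and candidate.lower() != brand.lower():
        reasons.append("homoglyph_or_tld_swap")
    # Brand label embedded in a longer label: brandapp-login, brandappsupport, ...
    if b in c and c != b:
        reasons.append("brand_embedded")
    # One or two characters off: classic typo-squat.
    if ratio >= NEAR_MISS_RATIO and c != b:
        reasons.append("near_miss")
    return {"domain": candidate, "ratio": round(ratio, 3), "reasons": reasons,
            "flagged": bool(reasons)}


def build_blocklist(brand: str, observed: List[Tuple[str, str]]) -> List[str]:
    """Return the sorted, de-duplicated IPs of flagged domains, never the brand's own IPs."""
    own_ips = {ip for dom, ip in observed if dom.lower() == brand.lower()}
    flagged_ips = {ip for dom, ip in observed
                   if classify(brand, dom)["flagged"] and ip not in own_ips}
    return sorted(flagged_ips)


# Constructed sample of domains seen in external telemetry with the IPs they resolved to.
OBSERVED = [
    ("brandapp.com", "203.0.113.10"),        # the Client's real domain
    ("brand4pp.com", "198.51.100.5"),        # digit-for-letter homoglyph
    ("brandapp-login.net", "198.51.100.5"),  # brand embedded, shares a host with the above
    ("brandap.com", "198.51.100.77"),        # one character dropped
    ("unrelated.com", "192.0.2.9"),          # benign
]

if __name__ == "__main__":
    for domain, _ in OBSERVED:
        print(classify("brandapp.com", domain))
    print("blocklist:", build_blocklist("brandapp.com", OBSERVED))
```

The blocklist is only as good as the domain-to-IP mapping fed into it: shared hosting and CDN front ends mean a flagged IP can also serve legitimate sites, so a practitioner would review each IP before pushing it to a border firewall, and would prefer blocking the domains themselves (DNS or proxy policy) where the infrastructure allows.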
Nisos is the Managed Intelligence company. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.
For additional information, contact firstname.lastname@example.org