Investigating an Attack Against Recorded Future in Real Time
Recorded Future recently experienced a security incident and felt compelled to share in this blog how we used our own alerting, data sets, and internal resources to resolve it.
At Recorded Future, we monitor for new domain registrations, but we also use a highly customized version of DNSTwist to pattern match for company and product names that might be registered by cybercriminals in order to phish our clients, or even our client’s clients. On June 5, 2019, our new domain registration detection alerted us that the domain recorded-future[.]com (shown below) had been registered. This is one of many alerts that we have received recently about domains similar to ours being registered.
The fake Recorded Future website.
Kyle Ehmke, a researcher at ThreatConnect, also sent me a direct message on Twitter letting me know that the domain had been registered and the cybercriminal had set up a mirror of our site, which correlated nicely with our own alerting.
This attack is not at all surprising — your company can become a high-profile target when it gets sold in one of the biggest cybersecurity transactions of the year and is all over the news.
The newly registered domain was not registered through the same registrar as our domains are, and was not hosted within our usual infrastructure, making it instantly suspicious. Here are the details:
Domain Name: RECORDED-FUTURE.COM
Registry Domain ID: 2398479632_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.directnic.com
Registrar URL: http://www.directnic.com
Updated Date: 2019-06-04T06:33:32Z
Creation Date: 2019-06-04T06:32:14Z
Registrar Registration Expiration Date: 2020-06-04T06:32:14Z
Registrar: DNC Holdings, Inc
Sponsoring Registrar IANA ID: 291
Registrar Abuse Contact Email: abuse@directnic.com
Registrar Abuse Contact Phone: +1.8778569598
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: addPeriod (https://www.icann.org/epp#addPeriod)
Registrant Organization: kaushal karkhanis
Registrant State/Province: MA
Registrant Country: US
Registrant Email: recorded-future.com-registrant@directnicwhoiscompliance.com
Admin Email: recorded-future.com-admin@directnicwhoiscompliance.com
Tech Email: recorded-future.com-tech@directnicwhoiscompliance.com
Name Server: NS1.THCSERVERS.COM
Name Server: NS2.THCSERVERS.COM
While a quick, open source scan of the site (shown below) did not reveal anything immediately suspicious, there was something that our predictive intelligence picked up on: the IP address of the fake site, 149.56.251[.]106, already had a risk score of 13 — “suspicious” in Recorded Future — generated by our predictive risk scoring algorithm.
The predictive risk score is calculated by a machine learning algorithm that learns from the historic risk scores and context of IP addresses, and also captures the notion of an IP being in a “risky neighborhood” in the IPv4 address space. The domain was also suspicious because it was hosted within an OVH data center, which an unattributed security researcher referred to as the “dumpster fire of hosting.” Because of their overall poor reputation, assessed according to their IP risk score, our systems were already suspicious of the IP address even before the site was hosted there.
More information from the Intelligence Card™ is shown below.
URLScan of the suspicious site.
Recorded Future also offers a takedown service — one that we use internally for incident response and other matters. After our analysts scoured the site for as much information as they could find, and matched up any activity from the fake site against our server logs to try to understand when and how our site was mirrored, we opened a ticket with our takedown service provider to get the fake site shut down.
We began our incident response work around 9:15 AM ET. After our investigation, we reported the site for takedown at 11:10 AM ET, and by 11:44 AM ET, it was offline (shown below). There is still more work to do in terms of reviewing the incident and putting protections in place to prevent it from happening again, such as expanding our program to proactively register typosquatting domains. However, every step of our incident response process was informed by our own threat intelligence capabilities and prowess, allowing us to act swiftly and forcefully in dealing with the incident.
The suspended site.
Pivoting on 149.56.251[.]106
By analyzing the IP address that the spoof domain was hosted on, we can deduc
e from historical passive DNS data provided by the Recorded Future Farsight Security extension that the IP has hosted over 200 domains (download the appendix for the full list), many of which are spoofing various companies, including:
Google (gmallll[.]com)
PayPal (paypal.com-secures[.]ga)
Salarium (salariumphp[.]com), a fintech SaaS company based in the Philippines.
Looking at the other domains hosted on the 149.56.251[.]106 IP, it appears that the attackers may have a tendency to register domains pertaining to the technology sector and have repeatedly registered domains with the “autodiscover” hostname. This behavior likely indicates an intent to either spoof or use the Autodiscover service in Microsoft Exchange Server to set up a mail server. Examples include:
autodiscover.recorded-future[.]com
autodiscover.salariumphp[.]com
autodiscover.gmallll[.]com
To view a full list of the associated indicators of compromise, download the appendix.
Editor’s Note: To be abundantly clear, this typosquatting event did not impact Recorded Future’s systems in any way and did not lead to any unauthorized access to our infrastructure or any data. Typosquatting is an unfortunate reality of the internet, and that’s why organizations should ensure that they are able to monitor for these type of events with threat intelligence solutions such as Recorded Future.
Related