
Billtrust Breach: Can Threat Intelligence Platforms Help with Ransomware Prevention?


Highly publicized ransomware attacks are never short of golden nuggets of wisdom for the cybersecurity industry.

They first teach us that attackers control the rules of the game once infiltration is complete. Second, large enterprises that use cloud-based technologies to store sensitive financial information continue to be at risk. Finally, there is not much an organization can do besides restoring files from backups (when these remain available) once a ransomware attack has succeeded.

This last nugget seems to be the case for multiple victims, such as cloud-based billing service provider Billtrust. The business-to-business (B2B) payment vendor is reeling from the effects of a ransomware attack back in October, which disrupted its operations for four days. The company has since restored services and claimed to be working with law enforcement and a private security firm to investigate the data breach.

The Role of Threat Intelligence Platforms in Ransomware Prevention

While Billtrust did not disclose the specific ransomware strain that hit its network, some sources alleged that BitPaymer was responsible for the incident. Regardless of the actual malware used, what is common is for ransomware strains to be delivered as a secondary payload.

Usually, threat actors first conduct reconnaissance on a target’s network for vulnerabilities to exploit before sending the phishing email with the appropriate malicious attachment or download link—typically redirecting users to a website where the malicious script is hosted.

Scripts are often used to scan the target network for other vulnerabilities or to brute-force their way into systems with weak passwords to obtain high-privilege credentials. More sophisticated malware applications spread laterally throughout a target network. Regardless of the means used, once hackers gain unauthorized access, they can manually install ransomware on a connected computer.

In short, vulnerabilities play a massive role in the success of ransomware attacks. One way to stay ahead is by integrating a threat intelligence platform into organizations’ intrusion prevention systems (IPSs).

Our Investigative Tools: Threat Intelligence Platform

Threat Intelligence Platform can be used to assess a domain’s vulnerability based on its hosting configuration. With it, users can determine if their domains possess known vulnerabilities such as invalid Secure Sockets Layer (SSL) certificates or dangling records.

The platform provides color-coded ratings (i.e., green, blue, orange) for a particular website metric. Using Billtrust’s website (i.e., www.billtrust.com) as an example, you’ll see in TIP’s report that it has several warnings concerning its mail servers and SSL configuration.
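As an added illustration of the kind of SSL check such a report encodes (this is example code written for this post, not TIP's own tooling or API), the script below rates a certificate green or orange from the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns. The sample certificate and the `example.test` hostnames are constructed; the live helper assumes only the standard library.

```python
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "issuer": ((("commonName", "shop.example.test"),),),  # issuer == subject: self-signed
    "notBefore": "Jan  1 00:00:00 2019 GMT",
    "notAfter": "Jan  1 00:00:00 2020 GMT",
    "subjectAltName": (("DNS", "shop.example.test"), ("DNS", "*.cdn.example.test")),
}

def name_matches(pattern, hostname):
    """RFC 6125-style match: a leading '*.' wildcard covers exactly one DNS label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def assess_certificate(cert, hostname, now=None):
    """Return (rating, warnings): validity window, hostname coverage and self-signing checks."""
    now = time.time() if now is None else now
    warnings = []
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now > not_after:
        warnings.append("expired on " + cert["notAfter"])
    elif not_after - now < 30 * 86400:
        warnings.append("expires within 30 days")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy fallback: consult the CN only when no SAN is present
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(name_matches(n, hostname) for n in names):
        warnings.append(f"hostname {hostname} not covered by {names}")
    if cert.get("issuer") == cert.get("subject"):
        warnings.append("self-signed (issuer equals subject)")
    return ("green" if not warnings else "orange"), warnings

def fetch_and_assess(hostname, port=443, timeout=5.0):
    """Live check: a verifying handshake rejects an invalid chain outright (that is the
    finding); on success the presented certificate goes through assess_certificate()."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return assess_certificate(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        return "orange", [f"verification failed: {exc.verify_message}"]
```

Run `fetch_and_assess("www.billtrust.com")` against a host you are authorised to check; `assess_certificate` can also be pointed at certificate data exported from any other scanner.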

The report also retrieved the following list of domains hosted on the same IP address:

We randomly picked a domain from the list, 11412.tradebig[.]com, and saw that it had multiple SSL vulnerabilities and an invalid SSL certificate:

Analyzing other domains on the list showed additional warnings including scripts opening to other websites (which may or may not be dangerous).

While we’re not claiming that any of these online properties are malicious, you may want to avoid associations with them as their vulnerabilities may backfire on you.

Some websites (not on the above list), however, do have recorded ties to malware such as “4sharedtrend[.]com”—do not visit or share—that has been flagged on Yandex Safe Browsing, a known malware-checker data feed:

* * *

All in all, files encrypted by ransomware are extremely difficult to decrypt even with advanced forensic tools. To avoid falling victim, infosec professionals need more in-depth visibility into their networks and into the threat landscape in general.

Threat Intelligence Platform can aid them in monitoring sites connecting to new strains and protecting potentially vulnerable endpoints. Reports from the tool include a variety of data points like connected IP addresses and SSL certificates. What’s more, it may inform you about a host’s website content, WHOIS records, and mail and name servers.

By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services

Threat Intelligence Platform (TIP) offers easy to use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers, utilizing our substantial internal databases (compiled for 10+ years), and also real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.
