The Challenge

A job recruiting platform approached Nisos to determine the severity and authenticity of an affiliate recruiting company that appeared to be involved with disinformation and foreign nation state espionage efforts. The foreign nation state was suspected of targeted recruiting of individuals in sensitive US government positions using sockpuppet accounts.

Why Nisos

After receiving an allegation that the affiliate was using their platform to advance these efforts, the client asked Nisos to perform a digital investigation and use high operational security tradecraft to determine the extent of the operation and make recommendations on how to address the issue. Options included:

1. Removing the recruiting company from the platform,
2. Continuing to monitor, and/or
3. Informing law enforcement.

Preparation

Nisos was provided with minimal information consisting only of the name of the recruiting company. Nisos was not provided with any data regarding the details of the client’s organization or internal telemetry.

The Challenge

A technology company tasked Nisos to conduct a threat evaluation assessment on one of their executives after multiple internet forum users posted inflammatory, threatening, and racially derogatory content. More concerning, some forum users posted the executive’s residential address, social media accounts, public records information, speaking engagements and locations, and other sensitive personal information.

Why Nisos

The company approached Nisos to conduct a threat evaluation and digital identity reduction (PII removal). Prior to engaging Nisos, they had approached other vendors who could conduct a threat evaluation but had no ability to action and remove the problematic PII data.

Preparation

Nisos used a variety of available external data sources that did not require access to internal company information.

The Challenge

A technology company noticed a disturbing increase in malicious activity across their platform. Unknown individuals were selling bots that claimed to automate interactions with their platform and provide those that purchased the app an advantage over other users. This use of the app was a clear violation of the client’s Terms of Service. In other words - the bots would “game the system” to the financial disadvantage of normal conforming users - leading to frustration and anger directed at the client. To make matters worse, the bots mirrored the legitimate client application, presenting additional security threats.

The client enlisted Nisos with three primary objectives:

1. Determine how the bots were able to subvert client controls and take advantage of the platform.
2. Provide recommendations on how the client could improve their security posture and counter the illegitimate activity of the bots. 
3. Identify the actors making the bots, enabling the client to properly attribute the crime and take legal action.

Why Nisos

Nisos’ ability to help the client was rooted in our ability to deliver high-quality technical application analysis combined with open source research and attribution.

Preparation

The Client started by providing Nisos with a detailed history of bots that they had previously uncovered. They requested Nisos identify additional bots that may be present and undiscovered. In order to accomplish this task, Nisos did not need to access the Client’s network or sensitive data.

Execution

Nisos acquired the bot of most concern to the client through a common App store. We confirmed that it operated as claimed and provided an analysis of how the bot functioned at the code level. We also determined that several methods could be used to create a functional bot targeting the client’s platform, and we provided recommendations to the client to remediate this risk.

Our assessment concluded that the creator of the bot took the official client application, acquired the binary from a device, and altered it with their own additional code. This additional code pulled the necessary information from the client and automated user responses.


Attribution

Nisos found that previous application bot domains were associated with truncated email addresses. In one case, Google cache inspection of application .vip revealed a telegram account associated with a partially named online persona. We acquired a license for the application and extracted the Intelligent Process Automation (IPA). We then identified that the back end server for downloading the app bot was associated with an IP address that served as a Virtual Private Server (VPS). The infrastructure was hosted in a Japanese hosting facility.

In another case, we were able to track back “old” versions of the application bots that revealed selectors. Using these selectors and cross referencing them in Nisos proprietary credential databases and other external telemetry, we attributed them to named individuals. We also determined that these selectors were being used for additional, identifiable fraudulent activity.

The Challenge

Nisos was contracted to conduct cybersecurity diligence and an assessment of external network hygiene for a cybersecurity company’s acquisition target

Why Nisos

Although the client, a cybersecurity company, leverages many of the same services as Nisos, they understood that Nisos’ analytical rigor and access to external data collection would allow them to gain greater insight and optimize the evaluation of their acquisition target. Utilizing publicly available information, third party datasets, and partner relationships, Nisos was able to discover and assess the target of acquisition’s cyber assets and provide the client with a comprehensive understanding of areas of concern and indicators of compromise.

Preparation

Nisos began the investigation knowing eight registered domain names of the acquisition target. Nisos had no existing insight into the company’s overall cyber posture. The investigation revealed extensive information about the acquisition’s cyber-security maturity and the breadth of their cyber assets.

Execution

Nisos identified several ties to entities that were not publicly affiliated with the acquisition target. The investigation, conducted on the public internet, uncovered IP addresses directly associated with the target’s office. This led to the identification of specific infrastructure which would likely be targeted by an advanced attacker. , Nisos also identified a server providing remote access to the target’s office network and users of a Docker instance created by the target, one of which was running default credentials. Although the instance did not appear to belong to the target, an attacker could leverage it to gain control over a customer. It could also be used as an access vector in a breach of someone using the target’s software. A compromise of this sort could negatively impact the target’s brand reputation and ability to generate new clients. The investigation ultimately determined that the organization's cyber-security maturity was high, which is uncommon for organizations of similar size, but consistent with the target’s cybersecurity background.

Impact

Based on Nisos findings and recommendations, the acquiring company immediately and transparently began remediation. Recommended remediation actions included removing public permissions, enforcing two factor authentication for console access, and limiting access to Kubernetes ingress controller only via whitelisting IP addresses. Throughout the process, Nisos shared best practices and additional guidance with the client and the acquisition target.

The Challenge

A retail client requested our assistance to identify an individual, who was also a paying customer, who wrote a python script that scraped a backend server. The customer had also previously published a WiFi vulnerability present at the company’s offices in the US. The client was aware of closed forums where this customer and other potential threat actors exchanged ideas about denigrating the client’s reputation, and asked Nisos to help understand the nature of the threat.

The Challenge

Malicious foreign actors were creating automated tools to abuse an e-commerce client’s platform. Using that automated process the threat actors were able to mass create and bulk manage accounts, run advertisements, and use credit cards. With those credit cards, they were able to make purchases through the client’s site, and the client’s customers and third party service providers.

The CEO of a multinational manufacturer (Client) identified an urgent need to remove a key executive, along with several accomplices, from the operations of the company, based on concerns that these insiders were intent on sabotaging the company. Given the known IT expertise and access of the executive and his associates, the Client needed to prevent these persons of interest (POI) from stealing sensitive data or disrupting the network prior to being fired. The Client also intended to pursue legal action against the POI and needed digital evidence preserved.

Nisos   was   tasked to   acquire   additional  information on a threat actor making violent threats against a big tech company's executive leadership.

A technology company’s proprietary information was leaked to unauthorized third parties presumably from an identified disgruntled employee. The Client required assistance in determining with certainty whether such actions could be directly attributed to a specific employee within its organization and whether mitigation controls could be put in place to prevent further leaks.

A global consumer service provider was exploring different foreign cities to launch their new service, using security and safety as a critical metric.