Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and remediating threats to prevent lateral spread.
Investigation and enhanced threat detection across multi-cloud or hybrid environments.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
Customer testimonials and case studies.
Stories on cyberattacks, customers, employees, and more.
Cyber incident, analyst, and thought leadership reports.
Demonstrations, seminars and presentations on cybersecurity topics.
Information and solution briefs for our services.
MITRE ATT&CK Framework, Cybersecurity Assessment, SOC Calculator & more
eSentire recently investigated an incident involving RIG Exploit Kit which was linked to a Reddit discussion post on Wimbledon. The victim was browsing /r/tennis and attempted to load several streaming links from the popular subreddit. Unfortunately, instead of streaming a tennis match, they were served up an exploit kit.
The RIG Exploit Kit (EK) was a major player in 2017, seeing both widespread use and success. Arrests and coordinated takedowns almost completed halted the popularity of RIG EK. Operation Shadowfall was the name given to a coordinated effort by RSA, GoDaddy and several independent researchers that resulted in the dismantling of large portions of infrastructure associated with RIG EK in 2017 [1]. The RIG exploit kit has recently seen some resurgence and is relying on Flash and Internet Explorer vulnerabilities to deliver a variety of payloads [2].
eSentire’s Security Operations Center was initially alerted to the exploit attempts from a RIG EK on 94[.]250[.]254[.]73. Once the event was triaged and contained, an investigation into the origin of the EK began. Root cause analysis revealed a series of web transactions – or referers – from the original site the user purposely visited to the page hosting the exploit kit. Analysis revealed that cricfree[.]cc was to blame, as it kicked off a series of redirects to the EK.
Reviewing packet capture data shows the user was on the Reddit Wimbledon discussion page when they clicked a link to cricfree[.]cc/tennis-live-streaming, which served a 302 redirect to mybetterdl[.]com.
[image src="/assets/Wimbledon1.png" id="2323" width="375" height="116" class="center ss-htmleditorfield-file image" title="Wimbledon1"]
This results in a few more 302 redirects:
[image src="/assets/Wimbledon2.png" id="2324" width="375" height="109" class="center ss-htmleditorfield-file image" title="Wimbledon2"]
Then another one, this time to makemoneyeasywith[.]me:
[image src="/assets/Wimbledon3.png" id="2325" width="375" height="119" class="center ss-htmleditorfield-file image" title="Wimbledon3"]
Finally we see RIG getting served:
[image src="/assets/Fimbledon4.png" id="2326" width="375" height="130" class="center ss-htmleditorfield-file image" title="Fimbledon4"]
Some quick Googling shows cricfree[.]cc appears in both threads but also the /r/tennis sidebar:
[image src="/assets/Wimbledon5.png" id="2329" width="375" height="356" class="center ss-htmleditorfield-file image" title="Wimbledon5"]
Exploring Reddit, we see the link is still live:
[image src="/assets/Wimbledon6-v2.png" id="2330" width="400" height="284" class="center ss-htmleditorfield-file image" title="Wimbledon6 v2"]
Finally viewing the Wimbledon discussion thread, it’s easy to see how the victim accessed the supposed streaming link:
[image src="/assets/Wimbledon7.png" id="2331" width="400" height="400" class="center ss-htmleditorfield-file image" title="Wimbledon7"]
Reddit has long been a source for sports fans to obtain access to pirated sports streams. While the r/tennis subreddit still has a link to the cricfree[.]cc in its sidebar, subreddits that focus on providing illegal streams such as r/soccerstreams and /nbastreams have recently been banned from the site.
These Reddit bans however, have not made illegal streaming disappear. As an example, this week, The Open Championship (aka The Bristish Open) begins, and for people who want to watch one of golf’s four major tournaments, a quick Google search for “Golf Streams” reveals more than 39 million search results. Some of these results steer users to legitimate sites that are licensed to provide streams of PGA events (typically for a fee), but the vast majority of these results direct fans towards sites that host “free” illegal streams.
For these pirate streaming sites to be sustainable; they must be profitable. As a user, if you aren’t paying for a stream, it likely means that money being made off of you in some way, shape or form.
In most cases, that revenue would come from website forcing users to view web ads before (or while viewing a stream), but as demonstrated above, these websites could also be directing you to malware in hopes of monetizing your illegal streaming by exploiting your computer or your personal data.
For organizations with more lenient web access policies, the illegal streaming of sporting events that occur during core operational hours such as tennis or golf tournaments, March Madness, and the Olympics represent a significant potential risk. As demonstrated, these pirate streaming sites can and do host malware, and even though employees know these sites are likely to be illegitimate in nature, the desire to not miss “the big game” may cause them to access these sites anyway, exposing not only their workstations but their entire organizations to threats.
If you are wanting to protect your organization from the threat posed by illegal online streaming, eSentire Threat Intelligence makes the following recommendations.