CYBER THREAT INTELLIGENCE BLOG

Intimidating victims is all part of the game when ransomware and extortion actors steal data and aim to grab a pay day from the potential leak by demanding a ransom in return for not publicizing their haul. At KELA, we’ve noticed that threat actors have started leveraging one another’s data to maximize the level of threat, and sometimes even collaborating to distribute stolen information more widely. Really warms the heart, eh?

Threat actors — such attention seekers, #amiright? Always coveting the spotlight by doing diabolical deeds like stealing and compromising information, from passwords and usernames to social security numbers, emails and more. Of course, stolen databases are a genuine worry for security teams, as when a stolen database is sold or leaked for free by cybercriminals, attackers can use them to launch attacks or gain a foothold into their organization. So it’s no wonder that when a threat actor claims to have stolen data from a “big name” company, it attracts a whole lot of interest and fear.  But, is there always a reason to be afraid? From false claims and exaggerations, to readily-available data scraped from public sources — here are three reasons you might want to question the next flashy database dump headline.

They say imitation is the sincerest form of flattery. If that’s the case, some ransomware-as-a-service (RaaS) threat actors must be feeling seriously good about themselves lately.  With ransomware operations hitting the headlines, and the global cost of ransomware damage predicted to hit $231B by 2031, threat actors are increasingly creating fake operations, often leveraging the fame of other actors to get more attention to their own activities in order to get a slice of the action.

On February 16, 2024, a repository titled “I-S00N” was uploaded to Github, allegedly intended to expose insider information about I-Soon (Anxun Information Technology Co., 安洵信息技术有限公司,i-soon[.]net), a Chinese technology company in the cybersecurity field. The dump may indeed be a breach of I-Soon and contains documentation related to the company’s products, including spyware and offensive tools and services. AP News reported that two anonymous employees of I-Soon confirmed that the leak originated from the company. However, the cause and the leaker are still unclear.  KELA acquired and analyzed the leaked data. This blog outlines the most interesting insights, such as the structure of the leak, clients and potential targets of I-Soon, the company’s connection to advanced persistent threats (APTs), and discussions about zero-day vulnerabilities.  

It has been two years since Russian forces invaded Ukraine. The war is not only being fought on the ground, but also in cyberspace. Russian state-sponsored APT groups have been observed targeting Ukrainian entities, including government organizations and telecommunication companies. Moreover, the Ukrainian government has also been observed claiming to have conducted attacks against Russian organizations.

Remember the Okta security incident last October? Well, the dust has settled, and the final investigation report is out. But for Cloudflare, the story didn’t end there. A sophisticated attack leveraged a compromised Okta session to gain access to their systems, raising some critical questions about security best practices.

What got you here, won’t get you there. Turns out, that great career advice of pivoting to achieve scale and growth is relevant for anyone, even if you’re a ransomware and extortion actor.

If we had a nickel for every time someone asked us the difference between leaked credentials and compromised accounts… Well, we’d be able to treat the team to a packet of Oreos one of these days. Why does it matter? Well, according to CISA, 54% of cyberattacks involve the use of valid accounts. As a result, understanding the risk of compromised accounts and leaked credentials is critical.  This article tackles the terms head-on, and discusses how threat actors get their hands on sensitive account details, diving deep into the different types of vulnerability and what they mean for protecting your organization.

If it looks like a duck, and walks like a duck… you may need to look a little closer. This is an increasingly important lesson, highlighted by the case of threat actors Hunters International, who were wrongly assumed in October 2023 to be a rebrand of Hive ransomware group.

While some cybercriminals are on their holiday vacations (yes, we observed zero new ransomware victims on New Year’s Eve), the lull won’t continue long. Ahead of the new battles of 2024, KELA elaborates on the most expected trends in cybercrime for this year.