400 Security Practitioners Gave These 7 Insights into Their Cybercrime Monitoring

  The cybercrime underground is complex and dynamic, and cybercrime threats that emerge from it pose a significant risk to organizations. What organizations know and refer to as the cybercrime underground is changing within the hour. Unfortunately, many organizations underestimate that risk or may believe that cybercrime monitoring and threat detection doesn't apply to their organization. Even the organizations that do understand the threat it presents are often underprepared with their tools, processes, and expertise to proactively protect their environments. KELA's mission is to make the complex world of the cybercrime underground simple and accessible to security teams so that they can leverage intelligence from cybercrime underground sources to keep their organizations safe. In order to better understand how they approach their cybercrime monitoring, we recently surveyed 400 security practitioners to see if they have the tools and training to protect their organization effectively, as well as gain insights into their successes, challenges, and current needs. Here are seven key insights from our "State of Cybercrime Threat Intelligence 2022" report about the state of cybercrime threat intelligence today.

In looking at the responses in our survey, it became obvious that what would be most beneficial to their organization is additional training and proficiency in cybercrime investigations — especially with one of the top challenges being a lack of expertise. Security practitioners are also looking for a way to access the cybercrime underground quickly in a secure and non-attributional manner.

RANSOMWARE VICTIMS AND NETWORK ACCESS SALES IN Q3 2022

Sarit Borochov, Threat Intelligence Analyst

The most prolific ransomware and data leak actors in Q3 were LockBit, Black Basta, Hive, Alphv (aka BlackCat) and BianLian, with the last one being a relatively new ransomware gang. In Q3 2022, the sector that was most targeted by ransomware attackers and data leak actors was professional services. LockBit, Alphv and Hive were responsible for 55% of the attacks in this sector.

The US is still the most targeted country, with 40% of ransomware and extortion attacks affecting US companies in Q3, followed by ransomware and data leak victims from companies in the UK, France, Germany and Spain. New data leak sites and ransomware blogs of the quarter included Yanluowang, BianLian, 0mega, Daixin Team, Donut Leaks.

In Q3 2022, KELA traced over 570 network access listings for sale, with a cumulative requested price of around USD 4 million. The average price for access was around USD 2800 and the median price — USD 1350. In Q3 actors offered more expensive listings since the total number of listings remained almost the same. On average, there were around 190 access listings in each month of Q3, slightly higher than in Q2.

Top Luxury Brands in France: Threat Landscape Report

Laura Weinberg, Threat Intelligence Analyst

The luxury sector is considered particularly dynamic in France due its traditions, manufacturing expertise and craftsmanship. With five French companies in the top 10 luxury brands for 2021, France is a world leader in the sector, with around 150 billion EUR in revenue for 2021.

Luxury companies’ clientele holds private data from typically wealthier individuals and potentially public figures, which makes these businesses even more attractive targets. Luxury brands provide a more tailored service to their clients, and as a result, the data they collect may be more detailed than that of other retailers. 

Employees’ data may also be compromised and could provide a foothold into a company’s internal system, giving attackers access to valuable internal data that they may want to exfiltrate and sell or use to extort the company.

Considering what is at stake, KELA decided to research cyber threats the French luxury sector faces, including sellers of counterfeits and refund methods targeting French luxury brands. In addition, KELA researched the sector’s threat landscape by focusing on the top 10 companies. Mentions of France’s top luxury brands were collected to evaluate the sector’s exposure to cyber threats concerning leaked credentials and compromised accounts based on the cybercrime underground sources that KELA monitors. The analysis focuses on 10 of France’s top luxury brands and groups, including global and local domains. Finally, KELA took a look at Initial Access Brokers and ransomware attackers targeting the sector.

Defender-in-the-middle: How to reduce damage from info-stealing malware

Victoria Kivilevich, Director of Threat Research

Bottom Line Up Front

  • Following recent hacks of Uber and Rockstar Games, KELA decided to take a look at attacks that started with compromised corporate credentials being leaked or traded in the cybercrime ecosystem.
  • Nowadays, this ecosystem enables threat actors to easily acquire such credentials that were accessed by information-stealing malware and offered for sale on automated botnet marketplaces, such as Genesis, Russian Market and TwoEasy. 
  • While some threat actors are looking for banking and e-commerce credentials that they can use to cash out easily by stealing money from a compromised account, smarter attackers target organizations and their corporate credentials. These attackers are exchanging tips for finding such credentials, and they use the cybercrime ecosystem to buy them for a few dollars. 
  • Luckily, defenders can access the same cybercrime ecosystem and can have the same visibility as a threat actor that is planning an attack. Threat intelligence solutions can be used effectively to monitor exposed assets and reduce attack surface by remediating exposures or taking down compromised data. 
  • It’s crucial to consider not only direct assets of the company, but also workspaces hosted by third parties, with Slack being a perfect example: based on KELA’s research, thousands of unique workspaces were compromised and could be used for attacks similar to the Electronic Arts incident.
  • The evolution of cybercrime — focusing on servitization (paying for a service instead of buying the equipment) and sales automation, as well as increased visibility of goods — will drive more threat actors to use this ecosystem.

When a big-scale cyberattack happens, every security professional on the side of a victim can’t help but ask, “At which point could we stop it?” A decade ago, the answer would have focused mostly on suspicious activity inside a compromised network: what software, what policies and what people failed to detect unauthorized access and malicious activity. 

Back then, enterprise defenders had low visibility into the reconnaissance stage of attacks, which includes a threat actor researching a target and gathering information that may help to compromise the company. Threat actors, in their turn, were more used to orchestrate targeted attacks (think of ransomware incidents) from scratch, having less visibility into already-performed opportunistic attacks such as phishing campaigns. 

Nowadays, a growing cybercrime ecosystem enables threat actors to obtain and use data gained by other actors, turning one attacker’s trash into another attacker’s treasure. From malware-as-a-service to stolen databases and exposed credit card data an attacker familiar with cybercrime marketplaces and forums can access a variety of services and data with one click and a few dollars. Thus, opportunistic attacks serve as a source for targeted big attacks that end up in media headlines. 

Luckily — coming back to the question “At which point could we stop it?” — defenders can access the same cybercrime ecosystem and can have the same visibility as a threat actor that is planning an attack. This access means that they could intervene as “defender-in-the-middle” — in between opportunistic and targeted attacks, with this middle being cybercrime sources. 

A skilled and equipped defender can access these markets and forums, find their company’s exposed information and act to prevent further exploitation of this data. To discuss it practically, let’s take a look at the recent attacks that started with a piece of information being leaked or traded in the cybercrime ecosystem, namely, credentials acquired by information-stealing malware, which becomes a popular attack vector.

Six months into Breached: The legacy of RaidForums?

Yael Kishon, Threat Intelligence Analyst

On March 14, 2022, a new English-language cybercrime forum called Breached (also known as BreachForums) launched, as a response to the closure and seizure of the popular RaidForums. Breached was launched with the same design by the threat actor “pompompurin” as “an alternative to RaidForums,” offering large-scale database leaks, login credentials, adult content, and hacking tools. 

In late January 2022, three prominent actors from RaidForums were arrested after the domain was seized – the administrator and creator of the forum “Omnipotent” and two other administrators, “Jaw” and “moot.” According to the US Department of Justice, the owner of RaidForums was Portuguese national Diogo Santos Coelho (aka Omnipotent), who was charged with conspiracy, access device fraud, and aggravated identity theft. Coelho and his partners are alleged to have designed the forum’s software and computer infrastructure and managed the forum, promoting database exchange. 

After the closure of RaidForums, it was only a few weeks until the launch of Breached. And in  the first six months of its existence, Breached has become the new platform for database exchange, attracting more than 82,000 registered users. KELA explored whether Breached has actually replaced RaidForums as the most popular database exchange site and analyzed the top actors’ activities and trends associated with the new forum. 

The State of CYBERCRIME Threat Intelligence 2022

The cybercrime underground is complex and dynamic, and cybercrime threats that emerge from cybercrime underground sources pose a significant risk to organizations. Unfortunately, many organizations underestimate that risk, or may believe that cybercrime monitoring and threat detection doesn’t apply to their organization. Even the organizations that do understand the threat it presents are often underprepared with their tools, processes, and expertise to proactively protect their environments.

KELA surveyed 400 security team members in the US who were responsible for gathering cybercrime threat intelligence daily to better understand if they’re proactively scanning the cybercrime sources, what tools they’re using, the gaps they see in their cybercrime threat intelligence approach, and more. 

Here is a peek into the key findings:

  • 69% are concerned about threats from the cybercrime underground.
  • Only 38% believe that they’re very likely to detect it if it was released.
  • Only 41% believe their current security program is very effective.

(NOT) Lost in Translation – Why Your Language Doesn’t Matter to Cybercriminals

Irina Nesterovsky, Chief Research Officer

At KELA, we meet and work with companies from various geographies and languages, yet everyone keeps asking the same question: “Do you cover Spanish/French/Arabic/Younameit cybercrime sources?”. First, the answer is “yes” (isn’t that always the case?), but we also have a more in-depth one – such in which we say that a threat against any company, no matter the vertical, no matter the size, is not confined to a language or geography.

What’s interesting about cybercrime, especially one targeted at enterprises and their clients – is that the criminals perpetrating it don’t have to be your countrymen or even speak your language to pose a threat to your organization.

As an example, let’s look into some of the most high-profile cybercrime communities discussing various schemes and trading in network accesses, databases, and others just for monetary gain. Those – taking as an example the Exploit and XSS forums – happen to be run by Russian-speaking threat actors, who will also use English to correspond with their fellow foreign cybercriminals. The targets and victims discussed by those cybercriminals vary and can include any company worldwide – regardless of their residence. And while, as seen in KELA’s review of Initial Access Brokers trends, the leading country with companies compromised through network access is still the US, it is also followed by the UK, Brazil, Canada, and India.

RANSOMWARE VICTIMS AND NETWORK ACCESS SALES IN Q2 2022

KELA Cybercrime Intelligence Center

Ransomware groups continue to evolve and threaten organizations and companies around the world. While some gangs reduced their activity in Q2 2022 or shut down, new actors like Black Basta emerged and continued extorting money from businesses. Similarly to the ransomware attackers, there are actors mimicking their methods, such as stealing data and managing data leak sites, but not using actual encrypting software in their attacks.

Ransomware and data leak sites operators are constantly using the growing cybercrime ecosystem to ease the reconnaissance and initial compromise phases, constantly relying on other cybercriminals, including Initial Access Brokers (IABs). These actors, selling remote access to corporate networks, are an important part of the ransomware supply chain, therefore monitoring network access suppliers leads to better understanding of the ransomware-as-a-service (RaaS) ecosystem.

The report is based on KELA’s monitoring of ransomware gangs and initial access brokers’ activity in Q2.

German Automotive Sector Cybercrime Threats Landscape Report

Yael Kishon, Threat Intelligence Analyst

The automotive sector is considered to be the largest sector in Germany, generating over 411 billion euro in revenue. Germany is the largest automobile manufacturing country in Europe, producing 30% of all passenger cars in the EU in 2021. Automotive companies, their employees and users have frequently become targets of cybercriminals aiming to perform various attacks. One of the recent examples is an info-stealing campaign that targeted customers of German companies, mainly car dealers, with phishing emails aimed to infect the victims with info-stealing malware.
Another recent cyberattack that occurred in March 2022, targeted a German subsidiary of Denso, a Japanese automotive supplier. The Pandora ransomware group announced that it compromised the network and shared screenshots of purchase orders, automotive technical diagrams, and emails on its blog. Moreover, the gang claimed to have stolen 1.4 TB of data from the company. Following the attack, Denso apologized for any inconvenience caused and confirmed that the German network was illegally accessed.
With more and more vehicles connected to the internet and using many digital functions, major automotive companies are exposing cars to additional malicious activities and increasing the risk of cyberattacks.
The recent cyber-attacks that have targeted the automotive industry in Germany drove KELA to investigate the level of exposure of the 15 largest German automotive manufacturers, suppliers, and dealers to shed light on cyber threats they faced from January 2021 to April 2022.

The Next Generation of Info Stealers

KELA Cyber Intelligence Center

In recent years, information-stealing Trojans have become a very popular attack vector. This type of malware is used for harvesting saved information on machines including usernames and passwords (“logs”) which are further sold on automated botnet marketplaces such as RussianMarket, TwoEasy, and Genesis, or privately. If purchased by threat actors, these credentials pose a significant risk to an organization, as they allow actors to access various resources which may result in data exfiltration, lateral movement, and malware deployment, such as ransomware.

Some of the most popular info-stealers advertised on cybercrime forums and identified on these marketplaces are RedLine, Raccoon, and Vidar. While some of these commodity stealers remain relevant, KELA observed that the threat landscape started to change under various conditions. The Russia-Ukraine war, the info-stealer operators’ need to improve malware capabilities, and their financial motivation, resulted in new stealers and services becoming available.

This report focuses on the currently active information stealers, highlighting the evolution of the old stealers, as well as the debut of new ones.