Attacks on MSPs: How Threat Actors Kill Two Birds (and More) With One Stone

Yael Kishon, Threat Intelligence Analyst

Managed service providers (MSPs or MSSPs) have become a vital part of many companies, providing a range of IT services and support to keep operations running smoothly. At the same time, MSPs become attractive targets for cybercriminals aiming not only to compromise assets of a single company, but also to increase the number of potential victims and to target a wide range of third parties. In this blog, we examine the ongoing interest of threat actors in the cybercrime ecosystem targeting MSPs and IT companies.

Initial access brokers (IABs) — threat actors who sell network access on cybercrime forums — seem to actively compromise MSPs.

Network access is a broad term that covers multiple vectors, permission levels, and entry points. An offering can include SQL injection, remote desktop protocol (RDP) credentials, or the ability to escalate from user to admin privileges. The actors selling such access provide an initial entry point into a compromised network that other cybercriminals can then leverage further. The most common types of access offered are RDP and VPN access. Threat actors define specific attributes of their ideal victim based on the victim's geography, sector and revenue.

TELEGRAM – How a Messenger Turned Into a Cybercrime Ecosystem by 2023

Telegram is a messaging app that is used by many people around the world for a variety of purposes. However, it has also become a hub for cybercrime activities, including the sale and leakage of stolen personal and corporate data, the organization of cybercrime gangs, the distribution of hacking tutorials, hacktivism and the sale of illegal physical products such as counterfeits and drugs.

There are several other messaging apps that are favored by cybercriminals, but Telegram is one of the most popular. This presents a significant challenge for security researchers trying to combat cybercrime on the platform.

One reason why Telegram is attractive to cybercriminals is its alleged built-in encryption and the ability to create channels and large, private groups. These features make it difficult for law enforcement and security researchers to monitor and track criminal activity on the platform. In addition, cybercriminals often use coded language and alternative spellings to communicate on Telegram, making it even more challenging to decipher their conversations.

This report, compiled by KELA, aims to provide an in-depth understanding of why Telegram has become a significant player in the cybercrime ecosystem. It covers various services, products and cybercrime activities that exist on the platform, as well as the threat actors involved. The report also includes showcases for each topic, highlighting specific examples of the types of activities that take place on Telegram. In addition, the report lists prominent groups and channels that are involved in these activities, providing a comprehensive overview of the scope and scale of cybercrime on the platform.

Overall, Telegram has become a thriving ecosystem for cybercrime and will likely continue to be a major challenge for security researchers and law enforcement.

The Cybercrime Inferno - 2022 Annual Report

Ransomware and extortion attacks have been a growing concern for individuals and organizations alike in recent years. These types of attacks involve hackers gaining unauthorized access to a computer system or network and either holding the system hostage by encrypting the data until a ransom is paid, or threatening to release sensitive information unless a ransom is paid.

In addition to these types of attacks, particular attention was focused on the sale of network access on cybercrime sources, which can potentially be used by hackers to carry out ransomware and extortion attacks.

This report will provide an overview of the state of ransomware and extortion attacks and network access sales in 2022, as well as the evolution of trends and ways to prevent and mitigate these types of attacks.

Keys to the Kingdom: How Compromised Corporate Emails Have Become the Most Attractive Attack Vector for Cybercriminals

Yael Kishon, Threat Intelligence Analyst

Threat actors are constantly looking for new monetization opportunities in the cybercrime ecosystem, trying to get their hands on sensitive corporate data and leverage it for profit. Such compromised data on cybercrime forums can include databases, source code, internal documents, as well as access to services such as corporate email credentials. Once credentials are obtained, unauthorized actors can view the content of organizational accounts and send emails from the compromised accounts; these emails appear legitimate but carry phishing content.

Threat actors now have new marketplaces and shops that enable them to easily buy corporate email accounts for their attacks. KELA noticed that actors selling email access via these dedicated, automated shops offer hundreds of thousands of corporate email credentials for sale. In this analysis, KELA takes a closer look at the scope of shops such as Xleet, Odin, Xmina, and Lufix, which make this process easier for cybercriminals. This report shows how actors could obtain access and monetize it through several attack vectors, including phishing, BEC, and malware attacks.

400 Security Practitioners Gave These 7 Insights into Their Cybercrime Monitoring

The cybercrime underground is complex and dynamic, and the cybercrime threats that emerge from it pose a significant risk to organizations. What organizations know and refer to as the cybercrime underground changes by the hour. Unfortunately, many organizations underestimate that risk or may believe that cybercrime monitoring and threat detection don't apply to their organization. Even the organizations that do understand the threat it presents are often underprepared with their tools, processes, and expertise to proactively protect their environments. KELA's mission is to make the complex world of the cybercrime underground simple and accessible to security teams so that they can leverage intelligence from cybercrime underground sources to keep their organizations safe. To better understand how they approach cybercrime monitoring, we recently surveyed 400 security practitioners to see if they have the tools and training to protect their organization effectively, and to gain insights into their successes, challenges, and current needs. Here are seven key insights from our "State of Cybercrime Threat Intelligence 2022" report about the state of cybercrime threat intelligence today.

Looking at the survey responses, it became obvious that what would most benefit respondents' organizations is additional training and proficiency in cybercrime investigations — especially since a lack of expertise is one of the top challenges they named. Security practitioners are also looking for a way to access the cybercrime underground quickly in a secure and non-attributional manner.

Sarit Borochov, Threat Intelligence Analyst

The most prolific ransomware and data leak actors in Q3 were LockBit, Black Basta, Hive, Alphv (aka BlackCat) and BianLian, with the last one being a relatively new ransomware gang. In Q3 2022, the sector that was most targeted by ransomware attackers and data leak actors was professional services. LockBit, Alphv and Hive were responsible for 55% of the attacks in this sector.

The US is still the most targeted country, with 40% of ransomware and extortion attacks affecting US companies in Q3, followed by ransomware and data leak victims from companies in the UK, France, Germany and Spain. New data leak sites and ransomware blogs of the quarter included Yanluowang, BianLian, 0mega, Daixin Team and Donut Leaks.

In Q3 2022, KELA traced over 570 network access listings for sale, with a cumulative requested price of around USD 4 million. The average price for access was around USD 2800 and the median price was USD 1350. Since the total number of listings remained almost the same, these figures reflect actors offering more expensive listings in Q3 rather than more of them. On average, there were around 190 access listings in each month of Q3, slightly more than in Q2.

Top Luxury Brands in France: Threat Landscape Report

Laura Weinberg, Threat Intelligence Analyst

The luxury sector is considered particularly dynamic in France due to its traditions, manufacturing expertise and craftsmanship. With five French companies in the top 10 luxury brands for 2021, France is a world leader in the sector, with around 150 billion EUR in revenue for 2021.

Luxury companies hold private data on a clientele of typically wealthier individuals and potentially public figures, which makes these businesses even more attractive targets. Luxury brands provide a more tailored service to their clients, and as a result, the data they collect may be more detailed than that of other retailers.

Employees’ data may also be compromised and could provide a foothold into a company’s internal system, giving attackers access to valuable internal data that they may want to exfiltrate and sell or use to extort the company.

Considering what is at stake, KELA decided to research cyber threats the French luxury sector faces, including sellers of counterfeits and refund methods targeting French luxury brands. In addition, KELA researched the sector’s threat landscape by focusing on the top 10 companies. Mentions of France’s top luxury brands were collected to evaluate the sector’s exposure to cyber threats concerning leaked credentials and compromised accounts based on the cybercrime underground sources that KELA monitors. The analysis focuses on 10 of France’s top luxury brands and groups, including global and local domains. Finally, KELA took a look at Initial Access Brokers and ransomware attackers targeting the sector.

Defender-in-the-middle: How to reduce damage from info-stealing malware

Victoria Kivilevich, Director of Threat Research

Bottom Line Up Front

  • Following recent hacks of Uber and Rockstar Games, KELA decided to take a look at attacks that started with compromised corporate credentials being leaked or traded in the cybercrime ecosystem.
  • Nowadays, this ecosystem enables threat actors to easily acquire credentials that were stolen by information-stealing malware and offered for sale on automated botnet marketplaces, such as Genesis, Russian Market and TwoEasy.
  • While some threat actors are looking for banking and e-commerce credentials that they can cash out easily by stealing money from a compromised account, smarter attackers target organizations and their corporate credentials. These attackers exchange tips for finding such credentials, and they use the cybercrime ecosystem to buy them for a few dollars.
  • Luckily, defenders can access the same cybercrime ecosystem and can have the same visibility as a threat actor planning an attack. Threat intelligence solutions can be used effectively to monitor exposed assets and reduce the attack surface by remediating exposures or taking down compromised data.
  • It’s crucial to consider not only the company’s direct assets, but also workspaces hosted by third parties, with Slack being a perfect example: based on KELA’s research, thousands of unique workspaces were compromised and could be used for attacks similar to the Electronic Arts incident.
  • The evolution of cybercrime — focusing on servitization (paying for a service instead of buying the equipment) and sales automation, as well as increased visibility of goods — will drive more threat actors to use this ecosystem.

Six months into Breached: The legacy of RaidForums?

Yael Kishon, Threat Intelligence Analyst

On March 14, 2022, a new English-language cybercrime forum called Breached (also known as BreachForums) launched in response to the closure and seizure of the popular RaidForums. Breached was launched with the same design by the threat actor “pompompurin” as “an alternative to RaidForums,” offering large-scale database leaks, login credentials, adult content, and hacking tools.

In late January 2022, three prominent actors from RaidForums were arrested after the domain was seized – the administrator and creator of the forum, “Omnipotent,” and two other administrators, “Jaw” and “moot.” According to the US Department of Justice, the owner of RaidForums was Portuguese national Diogo Santos Coelho (aka Omnipotent), who was charged with conspiracy, access device fraud, and aggravated identity theft. Coelho and his partners are alleged to have designed the forum’s software and computer infrastructure and managed the forum, promoting database exchange.

After the closure of RaidForums, it was only a few weeks until the launch of Breached. In the first six months of its existence, Breached has become the new platform for database exchange, attracting more than 82,000 registered users. KELA explored whether Breached has actually replaced RaidForums as the most popular database exchange site and analyzed the top actors’ activities and trends associated with the new forum.

The State of CYBERCRIME Threat Intelligence 2022

The cybercrime underground is complex and dynamic, and cybercrime threats that emerge from cybercrime underground sources pose a significant risk to organizations. Unfortunately, many organizations underestimate that risk, or may believe that cybercrime monitoring and threat detection doesn’t apply to their organization. Even the organizations that do understand the threat it presents are often underprepared with their tools, processes, and expertise to proactively protect their environments.

KELA surveyed 400 security team members in the US who were responsible for gathering cybercrime threat intelligence daily to better understand if they’re proactively scanning the cybercrime sources, what tools they’re using, the gaps they see in their cybercrime threat intelligence approach, and more. 

Here is a peek into the key findings:

  • 69% are concerned about threats from the cybercrime underground.
  • Only 38% believe that they’re very likely to detect it if it were released.
  • Only 41% believe their current security program is very effective.