New Russian-Speaking Forum – A New Place for RaaS?

Victoria Kivilevich, Threat Intelligence Analyst

A new Russian-speaking forum called RAMP was launched in July 2021 and received much attention from researchers and cybercrime actors. The forum emerged at the domain that previously hosted the Babuk ransomware data leak site and later the Payload.bin leak site. KELA researched the contents of the new site and assessed its chances to succeed.
*All the forum contents are described based on what KELA observed on RAMP until July 27, 2021, when the access became was restricted.

Ransomware Gangs are Starting to Look Like Ocean’s 11

Victoria Kivilevich, Threat Intelligence Analyst

The cybercrime underground ecosystem once housed cybercriminals who would perform attacks from start to finish on their own. This one-man show has nearly completely dissolved though as one of the most prominent trends that emerged instead is the specialization of cybercriminals in different niches. If we take a typical attack, we’ll see that not necessarily every cybercriminal will have the know-how to perform each stage involved in the attack:

  • Code (code or acquire malware with the desired capabilities)
  • Spread (infect targeted victims)
  • Extract (maintain access to infected machines)
  • Monetize (get profits from the attack)

Slacking Off – Slack and the Corporate Attack Surface Landscape – Part 2

Irina Nesterovsky, Chief Research Officer

In our first post referencing Slack and the corporate attack surface, we revealed the 12,000+ credentials to Slack workspaces that were available for sale on various cybercrime underground markets, representing the explicit threat for thousands of organizations. However, at the time, examination of both open-source reporting and cybercrime communities didn’t reveal a lot of attacker-interest in the platform. Though a steady interest may still not be apparent, what is clear is that the number of compromised credentials has grown, and another instance in which Slack credentials have been abused appears once again. Now, a year later from the release of Part 1, we have dived back into those same sources to see what exactly has transformed over the last year, and what the dangers of compromised Slack credentials really may be.

Exposing the UAE’s Underground Digital Dangers: The Attack Surface of One of the Most Digitally Advanced Countries in the Arab World

Victoria Kivilevich and Sharon Bitton

The UAE has gained global attention for the incredible improvements the country has gone through over the last few decades. While the UAE’s economy continues to flourish, cybercriminals will carry on with their efforts of trying to identify where their next worthy targets may be. With the growing success of advancing their economy and technological capabilities, UAE-related entities must continue to push their cybersecurity efforts as well to ensure that their wealth will not be harmed by lucrative cybercriminals operating in the cybercrime underground ecosystem. This research lays out the major underground digital dangers that KELA’s researchers have identified posing a threat to UAE-related entities.
The research’s highlights include:

  • During the last six months (December 2020-May 2021), KELA observed numerous compromised network access listings to UAE-related private and public entities offered for sale on cybercrime forums, including one that was possibly used in an attack by the Avaddon ransomware gang.
  • Among these, KELA detected several threat actors specifically targeting UAE entities, by selling data and network access related to UAE companies.
  • KELA discovered that UAE-related email addresses were exposed more than 1.2 million times, with more than 200,000 of them being related to employees of government, educational, academic, and nonprofit entities.
  • KELA also identified more than 68,000 compromised accounts related to UAE users on corporate portals, social media, e-commerce stores, and government websites.

USA Unemployment Fraud: It’s Easier Than You Think

Gilad Shiloach, Threat Intelligence Analyst

Unemployment systems have been challenged with responding to millions of unemployment claims over the last year, with thousands of those being fake claims made by cybercriminals. The US Pandemic Unemployment Assistance (PUA) and other assistance programs that were launched in response to the COVID-19 outbreak opened the doors to many cybercriminals searching for further ways to make money. Nearly 36 billion dollars have been taken away from US citizens in unemployment benefits, and that number will continue to rise as cybercriminals are persistent on taking advantage of those benefits.
The cybercrime underground ecosystem has become an excellent hub for trading various unemployment fraud services. Many of the services that our research has identified capitalize on identity theft basics and methods that have been circulating in underground platforms for years and therefore welcome cybercriminals who do not necessarily possess advanced technical skills. KELA has been closely tracking criminal actors across the cybercrime underground ecosystem and has identified significant levels of interest in PUA fraud schemes, which arm cybercriminals with the necessary information to illegally obtain US citizens’ unemployment benefits.
The top three non-technical services we’ve identified interest for were:
1. Fullz, which are bundles of information that belong to real people and contain personal information that would assist fraudsters in carrying out identity theft.
2. Step-by-step guides (aka “methods” or “sauces”) on how to carry out these attacks.
3. Targeting of the ID.me identity service – used for citizens’ access to digital government services – aiming to bypass it.

Hunting Down Initial Access Brokers with DARKBEAST

KELA’s Cyber Intelligence Center

Initial access brokers have taken the spotlight over the last year following their strong efforts – and success – of significantly facilitating network intrusions for ransomware affiliates and operators. These initial access brokers (“IAB”) continue to gain popularity as they become more active and popular in the cybercrime underground ecosystem. This blogpost will explore the different ways that users can leverage DARKBEAST to track and defeat initial access brokers before they cause harm.

The blogpost will explain how DARKBEAST can be used to:

1. Identify noteworthy initial access brokers’ listings with the click of a button.

2. Pivot to investigate initial access brokers or network access listings by utilizing complex queries, metadata searches and Boolean logic.

3. Subscribe to relevant queries in order to track new results over time and receive real-time notifications.

4. Identify Initial Access Brokers hindering threats behind images rather than in plaintext.

5. Leverage finished intelligence compiled by KELA’s experts to gain more contextualized insights about various brokers or listings.

6. Retrieve and analyze data about initial access brokers in your existing tools using the DARKBEAST API.

Australian Mining Companies and Cybercriminals Digging for the Gold

Victoria Kivilevich and Sharon Bitton

While Australian mining companies are busy extracting natural minerals from their lands, cybercriminals are busy extracting sensitive information from mining companies’ infrastructures and employees. For more than a century, Australia’s economy has significantly benefited from the mining industry, with a particularly strong influence in the last decade. Employing over 260,000 people and being valued at more than 200 billion AUD, the mining industry is the primary contributor to the Australian economy, and in parallel under the spotlight for many cybercriminals. As growth of this industry continues to be evident, cybercriminals may be seen profiting more and more from the mining companies’ sensitive information. This industry, once relying almost solely on human work, has now evolved with the digital age to make use of technological support for day-to-day operations – naturally creating more opportunities for cybercriminals to exploit.

Australia’s mining industry comprises numerous companies, however for this research, we’ve decided to look into the top 5 companies to identify the interest of cybercriminals in this industry. The research consists of an overview of numerous cyber threats that we have identified, which if exploited correctly could cause significant risk to this industry. The highlights include:

  • KELA identified more than 91,000 leaked employee-credentials pertaining to the top 5 Australian mining companies, leaked through third party breaches over the last few years.
  • KELA discovered multiple compromised accounts related to employees in the Australian mining industry, which might provide access to sensitive corporate services.
  • KELA observed numerous network vulnerabilities in the Internet-facing infrastructure of the top 5 companies in the mining industry.
  • KELA detected a compromised network access listed for sale. Upon research, KELA identified that the victim is a company that provides services and stores sensitive data belonging to companies in the mining and energy sector in Australia.

Dark Net Markets Going Out of Business: Where are Users Headed to Next?

Victoria Kivilevich, Threat Intelligence Analyst and Sharon Bitton, Marketing Manager

Going out of business is a popular phenomenon with online marketplaces both in the Dark Net and surface web. Dark Net marketplaces continually shut down for a number of reasons, causing those markets’ users to actively search for alternative spots to trade goods and services. In light of the major announcement of Joker’s Stash shutting down on February 15th, 2021, we’ve dived into the cybercrime underground to understand more about the closures of Dark Net marketplaces and where market’s users migrate to.

The research’s main highlights include:

  • KELA identified four main marketplaces that are trying to steal Joker’s Stash’s users following the market’s closure. According to advertisements and users’ reactions, we may see users shifting activities to Brian’s Club, Vclub, Yale Lodge, and UniCC.
  • KELA observes cybercriminals acting just as regular businessmen and marketers, trying to take advantage of their competitors’ terminations in order to advertise their services and steal their competitors’ users.
  • KELA reveals an evident trend of market administrators offering free vendor bonds to try and lure new sellers to come to their marketplaces following a competitor’s market closure.
  • KELA highlights the significance of monitoring threat actors and their TTPs so that enterprise defenders can assess actors’ credibilities, predict actors’ next steps, and protect their organizations from cyber threats.

$1 Million is Just the Beginning: Q4 2020 in Network Access Sales

Victoria Kivilevich, Threat Intelligence Analyst

Multiple initial network accesses continue to appear for sale in underground forums every day, partially becoming an initial entry point for ransomware operators. Following KELA’s analysis of initial access brokers’ activities in September 2020, we’ve assessed the listings of network access from all of Q4 2020.

We’ve shared some of the major takeaways below:

  • KELA traced almost 250 initial network accesses listed for sale in Q4 2020. The cumulative price requested for all accesses surpasses $1.2 million. On average, we observed around 80 accesses offered for sale in each month of Q4 2020.
  • Out of these network access listings, KELA found that at least 14% were noted as sold by actors.
  • As the overall month-to-month number is lower than in September (108 accesses), KELA identified a growing trend of accesses being sold in private conversations rather than publicly in forums, likely the cause for the slight decline.
  • While establishing a list of the most expensive accesses and the TTPs of their sellers, KELA discovered that the attack surface is constantly expanding, with initial access brokers offering new access types. Meanwhile, RDP- and VPN-based accesses, as well as vulnerabilities (allowing to run code using a specific flaw and potentially enabling actors to pivot further within the targeted environment), constitute the majority of the offers.

Darknet Threat Actors Are Not Playing Games with the Gaming Industry

Almog Zoosman, Pre-Sales Engineer and Victoria Kivilevich, Threat Intelligence Analyst

The gaming industry should really thank Covid-19: People are stuck at home, seeking indoor hobbies, and giving online gaming a chance. With the rise of gamers and purchases, the online gaming industry is estimated to reach $196 billion in revenue by 2022. However, the growing success of this industry also calls attention to cybercriminals scouting out their new targets – and what better target could cybercriminals ask for than an industry that’s up and coming and may not be prioritizing their security precautions as much as their industry advancement and profit. So, though this industry isn’t valued at the trillions of dollars that the financial industry may be valued at, it still checks off boxes for two key factors that many profit-driven cyber criminals tend to seek: increase profits and minimize the complexity of the process in order to do so.

  • In order to assess the threat landscape of the gaming industry in light of Covid-19, we explored the risks that are potentially threatening employees and internal resources of the leaders of this industry.[1] We’ve included some of this blog’s major key takeaways below:
  • KELA observed multiple instances of supply and demand for initial network access of gaming companies (especially their resources designed for developers).
  • KELA found nearly 1 million compromised accounts pertaining to gaming clients and employees, with 50% of them offered for sale during 2020.
  • KELA detected more than 500,000 leaked credentials pertaining to employees of the leading companies in the gaming sector.
  • The gaming industry is growing, in turn increasing the number of threats against it. By proactively monitoring darknet communities, organizations in this industry can collect real-time valuable intelligence in order to help gain an external viewpoint on their organizations’ attack surfaces and mitigate cyber threats.