CYBER THREAT INTELLIGENCE BLOG

Telegram Clouds of Logs – the fastest gateway to your network

What is common between Okta, Uber, and EA Games? All fell victim to cyberattacks enabled by a single access point: compromised employee credentials. In the ever-changing cybercrime landscape, cybercriminals always find ways to get their hands on sensitive corporate data. One of the most popular ways to gather such credentials is using information-stealing malware, or simply buying the bots (machines already compromised by info-stealing malware) on botnet markets and Telegram channels. Recently, CISA reported that more than half of all cyberattacks on government entities and critical infrastructure involve valid credentials. That means that cybercriminals are using active employee credentials or default administrator credentials for their attacks. After acquiring login credentials, whether through purchase or by obtaining them for free, threat actors utilize these valuable assets in various campaigns, ranging from phishing to ransomware attacks. In this blog post, KELA examines the contrast between two methods of acquiring credentials: botnet markets such as Russian Market, Genesis, and TwoEasy (enabling the individual purchase of bots), and “clouds of logs”. Clouds of logs operate on a subscription basis, allowing threat actors to purchase and utilize multiple bots together through platforms like Telegram. The user-friendly Telegram interface, extensive bot sharing, and diverse actors and information-stealing tools collectively enhance the appeal and convenience of this messaging platform for conducting such transactions.

Still hot: 2022 top exploited vulnerabilities discussed on cybercrime sources

In August 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) published a list of the top routinely exploited vulnerabilities in 2022. The list included vulnerabilities disclosed in 2018-2022. While researching recent cybercrime chatter on these vulnerabilities, KELA discovered that the most discussed flaws out of this list include:

ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) affecting Microsoft Exchange servers
CVE-2018-13379 affecting Fortinet FortiOS
Follina (CVE-2022-30190) affecting Microsoft Support Diagnostic Tool

In this blog, KELA summarizes how threat actors share tips and tools for finding and exploiting vulnerable instances, sell access to corporate networks affected by the flaws, and bypass patches.
KELA Cyber Threat Intelligence News Flash

Qilin Ransomware Gang Adopts Uncommon Payment System: All Ransom Payments Funneled through Affiliates

KELA Cyber Intelligence Center

In July, KELA observed that actors behind the Qilin (Agenda) RaaS program have announced that ransom payments are paid only to their affiliates’ wallets. Apparently, only then is a share of the profits transferred to the Qilin RaaS owners. This approach is less common for RaaS programs: usually victims pay the ransom to wallets controlled by the RaaS developers/managers, and only then do affiliates receive their share. The “opposite” approach, now adopted by Qilin, is known to be used by LockBit.
KELA Cyber Threat Intelligence News Flash

Cyclops Ransomware Gang Unveils Knight 2.0 RaaS Operation: Partner-Friendly and Expanding Targets

KELA Cyber Intelligence Center

The Cyclops ransomware gang has launched a 2.0 version of its RaaS operation named Knight. On July 26, the gang announced on their blog they were “releasing the new panel and program this week”, likely referring to updates to both their ransomware strain and their affiliates’ panel. Recently, Cyclops announced they “upgraded” the operation and called for new affiliates to join the group. A thread advertising Cyclops’ RaaS has been renamed to “[RaaS]Knight”.
The Stormous Extortion Group Strikes Back

KELA Cyber Intelligence Center

The Stormous group has been allegedly operating as a ransomware gang since 2021. The group’s data leak site, which had been inaccessible for a long time, got back online in July!
5 Reasons Why MSSPs Should Embrace a CTI Solution

Managed Security Service Providers (MSSPs) bear the crucial responsibility of safeguarding clients’ networks, applications, and devices against cyber threats. Yet, with the rapid evolution of the threat landscape, traditional detection and mitigation methods are falling short. Enter Cyber Threat Intelligence – CTI. By integrating CTI into your MSSP portfolio, you can proactively anticipate emerging threats, fortify defenses, and ensure unparalleled protection for your clients. Stay ahead of the curve with CTI, empowering your MSSP business to combat the ever-changing cyber landscape effectively.

Your Malware Has Been Generated: How Cybercriminals Exploit the Power of Generative AI and What Can Organizations Do About It?

In recent months, the popularity of Generative AI has surged due to its powerful capabilities. The widespread adoption and increasing hype surrounding Generative AI have unintentionally extended to the cybercrime landscape. Just like any other advanced and powerful technology that takes our world to the next level, the bad guys always manage to find their oh-so-‘special’ way in. Cybercriminals have started leveraging Generative AI for their malicious purposes and day-to-day activities, including creating malware and operating underground forums. In this blog, KELA delves into how cybercriminals manipulate and exploit ChatGPT and other AI platforms for stealing information and launching cyberattacks, as well as in their daily activities.

RaidForums leaked database – insights and intelligence by KELA

On May 29, 2023, a database containing the information of nearly 479,000 members of the RaidForums hacking forum was leaked online on a new forum named Exposed. RaidForums was known for hosting, leaking, and selling stolen data from breached organizations. Following the seizure by law enforcement and its subsequent closure, users migrated to a new forum called Breached (BreachForums). Breached was just recently seized by law enforcement, too, after its founder was arrested. Exposed has emerged as a possible replacement for Breached in May 2023; its founders are not seemingly affiliated with the owners of RaidForums or Breached. The leaked RaidForums database was published by a user called ‘Impotent’, the owner of Exposed, who stated that its origin is unknown. Users on other cybercrime communities have wondered, too, how this leak came to be if access to the forum was supposedly only at the hands of law enforcement. The forum has used the leak as a marketing tool and placed a banner inviting all new users to come and download the leak (which is possible by buying a 50 euro upgrade to reveal the download link). Following the leak, the number of users on Exposed tripled: from around 900 members on May 28, 2023 (one day before the leak) to more than 3200 users just two days later. KELA has indexed the database (available on KELA’s platform through a free trial via the following query) and is sharing some insights gained from exploring it. The leaked table appears to cover members who registered between March 2015 and September 2020 and includes users’ email addresses, usernames, instant messaging usernames, languages, IP addresses, DOBs, forum usage information, login keys, and hashed passwords with salt. As stated by Impotent, some users were removed from the leak.
An Executive’s Guide To The Cybercrime Underground

David Carmiel, KELA's CEO

In recent years, the cybercrime underground has become increasingly sophisticated and profitable by preying on vulnerable organizations. As a result, security leaders must gain visibility into what happens in this underground network of illegal activity to protect their organizations from emerging threats and accurately assess their risks. In this article, I will explore the current state of the cybercrime underground, including its definition, motivations, actors and methods. I will also provide recommendations for security leaders on defending their organizations against emerging threats.

The cybercrime underground is a term for virtual sites, methods, platforms and tools with which threat actors congregate and communicate to sell their ill-gotten gains and purchase criminal services and products. Online forums are an illustrative example of where threat actors conduct illegal commercial activities. Forums provide an effective platform for threat groups, their peers and their potential customers to discuss tactics, technologies and procedures. These virtual venues allow criminals to recruit talent and engage in illegal commerce.