Back to School: Why Cybercriminals Continue to Target the Education Sector | Part Two

Victoria Kivilevich, Threat Intelligence Analyst and Sharon Bitton, Marketing Content Manager

2020’s back to school is a bit different than usual as most students around the world are getting ready to meet again with their peers online. Rather than worrying about the classic back to school activities, such as purchasing the most in-style school supplies or figuring out the perfect outfit for day 1, students are more invested in finding the comfortable home setup for online learning. School IT admins, on the other hand, are most concerned this year about educating their students and staff regarding cybersecurity as school begins remotely, while in parallel focusing heavily on deterring cyber threats from cybercriminals looking to attack educational institutions.

In our last blogpost, Back to School: Why Cybercriminals Continue to Target the Education Sector, Part 1, we looked into threat actors’ overall interest in targeting organizations in the education sector, diving into some examples of recent attempted attacks that we’ve spotted across the underground ecosystem. This blogpost touched on several key points that helped establish a general understanding of the threat level targeting educational institutions. We decided to circle back to this topic because of the increasing risks that emerged as much of the world begins to return to schools.

Schools already struggling with high cases of COVID-19 now must begin battling other mishaps such as cyberattacks on their online learning platforms within their first days of remote learning. This situation occurred to one of the largest district schools in Florida and was likely caused by a newbie in the underground world – an alleged 16-year old threat actor. This successful attack on a large school, by a supposedly young threat actor, may imply that planned attacks by more sophisticated and experienced threat actors are similarly on their way.

How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing

Victoria Kivilevich, Threat Intelligence Analyst

An average ransomware payment now equals $178,254, which is +60% from Q1 2020. The sum has grown not only because of the continually increasing activity of ransomware operators, but also due to their efforts in finding new ways of monetizing their malicious activities and threatening victims. These new TTPs include:

  • Stealing data and requesting double ransoms;
  • Collaborating with other ransomware gangs;
  • Using stolen data to attack other victims;
  • Selling stolen data on auctions;
  • Notifying media, as well as victims’ partners and clients about leaks;
  • Scraping credit cards.

 

Novel tactics were adopted not only by infamous gangs such as Maze and Sodinokibi (REvil), but also by less-popular runner-ups, such as Netwalker, Ragnar Locker, Ako, and others.

KELA is regularly monitoring these ransomware gangs’ blogs and observes an average of 10-20 new victims each week – implying that the actual number of victims can be much higher since we’re only seeing the victims who did not pay a ransom. In addition, there are those who cooperated with cybercriminals and therefore did not appear in the blogs.

The following piece will focus on how the ransomware operators diversify their schemes and implement so-called “marketing efforts,” related to threatening victims, in order to gain more profits.

Torum is Dead. Long Live CryptBB?

Victoria Kivilevich, Threat Intelligence Analyst

On August 9, 2020, Torum’s administrator announced the forum is shutting down. What was this forum, and will its users find alternatives? KELA explored various darknet sources, as well as Torum itself, to find out. Here is a summary of our findings:

  • Torum was an English-speaking underground forum that posed as a nonprofit cybersecurity website. While both its members and users of other forums agreed Torum was a good place to discuss cybersecurity and learn hacking methods, the site was overwhelmed by newbies and scammers who damaged its reputation.
  • Torum’s administrator announced he is closing the forum because he lost interest in supporting it.
  • Torum was an active, stable community, which will likely be missed by users. The forum has a few alternatives in the darknet, including CryptBB, which recently became public. This post will explore what distinguished Torum and what darknet chatter reveals about possible alternatives.
  • As users struggle to find new forums with a decent community, it is crucial to continue tracking these sources to understand new trends and TTPs, and proactively mitigate potential risks emerging from them.

The Secret Life of an Initial Access Broker

Victoria Kivilevich, Threat Intelligence Analyst and Raveed Laeb, Product Manager

  • Recently, ZDNet exclusively reported a leak posted on a cybercrime community containing details and credentials of over 900 enterprise Secure Pulse servers exploited by threat actors
  • Since this leak represents an ever-growing ransomware risk, KELA delved into both the leak’s content and the actors who were involved in its inception and circulation
  • This short research targets a specific tier of cybercriminal actors – Initial Access Brokers. These are mid-tier actors who specialize in obtaining initial network access from a variety of sources, curating and grooming it into a wider network compromise – and then selling them off to ransomware affiliates
  • With the affiliate ransomware network becoming more and more popular and affecting huge enterprises as well as smaller ones, initial access brokers are rapidly becoming an important part of the affiliate ransomware supply chain
  • The list leak mentioned above seems to have been circulating between several initial access brokers in cybercrime forums, and have been exposed by a LockBit affiliate who regarded the actors as unprofessional
  • This event showcases the breadth of information that’s exchanged on cybercrime communities and, in KELA’s eyes, emphasizes the need for scalable and targeted monitoring of underground communities

Back to School: Why Cybercriminals Continue to Target the Education Sector | Part One

Victoria Kivilevich, Threat Intelligence Analyst and Sharon Bitton, Marketing Content Manager

Just a few of the major headlines regarding the education sector have looked like this over the last couple of months:
Blackbaud Hack: Universities Lose Data to Ransomware Attack
The University of California Pays $1 Million Ransom Following Cyber Attack
University of York Discloses Data Breach, Staff and Student Records Stolen
The past year has seen a rise in the amount of education-related institutions that have been affected by cyberattacks. In 2019 alone, the K-12 cyber incident map reported that 348 schools have publicly-disclosed that they’ve been a victim of a cyberattack. That’s just in the United States and doesn’t even take into account the universities and colleges, which would by all means cause those numbers to escalate.
These statements got us wondering.

  • Are underground threat actors actively looking for and interested in targeting organizations in the education sector?
  • What types of attacks are we seeing affecting the education sector?
  • What have been some of the recent attempted attacks that we’ve seen in the underground ecosystem?
  • Are these targeted attacks on the universities themselves or are they stemming from access through a third-party provider?

These are all questions that will be addressed throughout this blogpost.

Back to School: Why Cybercriminals Continue to Target the Education Sector | Part One

Victoria Kivilevich, Threat Intelligence Analyst and Sharon Bitton, Marketing Content Manager

Just a few of the major headlines regarding the education sector have looked like this over the last couple of months:

Blackbaud Hack: Universities Lose Data to Ransomware Attack

The University of California Pays $1 Million Ransom Following Cyber Attack

University of York Discloses Data Breach, Staff and Student Records Stolen

The past year has seen a rise in the amount of education-related institutions that have been affected by cyberattacks. In 2019 alone, the K-12 cyber incident map reported that 348 schools have publicly-disclosed that they’ve been a victim of a cyberattack. That’s just in the United States and doesn’t even take into account the universities and colleges, which would by all means cause those numbers to escalate.

These statements got us wondering.

  • Are underground threat actors actively looking for and interested in targeting organizations in the education sector?
  • What types of attacks are we seeing affecting the education sector?
  • What have been some of the recent attempted attacks that we’ve seen in the underground ecosystem?
  • Are these targeted attacks on the universities themselves or are they stemming from access through a third-party provider?

These are all questions that will be addressed throughout this blogpost.

Slacking Off – Slack and the Corporate Attack Surface Landscape

Raveed Laeb, Product Manager

  • Some media reports stated that last week’s Twitter hack was facilitated by an attacker who fished sensitive credentials from within the company’s internal Slack – essentially leveraging the instant messaging app as a vector for initial access.
  • Credentials to over 12,000 Slack workspaces are available for sale on underground cybercrime markets, representing an explicit threat for thousands of organizations. However, examination of both open-source reporting and cybercrime communities don’t reveal a current, well-established attacker interest in the platform.
  • KELA assumes cybercrime actors might be having a hard time monetizing Slack compromises since the cloud-based app grants no direct access to a target’s network, and pivoting from it to other internal applications requires a combination of tedious reconnaissance and sheer luck.
  • The growth of “big game hunting” tactics in ransomware and the monetization of targeted intrusions lead us to believe that interest in Slack – and other cloud-based apps expanding the corporate attack surface – will probably grow in the future.
  • As such, KELA strongly recommends implementing an automated, scalable monitoring solution that offers insights into cybercrime activities targeting cloud-based apps storing sensitive data.

Access-as-a-Service – Remote Access Markets in the Cybercrime Underground

Raveed Laeb, Product Manager

Remote Access Markets are automated stores that allow attackers to exchange access credentials to compromised websites and services. As such, they represent an endless stream of opportunities for attackers; buying access to an organization as a service lowers the skill bar for further exploitation and exposes organizations to a plethora wave of online threats – from ransomware to card skimming.

This blog will review one prominent Remote Access Market out of the several tracked and monitored by KELA – MagBo. This store is unique in a few different aspects, but mostly in volume of goods: over two years of operations, it featured access to nearly 150,000 compromised websites – including financial institutions, government organizations and critical infrastructure around the world – mostly via selling access to web shell malware deployed on their servers. KELA advocated that gaining visibility into MagBo, as well as other Remote Access Markets, is a crucial intelligence feed for defenders.

The Duties Beyond Assisting the Public: Darknet Threats Against Canadian Health & Support Organizations

Noy Reuveni, Threat Intelligence Team Leader

As if a global pandemic crisis isn’t enough, organizations focused on the health and support of citizens have been forced to combat not only a widespread virus (and the public needs that come with it), but also threats coming at them from the underground world. As the pandemic continues to affect all types of both private- and government-affiliated organizations worldwide, KELA’s Cyber Intelligence Center took a look into various assets pertaining to Canadian health and support organizations to assess how their attack surfaces may be affected. This blog post will highlight just a couple of darknet findings that our team has detected, which exemplify how threat actors are targeting these types of organizations in Canada.

What’s Dead May Never Die: AZORult Infostealer Decommissioned Again

Leon Kurolapnik, Threat Intelligence Analyst and Raveed Laeb, Product Manager

Since mid-February, discussions throughout multiple cybercrime communities have been noting that the main password stealing features of the AZORult infostealer – one of the most prevalent stealers currently in use, and the main culprit behind the ongoing campaign – have been disabled by a recent Google Chrome update. Since AZORult isn’t actively maintained, many actors are now regarding the stealer as fully decommissioned.