Blog

Victoria Kivilevich, Threat Intelligence Analyst

Following the news of the first patient death due to a ransomware attack, KELA analyzed cyber threats and ransomware attacks against healthcare institutions and explored what ransomware operators state about targeting healthcare institutions, along with darknet chatter on the matter.

Raveed Laeb, Product Manager and Victoria Kivilevich, Threat Intelligence Analyst  

Updated on October 8, 2020 with a statement from Zoho Corporation

プロダクト・マネージャー　ラビード・レイブ 脅威インテリジェンスアナリスト　ヴィクトリア・キヴィレヴィッチ

2020年10月8日更新情報：ゾーホー社の声明を掲載

• 初期アクセス・ブローカーの台頭に加え、不正侵入されたネットワークへのリモートアクセスを販売する脅威アクターが増加するに伴い、RMM（リモート監視・管理ツール）が実入りのよい標的となっています。
• KELAは、ロシア語のフォーラムで活動する某サイバー犯罪者が、最近RMMツールを介したアクセスを多数販売していることを察知するとともに、そのRMMツールがゾーホー社の製品「Desktop Central」であることを突き止めました――この事実は、組織が直面している脅威を示唆しています。
• 初期アクセス・ブローカー がどのような種類のネットワークアクセスを販売しているのかを監視することは、組織のネットワークを防衛するIT部門やサイバーセキュリティ部門にとって重要なインテリジェンスとなります。

Victoria Kivilevich, Threat Intelligence Analyst and Sharon Bitton, Marketing Content Manager

2020’s back to school is a bit different than usual as most students around the world are getting ready to meet again with their peers online. Rather than worrying about the classic back to school activities, such as purchasing the most in-style school supplies or figuring out the perfect outfit for day 1, students are more invested in finding the comfortable home setup for online learning. School IT admins, on the other hand, are most concerned this year about educating their students and staff regarding cybersecurity as school begins remotely, while in parallel focusing heavily on deterring cyber threats from cybercriminals looking to attack educational institutions.
In our last blogpost, Back to School: Why Cybercriminals Continue to Target the Education Sector, Part 1, we looked into threat actors’ overall interest in targeting organizations in the education sector, diving into some examples of recent attempted attacks that we’ve spotted across the underground ecosystem. This blogpost touched on several key points that helped establish a general understanding of the threat level targeting educational institutions. We decided to circle back to this topic because of the increasing risks that emerged as much of the world begins to return to schools.
Schools already struggling with high cases of COVID-19 now must begin battling other mishaps such as cyberattacks on their online learning platforms within their first days of remote learning. This situation occurred to one of the largest district schools in Florida and was likely caused by a newbie in the underground world – an alleged 16-year old threat actor. This successful attack on a large school, by a supposedly young threat actor, may imply that planned attacks by more sophisticated and experienced threat actors are similarly on their way.

Victoria Kivilevich, Threat Intelligence Analyst and Sharon Bitton, Marketing Content Manager

2020’s back to school is a bit different than usual as most students around the world are getting ready to meet again with their peers online. Rather than worrying about the classic back to school activities, such as purchasing the most in-style school supplies or figuring out the perfect outfit for day 1, students are more invested in finding the comfortable home setup for online learning. School IT admins, on the other hand, are most concerned this year about educating their students and staff regarding cybersecurity as school begins remotely, while in parallel focusing heavily on deterring cyber threats from cybercriminals looking to attack educational institutions.

In our last blogpost, Back to School: Why Cybercriminals Continue to Target the Education Sector, Part 1, we looked into threat actors’ overall interest in targeting organizations in the education sector, diving into some examples of recent attempted attacks that we’ve spotted across the underground ecosystem. This blogpost touched on several key points that helped establish a general understanding of the threat level targeting educational institutions. We decided to circle back to this topic because of the increasing risks that emerged as much of the world begins to return to schools.

Schools already struggling with high cases of COVID-19 now must begin battling other mishaps such as cyberattacks on their online learning platforms within their first days of remote learning. This situation occurred to one of the largest district schools in Florida and was likely caused by a newbie in the underground world – an alleged 16-year old threat actor. This successful attack on a large school, by a supposedly young threat actor, may imply that planned attacks by more sophisticated and experienced threat actors are similarly on their way.

Victoria Kivilevich, Threat Intelligence Analyst

An average ransomware payment now equals $178,254, which is +60% from Q1 2020. The sum has grown not only because of the continually increasing activity of ransomware operators, but also due to their efforts in finding new ways of monetizing their malicious activities and threatening victims. These new TTPs include:

• Stealing data and requesting double ransoms;
• Collaborating with other ransomware gangs;
• Using stolen data to attack other victims;
• Selling stolen data on auctions;
• Notifying media, as well as victims’ partners and clients about leaks;
• Scraping credit cards.

Novel tactics were adopted not only by infamous gangs such as Maze and Sodinokibi (REvil), but also by less-popular runner-ups, such as Netwalker, Ragnar Locker, Ako, and others.

KELA is regularly monitoring these ransomware gangs’ blogs and observes an average of 10-20 new victims each week – implying that the actual number of victims can be much higher since we’re only seeing the victims who did not pay a ransom. In addition, there are those who cooperated with cybercriminals and therefore did not appear in the blogs.

The following piece will focus on how the ransomware operators diversify their schemes and implement so-called “marketing efforts,” related to threatening victims, in order to gain more profits.

Victoria Kivilevich, Threat Intelligence Analyst

On August 9, 2020, Torum’s administrator announced the forum is shutting down. What was this forum, and will its users find alternatives? KELA explored various darknet sources, as well as Torum itself, to find out. Here is a summary of our findings:

• Torum was an English-speaking underground forum that posed as a nonprofit cybersecurity website. While both its members and users of other forums agreed Torum was a good place to discuss cybersecurity and learn hacking methods, the site was overwhelmed by newbies and scammers who damaged its reputation.
• Torum’s administrator announced he is closing the forum because he lost interest in supporting it.
• Torum was an active, stable community, which will likely be missed by users. The forum has a few alternatives in the darknet, including CryptBB, which recently became public. This post will explore what distinguished Torum and what darknet chatter reveals about possible alternatives.
• As users struggle to find new forums with a decent community, it is crucial to continue tracking these sources to understand new trends and TTPs, and proactively mitigate potential risks emerging from them.

Victoria Kivilevich, Threat Intelligence Analyst and Raveed Laeb, Product Manager

• Recently, ZDNet exclusively reported a leak posted on a cybercrime community containing details and credentials of over 900 enterprise Secure Pulse servers exploited by threat actors
• Since this leak represents an ever-growing ransomware risk, KELA delved into both the leak’s content and the actors who were involved in its inception and circulation
• This short research targets a specific tier of cybercriminal actors – Initial Access Brokers. These are mid-tier actors who specialize in obtaining initial network access from a variety of sources, curating and grooming it into a wider network compromise – and then selling them off to ransomware affiliates
• With the affiliate ransomware network becoming more and more popular and affecting huge enterprises as well as smaller ones, initial access brokers are rapidly becoming an important part of the affiliate ransomware supply chain
• The list leak mentioned above seems to have been circulating between several initial access brokers in cybercrime forums, and have been exposed by a LockBit affiliate who regarded the actors as unprofessional
• This event showcases the breadth of information that’s exchanged on cybercrime communities and, in KELA’s eyes, emphasizes the need for scalable and targeted monitoring of underground communities

Victoria Kivilevich, Threat Intelligence Analyst and Sharon Bitton, Marketing Content Manager

Just a few of the major headlines regarding the education sector have looked like this over the last couple of months:

Blackbaud Hack: Universities Lose Data to Ransomware Attack

The University of California Pays $1 Million Ransom Following Cyber Attack

University of York Discloses Data Breach, Staff and Student Records Stolen

The past year has seen a rise in the amount of education-related institutions that have been affected by cyberattacks. In 2019 alone, the K-12 cyber incident map reported that 348 schools have publicly-disclosed that they’ve been a victim of a cyberattack. That’s just in the United States and doesn’t even take into account the universities and colleges, which would by all means cause those numbers to escalate.

These statements got us wondering.

• Are underground threat actors actively looking for and interested in targeting organizations in the education sector?
• What types of attacks are we seeing affecting the education sector?
• What have been some of the recent attempted attacks that we’ve seen in the underground ecosystem?
• Are these targeted attacks on the universities themselves or are they stemming from access through a third-party provider?

These are all questions that will be addressed throughout this blogpost.

Victoria Kivilevich, Threat Intelligence Analyst and Sharon Bitton, Marketing Content Manager

Just a few of the major headlines regarding the education sector have looked like this over the last couple of months:
Blackbaud Hack: Universities Lose Data to Ransomware Attack
The University of California Pays $1 Million Ransom Following Cyber Attack
University of York Discloses Data Breach, Staff and Student Records Stolen
The past year has seen a rise in the amount of education-related institutions that have been affected by cyberattacks. In 2019 alone, the K-12 cyber incident map reported that 348 schools have publicly-disclosed that they’ve been a victim of a cyberattack. That’s just in the United States and doesn’t even take into account the universities and colleges, which would by all means cause those numbers to escalate.
These statements got us wondering.

• Are underground threat actors actively looking for and interested in targeting organizations in the education sector?
• What types of attacks are we seeing affecting the education sector?
• What have been some of the recent attempted attacks that we’ve seen in the underground ecosystem?
• Are these targeted attacks on the universities themselves or are they stemming from access through a third-party provider?

These are all questions that will be addressed throughout this blogpost.