The REvil Ransomware Gang Lists Three New Engineering Makers as Victims
Initial access brokers – the tier of cybercriminals who obtain network access, move laterally within the network, and eventually sell the compromised access to ransomware affiliates and gangs – generally do not sell their access to more than one buyer (out of courtesy to fellow cybercriminals). Though there are numerous initial access vectors, we presume that unpatched vulnerabilities are the vector most likely to be exploited by multiple groups against the same victim, making it a necessity for organizations to continually prioritize patching and monitor their network infrastructure.
KELA Names David Carmiel New CEO; Promotes Nir Barak to Chairman of KELA Board
We’re excited to officially announce that David Carmiel, former CTO and Chief Research Officer, has been appointed as Chief Executive Officer at KELA. Nir Barak, KELA’s former CEO and Founder, has been promoted to Chairman of the Board. In his new role, David Carmiel will continue to guide KELA towards the company’s global mission of providing the world’s best intelligence solutions that empower organizations to neutralize their most relevant threats observed in the cybercrime underground.
Fourth time's a charm - OGUsers hacking forum hacked again
OGUsers has been hacked for the fourth time in two years, with hackers now selling the site’s database containing user records and private messages. KELA shares that we will likely be seeing members shifting to other communities – and maybe even establishing new ones – given both the poor operational security and the damage to the OG brand among fraudsters and other criminal actors.
MangaDex discloses data breach after stolen database shared online
At this time, the MangaDex database is privately being circulated and has not been publicly released. However, using KELA’s cybersecurity intelligence engine DarkBeast, BleepingComputer has been able to find threat actors distributing what they claim is a MangaDex database from the March 2021 attack.
Avaddon Ransomware Group Hit the Small Italian Municipality of Villafranca d’Asti
In the last few months, KELA has observed Avaddon specifically attacking municipalities in Portugal, Italy, Brazil, France, and the Czech Republic. Avaddon has released the municipalities’ sensitive data, indicating that the majority of them have not been paying the ransom demanded. Our researchers are continually monitoring Avaddon and other ransomware groups to identify whether attacking municipalities could be a new trend, or whether these are simply opportunistic attacks.
KELA Unveils Major Updates to Industry-Leading Technology, DARKBEAST
KELA, the global leader in actionable threat intelligence, announces today many of the major improvements applied during Q1 to their cybercrime research and investigation technology, DARKBEAST. KELA’s industry-leading technology helps expose underground digital dangers to its clients by collecting, analyzing, and storing data from numerous sources in the cybercrime underground and making it accessible for users to search through – saving them the time, risk, and complexity of needing to locate and access the sources themselves.
REvil Group’s Failed $4 Million Extortion on Tata Steel Leads to Technical Drawings Leak
With the aid of KELA, we were able to see technical drawings of production line machines that are marked as “Confidential,” so they’re clearly not intended for publication. This potentially means REvil doesn’t have much hope in seeing any positive development in their negotiation efforts, and they’re immediately letting valuable stuff out. We have blurred the following samples that REvil posted as proof of the compromise.
Ransomware group targets universities in Maryland, California in new data leaks
Screenshots published by the group, viewed by ZDNet via KELA’s threat intelligence suite Darkbeast, include lists of individuals and their Social Security numbers, retirement documentation, and 2019/2020 benefit adjustment requests.
The NWO Is Still Recovering From Last Month’s Ransomware Attack
According to what we were able to find with the help of KELA, the cyber-intelligence experts, the ransomware gang that hit NWO was DoppelPaymer, and the actors have already leaked a dozen files stolen from the servers of the Dutch research council.
REvil Struck Laptop-Maker Acer and Demands $50 Million in Ransom
With the help of KELA’s cyber-intelligence tools, we located the new leak site, and we got to access the documents that are used for the extortion. We have blurred the following for you to get an idea of what has been stolen from Acer’s computers.
Did ‘exposed’ data on dark web lead to ransomware attack on Scottish university?
KELA reveals that there are over 8,000 ‘leaked credentials’ – including email addresses and sometimes passwords – belonging to UHI staff and students that have been leaked or stolen and possibly traded on underground web forums. A further 100-plus ‘compromised accounts’ were also found on malicious dark web sites, including one that indicated access to Active Directory Federation Services – a software component developed by Microsoft – ‘probably related to internal systems’, according to KELA.
Exchange PoC Released and APTs Gather Around Vulnerable Servers Like Piranhas
KELA shares that numerous threat actors have shown high levels of interest in the newly released PoC exploit for Microsoft Exchange. We’ve observed that not only are APT groups showing interest driven by an espionage motivation, but cybercriminals are also showing interest as they see the potential monetary value that can be gained from exploiting this vulnerability.
Darkside 2.0 Ransomware Promises Fastest Ever Encryption Speeds
Threat intelligence experts are warning of a new version of the Darkside ransomware variant which its creators claim will feature faster encryption speeds, VoIP calling and virtual machine targeting. KELA shared with Infosecurity information posted by the Russian-speaking group to dark web forums XSS and Exploit.
Identity Theft Attacks Channeled Millions in Jobless Claims to Inmates
The Covid-19 era has seen a large number of scammers engaging in identity theft and unemployment fraud, in an attempt to receive money that they aren’t eligible for. Fraudulent activities, such as identity theft, are commonly enabled through chatter and tools shared in underground forums. Today, 15 US states use ID.me to allow citizens to prove their identity online. KELA reveals that cybercriminals are actively sharing tutorials on how to create a seemingly valid profile that will ensure they get their claim approved in their state.
Darknet Markets Compete to Replace Joker's Stash
“With the heavy marketing and advertising that Brian’s Club has been investing in, it seems that the longtime attempts of marketing to credit card traders may be finally paying off now that Joker’s Stash is out of the picture,” says Victoria Kivilevich, a threat intelligence analyst with Kela. “Brian’s Club has been immodestly trying to steal the thunder by publishing an advertisement on the main page of [Russian-language forum] XSS, soon after the announcement by Joker’s Stash.”
CD Projekt Red source code reportedly sells for millions in dark Web auction [Updated]
Cyber intelligence firm KELA confirmed the authenticity of that auction, telling The Verge that forum users needed to put up 0.1 BTC (roughly $4,700 as of this writing) to participate in the bidding as a sign that offers were legitimate. The sellers also reportedly provided file listings for Gwent and the Red Engine that underlies CDPR’s games as proof that the data was authentic.
Stolen CD Projekt Red Files Reportedly Now Sold After Dark Web Auction
KELA (which previously provided The Verge with what it believes to be legitimate file lists from CD Projekt’s Red Engine) reports that an auction set up to sell the files has now been closed after a “satisfying offer” was made from outside of the forum it was being held on. That offer reportedly stipulates that the code will not be distributed or sold further. Cybersecurity account vx-underground also reported that it had heard the sale was completed.
Hackers ask only $1,500 for access to breached company networks
The number of offers for network access and their median prices on the public posts on hacker forums dropped in the final quarter of last year but the statistics fail to reflect the real size of the initial access market. Data from threat intelligence firm Kela indicates that many of the deals actually closed behind closed doors, a trend shaped over the past months.
Cyberpunk and Witcher hackers claim they’ll auction off stolen source code for millions of dollars
Following the recent ransomware attack on video game developer CD Projekt Red, KELA reveals that hackers are now auctioning off the source code they acquired, with a starting price of $1 million. These include source code files for both the Red Engine and CDPR game releases, including The Witcher 3: Wild Hunt, the Thronebreaker: The Witcher Tales spinoff, and the recently released Cyberpunk 2077.
How Ransomware Is Accelerating in the COVID-19 Era
KELA’s Ayesha Prakash, VP of Global Channels and Alliances, has released her EOY blog about ransomware during the COVID era. In her blog post, Prakash explains why COVID-19 is a curse on the world and a gift to cybercriminals. She goes on to explain that what organizations need now is to make cybersecurity a forefront issue, to treat it as business-critical, and as a public health risk.
Experts: Foxtons Breach Was Egregor Ransomware
Recent announcements revealed a data breach at UK-based estate agency Foxtons. KELA threat intelligence analyst Victoria Kivilevich explains that Foxtons was actually a victim of a ransomware attack in October, and confirms that this breach does not seem to be a separate incident. Generally, ransomware gangs have adopted a double extortion tactic, demanding two ransoms: one to avoid public exposure of the stolen data and one for unlocking the systems. It’s likely that Foxtons has not yet negotiated or agreed to pay, and that is why part of the data has been leaked.
Ransomware Gangs are Abusing VMWare ESXi Exploits to Encrypt Virtual Hard Disks
Threat actors have also been observed selling access to ESXi instances on underground cybercrime forums last year, according to threat intelligence firm KELA. Since ransomware gangs often work with initial access brokers for their initial entry points inside organizations, this might also explain why ESXi was linked to some ransomware attacks last year.
Ransomware's Helper: Initial Access Brokers Flourish
Kivilevich writes in a new report from Kela that over the last three months of 2020, she counted 242 initial network access offers for sale across three cybercrime forums with a total asking price of $1.2 million. During that time frame, Kivilevich says, the average price per access was $6,684, the median price was $1,500 and the highest single price listed was 7 bitcoins, which at the time could have been worth about $130,000. But 24% of offers didn’t list a price.
Initial Access Remains a Booming Business on the Dark Web
The prospering of the initial access market on the dark web continues unabated, and according to a report published by KELA yesterday, it has surpassed the size of $1.2 million in Q4 2020. The cyber-intelligence firm that uses specialized tools to monitor listings across numerous dark web sites has traced 242 new listings during that period, having an average price of $6,684 and a maximum of 7 BTC.
‘Chqbook.com’ Data Leak Exposes 2 Million Credit Score Reports
‘Chqbook.com,’ an India-based online banking service that offers credit card, loan, and insurance management services for small businesses and merchants, has suffered a data breach. Due to KELA’s caching capabilities, we were able to find the first evidence of the particular dataset appearing on the dark web for sale on December 25, 2020.
The State of the Dark Web: Insights From the Underground
KELA’s researchers explain how the dark web represents a wide variety of goods and services which are traded across many different underground forums and markets. KELA explains that tapping into these forums and markets can help security teams keep up with where adversaries may be headed next.
Sensitive Data of Over 325,000 Indian Users Leaked in BuyUCoin Hack
Researchers at KELA discovered a leaked database belonging to BuyUCoin, an India-based global cryptocurrency exchange and wallet. On the same forum where the database was leaked, KELA also identified leaked databases from Wongnai Media Co Ltd, Tuned Global Pvt Ltd, BuyUcoin, Wappalyzer, Teespring Inc and Bonobos.com, which looks like the handiwork of the infamous hacking group ShinyHunters.
KELA Joins Cyber Security Forum Initiative (CSFI) as a Gold Sponsor in a Mission to Support National Cyber Security
KELA is thrilled to join the Cyber Security Forum Initiative (CSFI) as a gold sponsor in a mission to support national cyber security. We’re looking forward to working alongside CSFI to make the cyber environment a safer and more secure place by providing valuable darknet threat intelligence to government, military, private sector, and academia in the US.
ShinyHunters publishes 1.9M stolen user credentials from photo editing site Pixlr
ShinyHunters has recently been very active after going silent for some time. Over this past summer, ShinyHunters was seen publishing leaked data for free, exposing millions of personal records from all over the world; however, we had not observed ShinyHunters releasing data themselves since November. In the last few days the group has leaked databases for free – among them a Pixlr database, exposing 1.9 million user records.
Threat Actor Claims to Leak 500K+ Records of C-level People from Capital Economics
Irina Nesterovsky, KELA’s CRO said, “It was originally leaked in early January in an English-speaking forum exposing information of nearly 500K people. The second instance we saw it appearing was when an actor tried selling it in another forum claiming that he had a database “for Finance Company Including SQL” with 500K records. Later that day, the same actor leaked the database for free claiming it contained data of more than 500K C-Level executives. KELA confirmed that the same database was shared in all instances. It appears that the “500K C level” title was given to the post in order to boost the importance of the database – the entire size of the relevant user database is around 500K lines, not at all a majority of which are C-Level employees.”
The ‘DarkSide’ Operators Respond to the Release of a Decryptor
KELA reveals a Q&A published by DarkSide ransomware operators following the release of the ransomware decryption tool. Throughout the Q&A, Darkside operators stated the decryptor was used by 4 targets but 1 of them eventually paid. They also include details about how they will refund losses to affected affiliates and why it’s not happening again in the future. The free decryptor allows victims to recover their files without paying a ransom to DarkSide operators.
Ransomware Disrupts Scottish Environment Protection Agency
The Scottish Environment Protection Agency says a ransomware attack last month continues to cause serious outages and warns that ransom-demanding attackers also stole some data. KELA’s experts share that a portion of SEPA’s data (7% of what the attackers claimed to obtain) has been released on a leak site dedicated to Conti’s ransomware victims, and therefore assess with medium confidence that this is indeed an attack by Conti.
Cyber criminals are taking aim at online gaming for their next big pay day
Cybersecurity company Kela examined underground forums and found an ecosystem based around buying and selling initial network access to gaming companies, as well as almost one million compromised accounts of gaming employees and clients up for sale – with half of those being listed in 2020 alone.
Leading Game Publishers Hit Hard by Leaked-Credential Epidemic
In a recent scan, they found 1 million compromised credentials associated with the larger gaming universe of “clients” and also employees – half of which were for sale online. More than 500,000 of the leaked credentials pertained to employees of leading game companies, according to the report published Monday.
Top gaming companies hit by major data breach, one million employees affected
Although Kela did not disclose the specific companies affected, it did reveal that it has been monitoring underground markets for more than two-and-a-half years now and that nearly every major gaming company was affected. The compromised credentials would give attackers access to a number of important internal resources, including admin panels and development-related projects.
Stolen employee credentials put leading gaming firms at risk
More than 500,000 login credentials linked to the employees of 25 leading game publishers have been found for sale on dark web bazaars, according to a report by threat intelligence company KELA. Threat actors have been increasingly targeting the gaming industry, including by harvesting and selling access credentials into the internal systems of top-tier game companies.
One Million Compromised Accounts Found at Top Gaming Firms
As Covid-19 has dominated 2020, people around the world have begun giving the online gaming industry a chance, growing revenues in this industry tremendously. After scouring dark web marketplaces, KELA discovered a thriving market in network access on both the supply and demand side. This included nearly one million compromised accounts related to employee- and customer-facing resources, half of which were listed for sale last year.
Safe-Inet, Insorg VPN services shut down by law enforcement
Safe-Inet services have been running for 11 years, advertised to cybercriminals needing multiple layers of anonymity and stable connections. BleepingComputer has seen ads for Safe-Inet services on several forums for black hat activities. The one below, posted as recently as December 4 and supplied by cybersecurity intelligence firm KELA, is from a carder forum hidden in the Tor network.
There’s Evidence That Ransomware Groups Are Forming Extortion Cartels
KELA reveals further proof of ransomware groups forming cartels to intimidate victims even further. KELA recently observed MountLocker touting 5% of the data dump originally stolen by “Ragnar Locker” during a cyberattack against ‘Dassault Falcon.’ The ransomware operators claim that the listing is from one of their partners, and provide a reference link to Ragnar Locker’s extortion site, which exposed partial data of this victim earlier this month.
FBI & Interpol disrupt Joker's Stash, the internet's largest carding marketplace
Following the recent seizure of Joker’s Stash (the largest marketplace for trading stolen cards) by law enforcement, KELA reveals that the disruption was only temporary and that the market’s admins claimed the actual Joker’s Stash portal continues to work as normal, with only proxy servers having been seized.
Digging the Recently Leaked Chinese Communist Party Database
KELA obtained and analyzed a database containing details of 1.9 million Chinese Communist Party members in Shanghai, which has recently resurfaced in the darknet communities, and found that companies in which CCP members were found include Pfizer, AstraZeneca, Airbus, Boeing, HSBC, Rolls-Royce, Jaguar and more.
Millions of ShopBack, RedDoorz user records put on sale in hacker forums; Peatix another victim of breach
KELA, a cybersecurity firm headquartered in Israel, told BT that 5.7 million plaintext passwords were also made available for download from a website called Hashes.org, though the leak does not contain emails. “It will require some work for (threat actors) to correlate emails and hashed passwords from the original leak with dehashed passwords,” the firm said.
Egregor’s Latest Press Release Is a Victim Intimidation Machine
The ‘Egregor’ team has published a press release meant to intimidate victims and practically convince them to pay the demanded ransom. Spotted on the dark web by researchers of the KELA threat intelligence firm, the press release includes several key points specifically addressed to those who have not “secured a contract” with the actors.
Networking equipment vendor Belden discloses data breach
American networking equipment vendor Belden said it was hacked in a press release published earlier this week. According to data provided by threat intelligence firm KELA, credentials for Belden accounts have been available on the cybercrime underground since April this year, although it’s unclear if they have been used to orchestrate this breach.
A hacker is selling access to the email accounts of hundreds of C-level executives
Attackers can use corporate credentials to monetize in many different ways – from manipulating employees to wire money through CEO scams, to exploiting them in order to move laterally in the organizations to conduct a network intrusion.
KELA’s technologies automatically monitor closed underground forums where threat actors are regularly trading corporate credentials and other sensitive data. Contact us to learn more about how KELA can help you detect if any of your sensitive data is circulating in the Dark Net.
Pakistan International Airlines data breach underscores sharp rise in illicit sales of access credentials
KELA’s researchers said that cybercriminals advertised domain admin access to PIA’s internal network for $4,000, while its customer database was listed for $500. Initial network access in such illicit deals refers to remote access to systems in a compromised organization, while those selling it are known as remote access brokers. Rather than hack their way into corporate networks, cybercriminals often purchase such initial network access to gain a foothold, allowing them to move laterally and expand their access rights.
Chinese APT10 hackers use Zerologon exploits against Japanese orgs
KELA reveals the latest threats targeting Japanese organizations, and concludes that threat actors, including advanced APT groups and nation-state actors, consider Japanese organizations valuable targets and are actively attacking them via both opportunistic and targeted attacks.
Ransomware Operator Promotes Distributed Storage for Stolen Data
“Such servers in Iran and [other] countries will be harder to discover, block, and cease due to a lack of cooperation from local authorities,” says Victoria Kivilevich, threat intelligence analyst at Israel-based security firm KELA, which first discovered the scheme.
DarkSide Ransomware's New Data Leak Service In Iran Will Spread and Store Victims' Stolen Data
According to BleepingComputer’s latest report, on Nov. 12 the cybersecurity intelligence firm Kela revealed a new topic posted by DarkSide operators on a Russian-speaking hacker forum. Additionally, Bank Info Security reported that the cybersecurity firm Kela said that the hackers claim their average ransom is between $1.6 million and $4 million.
Darkside Ransomware Gang Launches Affiliate Program
#DarkSide ransomware launches their affiliate program. For the first time ever, KELA has observed the operators inviting initial access brokers to trade directly with them rather than through affiliates or middlemen. It seems that DarkSide is strengthening their efforts, and we can expect to see a surge of attacks by this gang over the coming months.
Hacker Sells Access to Pakistani Airlines' Network
KELA spotted a threat actor touting domain admin access to Pakistan International Airlines for $4,000 on two Russian-speaking illegal online forums and one English-speaking forum that they had been monitoring. KELA’s team had been tracking ransomware trends, exploring how initial access brokers in the cybercrime community play a role in the supply chain of this popularly deployed malware.
Data-Exfiltrating Ransomware Gangs Pedal False Promises
In terms of unusual timing, another ransomware operation has also promised to turn out the lights. “We’ve seen Suncrypt affiliates stating on Exploit” – a cybercrime forum – “that the operators told them that the program is closing,” according to Israeli cyberthreat intelligence monitoring firm Kela. “It’s a bit interesting – and even suspicious – to see two major ransomware groups shutting down their operations around the same time.”
23,600 Hacked Databases have Leaked from a Defunct 'Data Breach Index' Site
More than 23,000 hacked databases have been leaked from the site archive of Cit0Day.in, a private service advertised on hacking forums to other cybercriminals. For the past several months, KELA’s technologies have been monitoring data from Cit0Day.in, prior to the site’s seizure in mid-September. As part of KELA’s leaked credential monitoring, KELA’s clients have already had visibility into this site, and have already been alerted to any of their data that may have been leaked in these compromised database feeds.
As Dark Net Endangers Enterprises, MSSPs Need New Tools
One cybersecurity intelligence firm, Kela, intends to help MSSPs do just that with its new platform, IntelAct. The technology, Kela says, allows MSSPs to track and intercept any mentions of their clients’ network infrastructure, vulnerabilities or exposures in the dark net. This turns the attackers’ edge against them, remediating issues before they become breaches, the vendor says. IntelAct is fully automated, scalable, and requires no installation or network access.
KELA Launches New Technology for Attack Surface Intelligence
KELA announces today the release of their latest proprietary technology – IntelAct, allowing 100% automated monitoring of an organization’s attack surface. KELA’s Dark Net experts launch a new technology enabling organizations to receive real-time, automated alerts of their exposure in the Dark Net.
In September 2020, access to compromised networks was traded three times as often
KELA specialists write that they indexed 108 listings posted on popular hacking forums and calculated that the combined value of the accesses offered by hackers amounts to 505,000 US dollars. Moreover, about a quarter of the lots were ultimately sold to attackers looking to target particular companies.
'Network access' sold on hacker forums estimated at $500,000 in September 2020
As ransomware attacks continue to rise, initial access brokers are repeatedly being seen as key players by selling network access to ransomware operators as an initial entry point into victims’ networks. In September alone, KELA detected over 108 accesses for sale at a total value of USD 500,000 – 3 times higher than the numbers gathered in the previous month.
Why Encrypted Chat Apps Aren't Replacing Darknet Markets
Some markets have moved to drop illegal drugs and begun adopting an “automarket” approach that focuses on self-fulfilled sales of malware, stolen databases, login credentials and other hacking and cybercrime tools and services, the Kela researchers say. Criminals’ thinking, they note, appears to be that by not selling drugs, and with malicious “cyber” tools existing in a legal gray zone in many jurisdictions, such markets will be less likely to get disrupted.
Hackers Sell Access to Your Network Via Remote Management Apps
In a report shared with BleepingComputer, cyber intelligence company KELA was able to determine that the offer was for Zoho’s ManageEngine Desktop Central, a management platform that lets administrators deploy patches and software automatically on network machines, as well as troubleshoot them through remote desktop sharing.
CISA Warns of Notable Increase in LokiBot Malware
Credentials stolen via LokiBot usually end up on underground marketplaces like Genesis, where KELA suspects LokiBot is the second most popular type of malware that supplies the store.
Why Darknet Markets Persist
Kivilevich and Raveed Laeb, Kela’s product manager, tell ISMG that it’s important to distinguish between the two types of darknet markets: drug marketplaces and cyber-focused marketplaces selling such things as malware, stolen databases and login credentials. “We also see sales of illicit and counterfeit goods – money, watches and stuff like that – but most of the time, that’s not the actual focus,” they say.
More recently, the sale of cyber goods has been migrating to what the darknet community calls “autoshops,” meaning they sell goods and services in a highly automated manner. Kela refers to this as the “servitization” – meaning selling not just goods but also services and outcomes – of the underground ecosystem.
LockBit Ransomware Launches Data Leak Site to Double-Extort Victims
KELA has been closely tracking new monetization methods employed by ransomware operators. One common method has been ransomware gangs stealing the data before encrypting it in order to use it as leverage in ransom negotiations, often publishing that data on data leak sites. Riding on this trend, LockBit ransomware has just launched a new data leak site to be used as part of their double extortion strategy to scare victims into paying ransom.
Hacked: 'Best Australian Financial Data' for Sale on the Dark Web
Victoria Kivilevich, threat intelligence analyst at Israeli intelligence firm KELA – which discovered the breaches of Australian financial data – said there had been an increase in attacks in recent years, and also RaaS, or ransomware-as-a-service; hackers were also often working together. “The most popular ransomware strains are operated by cybercriminals looking for financial gain,” Ms Kivilevich said. “Chasing profits, ransomware actors are always inventing new methods of intimidating victims.”
KELA Names Ayesha Prakash as Vice President of Global Channels and Alliances
We’re excited to officially welcome Ayesha Prakash to our team as our new Vice President of Global Channels and Alliances. Ayesha joins KELA to build and evolve the company’s strategic alliances and expand KELA’s global engagement with channel and technology partners. We’re excited to have her on board and are looking forward to seeing what we will accomplish together!
With Empire Gone, Patrons Eye Other Illegal Darkweb Markets
Israeli cyber threat intelligence monitoring firm KELA has provided BleepingComputer with information on the matter, along with screenshots.
The company analyzed forums that darknet users frequent and has offered insights into where they are heading next.
More Ransomware Gangs Threaten Victims With Data Leaking
KELA’s latest research analyzes the recent rise of ransomware attacks and how that rise has introduced new methods of monetization, allowing ransomware gangs to monetize bigger and better. This research laid out the top 6 trends observed among ransomware groups in the underground ecosystem and shared how these new methods are likely to spread.
Avaddon Ransomware Joins Data-Leaking Club
Israeli cybersecurity intelligence firm Kela shared that the operators behind Avaddon announced their data-leaking site via a Russian-language cybercrime forum. So far, the ransomware gang has listed one victim – a construction firm – from which 3.5 MB of allegedly stolen documents have been leaked.
“The attackers published a sample of the obtained data, including information related to the company’s activity in the U.K., Mexico, Philippines, Malaysia and Thailand,” Kela tells Information Security Media Group.
Avaddon Ransomware Launches Data Leak Site to Extort Victims
KELA shared with BleepingComputer that the Avaddon ransomware operators have announced on a Russian-speaking hacker forum this weekend that they have launched a new data leak site. KELA has shared that until now, only one victim has been listed – a US-based construction company.
Hacker Leaks Passwords for 900+ Enterprise VPN Servers
KELA’s #DARKBEAST has helped ZDNet obtain a copy of a recently leaked list of plaintext usernames and passwords for 900+ Pulse Secure VPN enterprise servers. If compromised, these Pulse Secure VPN servers can provide hackers easy access to a company’s entire internal network.
Email is Still a Hacker's Wonderland, They Could Take or Leave Slack
Cybersecurity researchers from KELA found about 17,000 Slack credentials for sale across 12,000 Slack workspaces in cybercrime online markets. While “many access types — webshells on online stores, RDP servers or corporate email inbox access — are a highly sought-after resource driving thriving markets,” no one is really buying Slack credentials, according to KELA.
Slack Accounts Don't Interest Cybercriminals
Using its threat intelligence platform, KELA searched for Slack credentials on cybercrime markets to see whether this threat vector was popular among cybercriminals. The company says it found more than 17,000 Slack credentials recently put up for sale online on hacking forums and on credential marketplaces such as Genesis.
The “Bitcoin Twitter Hack” May Have Started With a Slack Compromise
KELA has found that there were at least 17,000 Slack credentials sold in the ‘Genesis Store’ alone, priced between $0.5 and $300, depending on how valuable they were. While a connection with the recent Twitter hack isn’t based on concrete evidence, there are indications pointing to this scenario.
Slack Credentials Abundant on Cybercrime Markets, But Little Interest from Hackers
Following reports that last week’s Twitter hacks may have been due to credentials stolen from an internal Slack channel, KELA decided to dive deeper into this topic, and found that currently more than 17,000 Slack credentials for roughly 12,000 Slack workspaces are being sold on underground cybercrime markets.
MGM Hotel’s 2019 Data Leak Might Have Affected 142M People, Not 10.6M
Threat research firm KELA notified the publication about posts on Russian forums advertising an MGM data breach affecting more than 200 million customers.
Millions of Logins from UK Ticket Site for Sale on Dark Web
KELA discovered a database of 4.8 million records posted for sale, belonging to a leading provider of ticket services for live shows in the UK. KELA’s intelligence team told Infosecurity Magazine that they acquired a sample of 10,000 records in order to analyze this data. Following analysis, KELA deduced that the leak affects users in the UK, US, New Zealand, Australia, South Africa, Germany, France and a few other countries, and that some of the addresses belong to governmental domains.
British e-Ticketing Service Breach Resulted in 4.8 Million Records Now for Sale
Intelligence analysts at KELA discovered a database of 4.8 million records, containing emails and passwords, belonging to a leading provider of ticket services for live shows in the UK. The database was posted on July 8, 2020 on an underground forum by a newly registered threat actor, called “JamesCarter”, for $2500. KELA managed to acquire a sample of the database containing about 10,000 email addresses, and found that only about 300 email addresses were duplicates, deducing that the full leak likely consists mostly of unique combinations.
A Hacker is Selling Details of 142 Million MGM Hotel Guests on the Dark Web
In an exclusive today on ZDNet, KELA shares that the breached MGM database, originally reported to have 10.6 million records, actually contains nearly 200 million. The hotel’s database resurfaced on the dark web this past weekend. This wasn’t the only time it resurfaced, though. KELA’s intelligence team told ZDNet back in February that the MGM data had been circulating and being sold in private hacking circles since at least July 2019.
Hacked: Thousands of MyGov Accounts for Sale on the Dark Web
The compromised accounts were detected by Israeli intelligence firm KELA, which specialises in dark web threat intelligence and offers its clients a real-time dark web search engine called Darkbeast.
KELA threat intelligence team leader Elad Ezrahi said the MyGov accounts were extracted from more than 2000 compromised computers, or “bots”. Botnets are networks of compromised machines controlled by a single actor.
The Details of 384,319 BMW Owners Are for Sale on the Dark Web
KELA researchers have shared one of their most interesting recent findings with TechNadu, and it concerns BMW and 384,319 of its customers in the UK. Apparently, the prolific hacking group known as “KelvinSecurityTeam” has posted a database they acquired when they hacked ‘bmw.com.’ This is the same group of actors that recently sold databases from 16 companies, including the business consulting firm “Frost & Sullivan.”
500,000 BMW, Mercedes and Hyundai Owners Hit by Massive Data Breach
The personal information of almost 400,000 UK-based BMW customers is being sold to the highest bidder on an online black market, according to Tel Aviv-based darknet intelligence experts KELA.
Hackers at a group called KelvinSecurity Team have gained access to a BMW customer database and listed it for sale on an underground forum used by cybercriminals.
BMW Customer Database for Sale on Dark Web
KELA found a database of UK car owners offered for sale on an underground forum, which was initially described as BMW customers’ database affecting 384,319 customers. The data was posted by the KelvinSecurityTeam. KELA obtained the database and found that it contains almost 500,000 customers’ records from 2016-2018. The exposed data includes initials and surnames, emails, addresses, vehicle numbers, dealer names, and more; it affects owners of different cars in the UK.
Roblox Accounts Hacked with Pro-Trump Messages
Hackers have breached more than 1,800 Roblox accounts and defaced user profiles with messages in support of Donald Trump’s reelection campaign. With the help of threat intelligence firm KELA, ZDNet was able to identify multiple web pages containing large lists of Roblox usernames and cleartext passwords.
KELA Launches Sensitive Hostname Detection
KELA is proud to announce the launch of Sensitive Hostname Detection. As part of this addition, KELA’s RADARK now automatically alerts users on sensitive webpages that may be exposed to the public internet.
Get in touch with us today to learn more about how KELA detects vulnerabilities in your organization’s Internet-facing infrastructure.
Oz Sites Being Sold On The Dark Web
Elad Ezrahi, Threat Intelligence Team Leader at the Israeli intelligence company KELA, told the Australian Financial Review: “If the web shell enables the actor to abuse the mail server of the compromised website, the actor could use it to send spam and phishing emails… if the compromised site is of a governmental entity, for example, the consequences can be notably severe.”
Hacked: Aussie Websites for Sale on Dark Web
Elad Ezrahi, Threat Intelligence Team Leader at Israeli Intelligence company KELA, said web shells could be used for nefarious purposes. Remote access markets served as a gateway for obtaining data, he said.
KELA Acknowledged in Gartner's Market Guide for Security Threat Intelligence Products and Services 2020
Nir Barak, CEO and Founder of KELA shares, “Since KELA’s establishment we have been investing significant efforts to make sure that our technologies and services are perfectly applicable to what is required by security and intelligence teams. In our opinion, being acknowledged as a vendor of dark and deep web monitoring by our wide and global customer base, and now also by Gartner, definitely makes it seem like our team’s arduous work is making an impact, and gives us validation that we are growing on the right path.”
Ransomware Gangs Team Up to Form Extortion Cartel
KELA shares intelligence from their daily ransomware monitoring with specialists from Bleeping Computer. “BleepingComputer was told by cyber intelligence firm KELA that the Maze operators added the information and files for an international architectural firm to their data leak site.”
26 Million LiveJournal Credentials Leaked Online, Sold on the Dark Web
With the help of threat intelligence firm KELA, ZDNet has confirmed the existence of the LiveJournal stolen database and has tracked down copies and mentions of user data in multiple locations across the hacking underground.
KELA Extends Intelligence Monitoring Capabilities with Access to Instant Messaging Groups & Real-Time Image Searching
KELA announced today the capability of automatically searching through images and chatter in instant messaging groups, through DARKBEAST, their proprietary Dark Net threat hunting platform. The expansion of KELA’s data lake to include instant message groups, such as closed Telegram groups and Discord channels, is meant to provide partners and clients with added intelligence from different high-quality and curated sources.
Hacker Selling 40 Million User Records from Popular Wishbone App
Since Have I Been Pwned allows users to hide their email from public searches, we also verified these emails against a private platform managed by threat intelligence firm KELA, which has also been indexing and tracking data leaked in older breaches.
Cybercrime Marketplace MagBo Selling Access to 43,000 Hacked Websites
According to the latest report from threat intelligence firm KELA, MagBo is offering access to over 43,000 hacked servers and some of these belong to state and local governments, ministries, financial institutions, and health care facilities.
Hackers Preparing to Launch Ransomware Attacks against Hospitals Arrested in Romania
According to threat intelligence provided by cyber-security firm KELA, the PentaGuard group has been around since 2000, when they were involved in mass-defacements of several government and military websites, including the website of Microsoft Romania.
Cybercrime Store Is Selling Access to More than 43,000 Hacked Servers
A report from threat intelligence firm KELA shows the recent evolution of MagBo. The research was carried out jointly by KELA and the ZDNet site.
The “MagBo” Portal Offers Access to Thousands of Hacked Servers
KELA researchers report that the daily server additions to the market are between 200 and 400, and the number of daily transactions is approximately 200. There are 190 unique sellers who have something to offer on MagBo, while the cost to access each server depends on its type.
Access to Thousands Hacked Servers Being Sold Online
The infamous MagBo platform is known to have offered almost 150,000 different compromised websites, with over 200 transactions a day and 200 to 400 new additions to the platform each day. According to data from KELA, “190 different threat actors currently have active listings on the market.”
Cybercriminals Are Selling Access to More than 43,000 Hacked Servers
Cybercriminals are selling access credentials for more than 43,000 hacked servers via an online marketplace called MagBo, according to an analysis by threat intelligence firm Kela. MagBo is considered one of the largest marketplaces for compromised servers.
43,000 Hacked Servers up for Sale on Cybercrime Marketplace
More than 43,000 hacked servers are currently for sale on online cybercrime marketplace MagBo, according to new research from threat intelligence firm KELA and ZDNet.
KELA Sees MagBo Remote Access Market Booming During Pandemic
Threat intelligence company KELA has reported a boom in Remote Access Markets during the pandemic. Remote Access Markets sit on the Darknet and sell attackers details of compromised websites and services, which means attackers don’t have to spend time stealing credentials to gain access to those websites.
KELA Expands Their Intelligence Data Lake with Real-Time Monitoring of Remote Access Markets
As servitization of the underground world continues to thrive, KELA Targeted Cyber Intelligence, a global Dark Net threat intelligence provider, announces today the addition of a new information source type to their technologies – Remote Access Markets.
A Cybercrime Store is Selling Access to More than 43,000 Hacked Servers
Over the years, the site has boomed, to put it lightly. Since it launched in 2018, KELA says the site has sold access to more than 150,000 sites, with 43,000 still being up for sale as of this week. KELA product manager Raveed Laeb says they’ve tracked 190 different threat actors selling hacked servers on the site.
KELA Announces the Addition of Featured Queries to Their DARKBEAST Platform
KELA Targeted Cyber Intelligence, a global Dark Net threat intelligence provider, announces today the addition of Featured Queries to DARKBEAST – their proprietary Dark Net search engine and investigation platform — helping their users stay informed on the most relevant underground threats.
Cyber Security Today – Canada hit by COVID cheque fraud; Webex, Teams under attack, more COVID email scams and three big data breaches
According to an Israeli security company called KELA criminals soon began selling editable digital copies of cheques on the dark web. A criminal can either purchase a digital file and fill in their own name or have a criminal service do the editing for them.
Behind the Scenes of Dark Net Market Closures and Their Consequences
Like every free market, the Dark Net economy sees its many rises and falls. Sites come and go, just like brick and mortar stores open and close. Yet in recent months, we’ve seen a large number of sizeable illicit Dark Net sites closing, and smaller niche ones taking their place.
Threat Actor Selling Access to a Canadian University’s Domain
A Canadian university’s network may be at risk from a cyber attack, according to KELA, an Israeli threat intelligence firm.
Irina Nesterovsky said this threat actor seems to specialize in brute-forcing RDP (remote desktop) servers, running an affiliate program with other threat actors for this purpose.
Telus-Owned Koodo Mobile Announces Data Breach, Stolen Info for Sale
Raveed Laeb of cybersecurity intelligence firm KELA has told BleepingComputer that Koodo accounts are being sold on various dark web sites.
“A different market – one that specializes in automated selling of access to compromised accounts – currently offers over 21,000 Koodo accounts,” Laeb told BleepingComputer.
A Small Change To Google Chrome Hits Cybercrime Marketplace Hard
Raveed Laeb is a product manager for KELA, a threat intelligence firm that uses sophisticated, automated tools to keep tabs on the countless gigabytes of stolen data being traded on Darknet forums and marketplaces. He’s been investigating Genesis for quite some time and recently released an in-depth report on his findings so far.
Chrome 80 Release Disrupted the AZORult Malware and the Genesis Marketplace
Specialists at KELA noticed that the Genesis marketplace, which sells not just users’ personal data but ready-made virtual identities, has run into serious problems.
Chrome 80 Update Cripples Top Cybercrime Marketplace
According to new research shared with ZDNet this week by threat intelligence firm KELA, the Genesis Store is currently going through a rough patch, seeing a 35% drop in the number of hacked credentials sold on the site.
KELA says Genesis administrators are currently scrambling to fix their inventory deficit and feed the store with new credentials before customers notice a drop in new and fresh listings.
KELA Wins InfoSec Award at RSA Conference 2020
“We are very pleased to receive this prominent cybersecurity award, and it’s an honor to be selected from a wide selection of top-notch companies that were in the running for this prize. Our hard work has paid off in being recognized as global leaders in threat intelligence,” said KELA COO Eran Shtauber.
Exclusive: Details of 10.6 Million MGM Hotel Guests Posted on a Hacking Forum
According to Irina Nesterovsky, Head of Research at threat intel firm KELA, the data of MGM Resorts hotel guests had been shared in some closed-circle hacking forums since at least July of last year. The hacker who released this information is believed to be associated with, or a member of, GnosticPlayers, a hacking group that dumped more than one billion user records throughout 2019.
MGM Customer Data Has Been on Dark Web for Six Months
Irina Nesterovsky, head of research at cyber intelligence firm KELA, claimed that the most recent upload of breached data on nearly 10.7 million hotel customers was simply a repackaged bundle — as often happens on the dark web.
Tokyo 2020: The Dark Web is Hacker Gold
What treasures can hackers find on the dark web, how have these been used in the past, and what might threat actors be planning for Tokyo this summer? Here are the top four threats that KELA’s research team has been monitoring recently on the dark web.
Outing Cyber-Criminals Puts a Face on Cyber-Crime
Online threat actors are just plain criminals – like 36-year-old Aleksandr Alekseyevich Korostin from Sigayevo, Sarapul District, Udmurtiya Republic, Russia – hiding behind anonymity as SaNX. – OPINION by KELA Cyber Intelligence Center
“Retaliation Against the US Will Be Cyber”: Iran May Be Preparing to Target Banks, Former Senior Israeli Military Officer Warns
Cyber Gangsters Publish Staff Passwords Following ‘Sodinokibi’ Attack on Car Parts Group Gedia
The threat marks a disturbing change in tactics by the crime groups behind the Sodinokibi ransomware, said Irina Nesterovsky, head of research for Israeli security company and darknet threat intelligence specialist KELA, which monitors hacking groups.
Travelex Hackers Shut Down German Car Parts Company Gedia in Massive ‘Cyber Attack’
Maya Steiner, threat intelligence team leader at Kela, said: “This is a continuation of the recent ‘attack and brag’ streak of the group. This is the second time they have released ‘proof’ documents, and the first where they announce that they are starting to release full data from a company that has failed to pay.”
Will This Be the Year of the Branded Cybercriminal?
All businesses evolve and adapt to their environments. Businesses in the Dark Web are no exception. In the burgeoning and nearly unpoliceable business climate that is the Dark Web, it’s only natural that businesses should become more “professional” — both in their revenue models and in their practices. We saw this happen in 2019 and expect even greater movement in this direction in 2020.
Travelex Begins to Restore Foreign Exchange Services Two Weeks After ‘Sodinokibi’ Attack
Irina Nesterovsky, head of research for Israeli security company and specialist in darknet threat intelligence, Kela, which identified the post, said it marked a significant change of tactic for the crime group, which first appeared in April 2019.
“This is the first time that the group behind Sodinokibi published alleged proof of their attack,” she said. “While not mentioning explicitly Travelex – this is definitely a nod towards them and any other company that would be attacked by the operators of the ransomware, and refuses to pay.”
Travelex Hackers Threaten to Sell Credit Card Data on Web
Irina Nesterovsky, head of research for Israeli security company and specialist in darknet threat intelligence, Kela, which discovered the post, said evidence from underground forums strongly linked UNKN to Sodinokibi.
“There is a discrepancy between what Travelex is saying and what these guys claim. You can’t always rely on the predator of the criminal, but there is a high probability they are correct,” she said.
Cybersecurity Predictions For 2020
“Cybercriminals will continue to heavily invest in their businesses as new monetization channels emerge. During the past 3 years, the underground economy has experienced a shift in how cybercriminals are monetizing their end products, from concentrating efforts on manual transactions and listings in markets, to focusing on sales of credentials, network access and sophisticated fraud methods…”
Disney Responds to Disney Plus Hacked Accounts: ‘No Evidence of a Security Breach’
Currently, there are nearly 80,000 compromised Netflix accounts for sale from one single market, on offer for an average one-time payment of $6 per account, according to KELA, an Israeli threat-intelligence provider.
Japan's Quest For Smart Automation Brings It To Israel
Executives from Israeli cyber intelligence firm KELA Group, which monitors hacking threats in the dark recesses of the Dark Net, recently met with a large Japanese carmaker with news that it was wide open to a particularly vicious hacking attack called WannaCry.
KELA Targeted Cyber Intelligence Announces New Products
KELA Targeted Cyber Intelligence announces a new version of its cyber threat intelligence platform, RADARK, and launches the all-new DARKBEAST search engine.
Vector Hands $50M To Israeli Cyber-security Firm KELA
The KELA Group, an Israeli provider of advanced cyber intelligence software and solutions, has landed $50m in fresh funding.
KELA Group Receives $50M Investment from Vector Capital
The KELA Group (KELA), a rapidly growing, Israel-based provider of advanced cyber intelligence software and solutions, today announced a $50M equity investment from San Francisco-based Vector Capital.
Japan Taking Cues From Israel on Cyber Security
With the internet playing an ever-growing role in society, it is impossible for humans to protect networks and devices alone. The Kela Group has developed a system to automatically detect signs of an attack.
Software Helps Banks Hold on to Their Money
Time was, when you wanted to pull off a big bank heist, you drove up slowly in the dark, jimmied the door lock and then blew open the safe. Today’s online thievery doesn’t surprise the sales director for KELA Targeted Cyber Intelligence, a Tel Aviv-based software producer that scans the Darknet for hackers trying to attack a company’s database. By alerting a company to such a possibility, KELA’s software helps keep such hackers at bay.