KELA conducted an examination of past security incidents involving these ransomware groups. First up is LockBit, of which an attack began against Bangkok Airways due to AnyConnect VPN access offered by a threat actor called “babam.”
While it isn’t clear exactly who purchased Bangkok Airways access, on August 23, 2021 — not yet a month after access was offered in underground forums — the airline became infected by ransomware. Two days later, Bangkok Airways appeared on the LockBit leak site.
“Bangkok Airways did not disclose any investigation details, but based on the timeline, it is highly possible that the attack was performed using the bought access,” the researchers noted.
Multiple sellers on the 2easy market, for example, appear to have already “worked out” certain types of data, meaning it’s been excised from logs before they’re offered for sale, according to a report from Israeli cybersecurity firm Kela. In many cases, this technique appears to center on cryptocurrency wallets, which attackers can target to siphon away all the funds they store, the report says. But in other cases, it might be part of the terms and conditions being offered by an information-stealing malware service being used by the seller.
KELA announces its recent product induction in AWS Marketplace to provide the highest quality attack surface intelligence and protection for organizations, empowering them to neutralize their most relevant threats without compromising on technology needs
Based on an analysis by researchers at Israeli dark web intelligence firm KELA, the sudden growth is attributed to the market’s platform development and the consistent quality of the offerings that have resulted in favorable reviews in the cybercrime community.
According to Kela’s analysis of dark web forum activity, the “perfect” prospective ransomware victim in the US will have a minimum annual revenue of $100 million and preferred access purchases include domain admin rights, as well as entry into Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services.
Although the initial attack vector has not been officially confirmed, it is thought to have used a malicious browser update delivered via a legitimate website, according to David Carmiel, CEO at KELA, a provider of cyber threat intelligence.
Although it is not known how elevated privileges on the system were obtained, Carmiel says that this “often happens through the use of known vulnerabilities and further
He advises CIOs to implement security policies to ensure that all staff and other key stakeholders do not download updates without verifying their authenticity.
Researchers at KELA have issued a report describing what ransomware operators are looking for in a potential victim:
“In July 2021, KELA found 48 active threads where actors claimed they are looking to buy different kinds of accesses. 46% of them were created in that month, illustrating the demand for access listings.
“40% of the actors who were looking to buy accesses were identified as active participants in the ransomware-as-a-service (RaaS) supply chain – operators, or affiliates, or middlemen.
Of course, REvil is just one of many players. Indeed, Israeli threat intelligence firm Kela says that numerous ransomware operators continue to list new victims on their data leak sites. In just the past week, Kela says, it’s seen new victims listed by these 11 groups: BlackMatter, Clop, Conti, Cuba, Grief, Groove, LockBit, Marketo, Ragnar Locker, REvil and Vice Society.
Researchers with threat intelligence company KELA have recently analyzed 48 active threads on underground (dark web) marketplaces made by threat actors looking to buy access to organizations’ systems, assets and networks, and have found that at least 40% of the postings were by active participants in the ransomware-as-a-service (RaaS) supply chain (operators, or affiliates, or middlemen). The analyzed threads have provided interesting insights into how these threat actors choose their next victims.
According to a new report, the ideal ransomware victim is in a lucrative commercial market in a wealthy country that uses remote desktop protocol or a VPN.
Cybersecurity firm KELA’s report cited activity from July 2021 that indicated ransomware attackers prefer organizations in specific geographies and markets, and prefer very specific products for initial network access.
Specifically, organizations in the U.S. with revenue of more than $100 million are the most sought-after targets, according to KELA’s report.
If you run a large, US-based non-health-care or -education company with revenue exceeding $100 million, then you will likely find yourself a victim of a ransomware attack. These organizations are the most likely ransomware victims, according to a new report by cyber security firm Kela.
Kela searched dark web forums for hackers wanting to buy access to organizations. It found 48 active threads where hackers claimed they wanted to buy different kinds of accesses. Of those hackers, 40% were involved in ransomware in some way or another.
Victoria Kivilevich, a threat intelligence analyst at Kela, said ransomware attackers appear to form “industry standards” defining an ideal victim based on its revenue and geography and excluding specific sectors and countries from the targets list.
After examining ransomware gangs’ “want ads,” cybersecurity intelligence company KELA has compiled a list of criteria that the larger enterprise-targeting operations look for in a company for their attacks.
KELA analyzed 48 forum posts created in July where threat actors are looking to purchase access to a network. The researchers state that 40% of these ads were created by people working with ransomware gangs.
These want ads list the company requirements that ransomware actors are looking for, such as the country a company is located in, what industry it is in, and how much they are looking to spend.
On Monday, KELA published a report on listings made by ransomware operators in the underground, including access requests — the way to gain an initial foothold into a target system — revealing that many want to buy a way into US companies with a minimum revenue of over $100 million.
Analyzing how ransomware operators choose their targets makes it possible to better understand the types of companies these threat actors have on their list. In this regard, Victoria Kivilevich, Threat Intelligence Analyst at KELA has released a profile of an ideal ransomware victim based on valuable criteria for cyber attackers buying access.
The most sought-after type of victim for ransomware-wielding attackers is a large, U.S.-based business with at least $100 million in revenue, not operating in the healthcare or education sector, for which remote access is available via remote desktop protocol or VPN credentials.
So says Israeli threat intelligence firm Kela in a new report, rounding up dozens of active discussion threads it tracked on cybercrime forums during July that were devoted to buying initial access to networks. About half of the threads it found had been created the same month, suggesting that the market for supplying such access continues to thrive, it says.
Want to take information security defense advice from a ransomware-wielding attacker?
Here goes: “Employ a full-time red team, regularly update all software, perform preventive talks with a company’s employees to thwart social engineering and … use the best ransomware-fighting antivirus.”
So says “LockBitSupp,” a representative of the LockBit 2.0 ransomware group, in a Russian-language interview with the Russian OSINT YouTube channel posted Monday, and translated into English by Israeli threat intelligence firm Kela. The BlackBerry Research & Intelligence Team says that whoever is behind the LockBitSupp handle claims to be based in China and is active on the Russian-language XSS cybercrime forum.
Organizations have a constant need to defend against and defeat these bad actors, but are challenged by not knowing where to look, what they should be looking at or having enough staff resources with the skills to figure it out. Even if they had those capabilities, most organizations do and should have policies that prohibit employees from searching the dark web. In some sectors, it’s even legally prohibited. The result is a lack of insight into the true threats an organization may be facing. They don’t know what’s coming until it’s too late.
Research from another intelligence provider, KELA, found one example of ‘admin access’ to a $500 million revenue company network being offered for 12 BTC, or more than $500,000 at current rates.
The rise of ransomware as a moneymaking powerhouse for online attackers parallels the services being offered by initial access brokers. Such brokers sell access as a service to others, saving them the time, effort and expense of gaining a toehold in an organization’s network.
Initial access brokers gain first access to victims’ networks in a variety of ways – often via weak remote desktop protocol or remote management software to which they’ve gained brute force access. Sometimes, attackers exploit an unpatched vulnerability in a system. Whatever the approach, once they have access, brokers can resell it to others, sometimes more than once.
In the last year, initial access brokers, who sell ways to gain remote access to compromised devices to cybercriminals, including ransomware gangs, have posted more than 1,000 access listings for sale averaging $5,400 each, according to research released today by security firm KELA. Researchers confirmed that at least 262 were sold, and 28 percent of the victim entities are based in the United States, the largest share of all affected countries.
In a threat actor’s mind, take out the legwork, reap the proceeds of blackmail.
Initial Access Brokers (IABs) are individuals or groups who have managed to quietly obtain access to a corporate network or system through means including, but not limited to, stolen credentials, brute-force attacks, or by exploiting vulnerabilities.
In recent years, ransomware-as-a-service (RaaS) groups have taken an interest in these brokers, as by employing them directly or paying them a fee in return for access to a target system, they are able to avoid the first step of intrusion: the time-consuming process required to find a vulnerable endpoint.
A new report into so-called “initial access brokers” from threat intelligence firm Kela Research and Strategy Ltd. has detailed some disturbing trends in the criminal internet underworld and those involved in ransomware endeavors.
The Kela report was based on exploring over 1,000 access listings over the last year. IABs are threat actors who sell access to malicious services and play a crucial role in the ransomware-as-a-service economy. IABs facilitate network intrusions by selling remote access to a computer in a compromised organization and link opportunistic campaigns with targeted attacks, often ransomware operators. IABs don’t undertake ransomware attacks but sell access to a compromised network that is then used by ransomware gangs and others.
It seems that during the pandemic IABs have been busy improving their business model. New research from threat intelligence company KELA shows that pricing is often determined by company size and the level of privilege on offer within the compromised network, with $5,400 as the average price for network access, and $1,000 as the median price.
“One major aspect of this trend is the cooperation between actors facilitated by the rise of targeted ransomware. In order to support work in scale, ransomware operators turn to partners and affiliates to fulfill their remote access needs,” said Victoria Kivilevich, threat intel analyst at KELA.
KELA’s “All Access Pass: Five Trends with Initial Access Brokers” Report Reveals the Inner Workings of the Ransomware-as-a-Service Ecosystem
KELA, the global leader in actionable threat intelligence, today announced the launch of brand new research along with LUMINT, a new offering providing users with a glimpse into KELA’s latest intelligence insights from the dark web including newly listed ransomware attacks, compromised network accesses for sale in cybercrime forums, leaked databases and data dumps, and updates on trending cybercrime threats. KELA’s newly released research report, “All Access Pass: Five Trends with Initial Access Brokers,” includes an in-depth analysis of Initial Access Brokers (IAB) and their activity for a full year from July 1, 2020 to June 30, 2021.
“Everything in moderation,” the saying goes. But it may come as a surprise that this expression even seems to apply to many of the hacker forums littered across the dark web. On the surface, these forums may appear to be a lawless landscape, but there are some activities even hacker forums ban because they tend to attract too much heat.
Ransomware gangs are increasingly turning to specialists to complete their capers on corporations, according to a Dark Net intelligence provider. A report issued Friday by Tel Aviv-based Kela noted that the days when lone wolves conducted cyberattacks from start to finish have become nearly extinct. The one-man show has nearly completely dissolved, giving way to specialization, maintained the report written by Kela Threat Intelligence Analyst Victoria Kivilevich.
Known as “pentesters” on Russian-language cybercrime forums, RaaS operations regularly advertise for these types of individuals, seeking help with obtaining domain-level access on victims’ networks and often offering them 10% to 30% of every ransom paid by a victim, according to Kela’s report.
On Thursday, KELA threat intelligence analyst Victoria Kivilevich published the results of a study in RaaS trends, saying that one-man-band operations have almost “completely dissolved” due to the lucrative nature of the criminal ransomware business.
The increasing sophistication of the cyber criminal underground is now reflected in how ransomware operations put together their crews, seeking out specialist talent and skillsets. Indeed, some gangs are coming to resemble corporations, with diversified roles and outsourced negotiations with victims, according to new research published by Kela, a provider of threat intelligence services.
Check out KELA’s Raveed Laeb in an interview with Charlene O’Hanlon from DevOps.com as he sheds some light on the most recent trends in the cybercrime underground ecosystem. Raveed also dives into KELA’s industry leading technologies to explain how we can leverage these trends to track and defeat cybercriminals before they cause harm.
US President Joe Biden is expected to meet with Russian President Vladimir Putin today to discuss the cyber threats emerging from Russia that are targeting the whole world. In response to the expected talk today, Irina Nesterovsky, Chief Research Officer at KELA explains: “There is this common knowledge between Russian-speaking and Russia-based cybercriminals that as long as you refrain from attacking Russia or any other CIS [Commonwealth of Independent States] countries, you’re safe to a certain degree as local Russian authorities won’t hunt you.”
Exclusive: Tens of thousands of Scottish public sector leaked credentials discovered on the dark web
Kela’s RaDark tool was also deployed to simulate the reconnaissance path hackers use to scan networks for vulnerabilities, based on its ‘attack surface mapping’ capabilities. To find the best ‘vector’ for an attack, cybercriminals will often look for outdated technologies or open ports to find their way in. According to Kela’s analysis across the public sector domains, it found ‘multiple potential compromise points’, including exposed remote access services that could enable an attacker to access and further compromise a network, and outdated web technologies whose ‘inherent vulnerabilities could lead to an attack on the organisation’s website’.
Once they have identified a potential target, the IAB will ‘groom’ them – they “perform some reconnaissance, escalate privileges or install further tooling,” explains Victoria Kivilevich, a threat intelligence analyst at Israeli cybersecurity company Kela – before sharing access in exchange for a cut of the ransom. “Once a target is ripe and ready, it can be offered on cybercrime markets where ransomware affiliates can acquire it and move forward with the final attack,” says Kivilevich. Last year, DarkSide posted a job advert on the dark web for an IAB with access to companies with a net worth of $400m or higher.
“I think one thing is clear, cybercriminals are not still, nor are they going to be quiet and they are going to look for new ways of doing things and for this they will use all present and future technologies that will provide them with the highest level of impunity possible. The important thing is to know what they are doing and where they are doing it and to follow them (and chase them) wherever they go to be able to anticipate and avoid and / or stop their attacks.
From another point of view, I am sure that the cyber intelligence market, or rather, the maturity in cyber intelligence of Spanish companies will be much higher than that existing today, and that in itself is a positive thing.”
Like many technology startups, DarkSide poured some of its revenue into developing new features, according to its posts in forums. In March it introduced DarkSide 2.0, an update to its service that came with a “call on us” feature that let users make internet-based calls for free to victims, according to an analysis of forum posts by threat intelligence firm Kela Research and Strategy Ltd.
While new victims continue to show up on Darkside’s shaming blog (as is the case with Toshiba France), we see that the aftermath of the Colonial attack has created waves in the cybercrime underground. More specifically, there are rumors stating that the DarkSide “program” is closing down, and one of the largest Russian-speaking cybercrime forums has just banned the promotion of ransomware on its platform.
Initial access brokers – the tier of cybercriminals who obtain network access, move laterally within the network, and eventually sell the compromised access to ransomware affiliates and gangs – generally do not sell their access to more than one buyer (out of courtesy to fellow cybercriminals). Though there are numerous initial access vectors, we presume that unpatched vulnerabilities are more commonly exploited by multiple groups against the same victim, making it a necessity for organizations to continually prioritize patching and monitor their network infrastructure.
We’re excited to officially announce that David Carmiel, former CTO and Chief Research Officer, has been appointed as Chief Executive Officer at KELA. Nir Barak, KELA’s former CEO and Founder has been promoted to Chairman of the Board. In his new role, David Carmiel will continue to guide KELA towards the company’s global mission of providing the world’s best intelligence solutions that empower organizations to neutralize their most relevant threats observed in the cybercrime underground.
OGUsers has been hacked for its fourth time in two years, with hackers now selling the site’s database containing user records and private messages. KELA shares that we will likely be seeing members shifting to other communities – and maybe even establishing new ones – given both the poor operational security and the damage to the OG brand among fraudsters and other criminal actors.
At this time, the MangaDex database is privately being circulated and has not been publicly released. However, using KELA’s cybersecurity intelligence engine DarkBeast, BleepingComputer has been able to find threat actors distributing what they claim is a MangaDex database from the March 2021 attack.
In the last few months, KELA has observed Avaddon specifically attacking municipalities in Portugal, Italy, Brazil, France, and the Czech Republic. Avaddon has released the municipalities’ sensitive data, indicating that the majority of them have not been paying the ransom demanded. Our researchers are continually monitoring Avaddon and other ransomware groups to identify whether attacking municipalities could be a new trend, or whether these are simply opportunistic attacks.
KELA, the global leader of actionable threat intelligence, announces today many of the recent major improvements applied to their cybercrime research and investigation technology, DARKBEAST, during Q1. KELA’s industry-leading technology helps expose underground digital dangers to its clients by collecting, analyzing, and storing data from numerous sources in the cybercrime underground and making it accessible for users to search through – saving them the time, risk, and complexity of needing to locate and access the sources themselves.
With the aid of KELA, we were able to see technical drawings of production line machines that are marked as “Confidential,” so they’re clearly not intended for publication. This potentially means REvil doesn’t have much hope in seeing any positive development in their negotiation efforts, and they’re immediately letting valuable stuff out. We have blurred the following samples that REvil posted as proof of the compromise.
Screenshots published by the group, viewed by ZDNet via KELA’s threat intelligence suite Darkbeast, include lists of individuals and their Social Security numbers, retirement documentation, and 2019/2020 benefit adjustment requests.
According to what we were able to find with the help of KELA, the cyber-intelligence experts, the ransomware gang that hit NWO was DoppelPaymer, and the actors have already leaked a dozen files stolen from the servers of the Dutch research council.
With the help of KELA’s cyber-intelligence tools, we located the new leak site, and we got to access the documents that are used for the extortion. We have blurred the following for you to get an idea of what has been stolen from Acer’s computers.
KELA reveals that there are over 8,000 ‘leaked credentials’ – including email addresses and sometimes passwords – belonging to UHI staff and students that have been leaked or stolen and possibly traded on underground web forums. A further 100-plus ‘compromised accounts’ were also found on malicious dark web sites, including one that indicated access to Active Directory Federation Services – a software component developed by Microsoft – ‘probably related to internal systems’, according to KELA.
KELA shares that numerous threat actors have shown high levels of interest in the newly released PoC exploit for Microsoft Exchange. We’ve observed that not only are APT groups showing interest driven from an espionage motivation, but cybercriminals are also showing interest as they see the potential monetary value that can be gained from exploiting this vulnerability.
Threat intelligence experts are warning of a new version of the DarkSide ransomware, which its creators claim will feature faster encryption speeds, VoIP calling and virtual machine targeting. KELA shared with Infosecurity information posted by the Russian-speaking group to dark web forums XSS and Exploit.
The Covid-19 period has seen a large number of scammers engaging in identity theft and unemployment fraud, in an attempt to receive money that they aren’t eligible for. Fraudulent activities, such as identity theft, are commonly enabled through chatter and tools shared in underground forums. Today, 15 US states use ID.me to allow citizens to prove their identity online. KELA reveals that cybercriminals are actively sharing tutorials on how to create a seemingly valid profile that will ensure they get their claim approved in their state.
“With the heavy marketing and advertising that Brian’s Club has been investing in, it seems that the longtime attempts of marketing to credit card traders may be finally paying off now that Joker’s Stash is out of the picture,” says Victoria Kivilevich, a threat intelligence analyst with Kela. “Brian’s Club has been immodestly trying to steal the thunder by publishing an advertisement on the main page of [Russian-language forum] XSS, soon after the announcement by Joker’s Stash.”
Cyber intelligence firm KELA confirmed the authenticity of that auction, telling The Verge that forum users needed to put up 0.1 BTC (roughly $4,700 as of this writing) to participate in the bidding as a sign that offers were legitimate. The sellers also reportedly provided file listings for Gwent and the Red Engine that underlies CDPR’s games as proof that the data was authentic.
KELA (which previously provided The Verge with what it believes to be legitimate file lists from CD Projekt’s Red Engine) reports that an auction set up to sell the files has now been closed after a “satisfying offer” was made from outside of the forum it was being held on. That offer reportedly stipulates that the code will not be distributed or sold further. Cybersecurity account vx-underground also reported that it had heard the sale was completed.
The number of offers for network access and their median prices on the public posts on hacker forums dropped in the final quarter of last year but the statistics fail to reflect the real size of the initial access market. Data from threat intelligence firm Kela indicates that many of the deals actually closed behind closed doors, a trend shaped over the past months.
Following the recent ransomware attack on video game developer CD Projekt Red, KELA reveals that hackers are now auctioning off the source code they acquired, with a starting price of $1 million. These include source code files for both the Red Engine and CDPR game releases, including The Witcher 3: Wild Hunt, the Thronebreaker: The Witcher Tales spinoff, and the recently released Cyberpunk 2077.
Recent announcements revealed a data breach at UK-based estate agency Foxtons. KELA threat intelligence analyst Victoria Kivilevich explains that Foxtons was actually a victim of a ransomware attack in October, and confirms that this breach does not seem to be a separate incident. Generally, ransomware gangs have adopted a double extortion tactic, in which they demand two ransoms: one to avoid public exposure of the stolen data and one for unlocking the systems. It’s likely that Foxtons has not yet negotiated or agreed to pay, and that is why part of the data has been leaked.
KELA’s Ayesha Prakash, VP of Global Channels and Alliances has released her EOY blog about ransomware during the COVID era. In her blog-post, Prakash explains why COVID-19 is a curse on the world, and a gift to cybercriminals. She later explains that what organizations need now is to make cybersecurity a forefront issue, to treat it as business-critical, and as a public health risk.
Threat actors have also been observed selling access to ESXi instances on underground cybercrime forums last year, according to threat intelligence firm KELA. Since ransomware gangs often work with initial access brokers for their initial entry points inside organizations, this might also explain why ESXi was linked to some ransomware attacks last year.
Kivilevich writes in a new report from Kela that over the last three months of 2020, she counted 242 initial network access offers for sale across three cybercrime forums with a total asking price of $1.2 million. During that time frame, Kivilevich says, the average price per access was $6,684, the median price was $1,500 and the highest single price listed was 7 bitcoins, which at the time could have been worth about $130,000. But 24% of offers didn’t list a price.
The prospering of the initial access market on the dark web continues unabated, and according to a report published by KELA yesterday, it has surpassed the size of $1.2 million in Q4 2020. The cyber-intelligence firm that uses specialized tools to monitor listings across numerous dark web sites has traced 242 new listings during that period, having an average price of $6,684 and a maximum of 7 BTC.
‘Chqbook.com,’ an India-based online banking service that offers credit card, loan, and insurance management services for small businesses and merchants, has suffered a data breach. Due to KELA’s caching capabilities, we were able to find the first evidence of the particular dataset appearing on the dark web for sale on December 25, 2020.
KELA’s researchers explain how the dark web represents a wide variety of goods and services which are traded across many different underground forums and markets. KELA explains that tapping into these forums and markets can help security teams keep up with where adversaries may be headed next.
Researchers at KELA discovered a leaked database belonging to BuyUCoin, an India-based global cryptocurrency exchange and wallet. On the same forum where the database was leaked, KELA also identified leaked databases from Wongnai Media Co Ltd, Tuned Global Pvt Ltd, BuyUcoin, Wappalyzer, Teespring Inc and Bonobos.com, which looks like the handiwork of the infamous hacking group ShinyHunters.
KELA Joins Cyber Security Forum Initiative (CSFI) as a Gold Sponsor in a Mission to Support National Cyber Security
KELA is thrilled to join the Cyber Security Forum Initiative (CSFI) as a gold sponsor in a mission to support national cyber security. We’re looking forward to working alongside CSFI to make the cyber environment a safer and more secure place by providing valuable darknet threat intelligence to government, military, private sector, and academia in the US.
Irina Nesterovsky, KELA’s CRO said, “It was originally leaked in early January in an English-speaking forum exposing information of nearly 500K people. The second instance we saw it appearing was when an actor tried selling it in another forum claiming that he had a database “for Finance Company Including SQL” with 500K records. Later that day, the same actor leaked the database for free claiming it contained data of more than 500K C-Level executives. KELA confirmed that the same database was shared in all instances. It appears that the “500K C level” title was given to the post in order to boost the importance of the database – the entire size of the relevant user database is around 500K lines, not at all a majority of which are C-Level employees.”
ShinyHunters has recently been very active after going silent for some time. Over this past summer, ShinyHunters was seen publishing leaked data for free, exposing millions of personal records from all over the world; however, we had not observed ShinyHunters releasing data themselves since November. In the last few days the group has leaked databases for free – among them a Pixlr database, exposing 1.9 million user records.
KELA reveals a Q&A published by DarkSide ransomware operators following the release of the ransomware decryption tool. Throughout the Q&A, Darkside operators stated the decryptor was used by 4 targets but 1 of them eventually paid. They also include details about how they will refund losses to affected affiliates and why it’s not happening again in the future. The free decryptor allows victims to recover their files without paying a ransom to DarkSide operators.
The Scottish Environment Protection Agency says a ransomware attack last month continues to cause serious outages and warns that ransom-demanding attackers also stole some data. KELA’s experts share that a portion of SEPA’s data (7% of what they claimed to obtain) has been released on a leak site dedicated to Conti’s ransomware victims, and therefore assess with medium confidence that this is indeed an attack by Conti.
Cybersecurity company Kela examined underground forums and found an ecosystem based around buying and selling initial network access to gaming companies, as well as almost one million compromised accounts of gaming employees and clients up for sale – with half of those being listed in 2020 alone.
In a recent scan, they found 1 million compromised credentials associated with the larger gaming universe of “clients” and also employees – half of which were for sale online. More than 500,000 of the leaked credentials pertained to employees of leading game companies, according to the report published Monday.
Although Kela did not disclose the specific companies affected, it did reveal that it has been monitoring underground markets for more than two-and-a-half years now and that nearly every major gaming company was affected. The compromised credentials would give attackers access to a number of important internal resources, including admin panels and development-related projects.
More than 500,000 login credentials linked to the employees of 25 leading game publishers have been found for sale on dark web bazaars, according to a report by threat intelligence company KELA. Threat actors have been increasingly targeting the gaming industry, including by harvesting and selling access credentials into the internal systems of top-tier game companies.
With Covid-19 having dominated 2020, people around the world have begun giving the online gaming industry a chance, growing revenues in this industry tremendously. After scouring dark web marketplaces, KELA discovered a thriving market in network access on both the supply and demand sides. This included nearly one million compromised accounts related to employee- and customer-facing resources, half of which were listed for sale last year.
KELA reveals another proof of ransomware groups forming cartels to intimidate victims even further. KELA recently observed MountLocker touting 5% of the data dump originally stolen by “Ragnar Locker” during a cyberattack against ‘Dassault Falcon.’ The ransomware operators claim that the listing is from one of their partners, and provide a reference link to Ragnar Locker’s extortion site, which exposed partial data of this victim earlier this month.
Safe-Inet services have been running for 11 years, advertised to cybercriminals needing multiple layers of anonymity and stable connections. BleepingComputer has seen ads for Safe-Inet services on several forums for black hat activities. The one below, posted as recently as December 4 and supplied by cybersecurity intelligence firm KELA, is from a carder forum hidden in the Tor network.
Following the recent seizure of Joker’s Stash (the largest marketplace for trading stolen cards) by law enforcement, KELA reveals that the disruption was only temporary and that the market’s admins claimed the actual Joker’s Stash portal continues to work as normal, with only proxy servers having been seized.
KELA analyzed and obtained a database containing details of 1.9 million Chinese Communist Party members in Shanghai, which has recently resurfaced in the darknet communities, and found that companies in which CCP members were found include Pfizer, AstraZeneca, Airbus, Boeing, HSBC, Rolls-Royce, Jaguar and more.
Millions of ShopBack, RedDoorz user records put on sale in hacker forums; Peatix another victim of breach
KELA, a cybersecurity firm headquartered in Israel, told BT that 5.7 million plaintext passwords were also made available for download from a website called Hashes.org, though the leak does not contain emails. “It will require some work for (threat actors) to correlate emails and hashed passwords from the original leak with dehashed passwords,” the firm said.
The ‘Egregor’ team has published a press release meant to intimidate victims and practically convince them to pay the demanded ransom. Spotted on the dark web by researchers of the KELA threat intelligence firm, the press release includes several key points specifically addressed to those who have not “secured a contract” with the actors.
American networking equipment vendor Belden said it was hacked in a press release published earlier this week. According to data provided by threat intelligence firm KELA, credentials for Belden accounts have been available on the cybercrime underground since April this year, although it’s unclear if they have been used to orchestrate this breach.
Attackers can use corporate credentials to monetize in many different ways – from manipulating employees to wire money through CEO scams, to exploiting them in order to move laterally in the organizations to conduct a network intrusion.
KELA’s technologies automatically monitor closed underground forums where threat actors are regularly trading corporate credentials and other sensitive data. Contact us to learn more about how KELA can help you detect if any of your sensitive data is circulating in the Dark Net.
Pakistan International Airlines data breach underscores sharp rise in illicit sales of access credentials
KELA’s researchers said that cybercriminals advertised domain admin access to PIA’s internal network for $4,000, while its customer database was listed for $500. Initial network access in such illicit deals refers to remote access to systems in a compromised organization, while those selling it are known as remote access brokers. Rather than hack their way into corporate networks, cybercriminals often purchase such initial network access to gain a foothold, allowing them to move laterally and expand their access rights.
KELA reveals the latest threats targeting Japanese organizations, and concludes that threat actors, including advanced APT groups and nation-state actors, regard Japanese organizations as valuable targets and are actively attacking them via both opportunistic and targeted attacks.
“Such servers in Iran and [other] countries will be harder to discover, block, and cease due to a lack of cooperation from local authorities,” says Victoria Kivilevich, threat intelligence analyst at Israel-based security firm KELA, which first discovered the scheme.
According to Bleeping Computer‘s latest report, on Nov. 12, the cybersecurity intelligence firm Kela revealed DarkSide operators’ new posted topic on a Russian-speaking hacker forum. Additionally, Bank Info Security reported that the cybersecurity firm Kela said that the hackers claim that their average ransom is between $1.6 million and $4 million.
#DarkSide ransomware launches their affiliate program. For the first time ever, KELA notices the operators offering initial access brokers the option to trade with them directly rather than through affiliates or middlemen. It seems that DarkSide is strengthening their efforts, and we can expect to see a surge of attacks by this gang over the coming months.
KELA spotted a threat actor touting domain admin access to Pakistani International Airline for $4,000 on two Russian-speaking illegal online forums and one English-speaking forum that they had been monitoring. KELA’s team had been tracking ransomware trends, exploring how initial access brokers in the cybercrime community play a role in the supply chain of this popularly deployed malware.
In terms of unusual timing, another ransomware operation has also promised to turn out the lights. “We’ve seen Suncrypt affiliates stating on Exploit” – a cybercrime forum – “that the operators told them that the program is closing,” according to Israeli cyberthreat intelligence monitoring firm Kela. “It’s a bit interesting – and even suspicious – to see two major ransomware groups shutting down their operations around the same time.”
More than 23,000 hacked databases have been leaked from the site archive of Cit0Day.in, a private service advertised on hacking forums to other cybercriminals. For the past several months, KELA’s technologies have been monitoring data from Cit0Day.in, prior to the site’s seizure in mid-September. As part of KELA’s leaked credential monitoring, KELA’s clients have already had visibility into this site, and have already been alerted on any of their data that may have been leaked in these compromised database feeds.
One cybersecurity intelligence firm, Kela, intends to help MSSPs do just that with its new platform, IntelAct. The technology, Kela says, allows MSSPs to track and intercept any mentions of their clients’ network infrastructure, vulnerabilities or exposures in the dark net. This turns the attackers’ edge against them, remediating issues before they become breaches, the vendor says. IntelAct is fully automated, scalable, and requires no installation or network access.
KELA announces today the release of their latest proprietary technology – IntelAct, allowing 100% automated monitoring of an organization’s attack surface. KELA’s Dark Net experts launch a new technology enabling organizations to receive real-time, automated alerts of their exposure in the Dark Net.
KELA specialists write that they indexed 108 listings posted on popular hacker forums and calculated that the combined value of the accesses offered by the hackers equals USD 505,000. Moreover, about a quarter of the lots were eventually sold to attackers wishing to target particular companies.
As ransomware attacks continue to rise, initial access brokers are repeatedly being seen as key players by selling network access to ransomware operators as an initial entry point into victims’ networks. In September alone, KELA detected over 108 accesses for sale at a total value of USD 500,000 – 3 times higher than the numbers gathered in the previous month.
Some markets have moved to drop illegal drugs and begun adopting an “automarket” approach that focuses on self-fulfilled sales of malware, stolen databases, login credentials and other hacking and cybercrime tools and services, the Kela researchers say. Criminals’ thinking, they note, appears to be that by not selling drugs, and with malicious “cyber” tools existing in a legal gray zone in many jurisdictions, such markets will be less likely to get disrupted.
In a report shared with BleepingComputer, cyber intelligence company KELA was able to determine that the offer was for Zoho’s ManageEngine Desktop Central, a management platform that lets administrators deploy patches and software automatically on network machines, as well as troubleshoot them through remote desktop sharing.
Credentials stolen via LokiBot usually end up on underground marketplaces like Genesis, where KELA suspects LokiBot is the second most popular type of malware that supplies the store.
Kivilevich and Raveed Laeb, Kela’s product manager, tell ISMG that it’s important to distinguish between the two types of darknet markets: drug marketplaces and cyber-focused marketplaces selling such things as malware, stolen databases and login credentials. “We also see sales of illicit and counterfeit goods – money, watches and stuff like that – but most of the time, that’s not the actual focus,” they say.
More recently, the sale of cyber goods has been migrating to what the darknet community calls “autoshops,” meaning they sell goods and services in a highly automated manner. Kela refers to this as the “servitization” – meaning selling not just goods but also services and outcomes – of the underground ecosystem.
KELA has been closely tracking new monetization methods employed by ransomware operators. One common method has been ransomware gangs stealing the data before encrypting it in order to use it as leverage in ransom negotiations, and many times including that data in data leak sites. Riding on this trend, LockBit ransomware has just launched a new data leak site to be used as part of their double extortion strategy to scare victims into paying ransom.
Victoria Kivilevich, threat intelligence analyst at Israeli intelligence firm KELA – which discovered the breaches of Australian financial data – said there had been an increase in attacks in recent years, and also in RaaS, or ransomware-as-a-service; hackers were also often working together. “The most popular ransomware strains are operated by cybercriminals looking for financial gain,” Ms Kivilevich said. “Chasing profits, ransomware actors are always inventing new methods of intimidating victims.”
We’re excited to officially welcome Ayesha Prakash to our team as our new Vice President of Global Channels and Alliances. Ayesha joins KELA to build and evolve the company’s strategic alliances and expand KELA’s global engagement with channel and technology partners. We’re excited to have her on board and are looking forward to see what we will accomplish together!
Israeli cyber threat intelligence monitoring firm, KELA has provided BleepingComputer with information on the matter, along with screenshots.
The company analyzed forums frequented by darknet users and has offered insights into their activity.
KELA’s latest research analyzes the recent rise of ransomware attacks and how that rise has introduced new methods of monetization allowing ransomware gangs to extract larger payouts. This research laid out the top 6 trends observed among ransomware groups in the underground ecosystem and shared how these new methods are likely to spread.
Israeli cybersecurity intelligence firm Kela shared that the operators behind Avaddon announced their data-leaking site via a Russian-language cybercrime forum. So far, the ransomware gang has listed one victim – a construction firm – from which 3.5 MB of allegedly stolen documents have been leaked.
“The attackers published a sample of the obtained data, including information related to the company’s activity in the U.K., Mexico, Philippines, Malaysia and Thailand,” Kela tells Information Security Media Group.
KELA shared with BleepingComputer that the Avaddon ransomware operators have announced on a Russian-speaking hacker forum this weekend that they have launched a new data leak site. KELA has shared that until now, only one victim has been listed – a US-based construction company.
KELA’s #DARKBEAST has helped ZDNet obtain a copy of a recently leaked list of plaintext usernames and passwords for 900+ Pulse Secure VPN enterprise servers. If compromised, these Pulse Secure VPN servers can provide hackers easy access to a company’s entire internal network.
Cybersecurity researchers from KELA found about 17,000 Slack credentials for sale across 12,000 Slack workspaces in cybercrime online markets. While “many access types — webshells on online stores, RDP servers or corporate email inbox access — are a highly sought-after resource driving thriving markets,” no one is really buying Slack credentials, according to KELA.
Using its threat intelligence platform, KELA searched for Slack credentials on cybercrime markets to see whether this threat vector was popular among cybercriminals. The company says it found more than 17,000 Slack credentials recently put up for sale online on hacking forums and on credential marketplaces such as Genesis.
KELA has found that there were at least 17,000 Slack credentials sold in the ‘Genesis Store’ alone, priced between $0.5 and $300, depending on how valuable they were. While a connection with the recent Twitter hack isn’t based on concrete evidence, there are indications pointing to this scenario.
Following reports that last week’s Twitter hacks may have been due to credentials stolen from an internal Slack channel, KELA decided to dive deeper into this topic, and found that currently more than 17,000 Slack credentials for roughly 12,000 Slack workspaces are being sold on underground cybercrime markets.
Threat research firm KELA notified the publication about posts on Russian security forums that advertised an MGM data breach affecting more than 200 million customers.
In the past few years, hackers have attacked several hotels to steal customer data. In March, Marriott Hotels was breached impacting more than 5.2 million people.
KELA discovered a database of 4.8 million records posted for sale, belonging to a leading provider of ticket services for live shows in the UK. KELA’s intelligence team told Infosecurity Magazine that they acquired a sample of 10,000 records in order to analyze this data. Following analysis, KELA deduced that the leak affects users in the UK, US, New Zealand, Australia, South Africa, Germany, France and a few others, some of which belong to governmental domains.
Intelligence analysts at KELA discovered a database of 4.8 million records, containing emails and passwords, belonging to a leading provider of ticket services for live shows in the UK. The database was posted on July 8, 2020 on an underground forum by a newly registered threat actor, called “JamesCarter”, for $2500. KELA managed to acquire a sample of the database containing about 10,000 email addresses, and found that only about 300 email addresses were duplicates, deducing that the full leak likely consists mostly of unique combinations.
In an exclusive today on ZDNet, KELA shares that the breached MGM database, originally reported to have 10.6 million records, actually contains nearly 200 million. The hotel’s database resurfaced on the dark web this past weekend. This wasn’t the only time it resurfaced, though. KELA’s intelligence team told ZDNet back in February that the MGM data had been circulating and was being sold in private hacking circles since at least July 2019.
The compromised accounts were detected by Israeli intelligence firm KELA, which specialises in dark web threat intelligence and offers its clients a real-time dark web search engine called Darkbeast.
KELA threat intelligence team leader Elad Ezrahi said the MyGov accounts were extracted from more than 2000 compromised computers, or “bots”. Botnets are networks of compromised machines controlled by a single actor.
KELA researchers have shared one of their most interesting recent findings with TechNadu, and it looks like it concerns BMW and 384,319 of its customers in the UK. Apparently, the prolific hacking group known as “KelvinSecurityTeam” has posted a database they acquired when they hacked ‘bmw.com.’ This is the same group of actors that recently sold databases from 16 companies, including the business consulting firm “Frost & Sullivan.”
The personal information of almost 400,000 UK-based BMW customers is being sold to the highest bidder on an online black market, according to Tel Aviv-based darknet intelligence experts KELA.
Hackers at a group called KelvinSecurity Team have gained access to a BMW customer database and listed it for sale on an underground forum used by cybercriminals.
KELA found a database of UK car owners offered for sale on an underground forum, which was initially described as BMW customers’ database affecting 384,319 customers. The data was posted by the KelvinSecurityTeam. KELA obtained the database and found that it contains almost 500,000 customers’ records from 2016-2018. The exposed data includes initials and surnames, emails, addresses, vehicle numbers, dealer names, and more; it affects owners of different cars in the UK.
Hackers have breached more than 1,800 Roblox accounts and defaced user profiles with messages in support of Donald Trump’s reelection campaign. With the help of threat intelligence firm KE-LA, ZDNet was able to identify multiple web pages containing large lists of Roblox usernames and cleartext passwords.
KELA is proud to announce the launch of Sensitive Hostname Detection. As part of this addition, KELA’s RADARK now automatically alerts users on sensitive webpages that may be exposed to the public internet.
Get in touch with us today to learn more about how KELA detects vulnerabilities in your organization’s Internet-facing infrastructure.
Elad Ezrahi, Threat Intelligence Team Leader at the Israeli intelligence company KELA, told the Australian Financial Review: “If the web shell enables the actor to abuse the mail server of the compromised website, the actor could use it to send spam and phishing emails… if the compromised site is of a governmental entity, for example, the consequences can be notably severe.”
Elad Ezrahi, Threat Intelligence Team Leader at Israeli Intelligence company KELA, said web shells could be used for nefarious purposes. Remote access markets served as a gateway for obtaining data, he said.
KELA Acknowledged in Gartner’s Market Guide for Security Threat Intelligence Products and Services 2020
Nir Barak, CEO and Founder of KELA shares, “Since KELA’s establishment we have been investing significant efforts to make sure that our technologies and services are perfectly applicable to what is required by security and intelligence teams. In our opinion, being acknowledged as a vendor of dark and deep web monitoring by our wide and global customer base, and now also by Gartner, definitely makes it seem like our team’s arduous work is making an impact, and gives us validation that we are growing on the right path.”
KELA shares intelligence from their daily ransomware monitoring with specialists from Bleeping Computer. “BleepingComputer was told by cyber intelligence firm KELA that the Maze operators added the information and files for an international architectural firm to their data leak site.”
With the help of threat intelligence firm KELA, ZDNet has confirmed the existence of the LiveJournal stolen database and has tracked down copies and mentions of user data in multiple locations across the hacking underground.
KELA Extends Intelligence Monitoring Capabilities with Access to Instant Messaging Groups & Real-Time Image Searching
KELA announced today the capability of automatically searching through images and chatter in instant messaging groups, through DARKBEAST, their proprietary Dark Net threat hunting platform. The expansion of KELA’s data lake to include instant message groups, such as closed Telegram groups and Discord channels, is meant to provide partners and clients with added intelligence from different high-quality and curated sources.
Since Have I Been Pwned allows users to hide their email from public searches, we also verified these emails against a private platform managed by threat intelligence firm KELA, which has also been indexing and tracking data leaked in older breaches.
According to the latest report from threat intelligence firm KELA, MagBo is offering access to over 43,000 hacked servers and some of these belong to state and local governments, ministries, financial institutions, and health care facilities.
KELA researchers report that the daily server additions to the market are between 200 and 400, and the number of daily transactions is approximately 200. There are 190 unique sellers who have something to offer on MagBo, while the cost to access each server depends on its type.
More than 43,000 hacked servers are currently for sale on online cybercrime marketplace MagBo, according to new research from threat intelligence firm KELA and ZDNet.
According to threat intelligence provided by cyber-security firm KELA, the PentaGuard group has been around since 2000, when they were involved in mass-defacements of several government and military websites, including the website of Microsoft Romania.
A report from threat intelligence firm KELA shows the recent evolution of MagBo. The research was conducted jointly by KELA and the ZDNet website.
The infamous MagBo platform is known to have offered almost 150,000 different compromised websites, with over 200 transactions and 200 to 400 new additions on the platform each day. According to data from KELA, “190 different threat actors currently have active listings on the market.”
Cybercriminals are selling access credentials for more than 43,000 hacked servers via an online marketplace called MagBo. This is according to an analysis by threat intelligence firm Kela. MagBo is accordingly considered one of the largest marketplaces for compromised servers.
Threat intelligence company KELA has reported a boom in Remote Access Markets during the pandemic. Remote Access Markets sit on the Darknet and provide attackers with details on compromised websites and services. It means that attackers don’t have to waste time trying to steal credentials to gain access to those websites.
As servitization of the underground world continues to thrive, KELA Targeted Cyber Intelligence, a global Dark Net threat intelligence provider, announces today the addition of a new information source type to their technologies – Remote Access Markets.
Over the years, the site has boomed, to put it lightly. Since it launched in 2018, KELA says the site has sold access to more than 150,000 sites, with 43,000 still being up for sale as of this week. KELA product manager Raveed Laeb says they’ve tracked 190 different threat actors selling hacked servers on the site.
KELA Targeted Cyber Intelligence, a global Dark Net threat intelligence provider, announces today the addition of Featured Queries to DARKBEAST – their proprietary Dark Net search engine and investigation platform — helping their users stay informed on the most relevant underground threats.
Cyber Security Today – Canada hit by COVID cheque fraud; Webex, Teams under attack, more COVID email scams and three big data breaches
According to an Israeli security company called KELA, criminals soon began selling editable digital copies of cheques on the dark web. A criminal can either purchase a digital file and fill in their own name or have a criminal service do the editing for them.
Like every free market, the Dark Net economy sees its many rises and falls. Sites come and go, just like brick and mortar stores open and close. Yet in recent months, we’ve seen a large number of sizeable illicit Dark Net sites closing, and smaller niche ones taking their place.
A Canadian university’s network may be at risk from a cyber attack, according to KELA, an Israeli threat intelligence firm.
Irina Nesterovsky said this threat actor seems to specialize in brute-forcing RDP (remote desktop) servers, running an affiliate program with other threat actors for this purpose.
Genesis, one underground shop for browser data kept using the original version of the malware and suffered grave losses when Chrome 80 came along, as uncovered by KELA researchers towards the end of February.
Raveed Laeb of cybersecurity intelligence firm KELA has told BleepingComputer that Koodo accounts are being sold on various dark web sites.
“A different market – one that specializes in automated selling of access to compromised accounts – currently offers over 21,000 Koodo accounts,” Laeb told BleepingComputer.
KELA specialists have noticed that the Genesis marketplace, which trades not merely in users’ personal data but in ready-made virtual identities, has run into serious problems.
Raveed Laeb is a product manager for KELA, a threat intelligence firm that uses sophisticated, automated tools to keep tabs on the countless gigabytes of stolen data being traded on Darknet forums and marketplaces. He’s been investigating Genesis for quite some time and recently released an in-depth report on his findings so far.
According to new research shared with ZDNet this week by threat intelligence firm KELA, the Genesis Store is currently going through a rough patch, seeing a 35% drop in the number of hacked credentials sold on the site.
KELA says Genesis administrators are currently scrambling to fix their inventory deficit and feed the store with new credentials before customers notice a drop in new and fresh listings.
“We are very pleased to receive this prominent cybersecurity award, and it’s an honor to be selected from a wide selection of top-notch companies that were in the running for this prize. Our hard work has paid off in being recognized as global leaders in threat intelligence,” said KELA COO Eran Shtauber.
Irina Nesterovsky, head of research at cyber intelligence firm KELA, claimed that the most recent upload of breached data on nearly 10.7 million hotel customers was simply a repackaged bundle — as often happens on the dark web.
According to Irina Nesterovsky, Head of Research at threat intel firm KELA, the data of MGM Resorts hotel guests had been shared in some closed-circle hacking forums since at least July last year. The hacker who released this information is believed to be associated with, or a member of, GnosticPlayers, a hacking group that has dumped more than one billion user records throughout 2019.
What treasures can hackers find on the dark web, how have these been used in the past, and what might threat actors be planning for Tokyo this summer? Here are the top four threats that KELA’s research team has been monitoring recently on the dark web
Online threat actors are just plain criminals – like 36-year-old Aleksandr Alekseyevich Korostin from Sigayevo, Sarapul District, Udmurtiya Republic, Russia – hiding behind anonymity as SaNX. – OPINION by KELA Cyber Intelligence Center
The threat marks a disturbing change in tactics by the crime groups behind the Sodinokibi ransomware, said Irina Nesterovsky, head of research at KELA, an Israeli security company specializing in darknet threat intelligence that monitors hacking groups.