In recent years, the automotive industry has been undergoing a rapid transformation of digitalization. As new technologies become increasingly prominent in the automotive sector, they open the door to a wide range of cyber threats and high interest from cybercriminals to attack automotive companies. 

In August 2023, KELA encountered several critical vulnerabilities that raised significant interest within the cybercrime underground: CVE-2023-3519 (Citrix ADC and NetScaler Gateway) CVE-2023-27997 (Fortigate) CVE-2023-34124 (SonicWall) CVE-2022-24834 (Redis) This report highlights the details of each vulnerability, their implications, and recommendations for mitigation. In addition to known vulnerabilities, threat actors always look for buying 0-day vulnerabilities to exploit, and KELA highlights two recent cases related to flaws in Windows and TP-Link W8970 routers.

“I wonder what the GDPR agency will think about our relationship?” — approaches one of its victims on their blog RansomedVC, a relatively new extortion collective that emerged in August 2023. The word has quickly spread that this actor is leveraging GDPR (General Data Protection Regulation), a tactic that has never been observed before. However, many attackers have been using GDPR threats in their ransom notes and blogs to pressure European victims into paying them, similarly to RansomedVC. In this blog, KELA looks at actors using GDPR as their leverage.

What is common between Okta, Uber, and EA Games? All fell victim to cyberattacks enabled by a single access point: compromised employee credentials. In the ever-changing cybercrime landscape, cybercriminals always find ways to put their hands on corporate sensitive data. One of the most popular ways to gather such credentials is using information-stealing malware or simply buying the bots (machines already compromised by info-stealing malware) on botnet markets and Telegram channels. Recently CISA reported that more than half of all cyberattacks on government entities and critical infrastructure involve valid credentials. That means that cybercriminals are using active employee credentials or default administrator credentials for their attacks. After acquiring login credentials, whether through purchase or by obtaining them for free, threat actors utilize these valuable assets in various campaigns, ranging from phishing to ransomware attacks. In this blog post, KELA examines the contrast between two methods of acquiring credentials: botnet markets such as Russian Market, Genesis, and TwoEasy (enabling the individual purchase of bots), and “clouds of logs”. Clouds of logs operate on a subscription basis, allowing threat actors to purchase and utilize multiple bots together through platforms like Telegram. The user-friendly Telegram interface, extensive bot sharing, and diverse actors and information-stealing tools collectively enhance the appeal and convenience of this messaging platform for conducting such transactions.

In August 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) published a list of the top routinely exploited vulnerabilities in 2022. The list included vulnerabilities disclosed in 2018-2022. While researching recent cybercrime chatter on these vulnerabilities, KELA discovered that the most discussed flaws out of this list include:  ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) affecting Microsoft Exchange servers CVE-2018-13379 affecting Fortinet FortiOS Follina (CVE-2022-30190) affecting Microsoft Support Diagnostic Tool In this blog, KELA summarizes how threat actors share tips and tools for finding and exploiting vulnerable instances, sell access to corporate networks affected by the flaws and bypass patches.

KELA Cyber Intelligence CenterIn July, KELA observed that actors behind Qilin (Agenda) RaaS program have announced that ransom payments are paid only to their affiliates’ wallets. Apparently, only then a share of profits is transferred to the Qilin RaaS owners. This approach is less common for RaaS programs: usually victims are paying ransom to wallets controlled by RaaS developers/managers, and only then affiliates receive their share of ransom. The “opposite” approach, now adopted by Qilin, is known to be used by LockBit.

KELA Cyber Intelligence CenterThe Cyclops ransomware gang has launched a 2.0 version of its RaaS operation named Knight. On July 26, the gang announced on their blog they were “releasing the new panel and program this week”, likely referring to updates to both their ransomware strain and their affiliates’ panel. Recently, Cyclops announced they “upgraded” the operation and called for new affiliates to join the group. A thread advertising Cyclops’ RaaS has been renamed to “[RaaS]Knight”.

KELA Cyber Intelligence CenterDespite the decryptor for the Akira ransomware that was released at the end of June 2023, the group still seems to successfully extort victims. In July, we observed 15 new victims of the group, either publicly disclosed or detected by KELA in the course of their negotiations.

Victoria Kivilevich, Director of Threat Research, KELAThe Stormous group has been allegedly operating as a ransomware gang since 2021. The group’s data leak site, which had been inaccessible for a long time, got back online in July!

Managed Security Service Providers (MSSPs) bear the crucial responsibility of safeguarding clients’ networks, applications, and devices against cyber threats. Yet, with the rapid evolution of the threat landscape, traditional detection and mitigation methods are falling short. Enter Cyber Threat Intelligence – CTI. By integrating CTI into your MSSP portfolio, you can proactively anticipate emerging threats, fortify defenses, and ensure unparalleled protection for your clients. Stay ahead of the curve with CTI, empowering your MSSP business to combat the ever-changing cyber landscape effectively.