Cyber Intelligence Center Updates • KELA Cyber Threat Intelligence

24 May 2023

An Executive’s Guide To The Cybercrime Underground

David Carmiel, KELA's CEO

In recent years, the cybercrime underground has become increasingly sophisticated and profitable by preying on vulnerable organizations. As a result, security leaders must gain visibility into what happens in this underground network of illegal activity to protect their organizations from emerging threats and accurately assess their risks. In this article, I will explore the current state of the cybercrime underground, including its definition, motivations, actors and methods. I will also provide recommendations for security leaders on defending their organizations against emerging threats.

The cybercrime underground is a term for virtual sites, methods, platforms and tools with which threat actors congregate and communicate to sell their ill-gotten gains and purchase criminal services and products.

Online forums are an illustrative example of where threat actors conduct illegal commercial activities. Forums provide an effective platform for threat groups, their peers and their potential customers to discuss tactics, technologies and procedures. These virtual venues allow criminals to recruit talent and engage in illegal commerce.

7 ways to protect your organization from cyber threats

23 May 2023

7 Easy Steps To Bolster Your Threat-Resilience Capabilities [Checklist]

Many organizations struggle with determining the initial steps and selecting an action plan when it comes to addressing the proactive approach required for effective defensive strategies against cyber threats.

Our complimentary checklist outlines a comprehensive set of 7 crucial first steps for initiating a robust cyber threat intelligence program within your company.

Whether your organization already has security measures in place or is in the process of establishing a strong cybersecurity posture, this checklist can serve as a valuable resource.

We encourage you to download and utilize it to assess your current processes and establish cybersecurity priorities for the year 2023.

Delving into new inforstealers 2023 Report

15 May 2023

Delving Into The Emerging Infostealers Of 2023 [Report]

The risk of cyber attacks by information stealers poses a threat to organizations in the last few years and continues to be a significant concern for companies in 2023. The emergence of new infostealers highlights the ongoing efforts of cybercriminals to create new tools for stealing sensitive data.

Organizations must stay up to date about new infostealers in order to remain vigilant and protect themselves against these evolving threats. We’re happy to share this FREE report with you to arm you with more knowledge!

Read KELA’s latest Delving Into The Emerging Infostealers of 2023 Report to learn about:

New infostealers like Titan, LummaC2, Whitesnake, and others recently emerged from the cybercrime underground that have already gained popularity among threat actors.
The most popular illicit markets and channels for distributing stolen data.
Outlook on infostealers for 2023 and what to anticipate.

10 April 2023

Ransomware Victims and Network Access Sales in Q1 2023

The massive ransomware campaign that targeted thousands of ESXi servers in early 2023 highlights the continuing danger posed by ransomware and extortion groups to organizations worldwide.1 KELA observed an increase in ransomware and extortion attacks and sales of network access (an important part in ransomware gangs’ supply chain) in Q1 2023 compared with the average metrics of 2022.

27 March 2023

Attacks on MSPs: How Threat Actors Kill Two Birds (and More) With One Stone

Yael Kishon, Threat Intelligence Analyst

Managed service providers (MSPs or MSSPs) have become a vital part of many companies, providing a range of IT services and support to keep operations running smoothly. At the same time, MSPs become attractive targets for cybercriminals aiming not only to compromise assets of a single company, but also to increase the number of potential victims and to target a wide range of third parties. In this blog, we examine the ongoing interest of threat actors in the cybercrime ecosystem targeting MSPs and IT companies.

Initial access brokers (IABs) — threat actors who sell network access on cybercrime forums — seem to actively compromise MSPs.

Network access is a broad term that is used to describe multiple different vectors, permission levels, and entry points. The offering can include SQL injection, remote desktop protocol (RDP) credentials, or the ability to change from user to admin privileges. The actors selling such network access types provide an initial entry point to a compromised network that can be further leveraged by other cybercriminals. The most common type of access is offered through RDP or VPN access. Threat actors define specific attributes of their ideal victim based on the geographies, sectors and revenue of the victim.

1 February 2023

TELEGRAM – How a Messenger Turned Into a Cybercrime Ecosystem by 2023

Telegram is a messaging app that is used by many people around the world for a variety of purposes. However, it has also become a hub for cybercrime activities, including the sale and leakage of stolen personal and corporate data, the organization of cybercrime gangs, the distribution of hacking tutorials, hacktivism and the sale of illegal physical products such as counterfeits and drugs.
There are several other messaging apps that are favored by cybercriminals, but Telegram is one of the most popular. This presents a significant challenge for security researchers trying to combat cybercrime on the platform.
One reason why Telegram is attractive to cybercriminals is its alleged built-in encryption and the ability to create channels and large, private groups. These features make it difficult for law enforcement and security researchers to monitor and track criminal activity on the platform. In addition, cybercriminals often use coded language and alternative spellings to communicate on Telegram, making it even more challenging to decipher their conversations.
This report, compiled by KELA, aims to provide an in-depth understanding of why Telegram has become a significant player in the cybercrime ecosystem. It covers various services, products and cybercrime activities that exist on the platform, as well as the threat actors involved. The report also includes showcases for each topic, highlighting specific examples of the types of activities that take place on Telegram. In addition, the report lists prominent groups and channels that are involved in these activities, providing a comprehensive overview of the scope and scale of cybercrime on the platform.

Overall, Telegram has become a thriving ecosystem for cybercrime and will likely continue to be a major challenge for security researchers and law enforcement.

12 January 2023

The Cybercrime Inferno- 2022 Annual Report

Ransomware and extortion attacks have been a growing concern for individuals and organizations alike in recent years. These types of attacks involve hackers gaining unauthorized access to a computer system or network and either holding the system hostage by encrypting the data until a ransom is paid, or threatening to release sensitive information unless a ransom is paid.

In addition to these types of attacks, particular attention was focused on the sale of network access on cybercrime sources, which can potentially be used by hackers to carry out ransomware and extortion attacks.

This report will provide an overview of the state of ransomware and extortion attacks and network access sales in 2022, as well as the evolution of trends and ways to prevent and mitigate these types of attacks.

8 December 2022

Keys to the Kingdom: How Compromised Corporate Emails Have Become the Most Attractive Attack Vector for Cybercriminals

Yael Kishon, Threat Intelligence Analyst

Threat actors are constantly looking for new monetization opportunities in the cybercrime ecosystem, trying to put their hands on sensitive corporate data and leverage that for their profit. Such compromised data on cybercrime forums can include databases, source code, internal documents, as well access to services such as corporate email credentials. Once credentials are obtained, unauthorized actors can view the content of organizational accounts, as well as send emails from the compromised accounts, which appear legitimate but contain phishing campaigns.

Threat actors now have new marketplaces and shops, which enable them to easily buy corporate email accounts for their attacks. KELA noticed that actors selling email access via these dedicated, automated shops offer hundreds of thousands of corporate email credentials for sale. In this analysis, KELA takes a closer look at the scope of shops such as Xleet, Odin, Xmina, and Lufix that are easing processes for cybercriminals. This report shows how actors could obtain access and monetize it through several attack vectors, which include phishing, BEC, and malware attacks.

24 November 2022

400 Security Practitioners Gave These 7 Insights into Their Cybercrime Monitoring

The cybercrime underground is complex and dynamic, and cybercrime threats that emerge from it pose a significant risk to organizations. What organizations know and refer to as the cybercrime underground is changing within the hour. Unfortunately, many organizations underestimate that risk or may believe that cybercrime monitoring and threat detection doesn't apply to their organization. Even the organizations that do understand the threat it presents are often underprepared with their tools, processes, and expertise to proactively protect their environments. KELA's mission is to make the complex world of the cybercrime underground simple and accessible to security teams so that they can leverage intelligence from cybercrime underground sources to keep their organizations safe. In order to better understand how they approach their cybercrime monitoring, we recently surveyed 400 security practitioners to see if they have the tools and training to protect their organization effectively, as well as gain insights into their successes, challenges, and current needs. Here are seven key insights from our "State of Cybercrime Threat Intelligence 2022" report about the state of cybercrime threat intelligence today.

In looking at the responses in our survey, it became obvious that what would be most beneficial to their organization is additional training and proficiency in cybercrime investigations — especially with one of the top challenges being a lack of expertise. Security practitioners are also looking for a way to access the cybercrime underground quickly in a secure and non-attributional manner.

31 October 2022

RANSOMWARE VICTIMS AND NETWORK ACCESS SALES IN Q3 2022

Sarit Borochov, Threat Intelligence Analyst

The most prolific ransomware and data leak actors in Q3 were LockBit, Black Basta, Hive, Alphv (aka BlackCat) and BianLian, with the last one being a relatively new ransomware gang. In Q3 2022, the sector that was most targeted by ransomware attackers and data leak actors was professional services. LockBit, Alphv and Hive were responsible for 55% of the attacks in this sector.

The US is still the most targeted country, with 40% of ransomware and extortion attacks affecting US companies in Q3, followed by ransomware and data leak victims from companies in the UK, France, Germany and Spain. New data leak sites and ransomware blogs of the quarter included Yanluowang, BianLian, 0mega, Daixin Team, Donut Leaks.

In Q3 2022, KELA traced over 570 network access listings for sale, with a cumulative requested price of around USD 4 million. The average price for access was around USD 2800 and the median price — USD 1350. In Q3 actors offered more expensive listings since the total number of listings remained almost the same. On average, there were around 190 access listings in each month of Q3, slightly higher than in Q2.