The cybercrime landscape is constantly evolving with sophisticated threats and risks, but the heart of the cybercrime ecosystem is built on threat actors. Being the brains behind each cyber incident, they are responsible for ransomware attacks, data breaches, building new malware, and aiming to compromise corporate networks. Threat actors are a wide range of players, from nation-state actors to script kiddies.  This blog delves into KELA’s new module – Threat Actors and details how CTI analysts can leverage it for their everyday tasks.  The module allows security teams to monitor, identify, and track threat actors in the cybercrime landscape, understand their TTPs and connections with other actors. It further delivers actionable intelligence on their motivations, aliases, tools, contact details, and activity in cybercrime forums.

November 20, 2023 – KELA, the leading provider of real, actionable threat intelligence, is announcing the launch of two groundbreaking modules – Threat Actors and Identity Guard. These additions reflect the company’s ongoing dedication to refining its comprehensive cyber intelligence platform. The innovative modules not only strengthen KELA’s commitment to delivering timely and actionable threat intelligence but also empower organizations of all sizes, contributing to a more robust and adaptable security posture. The modules are designed to enhance the accessibility of threat intelligence, delivering timely and actionable insights to effectively counter cyber threats facing your organization.

In late August 2023, in a major operation named Operation Duck Hunt, the FBI, along with international partners announced they dismantled the QakBot malware infrastructure. The botnet has been known to be used by different ransomware gangs, such as Ryuk, ProLock, Egregor, REvil, MegaCortex, Doppelpaymer and Black Basta for their malware delivery. While most of them are no longer active, some continue to operate — such as Black Basta. As seen by KELA, the botnet takedown could have affected their operations but it seems that two months after the dismantling, the group is back in business, possibly with a new initial infection vector. On the other hand, Black Basta may choose to persist in collaborating with threat actors linked to QakBot, given their ability to continue distributing the Knight ransomware (formerly known as Cyclops) successfully in recent months. This blog details the two operations’ collaboration with QakBot and how the takedown affected their activities.

In recent years, the automotive industry has been undergoing a rapid transformation of digitalization. As new technologies become increasingly prominent in the automotive sector, they open the door to a wide range of cyber threats and high interest from cybercriminals to attack automotive companies. 

In August 2023, KELA encountered several critical vulnerabilities that raised significant interest within the cybercrime underground: CVE-2023-3519 (Citrix ADC and NetScaler Gateway) CVE-2023-27997 (Fortigate) CVE-2023-34124 (SonicWall) CVE-2022-24834 (Redis) This report highlights the details of each vulnerability, their implications, and recommendations for mitigation. In addition to known vulnerabilities, threat actors always look for buying 0-day vulnerabilities to exploit, and KELA highlights two recent cases related to flaws in Windows and TP-Link W8970 routers.

“I wonder what the GDPR agency will think about our relationship?” — approaches one of its victims on their blog RansomedVC, a relatively new extortion collective that emerged in August 2023. The word has quickly spread that this actor is leveraging GDPR (General Data Protection Regulation), a tactic that has never been observed before. However, many attackers have been using GDPR threats in their ransom notes and blogs to pressure European victims into paying them, similarly to RansomedVC. In this blog, KELA looks at actors using GDPR as their leverage.

What is common between Okta, Uber, and EA Games? All fell victim to cyberattacks enabled by a single access point: compromised employee credentials. In the ever-changing cybercrime landscape, cybercriminals always find ways to put their hands on corporate sensitive data. One of the most popular ways to gather such credentials is using information-stealing malware or simply buying the bots (machines already compromised by info-stealing malware) on botnet markets and Telegram channels. Recently CISA reported that more than half of all cyberattacks on government entities and critical infrastructure involve valid credentials. That means that cybercriminals are using active employee credentials or default administrator credentials for their attacks. After acquiring login credentials, whether through purchase or by obtaining them for free, threat actors utilize these valuable assets in various campaigns, ranging from phishing to ransomware attacks. In this blog post, KELA examines the contrast between two methods of acquiring credentials: botnet markets such as Russian Market, Genesis, and TwoEasy (enabling the individual purchase of bots), and “clouds of logs”. Clouds of logs operate on a subscription basis, allowing threat actors to purchase and utilize multiple bots together through platforms like Telegram. The user-friendly Telegram interface, extensive bot sharing, and diverse actors and information-stealing tools collectively enhance the appeal and convenience of this messaging platform for conducting such transactions.

In August 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) published a list of the top routinely exploited vulnerabilities in 2022. The list included vulnerabilities disclosed in 2018-2022. While researching recent cybercrime chatter on these vulnerabilities, KELA discovered that the most discussed flaws out of this list include:  ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) affecting Microsoft Exchange servers CVE-2018-13379 affecting Fortinet FortiOS Follina (CVE-2022-30190) affecting Microsoft Support Diagnostic Tool In this blog, KELA summarizes how threat actors share tips and tools for finding and exploiting vulnerable instances, sell access to corporate networks affected by the flaws and bypass patches.

KELA Cyber Intelligence CenterIn July, KELA observed that actors behind Qilin (Agenda) RaaS program have announced that ransom payments are paid only to their affiliates’ wallets. Apparently, only then a share of profits is transferred to the Qilin RaaS owners. This approach is less common for RaaS programs: usually victims are paying ransom to wallets controlled by RaaS developers/managers, and only then affiliates receive their share of ransom. The “opposite” approach, now adopted by Qilin, is known to be used by LockBit.

KELA Cyber Intelligence CenterThe Cyclops ransomware gang has launched a 2.0 version of its RaaS operation named Knight. On July 26, the gang announced on their blog they were “releasing the new panel and program this week”, likely referring to updates to both their ransomware strain and their affiliates’ panel. Recently, Cyclops announced they “upgraded” the operation and called for new affiliates to join the group. A thread advertising Cyclops’ RaaS has been renamed to “[RaaS]Knight”.