David Carmiel, KELA's CEO
Welcome to KELA’s new home: kelacyber.com!
Celebrate with usDavid Carmiel, KELA's CEO
The cybercrime underground is a term for virtual sites, methods, platforms and tools with which threat actors congregate and communicate to sell their ill-gotten gains and purchase criminal services and products.
Online forums are an illustrative example of where threat actors conduct illegal commercial activities. Forums provide an effective platform for threat groups, their peers and their potential customers to discuss tactics, technologies and procedures. These virtual venues allow criminals to recruit talent and engage in illegal commerce.
Many organizations struggle with determining the initial steps and selecting an action plan when it comes to addressing the proactive approach required for effective defensive strategies against cyber threats.
Our complimentary checklist outlines a comprehensive set of 7 crucial first steps for initiating a robust cyber threat intelligence program within your company.
Whether your organization already has security measures in place or is in the process of establishing a strong cybersecurity posture, this checklist can serve as a valuable resource.
We encourage you to download and utilize it to assess your current processes and establish cybersecurity priorities for the year 2023.
The risk of cyber attacks by information stealers poses a threat to organizations in the last few years and continues to be a significant concern for companies in 2023. The emergence of new infostealers highlights the ongoing efforts of cybercriminals to create new tools for stealing sensitive data.
Organizations must stay up to date about new infostealers in order to remain vigilant and protect themselves against these evolving threats. We’re happy to share this FREE report with you to arm you with more knowledge!
Read KELA’s latest Delving Into The Emerging Infostealers of 2023 Report to learn about:
The massive ransomware campaign that targeted thousands of ESXi servers in early 2023 highlights the continuing danger posed by ransomware and extortion groups to organizations worldwide.1 KELA observed an increase in ransomware and extortion attacks and sales of network access (an important part in ransomware gangs’ supply chain) in Q1 2023 compared with the average metrics of 2022.
Yael Kishon, Threat Intelligence Analyst
Initial access brokers (IABs) — threat actors who sell network access on cybercrime forums — seem to actively compromise MSPs.
Network access is a broad term that is used to describe multiple different vectors, permission levels, and entry points. The offering can include SQL injection, remote desktop protocol (RDP) credentials, or the ability to change from user to admin privileges. The actors selling such network access types provide an initial entry point to a compromised network that can be further leveraged by other cybercriminals. The most common type of access is offered through RDP or VPN access. Threat actors define specific attributes of their ideal victim based on the geographies, sectors and revenue of the victim.
Telegram is a messaging app that is used by many people around the world for a variety of purposes. However, it has also become a hub for cybercrime activities, including the sale and leakage of stolen personal and corporate data, the organization of cybercrime gangs, the distribution of hacking tutorials, hacktivism and the sale of illegal physical products such as counterfeits and drugs.
There are several other messaging apps that are favored by cybercriminals, but Telegram is one of the most popular. This presents a significant challenge for security researchers trying to combat cybercrime on the platform.
One reason why Telegram is attractive to cybercriminals is its alleged built-in encryption and the ability to create channels and large, private groups. These features make it difficult for law enforcement and security researchers to monitor and track criminal activity on the platform. In addition, cybercriminals often use coded language and alternative spellings to communicate on Telegram, making it even more challenging to decipher their conversations.
This report, compiled by KELA, aims to provide an in-depth understanding of why Telegram has become a significant player in the cybercrime ecosystem. It covers various services, products and cybercrime activities that exist on the platform, as well as the threat actors involved. The report also includes showcases for each topic, highlighting specific examples of the types of activities that take place on Telegram. In addition, the report lists prominent groups and channels that are involved in these activities, providing a comprehensive overview of the scope and scale of cybercrime on the platform.
Overall, Telegram has become a thriving ecosystem for cybercrime and will likely continue to be a major challenge for security researchers and law enforcement.
Ransomware and extortion attacks have been a growing concern for individuals and organizations alike in recent years. These types of attacks involve hackers gaining unauthorized access to a computer system or network and either holding the system hostage by encrypting the data until a ransom is paid, or threatening to release sensitive information unless a ransom is paid.
In addition to these types of attacks, particular attention was focused on the sale of network access on cybercrime sources, which can potentially be used by hackers to carry out ransomware and extortion attacks.
This report will provide an overview of the state of ransomware and extortion attacks and network access sales in 2022, as well as the evolution of trends and ways to prevent and mitigate these types of attacks.
Yael Kishon, Threat Intelligence Analyst
Threat actors are constantly looking for new monetization opportunities in the cybercrime ecosystem, trying to put their hands on sensitive corporate data and leverage that for their profit. Such compromised data on cybercrime forums can include databases, source code, internal documents, as well access to services such as corporate email credentials. Once credentials are obtained, unauthorized actors can view the content of organizational accounts, as well as send emails from the compromised accounts, which appear legitimate but contain phishing campaigns.
Threat actors now have new marketplaces and shops, which enable them to easily buy corporate email accounts for their attacks. KELA noticed that actors selling email access via these dedicated, automated shops offer hundreds of thousands of corporate email credentials for sale. In this analysis, KELA takes a closer look at the scope of shops such as Xleet, Odin, Xmina, and Lufix that are easing processes for cybercriminals. This report shows how actors could obtain access and monetize it through several attack vectors, which include phishing, BEC, and malware attacks.
The cybercrime underground is complex and dynamic, and cybercrime threats that emerge from it pose a significant risk to organizations. What organizations know and refer to as the cybercrime underground is changing within the hour. Unfortunately, many organizations underestimate that risk or may believe that cybercrime monitoring and threat detection doesn't apply to their organization. Even the organizations that do understand the threat it presents are often underprepared with their tools, processes, and expertise to proactively protect their environments. KELA's mission is to make the complex world of the cybercrime underground simple and accessible to security teams so that they can leverage intelligence from cybercrime underground sources to keep their organizations safe. In order to better understand how they approach their cybercrime monitoring, we recently surveyed 400 security practitioners to see if they have the tools and training to protect their organization effectively, as well as gain insights into their successes, challenges, and current needs. Here are seven key insights from our "State of Cybercrime Threat Intelligence 2022" report about the state of cybercrime threat intelligence today.
In looking at the responses in our survey, it became obvious that what would be most beneficial to their organization is additional training and proficiency in cybercrime investigations — especially with one of the top challenges being a lack of expertise. Security practitioners are also looking for a way to access the cybercrime underground quickly in a secure and non-attributional manner.
Sarit Borochov, Threat Intelligence Analyst
The most prolific ransomware and data leak actors in Q3 were LockBit, Black Basta, Hive, Alphv (aka BlackCat) and BianLian, with the last one being a relatively new ransomware gang. In Q3 2022, the sector that was most targeted by ransomware attackers and data leak actors was professional services. LockBit, Alphv and Hive were responsible for 55% of the attacks in this sector.
The US is still the most targeted country, with 40% of ransomware and extortion attacks affecting US companies in Q3, followed by ransomware and data leak victims from companies in the UK, France, Germany and Spain. New data leak sites and ransomware blogs of the quarter included Yanluowang, BianLian, 0mega, Daixin Team, Donut Leaks.
In Q3 2022, KELA traced over 570 network access listings for sale, with a cumulative requested price of around USD 4 million. The average price for access was around USD 2800 and the median price — USD 1350. In Q3 actors offered more expensive listings since the total number of listings remained almost the same. On average, there were around 190 access listings in each month of Q3, slightly higher than in Q2.