CYBER THREAT INTELLIGENCE BLOG

5 Questions About Hamas-Israel War

As we approach the end of 2023, the Hamas-Israel war still rages on, and so do the cyberattacks accompanying it. KELA selected 5 questions out of those we’ve been asked by our clients and partners (aside from “how are you?”) in the past 70+ days that represent the cybersecurity angle of a physical war.

5 Questions (and Answers) About the Kyivstar Attack

Following a cyberattack on December 12, 2023, Kyivstar, a major Ukrainian mobile network operator, faced a significant digital crisis. The incident has been discussed as one of the most powerful attacks on a telecommunication organization. Confusing claims surfaced from hacktivist groups like Killnet and its successor, Deanon Club, along with Solntsepek. In this blog, KELA dives into the details of the Kyivstar cyberattack, exploring the conflicting stories and the potential involvement of a Russian nation-state actor.

KELA is Named One to Watch in the Data Enrichment Category of Snowflake’s 2023 Next-Generation Cybersecurity Applications Report!

Data enrichment is the process of pairing security event data with non-event data and deriving useful information to translate raw data into meaningful and actionable insights to improve an organization’s security. This process gives security analysts more context about the data their security tools are ingesting and what’s happening in their environment.

Uncovering Your Adversaries with KELA’s Threat Actors Hub

The cybercrime landscape is constantly evolving with sophisticated threats and risks, but the heart of the cybercrime ecosystem is built on threat actors. Being the brains behind each cyber incident, they are responsible for ransomware attacks, data breaches, building new malware, and attempts to compromise corporate networks. Threat actors span a wide range of players, from nation-state actors to script kiddies. This blog delves into KELA’s new module – Threat Actors – and details how CTI analysts can leverage it for their everyday tasks. The module allows security teams to monitor, identify, and track threat actors in the cybercrime landscape, and to understand their TTPs and connections with other actors. It further delivers actionable intelligence on their motivations, aliases, tools, contact details, and activity in cybercrime forums.

KELA Revolutionizes Cyber Intelligence with Two Cutting-edge Modules, Threat Actors and Identity Guard, Elevating and Simplifying Proactive Threat Defense

November 20, 2023 – KELA, the leading provider of real, actionable threat intelligence, is announcing the launch of two groundbreaking modules – Threat Actors and Identity Guard. These additions reflect the company’s ongoing dedication to refining its comprehensive cyber intelligence platform. The innovative modules not only strengthen KELA’s commitment to delivering timely and actionable threat intelligence but also empower organizations of all sizes, contributing to a more robust and adaptable security posture. The modules are designed to enhance the accessibility of threat intelligence, delivering timely and actionable insights to effectively counter cyber threats facing your organization.

Surviving the QakBot Takedown: Black Basta and Knight Ransomware Operations

In late August 2023, in a major operation named Operation Duck Hunt, the FBI, along with international partners, announced that they had dismantled the QakBot malware infrastructure. The botnet has been known to be used by different ransomware gangs, such as Ryuk, ProLock, Egregor, REvil, MegaCortex, Doppelpaymer and Black Basta, for their malware delivery. While most of them are no longer active, some continue to operate — such as Black Basta. As seen by KELA, the botnet takedown could have affected their operations, but it seems that two months after the dismantling, the group is back in business, possibly with a new initial infection vector. On the other hand, Black Basta may choose to persist in collaborating with threat actors linked to QakBot, given those actors’ ability to continue distributing the Knight ransomware (formerly known as Cyclops) successfully in recent months. This blog details the two operations’ collaboration with QakBot and how the takedown affected their activities.

Have a SAFE ride – Cyber Threats in the Automotive Sector

In recent years, the automotive industry has been undergoing a rapid digital transformation. As new technologies become increasingly prominent in the automotive sector, they open the door to a wide range of cyber threats and attract high interest from cybercriminals in attacking automotive companies.

A Glimpse into August 2023 Vulnerabilities Discussed by Cybercriminals

In August 2023, KELA encountered several critical vulnerabilities that raised significant interest within the cybercrime underground: CVE-2023-3519 (Citrix ADC and NetScaler Gateway), CVE-2023-27997 (Fortigate), CVE-2023-34124 (SonicWall), and CVE-2022-24834 (Redis). This report highlights the details of each vulnerability, their implications, and recommendations for mitigation. In addition to known vulnerabilities, threat actors are always looking to buy 0-day vulnerabilities to exploit, and KELA highlights two recent cases related to flaws in Windows and TP-Link W8970 routers.