KELA Cyber Intelligence Center
Despite the decryptor for the Akira ransomware that was released at the end of June 2023, the group still seems to successfully extort victims. In July, we observed 15 new victims of the group, either publicly disclosed or detected by KELA in the course of their negotiations.
KELA Cyber Intelligence Center
The Stormous group has been allegedly operating as a ransomware gang since 2021. The group’s data leak site, which had been inaccessible for a long time, got back online in July!
Managed Security Service Providers (MSSPs) bear the crucial responsibility of safeguarding clients’ networks, applications, and devices against cyber threats. Yet, with the rapid evolution of the threat landscape, traditional detection and mitigation methods are falling short. Enter Cyber Threat Intelligence – CTI. By integrating CTI into your MSSP portfolio, you can proactively anticipate emerging threats, fortify defenses, and ensure unparalleled protection for your clients. Stay ahead of the curve with CTI, empowering your MSSP business to combat the ever-changing cyber landscape effectively.
In recent months, the popularity of Generative AI has surged due to its powerful capabilities. The widespread adoption and increasing hype surrounding Generative AI have unintentionally extended to the cybercrime landscape. Just like any other advanced and powerful technology that takes our world to the next level, the bad guys always manage to find their oh-so-‘special’ way in. Cybercriminals have started leveraging Generative AI for their malicious purposes and day-to-day activities, including creating malware and operating underground forums. In this blog, KELA delves into how cybercriminals manipulate and exploit ChatGPT and other AI platforms for stealing information and launching cyberattacks, as well as in their daily activities.
On May 29, 2023, a database containing the information of nearly 479,000 members of the RaidForums hacking forum was leaked online on a new forum named Exposed. RaidForums was known for hosting, leaking, and selling stolen data from breached organizations. Following the seizure by law enforcement and its subsequent closure, users migrated to a new forum called Breached (BreachForums). Breached was just recently seized by law enforcement, too, after its founder was arrested. Exposed has emerged as a possible replacement for Breached in May 2023; its founders are not seemingly affiliated with the owners of RaidForums or Breached. The leaked RaidForums database was published by a user called ‘Impotent’, the owner of Exposed, who stated that its origin is unknown. Users on other cybercrime communities have wondered, too, how this leak came to be if access to the forum was supposedly only at the hands of law enforcement. The forum has used the leak as a marketing tool and placed a banner inviting all new users to come and download the leak (which is possible by buying a 50 euro upgrade to reveal the download link). Following the leak, the number of users on Exposed tripled: from around 900 members on May 28, 2023 (one day before the leak) to more than 3200 users just two days later. KELA has indexed the database (available on KELA’s platform through a free trial via the following query) and is sharing some insights gained from exploring it. The leaked table appears to cover members who registered between March 2015 and September 2020 and includes users’ email addresses, usernames, instant messaging usernames, languages, IP addresses, DOBs, forum usage information, login keys, and hashed passwords with salt. As stated by Impotent, some users were removed from the leak.
David Carmiel, KELA's CEO
In recent years, the cybercrime underground has become increasingly sophisticated and profitable by preying on vulnerable organizations. As a result, security leaders must gain visibility into what happens in this underground network of illegal activity to protect their organizations from emerging threats and accurately assess their risks. In this article, I will explore the current state of the cybercrime underground, including its definition, motivations, actors and methods. I will also provide recommendations for security leaders on defending their organizations against emerging threats.
The cybercrime underground is a term for virtual sites, methods, platforms and tools with which threat actors congregate and communicate to sell their ill-gotten gains and purchase criminal services and products. Online forums are an illustrative example of where threat actors conduct illegal commercial activities. Forums provide an effective platform for threat groups, their peers and their potential customers to discuss tactics, technologies and procedures. These virtual venues allow criminals to recruit talent and engage in illegal commerce.
Yael Kishon, Threat Intelligence Analyst
Managed service providers (MSPs or MSSPs) have become a vital part of many companies, providing a range of IT services and support to keep operations running smoothly. At the same time, MSPs become attractive targets for cybercriminals aiming not only to compromise assets of a single company, but also to increase the number of potential victims and to target a wide range of third parties. In this blog, we examine the ongoing interest of threat actors in the cybercrime ecosystem targeting MSPs and IT companies.
Initial access brokers (IABs) — threat actors who sell network access on cybercrime forums — seem to actively compromise MSPs. Network access is a broad term that is used to describe multiple different vectors, permission levels, and entry points. The offering can include SQL injection, remote desktop protocol (RDP) credentials, or the ability to change from user to admin privileges. The actors selling such network access types provide an initial entry point to a compromised network that can be further leveraged by other cybercriminals. The most common type of access is offered through RDP or VPN access. Threat actors define specific attributes of their ideal victim based on the geographies, sectors and revenue of the victim.
David Carmiel, KELA's CEO
To be prepared for the future of cybercrime, security teams must remain vigilant, as the threat of malicious actors continues to evolve. Businesses and institutions must understand the cybercrime underground and develop strategies to mitigate threats to stay ahead of criminals. Organizations must research past security incidents and consider what victims could have done differently. They should then take this knowledge and assess their attack surface, identifying the areas where a malicious actor can exploit weak points or gain access. Once an organization has identified its attack surface, it must ensure that security teams have access to relevant threat intelligence. Threat intelligence helps teams avoid malicious actors by providing up-to-date data on existing or emerging threats. Companies should educate their staff about the latest trends in cybercrime so they are aware of potential risks associated with their day-to-day activities online. Training programs should be conducted regularly and cover phishing scams, malware attacks, steps for spotting suspicious emails or websites and proper data handling practices when dealing with customer information or business records. The future of cybercrime is uncertain, but organizations can help protect themselves from becoming the next victim by preparing for the worst.
David Carmiel, KELA's CEO
Cyber threats are evolving faster than ever, and the cybercrime underground has become an organized cybercrime ecosystem. In 2021, ransomware activity increased significantly. The number of attacked companies found in our sources increased almost twofold—from 1,460 to 2,860 victims. To effectively combat these threats, it’s essential for cybersecurity professionals to stay up to date on the latest trends in cybercrime. In this article, we’ll look at five trends shaping the future of cybercrime threat intelligence and how organizations can protect themselves. We’ll also discuss how these trends are impacting the way businesses need to protect themselves against attacks.
The cybercrime underground is complex and dynamic, and cybercrime threats that emerge from it pose a significant risk to organizations. What organizations know and refer to as the cybercrime underground is changing within the hour. Unfortunately, many organizations underestimate that risk or may believe that cybercrime monitoring and threat detection doesn't apply to their organization. Even the organizations that do understand the threat it presents are often underprepared with their tools, processes, and expertise to proactively protect their environments. KELA's mission is to make the complex world of the cybercrime underground simple and accessible to security teams so that they can leverage intelligence from cybercrime underground sources to keep their organizations safe. In order to better understand how they approach their cybercrime monitoring, we recently surveyed 400 security practitioners to see if they have the tools and training to protect their organization effectively, as well as gain insights into their successes, challenges, and current needs. Here are seven key insights from our "State of Cybercrime Threat Intelligence 2022" report about the state of cybercrime threat intelligence today.
In looking at the responses in our survey, it became obvious that what would be most beneficial to their organization is additional training and proficiency in cybercrime investigations — especially with one of the top challenges being a lack of expertise. Security practitioners are also looking for a way to access the cybercrime underground quickly in a secure and non-attributional manner.