CYBER THREAT INTELLIGENCE BLOG

KELA is Named One to Watch in the Data Enrichment Category of Snowflake’s 2023 Next-Generation Cybersecurity Applications Report!

Data enrichment is the process of pairing security event data with non-event data and deriving useful information to translate raw data into meaningful and actionable insights to improve an organization’s security. This process gives security analysts more context about the data their security tools are ingesting and what’s happening in their environment.

Uncovering Your Adversaries with KELA’s Threat Actors Hub

The cybercrime landscape is constantly evolving with sophisticated threats and risks, but the heart of the cybercrime ecosystem is built on threat actors. Being the brains behind each cyber incident, they are responsible for ransomware attacks, data breaches, building new malware, and attempts to compromise corporate networks. Threat actors span a wide range of players, from nation-state actors to script kiddies. This blog delves into KELA’s new module – Threat Actors – and details how CTI analysts can leverage it for their everyday tasks. The module allows security teams to monitor, identify, and track threat actors in the cybercrime landscape, and to understand their TTPs and their connections with other actors. It further delivers actionable intelligence on their motivations, aliases, tools, contact details, and activity in cybercrime forums.

KELA Revolutionizes Cyber Intelligence with Two Cutting-edge Modules, Threat Actors and Identity Guard, Elevating and Simplifying Proactive Threat Defense

November 20, 2023 – KELA, the leading provider of real, actionable threat intelligence, is announcing the launch of two groundbreaking modules – Threat Actors and Identity Guard. These additions reflect the company’s ongoing dedication to refining its comprehensive cyber intelligence platform. The innovative modules not only strengthen KELA’s commitment to delivering timely and actionable threat intelligence but also empower organizations of all sizes, contributing to a more robust and adaptable security posture. The modules are designed to enhance the accessibility of threat intelligence, delivering timely and actionable insights to effectively counter cyber threats facing your organization.

Surviving the QakBot Takedown: Black Basta and Knight Ransomware Operations

In late August 2023, in a major operation named Operation Duck Hunt, the FBI, along with international partners, announced that they had dismantled the QakBot malware infrastructure. The botnet has been known to be used by different ransomware gangs, such as Ryuk, ProLock, Egregor, REvil, MegaCortex, Doppelpaymer and Black Basta, for their malware delivery. While most of them are no longer active, some continue to operate — such as Black Basta. As seen by KELA, the botnet takedown could have affected their operations, but it seems that two months after the dismantling, the group is back in business, possibly with a new initial infection vector. On the other hand, Black Basta may choose to persist in collaborating with threat actors linked to QakBot, given their ability to continue distributing the Knight ransomware (formerly known as Cyclops) successfully in recent months. This blog details the two operations’ collaboration with QakBot and how the takedown affected their activities.

Have a SAFE ride – Cyber Threats in the Automotive Sector

In recent years, the automotive industry has been undergoing a rapid digital transformation. As new technologies become increasingly prominent in the automotive sector, they open the door to a wide range of cyber threats and draw high interest from cybercriminals seeking to attack automotive companies.

A Glimpse into August 2023 Vulnerabilities Discussed by Cybercriminals

In August 2023, KELA encountered several critical vulnerabilities that raised significant interest within the cybercrime underground: CVE-2023-3519 (Citrix ADC and NetScaler Gateway), CVE-2023-27997 (Fortigate), CVE-2023-34124 (SonicWall), and CVE-2022-24834 (Redis). This report highlights the details of each vulnerability, their implications, and recommendations for mitigation. In addition to known vulnerabilities, threat actors always look to buy 0-day vulnerabilities to exploit, and KELA highlights two recent cases related to flaws in Windows and TP-Link W8970 routers.

GDPR Gambit: The new favorite of Ransomware and Extortion Actors?

“I wonder what the GDPR agency will think about our relationship?” — this is how RansomedVC, a relatively new extortion collective that emerged in August 2023, approaches one of its victims on its blog. Word quickly spread that this actor was leveraging GDPR (General Data Protection Regulation) as a tactic never observed before. However, many attackers have already been using GDPR threats in their ransom notes and blogs to pressure European victims into paying them, similarly to RansomedVC. In this blog, KELA looks at actors using GDPR as their leverage.

Telegram Clouds of Logs – the fastest gateway to your network

What do Okta, Uber, and EA Games have in common? All fell victim to cyberattacks enabled by a single access point: compromised employee credentials. In the ever-changing cybercrime landscape, cybercriminals always find ways to get their hands on sensitive corporate data. One of the most popular ways to gather such credentials is using information-stealing malware, or simply buying the bots (machines already compromised by info-stealing malware) on botnet markets and Telegram channels. Recently, CISA reported that more than half of all cyberattacks on government entities and critical infrastructure involve valid credentials. That means that cybercriminals are using active employee credentials or default administrator credentials for their attacks. After acquiring login credentials, whether through purchase or by obtaining them for free, threat actors utilize these valuable assets in various campaigns, ranging from phishing to ransomware attacks. In this blog post, KELA examines the contrast between two methods of acquiring credentials: botnet markets such as Russian Market, Genesis, and TwoEasy (enabling the individual purchase of bots), and “clouds of logs”. Clouds of logs operate on a subscription basis, allowing threat actors to purchase and utilize multiple bots together through platforms like Telegram. The user-friendly Telegram interface, extensive bot sharing, and the diversity of actors and information-stealing tools collectively enhance the appeal and convenience of this messaging platform for conducting such transactions.