CYBER THREAT INTELLIGENCE BLOG

An Executive’s Guide To The Cybercrime Underground

David Carmiel, KELA's CEO

In recent years, the cybercrime underground has become increasingly sophisticated and profitable by preying on vulnerable organizations. As a result, security leaders must gain visibility into what happens in this underground network of illegal activity to protect their organizations from emerging threats and accurately assess their risks. In this article, I will explore the current state of the cybercrime underground, including its definition, motivations, actors and methods. I will also provide recommendations for security leaders on defending their organizations against emerging threats.

The cybercrime underground is a term for virtual sites, methods, platforms and tools with which threat actors congregate and communicate to sell their ill-gotten gains and purchase criminal services and products. Online forums are an illustrative example of where threat actors conduct illegal commercial activities. Forums provide an effective platform for threat groups, their peers and their potential customers to discuss tactics, technologies and procedures. These virtual venues allow criminals to recruit talent and engage in illegal commerce.

Attacks on MSPs: How Threat Actors Kill Two Birds (and More) With One Stone

Yael Kishon, Threat Intelligence Analyst

Managed service providers (MSPs or MSSPs) have become a vital part of many companies, providing a range of IT services and support to keep operations running smoothly. At the same time, MSPs become attractive targets for cybercriminals aiming not only to compromise assets of a single company, but also to increase the number of potential victims and to target a wide range of third parties. In this blog, we examine the ongoing interest of threat actors in the cybercrime ecosystem targeting MSPs and IT companies.

Initial access brokers (IABs) — threat actors who sell network access on cybercrime forums — seem to actively compromise MSPs. Network access is a broad term that is used to describe multiple different vectors, permission levels, and entry points. The offering can include SQL injection, remote desktop protocol (RDP) credentials, or the ability to change from user to admin privileges. The actors selling such network access types provide an initial entry point to a compromised network that can be further leveraged by other cybercriminals. The most common type of access is offered through RDP or VPN access. Threat actors define specific attributes of their ideal victim based on the geographies, sectors and revenue of the victim.

How To Prepare Your Organization For The Future Of Cybercrime

David Carmiel, KELA's CEO

To be prepared for the future of cybercrime, security teams must remain vigilant, as the threat of malicious actors continues to evolve. Businesses and institutions must understand the cybercrime underground and develop strategies to mitigate threats to stay ahead of criminals. Organizations must research past security incidents and consider what victims could have done differently. They should then take this knowledge and assess their attack surface, identifying the areas where a malicious actor can exploit weak points or gain access. Once an organization has identified its attack surface, it must ensure that security teams have access to relevant threat intelligence. Threat intelligence helps teams avoid malicious actors by providing up-to-date data on existing or emerging threats. Companies should educate their staff about the latest trends in cybercrime so they are aware of potential risks associated with their day-to-day activities online. Training programs should be conducted regularly and cover phishing scams, malware attacks, steps for spotting suspicious emails or websites and proper data handling practices when dealing with customer information or business records. The future of cybercrime is uncertain, but organizations can help protect themselves from becoming the next victim by preparing for the worst.

5 Trends Shaping The Future Of Cybercrime Threat Intelligence

David Carmiel, KELA's CEO

Cyber threats are evolving faster than ever, and the cybercrime underground has become an organized cybercrime ecosystem. In 2021, ransomware activity increased significantly. The number of attacked companies found in our sources increased almost twofold—from 1,460 to 2,860 victims. To effectively combat these threats, it’s essential for cybersecurity professionals to stay up to date on the latest trends in cybercrime. In this article, we’ll look at five trends shaping the future of cybercrime threat intelligence and how organizations can protect themselves. We’ll also discuss how these trends are impacting the way businesses need to protect themselves against attacks.

400 Security Practitioners Gave These 7 Insights into Their Cybercrime Monitoring

The cybercrime underground is complex and dynamic, and cybercrime threats that emerge from it pose a significant risk to organizations. What organizations know and refer to as the cybercrime underground is changing within the hour. Unfortunately, many organizations underestimate that risk or may believe that cybercrime monitoring and threat detection doesn't apply to their organization. Even the organizations that do understand the threat it presents are often underprepared with their tools, processes, and expertise to proactively protect their environments. KELA's mission is to make the complex world of the cybercrime underground simple and accessible to security teams so that they can leverage intelligence from cybercrime underground sources to keep their organizations safe. In order to better understand how they approach their cybercrime monitoring, we recently surveyed 400 security practitioners to see if they have the tools and training to protect their organization effectively, as well as gain insights into their successes, challenges, and current needs. Here are seven key insights from our "State of Cybercrime Threat Intelligence 2022" report about the state of cybercrime threat intelligence today.

In looking at the responses in our survey, it became obvious that what would be most beneficial to their organization is additional training and proficiency in cybercrime investigations — especially with one of the top challenges being a lack of expertise. Security practitioners are also looking for a way to access the cybercrime underground quickly in a secure and non-attributional manner.

Proact, Don’t React: How CISOs Should View Cybercrime Threat Intelligence

David Carmiel, KELA's CEO

Anyone involved in cybersecurity knows that the threat landscape is constantly evolving. Attackers are always looking for new ways to exploit systems and data, while defenders are working hard to stay ahead of them. In this constant cat-and-mouse game, it’s essential for security professionals to have up-to-date information on the latest threats. When defending your organization against cybercrime threats, it’s essential to have access to the latest threat intelligence. Security teams need actionable insights into the cybercrime underground ecosystem to better understand the threats their organizations face and take appropriate steps to defend themselves. Threat intelligence can be extremely valuable in helping organizations stay ahead of attackers and mitigate risk. But it’s also a complex and rapidly changing field, so keeping up with the latest trends can be challenging. This article will look at how the cybercrime threat intelligence landscape has evolved over the last few years and what we can expect in the coming months and years. We’ll also discuss some critical challenges security professionals face when implementing or using cybercrime threat intelligence.

Defender-in-the-middle: How to reduce damage from info-stealing malware

Victoria Kivilevich, Director of Threat Research

Bottom Line Up Front

Following recent hacks of Uber and Rockstar Games, KELA decided to take a look at attacks that started with compromised corporate credentials being leaked or traded in the cybercrime ecosystem. Nowadays, this ecosystem enables threat actors to easily acquire such credentials that were accessed by information-stealing malware and offered for sale on automated botnet marketplaces, such as Genesis, Russian Market and TwoEasy. While some threat actors are looking for banking and e-commerce credentials that they can use to cash out easily by stealing money from a compromised account, smarter attackers target organizations and their corporate credentials. These attackers are exchanging tips for finding such credentials, and they use the cybercrime ecosystem to buy them for a few dollars. Luckily, defenders can access the same cybercrime ecosystem and can have the same visibility as a threat actor that is planning an attack. Threat intelligence solutions can be used effectively to monitor exposed assets and reduce attack surface by remediating exposures or taking down compromised data. It’s crucial to consider not only direct assets of the company, but also workspaces hosted by third parties, with Slack being a perfect example: based on KELA’s research, thousands of unique workspaces were compromised and could be used for attacks similar to the Electronic Arts incident. The evolution of cybercrime — focusing on servitization (paying for a service instead of buying the equipment) and sales automation, as well as increased visibility of goods — will drive more threat actors to use this ecosystem.

Six months into Breached: The legacy of RaidForums?

Yael Kishon, Threat Intelligence Analyst

On March 14, 2022, a new English-language cybercrime forum called Breached (also known as BreachForums) launched, as a response to the closure and seizure of the popular RaidForums. Breached was launched with the same design by the threat actor “pompompurin” as “an alternative to RaidForums,” offering large-scale database leaks, login credentials, adult content, and hacking tools. In late January 2022, three prominent actors from RaidForums were arrested after the domain was seized – the administrator and creator of the forum “Omnipotent” and two other administrators, “Jaw” and “moot.” According to the US Department of Justice, the owner of RaidForums was Portuguese national Diogo Santos Coelho (aka Omnipotent), who was charged with conspiracy, access device fraud, and aggravated identity theft. Coelho and his partners are alleged to have designed the forum’s software and computer infrastructure and managed the forum, promoting database exchange. After the closure of RaidForums, it was only a few weeks until the launch of Breached. And in the first six months of its existence, Breached has become the new platform for database exchange, attracting more than 82,000 registered users. KELA explored whether Breached has actually replaced RaidForums as the most popular database exchange site and analyzed the top actors’ activities and trends associated with the new forum.

(NOT) Lost in Translation – Why Your Language Doesn’t Matter to Cybercriminals

Irina Nesterovsky, Chief Research Officer

At KELA, we meet and work with companies from various geographies and languages, yet everyone keeps asking the same question: “Do you cover Spanish/French/Arabic/Younameit cybercrime sources?” First, the answer is “yes” (isn’t that always the case?), but we also have a more in-depth one: a threat against any company, no matter the vertical, no matter the size, is not confined to a language or geography. What’s interesting about cybercrime, especially cybercrime targeted at enterprises and their clients, is that the criminals perpetrating it don’t have to be your countrymen or even speak your language to pose a threat to your organization. As an example, let’s look into some of the most high-profile cybercrime communities discussing various schemes and trading in network accesses, databases, and other goods purely for monetary gain. Those – taking as an example the Exploit and XSS forums – happen to be run by Russian-speaking threat actors, who will also use English to correspond with their fellow foreign cybercriminals. The targets and victims discussed by those cybercriminals vary and can include any company worldwide, regardless of where it is located. And while, as seen in KELA’s review of Initial Access Brokers trends, the leading country with companies compromised through network access is still the US, it is followed by the UK, Brazil, Canada, and India.

The Next Generation of Info Stealers

KELA Cyber Intelligence Center

In recent years, information-stealing Trojans have become a very popular attack vector. This type of malware is used for harvesting saved information on machines including usernames and passwords (“logs”) which are further sold on automated botnet marketplaces such as RussianMarket, TwoEasy, and Genesis, or privately. If purchased by threat actors, these credentials pose a significant risk to an organization, as they allow actors to access various resources which may result in data exfiltration, lateral movement, and malware deployment, such as ransomware. Some of the most popular info-stealers advertised on cybercrime forums and identified on these marketplaces are RedLine, Raccoon, and Vidar. While some of these commodity stealers remain relevant, KELA observed that the threat landscape started to change under various conditions. The Russia-Ukraine war, the info-stealer operators’ need to improve malware capabilities, and their financial motivation, resulted in new stealers and services becoming available. This report focuses on the currently active information stealers, highlighting the evolution of the old stealers, as well as the debut of new ones.