Hunting Down Initial Access Brokers with DARKBEAST

KELA’s Cyber Intelligence Center

Initial access brokers have taken the spotlight over the last year following their strong efforts – and success – in significantly facilitating network intrusions for ransomware affiliates and operators. These initial access brokers (“IAB”) continue to gain popularity as they become more active in the cybercrime underground ecosystem. This blogpost will explore the different ways that users can leverage DARKBEAST to track and defeat initial access brokers before they cause harm. The blogpost will explain how DARKBEAST can be used to:

1. Identify noteworthy initial access brokers’ listings with the click of a button.
2. Pivot to investigate initial access brokers or network access listings by utilizing complex queries, metadata searches and Boolean logic.
3. Subscribe to relevant queries in order to track new results over time and receive real-time notifications.
4. Identify initial access brokers hiding threats behind images rather than in plaintext.
5. Leverage finished intelligence compiled by KELA’s experts to gain more contextualized insights about various brokers or listings.
6. Retrieve and analyze data about initial access brokers in your existing tools using the DARKBEAST API.

Australian Mining Companies and Cybercriminals Digging for the Gold

Victoria Kivilevich and Sharon Bitton

While Australian mining companies are busy extracting natural minerals from their lands, cybercriminals are busy extracting sensitive information from mining companies’ infrastructures and employees. For more than a century, Australia’s economy has significantly benefited from the mining industry, with a particularly strong influence in the last decade. Employing over 260,000 people and being valued at more than 200 billion AUD, the mining industry is the primary contributor to the Australian economy, and in parallel under the spotlight of many cybercriminals. As the growth of this industry continues, cybercriminals may be seen profiting more and more from mining companies’ sensitive information. This industry, once relying almost solely on human work, has now evolved with the digital age to make use of technological support for day-to-day operations – naturally creating more opportunities for cybercriminals to exploit. Australia’s mining industry comprises numerous companies; for this research, however, we’ve decided to look into the top 5 companies to identify the interest of cybercriminals in this industry. The research consists of an overview of numerous cyber threats that we have identified, which if exploited correctly could pose significant risk to this industry. The highlights include:

- KELA identified more than 91,000 leaked employee credentials pertaining to the top 5 Australian mining companies, leaked through third-party breaches over the last few years.
- KELA discovered multiple compromised accounts related to employees in the Australian mining industry, which might provide access to sensitive corporate services.
- KELA observed numerous network vulnerabilities in the Internet-facing infrastructure of the top 5 companies in the mining industry.
- KELA detected a compromised network access listed for sale. Upon research, KELA identified that the victim is a company that provides services to, and stores sensitive data belonging to, companies in the mining and energy sector in Australia.

Dark Net Markets Going Out of Business: Where are Users Headed to Next?

Victoria Kivilevich, Threat Intelligence Analyst, and Sharon Bitton, Marketing Manager

Going out of business is a common phenomenon among online marketplaces, both on the Dark Net and on the surface web. Dark Net marketplaces continually shut down for a number of reasons, causing those markets’ users to actively search for alternative spots to trade goods and services. In light of the major announcement of Joker’s Stash shutting down on February 15th, 2021, we’ve dived into the cybercrime underground to understand more about the closures of Dark Net marketplaces and where the markets’ users migrate to. The research’s main highlights include:

- KELA identified four main marketplaces that are trying to steal Joker’s Stash’s users following the market’s closure. According to advertisements and users’ reactions, we may see users shifting activities to Brian’s Club, Vclub, Yale Lodge, and UniCC.
- KELA observes cybercriminals acting just like regular businessmen and marketers, trying to take advantage of their competitors’ terminations in order to advertise their services and steal their competitors’ users.
- KELA reveals an evident trend of market administrators offering free vendor bonds to try to lure new sellers to their marketplaces following a competitor’s market closure.
- KELA highlights the significance of monitoring threat actors and their TTPs so that enterprise defenders can assess actors’ credibility, predict actors’ next steps, and protect their organizations from cyber threats.

$1 Million is Just the Beginning: Q4 2020 in Network Access Sales

Victoria Kivilevich, Threat Intelligence Analyst

Multiple initial network accesses continue to appear for sale in underground forums every day, some of them becoming an initial entry point for ransomware operators. Following KELA’s analysis of initial access brokers’ activities in September 2020, we’ve assessed the listings of network access from all of Q4 2020. We’ve shared some of the major takeaways below:

- KELA traced almost 250 initial network accesses listed for sale in Q4 2020. The cumulative price requested for all accesses surpasses $1.2 million. On average, we observed around 80 accesses offered for sale in each month of Q4 2020.
- Out of these network access listings, KELA found that at least 14% were noted as sold by actors.
- As the overall month-to-month number is lower than in September (108 accesses), KELA identified a growing trend of accesses being sold in private conversations rather than publicly in forums, which is likely the cause of the slight decline.
- While establishing a list of the most expensive accesses and the TTPs of their sellers, KELA discovered that the attack surface is constantly expanding, with initial access brokers offering new access types. Meanwhile, RDP- and VPN-based accesses, as well as vulnerabilities (allowing actors to run code using a specific flaw and potentially enabling them to pivot further within the targeted environment), constitute the majority of the offers.

Darknet Threat Actors Are Not Playing Games with the Gaming Industry

Almog Zoosman, Pre-Sales Engineer, and Victoria Kivilevich, Threat Intelligence Analyst

The gaming industry should really thank Covid-19: people are stuck at home, seeking indoor hobbies, and giving online gaming a chance. With the rise in gamers and purchases, the online gaming industry is estimated to reach $196 billion in revenue by 2022. However, the growing success of this industry also draws the attention of cybercriminals scouting out new targets – and what better target could cybercriminals ask for than an up-and-coming industry that may not be prioritizing its security precautions as much as its advancement and profit. So, though this industry isn’t valued at the trillions of dollars the financial industry may be valued at, it still checks the boxes for two key factors that many profit-driven cybercriminals tend to seek: increased profit and minimal complexity in the process of obtaining it. In order to assess the threat landscape of the gaming industry in light of Covid-19, we explored the risks that are potentially threatening employees and internal resources of the leaders of this industry.[1] We’ve included some of this blog’s key takeaways below:

- KELA observed multiple instances of supply and demand for initial network access to gaming companies (especially their resources designed for developers).
- KELA found nearly 1 million compromised accounts pertaining to gaming clients and employees, with 50% of them offered for sale during 2020.
- KELA detected more than 500,000 leaked credentials pertaining to employees of the leading companies in the gaming sector.
- The gaming industry is growing, in turn increasing the number of threats against it. By proactively monitoring darknet communities, organizations in this industry can collect valuable real-time intelligence in order to gain an external viewpoint on their organizations’ attack surfaces and mitigate cyber threats.

Easy Way In? 5 Ransomware Victims Had Their Pulse Secure VPN Credentials Leaked

Victoria Kivilevich, Threat Intelligence Analyst

Rising ransomware attacks around the world, together with the recent lists of exposed Pulse Secure VPN credentials, set the backdrop for KELA’s latest research. While not all ransomware attacks used CVE-2019-11510 (a vulnerability of unpatched Pulse Secure VPN servers) or the previously shared credentials to the compromised corporate networks, it does add another layer to the analysis of possible initial infection vectors used in ransomware incidents. Moreover, the recent exposure of credentials to nearly 50,000 vulnerable Fortinet VPNs raises further concern about possible infection vectors that can be used for ransomware attacks. Our key findings include:

- Five victims of ransomware attacks had their credentials to their Pulse Secure VPN servers exposed as part of two Pulse Secure VPN lists (i.e., directories with folders and files) that were shared by malicious actors in August 2020.
- Data from three of the victims was leaked to ransomware gangs’ blogs in an attempt to force them to pay a ransom. Based on KELA’s conversation with threat actors related to the attack, at least one victim (unnamed) paid the ransom.
- A threat actor involved in the attack confirmed that they gained initial access to at least one compromised network via CVE-2019-11510.
- Proactive monitoring of darknet threats, such as the Pulse Secure VPN lists, helps enterprise defenders secure their networks and prevent further, more sophisticated attacks, such as ransomware attacks.

Zooming into Darknet Threats Targeting Japanese Organizations

Victoria Kivilevich, Threat Intelligence Analyst

In light of rising cyberattacks and ahead of the 2021 Tokyo Games, Japan is investing in cybersecurity efforts, one of them being the establishment of a government entity dubbed the Digital Agency. The decision follows recent fraud involving Japanese bank accounts linked to cashless payment services, which could be carried out by brute-forcing, by using compromised credentials to banking accounts or via other attack vectors. Attacks on the banking infrastructure are just one part of the threats targeting Japanese organizations recently explored by KELA. They include:

- Leaked data and compromised accounts. KELA detected that data belonging to Japanese corporations, as well as government and educational entities, is actively circulating in the darknet and being demanded by threat actors. This data can be used to gain initial network accesses, i.e. entry points to targeted networks.
- Initial network accesses. KELA observed several compromised Japanese companies, ranging from corporations to universities, including one Japanese ministry, during June-October 2020. These accesses can be leveraged to eventually deploy ransomware.
- Ransomware incidents. KELA detected at least 11 Japanese victims of ransomware attacks in June-October 2020. The affected companies are from manufacturing, construction and government-related industries, with the top victims having around $143 billion, $33 billion and $2 billion in yearly revenue.

KELA’s 100 Over 100: September 2020 in Network Access Sales

Raveed Laeb, Product Manager, and Victoria Kivilevich, Threat Intelligence Analyst

While ransomware attacks are on the rise, more and more initial network accesses are being sold in underground forums every day, some of them becoming an initial entry point for ransomware operators. Following KELA’s research about initial access brokers, we’ve decided to analyze some of the accesses sold over September 2020 to build a comprehensive picture of the activities in this field. Major takeaways are:

- Initial network access is a general term that refers to remote access to a computer in a compromised organization. The threat actors selling it – initial access brokers – link opportunistic campaigns with targeted attackers, namely ransomware operators.
- KELA traced over 100 initial network accesses put on sale by threat actors in one month – three times more than in August 2020. The cumulative price requested for all accesses surpasses $500,000.
- Of these network access listings, KELA found that at least 23% were reported as sold by the actors, for cumulative revenue of nearly $90,000.
- While establishing a list of the top 5 most expensive accesses and the TTPs of their sellers, KELA examined the hypothesis that the price depends on the victim’s revenue and the level of privileges gained through the access. Domain admin access can be 25-100% more expensive than user access.
- Initial access brokers’ public activity on cybercrime communities provides rare visibility into the inner workings of threat actors; network defenders should leverage this visibility in order to understand the threat landscape and prioritize defense mechanisms accordingly. Moreover, passing network access from an initial access broker to a ransomware affiliate effectively splits the exploitation process into two distinct phases – a TTP that may be invaluable during threat hunting and adversary simulation.