CYBER THREAT INTELLIGENCE BLOG

The Secret Life of an Initial Access Broker

Victoria Kivilevich, Threat Intelligence Analyst and Raveed Laeb, Product Manager

Recently, ZDNet exclusively reported a leak posted on a cybercrime community containing details and credentials of over 900 enterprise Pulse Secure VPN servers exploited by threat actors. Since this leak represents an ever-growing ransomware risk, KELA delved into both the leak’s content and the actors involved in its inception and circulation. This short research piece targets a specific tier of cybercriminal actors – Initial Access Brokers. These are mid-tier actors who specialize in obtaining initial network access from a variety of sources, curating and grooming it into a wider network compromise, and then selling it off to ransomware affiliates. With affiliate ransomware programs becoming more and more popular and affecting huge enterprises as well as smaller ones, initial access brokers are rapidly becoming an important part of the affiliate ransomware supply chain. The leaked list mentioned above appears to have circulated between several initial access brokers on cybercrime forums, and was exposed by a LockBit affiliate who regarded those actors as unprofessional. This event showcases the breadth of information exchanged in cybercrime communities and, in KELA’s eyes, emphasizes the need for scalable and targeted monitoring of underground communities.

Back to School: Why Cybercriminals Continue to Target the Education Sector | Part One

Victoria Kivilevich, Threat Intelligence Analyst and Sharon Bitton, Marketing Content Manager

Just a few of the major headlines regarding the education sector have looked like this over the last couple of months:

Blackbaud Hack: Universities Lose Data to Ransomware Attack
The University of California Pays $1 Million Ransom Following Cyber Attack
University of York Discloses Data Breach, Staff and Student Records Stolen

The past year has seen a rise in the number of education-related institutions affected by cyberattacks. In 2019 alone, the K-12 Cyber Incident Map reported that 348 schools publicly disclosed that they had been the victim of a cyberattack. That’s just in the United States and doesn’t take into account universities and colleges, which would push those numbers considerably higher. These statements got us wondering: are underground threat actors actively looking for and interested in targeting organizations in the education sector? What types of attacks are we seeing affecting the education sector? What have been some of the recent attempted attacks seen in the underground ecosystem? Are these targeted attacks on the universities themselves, or do they stem from access obtained through a third-party provider? These are all questions that will be addressed throughout this blog post.

Slacking Off – Slack and the Corporate Attack Surface Landscape

Raveed Laeb, Product Manager

Some media reports stated that last week’s Twitter hack was facilitated by an attacker who fished sensitive credentials out of the company’s internal Slack – essentially leveraging the instant messaging app as a vector for initial access. Credentials to over 12,000 Slack workspaces are available for sale on underground cybercrime markets, representing an explicit threat to thousands of organizations. However, examination of both open-source reporting and cybercrime communities doesn’t reveal a current, well-established attacker interest in the platform. KELA assumes cybercrime actors may be having a hard time monetizing Slack compromises, since the cloud-based app grants no direct access to a target’s network, and pivoting from it to other internal applications requires a combination of tedious reconnaissance and sheer luck. The growth of “big game hunting” tactics in ransomware and the monetization of targeted intrusions lead us to believe that interest in Slack – and in other cloud-based apps expanding the corporate attack surface – will probably grow in the future. As such, KELA strongly recommends implementing an automated, scalable monitoring solution that offers insights into cybercrime activity targeting cloud-based apps storing sensitive data.

Access-as-a-Service – Remote Access Markets in the Cybercrime Underground

Raveed Laeb, Product Manager

Remote Access Markets are automated stores that allow attackers to exchange access credentials to compromised websites and services. As such, they represent an endless stream of opportunities for attackers: buying access to an organization as a service lowers the skill bar for further exploitation and exposes organizations to a wave of online threats – from ransomware to card skimming. This blog reviews one prominent Remote Access Market out of the several tracked and monitored by KELA – MagBo. This store is unique in a few different aspects, but mostly in the volume of goods: over two years of operation, it has featured access to nearly 150,000 compromised websites – including financial institutions, government organizations and critical infrastructure around the world – mostly by selling access to web shells deployed on their servers. KELA maintains that gaining visibility into MagBo, as well as other Remote Access Markets, is a crucial intelligence feed for defenders.

The Duties Beyond Assisting the Public: Darknet Threats Against Canadian Health & Support Organizations

Noy Reuveni, Threat Intelligence Team Leader

As if a global pandemic crisis weren’t enough, organizations focused on the health and support of citizens have been forced to combat not only a widespread virus (and the public needs that come with it), but also threats coming at them from the underground world. As the pandemic continues to affect all types of private and government-affiliated organizations worldwide, KELA’s Cyber Intelligence Center took a look at various assets pertaining to Canadian health and support organizations to assess how their attack surfaces may be affected. This blog post highlights a couple of darknet findings our team has detected, which exemplify how threat actors are targeting these types of organizations in Canada.

What’s Dead May Never Die: AZORult Infostealer Decommissioned Again

Leon Kurolapnik, Threat Intelligence Analyst and Raveed Laeb, Product Manager

Since mid-February, discussions throughout multiple cybercrime communities have noted that the main password-stealing features of the AZORult infostealer – one of the most prevalent stealers currently in use, and the main culprit behind the ongoing campaign – have been disabled by a recent Google Chrome update. Since AZORult isn’t actively maintained, many actors now regard the stealer as fully decommissioned.

Exploring the Genesis Supply Chain for Fun and Profit

Research: Part 1 – Misadventures in GUIDology

Raveed Laeb, Product Manager

This is the first post in a series reviewing the supply chain of the Genesis Store market – a likely Russian threat actor operating a successful, borderline innovative, pay-per-bot store since 2018. The post features a quick-and-easy methodology that breaks down over 335,000 unique Genesis infections into four malware groups, allowing us to attribute over 300,000 AZORult infections to the Genesis actors, who are currently involved in campaigns resulting in tens of thousands of new AZORult infections per month. Furthermore, it seems Genesis isn’t necessarily leading these campaigns, but rather working with various Malware-as-a-Service (MaaS) providers and cybercrime services. This discovery, linking Genesis with widely known commodity malware, highlights the ongoing threat to organizations and the proliferation of illegally obtained data from infections. It also sheds light on the supply chain relationships between actors operating within the cybercrime financial ecosystem (read: the Dark Net); we’ll explore this theme, including specific actors and trends, in the next posts.

Uncovering the Anonymity Cloak

KELA's Research Team

Due to its anonymity, the Darknet is flooded with threat actors working together to share the information, services and knowledge required to carry out successful cyberattacks, particularly within the cybercrime financial ecosystem. We’ve uncovered the real identity of a threat actor dubbed SaNX – a handle that has become infamous among the security departments of numerous leading corporations worldwide. Here, we’ll also reveal his activities, other handles used on the Darknet, and affiliations with other hacking groups.

One Attacker's Trash is Another Attacker's Treasure: A New Ecosystem Drives Cybercrime Innovation

Raveed Laeb, Product Manager

The cybercrime financial ecosystem constantly adapts to meet emerging business needs. Buyers want to obtain the most data in the easiest, most frictionless way possible – and threat actors are glad to lend a helping hand: from Malware-as-a-Service to monthly subscriptions and data breaches, new services are popping up daily. This entry focuses on one interesting trend taking hold in many communities: the direct and targeted selling of data obtained from banking Trojans and infostealers. This is carried out both directly by threat actors in cybercrime communities and through specialized automated markets, and it highlights a threat to enterprises: actors monetizing corporate credentials. However, these robust and vibrant markets also provide a great theatre for intelligence collection and an opportunity for defenders to look directly into cybercriminals’ operations.