Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label attacks. Show all posts

Global Effort Unites Against Ransomware: New Guidance to Strengthen Business Defenses

  

Ransomware attacks continue to pose significant challenges for businesses worldwide, with incidents on the rise. 

In response, the UK, along with 38 other nations and international cyber insurance organizations, has collaborated to release updated guidance aimed at supporting victims and enhancing resilience. This guidance advises against making immediate ransom payments, as recovery of data or malware removal is not guaranteed, and paying ransoms often encourages further criminal activity.

Instead, businesses are urged to create a comprehensive response plan, with policies and contingency measures in place. Organizations that fall victim to ransomware should report the incident to law enforcement and consult security professionals for expert guidance.

Ransomware has become a lucrative venture for cybercriminals, causing an estimated $1 billion in losses in 2023. By removing the incentive for criminals, these new policies aim to weaken the ransomware business model and reduce future attacks.

"International cooperation is crucial in fighting ransomware as cybercrime knows no borders," stated Security Minister Dan Jarvis. He emphasized that this collective effort will hit cybercriminals financially and better protect businesses in the UK and beyond.

The UK is taking a leading role, collaborating with three major insurance organizations—the Association of British Insurers, the British Insurance Brokers' Association, and the International Underwriting Association—to issue co-sponsored guidance. Meanwhile, the UK National Crime Agency has taken steps by sanctioning 16 individuals from the 'Evil Corp' cybercrime group, responsible for over $300 million in theft from critical infrastructure, healthcare, and government sectors.

Jonathon Ellison, Director for National Resilience at the NCSC, highlighted the urgency of addressing ransomware threats: "This guidance, backed by both international bodies and cyber insurance organizations, represents a united front in bolstering defenses and increasing cyber readiness."

Researchers Develop 'VoltSchemer' Assaults Aimed at Wireless Charging Systems

 

A team of researchers from the University of Florida, collaborating with CertiK, a Web3 smart contract auditor, have uncovered potential security threats in wireless charging systems. Their research introduces new attack methods, named VoltSchemer, which exploit vulnerabilities in these systems by manipulating power supply voltages.

The VoltSchemer attacks, outlined in a research paper, target weaknesses in wireless charging setups, allowing attackers to disrupt charging devices, tamper with voice assistants, and override safety mechanisms outlined in the Qi standard. Notably, these attacks utilize voltage fluctuations from the power source, requiring no direct modifications to the chargers themselves.

While wireless chargers are generally considered more secure than wired alternatives due to their reliance on near-field magnetic coupling, the researchers argue that they are still susceptible to manipulation. By tampering with power signals, attackers could potentially compromise communication between the charger and the device being charged, leading to malicious actions.

The underlying issue lies in the susceptibility of wireless chargers to electromagnetic interference (EMI) caused by voltage fluctuations. This interference can modulate the power signals transmitted by the charger, enabling attackers to manipulate the magnetic field produced and issue unauthorized commands to connected devices.

In their experiments, the researchers tested the VoltSchemer attacks on nine commercially available wireless chargers, all of which were found to be vulnerable. By inserting a disguised voltage manipulation device, such as a modified power port, between the power adapter and the charger, the researchers successfully executed the attacks.

The consequences of these attacks were significant, with charging smartphones experiencing overheating and devices such as key fobs, USB drives, SSD drives, and NFC cards being permanently damaged or destroyed. The researchers emphasize that the root cause of these vulnerabilities lies in the lack of effective noise suppression in certain frequency bands within wireless charging systems.

Overall, the findings highlight the potential risks associated with wireless charging technologies and underscore the need for improved security measures, especially in high-power systems like electric vehicle (EV) wireless charging.

Espionage Group Suspected of Intruding Asian Nation's Power Grid

 

Earlier this year, cyber attackers targeted an undisclosed Asian country's national power grid using ShadowPad malware, commonly associated with entities linked to the Chinese government, according to cybersecurity experts. 

While Symantec did not explicitly attribute the incident to China, they identified the group as RedFly, who infiltrated the network for up to six months, siphoning credentials and targeting multiple computers. 

ShadowPad, which first emerged in 2017, has also been linked to the APT41 hacking group, which researchers have connected to China's Ministry of State Security and the People's Liberation Army. In recent years, various China-linked groups have employed ShadowPad for cyber-espionage activities.

The attack's initial signs emerged on February 28, when ShadowPad was deployed on a single computer, Symantec reported. The malware reappeared in the network on May 17, indicating that the hackers had maintained access for over three months.

Over the following week, the attackers worked to broaden their access to storage devices, collect system credentials, and conceal their tracks. They utilized the legitimate Windows application oleview.exe to gain insights into the victim's network and move laterally.

Dick O'Brien, principal intelligence analyst at Symantec Threat Hunter, expressed concern about the escalating trend of hackers targeting critical national infrastructure (CNI) with malware. He highlighted that attacks on CNI are particularly worrisome due to the potential for serious disruption, and emphasized that this incident is part of a broader pattern.

Experts warn that the frequency of attacks on CNI organizations has risen over the past year, posing a heightened risk of disruptions to power supplies and essential services during times of heightened political tension.

While Symantec has not observed disruptive actions from RedFly, they acknowledge that such actions have occurred in other regions, underscoring the potential threat.

ShadowPad has been identified in cyberattacks on seven electricity grid management facilities in Northern India, as well as Pakistani government agencies, a state bank, and a telecommunications provider. Critical industries in various countries across Asia and Europe have also been targeted with ShadowPad and other malicious tools.

Designed as a successor to Korplug/PlugX, another popular strain among some Chinese espionage groups, ShadowPad briefly appeared on underground forums, making it challenging for researchers to attribute all instances of its use directly to China-based actors.

LastPass Security Breach Linked to Series of Crypto Heists, Say Experts

 

Security experts allege that some of the LastPass password vaults, which were stolen in a security breach towards the end of 2022, have now been successfully breached, leading to a series of substantial cryptocurrency thefts. 

According to cybersecurity blogger Brian Krebs, a group of researchers has uncovered compelling evidence linking over 150 victims of crypto theft to the LastPass service. The combined value of the stolen cryptocurrency is estimated to be over $35 million, with a frequency of two to five high-value heists occurring each month since December 2022.

Taylor Monahan, the lead product manager at MetaMask, a cryptocurrency wallet company, and a prominent figure in the investigation, noted that the common denominator among the victims was their prior use of LastPass to safeguard their "seed phrase" – a confidential digital key necessary to access cryptocurrency investments. 

These keys are typically stored on secure platforms like password managers to thwart unauthorized access to crypto wallets. Furthermore, the pilfered funds were traced to the same blockchain addresses, further solidifying the connection between the victims.

LastPass, a password management service, experienced two known security breaches in August and November of the previous year. 

During the latter incident, hackers utilized information acquired from the first breach to gain access to shared cloud storage containing customer encryption keys for vault backups. We have contacted LastPass to verify if any of the stolen password vaults have indeed been breached and will provide an update if we receive a response.

LastPass CEO Karim Toubba informed The Verge in a statement that the security breach in November is still under active investigation by law enforcement and is also the subject of pending litigation. The company did not confirm whether the 2022 LastPass breaches are related to the reported crypto thefts.

Researcher Nick Bax, who holds the position of Director of Analytics at crypto wallet recovery company Unciphered, also examined the theft data and concurred with Monahan’s conclusions in an interview with KrebsOnSecurity:

“I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”

Vietnamese Cybercriminals Exploit Malvertising to Target Facebook Business Accounts

Cybercriminals associated with the Vietnamese cybercrime ecosystem are exploiting social media platforms, including Meta-owned Facebook, as a means to distribute malware. 

According to Mohammad Kazem Hassan Nejad, a researcher from WithSecure, malicious actors have been utilizing deceptive ads to target victims with various scams and malvertising schemes. This tactic has become even more lucrative with businesses increasingly using social media for advertising, providing attackers with a new type of attack vector – hijacking business accounts.

Over the past year, cyber attacks against Meta Business and Facebook accounts have gained popularity, primarily driven by activity clusters like Ducktail and NodeStealer, known for targeting businesses and individuals operating on Facebook. 

Social engineering plays a crucial role in gaining unauthorized access to user accounts, with victims being approached through platforms such as Facebook, LinkedIn, WhatsApp, and freelance job portals like Upwork. Search engine poisoning is another method employed to promote fake software, including CapCut, Notepad++, OpenAI ChatGPT, Google Bard, and Meta Threads.

Common tactics among these cybercrime groups include the misuse of URL shorteners, the use of Telegram for command-and-control (C2), and legitimate cloud services like Trello, Discord, Dropbox, iCloud, OneDrive, and Mediafire to host malicious payloads.

Ducktail, for instance, employs lures related to branding and marketing projects to infiltrate individuals and businesses on Meta's Business platform. In recent attacks, job and recruitment-related themes have been used to activate infections. 

Potential targets are directed to fraudulent job postings on platforms like Upwork and Freelancer through Facebook ads or LinkedIn InMail. These postings contain links to compromised job description files hosted on cloud storage providers, leading to the deployment of the Ducktail stealer malware.

The Ducktail malware is designed to steal saved session cookies from browsers, with specific code tailored to take over Facebook business accounts. These compromised accounts are sold on underground marketplaces, fetching prices ranging from $15 to $340.

Recent attack sequences observed between February and March 2023 involve the use of shortcut and PowerShell files to download and launch the final malware. The malware has evolved to harvest personal information from various platforms, including X (formerly Twitter), TikTok Business, and Google Ads. It also uses stolen Facebook session cookies to create fraudulent ads and gain elevated privileges.

One of the primary methods used to take over a victim's compromised account involves adding the attacker's email address, changing the password, and locking the victim out of their Facebook account.

The malware has incorporated new features, such as using RestartManager (RM) to kill processes that lock browser databases, a technique commonly found in ransomware. Additionally, the final payload is obfuscated using a loader to dynamically decrypt and execute it, making analysis and detection more challenging.

To hinder analysis efforts, the threat actors use uniquely generated assembly names and rely on SmartAssembly, bloating, and compression to obfuscate the malware.

Researchers from Zscaler also observed instances where the threat actors initiated contact using compromised LinkedIn accounts belonging to users in the digital marketing field, leveraging the authenticity of these accounts to aid in social engineering tactics. This highlights the worm-like propagation of Ducktail, where stolen LinkedIn credentials and cookies are used to log in to victims' accounts and expand their reach.

Ducktail is just one of many Vietnamese threat actors employing shared tools and tactics for fraudulent schemes. A Ducktail copycat known as Duckport, which emerged in late March 2023, engages in information stealing and Meta Business account hijacking. Notably, Duckport differs from Ducktail in terms of Telegram channels used for command and control, source code implementation, and distribution, making them distinct threats.

Duckport employs a unique technique of sending victims links to branded sites related to the impersonated brand or company, redirecting them to download malicious archives from file hosting services. Unlike Ducktail, Duckport replaces Telegram as a channel for passing commands to victims' machines and incorporates additional information stealing and account hijacking capabilities, along with taking screenshots and abusing online note-taking services as part of its command and control chain.

"The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to ransomware-as-a-service model) centered around social media platforms such as Facebook," WithSecure said.

Recent Vulnerability Puts 3,000 Openfire Servers at Risk of Attack

More than 3,000 instances of Openfire servers have not undergone patching to address a recent vulnerability, leaving them susceptible to potential attacks exploiting a newly discovered exploit, according to a report by VulnCheck, a firm specializing in vulnerability intelligence.

Openfire, developed by Ignite Realtime, functions as a cross-platform real-time collaboration server written in Java. Operating on the XMPP protocol, it allows web interface administration.

The vulnerability, identified as CVE-2023-32315, is classified as high-severity and pertains to Openfire's administration console. It is characterized as a path traversal flaw within the setup environment, enabling unauthorized attackers to gain entry to restricted sections of the admin console.

The root of the problem stems from Openfire's inadequate protection against specific non-standard URL encoding for UTF-16 characters. The webserver's lack of support for these characters allowed the inclusion of the new encoding without an accompanying update to the protection measures.

All iterations of Openfire, starting from version 3.10.0 launched in April 2015 up to versions 4.7.5 and 4.6.8 issued in May 2023 for vulnerability remediation, are impacted by this flaw.

Exploitations of this vulnerability have been observed over a span of more than two months. Cyber threat actors have been establishing fresh user accounts in the admin console to introduce a new plugin. This plugin houses a remote web shell, affording the attackers the ability to execute arbitrary commands and infiltrate server data.

Publicly available exploits targeting CVE-2023-32315 adhere to a uniform pattern. However, VulnCheck asserts the identification of a novel exploit path that doesn't necessitate the creation of an administrative user account.

VulnCheck has identified a total of over 6,300 accessible Openfire servers on the internet. Of these, around half have either been patched against the vulnerability, run non-vulnerable older versions, or are divergent forks that might remain unaffected.

The firm highlights that approximately 50% of externally facing Openfire servers operate on the impacted versions. Despite their relatively small number, the firm underscores the significance of this issue due to the trusted role these servers hold in connection with chat clients.

The vulnerability's implications allow an attacker lacking authentication to access the plugin administration endpoint. This provides the attacker with the capability to directly upload the plugin and subsequently access the web shell, all without authentication.

VulnCheck clarifies that this strategy avoids triggering login notifications in the security audit log, ensuring a discreet operation. The absence of a security audit log entry is notable, as it eliminates evidence of the breach. 

While signs of malicious activity might be present in the openfire.log file, the attacker can exploit the path traversal to eliminate the log through the web shell. This leaves the plugin as the sole compromise indicator, an aspect of the situation that VulnCheck warns about.

“This vulnerability has already been exploited in the wild, likely even by a well-known botnet. With plenty of vulnerable internet-facing systems, we assume exploitation will continue into the future,” VulnCheck concludes.

Understanding Blagging in Cybersecurity: Tactics and Implications

 

Blagging might sound intricate, resembling an elaborate hacking maneuver, yet it is remarkably simpler. Despite its less "high-tech" nature compared to other cybercrimes, blagging can inflict significant harm if businesses are unprepared.

Blagging involves crafty fraudsters attempting to deceive or manipulate individuals into divulging confidential information that should remain off-limits.

These blaggers fabricate convincing stories to coax their targets into revealing data that could fuel illicit activities like identity theft, corporate espionage, or extortion.

So, how does blagging work precisely? Here are some typical blagging tactics:

1. Impersonation: The perpetrator pretends to be someone else, such as a colleague, bank representative, or law enforcement officer. This engenders trust and raises the likelihood of the target sharing confidential information. For instance, they might make a call posing as an IT specialist needing a password to rectify a computer issue.

2. Fabricating Urgency: The scammer employs pressure by framing the request as time-critical. Threats to close accounts or initiate legal action are utilized to extract information swiftly, leaving the target with insufficient time to verify the request's legitimacy.

3. Phishing: Blaggers resort to phishing emails or links infused with malware to breach target systems and pilfer data. These emails are meticulously designed to mimic trustworthy sources, enticing victims to click or download.

4. USB Drop Attack: This stratagem entails leaving malware-laden devices like USB drives in public venues where victims are likely to discover and insert them. Parking lots and elevators serve as popular spots to entice unsuspecting individuals.

5. Name-Dropping: Scammers invoke names of genuine managers, executives, or contacts to create an illusion of authorization for accessing otherwise confidential information. This lends credibility to their dubious appeals.

6. Sympathy Ploys: Fraudsters play on the target's empathy by fabricating emotional narratives to manipulate them. They might claim to be single parents requiring funds in an account to feed their family.

7. Quid Pro Quo: Scammers promise incentives like bonuses, time off, or cash in exchange for information. These are hollow assurances employed to achieve their aims.

8. Tailgating: Blaggers physically tail an employee into a building or restricted area to gain access. They rely on people holding doors open or not questioning their presence.

9. Elicitation: Blaggers engage in friendly conversations to surreptitiously extract information about systems, processes, or vulnerabilities. This innocuous approach is perilous due to its seemingly harmless nature.

The crucial point to remember is that these attackers are adept at deceit and will employ any means necessary to attain their objectives.

Defending Against Blagging Attacks

Given the array of cunning tactics utilized by blaggers, how can individuals and businesses shield themselves from these scams? Here are some essential strategies to counter blagging attacks:

1. Verify Claims: Never take claims at face value—always corroborate stories. If someone claims to be tech support or a colleague in need of information, hang up and call back using an official number to confirm legitimacy. Scrutinize email addresses, names, and contact details closely to ensure they match up.

2. Validate Requests: As an employee, investigate any unusual requests, even if they seem urgent or credible. Consider escalating it to a supervisor or submitting a formal request through established channels. Slow down interactions to allow for thorough investigation before divulging confidential data.

3. Limit Account Access: Employers should grant employees only the minimum access required for their tasks. For instance, customer service representatives likely don't need access to financial systems. This containment strategy mitigates potential damage if an account is compromised.

4. Report Suspicious Activity: If a request appears suspicious or a story doesn't add up, voice your concerns. Alert security or management immediately if you suspect a blagging attempt. Monitor systems and user behavior closely for unusual activity.

5. Security Awareness Training: Well-informed employees are more resistant to blagging attempts. Continuous education fortifies the human defense against social engineering. Real-world scenarios and examples should be integrated into training, including simulated phishing emails and unexpected visitors.

6. Layered Security: Employ multiple overlapping security measures instead of relying on a single point of defense. This encompasses physical security controls, perimeter defenses, endpoint security, email security, access controls, and data loss prevention tools.

7. Remain Vigilant: Blagging targets not only businesses but also individuals. Vigilance is necessary to thwart seemingly innocuous calls or emails from scammers posing as various entities. Recognizing blagging techniques and red flags is paramount.

For business proprietors, comprehensive security awareness training and robust technical defenses are instrumental in neutralizing this threat. With the appropriate safeguards in place, blaggers can be effectively deterred.

Sharp Increase in Malware Attacks via USB Flash Drives

 

Instances of cybercriminals employing USB drives for malware attacks have seen a significant rise. According to security researchers from Mandiant, there has been a three-fold increase in malware attacks via USB drives aimed at stealing sensitive information during the first half of 2023. These researchers have disclosed details regarding two specific attack campaigns.

One of the attack campaigns, attributed to the China-linked cyberespionage group TEMP.Hex, targeted both public and private organizations in Europe, Asia, and the U.S. The attackers utilized USB flash drives to introduce the SOGU malware into compromised systems and extract valuable data. 

The flash drives contained multiple malicious software and employed a DLL hijacking technique to download the final payload into the memory of the compromised systems. Once executed, the SOGU malware carried out various actions such as capturing screenshots, recording keystrokes, establishing reverse shell connections, and enabling remote desktop connections for executing additional files. 

The stolen data was sent to the attackers' command and control (C2) server using a custom binary protocol over TCP, UDP, or ICMP. Industries targeted by this attack campaign included construction, engineering, government, manufacturing, retail, media, and pharmaceutical sectors.

In an attack campaign, victims were enticed to click on a file that appeared to be a legitimate executable file found in the root folder of a USB drive. Upon executing this file, an infection chain was triggered, leading to the download of a shellcode-based backdoor named SNOWYDRIVE.

The malware not only copied itself to removable drives connected to infected systems but also performed various other operations, such as writing or deleting files, initiating file uploads, and executing reverse shell commands.

Recently, the Check Point Research Team uncovered a new USB-based attack campaign attributed to a China-based group called Camaro Dragon. 

The campaign specifically targeted a healthcare institution in Europe and involved the deployment of several updated versions of malware toolsets, including WispRider and HopperTick. It was reported that Camaro Dragon effectively utilized USB drives to launch attacks in Myanmar, South Korea, Great Britain, India, and Russia.

Organizations are strongly advised to prioritize access restrictions on USB devices and conduct comprehensive scans for malicious files before connecting them to their networks. 

Additionally, it is crucial for organizations to enhance their awareness and understanding of such attack campaigns in order to proactively defend against threats from the outset. It can be achieved by implementing a robust and automated Threat Intelligence Platform (TIP) that provides real-time tactical and technical insights into attacks.

CISA Warns of DDoS Attacks on US Organizations Following Multiple Incidents

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about ongoing distributed denial-of-service (DDoS) attacks affecting multiple industry sectors in the United States.

To counter these attacks, all U.S. organizations are advised to proactively prepare their security teams and take necessary measures to prevent or minimize the impact of such attacks.

One proactive measure is for network administrators to be prepared to swiftly implement firewall rules or reroute malicious traffic through DoS protection services. This helps prevent attackers from successfully targeting online portals or services.

Internet service providers (ISPs) can also provide guidance on the appropriate actions to take during such attacks.

"CISA is aware of open-source reporting of targeted denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks against multiple organizations in multiple sectors," the cybersecurity agency said.

"These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible."

CISA, in collaboration with the FBI and MS-ISAC, offers guidance on pre- and post-DDoS attack measures. This includes enrolling in dedicated DDoS protection services that redirect malicious traffic away from targeted assets.

Additionally, federal civilian executive branch (FCEB) agencies are advised to leverage tools like the Managed Security Service (MSS) and the Managed Trusted Internet Protocol Service (MTIPS) provided by the General Services Administration (GSA). These tools help mitigate the effects of DDoS attacks and restore impacted systems' operation.

The warning from CISA comes in the wake of a series of DDoS attacks that targeted both private and government organizations. These attacks resulted in the temporary shutdown of online portals. The responsibility for these incidents has been claimed by a threat actor known as Anonymous Sudan or Storm-1359 (tracked by Microsoft). Some cybersecurity researchers speculate a possible link to Russia.

Anonymous Sudan recently claimed responsibility for taking down the websites of EFTPS.gov (the U.S. Treasury Department's Electronic Federal Tax Payment System) and the U.S. Commerce Department. Independent verification confirmed the downtime of eftps.gov during the attack as stated by the threat group on their Telegram channel.

Furthermore, the threat group claimed another DDoS attack targeting Stripe's business payment management dashboard, which handles payments, refunds, and operations.

In previous instances, Anonymous Sudan also claimed responsibility for DDoS attacks that disrupted Microsoft's Outlook, OneDrive, and Azure web portals.

Since May, the group has targeted several large organizations globally, including Scandinavian Airlines (SAS), Tinder, Lyft, and various hospitals across the United States.

CryptosLabs Scam Ring Preys on French-Speaking Investors, Amasses €480 Million

 

A group of cybersecurity researchers has uncovered the inner workings of a fraudulent organization known as CryptosLabs. This scam ring has allegedly generated illegal profits amounting to €480 million by specifically targeting individuals who speak French in France, Belgium, and Luxembourg since April 2018.

According to a comprehensive report by Group-IB, the scam ring's modus operandi revolves around elaborate investment schemes. They impersonate 40 prominent banks, financial technology companies, asset management firms, and cryptocurrency platforms. The scam infrastructure they have established includes over 350 domains hosted on more than 80 servers.

Group-IB, headquartered in Singapore, describes CryptosLabs as an organized criminal network with a hierarchical structure. The group comprises kingpins, sales agents, developers, and call center operators. These individuals are recruited to lure potential victims by promising high returns on their investments.

"CryptoLabs made their scam schemes more convincing through region-focused tactics, such as hiring French-speaking callers as 'managers' and creating fake landing pages, social media ads, documents, and investment platforms in the French language," Anton Ushakov, deputy head of Group-IB's high-tech crime investigation department in Amsterdam, stated.

"They even impersonated French-dominant businesses to resonate with their target audience better and be successful in exploiting them."

The scam begins by enticing targets through advertisements on social media, search engines, and online investment forums. The scammers masquerade as the "investment division" of the impersonated organization and present attractive investment plans, aiming to obtain the victims' contact details.

Once engaged, the victims are contacted by call center operators who provide them with additional information about the fraudulent platform and the credentials needed for trading. After logging into the platform, victims are encouraged to deposit funds into a virtual balance. They are then shown fabricated performance charts, enticing them to invest more in pursuit of greater profits. However, victims eventually realize they cannot withdraw any funds, even if they pay the requested "release fees."

"After logging in, the victims deposit funds on a virtual balance," Ushakov said. "They are then shown fictitious performance charts that trigger them to invest more for better profits until they realize they cannot withdraw any funds even when paying the 'release fees.'"

Initially, the victims are required to deposit around €200-300. However, the scam is designed to manipulate victims into depositing larger sums by presenting them with false evidence of successful investments.

Group-IB initially uncovered this large-scale scam-as-a-service operation in December 2022. Their investigation traced the group's activities back to 2015 when they were experimenting with various landing pages. CryptosLabs' involvement in investment scams became more prominent in June 2018 after a preparatory period of two months.

A key aspect of the fraudulent campaign is the utilization of a customized scam kit. This kit enables the threat actors to execute, manage, and expand their activities across different stages of the scam, ranging from deceptive social media advertisements to website templates used to facilitate the fraud.

The scam kit also includes auxiliary tools for creating landing pages, a customer relationship management (CRM) service that allows the addition of new managers to each domain, a leads control panel used by scammers to onboard new customers to the trading platform, and a real-time VoIP utility for communicating with victims.

"Analyzing CryptosLabs, it is evident that the threat group has given its activities a well-established structure in terms of operations and headcount, and is likely to expand the scope and scale of its illicit business in the coming years," Ushakov said.

Cl0p Ransomware Targets Sony, EY, and PwC in MOVEit Transfer Cyberattack

 

The recent attack, which commenced earlier this month, has the potential to become one of the largest cyberattacks in history. Its victims include various entities from the public and private sectors in the United States, United Kingdom, and other countries.

Reports suggest that Cl0p, the cybercriminal group behind the attack, claims to possess data from prominent organizations like Sony, as well as leading accountancy firms EY and PwC. In a statement, Cl0p warned that it possesses approximately 120GB of data from PwC, which it may release if its demands are not met.

However, Cl0p denies having any data from government agencies, emphasizing that its focus lies solely on exploiting private companies for financial gain. The group clarifies on its blog that it receives numerous emails regarding government data but promptly deletes such information, as its motivations are primarily monetary and not political.

Typically, ransomware groups deny possessing sensitive government information, especially if they believe that holding such data would invite closer scrutiny from law enforcement agencies.

Notable organizations affected by the security vulnerability in MOVEit Transfer, a widely used secure file transfer system, include British Airways, the BBC, and Boots. These entities informed their staff that their data may have been compromised following a breach of payroll platform Zellis, which is used by all three companies.

Although Cl0p denies having any data from Zellis, an email exchange with the BBC reveals the group's claim that they do not possess the information and have notified Zellis about it. The group asserts its longstanding policy of truthfulness, stating that if they say they don't have certain data, they genuinely do not possess it.

The hackers allegedly set a deadline of 14 June for the affected companies to pay a ransom, or else their data would be exposed online. However, no information has been leaked thus far, raising the possibility that other cybercriminals may also be taking advantage of the MOVEit Transfer vulnerability. 

The software vendor, Progress Software, disclosed the glitch on 31 May, but no other hacker group has publicly claimed responsibility for stealing data through this exploit.

Vietnamese Public Companies Targeted by SPECTRALVIPER Backdoor

 

Vietnamese public companies are facing an ongoing targeted campaign involving the SPECTRALVIPER backdoor. This backdoor, previously undisclosed and in the x64 variant, offers a range of capabilities such as manipulating files, impersonating tokens, and loading PE files. Elastic Security Labs has identified these attacks as the work of REF2754, a threat actor associated with the Vietnamese APT32 group, also known as Canvas Cyclone, Cobalt Kitty, and OceanLotus.

In the latest attack chain, SysInternals ProcDump utility is utilised to load an unsigned DLL file containing DONUTLOADER, which then loads SPECTRALVIPER and other malware. 

SPECTRALVIPER establishes communication with a server controlled by the threat actor to receive commands and employs obfuscation techniques to evade analysis. Additional malware involved in these attacks includes P8LOADER, capable of launching arbitrary payloads from files or memory, and a PowerShell runner named POWERSEAL, which executes provided PowerShell scripts or commands.

REF2754 exhibits tactical similarities to another group known as REF4322, which has targeted Vietnamese entities using the PHOREAL implant. These connections suggest a high likelihood of state-affiliated threats originating from Vietnam.

Meanwhile, Check Point Research has discovered a cyberespionage campaign targeting Libyan organizations, employing a customized backdoor named Stealth Soldier. This malware possesses advanced surveillance capabilities and is believed to be linked to a threat actor known as "The Eye on the Nile."

In the realm of Linux malware, the BPFDoor has received updates to enhance its stealth capabilities, including stronger encryption and improved reverse shell communications. Notably, the latest version of BPFDoor has not been detected as malicious by any currently available antivirus engines for the platform.

SPECTRALVIPER can be compiled as either an executable or DLL to mimic known binary exports. The malware leverages encrypted communication channels (HTTP and named pipe) with AES encryption and either Diffie-Hellman or RSA1024 key exchange. All samples of SPECTRALVIPER undergo heavy obfuscation using the same obfuscator, with varying levels of hardening, making analysis challenging.

Undiscovered Attacks Against Middle Eastern Targets Conducted Since 2020

 

Over the last few years, companies in the Middle East have faced a series of targeted attacks using an open-source tool used by threat actors as kernel drivers. Fortinet researchers discovered a sample of the so-called Donut tool while scanning suspicious executables that used open-source technologies. 

This open-source shellcode-generation tool, as well as a variant of the Wintapix driver, were found to have been used in targeted cyberattacks against Saudi Arabia and other Middle Eastern countries. Fortinet researchers Geri Revay and Hossein Jazi stated in a blog post about their research that they believe this driver has been operational in the wild since at least mid-2020, was not reported until now, and has been employed in multiple campaigns over the previous few years.

In accordance with Fortinet's data, there is a noteworthy increase in the number of lookups — or peaks in activity — for this driver in August and September 2022, as well as again in February and March 2023. This could imply that the threat actor behind the driver was running large-scale campaigns these days. According to the data, 65% of the lookups for the driver were from Saudi Arabia, showing that it was a primary focus.

Jazi notes that other malware families have been identified employing similar attack methods (i.e., kernel drivers), but this was a detection of a new malicious driver.

"It has new functionalities such as targeting IIS [Internet Information Services] servers, which is unique in its own accord," Jazi says.

While Jazi cannot to provide any information on the exact verticals targeted, he does highlight that Iranian threat groups have a long history of attacking Saudi Arabia and other governments in the region.

According to Fortinet analysts, it is unclear how the driver was spread, and they have no idea who was behind this operation. "Observed telemetry shows that, while this driver has primarily targeted Saudi Arabia, it has also been detected in Jordan, Qatar, and the United Arab Emirates, which are classic targets of Iranian threat actors," according to the research.

Since Iranian threat actors have been known to use Microsoft Exchange Servers to distribute other malware, it is probable that this driver was used in conjunction with Exchange attacks. "To that point, the compilation time of the drivers is also aligned with times when Iranian threat actors were exploiting Exchange server vulnerabilities," the researchers stated.

At this point, it's unknown whose organizations were targeted or what the attackers were after. According to Ciarán Walsh, associate research engineer at Tenable, it is entirely possible for a campaign to go undetected for an extended period of time, as this one did. 

"APT1 (CommentCrew) has been noted as maintaining a presence on victim networks without detection for years during its cyberespionage campaigns," he says.

When asked if he believes the time spent undiscovered is indicative of an attacker's sophistication, Walsh answers it depends on a variety of things, including the campaign's aims.

"In espionage, the aim would be to go undetected for however long it takes to achieve those objectives," he says, "but in campaigns that aim to cause disruption such as Anonymous Sudan and its DDoS campaigns, being stealthy and maintaining a foothold in a target network is not a priority."

Walsh observes that open source tools are more likely to be identified because the security community is aware of them and countermeasures and remediation strategies to fight them have been created.

"Custom tooling is much more difficult to detect as automated systems have little, if any, information about the tool to use as part of their detection mechanisms," he says. "Attackers do sometimes adopt an approach of using tools already on target systems or within target networks."

Volt Typhoon, an APT ascribed to China that Microsoft reported last week had obtained access to telecom networks and other critical infrastructure targets in the US, took this strategy.

"Living-off-the-land allows for stealth as there is no execution of any suspicious programs or scripts, which would trigger an alert," Walsh says. "The attackers instead use tools built into operating systems, which are less likely to trigger an alert, or even be deemed suspicious."

Hackers can Open Smart Garage Doors From Anywhere in the World

 

According to findings from a security researcher, hackers can remotely tap into a specific brand of smart garage door opener controllers and open them all over the world due to a number of security weaknesses that the firm, Nexx, has refused to repair. 

The flaws represent a major risk to Nexx users, who have access to wi-fi-connected garage door opener controllers among other things. As per a copy of an email obtained with Motherboard, the researcher who discovered the vulnerability claims that Nexx has not reacted to their attempts to responsibly report the vulnerabilities for months.

“Completely remote. Anywhere in the world,” Sam Sabetan, the security researcher, told Motherboard, describing the hack.

Nexx describes its goods as "easy-to-use products that work with things you already own." Its garage product links to a person's existing garage door opener and allows them to remotely activate it via a smartphone app. “Life is complicated enough. Remembering whether or not you left your garage door open should be the least of your worries: Get peace of mind,” the company advertises on its website. Nexx has run campaigns on Kickstarter.

Sabtean demonstrated the hack in a video proof-of-concept. It shows his fist unlocking his own garage door with the Nexx app, as promised. He then accesses a tool that allows him to read communications sent by the Nexx device. Sabetan uses the app to close the door and records the data that the device sends to Nexx's server during this activity.

Sabetan not only receives information on his own device but also messages from 558 other gadgets. According to the video, he can now see the device ID, email address, and name associated with each. He then sends an order to the garage via software rather than the app, and his door opens once more. Sabetan only tested this on his own garage door, but he could have used this technique to open other users' garage doors as well.

Sabetan told Motherboard he could open doors “for any customer.” “That’s the craziest bug. But the disabling alarm and turning on [and] off smart plugs is pretty neat too,” he added, referring to another Nexx product that allows users to control power outlets in their home.

The repercussions of someone weaponizing these vulnerabilities are far-reaching, and might pose a serious security risk to Nexx's clients. A hacker might randomly open Nexx doors all across the world, exposing their garage contents and possibly their homes to opportunistic robbers. Pets could flee. Customers may become irritated if they see someone opening and closing their property without knowing why. In more extreme circumstances, a hacker could exploit the flaws as part of a targeted assault against the particular garage that used Nexx’s security system.

Sabetan and Motherboard have made numerous attempts to contact Nexx about the problems. Sabetan claimed that the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) had tried to contact him. The corporation has not responded or fixed the issues. This means that security flaws are still available to hackers who desire to exploit them. As a result, Motherboard will not go to great lengths on them, instead focusing on their influence on customers. On Tuesday, CISA issued its own advisory regarding security issues.

Nexx appears to be purposefully disregarding at least some inquiries attempting to alert them to the vulnerabilities. Sabetan contacted Nexx's support again because Nexx's support email did not react to his vulnerability report, this time stating that he needed assistance with his own Nexx product. According to a copy of the email Sabetan shared with Motherboard, Nexx's support personnel responded at the time.

“Great to know your support is alive and well and that I’ve been ignored for two months,” Sabetan replied. Please respond to ticket [ticket number,” he wrote, referring to his vulnerability report.


How to Spot New Risks Via Suspicious Activities?

 

Unknown malware poses a significant cybersecurity risk and can cause significant harm to both organizations and individuals. Malicious code can gain access to confidential information, corrupt data, and allow attackers to take control of systems if it goes undetected. 
Learn how to avoid these situations and effectively detect unknown malicious behavior. Challenges in detecting new threats# While known malware families are more predictable and can be detected more easily, unknown threats can take on a variety of forms, posing a slew of detection challenges:
  • Malware developers employ polymorphism, allowing them to modify the malicious code to create distinct variants of the same malware.
  • There is malware that has yet to be identified and does not have any detection rulesets.
  • Some threats can be Fully UnDetectable (FUD) for a period of time, putting perimeter security at risk.
  • The code is frequently encrypted, making signature-based security solutions difficult to detect.
  • Malware authors may employ a "low and slow" strategy, which entails sending a small amount of malicious code across a network over a long period of time, making it difficult to detect and block. This is especially dangerous in corporate networks, where a lack of visibility into the environment can result in undetected malicious activity.
New threat detection# When analyzing known malware families, researchers can use existing data about the malware, such as its behavior, payloads, and known vulnerabilities, to detect and respond to it.

However, when dealing with new threats, researchers must start from scratch, following the guidelines below:

Step 1: Use reverse engineering to analyze the malware's code to determine its purpose and malicious nature.

Step 2: Examine the malware's code using static analysis to identify its behavior, payloads, and vulnerabilities.

Step 3: Use dynamic analysis to observe the malware's behavior during execution.

Step 4: Use sandboxing to isolate the malware and observe its behavior without causing harm to the system.

Step 5: Identify potentially malicious code using heuristics based on observable patterns and behaviors.

Step 6: Examine the results of reverse engineering, static and dynamic analysis, sandboxing, and heuristics to see if the code is malicious.

There are numerous tools available to assist you with the first five steps, ranging from Process Monitor and Wireshark to ANY.RUN. But how do you draw a precise conclusion, and what should you focus on with all of this data?

The solution is straightforward: concentrate on indicators of malicious behavior.

Surveillance of suspicious activities is essential for the effective detection

To detect threats, various signatures are used. A signature is a typical footprint or pattern associated with a malicious attack on a computer network or system, according to computer security terminology.

Behavioral signatures are included in this list. It's impossible to do something in the OS without leaving a trace. We can determine what software or script it was based on their suspicious behavior.

You can observe the behavior of the malware and identify any malicious behavior by running a suspicious program in a sandbox, such as:
  • abnormal file system activity,
  • suspicious process creation and termination
  • abnormal networking activity
  • reading or modifying system files
  • access system resources
  • create new users
  • connect to remote servers
  • execute other malicious commands
  • exploit known vulnerabilities in the system
Microsoft Office is launching PowerShell, which appears suspicious, doesn't it? Pay close attention when an application adds itself to the scheduled tasks. Something is definitely wrong when a svchost process runs from the temp registry. Even without signatures, you can always detect a threat based on its behavior.

Eventually, cybercriminals can use unknown threats to extort money from businesses and launch large-scale cyberattacks. Even if the malware family is not discovered, we can always deduce the threat's functionality based on its behavior. 

Using this information, you can create information security to protect against new threats. Behavior analysis improves your ability to respond to new and unknown threats while also strengthening your organization's security without incurring additional costs.

Where Do the Most Ransomware Attacks Take Place in the United States?

 

Ransomware can be as disruptive to your day as a flood, earthquake, fire, or another natural disaster. It has the potential to devastate businesses, close hospitals, and close schools. And if you're unlucky enough to be affected, it can completely devastate your finances. 

However, as with natural apocalyptic events, there are patterns in misfortune, and it is possible to draw patterns and identify high-risk areas. You can avoid disaster entirely with some forethought. 

What is Ransomware? 

Criminals are after your money, and draining your bank account is problematic. By encrypting vital files on compromised computers, criminals persuade victims to hand over their money voluntarily. Companies that are unable to perform business and are losing money every day, they are not functioning and will frequently pay criminals to decrypt their machines and enable them to continue trading. Criminals typically gain access to devices through either lax security processes or social engineering attacks.

Engaging in any criminal enterprise is a risky business, and cybercriminals prefer to target targets that will net them the most money while exposing them to the least amount of risk. It makes more sense to hit fewer large targets rather than many small ones. And it's understandable that they'd rather target businesses that are more likely to pay than call law enforcement.

Between 2018 and January 2023, there were 2,122 ransomware attacks in the United States, as per Comparitech research. That's a lot, and even more is likely to have gone unreported. Even if this figure is taken at face value, it equates to more than one ransomware attack per day. Each ransom was worth an astounding $2.3 million on average.

Naturally, because businesses have more money than private individuals, schools, or government agencies, they are regarded as the biggest jackpot for hackers. And because they're constantly making money, every pause costs them more. The largest ransom known to have been paid during this time period was a whopping $60 million paid in 2022 by Intrado, a communications company with interests in cloud collaboration, 911 operations, enterprise communications, and digital media, among other things.

In fact, nine of the top ten ransoms were paid by corporations, including Kia Motors, Garmin, and EDP Renewables. The education sector is prominent, with Broward County Public Schools paying the second-largest ransom of $40 million in 2021. The notorious Conti group, which has been linked to hundreds of other attacks, carried out the attack.

Hospitals and other medical care facilities are prime targets for ransomware attacks because when hospital computers go down, patients don't get the care they require, and people die. Ransoms from the healthcare sector tend to be lower, with an average payout of around $700,000, possibly because the criminals have some conscience about people dying as a direct result of their actions.

Government facilities are also frequently targeted, with state and regional facilities particularly vulnerable. Local government agencies have limited IT security resources and frequently use outdated software due to their stricter budgets, making them easier targets. However, this also means that they pay significantly less than businesses with a median revenue of half a million dollars.

Where do most attacks take place?

Ransomware attacks occur wherever criminals believe they can make a quick buck, and attacks are concentrated in areas with a high concentration of wealth and businesses with a high turnover.

In the United States, this includes the east coast, which includes Washington, DC, Maryland, Delaware, and New York; the north-west coast, which includes California and Seattle; and major regional hubs like Chicago, Illinois. The majority of these attacks target businesses, but that doesn't mean the rest of the country is safe. Attacks on healthcare and government are far more common in poorer states. Again, this is most likely due to reduced IT budgets.

Between 2018 and January 2023, no US state was immune to ransomware attacks, though some were either less appealing or more resilient to criminals. Wyoming had the fewest reported attacks, with one ransomware incident at Carbon Power and Light and two healthcare facility attacks.

Ransomware is frightening, but just like designing flood defences or forest fires, there are steps you can take to avoid becoming a victim. Here are some of the best recommendations:
  • Take regular backups and store them securely
  • Employ a good antivirus
  • Train your staff
  • Keep your systems updated
Ransomware is terrible, but at least you know that if you pay the ransom, your system will be restored to normal working order and you can resume business as usual... right? This isn't always true. What appears to be ransomware is sometimes fake ransomware: your files have been encrypted, but the criminals who have encrypted them will never decrypt them.

A New Era is Emerging in Cybersecurity, but Only the Best Algorithms will Survive

 

The industry identified that basic fingerprinting could not maintain up with the rate of these developments, and the requirement to be everywhere, at all times, pushed the acceptance of AI technology to deal with the scale and complexity of modern business security. 

Since then, the AI defence market has become crowded with vendors promising data analytics, looking for "fuzzy matches": close matches to previously encountered threats, and eventually using machine learning to detect similar attacks. While this is an advancement over basic signatures, using AI in this manner does not hide the fact that it is still reactive. It may be capable of recognizing attacks that are very similar to previous incidents, but it is unable to prevent new attack infrastructure and techniques that the system has never seen before.

Whatever you call it, this system is still receiving the same historical attack data. It recognises that in order to succeed, there must be a "patient zero" — or first victim. Supervised machine learning is another term for "pretraining" an AI on observed data (ML). This method does have some clever applications in cybersecurity. For example, in threat investigation, supervised ML has been used to learn and mimic how a human analyst conducts investigations — asking questions, forming and revising hypotheses, and reaching conclusions — and can now carry out these investigations autonomously at speed and scale.

But what about tracking down the first traces of an attack? What about detecting the first indication that something is wrong?

The issue with utilising supervised ML in this area is that it is only as good as its historical training set — not with new things. As a result, it must be constantly updated, and the update must be distributed to all customers. This method also necessitates sending the customer's data to a centralised data lake in the cloud to be processed and analysed. When an organisation becomes aware of a threat, it is frequently too late.

As a result, organisations suffer from a lack of tailored protection, a high number of false positives, and missed detections because this approach overlooks one critical factor: the context of the specific organisation it is tasked with protecting.

However, there is still hope for defenders in the war of algorithms. Today, thousands of organisations utilise a different application of AI in cyber defence, taking a fundamentally different approach to defending against the entire attack spectrum — including indiscriminate and known attacks, as well as targeted and unknown attacks.

Unsupervised machine learning involves the AI learning the organisation rather than training it on what an attack looks like. In this scenario, the AI learns its surroundings from the inside out, down to the smallest digital details, understanding "normal" for the specific digital environment in which it is deployed in order to identify what is not normal.

This is AI that comprehends "you" in order to identify your adversary. It was once thought to be radical, but it now protects over 8,000 organisations worldwide by detecting, responding to, and even avoiding the most sophisticated cyberattacks.

Consider last year's widespread Hafnium attacks on Microsoft Exchange Servers. Darktrace's unmonitored ML identified and disrupted a series of new, unattributed campaigns in real time across many of its customer environments, with no prior threat intelligence associated with these attacks. Other organisations, on the other hand, were caught off guard and vulnerable to the threat until Microsoft revealed the attacks a few months later.

This is where unsupervised ML excels — autonomously detecting, investigating, and responding to advanced and previously unseen threats based on a unique understanding of the organization in question. Darktrace's AI research centre in Cambridge, UK, tested this AI technology against offensive AI prototypes. These prototypes, like ChatGPT, can create hyperrealistic and contextualised phishing emails and even choose a suitable sender to spoof and fire the emails.

The conclusions are clear: as attackers begin to weaponize AI for nefarious reasons, security teams will require AI to combat AI. Unsupervised machine learning will be critical because it learns on the fly, constructing a complex, evolving understanding of every user and device across the organisation. With this bird's-eye view of the digital business, unsupervised AI that recognises "you" will detect offensive AI as soon as it begins to manipulate data and will take appropriate action.

Offensive AI may be exploited for its speed, but defensive AI will also contribute to the arms race. In the war of algorithms, the right approach to ML could mean the difference between a strong security posture and disaster.

Vanuatu Officials Resort to Phone Books and Typewriters, One Month After Cyberattack

 

One month after a cyber-attack brought down Vanuatu's government servers and websites, frustrated officials were still using private Gmail accounts, personal laptops, pen and paper, and typewriters to run the government of Prime Minister Ishmael Kalsakau, who took office just a few days after the crash.

Malware attacks on state networks have slowed communication and coordination in the Pacific island nation of 314,000 people spread across 80 islands. To find government phone numbers, people turned to the online Yellow Pages or the hard copy phone directory. Some offices were operating solely through their Facebook and Twitter pages.

According to a financial analyst who works closely with the ministry's cybersecurity teams, the problems began about a month ago, when suspicious phishing activity was first detected in emails to the Ministry of Finance.

Almost all government email and website archives were destroyed by malware. Many departments were still storing data on local computer drives rather than web servers or the cloud. There has been no official word on whether or not the hackers demanded a ransom.

“It is taking longer for payments [from the Ministry of Finance] to get out, but … we are always on Vanuatu time anyway,” stated the financial analyst.

Government departments have struggled to stay connected, frustrating officials, with spontaneous solutions for communication between agencies and departments being implemented. Many government offices on the outer islands are experiencing significant service delays.

“It was chaos during the first few days but the entire government made alternative Gmail accounts or used their private emails. We are all using telephones and mobile phones for communication. But we are resilient in Vanuatu as a small country and can manage this,” said Olivia Finau, a communications officer in the Ministry of Climate Change. “Our department is communicating with the public more now with Facebook and Twitter, and we are actually getting more followers.”

The attack did not cause any disruptions to civilian infrastructures, such as airline or hotel websites. The majority of tourism and business has continued as usual through the busy Christmas and New Year's seasons.

According to the analyst, the current system can be improved by upgrading software and storing files in the cloud for management. However, local officials lack the necessary expertise and "require outside assistance."

The government had previously reported that the attack took place on November 5, but a computer technician at the Office of the Government's Chief Information Officer and a foreign diplomat confirmed to the Guardian that the crash took place on October 30.

In the early days of the crisis, some Vanuatu authorities blamed the problem on bad weather, which damaged the internet infrastructure.

However, the diplomat said: “We noticed there was a problem right away … our team recognized this as having the hallmarks of a cyber-attack, and not being caused by weather.”

Internal communication breakdowns in the days following the attack exacerbated matters. On November 4, Prime Minister Kalsakau formally took office, and on November 5, the government formally acknowledged the problem. 

The Australian government has offered assistance. "We sent a team in to assist with that disgraceful cyber-attack and response, and we are working through the process of bringing the government IT systems back up to speed," Pat Conroy, Australia's minister for international development and the Pacific, told Vanuatu Daily.

Cyber-attacks have wreaked havoc around the world in recent years, and Vanuatu's attack will serve as a warning to small Pacific nations with even weaker cybersecurity than Port Vila. Requests for comment were not returned by the Vanuatu Office of the Government Chief Information Officer (OGCIO).

Hackers Selling Ransomware Victims and Network Access Data for $4 Million

 

In accordance with a new report, hackers are selling access to 576 corporate networks worldwide for a total cumulative sales price of $4,000,000, fueling enterprise attacks. The findings come from the Israeli cyber-intelligence firm KELA, which published its Q3 2022 ransomware report, which showed stable activity in the initial access sales sector but a significant increase in the value of the offerings. Despite the fact that the number of network access sales remained roughly the same as in the previous two quarters, the total requested price has now reached $4,000,000. In comparison, the total value of initial access listings in Q2 2022 was $660,000, a decrease that coincided with the summer ransomware hiatus, which hampered demand. 
The Rise of Ransomware

IABs are hackers who sell access to corporate networks, typically through credential theft, webshells, or exploiting vulnerabilities in publicly exposed hardware.

After gaining access to the network, threat actors sell it to other hackers, who use it to steal valuable data, deploy ransomware, or engage in other malicious activity.


The reasons IABs do not use network access vary, from a lack of diverse intrusion skills to a preference not to risk increased legal trouble.

IABs continue to play an important role in the ransomware infection chain, despite the fact that they were sidelined last year when large ransomware gangs that operated as crime syndicates had their own IAB departments.

KELA analysts observed 110 threat actors posting 576 initial access offerings totaling $4,000,000 in the third quarter of 2022. The average selling price of these listings was $2,800, with a record median selling price of $1,350. KELA also witnessed a single access being offered for sale at the exorbitant price of $3,000,000. However, due to concerns about its authenticity, this listing was not included in the Q3 '22 stats and totals.

In Q3 2022, the top three IABs ran a large-scale business, selling between 40 and 100 accesses. According to hacking forum discussions and marketplace listing removal events, the average time to sell corporate access was only 1.6 days, while the majority were of  RDP and VPN types.

The United States was the most targeted country this quarter, accounting for 30.4% of all IAB offerings. This figure is comparable to the 39.1% share of ransomware attacks targeting US businesses in the third quarter.

Professional services, manufacturing, and technology led the targeted sectors with 13.4%, 10.8%, and 9.4%, respectively. Ransomware attacks are ranked similarly, emphasizing the link between the two. 

Because initial access brokers have become an essential component of the ransomware attack chain, protecting your network from intrusion is critical. To prevent the theft of corporate credentials, remote access servers should be placed behind VPNs, access to publicly exposed devices should be restricted, MFA should be enabled, and phishing training should be conducted.