CYBER THREAT INTELLIGENCE BLOG

$1 Million is Just the Beginning: Q4 2020 in Network Access Sales

Victoria Kivilevich, Threat Intelligence Analyst

Multiple initial network accesses continue to appear for sale in underground forums every day, in part becoming an initial entry point for ransomware operators. Following KELA’s analysis of initial access brokers’ activities in September 2020, we’ve assessed the listings of network access from all of Q4 2020. Some of the major takeaways:

- KELA traced almost 250 initial network accesses listed for sale in Q4 2020. The cumulative price requested for all accesses surpasses $1.2 million.
- On average, we observed around 80 accesses offered for sale in each month of Q4 2020. Of these network access listings, KELA found that at least 14% were noted as sold by the actors.
- Although the month-to-month number is lower than in September (108 accesses), KELA identified a growing trend of accesses being sold in private conversations rather than publicly in forums, which is the likely cause of the slight decline.
- While compiling a list of the most expensive accesses and the TTPs of their sellers, KELA found that the attack surface is constantly expanding, with initial access brokers offering new access types. Meanwhile, RDP- and VPN-based accesses, as well as vulnerabilities (allowing code execution through a specific flaw and potentially enabling actors to pivot further within the targeted environment), constitute the majority of the offers.

Darknet Threat Actors Are Not Playing Games with the Gaming Industry

Almog Zoosman, Pre-Sales Engineer, and Victoria Kivilevich, Threat Intelligence Analyst

The gaming industry should really thank Covid-19: people are stuck at home, seeking indoor hobbies, and giving online gaming a chance. With the rise in gamers and purchases, the online gaming industry is estimated to reach $196 billion in revenue by 2022. However, the growing success of this industry also draws the attention of cybercriminals scouting out new targets, and what better target could they ask for than an up-and-coming industry that may not be prioritizing its security precautions as much as its advancement and profit? So, although this industry isn’t valued at the trillions of dollars the financial industry may be valued at, it still checks two boxes that many profit-driven cybercriminals tend to look for: increasing profits and minimizing the complexity of doing so. To assess the threat landscape of the gaming industry in light of Covid-19, we explored the risks potentially threatening the employees and internal resources of the leaders of this industry.[1] Some of this blog’s key takeaways:

- KELA observed multiple instances of supply and demand for initial network access to gaming companies (especially their resources designed for developers).
- KELA found nearly 1 million compromised accounts pertaining to gaming clients and employees, with 50% of them offered for sale during 2020.
- KELA detected more than 500,000 leaked credentials pertaining to employees of the leading companies in the gaming sector.
- The gaming industry is growing, and the number of threats against it is growing in turn. By proactively monitoring darknet communities, organizations in this industry can collect valuable real-time intelligence that gives them an external viewpoint on their attack surfaces and helps them mitigate cyber threats.

Easy Way In? 5 Ransomware Victims Had Their Pulse Secure VPN Credentials Leaked

Victoria Kivilevich, Threat Intelligence Analyst

Rising ransomware attacks around the world, together with the recent lists of exposed Pulse Secure VPN credentials, set the backdrop for KELA’s latest research. While not every ransomware attack used CVE-2019-11510 (a vulnerability in unpatched Pulse Secure VPN servers) or the previously shared credentials to compromise corporate networks, the finding adds another layer to the analysis of possible initial infection vectors used in ransomware incidents. Moreover, the recent exposure of credentials for nearly 50,000 vulnerable Fortinet VPNs raises further concern about infection vectors that can be used for ransomware attacks. Our key findings include:

- Five victims of ransomware attacks had credentials to their Pulse Secure VPN servers exposed as part of two Pulse Secure VPN lists (i.e., directories with folders and files) that were shared by malicious actors in August 2020.
- Data of three of the victims was leaked to ransomware gangs’ blogs in an attempt to force them to pay a ransom. Based on KELA’s conversations with threat actors related to the attack, at least one victim (unnamed) paid the ransom.
- A threat actor involved in the attack confirmed that they gained initial access to at least one compromised network via CVE-2019-11510.
- Proactive monitoring of darknet threats, such as the Pulse Secure VPN lists, helps enterprise defenders secure their networks and prevent further, more sophisticated attacks, such as ransomware attacks.

Zooming into Darknet Threats Targeting Japanese Organizations

Victoria Kivilevich, Threat Intelligence Analyst

In light of rising cyberattacks and ahead of the 2021 Tokyo Games, Japan is investing in cybersecurity efforts, one of them being the establishment of a government entity dubbed the Digital Agency. The decision follows recent fraud involving Japanese bank accounts linked to cashless payment services, which could be carried out by brute-forcing, by using compromised credentials to banking accounts, or via other attack vectors. Attacks on the banking infrastructure are just one part of the threats targeting Japanese organizations that KELA recently explored. They include:

- Leaked data and compromised accounts. KELA detected that data belonging to Japanese corporations, as well as government and educational entities, is actively circulating in the darknet and being sought by threat actors. This data can be used to gain initial network accesses, i.e. entry points to targeted networks.
- Initial network accesses. KELA observed accesses to several compromised Japanese organizations, ranging from corporations to universities and including one Japanese ministry, offered during June-October 2020. These accesses can be leveraged to eventually deploy ransomware.
- Ransomware incidents. KELA detected at least 11 Japanese victims of ransomware attacks in June-October 2020. The affected companies are from manufacturing, construction and government-related industries, with the top victims having around $143 billion, $33 billion and $2 billion in yearly revenue.

KELA’s 100 Over 100: September 2020 in Network Access Sales

Raveed Laeb, Product Manager, and Victoria Kivilevich, Threat Intelligence Analyst

While ransomware attacks are on the rise, more and more initial network accesses are being sold in underground forums every day, in part becoming an initial entry point for ransomware operators. Following KELA’s research on initial access brokers, we decided to analyze some of the accesses sold over September 2020 to build a comprehensive picture of the activity in this field. Major takeaways:

- Initial network access is a general term that refers to remote access to a computer in a compromised organization. The threat actors selling it, initial access brokers, link opportunistic campaigns with targeted attackers, namely ransomware operators.
- KELA traced over 100 initial network accesses put on sale by threat actors in one month, three times more than in August 2020. The cumulative price requested for all accesses surpasses $500,000.
- Of these network access listings, KELA found that at least 23% were reported as sold by the actors, for a cumulative revenue of nearly $90,000.
- While compiling a list of the top 5 most expensive accesses and the TTPs of their sellers, KELA examined the hypothesis that the price depends on the victim’s revenue and on the level of privileges gained through the access. Domain admin access can be 25-100% more expensive than user access.
- Initial access brokers’ public activity on cybercrime communities provides rare visibility into the inner workings of threat actors; network defenders should leverage this visibility to understand the threat landscape and prioritize defense mechanisms accordingly. Moreover, passing network access from an initial access broker to a ransomware affiliate effectively splits the exploitation process into two distinct phases, a TTP that may be invaluable during threat hunting and adversary simulation.

The Initial Access Broker’s Toolbox – Remote Monitoring & Management Tools

Raveed Laeb, Product Manager, and Victoria Kivilevich, Threat Intelligence Analyst

Updated October 8, 2020: Zoho’s statement added.

With the rise of initial access brokers and the growing number of threat actors selling remote access to compromised networks, RMM (remote monitoring and management) tools have become a lucrative target. KELA identified a cybercriminal active on Russian-language forums who has recently been selling numerous accesses obtained via an RMM tool, and determined that the RMM tool in question is Zoho’s product Desktop Central, a fact that illustrates the threat organizations face. Monitoring which kinds of network access initial access brokers are selling provides important intelligence for the IT and cybersecurity teams defending an organization’s network.

Back to School: Why Cybercriminals Continue to Target the Education Sector | Part Two

Victoria Kivilevich, Threat Intelligence Analyst, and Sharon Bitton, Marketing Content Manager

2020’s back to school is a bit different than usual, as most students around the world are getting ready to meet their peers again online. Rather than worrying about the classic back-to-school activities, such as purchasing the most in-style school supplies or figuring out the perfect outfit for day one, students are more invested in finding a comfortable home setup for online learning. School IT admins, on the other hand, are most concerned this year with educating their students and staff about cybersecurity as school begins remotely, while in parallel focusing heavily on deterring cyber threats from cybercriminals looking to attack educational institutions. In our last blog post, Back to School: Why Cybercriminals Continue to Target the Education Sector, Part 1, we looked into threat actors’ overall interest in targeting organizations in the education sector, diving into some examples of recent attempted attacks that we’ve spotted across the underground ecosystem. That post touched on several key points that helped establish a general understanding of the threat level facing educational institutions. We decided to circle back to this topic because of the increasing risks that have emerged as much of the world returns to school. Schools already struggling with high numbers of COVID-19 cases must now also battle other mishaps, such as cyberattacks on their online learning platforms, within their first days of remote learning. This happened to one of the largest school districts in Florida and was likely caused by a newcomer to the underground world, an alleged 16-year-old threat actor. This successful attack on a large school district by a supposedly young threat actor may imply that planned attacks by more sophisticated and experienced threat actors are similarly on their way.