Research Report Archives - Flare | Cyber Threat Intel | Digital Risk Protection

A Tale of Two Campaigns: Infostealer Infections, Victim Screenshots, and a Glimpse into the World’s Strangest Economy
https://flare.io/learn/resources/a-tale-of-two-campaigns-infostealer-infections-victim-screenshots-and-a-glimpse-into-the-worlds-strangest-economy/
Tue, 08 Oct 2024 18:46:54 +0000

The post A Tale of Two Campaigns: Infostealer Infections, Victim Screenshots, and a Glimpse into the World’s Strangest Economy appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.


It was the best of times for criminals, and the worst of times for lovers of cracked software. Infostealer campaigns represent a major issue today for consumers and corporations worldwide. Dedicated threat actors develop infostealer variants, a type of remote access trojan (RAT) that infects a host and extracts credentials saved in the browser, session cookies, and other data from the victim’s machine. This information is then packaged into log files and distributed throughout the cybercrime ecosystem via the dark web and Telegram. 

This article will examine two infostealer campaigns, one from 2022 and one from 2023. We will map out how each campaign operates using victim screenshots—images captured by the malware shortly after infection—that often reveal key details of how the infection occurred. The purpose of this article is to demonstrate common pathways for infostealer campaigns.

The Snow* Microsoft 2022 Campaign

*Snow because “yuki” is Japanese for snow

The Snow infostealer campaign targeted a wide pool of victims from all over the world. Victims with French-, English-, Spanish-, Turkish-, Portuguese-, Chinese-, and even Korean-language devices were identified across multiple months.

All these devices were infected by the same process: threat actors seeded a cracked version of Microsoft Office 2022 with the Aurora infostealer variant and spread it through YouTube videos, with the download link placed in the video description.

A Google search for “office 2021 crack” pulls up the YouTube video that promoted the infostealer

The choice to use well-known, widely trusted, and essential software like Microsoft Office (which has a costly license, pushing some users to seek illegal alternatives) is a strategic one. Microsoft Office is recognized globally as the standard for basic computer tasks, with popular programs like Word, Excel, and PowerPoint included in the suite. Leveraging such a ubiquitous tool as bait to distribute infostealer malware provides access to an enormous pool of potential victims, spanning the world. Even in countries with different alphabets, the name “Microsoft” is universally recognized. This makes it a perfect fit for one of the most potentially far-reaching malware campaigns to date.

First, users search for “Office [Year] crack” and click on one of the first few videos suggested, such as the “Microsoft Office 2022 Crack \Download Free\ Office 365 Free Version \ World Language” video from the DataStat YouTube channel. The DataStat channel is written in Azerbaijani and had 37 videos and a little over 2k subscribers as of September 18th, 2024. The video, previously available at www.youtube.com/watch?v=kP58gLnluLY, was only a minute and 13 seconds long and presented a tutorial on how to download and install the cracked version of the software. It is no longer available on the channel.

YouTube is a major vector of malware distribution. Threat actors launch account takeovers against legitimate small YouTube channels and publish videos on how to obtain/run specific types of cracked software. Typically the actor then links to “their” download of the cracked application in the YouTube description. 

We see this exact scenario play out in the Snow infostealer campaign: a seemingly harmless YouTube video lures viewers into downloading a malicious cracked version of popular software. In the video’s description box, users are enticed by a download link claiming to provide access to free software. When the link is clicked, it redirects the user to a Telegraph page, where they are promised a “free version of Office.”

Clicking on the link to download redirects the user to the Telegraph page for “Software by Yuki”

The malware is hosted on MEGA.nz, a popular file-sharing platform, and the link provided (https://mega.nz/file/DZxXBB5#iNTbuEP4K83I-5Blx114xYmGJIgZZStjTc352iU) allows users to download a compressed archive. 

The MEGA.nz link shows a compressed archive for “Microsoft_Office_Crack_2022”

Inside this archive, users will find:

  • Two Dynamic Link Library (DLL) files (win-32.dll and win-64.dll)
  • An executable (@fomicvell.exe)
  • A folder named “data”

The archive is protected by a password, “YUKI”, which is provided alongside the download link in the video’s description.

The archive shows two Dynamic Link Library (DLL) files, an executable, and a folder named “data”

In many cases, infostealer campaigns deliberately password-protect the ZIP files so that anti-malware scanners cannot inspect the contents when the file is downloaded. In some cases we’ve seen actors provide specific instructions to new infostealer distributors on the best ways to maximize the chances of evading AV technologies.

While downloading the infostealer malware, the user sees what looks like a legitimate Microsoft popup

Once the archive is extracted, the user believes they are gaining access to a free, cracked version of Office. However, instead of legitimate software, they’ve unwittingly installed an infostealer malware variant designed to harvest sensitive information, including passwords, credentials and cookies.

The Midjourney Campaign

Midjourney is an AI-based art generation platform, launched in July 2022, that quickly established itself as one of the leading tools for AI-generated art. Initially free to use, it has since transitioned to a subscription-based model. Surfing on this new wave of public interest, cybercriminals decided to capitalize on users’ desire to access Midjourney’s services without paying.

Midjourney users have historically accessed, and still access, the service through Discord, which lets them join channels and generate images from within those channels.

Several malicious domains mimicking Midjourney’s legitimate site were identified, including “ai.mid-journey.org” and “get.mid-journey.com”. One of the primary infection vectors is a sponsored Google ad for get.mid-journey.org. Despite users’ browsers displaying a verified security badge for the legitimate site below the ad, many click on the sponsored link, assuming it is safe.

The search for “midjourney” shows sponsored posts that lead to malicious domains

Once users fall for the trap, they are presented with a web page that closely resembles Midjourney’s official platform. Upon clicking, the user is redirected to a page that introduces a supposed “beta version” of the software, accompanied by a warning that the program may trigger antivirus alerts.

The malware authors work to reassure users by claiming such alerts are “typical” and “expected” for beta versions, encouraging them to disable their antivirus software for a “successful installation.”

The falsified Midjourney download page shows a button to “Download for Windows”

Note that this screenshot includes a “Download for Windows” option even though Midjourney is primarily accessed through Discord (and does include a downloadable file). 

This shows the downloaded “MidSetup” file

After the user downloads the executable and disables their antivirus software, as advised, the installation proceeds. However, the software fails to run and instead prompts the user to disable their antivirus further. Although this raises suspicion, users proceed, since they were “warned” on the download page that this would happen.

When installing the file, a few popups display asking the user to disable the antivirus

Users search on how to disable their antivirus. After following instructions to disable the antivirus, the system becomes vulnerable, and the infostealer malware executes. While users may initially hope for access to free Midjourney software, they soon discover that the program still doesn’t work.

Further investigation is initiated by user searches such as “is ai.midjourney a virus?”, which reveals that the user has been deceived. By then, their system has already been infected, leading to the theft of sensitive information such as passwords, cookies, and personal files.

A user who has downloaded the malware searches for “ai.midj0urney.or virus”

In this final screenshot, we can see where a user who has downloaded the malware is now searching to verify whether the website “ai.midj0urney” is real or a virus. In many cases we saw victims searching to try and identify why their software wasn’t working or whether they had just downloaded a virus (spoiler: unfortunately they had).

The Dynamics of a Campaign

From the two campaigns we’ve discussed, the architecture of an infostealer campaign is clear. Threat actors target commonly used software packages (or, in the case of Midjourney, new and exciting products being released). They advertise by taking over legitimate YouTube and Google Ads accounts and running those accounts until they are banned, which gives them mass audience reach.

The first campaign ran the following playbook:

  1. Victim searches for “Microsoft Office 2022 crack” on YouTube.
  2. YouTube video from the DataStat channel lures victims with a download link for “free Office.”
  3. Link redirects to a Telegraph page promising free Office software.
  4. The malware is hosted on MEGA.nz; users download a compressed archive.
  5. Inside the archive: two DLL files (win-32.dll and win-64.dll), an executable (@fomicvell.exe), and a folder named “data.”
  6. Archive password is provided as “YUKI” in the video description.
  7. Once extracted and executed, the malware installs infostealer to harvest sensitive information (passwords, credentials, cookies).

And the second instead leveraged malvertising: 

  1. Users search for free access to Midjourney and click on a Google-sponsored ad for a fake domain (e.g., get.mid-journey.org).
  2. Users are redirected to a website mimicking Midjourney’s platform, offering a “Download for Windows” option.
  3. Download page warns about antivirus alerts and advises users to disable their antivirus.
  4. Users download a malicious executable and follow instructions to disable their antivirus.
  5. The malware installs, stealing sensitive data (passwords, cookies, personal files).
  6. Victims often search afterward to verify if the website was a virus, realizing they’ve been infected.

These campaigns don’t happen in isolation. Instead, every step is supported by various elements of the cybercrime ecosystem, which equip actors with the malware, accounts, and infrastructure they need to successfully run campaigns.

Monitoring for Stealer Logs with Flare

The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and illicit Telegram channels 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.

Our customer Sokigo’s CISO said:

“Stealer logs have been the [sources] where we have seen the most actionable intelligence [with Flare] regarding leaked credentials.”

Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. Learn more by signing up for our free trial.

Breached Identities and Infostealers: One of the Largest Ongoing Data Leaks in History
https://flare.io/learn/resources/breached-identities-and-infostealers-one-of-the-largest-ongoing-data-leak-in-history/
Fri, 30 Aug 2024 16:40:29 +0000
Author: Eric Clay

Breached identities facilitated by infostealer malware represent one of the most significant threats to corporate information security programs in 2024. The first half of this article will deal with “what is an infostealer,” so if you are already familiar with infostealers, feel free to skip directly to the following section. 

Infostealer malware is a type of remote access trojan (RAT) that infects a user and exfiltrates:

  • Credentials saved in any browsers found on the computer
  • Session cookies 
  • Browser history 
  • Crypto wallet data
  • Screenshot of the victim’s screen
  • Host data

There are dozens of direct infostealer variants, and many other malware variants that may contain some info-stealing capabilities. Once a user has been infected, all of this data is packaged up and sent to command and control (C2) infrastructure, where threat actors often leverage easy-to-use access, such as bank accounts with active session cookies and crypto wallets, to quickly monetize the infection.

In many cases, the threat actors launching infections are not the ones actively utilizing credentials and other stolen data, but instead monetize breached identities by distributing them on Telegram channels. Actors will operate a public Telegram channel that is free and open to all users where they distribute older logs as a “sample” of the value they can provide. They then sell access to private channels for $200 to $500 per month where fresher logs are provided.

How Infections Happen

Reviewing infostealer screenshots provides enormous insight into where users are getting infected. A large proportion of infections come from users downloading cracked software, but many infections also occur as a result of malicious advertising (malvertising), fake “Windows update” scams, and “free gift card” scams.

“Free gift card” scam

One extremely common source of infections comes from “repackaged games,” which are compressed versions of video games that have been altered to reduce their file size without affecting the game’s core content or functionality. The process typically involves compressing the game’s files, removing non-essential components (like certain languages, high-definition videos, or unnecessary files), and sometimes integrating updates or DLCs directly into the game. Repackers can add malicious packages, such as infostealers, during this process.

Victims are often prompted to disable antivirus software after downloading an infostealer-infected package, although many infostealer variants can bypass certain antivirus features. On the right, you can see a real victim screenshot where the user is being prompted by the malware to disable antivirus in order to complete an installation. Victims may also expect the antivirus to react, as is sometimes the case with software cracks.

Prompt to disable antivirus

Unlike many other variants of malware, infostealers don’t require local administrative privileges. This makes them particularly pernicious, as they require even fewer changes from the user to successfully execute.

Threat Actors’ Use of Infostealers

Most threat actors are not targeting corporations but are instead looking to make an easy few dollars by breaking into bank accounts, stealing from crypto wallets, or ordering from compromised Amazon or other e-commerce accounts. Indeed, because almost all infostealers specifically target session cookies, threat actors can often bypass MFA controls where session cookie TTL settings are high, creating an additional value proposition compared to traditional password dumps.

An infostealer log structure 

In many cases, threat actors also value commonly found credentials to monthly paid applications that can be utilized without the victim noticing, such as Netflix, NordVPN, Hulu, Steam, and other streaming, VPN, or gaming applications. In some cases, we’ve actually seen infostealer backends specifically call out these “high value” credentials in order to make it easier for threat actors to identify easy opportunities for account takeover.

Infostealers and Corporate Access

Just because the main and most common infostealer use case is personal credentials doesn’t mean that threat actors don’t also work to identify valuable corporate credentials. We’ve seen specific instances of initial access brokers (a specific type of threat actor that compromises companies and then sells the access to other threat actors) buying hundreds of thousands of stealer logs in order to identify corporate access credentials.

To conduct this research, we used publicly available information to identify 50 companies that had recently suffered a data breach (we are not publishing the list to avoid naming and shaming). We then searched Flare’s stealer log database to identify two specific data points:

  • Percentage of companies with corporate credentials leaked: These were organizations that had at least one corporate email (@companyname.com) found in a stealer log at any point since Flare began collecting.
  • Percentage of companies with corporate credentials leaked within six months of a breach: This was the percentage of organizations that had a stealer log detected within 6 months before or after a breach (so a one-year total period).

Overall, we found that:

  • 90% (45/50) of breached companies had corporate credentials leaked in a stealer log at some point.
  • 78% (39/50) of breached companies had corporate credentials leaked in a stealer log within 6 months before or after the breach.

Next, we wanted to understand how this compares to similar companies that did not suffer a breach. To do this, we manually picked 50 “sister companies” that resemble the breached companies in headcount, revenue, and industry.

We took our control set of “sister companies” and evaluated them against the same metrics. Since these companies did not have a reported breach, we instead evaluated whether they had seen a stealer log compromise in the past year.

  • 76% (38/50) of sister companies (organizations that weren’t breached) had a corporate stealer log compromise at some point.
  • 68% (34/50) of sister companies had a stealer log with compromised employee credentials in the past 12 months.

First, it’s worth noting that these numbers are exceptionally high. Out of the total data set, 83% of companies surveyed across all sizes and industries had corporate credentials found, including companies with and without a reported breach. Notably, this is considerably higher than research conducted last year, which found that 19.6% of healthcare organizations had compromised corporate credentials stolen through infostealer malware.

When looking at compromised corporate credentials, we were specifically searching for compromised email accounts within the log. As a result, we excluded institutions of higher education and some telecom providers where it’s common for consumers to use the organization’s domain as an email address. In the corporate logs we reviewed, we identified numerous high-criticality credentials, including:

  • login.microsoft.com
  • companyname.slack.com
  • companyname.okta.com
  • sso.companyname.com
  • adfs.companyname.com

In many cases a single user had access to more than a dozen corporate credentials spanning SaaS applications, internal technology systems, and other mission critical corporate information technologies. 
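The two measurements described above (a corporate e-mail address appearing in any stealer log, and a log falling inside a six-month window on either side of a breach, or inside the past 12 months for the control set) together with the triage of high-criticality identity hosts can be run over stealer-log records as a short Python script. This is an added example, not Flare’s code or data: the record layout, the host patterns derived from the list above, the 183-day approximation of six months, and every `.example` domain, date and credential are constructed assumptions.

```python
"""Triage stealer-log records for corporate exposure (added example).

Re-creates, on constructed records, the measurements in the article: any
corporate credential in a stealer log, a log within six months before or
after a known breach, a log in the past 12 months for the control set, and
the high-criticality identity hosts (Microsoft login, Slack, Okta, SSO, ADFS).
Record layout, host patterns and all sample values are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
from urllib.parse import urlsplit

# Patterns built from the hosts named in the article; the "companyname."
# part is assumed to generalise to any tenant subdomain.
HIGH_CRITICALITY_HOSTS = ("login.microsoft.com",)
HIGH_CRITICALITY_SUFFIXES = (".slack.com", ".okta.com")
HIGH_CRITICALITY_PREFIXES = ("sso.", "adfs.")

SIX_MONTHS = timedelta(days=183)   # assumption: half a year as 183 days
ONE_YEAR = timedelta(days=365)


@dataclass(frozen=True)
class StealerRecord:
    """One saved-credential line from a stealer log (constructed layout)."""
    log_date: date   # when the log was produced / first seen
    url: str         # login URL the browser had stored the credential for
    username: str    # stored username, often an e-mail address


def email_domain(username: str) -> Optional[str]:
    """Lower-cased domain of an e-mail style username, else None."""
    if "@" not in username:
        return None
    return username.rsplit("@", 1)[1].lower()


def is_high_criticality(url: str) -> bool:
    """True for identity-provider style hosts (SSO, ADFS, Okta, Slack, MS login)."""
    host = (urlsplit(url).hostname or "").lower()
    return (host in HIGH_CRITICALITY_HOSTS
            or host.endswith(HIGH_CRITICALITY_SUFFIXES)
            or host.startswith(HIGH_CRITICALITY_PREFIXES))


def records_for(records, domain):
    """Records whose username is an e-mail address under the given domain."""
    return [r for r in records if email_domain(r.username) == domain]


def leaked_any(records, domain) -> bool:
    return bool(records_for(records, domain))


def leaked_between(records, domain, start: date, end: date) -> bool:
    return any(start <= r.log_date <= end for r in records_for(records, domain))


def high_criticality_hits(records, domain):
    """Sorted identity hosts found among the domain's corporate accounts."""
    return sorted({urlsplit(r.url).hostname.lower()
                   for r in records_for(records, domain) if is_high_criticality(r.url)})


def summarize(records, companies, as_of: date):
    """companies: {domain: breach_date or None for the control set}."""
    breached = {d: b for d, b in companies.items() if b is not None}
    control = [d for d, b in companies.items() if b is None]
    return {
        "breached_total": len(breached),
        "breached_any": sum(leaked_any(records, d) for d in breached),
        "breached_within_6mo": sum(
            leaked_between(records, d, b - SIX_MONTHS, b + SIX_MONTHS)
            for d, b in breached.items()),
        "control_total": len(control),
        "control_any": sum(leaked_any(records, d) for d in control),
        "control_past_12mo": sum(
            leaked_between(records, d, as_of - ONE_YEAR, as_of) for d in control),
    }


# Constructed sample data; domains use the reserved .example TLD.
SAMPLE_RECORDS = [
    StealerRecord(date(2024, 3, 2), "https://login.microsoft.com/", "alice@acme.example"),
    StealerRecord(date(2024, 3, 2), "https://acme.okta.com/app/home", "alice@acme.example"),
    StealerRecord(date(2024, 3, 2), "https://www.netflix.com/login", "alice.home@mail.example"),
    StealerRecord(date(2023, 1, 10), "https://sso.globex.example/adfs/ls/", "bob@globex.example"),
    StealerRecord(date(2024, 6, 1), "https://initech.slack.com/", "carol@initech.example"),
    StealerRecord(date(2024, 6, 1), "https://shop.example/account", "carol@initech.example"),
]
COMPANIES = {
    "acme.example": date(2024, 5, 20),    # constructed breach date
    "globex.example": date(2024, 5, 1),
    "umbrella.example": date(2024, 2, 1),
    "initech.example": None,              # control set: no known breach
}
AS_OF = date(2024, 9, 1)


def demo():
    """Run the summary over the constructed sample."""
    return summarize(SAMPLE_RECORDS, COMPANIES, AS_OF)


if __name__ == "__main__":
    print(demo())
    for d in COMPANIES:
        print(d, high_criticality_hits(SAMPLE_RECORDS, d))
```

Only the e-mail domain is used to attribute a record to a company, which is the same choice the article makes; the personal `mail.example` record is therefore ignored even though it sits in the same log as the corporate ones. Counts rather than percentages are returned so the caller can divide by whichever denominator matches their data set.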

Infostealers: An Increasing Risk

As previously discussed, threat actors are not launching mass infostealer attacks specifically to gather corporate credentials. Instead, the theft of corporate credentials can be seen as a useful and valuable byproduct of the influx of normal consumer credentials. However, there is extensive evidence that ransomware groups, initial access brokers, and other actors are combing through infostealers to identify corporate access.

If the rise of infostealer malware were taken as a singular event, it would likely be considered the largest breach in history. While other breaches have contained more individual records, such as the Equifax breach, which contained an estimated 147 million records including Social Security numbers, names, and addresses, infostealers contain far more than just that. Stealer logs can include all of that, as well as browser history, saved credentials, and many personal details about an individual. We process on average 500,000 unique stealer logs per week, and each log has thousands to hundreds of thousands of unique data points about a single individual or family. 

Recommendations

We recommend that organizations immediately begin monitoring for infostealer malware infections to identify if corporate credentials have been compromised in an infostealer infection. Additionally we recommend: 

  • Restrict download privileges: Limit the ability to download and install software to a select group of users. Implement application whitelisting to prevent unauthorized software, which is often a source of infostealer infections.
  • Don’t share your corporate computer: Many infections happen as a result of sharing work computers with children and spouses.
  • Don’t access illegal content: Stolen and “repackaged” applications, such as cracked Adobe products, games, and other pirated software, are where a plurality of infections happen.
  • Disable macros by default: Ensure that macros are disabled by default in all Office applications, as infostealers can be delivered through malicious documents. Educate users on the dangers of enabling macros from untrusted sources.
  • Regularly update and patch software: Keep all software, including browsers and plugins, up to date with the latest patches.
  • Monitor browser extensions: Restrict the installation of browser extensions, which can be used to deliver infostealers. Regularly audit installed extensions and remove any that are not approved or necessary for business operations.

Stealer Logs and Flare

The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and illicit Telegram channels 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.
Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. Learn more by signing up for our free trial.

The Use of Large Language Models for Cyber Threat Intelligence in Cybercrime Forums
https://flare.io/learn/resources/the-use-of-large-language-models-for-cyber-threat-intelligence-in-cybercrime-forums/
Tue, 06 Aug 2024 12:58:20 +0000

In a collaboration with the School of Criminology at the Université de Montréal and Complexity Science Hub, we studied using large language models (LLMs) for cybersecurity in cybercrime forums. Read the full report below:
Initial Access Broker Landscape in NATO Member States on Exploit Forum
https://flare.io/learn/resources/initial-access-broker-landscape-in-nato-member-states-on-exploit-forum/
Thu, 15 Feb 2024 16:35:33 +0000
by Eric Clay and Zaid Osta 

This report conducts a case study on a large sample of initial access broker (IAB) posts on the Russian-language hacking forum Exploit, targeting critical infrastructure in NATO member states across Europe and North America. We first examine the anatomy of typical IAB posts and explore recent sample IAB posts from entities within NATO member states.

IABs are key players in the cybercrime landscape. They infiltrate systems and gain unauthorized access through various techniques, including spear-phishing, exploiting unpatched vulnerabilities, and leveraging leaked and stolen credentials. Their primary goal is to establish persistence in these environments, not to conduct the final stages of a cyberattack, but rather to sell this access to other malicious actors. Future buyers might use the access for deploying ransomware, data theft, or other criminal activities.

Key Findings 

  • Pervasive Threat of IABs in NATO Countries: IABs are increasingly targeting entities within NATO member states, indicating a persistent and geographically diverse cyberthreat landscape. Our case study, analyzing hundreds of IAB postings on the Exploit forum, reveals recent activities in 21 out of 31 NATO countries. This underscores their extensive reach and the consistent potential threat they pose to national security and economic stability.
  • High Value of Critical Infrastructure Access: The data shows that access to critical infrastructure sectors, as defined by CISA, commands notably higher prices in the cybercrime market. The average blitz price (“buy it now” price) for access in NATO countries is $6,396, significantly exceeding the average of $2,742 for other listings.
  • Focused Targeting by Threat Actors: There is a marked concentration by certain threat actors on critical infrastructure sectors. Actors like “Roblette” and “Sandocan” display a disproportionate focus on these areas, suggesting strategic targeting by cybercriminals for potentially higher financial gains and greater impacts.
  • U.S. Defense Sector as a High-Value Target: Our analysis indicates a clear trend of targeted cyberattacks on the U.S. defense sector. Access to U.S. defense contractors is priced on average at $5,750 for immediate purchase. This price point reflects the high value of these targets and suggests that threat actors recognize the significant impact of infiltrating defense-related systems.
  • Complexity and Challenges: The analysis underlines the complexity of the cybercrime ecosystem and the challenges in identifying and responding to security breaches. The cautious approach of sellers on forums like Exploit, who often withhold sensitive details to avoid victim identification, is an example of the ongoing cat-and-mouse game between cybercriminals, researchers, and law enforcement.

Snapshot of IAB Postings in NATO Countries

The anatomy of an IAB post, with slight variations in wording, typically includes:

  • Access Type: Usually RDP or VPN.
  • Activity: Victim company’s industry.
  • Revenue: Often sourced from data providers and services such as ZoomInfo.
  • Level / Rights: Level of privileges obtained.
  • Host / Network: Details about the victim’s network and security systems.
  • Start, Step, and Blitz: Auction prices detailing the starting, bid increments, and ‘buy it now’ prices, respectively.

Sample 01/06/2024 IAB post on the Exploit forum.
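The field anatomy above is regular enough to parse. The following Python script is an added example, not part of the Flare report or its tooling: it parses constructed posts written in that layout (both one field per line and the combined `Start / Step / Blitz` wording), normalises the dollar amounts, maps the Activity field to a CISA critical infrastructure sector through an assumed keyword table, and compares the average blitz price of critical-infrastructure access against the rest, which is the comparison the Key Findings draw. The posts, victims, prices and sector keywords are all invented.

```python
"""Parse IAB forum posts and compare blitz prices (added example).

Not part of the Flare report. The posts below are constructed to follow the
field anatomy the report describes; victims, prices and the keyword-to-sector
table are invented. CISA defines 16 critical infrastructure sectors; the
report does not publish its mapping, so the table here is an assumption.
"""
import re
from statistics import mean

# Assumed keyword -> CISA sector mapping (lower-case substring match).
SECTOR_KEYWORDS = {
    "energy": "Energy",
    "utilit": "Energy",
    "water": "Water and Wastewater Systems",
    "health": "Healthcare and Public Health",
    "hospital": "Healthcare and Public Health",
    "defense": "Defense Industrial Base",
    "defence": "Defense Industrial Base",
    "transport": "Transportation Systems",
    "financ": "Financial Services",
    "bank": "Financial Services",
}

_MONEY_RE = re.compile(r"\$?\s*([\d,]+(?:\.\d+)?)\s*(k|thousand|million|billion|m|b)?\b", re.I)
_MULTIPLIERS = {"k": 1e3, "thousand": 1e3, "m": 1e6, "million": 1e6, "b": 1e9, "billion": 1e9}
_LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?)\s*:\s*(.+?)\s*$")


def parse_money(text):
    """'$7,000' -> 7000; 'Over $4.5 million' -> 4500000; None if no amount."""
    m = _MONEY_RE.search(text)
    if not m:
        return None
    number = float(m.group(1).replace(",", ""))
    suffix = (m.group(2) or "").lower()
    return int(number * _MULTIPLIERS.get(suffix, 1))


def critical_sector(activity):
    """Return the assumed CISA sector for an Activity string, else None."""
    text = activity.lower()
    for keyword, sector in SECTOR_KEYWORDS.items():
        if keyword in text:
            return sector
    return None


def parse_post(text):
    """Turn a 'Key: value' style IAB post into a dict of normalised fields."""
    fields = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        key = re.sub(r"\s+", " ", m.group(1).strip().lower())
        value = m.group(2).strip()
        if key == "start / step / blitz":          # combined wording variant
            parts = [p.strip() for p in value.split("/")]
            for name, part in zip(("start", "step", "blitz"), parts):
                fields[name] = parse_money(part)
        elif key in ("start", "step", "blitz", "revenue"):
            fields[key] = parse_money(value)
        elif key == "activity":
            fields["activity"] = value
            fields["sector"] = critical_sector(value)
        else:                                        # access type, level, host, ...
            fields[key] = value
    return fields


def blitz_summary(posts):
    """Average 'buy it now' price for critical-infrastructure access vs the rest."""
    parsed = [parse_post(p) for p in posts]
    critical = [p["blitz"] for p in parsed if p.get("sector") and p.get("blitz") is not None]
    other = [p["blitz"] for p in parsed if not p.get("sector") and p.get("blitz") is not None]
    return {
        "critical_avg": mean(critical) if critical else None,
        "other_avg": mean(other) if other else None,
        "critical_count": len(critical),
        "other_count": len(other),
    }


# Constructed posts following the report's field anatomy (all values invented).
SAMPLE_POSTS = [
    """Access Type: VPN (Pulse Secure)
Activity: Energy, Utilities & Waste
Revenue: $120 million
Level / Rights: domain admin
Host / Network: 900 hosts, AV present
Start: $2,000
Step: $500
Blitz: $7,000""",
    """Access Type: RDP
Activity: Legal
Revenue: Over $4 million
Level / Rights: user
Host / Network: 150 PCs
Start: $200
Step: $100
Blitz: $900""",
    """Access Type: RDWeb
Activity: Healthcare & Hospitals
Revenue: $60 million
Level / Rights: local admin
Start / Step / Blitz: $1,000 / $200 / $5,000""",
    """Access Type: Citrix
Activity: Retail (Shop)
Revenue: $30 million
Level / Rights: user
Start: $500
Step: $100
Blitz: $1,500""",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(parse_post(post))
    print(blitz_summary(SAMPLE_POSTS))
```

Real posts vary more in wording than these four, so in practice the key normalisation and the money regex are the parts that need the most maintenance; the sector table should be replaced with an organisation’s own mapping before any price comparison is reported.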

To better understand the IAB threat landscape targeting entities in NATO member states, we present a snapshot of recent IAB sales from the Exploit forum. These sales, involving entities in 21 of the 31 NATO countries and primarily from the years 2023 and 2024, represent just a small sample of the multitude of IAB listings. Our search was limited to the Exploit forum, focusing exclusively on IAB sales and not other breaches like data leaks. As a result, some NATO countries are absent from this list. 

In the brief selection below, we have opted to provide summaries rather than include original postings, which often contain sensitive details and screenshots, such as real server and workstation names from federal and private entities in NATO countries. 

These sample summaries are a small part of the regular influx of IAB posts on cybercrime forums that Flare collects by the hour. Our overview aims to provide some insight into the diversity and reach of IAB activities affecting entities in NATO countries.

Belgium

  • Date: 01/12/2024
  • Industry: Commercial and Residential Construction
  • Revenue: $12.8 million
  • Technical: RDweb access (Microsoft’s Remote Desktop Web Client), limitations such as the disabling of PowerShell and CMD by the administrator.
  • Auction: Start $500, Step $50, Blitz $600
  • Notes: Access allows users to explore the network, “even the BACKUP folders.” 

Canada

  • Date: 01/11/2024
  • Industry: Legal
  • Revenue: $4.5 million
  • Technical: RDP “via Tunnel,” domain admin privileges, 3 domain controllers, 400 users, 170 PCs, Windows Server 2012 R2 Standard
  • Auction: Start $200, Step $100, Blitz $1,000
  • Notes: Includes hashes of all users, suggesting potential for extensive unauthorized access within the firm’s network. Quick sale closure within 6 hours for a buyer offering a bid of “Blitz + 200$.”

Croatia

  • Date: 07/04/2022
  • Industry: Plastics Product Manufacturing
  • Technical: RDP access with domain admin rights
  • Auction: Start $35, Blitz $50
  • Notes: On the same day, the threat actor responded to their own post writing that the sale had been “closed,” indicating a quick sale at the blitz price.

Denmark

  • Date: 12/23/2022
  • Industry: Business Services
  • Revenue: Over $5 million
  • Technical: RDWeb access, Windows Server 2012R2, Kaspersky Lab antivirus, 110+ PCs, MySQL database
  • Auction: Start $400, Step $100, Blitz $800
  • Notes: Transaction includes escrow service availability.

France & United Kingdom

  • Date: 01/15/2024
  • Industry: Various
  • Revenue: France entity over $45 million, UK entity over $500 million
  • Technical: Pulse Secure VPNs
  • Auction: Start $1,000, Step $200, Blitz $5,000
  • Notes: UK access offers admin rights and France with user rights. In the same posting, the threat actor is selling access to a South Korean company’s Pulse Secure VPN with a revenue surpassing a whopping $50 billion, also offered with user rights. The auction is time-constrained, closing 12 hours after the last bid. The threat actor emphasizes that bids should be serious: “Please do not offer if you do not have real buying intentions.”

Germany

  • Date: 12/18/2023
  • Revenue: Over $155 million
  • Technical: RDP access, 1,320 hosts, Sophos antivirus (turned off)
  • Auction: Start $1,000, Step $200, Blitz $5,000
  • Notes: This auction is time-sensitive, concluding 12 hours after the last bid.

Greece

  • Date: 12/17/2023
  • Industry: Broadcasting, Media & Internet
  • Revenue: $7 million
  • Technical: Shell access
  • Auction: Start $2,000, Step $500, Blitz $15,000
  • Notes: No sale after initial offer; price reduced twice due to lack of interest. The seller shares that this entity receives about 65,200 visitors per day, as per MuStat.com.

Hungary

  • Date: 12/12/2023
  • Industry: Retail (Shop)
  • Technical: FTP server access
  • Auction: Start $100, Step $50, Blitz $200
  • Notes: Full access to the shop’s FTP server. Seller encouraged interested parties with a reputable background to inquire about the domain name. Quick blitz sale within hours of posting.

Italy

  • Date: 01/11/2024
  • Industry: Energy, Utilities & Waste
  • Revenue: $154.3 million
  • Technical: Citrix access, over 1000 network computers
  • Auction: Start $3,000, Step $1,000, Blitz $6,000
  • Notes: The post included two screenshots: one displaying a PowerShell window with a sample list of workstations in the domain, and another showcasing sample folders on the network.

Luxembourg

  • Date: 07/09/2022
  • Industry: Likely Yachting
  • Technical: RDP access, user rights
  • Auction: Start $35, Blitz $70
  • Notes: Potential buyers were invited to message the seller for a screenshot of the access. Quick sale, with the listing closed the following day.

Netherlands

  • Date: 12/23/2023
  • Industry: Website Development
  • Revenue: $5 – $10 million
  • Technical: Root access to servers, FTP, hosting; Plesk with 120 domains
  • Auction: Start $1,500, Step $500, Blitz $3,000
  • Notes: The threat actor and seller’s name “pmc_vagner” likely refers to the private military company and Russian paramilitary organization the Wagner Group. Access to the Dutch company has not been sold despite a detailed offer.

North Macedonia

  • Date: 02/09/2023
  • Industry: Federal
  • Revenue: $34 million
  • Technical: Domain admin access, 271 hosts, Symantec antivirus
  • Auction: Start $1,000, Step $500, Blitz $3,000

Norway

  • Date: 01/04/2024
  • Industry: Marine Shipping & Transportation
  • Revenue: Approximately $1.1 billion
  • Technical: Citrix access
  • Auction: Start $2,000, Step $500, Blitz $5,000
  • Notes: Very high-revenue company, auction ends after the last bid or blitz purchase.

Poland

  • Date: 09/10/2023
  • Industry: Construction Materials and Sanitary Equipment
  • Revenue: $200 million
  • Technical: Windows Server 2008 R2, ESET antivirus, 3TB HDD, 20+ PCs
  • Auction: Start $700, Step $100, Blitz $1,500
  • Notes: User domain rights included, with an escrow service for added security.

Portugal

  • Date: 01/20/2024
  • Industry: Home Furniture
  • Technical: Magento (popular open-source e-commerce platform) access, 200,000 customers, 600 weekly orders
  • Auction: Start $300, Step $100, Blitz $700
  • Notes: The post includes an image displaying various payment methods accepted by the shop, including PayPal, VISA, and Klarna, among others. The listing specifies that there are no admin rights included, and that the buyer “Need to raise exploit” to gain further access.

Romania

  • Date: 06/16/2023
  • Industry: Electrical Equipment and Component Manufacture
  • Revenue: Estimated at $35 million
  • Technical: “VPN-RDP” access, 43 hosts, ESET antivirus 
  • Auction: Start $1,000, Step $250, Blitz $2,500
  • Notes: The seller, writing in Russian, mentioned their inability to find the Romanian company’s information on ZoomInfo and suggested that anyone with a “днб” (“dnb”) account, likely referring to Dun & Bradstreet (D&B), might be able to access this information. 

Slovakia

  • Date: 06/07/2023
  • Industry: Vehicles
  • Revenue: $25 million
  • Technical: Microsoft Office365 “admin user” and 120 email accounts
  • Auction: Start $100, Step $50, Blitz $1,500
  • Notes: The Slovakian company is an authorized service center for various brands including VW, Škoda, SEAT, Jeep, Toyota, Cadillac, Corvette, Camaro, and many others.

Spain

  • Date: 12/19/2023
  • Industry: Software License Sales
  • Technical: RDP “via Tunnel,” Windows Server 2016, Cortex XDR security solution, 162 PCs, 537 users
  • Auction: Start $300, Step $100, Blitz $1,000
  • Notes: Access includes both “Enterprise Admin” and “Domain Admin” rights.

Turkey

  • Date: 07/17/2023
  • Industry: Banking & Finance
  • Revenue: $31 million
  • Technical: “Domain Admins” rights, Symantec antivirus
  • Auction: Start $500, Step $100, Blitz $1,000
  • Notes: Sale restricted to PM or Jabber for Russian speakers only.

United States

  • Date: 01/21/2024
  • Industry: Telecommunications
  • Revenue: $75 million
  • Technical: Enterprise admin access within domain controller
  • Auction: Start $3,000, Step $550, Blitz $6,000
  • Notes: Just six minutes after the listing was posted, a forum user expressed immediate interest in this high-value access and requested a “Blitz (checking via escrow)” purchase.

Exploit Case Study 

Background

Exploit is a Russian-language hacking forum established in the mid-2000s that has gained notoriety in the cybercrime world for enabling the exchange of information and services among a wide range of cybercriminals, from beginners to experts. This forum serves as a marketplace for various illicit digital goods, including botnets, unauthorized system access, stolen credit card details, ransomware, and phishing kits. As of late 01/2024, Exploit boasts a membership of approximately 61,000, with around 1.34 million posts across over 213,000 topics.

Exploit forum’s homepage, screenshot as of 01/2024.

Within the forum’s diverse structure, the “Commerce” section is particularly relevant, where IABs are notably active. These brokers offer unauthorized access to various systems and networks. Not only do IABs sell their access, but they also often make custom requests for access to specific countries or regions. For instance, a post from 11/2023 explicitly seeks network access in France and Germany, stating: “I will buy France and Germany Network Access with any type of privilege. I provide the best offer in the forum. First contact in PM.”

Sellers on Exploit typically adopt a cautious approach, frequently withholding sensitive details to prevent victim identification by researchers or law enforcement. In a 01/2024 post, when a seller was asked about the state and specific location of a U.S. company they were offering access to, they responded: “i can’t provide this information! Protection against researchers Sorry!” Similarly, another seller offering access to a Swedish company with over $500 million in revenue stated: “Because of researchers and police, I’ll keep some details private for serious buyers.” Another seller offering Citrix access to a “HUGE BRAZIL DATA CENTER” quickly replied to an inquiry for more details about the company, saying: “PM for additional info, don’t ask for the site name publicly.”

These are just a few examples of the complexity of the cybercrime ecosystem, as well as the challenges faced by researchers and potential victim entities in identifying and responding to potential security breaches.

Exploit forum’s “Commerce” section, screenshot as of 01/2024.

Findings

We conducted a case study after collecting 438 IAB listings from Exploit between August 2022 and September 2023. While we initially collected data from other hacking forums similar to Exploit, like XSS and Ramp, we noticed significant redundancy in postings across these platforms, with threat actors often replicating their listings to increase the likelihood of a sale. Due to this redundancy and Exploit’s active user base, we concentrated on the Exploit forum alone.

We classified organizations as critical infrastructure following CISA’s taxonomy, which defines 16 sectors so vital that their “incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety.” The data included post date, actor name, victim revenue, industry, auction prices, access type, and level of access. Exclusions were made where geography or industry details were missing. Our research aimed to determine whether there is disproportionate targeting of NATO countries’ critical infrastructure or not, examining IAB posts and prominent threat actors. 

Note: Our research was based exclusively on self-claimed compromises of critical infrastructure and forum postings by threat actors, without independently verifying the legitimacy of these listings. 

Our analysis indicates a trend of targeted cyber attacks on the critical infrastructure of NATO countries. Through a detailed examination of various recent online listings, we identified 64 that correspond to the critical infrastructure sectors as defined by CISA, accounting for approximately 15% of all listings analyzed. While our findings do not reveal concrete proof of threat actors directly selling access to these infrastructures to hostile nations, the patterns we observed are nonetheless concerning.

IAB listings advertising critical infrastructure access sold for more than double the average IAB listing price. The average blitz price for NATO country infrastructure was $6,396, compared to $2,742 for all listings. Employing the Interquartile Range (IQR) method to eliminate outliers, we found the average selling price for critical infrastructure was still higher: $1,782 versus $1,420 for non-critical infrastructure.
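To show the outlier step concretely, here is an added Python example (written for this edit, not code from Flare’s report) that applies the IQR rule to the blitz prices of the twenty listings summarized above; gathering them into one list is a constructed illustration, so the resulting averages are not the report’s own figures.

```python
from statistics import mean
from typing import Dict, List, Tuple

# Constructed input: the 20 blitz prices from the IAB listing summaries earlier
# in this report, gathered into one list purely for illustration.
BLITZ_PRICES = [600, 1000, 50, 800, 5000, 5000, 15000, 200, 6000, 70,
                3000, 3000, 5000, 1500, 700, 2500, 1500, 1000, 1000, 6000]


def _median(xs: List[float]) -> float:
    """Median of an already-sorted list."""
    m = len(xs) // 2
    return xs[m] if len(xs) % 2 else (xs[m - 1] + xs[m]) / 2


def quartiles(values: List[float]) -> Tuple[float, float]:
    """Q1 and Q3 as the medians of the lower and upper halves.

    This is the common "median of halves" convention (the overall median is
    excluded from both halves when n is odd); other quartile conventions give
    slightly different cut-offs on small samples.
    """
    s = sorted(values)
    n = len(s)
    if n < 4:
        raise ValueError("need at least four values to compute quartiles")
    return _median(s[: n // 2]), _median(s[(n + 1) // 2:])


def iqr_filter(values: List[float], k: float = 1.5) -> Tuple[List[float], List[float]]:
    """Split values into (kept, dropped) using the Q1 - k*IQR .. Q3 + k*IQR fence."""
    q1, q3 = quartiles(values)
    spread = q3 - q1
    lo, hi = q1 - k * spread, q3 + k * spread
    kept = [v for v in values if lo <= v <= hi]
    dropped = [v for v in values if v < lo or v > hi]
    return kept, dropped


def price_summary(values: List[float]) -> Dict[str, object]:
    """Raw mean next to the IQR-trimmed mean, plus whatever the fence removed."""
    kept, dropped = iqr_filter(values)
    return {
        "raw_mean": round(mean(values)),
        "trimmed_mean": round(mean(kept)),
        "dropped": dropped,
    }


if __name__ == "__main__":
    # A single $15,000 listing pulls the raw average up by several hundred dollars.
    print(price_summary(BLITZ_PRICES))
```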

NATO Country IAB

We then analyzed individual threat actors’ focus on critical infrastructure. Of all posts, approximately 15% included NATO critical infrastructure access. Among 108 unique actors, a few showed disproportionate activity. ‘Prolific’ actors, with over 15 posts, had a baseline critical infrastructure targeting rate of 12.4%. Notably, “Roblette” targeted critical infrastructure in 29% of their posts, and “Sandocan” in 25%. 

Analysis of our dataset indicates that 35% of all posts targeted victims in the U.S. Both threat actors exceeded this rate: “Roblette” targeted U.S. companies in 57% of posts and NATO countries in 94%, while “Sandocan” targeted U.S. companies in 53% of posts and NATO countries in 71%. The latter percentage rises to 93% if we include NATO-allied countries or “enhanced opportunities” partners like Australia. 

NATO Country IAB

The chart above includes another actor we analyzed, Nixploiter, who has dozens of listings, to provide an additional point of comparison.

We then focused our analysis on a specific subset of IAB posts that target the U.S. defense sector. Following our review, and considering both the context of recent high-profile attacks – some of which stemmed from improper password use and hygiene – and the consistent influx of fresh infostealer malware logs that Flare collects and analyzes daily (millions per week), including logs containing official government and high-profile government contractor credentials, we assess:

  • Certain threat actors deliberately target critical infrastructure and defense sectors. They are motivated by the sectors’ significant roles in national security, which allows such access to command higher prices for the threat actors.
  • Conversely, other incidents appear to be incidental, arising from widespread phishing and social engineering campaigns and enabled by tactics like credential stuffing or password spraying.

In our review of hundreds of posts, listings, and discussions on Exploit, pertaining to defense contractors and companies, we came across numerous instances where IABs and forum users were explicitly targeting the defense sector, as evidenced by their postings. We also saw posts that highlighted the value of accessing companies with government connections, as per threat actors’ vocabulary when describing fresh access and sales with great enthusiasm. Notable findings from analyzing this subset of IAB data include:

  • Access to U.S. defense contractors is priced at an average of $5,750 for immediate purchase, in stark contrast to an average of $1,489 for all other industries (after removing outliers). This disparity suggests that threat actors are willing to pay a premium for potential access to highly sensitive environments.
  • Offers of privileged IT access to American IT management companies with federal contracts were observed, raising concerns about the potential for a wider-scale impact and the possibility of expanded cyber supply chain attacks.
  • Threat actors frequently and explicitly promote access to U.S. government digital assets, suggesting they recognize the value of accessing high-level privileged information.

Conclusion

IABs target a diverse range of entities, including those belonging to critical infrastructure sectors in NATO member states. No organization is immune to the threat of infiltration, and so in light of this pervasive threat, we recommend the following:

  • Actively monitor forums that enable IABs: It is crucial for organizations to actively monitor forums such as Exploit to detect potential compromises. Given the anonymized nature of IAB postings and cautiousness of sellers, it is often difficult to determine an exact victim. However, since threat actors often use publicly available services like ZoomInfo for victim description, analyzing differences in postings – such as geography, revenue, industry, and especially technical details like number of hosts, sample usernames, antivirus solutions, etc. – can provide insights into potential compromises within their environments. This proactive approach facilitates early detection, allowing organizations to address existing breaches before they escalate into ransomware or other undesirable malicious activities.
  • Actively monitor stealer logs: Leaked credentials and cookies from stealer logs can be a common vector for IABs to gain initial access. Organizations should implement automated systems to monitor fresh logs, which often contain information like RDP and VPN credentials, as well as local network IP credentials that can assist in internal post-compromise pivoting. It is crucial to act immediately upon detecting these leaked credentials and infected devices – before an IAB potentially does. This detection should extend across both public and private channels on Telegram and include premium paid logs from surface and dark web marketplaces, such as “Russian Market.”
  • General security: Organizations should continuously assess and update their security measures. This includes regular vulnerability scanning, patch management, and the implementation of multi-factor authentication to strengthen their security posture. Additionally, training employees to recognize and respond to cyber threats is essential in reducing the risk of successful phishing attacks and other social engineering tactics frequently used by IABs.
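As an added illustration of the first recommendation (example code written for this edit, not Flare’s tooling), the following Python parses listing summaries in the layout used earlier in this report and scores them against a hypothetical organization profile; the profile values, the keyword lists and the scoring weights are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: three listing summaries from this report, in the
# same "Country / • Field: value" layout used above.
SAMPLE_LISTINGS = """\
Romania

  • Date: 06/16/2023
  • Industry: Electrical Equipment and Component Manufacture
  • Revenue: Estimated at $35 million
  • Technical: “VPN-RDP” access, 43 hosts, ESET antivirus
  • Auction: Start $1,000, Step $250, Blitz $2,500

Spain

  • Date: 12/19/2023
  • Industry: Software License Sales
  • Technical: RDP “via Tunnel,” Windows Server 2016, Cortex XDR security solution, 162 PCs, 537 users
  • Auction: Start $300, Step $100, Blitz $1,000

Germany

  • Date: 12/18/2023
  • Revenue: Over $155 million
  • Technical: RDP access, 1,320 hosts, Sophos antivirus (turned off)
  • Auction: Start $1,000, Step $200, Blitz $5,000
"""

# Keyword lists (an assumption for this example) covering the Technical fields above.
SECURITY_VENDORS = ("cortex xdr", "sophos", "eset", "kaspersky", "symantec")
ACCESS_TECH = ("rdweb", "rdp", "citrix", "vpn", "ftp", "shell", "magento", "office365", "plesk")


@dataclass
class Listing:
    country: str
    fields: Dict[str, str] = field(default_factory=dict)
    hosts: Optional[int] = None
    vendor: Optional[str] = None
    access: Set[str] = field(default_factory=set)
    os: Optional[str] = None


@dataclass
class OrgProfile:
    """What a defender knows about their own environment (constructed example)."""
    country: str
    hosts: int
    vendor: str
    access: Set[str]
    os: str


def _extract_technical(listing: Listing) -> None:
    """Pull host count, security vendor, access technologies and OS out of the free-text Technical field."""
    tech = listing.fields.get("Technical", "").lower()
    m = re.search(r"(\d[\d,]*)\+?\s*(?:hosts|pcs|network computers)", tech)
    if m:
        listing.hosts = int(m.group(1).replace(",", ""))
    listing.vendor = next((v for v in SECURITY_VENDORS if v in tech), None)
    listing.access = {t for t in ACCESS_TECH if t in tech}
    m = re.search(r"windows server \d{4}(?:\s?r2)?", tech)
    if m:
        listing.os = m.group(0)


def parse_listings(text: str) -> List[Listing]:
    """Split the summary text into Listing objects; a non-bullet line starts a new listing."""
    listings: List[Listing] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•") and listings:
            key, _, value = line[1:].partition(":")
            listings[-1].fields[key.strip()] = value.strip()
        else:
            listings.append(Listing(country=line))
    for listing in listings:
        _extract_technical(listing)
    return listings


def score_listing(listing: Listing, profile: OrgProfile) -> Tuple[int, List[str]]:
    """Score how closely a listing resembles the profile; the weights are an assumption."""
    score = 0
    reasons: List[str] = []
    if listing.country.lower() == profile.country.lower():
        score += 3
        reasons.append("country matches")
    if listing.vendor and listing.vendor == profile.vendor.lower():
        score += 2
        reasons.append(f"security vendor {listing.vendor}")
    if listing.hosts and abs(listing.hosts - profile.hosts) <= 0.2 * profile.hosts:
        score += 2
        reasons.append(f"host count {listing.hosts} within 20% of {profile.hosts}")
    if listing.os and listing.os == profile.os.lower():
        score += 1
        reasons.append(f"OS {listing.os}")
    for tech in sorted(listing.access & {a.lower() for a in profile.access}):
        score += 1
        reasons.append(f"access via {tech}")
    return score, reasons


def rank_matches(listings: List[Listing], profile: OrgProfile, threshold: int = 5) -> List[tuple]:
    """Return (country, score, reasons) for listings at or above the threshold, best first."""
    scored = [(l.country, *score_listing(l, profile)) for l in listings]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: s[1], reverse=True)


# Constructed profile: an organization whose environment resembles the Spain listing.
EXAMPLE_PROFILE = OrgProfile(country="Spain", hosts=160, vendor="Cortex XDR",
                             access={"RDP"}, os="Windows Server 2016")

if __name__ == "__main__":
    for country, score, reasons in rank_matches(parse_listings(SAMPLE_LISTINGS), EXAMPLE_PROFILE):
        print(f"{country}: score {score} ({'; '.join(reasons)})")
```

A real deployment would feed the same scorer with listings collected continuously and tune the threshold so that a plausible match triggers a review rather than an alert on every RDP listing.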

About Flare

The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and illicit Telegram channels 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.

Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools.


The post Initial Access Broker Landscape in NATO Member States on Exploit Forum appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

Dark Web Drama: LockBit and the AN Security Breach Saga
https://flare.io/learn/resources/dark-web-drama-lockbit-and-the-an-security-breach-saga/
Tue, 30 Jan 2024 16:42:09 +0000

The post Dark Web Drama: LockBit and the AN Security Breach Saga appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

by Tammy Harper (CYPFER) & Eric Clay (Flare)

Background

An out-of-place data leak appears.

The dark web is no stranger to drama. Threat groups often collude, fight, and attempt to expose each other. This past week witnessed a notable example of such conflict, involving a confrontation between the LockBit ransomware group and a threat actor known as KonstLiv3. This strife led to an explosion of drama across the Russian-language dark web cybercrime forums XSS and RAMP. But what caused this dissension?

There are few rules that Russian threat actors are expected to follow. However, one crucial, non-negotiable, and immutable rule is that threat actors must never target entities belonging to Russia or any country in the Commonwealth of Independent States (CIS). These countries include, in addition to the Russian Federation, Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, and Uzbekistan.

So, what happens when a threat actor disregards this rule? What happens if a threat actor attempts to sell a massive data dump from a significant multinational Russian company, which has ties to the Russian government and Russian intelligence services?

Last week provided a compelling example of this.

AN Security[.]ru Allegedly Breached 

The saga began when KonstLiv3 posted on the invite-only dark web forum RAMP, claiming to have breached a multinational Russian physical and cybersecurity firm, AN-Security[.]ru (hereinafter referred to as “AN Security”). The threat actor alleged they had accessed a substantial trove of data and were trying to sell it for a staggering 100 BTC, approximately $4.3 million USD at the time of writing. Within hours, fellow RAMP users were calling for KonstLiv3’s ban. The RAMP moderators responded to these demands, resulting in KonstLiv3’s ban within nine hours.

KonstLiv3’s claim of breaching Russian security services company AN Security. Monday, Jan 22, 2024, 3:33AM

A RAMP user, writing in Russian, demands KonstLiv3’s ban. A RAMP moderator then acknowledges that “work,” a euphemism for malicious activity, is “Forbidden” against CIS countries, before proceeding to ban KonstLiv3. Monday, Jan 22, 2024, 9:23AM, 11:14AM

LockBit Enters the Chat

Hours later, LockBitSupp, the primary public-facing account operating the LockBit ransomware-as-a-service (RaaS) platform, expressed significant concern on the prominent Russian-language forum XSS. They feared being framed for the attack on AN Security. The perpetrator of the attack had allegedly utilized a leaked version of LockBit 3.0, also known as “LockBit Black,” a more modular and evasive variant of LockBit’s previous ransomware.

LockBitSupp claimed to have reached out directly to an employee at AN Security, who supplied them with the ransom note allegedly left with the organization, which directly implicated LockBit in the attack. For LockBit, this was alarming news. Much of the cyber threat intelligence community believes that LockBit operates primarily out of the Russian Federation. However, a major breach had just occurred at an entity directly associated with the Russian state, allegedly by a LockBit affiliate.

LockBitSupp’s response on XSS to the insinuation that LockBit was involved in the AN Security breach. Monday, Jan 22, 2024, 9:10:12PM

Shortly after LockBitSupp’s post, XSS user alex778 commented, describing AN Security as: “a very fat and very old St. Petersburg PSC [private security company] from the dashing 90s. Whether it is so fat that citizen LockBit will now be poisoned with polonium… It definitely looks like a setup.” A few hours later, LockBitSupp returned to XSS with an update. They alleged that the user Signature was behind the setup.

LockBitSupp, the primary public-facing account of LockBit, accuses CL0P of orchestrating the attack and framing them. Tuesday, Jan 23, 2024, 5:59AM

Signature was a user on Exploit, another infamous Russian-language forum specializing in initial access, and the sale of exploits and malware. LockBitSupp made some astounding allegations. Firstly, LockBit claimed that Signature was the owner of the CL0P ransomware gang. CL0P, a notorious group with connections to FIN7, also known as the Carbanak Group, gained significant prominence last year after exploiting the MOVEit (CVE-2023-34362) and GoAnywhere (CVE-2023-0669) vulnerabilities, targeting hundreds of organizations worldwide and resulting in over $100 million in ransom demands.

LockBitSupp and Signature had a history on Exploit. They attempted a few deals, but these fell through when Signature refused to use the main escrow on Exploit, leading to a ban from the forum. This allegedly angered Signature, leading them to use a leaked build of the LockBit Black builder to attack AN Security. Signature allegedly encrypted their network, exfiltrated over 5TB of data, and offered it for sale on XSS, RAMP, and BreachForums. In response, LockBitSupp placed a bounty on the XSS forum for any information leading to the personal identification of Signature. Over the next few days, the forum buzzed with activity as users tracked down potential usernames and TOX IDs. 

The well-connected actor Bratva posted a thoroughly compiled list of users potentially connected to Signature.

Bratva (a term for Russian mafia) posts usernames they believe are associated with Signature.

Another user, lisa99, presented an analysis of the news site used to verify the breach’s authenticity. The domain cybernewsint[.]com was registered on December 17th, 2023, just a few weeks before the initial data leak posts began to surface online.

The earliest news article on cybernewsint.com is dated January 9th, 2024. Lisa99 also pointed out that the website is linked to vk[.]com/dailyhackernews and the admin vk[.]com/sozdam_sayt. This admin is identified as: “a certain redacted,” whose profile mentions: “I make websites [for] order,” before lisa99 concludes that: “Apparently this site was ordered for him too.”

Lisa99 posts on BreachForums, sharing the results of their initial investigation into the news site.

LockBit Increases the Bounty

LockBitSupp, frequently boasting about their OPSEC and ability to elude international justice, has taken a unique approach to deter detection and personal identification. They have established a bounty on their own identity, offering $1 million USD in cryptocurrency to anyone who can provide their full name and explain the method used to uncover it. In a notable move, LockBitSupp has now raised this bounty from $1 million USD to $10 million USD. This substantial increase either signifies growing concerns over their own anonymity, or is simply a technique to establish and prove ‘innocence.’

LockBitSupp announces an increase in the bounty on their own identity in a post on XSS.

This tenfold increase in their self-imposed bounty might also serve to reassure affiliates and core members of the LockBit group, especially in light of the extra scrutiny brought about by this alleged breach. LockBitSupp has a history of making similar offers, including incentives for getting LockBit tattoos, rewards for finding vulnerabilities on the LockBit site, and other bounties related to their identity.

Breakdown and Analysis

With the basic facts laid out, several aspects of this episode merit further exploration. A primary question arises: Did Signature, allegedly the leader of CL0P, attempt to weaponize the Russian state against a competing ransomware group? Furthermore, what does this incident reveal about the broader cybercrime ecosystem?

Inconsistencies Abound

This conflict is riddled with oddities. Firstly, it’s peculiar that an actor, active on top-tier dark web forums since at least 2022, would deliberately target and publicize data from a Russian state-affiliated entity. Such a move is highly unusual and almost inconceivable. Signature would surely be aware that targeting CIS country organizations is strictly forbidden, and it is improbable to find a buyer under these circumstances. 

A Fake News Site?

Another bizarre element is the possible creation of a fake cyber news site, still operational at the time of this writing, seemingly to legitimize an attack that occurred. If the attack was fabricated, did LockBitSupp post a fake ransomware note from the affected AN Security? Additionally, one would expect any party ready to make a massive $4.3 million payment to verify the news site’s authenticity.

Data Size Inconsistency Across Forums

KonstLiv3’s actions and timeline also raise questions. Initially, they listed the data exclusively on the RAMP forum and were banned hours later. They then moved to XSS, followed by the English-language BreachForums. There are two notable points:

  • The exorbitant asking price, in a market where data dumps typically sell for $5,000-$100,000, suggests the posts might have been more about publicizing the breach of a major Russian company than actually selling the data.
  • KonstLiv3’s post on BreachForums was nearly identical to their RAMP forum post, except that the data size dropped by 1TB while the price remained at 100 BTC. One possibility is that part of the dataset was sold, or that AN Security (or another entity) paid to prevent the publication of the most sensitive data. It is also likely that the sloppy user simply forgot to align the data size across forums.

The final post on BreachForums advertises access to AN Security, with the sale price unchanged but a noticeable 1TB decrease in the claimed data size (originally “~5TB” on other forums)

The Russian State and Cybercrime

A key takeaway from this event is the importance that the illicit cybercrime community places on the rule against targeting entities in CIS countries. Breaking this rule jeopardizes all involved parties. Forum admins are responsible for the community’s welfare, and users attracting undue attention can endanger the forum’s security.

Ransomware groups operate within a narrow band of tolerance. Attacking highly sensitive targets in NATO countries risks drawing national government and law enforcement attention, as seen in the Colonial Pipeline 2021 attack. Targeting organizations within CIS countries is strictly forbidden, and the ability of Russian authorities to press charges against cybercriminals in Russia is significantly stronger than that of Western countries.

Even in the cybercrime underground, content moderation is crucial.

Image Credits

https://twitter.com/3xp0rtblog/status/1750469704773161244

https://twitter.com/azalsecurity/status/1749637667577356335

https://twitter.com/3xp0rtblog/status/1750521829847187797

https://twitter.com/azalsecurity/status/1749637667577356335/photo/3

https://twitter.com/ddd1ms/status/1750560454932385848

https://twitter.com/azalsecurity/status/1750565920806727973/photo/1

Crowdsourced DDoS Attacks Amid Geopolitical Events
https://flare.io/learn/resources/crowdsourced-ddos-attacks-amid-geopolitical-events/
Tue, 16 Jan 2024 16:45:13 +0000

The post Crowdsourced DDoS Attacks Amid Geopolitical Events appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

by Zaid Osta, CTI Analyst

This report explores the rising trend of crowdsourced distributed denial-of-service (DDoS) attacks within the context of recent geopolitical events, examining case studies from the ongoing Russia-Ukraine and Israel-Hamas conflicts.

Download the full report PDF

Key Findings 

  • Overall Trend: The crowdsourcing attack model differs from traditional DDoS attacks carried out by well-funded and sophisticated threat actors, primarily in terms of its accessibility. Threat actors with limited resources and minimal technical expertise can now contribute to significant attacks against private businesses and government agencies, using open-source tools and the support of a network of volunteers driven by shared political beliefs.
  • Increasing Sophistication: We see crowdsourced attacks becoming increasingly sophisticated as threat groups implement leaderboards, financial rewards, and other incentives in order to motivate individual actors to participate. This fits the broader trend of growing commoditization we see in the cybercrime ecosystem. 
  • IT Army of Ukraine: A volunteer-based collective formed in response to the Russian invasion of Ukraine, targeting Russian digital assets. They utilize open-source DDoS tools, with installation and usage guidance on their website, and employ a leaderboard to gamify and track participants’ contributions, adding a competitive element to cyberattacks.
  • DDoSia by NoName057(16): Supporting Russia in the conflict, DDoSia has witnessed rapid expansion with its unique model of offering financial incentives. Volunteers are compensated in cryptocurrency, based on their contribution to DDoS attacks against American and European digital assets, attracting both ideologically motivated individuals and those seeking to profit from cybercrime.
  • Cyber Army of Palestine: Established in response to Israel’s military operation in Gaza, this group organizes thousands of volunteers, coordinating their efforts in successful anti-Israel DDoS campaigns. They use a Windows-based attack tool named after Hamas’ October 7th attack on Israeli cities. Analysis of the tool’s source code indicates that it is a recycled version of the IT Army of Ukraine’s UAshield tool. The group features a Hamas-themed ranking system, incentivizing participation by linking successful DDoS contributions to ranks of key Hamas figures, including bomb makers and senior military commanders assassinated by Israel.

Introduction

DDoS attacks involve a large network of devices or compromised systems, often known as a botnet, flooding a target with excessive internet traffic to deny availability. These attacks have become increasingly common in recent years as a result of rising tensions and conflicts between nation states. Rather than being tools solely wielded by highly sophisticated actors, these attacks have increasingly become the domain of moderately skilled attackers, or even novices, who exploit geopolitical tensions and conflicts to target victim organizations. This trend signifies a sea change in cyber warfare: the barrier for impactful attacks is lower, while the ability to exploit politically charged events for disruptive purposes is both high and evident.

An example of this escalating threat is seen in Latvia’s response to the pro-Russia hacktivist collective Killnet. Following a series of DDoS attacks against Latvian parliamentary web services, Latvia officially designated Killnet as a terrorist organization, underscoring the serious nature of such attacks and their fusion with geopolitics. 

Similarly, in July 2023, the Kenyan government experienced a large, politically driven DDoS attack launched by Anonymous Sudan, which disrupted nearly 5,000 government services for almost a week. The attack, framed by the group as retaliation for perceived Kenyan interference in Sudanese affairs, affected critical operations, including the processing of passport applications, the issuing of e-visas for foreigners, and train-booking systems. This example shows how much disruption even relatively low-sophistication DDoS attacks can cause.

The increasing prevalence of crowdsourced DDoS attacks represents a new trend in the realm of geopolitically driven hacktivism. These attacks leverage the collective power of many individuals and their systems, who are sympathetic to the cause of the threat actor and are aligned with the threat actor’s political views. 

As a result, these attacks require no special skills, such as developing malware, compromising devices, and assembling the hacked systems into a botnet. They only require some coordination and enough participants to temporarily take down a website or service. This report will explore recent case studies of crowdsourced DDoS attacks, from Eastern Europe with the Russia-Ukraine conflict, to the Middle East with the Israel-Hamas conflict. In some cases, we see actors leveraging leaderboards, payments, and other incentives to encourage greater participation in these attacks. 

Russia-Ukraine Conflict: IT Army of Ukraine & DDoSia

On February 24, 2022, Russia launched a military invasion of Ukraine, marking the largest attack on a European country since World War II. In response, the “IT ARMY of Ukraine” (hereinafter referred to as the “IT Army”) was launched. Just two days after the invasion, on February 26, 2022, the IT Army made its first appearance with a Telegram channel. Their inaugural post reached out to “IT specialists from other countries,” soliciting support for “cyber and DDoS attacks” against a range of Russian digital assets. 

This initial call to action included a list of prominent Russian business, bank, and state service websites, such as Gazprom, Yandex, and the Kremlin. Later that day, the IT Army posted two IP addresses linked to Gosuslugi, Russia’s official internet portal for government services. Just 13 minutes after this post, the IT Army announced a successful DDoS attack on the Gosuslugi service, claiming their volunteers took it down in “just 1 minute.” 

Screenshots depicting the first post on the IT Army’s official Telegram channel (left), and a congratulatory message posted by the IT Army (right) with images indicating the temporary unavailability of prominent Belarusian websites. [Source: Telegram]

The momentum continued the following day with the IT Army shifting its focus to Belarusian websites, identified by their “.by” country code top-level domain, likely in response to Belarus’ support for Russia in the war. This strategy quickly yielded results again, as several targeted Belarusian websites were taken down, and a congratulatory post was shared on the IT Army’s channel with proof of HTTP connection failures to the websites.

This model of operation, which involved publicly sharing target domains and IP addresses along with their respective port numbers, and then displaying screenshots as proof of successful takedowns, continued for several months with successful back-to-back DDoS attacks. During this period, however, the IT Army was developing custom tools and a website to streamline future attacks. According to a WHOIS lookup, the IT Army’s official website was registered on April 5, 2022, two weeks before the IT Army first publicly announced it.

According to their stated mission, the IT Army “aims to help Ukraine win by crippling aggressor economies, blocking vital financial, infrastructural and government services, and tiring major taxpayers. We also stop hostile media propaganda and spread truth about the war. We want every resident of aggressor countries to feel and tire from their state’s aggression.”

The website describes the IT Army as “a worldwide IT community united to resist the Russian invasion to Ukraine. We are supreme power in Ukraine capable to block over 800 targets simultaneously… keep using automated systems to harass websites and internet services of the country-aggressor. This website is made to provide guidelines for joining our resistance even if you are very rookie in technologies.”

That last sentence is exactly why crowdsourcing DDoS attacks is concerning: even a “rookie in technologies” can contribute effectively to an attack.

The IT Army’s website offers detailed guidance on conducting DDoS attacks against designated targets. It presents a range of tools, encouraging users to try them out to find the most suitable one for them. The website emphasizes running these tools on a virtual private server (VPS), to avoid overloading the volunteer’s local network and to increase attack efficiency with better resource availability. It provides specific guidelines for various operating systems, including Windows, Linux, and Mac. It also advises users to disable their antivirus software prior to installing the tools: “Our Russian foes leveraged antivirus software to consider DDoS potentially unsecured hence blocked.” 

Screenshot depicting the homepage of the IT Army’s official website. [Source: IT Army]

The IT Army assures volunteers that the recommended tools — MHDDoS, DB1000N, Distress, UKITA, and UAshield — are safe, claiming: “Our tools do not contain any harmful components for your cybersecurity.” Detailed instructions cover each tool’s installation, optimal tool settings, and tips on using VPNs for improved attack performance and enhanced anonymity. Here is an overview of the tools facilitating the IT Army’s crowdsourced DDoS attacks:

  • MHDDoS
    • MHDDoS is a DDoS tool with a “user-friendly” interface that does not require a VPN, as it “automatically downloads and selects working proxies.”
  • DB1000N (Death by 1000 Needles)
    • DB1000N is a Go-based DDoS tool, described by its Ukrainian author as “a simple distributed load generation tool.” The author adds: “Feel free to use it in your load tests (wink-wink).” On the tool’s documentation page, the author explains the motive behind writing the tool: “On 24th of February Russia has launched a full-blown invasion on Ukrainian territory. We’re doing our best to stop it and prevent innocent lives being taken.”
  • Distress
    • Distress is a Rust-based DDoS tool written by a “Senior Java Software Engineer” currently residing in Kyiv, Ukraine, as per his LinkedIn profile. Another contributor to the tool is a “15-year-old Web Developer from Ukraine,” as per his GitHub profile.
  • UKITA (Ukraine IT Army Installer)
    • UKITA is an all-in-one suite of the above DDoS tools, available for Windows only.
  • ADSS (Automatic DDoS Server Starter)
    • ADSS is a shell script designed for Linux. It automates tasks such as self-updating, determining the OS version, and installing DDoS tools. It also installs a firewall and sets MHDDoS to start automatically during Linux boot.
  • UAshield
    • UAshield is yet another DDoS tool, self-described on its GitHub repository page as: “Voluntary Ukraine security platform to protect us from Russian forces in the Internet.”

Screenshot depicting the UKITA Windows installer. [Source: IT Army]

Screenshot depicting the UAshield interface for Windows. [Source: IT Army]

For effective attack coordination, the IT Army automates target selection, allowing volunteers to simply focus on tool deployment. An interesting feature of the IT Army’s setup is the tracking of per-user attack traffic. A Telegram bot assigns an anonymous ID to each volunteer, enabling them to monitor their individual impact on the DDoS attacks. Instructions explain how to obtain this ID and configure it in the DDoS tools, and the “Leaderboard” section on the website, updated every 7 minutes and posted weekly to Telegram, showcases these statistics. This approach introduces a gamified and competitive element to volunteering in DDoS attacks.

Screenshot depicting the IT Army Leaderboard, where “littlest_giant” secures the number 1 spot, having unleashed a staggering 412 TB of DDoS traffic on IT Army targets, using 409 Linux-based machines. [Source: IT Army]

On the other side of the Russia-Ukraine conflict in the realm of crowdsourced DDoS attacks is DDoSia. This cybercrime project is operated by the pro-Russian hacktivist group “NoName057(16)” (hereinafter referred to as “NoName”), which began its DDoS attacks in early 2022. NoName has attracted considerable attention due to its frequent disabling of prominent websites belonging to American and European private businesses, media outlets, and government agencies. As of December 2023, NoName’s primary Russian-language Telegram channel has reached nearly 60,000 subscribers.

Since its inception, the DDoSia project has seen remarkable growth, expanding by 2,400% in less than a year. Originally developed in Python and initially exclusive to Windows, DDoSia has since broadened its compatibility to include versions for Windows, Linux, and Mac, as of the November 30, 2023, distribution of the tool. Like the IT Army with its statistics bot, NoName automates participation through Telegram bots and a leaderboard. However, DDoSia stands out by offering financial incentives, attracting not only those ideologically aligned with NoName’s anti-Western and pro-Russian stance, but also opportunists interested in monetizing cybercrime.

NoName has used a distributed payout model to reward the “most active fighters of the DDoSia Project,” as stated in a Telegram post by the group. This model’s rewards are based on the number of “successful attacks” (likely successful HTTP requests to target websites), and paid in cryptocurrency at the exchange rate on the day of payment. The rewards according to NoName are 80,000 rubles ($882) for 1st place, 50,000 rubles ($551) for 2nd place, 20,000 rubles ($220) for 3rd place, and a proportional division of 50,000 rubles ($551) among 4th to 10th place users.

Under a per-user reward system, new DDoSia members provide a TON (Telegram Open Network) wallet address to receive cryptocurrency, and an automated bot generates a unique client ID. Attack participants link this ID to their cryptocurrency wallet, earning money for participating in DDoS attacks, with the payment being proportional to their attack contribution.

Screenshot depicting an October 11, 2022, NoName Telegram post addressing “comrades” and announcing monetary rewards for their “most powerful DDoS fighters.” Volunteer “06434” has launched over half-a-billion “attacks.” [Source: Telegram]

Israel-Hamas Conflict: Cyber Army of Palestine

On October 7, 2023, in response to Hamas’ attacks on cities along the Gaza envelope, Israel declared a state of war and launched a military operation on the Gaza Strip. In the subsequent days, several Telegram channels emerged aiming to take prominent Israeli websites offline in response to Israel’s offensive. One such group, the “Cyber Army of Palestine” (hereinafter referred to as the “Cyber Army”), was established on October 14, 2023. 

Announcing their mission in Arabic, the Cyber Army declared their preparation for “strong cyberattacks on the technological infrastructure of the Zionist entity,” noting that “specialized teams are preparing the necessary tools and instructions to facilitate these attacks for everyone.” The Cyber Army embraced the increasingly popular tactic of crowdsourcing DDoS attacks, telling their followers that “anyone with a computer and internet access can participate in the initial campaign,” emphasizing that the planned attacks would be simple and straightforward, “requiring no expertise.” 

Recognizing the inexperience in cybersecurity among many of its thousands of new followers, the Cyber Army began its campaign by sharing infographics explaining essential terms deemed necessary for engaging in cyberattacks. Notably, these infographics and all subsequent ones bear the text logo “Tufan al-Aqsa” in the top left corner. “Tufan al-Aqsa” translates to “al-Aqsa Flood,” which is the title used by Hamas to designate its October 7th attack on Israel. This serves as a clear indicator of the Cyber Army’s support of Hamas.

Screenshots depicting three educational infographics shared by the Cyber Army. [Source: Telegram]

On October 18, 2023, the Cyber Army announced the release of the attack tool that enables their crowdsourced DDoS attacks (initially advertised for Windows and Linux; the Windows build is the one analyzed below). The tool was named after Hamas’ operation, with the Cyber Army writing on Telegram:

“A DDoS attack tool will be published shortly. The current version works on: Windows and Linux. 

The name of the attack tool is: Toffan [alternate spelling of “Tufan”] version one. The level of tool usage is for: beginners and professionals. 

Important notice for successful operations: The tool should continue operating for as long as possible. Use paid VPNs (if available). The attack should involve as many people as possible. If you own a cloud server, the attack will be more impactful. 

First target: Ten Israeli news websites and Dubai International Airport’s website [likely due to the UAE’s recent normalization deal with Israel].

We hope you disseminate this channel widely so it reaches all free people in all Arab countries. The larger the number, and from different locations, the more successful the attack will be.”

Screenshots depicting three infographics released by the Cyber Army with general installation and usage instructions for Toffan and an overview of the user interface. [Source: Telegram]

Screenshot depicting Toffan’s user interface. The red arrow points at “Current Target Loading.” The Cyber Army explains: “We control the pool of targets, automatically integrated into the tool. All you need to do is run the tool and keep the attack going as long as possible.” [Source: Flare]

The Cyber Army’s upcoming attacks are announced to participants via Telegram posts accompanied by infographics specifying the attack time. For example, a post on October 19, 2023, reads: “Alert to all the honorable people of the Arab world! The attack begins today at exactly 10:00 PM Mecca time. Be ready, all of you, to start simultaneously.” Another post on November 2, 2023, states: “Get ready for the next attack tonight at 8:00 PM al-Aqsa time. Everyone should disseminate and share this to ensure the attack is powerful and effective.” 

A list of Israeli website links, including news outlets, law firms, government agencies, and critical infrastructure services, typically follows these postings. Users do not have to copy these links at the coordinated attack time. Instead, target websites are automatically integrated into and updated by Toffan for ease of use, enabling seamless crowdsourced DDoSing.

Screenshots depicting a November 13, 2023, Telegram post by the Cyber Army: “Get ready with high enthusiasm for the next attack tonight at 9:00 PM Palestine time. Disseminate this widely so the attack is powerful and effective.” Attack times in various Arab countries are then listed. [Source: Telegram]

After downloading and extracting the password-protected archive from the Cyber Army’s Telegram channel, users set up the Toffan DDoS tool with a 184 MB EXE installer. The installer places the primary files of the tool into the per-user Programs folder, %LOCALAPPDATA%\Programs\Toffan (that is, C:\Users\<user>\AppData\Local\Programs\Toffan, the default install location for Electron applications packaged with electron-builder). Upon inspecting the folder’s contents and the application itself, it was evident that the tool is built with Electron, a platform for building desktop applications using web technologies such as HTML, CSS, and JavaScript. The source code, assets, and resources of an Electron application are packaged into a single file in the Atom Shell Archive (ASAR) format, a tar-like container that concatenates the files after a JSON header describing their names, sizes, and offsets; the contents are stored uncompressed, so strings are readily recoverable.

Unpacking Toffan’s ASAR file reveals its Electron application source code. Pretty-printing the minified and obfuscated .js files restores a readable code structure. It then becomes evident that the Toffan DDoS tool is not an entirely original creation. Analysis indicates that significant portions of the UAshield tool, developed by the Ukrainian IT Army, have been incorporated into Toffan.
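The unpacking step described above, as an added example that is not Flare’s tooling or any code from Toffan or UAshield. The script builds a tiny ASAR archive in memory from constructed sample files (so it runs offline), parses it back using the documented ASAR layout (an 8-byte size pickle, a pickled JSON header, then the raw file bytes), and scans the recovered JavaScript for the kinds of indicators the report relies on: hard-coded Windows user paths, locale codes, and leftover domains. The sample file contents, the domains, and the indicator patterns are assumptions made for the example; only the `ar-YE` locale and the idea of a leftover desktop path come from the report.

```python
import json
import re
import struct


def _pickle_string(payload: bytes) -> bytes:
    """Encode bytes like Electron's Pickle.writeString: a 4-byte LE length,
    the bytes padded to a 4-byte boundary, all prefixed by the pickle size."""
    body = struct.pack("<I", len(payload)) + payload
    body += b"\0" * (-len(body) % 4)
    return struct.pack("<I", len(body)) + body


def pack_asar(files: dict[str, bytes]) -> bytes:
    """Build a minimal ASAR (top-level files only). File offsets in the JSON
    header are strings and are relative to the first byte after the header."""
    header = {"files": {}}
    blobs, offset = [], 0
    for name, data in files.items():
        header["files"][name] = {"size": len(data), "offset": str(offset)}
        blobs.append(data)
        offset += len(data)
    header_buf = _pickle_string(json.dumps(header).encode())
    # Pickle.writeUInt32(header_buf.length): [4][header_buf_len]
    return struct.pack("<II", 4, len(header_buf)) + header_buf + b"".join(blobs)


def unpack_asar(blob: bytes) -> dict[str, bytes]:
    """Parse an ASAR: [4][header_buf_len][payload_len][json_len][json...][files]."""
    _, header_buf_len = struct.unpack_from("<II", blob, 0)
    _, json_len = struct.unpack_from("<II", blob, 8)
    header = json.loads(blob[16:16 + json_len])
    base = 8 + header_buf_len  # first byte of file data
    out = {}

    def walk(node, prefix):
        for name, entry in node["files"].items():
            path = f"{prefix}/{name}" if prefix else name
            if "files" in entry:            # directory entry
                walk(entry, path)
            elif entry.get("unpacked"):     # stored beside the archive (app.asar.unpacked)
                continue
            else:
                start = base + int(entry["offset"])
                out[path] = blob[start:start + entry["size"]]

    walk(header, "")
    return out


# Indicator patterns an analyst might run over the recovered sources (assumed).
INDICATORS = {
    "windows_path": re.compile(r"[A-Za-z]:[\\/]Users[^\s'\"]*"),
    "locale": re.compile(r"\b[a-z]{2}-[A-Z]{2}\b"),
    "domain": re.compile(r"\b[\w.-]+\.(?:ru|il|by)\b"),
}


def scan_sources(files: dict[str, bytes]) -> dict[str, set[str]]:
    """Collect indicator hits across the JavaScript/JSON files of an unpacked app."""
    hits = {kind: set() for kind in INDICATORS}
    for name, data in files.items():
        if not name.endswith((".js", ".mjs", ".json")):
            continue
        text = data.decode("utf-8", "replace")
        for kind, rx in INDICATORS.items():
            hits[kind].update(rx.findall(text))
    return hits


# Constructed sample "application" standing in for a real unpacked build.
SAMPLE_FILES = {
    "package.json": b'{"name":"sample-app","main":"main.js"}',
    "main.js": (b"const shim='C:/Users/dev/Desktop/work/proj/node_modules/x/esm.mjs';\n"
                b"app.commandLine.appendSwitch('lang','ar-YE');\n"),
    "targets.js": b"const legacy=['static.example-news.ru','portal.example.il'];\n",
}

if __name__ == "__main__":
    recovered = unpack_asar(pack_asar(SAMPLE_FILES))
    for kind, values in scan_sources(recovered).items():
        print(kind, sorted(values))
```

Against a real build, the `asar extract app.asar out/` command from the @electron/asar package performs the same unpacking; the parser here exists so the header layout is visible. Real archives may also contain `link` (symlink) and `integrity` fields, which this minimal reader ignores.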

In Toffan, several code segments are identical to those in UAshield, and others are very similar with slight differences. Toffan’s author renamed variables and classes into more generic or less meaningful names, and restructured the code’s flow without altering the tool’s functionality, likely a result of automated obfuscation. There are even spelling mistakes in variable names that are identical, as seen below.

Screenshots depicting UAshield’s (top) and Toffan’s code (bottom). Both serve the same purpose: altering the “executor planning strategy” based on an input parameter, and they share the same spelling errors, rendering “strategy” as “startegy” and “planning” as “planing.” [Source: Flare]

The author of Toffan’s code (top) did not remove several Russian domains originally hard-coded in UAshield (bottom). Only the variable name was changed, likely due to automated obfuscation. [Source: Flare]
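The provenance technique behind the two screenshots above, as an added example (not the report’s tooling, and the snippets are not the real UAshield or Toffan sources): automated renaming only touches the identifiers the obfuscator chose to rename, so any identifier that survives in both code bases and is not an English word, such as the shared “planing”/“startegy” misspellings, is a strong fingerprint of copied code. The JavaScript snippets, the small vocabulary, and the noise-word list are constructed for the example; a real run would use a dictionary file as the vocabulary.

```python
import re

IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
# Tokens present in nearly any JavaScript file; they carry no authorship signal.
JS_NOISE = {"const", "let", "var", "function", "return", "if", "else", "for",
            "while", "new", "this", "true", "false", "null", "undefined",
            "class", "import", "export", "from", "async", "await", "of", "in",
            "typeof", "console", "log", "default", "require", "module", "exports"}


def identifiers(src: str) -> set[str]:
    """Identifiers worth comparing: not keywords, not one- or two-letter names."""
    return {t for t in IDENT.findall(src) if t not in JS_NOISE and len(t) > 2}


def camel_words(ident: str) -> list[str]:
    """Split camelCase (and ALLCAPS runs) into lowercase words."""
    return [w.lower() for w in re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])", ident)]


def shared_fingerprints(src_a: str, src_b: str, vocabulary: set[str]) -> dict[str, list[str]]:
    """Identifiers present in both sources that contain at least one word not in
    the vocabulary (misspellings, private jargon), mapped to those odd words."""
    common = identifiers(src_a) & identifiers(src_b)
    result = {}
    for ident in common:
        odd = [w for w in camel_words(ident) if w not in vocabulary]
        if odd:
            result[ident] = odd
    return result


def jaccard(src_a: str, src_b: str) -> float:
    """Plain identifier overlap; low after renaming, which is why the
    fingerprint set above is the more useful signal."""
    a, b = identifiers(src_a), identifiers(src_b)
    return len(a & b) / len(a | b) if a | b else 0.0


# Constructed stand-ins: an "original" and a renamed copy that kept two names.
ORIGINAL = """
class AttackPlanner {
  setPlaningStartegy(startegy) { this.planingStartegy = startegy; }
  getTargets() { return fetchTargets(this.feedUrl); }
}
"""
RENAMED = """
class a1 {
  setPlaningStartegy(b2) { this.planingStartegy = b2; }
  x7() { return q(this.k); }
}
"""
# Tiny stand-in for an English dictionary (assumption for the example).
VOCAB = {"set", "get", "planning", "strategy", "targets", "feed", "url",
         "attack", "planner", "fetch"}

if __name__ == "__main__":
    print("identifier overlap:", round(jaccard(ORIGINAL, RENAMED), 3))
    for ident, odd in shared_fingerprints(ORIGINAL, RENAMED, VOCAB).items():
        print("shared, misspelled:", ident, odd)
```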

UAshield offers users a ranking system based on the number of “successful attacks” that DDoS participants perform. As seen in UAshield’s code, the ranks are structured into levels from 0 to 24, and each level is associated with a specific rank name. Users ascend through the levels based on their contributions to DDoS attacks on IT Army targets. For example, Level 3 is “Potato man,” Level 8 is “Pickled cucumber jar,” Level 14 is President “Joe Biden,” Level 23 is “Valerii Zaluzhnyi” (Ukraine’s Commander-in-Chief), and the highest Level 24 is “Volodymyr Zelenskyy” (Ukraine’s President).

In yet another display of the Cyber Army’s ideology, Toffan replaces this Ukrainian-made list and provides rankings from levels 0 to 24, featuring names of predominantly former senior Hamas members. For instance, Level 12 is designated as “Yahya Ayyash,” a Hamas bomb maker known as “The Engineer.” Level 17 corresponds to “Mahmoud Al-Mabhouh,” a senior Hamas military commander assassinated in Dubai in 2010. Level 23 is “Ahmed Yassin,” the founder and spiritual leader of Hamas, killed in an Israeli airstrike in 2004. The highest-performing DDoS attack participant at Level 24 is awarded the rank of “Izz al-Din al-Qassam,” the name of an Arab nationalist and Islamic militant leader from the 1930s. The rank “Izz al-Din al-Qassam” serves as a reference to the military wing of Hamas, known as the Izz al-Din al-Qassam Brigades.

In addition, the author of Toffan did not remove a hard-coded file path from their code, revealing that the DDoS tool’s development environment was located within a folder titled “qassam” on Toffan’s author’s desktop, another reference to the Izz al-Din al-Qassam Brigades. The hard-coded file path as seen in the unpacked Electron application’s source code is:

“C:/Users/Virtual/Desktop/work/qassam/node_modules/yargs/lib/platform-shims/esm.mjs”

It is notable that in Toffan’s source code, the Arabic language is configured multiple times across different code files with the locale code “ar-YE,” which denotes Arabic as used in Yemen. Arabic applications typically use the locale code “ar” or “ar-SA” (Saudi Arabia) for Modern Standard Arabic (MSA), which is understood across the Arab world. Although this is not definitive evidence linking Toffan’s author to a specific nationality, it raises the question of why Toffan was configured specifically with the Yemeni Arabic locale code. No other Arabic locale code exists in the analyzed Electron application source code.

Further analysis of Toffan’s code indicates that in version 1, targets were automatically pulled from the GitHub profile “@trynothing09,” now inactive and not captured by web archives, before attacks were carried out. In version 2, the tool pulled targets from the profile “@KareemAdem,” also inactive and not captured by web archives. In the latest version of Toffan as of late December 2023, the tool pulls targets from the active profile “@hw746159.” 

Displayed below are partial screenshots of the original and decoded versions of the “0.json” file on the “@hw746159” profile. This file contains 14 base64-encoded .il (Israel) websites, pulled by Toffan at coordinated attack times, and subsequently flooded by Cyber Army volunteers with HTTP GET requests. These websites span various industries such as banking, government, telecommunications, intelligence, media and news, and investment.

Partial screenshots displaying the original (top) and base64-decoded (bottom) “0.json” file on the active GitHub profile of “@hw746159,” featuring targeted Israeli websites. [Source: Flare]
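The defensive counterpart to the target feed described above, as an added example (not Flare’s code and not Toffan’s): a monitor that decodes a base64-encoded target list and alerts when any entry belongs to a domain the defender owns, which is the “announced in advance” opportunity the report’s conclusion points to. The exact layout of the real “0.json” is not reproduced here; the feed below is constructed as a JSON array of base64 strings, the domains are fictitious, and the watchlist is an assumption. Malformed entries are skipped rather than allowed to crash the monitor, and the domain match is anchored on a dot so that “notexample-gov.il” does not match “example-gov.il”.

```python
import base64
import binascii
import json
from urllib.parse import urlsplit


def decode_target_feed(raw: str) -> list[str]:
    """Decode a JSON array of base64-encoded URLs (assumed feed layout).
    Entries that are not valid base64, not UTF-8, or not http(s) URLs are dropped."""
    urls = []
    for item in json.loads(raw):
        try:
            text = base64.b64decode(item, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if urlsplit(text).scheme in ("http", "https"):
            urls.append(text)
    return urls


def hostname(url: str) -> str:
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def matches_watchlist(host: str, watchlist: set[str]) -> bool:
    """True if host equals a watched domain or is a subdomain of one."""
    return any(host == w or host.endswith("." + w) for w in watchlist)


def check_feed(raw: str, watchlist: set[str]) -> list[str]:
    """URLs in the feed that target a watched domain, sorted for stable alerts."""
    watch = {w.lower() for w in watchlist}
    return sorted({u for u in decode_target_feed(raw) if matches_watchlist(hostname(u), watch)})


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed feed: three valid targets, one junk entry, one decodable non-URL.
SAMPLE_FEED = json.dumps([
    _b64("https://www.example-bank.co.il/login"),
    _b64("https://portal.example-gov.il/"),
    _b64("https://news.example.com/"),
    "!!not-base64!!",
    _b64("garbage-without-a-scheme"),
])

# Domains the hypothetical defender owns.
WATCHLIST = {"example-bank.co.il", "example-gov.il"}

if __name__ == "__main__":
    for url in check_feed(SAMPLE_FEED, WATCHLIST):
        print("ALERT: our asset appears in an announced target list:", url)
```

In production the feed would be fetched on a schedule and diffed against the previous run, so that each new appearance of an owned domain raises one alert rather than repeating on every poll.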

Screenshot depicting Toffan during a French-speaking participant’s attack on Israel’s Ministry of Health website. This user has sent over 4 million GET requests with Toffan. [Source: Flare]

The Cyber Army also offers an APK for Android users to participate in their DDoS attacks. Basic analysis of the Android application indicates that, like the Toffan tool for Windows, the APK is recycled and not custom-built from scratch. The original application appears to be the “DDoSPacket” tool for Android written by “@blueskychan-dev,” who mentions on their GitHub profile: “I make this app since i’m 12 years old and going register to middle school.”

With thousands of Telegram followers, and a simple model of crowdsourcing DDoS attacks against Israeli websites, the Cyber Army typically achieves successful attack results just minutes after the announced attack times. Below are sample screenshots posted by the Cyber Army, from Check-Host, a website that offers tools for checking the status of hosts and websites. Many other DDoS groups, including the IT Army and NoName, have previously used Check-Host to demonstrate proof of their attacks and the temporary unavailability of targeted websites.

Screenshots depicting the temporary unavailability of the websites for Israel’s Mossad intelligence agency, Israel’s Space Agency, and Israel’s Police, following Cyber Army attacks. [Source: Telegram]

Conclusion

The rise of crowdsourced DDoS attacks marks an evolution in cybercrime, with geopolitical tensions serving as a catalyst for new threat actors. As seen during the ongoing Russia-Ukraine and Israel-Hamas conflicts, groups like the IT Army of Ukraine, NoName057(16), and the Cyber Army of Palestine capitalize on these events to launch disruptive attacks on large businesses and government entities across the world. These attacks, once the domain of well-resourced malicious actors, now also involve under-resourced novices using readily available open-source tools, and a community of enough people sympathetic to a particular political ideology or cause. The consequences of such attacks go beyond simple disruptions to a website’s homepage, with rookies now having the potential ability to impact essential services like hospital portals.

It is important to highlight how these threat actors, like many others involved in DDoS attacks, often announce their targets well in advance. This provides organizations an opportunity for advance preparation by monitoring these discussions in real-time, gaining insights for proactive defense. Post-attack, this monitoring assists in attributing incidents to specific actors and a better understanding of the organization’s cybersecurity landscape in terms of particular threats it faces. Given the dynamic nature of geopolitics and the ease of accessing DDoS tools and amassing a community of cybercrime volunteers, continuous surveillance across the clear, deep, and dark web, including illicit Telegram channels, is crucial for early threat detection.

About Flare

Flare is the proactive Threat Exposure Management (TEM) solution that monitors threat actor activities across the clear & dark web and illicit Telegram channels 24/7. 

With customized alerts, Flare enables security teams to discover unknown events, automatically prioritize risks, and respond to actionable intelligence. Identify and respond to information relevant to your organization within cybercrime communities in real-time. 

Want to learn more about better protecting your digital assets with Flare? 


The post Crowdsourced DDoS Attacks Amid Geopolitical Events appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

The Cybercrime Ecosystem and U.S. Healthcare in 2023 https://flare.io/learn/resources/the-cybercrime-ecosystem-and-u-s-healthcare-in-2023/ Mon, 20 Nov 2023 18:26:26 +0000

By: Eric Clay, Security Researcher


Introduction: Analyzing Cybercrime Targeting the Healthcare Sector

The cybercrime ecosystem continues to reach new heights of organization, coordination, and sophistication. Every year, cybercriminals develop and use new tools, which are increasingly commoditized and sold in as-a-service business models. The rapid advancement in cybercrime poses significant challenges for healthcare cybersecurity professionals. 

Healthcare is also one of the most targeted sectors by threat actors. Patient data fetches a premium on the dark web due to its potential use in medical fraud, creating a lucrative target for criminals. In addition, many healthcare organizations may be under additional pressure to pay ransoms in order to maintain the availability of mission-critical systems. 

This report will examine the impact of cybercrime on the healthcare sector. We will leverage more than:

  • seven years of archived data from Tor
  • 21 million stealer logs
  • thousands of posts on top-tier dark web forums 

to better understand how cybercriminals are targeting healthcare and how the threat landscape is shifting for healthcare organizations. 

Section I: Stealer Logs, SSO, and the Emerging Threat to Healthcare will focus on infostealer malware infections and healthcare organizations. We’ll cover the infostealer lifecycle, stealer logs, and single sign-on credentials before finally analyzing stealer log data from more than 800 healthcare organizations. 

Section II: Initial Access Brokers, the Dark Web Hacking Economy, and Healthcare will focus on initial access brokers selling privileged access to healthcare organizations on dark web forums. 

Section III: Healthcare and Ransomware: Key Trends 2022 and 2023 will cover key trends involving ransomware and healthcare.

The CISO’s Perspective on Cybercrime Risk

Ransomware attacks against healthcare organizations have increased by more than 100% at an annualized rate in 2023. This growth is occurring against the backdrop of an increasingly sophisticated cybercrime ecosystem, with more than 50 ransomware groups operating. 

Infostealer malware is resulting in hundreds of thousands of corporate credentials being distributed on the dark web and Telegram, with an estimated 20% of healthcare organizations affected in the past 6 months. We rate it as highly likely that stealer logs are one of the key drivers of the increase in ransomware attacks. Implementing a continuous threat exposure management platform to automatically detect and remediate high-risk exposure is an essential step in creating a secure environment. 

Cybercrime & Healthcare: Major Statistics

  • 19.4% of healthcare organizations have had leaked credentials containing corporate access distributed on the dark web and Telegram in the past six months. In many cases, these credentials enabled access to essential services, including secure email, single sign-on environments, active directory, patient records, and even surgery centers. 
  • Initial access brokers have sold privileged IT access to six healthcare organizations in the past 12 months. Access to three pharmaceutical companies, two undefined healthcare organizations, and a large medical device manufacturer was sold during this time. Threat actors most commonly sell domain admin privileges with VPN or RDP access.
  • Stealer logs containing access to corporate single-sign-on applications are a significant and growing risk. Flare identified more than 300,000 credentials to corporate SSO applications in a data set of more than 21 million logs. 
  • Ransomware attacks against healthcare organizations are up 144% on an annualized basis in 2023, representing a significant and rapid expansion in data extortion ransomware tactics. 

Section I: Stealer Logs, SSO, and the Emerging Threat to Healthcare

Stealer logs represent one of the highest-risk exposure vectors for organizations today. Infostealer malware infects a computer and extracts the browser fingerprint along with all of the passwords saved in the browser and any active session cookies. Threat actors then package thousands of individual logs together into “log files,” which are distributed across public and private paid illicit Telegram channels.

Key Findings on Stealer Logs and Healthcare

  • 19.4% of healthcare organizations surveyed had an infostealer infection with access to corporate credentials in the past 6 months. 9.6% of organizations had two or more stealer logs with unique corporate access posted. 
  • Access found in the logs included credentials and session cookies to ADFS, SSO Applications, Citrix, VPN, RDP, and dozens of other internal resources.
  • We rate it as highly likely that stealer logs with access to corporate environments are a primary vector for ransomware groups and initial access brokers.

These findings were particularly alarming due to the dramatic increase we are seeing in ransomware and cybercrime year over year. Creating an efficient internal solution for the rapid detection and remediation of stealer logs with corporate access is likely one of the highest ROI activities a security team can undertake in 2023.

These findings also closely parallel results from a research report we did several months ago, in which we found thousands of corporate credentials in a stealer log sample of 21,000,000. 

Threat actor advertises for Atomic Malware 

Public Telegram Channels

Threat actors share hundreds of thousands of new logs in public channels every week, containing millions of unique credential pairs. (Each log contains all of the credentials saved on a single host.) Threat actors post these logs directly to public Telegram in order to “advertise” private paid rooms. 

Private Telegram Channels

In private paid-access Telegram channels, threat actors offer exclusive access to more extensive and valuable logs containing a higher volume of logs with access to corporate IT environments. These channels often require a subscription fee or membership, attracting individuals who are willing to pay for more targeted and specialized information. 

Threat actor on Telegram advertises two forms of accessing RedLine stealer malware

Russian Market

Russian Market operates as a dark web marketplace with automated purchasing and listing of logs. Threat actors can browse for logs with specific credentials and purchase a log that looks promising for as little as $10. 

Most infostealer malware infections are targeted at individuals rather than companies. Infostealers are primarily distributed through cracked software, malvertising, and phishing. Threat actors are looking for easy ways to steal banking credentials, saved credit card numbers, VPN accounts, Netflix accounts, and other easily accessible SaaS applications. 

However, in many cases, threat actors end up picking up corporate credentials as part of their distribution, and these can be extremely high-risk. To better understand the presence of corporate healthcare credentials in stealer logs, we manually sorted through stealer logs with access to almost 1,000 healthcare organizations to identify logs that likely contain corporate access.

Urgent Recommendations for Healthcare Organizations

We recommend that healthcare organizations adopt the following policies and measures immediately.

  • Monitor Russian Market and Telegram for stealer logs that may contain access to corporate IT environments and SaaS applications. 
  • Place significant restrictions on BYOD policies.
  • Utilize a password manager and create a policy against saving credential sets in the browser.
  • Reduce the TTL of session cookies for corporate applications so that a cookie captured in a stealer log expires before it can be replayed to bypass the 2FA controls in place. 

Section II: Initial Access Brokers, the Dark Web Hacking Economy, and Healthcare

Initial access brokers specialize in gaining and selling access to corporate IT environments. They operate across multiple dark web forums, including Exploit, XSS, Ramp, and Breach Forums, and list corporate IT access in auction-style format. 

These brokers play a significant role in the dark web hacking economy by facilitating unauthorized access to sensitive information. The healthcare industry is particularly vulnerable to these attacks, as healthcare companies hold valuable patient data that can be exploited for financial gain. 

Key Findings about Initial Access Brokers

  • Across a limited sample size of access broker posts, we found access to six healthcare organizations being sold in the past six months. 
  • Access was sold to three pharmaceutical companies, two undefined healthcare companies, and one medical practice organization.
  • RDP and VPN access are the most common types of access sold, with domain admin being the most common level of access.
  • The U.S. was the most targeted country, with 36% of IAB posts containing access to U.S. companies. 
  • We rate it as highly likely that IAB access is routinely used by ransomware groups.

The Anatomy of an Initial Access Broker Post

Many initial access broker posts follow an extremely similar format, creating a consistent set of features that we can measure to better understand the IAB economy. 

  • Access Type/Тип доступа: Describes the type of access obtained, most commonly RDP or VPN access.
  • Activity/Деятельность: Describes the industry or activity of the victim company. Finance, Retail, and Manufacturing are the three most common targets.
  • Rights/Права: Describes the level of privileges obtained.
  • Revenue: Describes the revenue of the victim company, often obtained from U.S.-based data providers publicly available online. 
  • Host Online: Often describes the number of hosts from the victim and sometimes includes antivirus and security systems in place. 
  • Start: The starting price of the auction.
  • Step: The bid increments. 
  • Blitz: The buy-it-now price.
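Because IAB listings follow such a consistent format, a CTI team can turn them into structured records and measure them (access type, rights, price, and the "no backup" indicator the report discusses). The following is an added example written for this report, not Flare's own tooling; the three listings it parses are constructed placeholders that use the field labels described above, and the money normalisation and label mapping are assumptions about how such posts are written.

```python
"""Turn initial access broker (IAB) listings into measurable records.

Added example for this report; it is not Flare's tooling. The listings
below are constructed for illustration: the field labels are the ones the
report describes, every value is a placeholder.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from statistics import median
from typing import Optional

# English and Russian labels seen in listings, mapped onto one field name.
LABELS = {
    "access type": "access_type", "тип доступа": "access_type",
    "activity": "activity", "деятельность": "activity",
    "rights": "rights", "права": "rights",
    "revenue": "revenue",
    "host online": "hosts_online",
    "start": "start", "step": "step", "blitz": "blitz",
}
_MONEY = re.compile(r"\$?\s*([\d.,]+)\s*([kKmM]?)")
_NO_BACKUP = re.compile(r"\bno\s+backups?\b", re.IGNORECASE)

SAMPLE_POSTS = [
    # Constructed listing with bilingual labels and a "no backup" remark.
    "Access Type/Тип доступа: RDP\n"
    "Activity/Деятельность: Healthcare\n"
    "Rights/Права: Domain admin\n"
    "Revenue: $45M\n"
    "Host Online: 350, AV: placeholder-av\n"
    "Start: $1,500\nStep: $200\nBlitz: $4,000\n"
    "Note: no backup servers",
    # Constructed listing with Russian-only labels.
    "Тип доступа: VPN\nДеятельность: Manufacturing\nПрава: User\n"
    "Revenue: 120M\nHost Online: 1200\nStart: 2k\nStep: 500\nBlitz: 6k",
    # Constructed listing with English-only labels.
    "Access Type: RDP\nActivity: Finance\nRights: Local admin\n"
    "Revenue: $800k\nHost Online: 40\nStart: $500\nStep: $100\nBlitz: $1,200",
]


@dataclass
class IABListing:
    access_type: Optional[str] = None
    activity: Optional[str] = None
    rights: Optional[str] = None
    revenue: Optional[int] = None        # USD, normalised from "$45M" etc.
    hosts_online: Optional[int] = None
    start: Optional[int] = None
    step: Optional[int] = None
    blitz: Optional[int] = None
    mentions_no_backups: bool = False    # indicator discussed in the report
    raw: dict = field(default_factory=dict)


def parse_money(text: str) -> Optional[int]:
    """'$45M' -> 45000000, '1,500' -> 1500, '2k' -> 2000, no digits -> None."""
    m = _MONEY.search(text)
    if not m:
        return None
    value = float(m.group(1).replace(",", ""))
    mult = {"k": 1_000, "m": 1_000_000}.get(m.group(2).lower(), 1)
    return int(value * mult)


def parse_listing(post: str) -> IABListing:
    """Extract labelled fields from one listing; unknown labels are ignored."""
    listing = IABListing(mentions_no_backups=bool(_NO_BACKUP.search(post)))
    for line in post.splitlines():
        if ":" not in line:
            continue
        label, value = line.split(":", 1)
        # A label may carry both languages ("Rights/Права"); try each part.
        key = next((LABELS[p.strip().lower()] for p in label.split("/")
                    if p.strip().lower() in LABELS), None)
        if key is None:
            continue
        value = value.strip()
        listing.raw[key] = value
        if key in ("revenue", "start", "step", "blitz"):
            setattr(listing, key, parse_money(value))
        elif key == "hosts_online":
            digits = re.search(r"\d+", value)
            listing.hosts_online = int(digits.group()) if digits else None
        else:
            setattr(listing, key, value)
    return listing


def summarize(listings: list) -> dict:
    """Aggregate the features that make IAB posts measurable."""
    blitz = [item.blitz for item in listings if item.blitz is not None]
    return {
        "access_types": Counter(i.access_type for i in listings if i.access_type),
        "rights": Counter(i.rights for i in listings if i.rights),
        "activities": Counter(i.activity for i in listings if i.activity),
        "no_backup_listings": sum(i.mentions_no_backups for i in listings),
        "median_blitz_usd": median(blitz) if blitz else None,
    }


if __name__ == "__main__":
    print(summarize([parse_listing(p) for p in SAMPLE_POSTS]))
```

Over real data the same record shape lets a team track how often domain-admin rights, a given sector, or the "no backup" remark appear over time, which is what makes the trend claims in this section testable.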

IAB post advertising RDP access for a U.S.-based organization

We rate it as highly likely that ransomware groups are using initial access broker posts as a key method for gaining access to, and persistence in, corporate healthcare IT systems. We’ve seen many examples like the one pictured on the right, where threat actors have specifically called out the absence or compromise of backup and recovery systems in initial access broker posts.

This is a telling indicator that the access broker likely expects the access being sold to be used for data encryption ransomware attacks.  

IAB post advertises RDP access to an organization along with financial documentation 

Section III: Healthcare and Ransomware: Key Trends 2022 and 2023

Ransomware has been a scourge for healthcare organizations in recent years, but the past 12 months have seen a particularly precipitous increase. To measure the number of ransomware victims, we chose to focus on victims that had their data published from January 1, 2022 to the end of June 2023.

What is Data Extortion Ransomware? 

Data extortion ransomware is a recent innovation in which the ransomware group exfiltrates data and demands a ransom. These ransomware attacks involve threats of publishing or selling the stolen data if the ransom is not paid. This tactic adds an additional layer of pressure on victims, particularly in industries like healthcare where sensitive patient information is at stake. If the victim doesn’t pay, their files are leaked on dedicated ransomware blogs. 

Key Findings about Ransomware and Healthcare Organizations

  • Ransomware attacks against healthcare organizations increased at an annualized rate of 144% from 2022 to 2023.
  • Lockbit and Cl0p continue to be two of the most prolific groups through the end of June 2023.
  • Some ransomware groups claim that they won’t attack healthcare organizations out of principle, although the existence of affiliates makes it challenging to abide by this in practice.

In our analysis of ransomware attacks against healthcare organizations for the years 2022 and the first half of 2023, specific ransomware groups have been identified as particularly active. These groups not only disrupt healthcare services but also put patient data at risk. The top five ransomware groups most responsible for these attacks are: 

  • LockBit: With 27 documented attacks, LockBit stands out as the most active group targeting healthcare organizations. The group is known for its sophisticated attack techniques and has been a significant threat to healthcare providers.
  • CL0P Leaks: Accountable for 10 attacks, CL0P Leaks is another group that has focused its efforts on healthcare entities. Their attacks often involve leaking sensitive information if the ransom is not paid.
  • Royal: Royal has been involved in eight attacks against healthcare organizations. Their modus operandi typically includes encrypting critical files and demanding a ransom for the decryption keys.
  • ALPHV: This group has executed seven attacks against healthcare organizations. ALPHV often exploits vulnerabilities in healthcare systems to deploy their ransomware.
  • Karakurt: Also responsible for seven attacks, Karakurt is known for its targeted approach. They often use spear-phishing campaigns to gain initial access to healthcare networks.

Group Variance and the Ethics of Ransomware

Data extortion ransomware continues to be a significant challenge for healthcare organizations in 2023. One of the most interesting aspects of doing research on ransomware groups is just how much they vary in their approaches. For example, the group CL0P claims that they don’t target healthcare organizations and charities out of a sense of ethical obligation.

Post from CL0P that states they will not and have not attacked hospitals, orphanages, nursing homes, and charitable foundations

Other groups such as BianLian make absolutely no distinction between victims and have been known to directly target children’s hospitals, medical clinics and other critical infrastructure. 

In some examples we’ve seen ransomware groups describe themselves as “pentesters,” “ethical hackers” and their activities as “pentesting after the fact” in an effort to create a veneer of respectability and ethical consideration to their activities.

Cybercrime and Healthcare: Conclusions from Analysis

Healthcare is one of the most at-risk industries from threat actors. Malicious actors have enormous motivation to target healthcare companies given the wealth of data that they hold and the value of that data. In many cases healthcare companies may be incentivized to pay ransoms and deal with cybercriminals rather than accept weeks of downtime or loss and exposure of sensitive patient data.

The trends are clear: infostealer infections that capture SSO credentials for healthcare organizations are a significant threat vector, and at the same time ransomware groups and initial access brokers specifically target healthcare. Worryingly, all signs point to these trends continuing to worsen in 2024.

Continuous Threat Exposure Management as an Opportunity

Implementing robust external monitoring can help mitigate a significant degree of risk. Continuous threat exposure management represents an opportunity for organizations to proactively detect and remediate high-risk exposure that leaves them vulnerable to threat actors. 

Preventing infostealer malware infections is a key part of the battle, but building and integrating a security program focused on the principle of defense in depth is even more important. Organizations that build comprehensive approaches to prevent large scale loss of confidentiality, integrity, or availability will find the most success in risk mitigation. 

About Flare

Flare is the proactive Continuous Threat Exposure Management (CTEM) solution for organizations. Our AI-driven technology constantly scans the online world, including the clear & dark web, to discover unknown events, automatically prioritize risks, and deliver actionable intelligence you can use instantly to improve security. Our solution integrates into your security program in 30 minutes to provide your team with actionable intelligence and automated remediation for threats across the clear & dark web.


Report – Data Extortion Ransomware & The Cybercrime Supply Chain: Key Trends in 2023 https://flare.io/learn/resources/data-extorsion-ransomware-the-cybercrime-supply-chain-key-trends-in-2023/ Tue, 26 Sep 2023 13:16:04 +0000

In the past few years, threat actors have escalated ransomware from not only jeopardizing the availability of data, but also its confidentiality.

This report will delve into the growing trend of data extortion in ransomware, analyzing data from numerous such attacks to understand changing trends, major threat actors, and affected industries. We aim to equip CTI teams, red teams, blue teams, and security leadership with evidence-driven strategies to better understand ransomware readiness and combat this threat.

Introduction

In 2019, the nature of ransomware fundamentally changed. Ransomware operators are traditionally associated with denying the availability of IT infrastructure by encrypting systems and then extorting the victim. 2019 saw the advent of a new tactic: the ransomware group Maze began stealing data prior to encryption and then blackmailing victims by threatening to release sensitive data and files, jeopardizing both the confidentiality and the availability of data. 

This Flare research report will focus on a new and potentially dangerous trend: the rapid adoption of data extortion tactics by ransomware groups and affiliates. To do this, we will begin by examining how ransomware groups operate within the framework of the broader cybercrime ecosystem. We will then carefully review data from thousands of double and triple extortion ransomware attacks to answer key questions, including how trends around data extortion attacks are changing over time, which groups represent the most significant threat, and which industries are most affected. Finally, we will provide concrete, evidence-based recommendations for cyber threat intelligence (CTI) teams, red teams, blue teams, and security leadership. 

This report will be split into three sections, each designed to contextualize and help security teams better understand the threat from ransomware groups and affiliates.

SalesIntel provided data to better understand victims in this report.

Section 1 focuses on the role of ransomware groups and affiliates in the broader cybercrime ecosystem. This section will examine evidence of how ransomware groups gain initial access to systems, what they do with that access, and the anatomy of an attack.

Section 2 provides a detailed analysis of data collected from more than 3,000 ransomware leaks to examine key trends related to ransomware. 

Section 3 offers actionable, evidence-based recommendations for CISOs, CTI teams, and security operations teams on how to reduce the risk of ransomware.

Terms and Definitions

  • Data Extortion: Refers to a ransomware tactic in which the ransomware operator exfiltrates data and threatens to publish it if the ransom is not paid.
  • Double Extortion Ransomware: Refers to tactics in which two methods of extortion are used (for example, data extortion and encryption).
  • Triple Extortion Ransomware: Refers to ransomware events in which at least three separate extortion methods are used to try and force the victim to pay (for example, encryption, data extortion, and third-party notification).
  • Ransomware Group: Refers to an organized criminal group focused on ransomware creation, distribution, and extortion.
  • Ransomware Affiliate: Refers to an outside party that partners with a ransomware group and shares in potential profits.
  • Ransomware Blog: Refers to a website on Tor run by a ransomware group where victim data is published.
  • Dedicated Leak Site (DLS): Refers to a website/hidden service where the ransomware operators publish the stolen data. More advanced groups will usually maintain a blog and a DLS.

Executive Summary 

  • Ransomware attacks involving data extortion have increased at an annualized rate of more than 112% in 2023.
  • Manufacturing, Information Technology, and Professional Services are the most targeted industries. 
  • LockBit, Alphvm, CL0P, and BianLian remain the most active groups in 2023, with LockBit eclipsing all other groups by sheer number of ransomware extortion posts.
  • Ransomware groups are very likely using infostealer logs containing single sign-on (SSO) and active directory federation service (AD FS) credentials as a vector of attack. 
  • Ransomware groups continue to proliferate, with dozens of active groups, many with affiliate programs enabling the “democratization” of ransomware. 

Section 1: Ransomware Groups, Data Extortion, and Placing the Ransomware Economy in the Broader Cybercrime Ecosystem

It is impossible to understand how ransomware groups operate without understanding their role in the broader cybercrime ecosystem. Groups do not operate in a vacuum; instead, they are provided with initial access to corporate IT environments, credentials, and cookies for SSO applications, and ready-made infrastructure for distribution. We will examine each leg of the ransomware support infrastructure in turn.

Ransomware Groups and Ransomware Affiliates

Understanding the sharp distinction between ransomware groups and ransomware affiliates is necessary to contextualize their place in the broader cybercrime ecosystem. Ransomware groups are self-sufficient entities that take different organizational forms.

 

Ransomware group Karakurt’s recruitment page

In many cases, they are organized similarly to corporations, with clear hierarchies and role specializations. Some ransomware groups, such as Karakurt, operate entirely self-sufficiently, creating and distributing ransomware while also collecting ransoms.

However, other groups have developed a different business model. Groups such as LockBit operate affiliate programs in which the group provides the ransomware to outside contractors who manage gaining initial access and infecting systems. This allows the groups to leverage economies of scale and role specialization, infecting more victims and increasing payouts. It also de-risks the group; for example, even if nine affiliates fail to carry out a substantial attack, the group can still profit from the successful 10th. This strategy also allows the group itself to focus on code and ransomware feature sets.

Infostealers, Dark Web Marketplaces, and Paid Telegram Channels

Infostealer malware and stealer logs represent one of the most underappreciated risks in modern cybersecurity programs. Infostealer variants such as RedLine, Raccoon, Aurora, Vidar, Titan, and others infect victim computers mainly through cracked software downloads, malvertising, and phishing emails. They then proceed to exfiltrate data from the infected device, including the browser fingerprint, which includes all the credentials saved on the browser along with active session cookies, credit card information, and information about the host.

This information is then packaged into log files, which are distributed on dark web marketplaces and cybercrime Telegram channels. Stealer logs represent a potentially massive access vector for ransomware groups. They:

  • Are easily obtainable and given out freely on Telegram.
  • Often contain access to corporate SSO applications, Active Directory (AD) environments, and remote desktop protocol (RDP).
  • Represent a known vector that ransomware groups and affiliates have used to gain access to corporate IT systems. 

We have also seen substantial evidence of initial access brokers (IAB) operating on the dark web forums Exploit and XSS utilizing stealer logs to gain initial access to corporate environments which are later resold for ransomware.  

Key Fact: Flare’s researchers identified 196,970 instances of AD credentials and 53,292 corporate SSO credentials in a sample of more than twenty million unique stealer logs. These credentials were leaked due to users downloading infostealer malware onto their computers, which harvested AD and SSO credentials. AD environments represent a critical access point for ransomware threat actors. Many groups attempt to take over AD environments and de-privilege other administrators as a first step before exfiltrating files and beginning to encrypt documents.

Malware as a Service and Cybercrime Infrastructure Vendors

Phishing, spear-phishing, and leaked credentials continue to be among the most common ways that groups gain access to privileged systems. Malware as a service (MaaS) and Phishing as a Service (PaaS) vendors on the dark web provide all the infrastructure and malware necessary to gain initial access, without the need for the ransomware operator to code infostealer malware or ransomware themselves. These vendors offer a range of services, including exploit kits, remote access trojans (RATs), and botnets, allowing cybercriminals to easily launch sophisticated attacks. By leveraging these services, ransomware operators can quickly and efficiently infiltrate networks and escalate their privileges.

Initial Access Brokers and Obtaining Privileged Access

IABs likely represent another key vector for ransomware groups and affiliates. IABs operate on the dark web forums Exploit and XSS; they specialize in gaining initial access to corporate IT environments which is later resold in an auction style format.

IABs don’t post often, usually only one or two new listings per day. However, the listings are often high-quality and contain the exact type of access that ransomware operators need in order to compromise sensitive corporate networks and infrastructure. A typical post will include the number of hosts, the anti-virus used by the victim, the geography of the victim, and a “blitz” or buy-it-now price. 

IAB post advertises selling access to financial documentation and an organization’s network

Note the presence of “no backup servers” in the pictured initial access broker post. This likely indicates that the broker expects the access to be used for ransomware featuring encryption: backup and recovery exist specifically to preserve the availability leg of the CIA triad, which is exactly what an encryption attack targets. 

Tor Ransomware Blogs

Tor ransomware blogs are run by ransomware groups and used as a place to post updates to affiliates, advertise their affiliate programs, and, most importantly, post data leaks from victims who didn’t pay the ransom. Sites like LockBit’s blog create additional pressure for the victim by providing a countdown to the date on which the victim’s information will be leaked, creating time pressure and potentially alarming the victim’s third parties.

Ransomware blogs on Tor form a critical piece of ransomware group and affiliate infrastructure. Recently a few groups have tried posting leaked data on clear-web sites, but quickly ran into problems keeping data available on clear web sites due to rapid corporate takedowns.

Section 2: Ransomware, Data Extortion, and the Explosive Growth of Organized Cybercrime

To better understand the challenge that ransomware poses to companies in 2023, Flare analyzed ransomware publications from more than 18 months of data. We looked at data from more than 80 ransom blogs comprising thousands of events to understand how ransomware is changing in 2023 and identify key trends that can help us understand where it is heading.

Data Extortion Ransomware is Growing Rapidly

Ransomware Attacks by Month (from January 2022 to July 2023)

We begin our analysis by examining the dramatic increase in data extortion ransomware attacks in the past 12 months. After we account for the fact that our analysis runs to the end of July 2023, we find a 112% annualized increase in data extortion tactics in the past 18 months. 

The dramatic increase in attacks does not paint a full picture. Ransomware groups and victims are not distributed evenly. Next, we will look at which groups are responsible for the most attacks, and which sectors are responsible for the most victims.

For organizations that we had a sector for, Manufacturing is by far the most likely sector to be victimized. Interestingly, this result diverges significantly from our recent analysis of IABs, in which manufacturing was the fifth most common sector to be victimized in the past three months.

Number of Ransomware Attacks by Sector (from January 2022 to July 2023)

There are substantial differences in the industries that groups target. Manufacturing, Information Technology, and Professional and Consumer Services made the top of our list. 

  • Information Technology: 2021 and 2022 have seen a significant number of “supply chain” ransomware attacks in which MSSPs and SaaS companies with privileged access to customer environments were targeted and used as a method to distribute ransomware. 
  • Professional and Consumer Services: Professional services encompasses organizations such as law firms, accounting practices, consultants and other types of firms that hold large amounts of highly sensitive client data. These organizations have a substantial incentive to pay ransoms to avoid compromising client data. 
  • Finance and Insurance: Financial services organizations are the fourth most attacked industry in our data set. Financial services companies hold some of the most sensitive possible data on both business and individual customers. 

Next, we analyzed which groups (and affiliates) are responsible for the majority of attacks. Unsurprisingly, LockBit came out dramatically ahead of every other group, with more than 1,000 attacks over the time period studied. 

Number of Attacks by Ransomware Groups (January 2022-June 2023) 

LockBit Ransomware as a Service Group

LockBit emerged rapidly in late 2019, initially distributing ABCD ransomware before renaming themselves LockBit. They now have a notoriously ambitious affiliate program, nearly 100 affiliates working to compromise companies, and a highly functional ransomware blog where victim data can be easily published.

Lockbit’s ransomware as a service offering has an easy “point and click” UI, enabling threat actors of all levels to effectively leverage it for distribution. In 2022 the group accounted for more than 20% of ransomware attacks in some countries, with tens of millions of dollars in damages. 

LockBit’s Affiliate Rules webpage 

LockBit has been responsible for numerous high-profile attacks, including on the City of Oakland, Italian Revenue Service, and the UK Royal Mail, causing significant financial losses and reputational damage to their victims. Their advanced techniques include leveraging zero-day vulnerabilities and employing social engineering tactics to exploit human vulnerabilities within organizations. This constant evolution and adaptability have made LockBit one of the most formidable and elusive ransomware groups in the cybersecurity landscape.

Section 3: Blue Teaming Recommendations

Ransomware groups exploit three primary vectors to gain access to organizations:

  • Stolen Credentials
  • Vulnerabilities
  • Human Error

Stealer Logs and Leaked Credentials

Passwords in browser

Stolen credentials have long been considered a top vector for successful data breaches and ransomware attacks. However, their importance has only increased with the advent of a class of RAT dubbed infostealer malware. Infostealers infect computers and steal all of the credentials saved in the browser; these credentials are then distributed across the dark web and Telegram. In many cases they contain active session cookies, enabling threat actors to easily bypass 2FA and MFA controls. 

 

Active cookie sessions

In addition, traditional leaked credentials also pose a significant threat. In many cases individuals reuse passwords across multiple services. If those services suffer a data breach and the individual has used the same credentials for RDP, VPNs, and corporate SaaS applications, this can serve as an easy entry point for ransomware operators. Typically, once a group or affiliate has access to a network, they will attempt to move laterally to reach AD, at which point they de-privilege other users and begin stealing files. 

Best Practices

  • Ensure you have robust detection measures in place for stealer logs on Russian Market, Genesis Market, and public/private Telegram groups. 
  • Monitor for employees reusing passwords that have been breached and pay particular attention to employees that have reused the same password across multiple breaches.
  • Monitor for stealer logs that contain specific access to RDP, VPN, and SSO credentials that could lead to a compromise. 
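The best practices above, and the manual sorting of stealer logs for likely corporate access described in the healthcare section, both come down to the same triage: for each credential entry in a log, decide whether it points at a corporate resource (SSO, ADFS, VPN, RDP, Citrix), whether the same password is reused across personal and corporate services, and whether any captured session cookie for an SSO provider is still live. The following is an added example, not Flare's tooling or any vendor's product: the log format, the sample entries and the cookie records are constructed for illustration, and the corporate domains (`example.com`, `corp.example`), the SSO provider list and the host-name heuristics in `classify` are assumptions a real deployment would replace with its own inventory.

```python
"""Triage stealer-log credential entries for corporate access.

Added example; not Flare's tooling. The log format, sample data, corporate
domains and SSO provider list below are constructed placeholders.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

CORP_DOMAINS = {"example.com", "corp.example"}             # placeholder org domains
SSO_PROVIDERS = {"login.microsoftonline.com", "okta.com"}  # assumed identity providers

# Constructed sample: one infected host, four saved browser credentials.
SAMPLE_LOG = """\
URL: https://login.microsoftonline.com/
USER: j.doe@example.com
PASS: Winter2023!

URL: https://vpn.corp.example/remote/login
USER: jdoe
PASS: Winter2023!

URL: https://www.streaming.example.net/login
USER: j.doe@mail.example.net
PASS: Winter2023!

URL: https://shop.example.net/account
USER: j.doe@mail.example.net
PASS: hunter2
"""
# Constructed cookie jar entries: (domain, name, expires_epoch).
SAMPLE_COOKIES = [
    ("login.microsoftonline.com", "sessionid", 1_700_000_000),
    (".streaming.example.net", "sid", 1_600_000_000),
]


@dataclass(frozen=True)
class Credential:
    url: str
    user: str
    password: str

    @property
    def host(self) -> str:
        return (urlparse(self.url).hostname or "").lower()


def parse_entries(text: str) -> list:
    """Parse blank-line separated URL/USER/PASS blocks (constructed format)."""
    entries = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip().upper()] = value.strip()
        if {"URL", "USER", "PASS"} <= fields.keys():
            entries.append(Credential(fields["URL"], fields["USER"], fields["PASS"]))
    return entries


def _under(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(cred: Credential) -> Optional[str]:
    """Label an entry as corporate access, or None for personal/consumer sites.

    Host-name heuristics (adfs/sts/fs, vpn, citrix, rdweb/rdp) are assumptions.
    """
    host = cred.host
    user_domain = cred.user.rsplit("@", 1)[-1].lower() if "@" in cred.user else ""
    if _under(host, SSO_PROVIDERS):
        # An IdP login only matters if the account belongs to the organisation.
        return "sso" if user_domain in CORP_DOMAINS else None
    if not _under(host, CORP_DOMAINS):
        return None
    if host.split(".")[0] in ("adfs", "sts", "fs"):
        return "adfs"
    if "vpn" in host:
        return "vpn"
    if "citrix" in host:
        return "citrix"
    if "rdweb" in host or "rdp" in host:
        return "rdp"
    return "corporate-other"


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix so findings never carry the plaintext password."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def triage(entries, cookies, now_epoch: int) -> dict:
    hits = [(classify(e), e.host, e.user) for e in entries if classify(e)]
    by_password = defaultdict(set)
    for e in entries:
        by_password[e.password].add(e.host)
    # Reuse is only reported when at least one of the sites is corporate.
    reused = {
        fingerprint(p): sorted(hosts) for p, hosts in by_password.items()
        if len(hosts) >= 2 and any(classify(e) for e in entries if e.password == p)
    }
    # A live IdP session cookie is the 2FA-bypass case the report warns about.
    live_sso = [(dom.lstrip("."), name) for dom, name, exp in cookies
                if exp > now_epoch and _under(dom.lstrip("."), SSO_PROVIDERS)]
    return {"corporate_hits": hits, "reused_passwords": reused,
            "live_sso_cookies": live_sso}


if __name__ == "__main__":
    print(triage(parse_entries(SAMPLE_LOG), SAMPLE_COOKIES, 1_650_000_000))
```

The reference time is passed in rather than read from the clock so the liveness check is reproducible in a pipeline; in practice a live SSO cookie hit should trigger session revocation and a forced password reset for the affected account, not just a ticket.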

About Flare

Flare is the proactive external cyber threat exposure management solution for organizations. Our AI-driven technology constantly scans the online world, including the clear & dark web, to discover unknown events, automatically prioritize risks, and deliver actionable intelligence you can use instantly to improve security. Our solution integrates into your security program in 30 minutes to provide your team with actionable intelligence and automated remediation for threats across the clear & dark web.

Want to learn about how Flare can support monitoring for ransomware activities?

flare.io • hello@flare.io

Report – Stealer Logs, Single Sign On, and the New Era of Corporate Cybercrime https://flare.io/learn/resources/stealer-logs-single-sign-on-and-the-new-era-of-corporate-cybercrime/ Thu, 21 Sep 2023 14:35:00 +0000


Introduction

How many credentials do you have saved in your browser? How many form fills? How many credit cards? These may seem like innocuous questions, but the advent of infostealer malware makes them all too relevant. Infostealer variants such as RedLine, Raccoon, and Vidar infect computers and steal the browser fingerprint, which contains all of the saved passwords in the browser along with form fill data. 

There is a tendency to focus on the password in this context; after all, passwords are the linchpin of a great deal of modern security architecture. But passwords are only a small part of the data that threat actors gain from a stealer log. For many individuals, the information saved in their browser is a roadmap to their life, with all of the information a threat actor needs for highly sophisticated social engineering attacks. 

For this reason, stealer logs are likely one of the top vectors threat actors use for ransomware and other attacks against corporate environments. Thousands of individual browser fingerprints are harvested. These “logs” are then packaged together and distributed on Telegram. This report will examine stealer logs and their use in cyberattacks against enterprise organizations. 

This Flare report was inspired by the recent attacks against corporate SSO applications. We rate it as highly likely that much of the increase in attacks targeting corporate SSO environments is in part being driven by the underlying growth in infostealers with corporate credentials. There is compelling evidence that threat actors are using stealer logs to gain initial access to corporate environments for ransomware attacks, initial access broker listings, and more.

Key Findings

  • Flare’s research team identified 312,855 corporate SSO credentials in stealer logs distributed on dark web markets & public and private Telegram channels. 
  • Stealer logs can be extremely valuable for both financial crime and cybercrime targeting organizations. Credential sets saved within stealer logs enable threat actors to gain enormous insight into particular targets in addition to revealing common password patterns.
  • Infostealer malware can be purchased for as little as $100 per month, complete with command and control infrastructure, on Telegram channels, creating a low barrier to entry for threat actors.
  • Infostealer malware panels such as RedLine automatically parse logs and call out high-value credentials such as banking and financial services applications.
  • SSO applications and the proliferation of stealer logs create a strikingly high-risk single point of failure. Threat actors are only one 2FA token away from total access to a corporate environment. 
  • We rate it as highly likely that many of the recent attacks against SSO environments have leveraged stealer logs for at least part of the attack. 

Defining Infostealer Malware

Typically, infostealer malware infects computers, extracts credentials, auto-fill data, and active session cookies from the browser, and then self-terminates, leaving little to no trace that the device was ever infected. This data is then packaged into a “stealer log,” which is then itself combined with thousands of other stealer logs into files shared on cybercrime Telegram channels and Russian Market. This poses dramatically increased risk to corporations compared with “traditional leaked credentials” for a number of reasons, including:

  • Stealer logs often contain active session cookies allowing threat actors to bypass 2FA and MFA controls 
  • Stealer logs contain dozens or even hundreds of credentials, providing a wide “attack space” for actors to utilize
  • Log files often contain corporate credentials to SSO applications, CRMs, cloud environments, and other critical corporate SaaS applications
  • Most stealer malware self-terminates after a successful infection, increasing the difficulty of detection and device identification

Infostealer malware often infects personal computers which don’t hold corporate files but do have saved credentials to corporate cloud environments, making detection even harder. Additionally, the information found on personal computers can aid threat actors in impersonating the user for future attacks, as many users save secret questions and other data as form fills in the browser. 

Most threat actors are not highly sophisticated entities looking to identify 0-day exploits; they are instead low-level cybercriminals looking for the pathway with the highest return on investment. Finding infostealer logs with corporate credentials on public Telegram channels represents a low-risk, low-cost method for gaining access to sensitive IT infrastructure.

Example of a single stealer log file that has been distributed on Telegram, containing a browser fingerprint and associated information

Stealer Logs, Single Sign On Applications, and the Dangers of Browser Form Fills

SSO applications have become a corporate information security mainstay in recent years. Corporate single sign-on applications provide considerable advantages to security teams by centralizing authentication, enabling the organization to mandate MFA, improving compliance initiatives, and creating a centralized method for monitoring application access.

Unfortunately, SSO applications also create a single point of failure for an organization’s security posture. For this project, Flare searched for five common corporate SSO providers against more than 22 million stealer logs and identified over 312,855 corporate SSO application domains present. Even if the session cookies are expired, this still represents an enormous risk. We can break the risk down into three parts:

  • Stealer logs may contain credentials and active session cookies for an SSO application, enabling a threat actor to log-in directly
  • Even when the session cookies are invalid or expired, stealer logs contain “auto form fill data” providing actors with employee names, addresses, answers to security questions, credit card information, and other data that could be used to social engineer 2FA and MFA codes out of help desk employees
  • Stealer logs contain enormous amounts of personal information about employees that could be used as leverage such as credentials to adult content websites, banking, social media, and more

In some recent attacks against organizations using SSO applications, it appears that the threat actors already had the credentials to the SSO application, making social engineering attacks dramatically easier. It’s worth pausing for a moment and exploring the enormous social engineering opportunity that a stealer log represents for threat actors. For individuals that save credentials and form fill data in their browsers, an average stealer log may provide a threat actor with:

  • Their name, address, social security number, and credit card numbers
  • Saved answers to secret questions such as their pets’ names, the street they grew up on, favorite foods
  • All of the domains that credentials are saved for; this can allow threat actors to ascertain highly personal information such as the school their kids go to, the airlines the individual takes, and other highly personal information that can be inferred from saved credentials
  • Dozens to hundreds of examples of passwords that the individual uses, enabling threat actors to ascertain patterns in the victims passwords
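
The risks listed above are easiest to see on a concrete log. The following Python is an added example, not Flare’s code or anything from the report: it triages one stealer log the way a security team that has recovered a copy of its own employees’ exposed log would, parsing the saved-credential records, flagging hosts that belong to the organization’s SSO and SaaS domains, and reporting password reuse across sites using a hash fingerprint so clear-text secrets never leave the parser. The record layout, every host, user and password in SAMPLE_LOG, and the CORPORATE_DOMAINS set are constructed placeholders (the report does not name the five SSO providers it searched for).

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in a common "Passwords.txt"-style layout: one record per
# saved credential, records separated by a line of '=' characters.
# All hosts, users and passwords are made up for this example.
SAMPLE_LOG = """\
URL: https://sso.example-corp.invalid/login
USER: jane.doe@example-corp.invalid
PASS: Summer2023!
APP: Chrome
================
URL: https://mail.example-corp.invalid/owa
USER: jane.doe@example-corp.invalid
PASS: Summer2023!
APP: Chrome
================
URL: https://shop.example-store.invalid/account
USER: janedoe88
PASS: Summer2022!
APP: Chrome
================
URL: https://bank.example-bank.invalid/
USER: janedoe88
PASS: Tr0ub4dor&3
APP: Edge
================
"""

# Domains an organization would register as "ours": its SSO portal and any
# corporate SaaS tenants. Assumed placeholders, not real provider domains.
CORPORATE_DOMAINS = {"sso.example-corp.invalid", "mail.example-corp.invalid"}

RECORD_SEP = re.compile(r"^=+\s*$", re.MULTILINE)


def parse_stealer_log(text):
    """Split a credential dump into dicts with host/user/secret keys."""
    records = []
    for chunk in RECORD_SEP.split(text):
        fields = {}
        for line in chunk.strip().splitlines():
            key, _, value = line.partition(":")
            fields[key.strip().upper()] = value.strip()
        if "URL" not in fields:
            continue  # blank chunk between separators
        host = urlsplit(fields["URL"]).hostname or ""
        records.append({"host": host.lower(),
                        "user": fields.get("USER", ""),
                        "secret": fields.get("PASS", "")})
    return records


def fingerprint(secret):
    """Hash the password so reports and tickets never carry the clear text."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def triage(text, corporate_domains=CORPORATE_DOMAINS):
    """Return the corporate hosts exposed and which fingerprints are reused."""
    records = parse_stealer_log(text)
    exposed = sorted({r["host"] for r in records if r["host"] in corporate_domains})
    by_fp = defaultdict(set)
    for r in records:
        by_fp[fingerprint(r["secret"])].add(r["host"])
    # A fingerprint seen on more than one host is a reused password: every
    # account in that group needs a reset, not just the corporate one.
    reused = {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}
    return {"exposed_corporate_hosts": exposed,
            "credential_count": len(records),
            "reused_secrets": reused}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The output lists which corporate hosts appear in the log and which fingerprint groups span several sites, which is the reset and session-revocation list an incident responder actually needs; the near-identical “Summer2022!” and “Summer2023!” pair is deliberately left for a human to notice, since inferring patterns is exactly what the report says attackers do with this data.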

Stealer Log Distribution, Panels, and the Infostealer Ecosystem

An entire ecosystem exists around stealer malware, largely on the social media and messaging application Telegram. Threat actors can easily purchase RedLine malware & infrastructure through automated Telegram applications using cryptocurrency. Typically licenses are sold on a monthly or lifetime basis.

Once threat actors purchase a license, they are also granted access to dedicated command and control infrastructure which can be used to communicate with the malware panel and the infected devices. Infostealer panels are particularly interesting and also showcase just how far cybercriminals have come in commoditizing logs. 

Below is an example of the RedLine malware panel. The left-hand column provides the date of the data extraction. The most interesting aspect is the far-right column, where it appears that the panel automatically parses credentials from stealer logs to notify the threat actor of specific high-value credentials which can be exploited for financial gain. 

Example of the RedLine panel

Once logs have been sorted, they are typically distributed across three primary sources. Many stealer logs are posted directly to public Telegram channels where they can be easily found by any Telegram user. Stealer logs that are posted directly in public Telegram channels usually serve as “advertisements” for the threat actors’ “private” (that is, paid) channels.

Stealer log advertisement on Telegram

Private stealer log channels are invite only and usually monetized on a month-to-month basis. Typically, channel administrators limit the number of users in a private channel to 10-20 and promise a set number of “fresh” logs that will be posted to the channel on a weekly basis.

Raccoon malware panel (note they even have “beta” features)

In Flare’s previous analysis, we found that logs containing corporate credentials were disproportionately posted into private Telegram channels, indicating that actors may be intentionally funneling the highest value logs directly into private channels. 

We’ve also found considerable evidence of dark web threat actors known as initial access brokers (IABs) purchasing bulk logs, likely to utilize the access provided to compromise corporate IT environments. We rate it as highly likely that both IABs and ransomware groups are directly using logs with corporate access to gain privileged IT infrastructure access to corporate environments. 

Concluding Thoughts

Stealer logs represent more than just packaged credentials and session cookies for individual users. Many stealer logs contain all of the information needed to launch incredibly sophisticated and detailed social engineering attacks. Individuals live their lives online, and as a result save enormous amounts of personal information to their browsers which can present an incredible opportunity to threat actors looking for easy ways to gain access to corporate IT environments.

Organizations have typically focused on strengthening their internal security measures, but the growing use of SSO applications concentrates risk at a few single points of failure that can represent an existential threat to a corporate information technology environment. Leveraging external monitoring to identify corporate credentials in stealer logs is going to be increasingly necessary for any kind of effective security posture.

The post Report – Stealer Logs, Single Sign On, and the New Era of Corporate Cybercrime appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

Report – Initial Access Brokers, Russian Hacking Forums, and the Underground Corporate Access Economy
https://flare.io/learn/resources/initial-access-brokers-russian-hacking-forums-the-underground-corporate-access-economy/
Wed, 16 Aug 2023 13:38:29 +0000

Download the report PDF

Introduction

More than 100 companies across 18 industries had access to their IT infrastructure, cloud environments, networks, or applications sold on Russian hacking forums so far in 2023. Initial access brokers (IABs) operate across multiple dark web forums and specialize in gaining access to corporate IT environments which are then auctioned off or sold on dark web forums.

These actors are often sophisticated, focused, and specialized in finding vectors that can provide them access to corporate environments. In many cases they are also stunningly successful in gaining access to highly sensitive IT infrastructure, even for large sophisticated companies.

For this analysis Flare reviewed three months of initial access broker posts on the Russian hacking forum Exploit. In that period we observed threat actors selling access to U.S. defense contractors, telecommunications companies, chemical manufacturers, energy companies, and companies across more than a dozen other industries. 

We collected, standardized and normalized 72 initial access auctions from May, June, and July to better understand how initial access brokers operate, who they target, how much they sell access for, and how active certain brokers are. 

Executive Summary

  • Access to U.S. Critical Infrastructure (as defined by CISA) including Defense Contractors, Food Supply, Telecommunications, and Government Contractors was auctioned off on Russian hacking forums between May 1st and July 27th 2023.
  • Attacks against U.S. companies were the most common, with 36% of all listings during the period advertising access to victims located in the United States.
  • The top seven threat actors studied were responsible for 55% of listings, indicating that a few threat actors active on the dark web forum Exploit are responsible for the majority of posts. 
  • Finance and Retail were the most targeted industries during this period followed by Construction and Manufacturing. 
  • The average price of corporate IT access on Exploit during the time period studied with outliers removed is $1,328. Prices ranged from $150 to more than $120,000 based on the type of access being sold, the country, and the industry of the victim.
  • Access to RDP and VPN accounts accounted for the vector in 60% of all initial access broker posts.
  • Some actors specifically advertised the lack of backup systems at victim companies, or advertised that they had access to backup systems. This suggests that some IABs likely expect the access they sell to be used for ransomware attacks. 
  • Based on posts from active initial access brokers, Flare analysts believe that it is highly likely that many initial access brokers are sourcing access from stealer logs found on Russian Market, Genesis Market, and public or private Telegram channels. 

Initial Access Brokers as a Key Linchpin of the Cybercrime Ecosystem

The cybercrime economy continues to grow. Threat actors now operate across thousands of Telegram channels, more than 100 Tor forums and marketplaces, and on numerous social media and encrypted messaging platforms. The majority of cybercrime activity is focused on consumer fraud: breaking into bank accounts, stealing cryptocurrency, and other criminal activity targeted at individuals. Only a small group of more sophisticated actors are known for targeting companies. 

Post advertising RDP access for a U.S.-based Aerospace & Defense organization

Cybercrime threat actors targeting corporate environments or that enable targeting that affects corporations generally fall under one of the following classifications:


Stealer Log Vendors: Many threat actors distribute stealer logs across Russian Market, Genesis Market, and public/private Telegram channels. In some cases, as part of normal distribution, threat actors inadvertently infect computers whose saved credentials include corporate access. This is likely a key source of the RDP/VPN credentials that IABs leverage to establish and expand access. 

Hacktivist Groups: There are numerous hacktivists that operate across Tor and Telegram including recently created groups such as Killnet and Anonymous Sudan that focus on attacking NATO countries’ critical infrastructure and government agencies. These groups are often found in large, public Telegram channels.

Ransomware Gangs: Ransomware gangs often produce specific ransomware variants which they distribute themselves, or provide to affiliates who carry out attacks and take part in the profits. Ransomware gangs are increasingly leaking data as part of double and triple extortion schemes; in some cases ransomware groups are no longer even bothering to encrypt files. There are strong indicators that there is a direct link between initial access brokers and ransomware attacks. 

Initial Access Brokers: These threat actors are primarily active on the Russian hacking forums XSS and Exploit; they specialize in gaining initial access to IT environments, which they then resell, likely to ransomware gangs, affiliates, nation states, and even other IABs.

This report is focused on initial access brokers. All posts were collected from the dark web forum Exploit and examined by analysts. We focused on extracting valuable features from each post that could be used to compare and contrast data. 

The Anatomy of an IAB Post 

Understanding IAB posts isn’t always simple. IAB posts are often a mix between English and Russian, with some exclusively written in Russian. There is also specific terminology that access brokers use that may not be familiar to the average English speaker. 

Post advertising RDP access for a U.S.-based organization
  • Type/Тип доступа: Describes the type of access obtained, most commonly RDP or VPN access.
  • Industry/Деятельность: Describes the industry of the victim company. Finance, Retail, and Manufacturing are the three most common targets.
  • Access Level/Права: Describes the level of privileges obtained.
  • Revenue: Describes the revenue of the victim company, often obtained from U.S.-based data providers publicly available online. 
  • Host Online: Often describes the number of hosts from the victim and sometimes includes antivirus and security systems in place. 
  • Start: The starting price of the auction.
  • Step: The bid increments. 
  • Blitz: The buy it now price. 
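
The field list above lends itself to a small normalizer, which is the first step in comparing listings across actors. The following Python is an added example, not Flare’s tooling: it maps the bilingual labels to one schema and records “unknown” for omitted fields, as the report’s methodology does. The LABELS alias table and the parse_money helper are assumptions about how actors format values, and SAMPLE_POST is a constructed listing that describes no real victim.

```python
import re

# Constructed listing text mixing English and Russian labels, modelled on the
# field list in the report. Values are made up; no real victim is described.
SAMPLE_POST = """\
Тип доступа: RDP
Деятельность: Manufacturing
Права: local admin
Revenue: $45M
Host Online: 120 (AV: yes)
Start: 1500
Step: 200
Blitz: 4000
"""

# Map every label variant to one normalized field name. The Russian labels are
# the ones given in the report; the lowercase English aliases are assumptions
# that absorb formatting differences between actors.
LABELS = {
    "type": "access_type", "тип доступа": "access_type",
    "industry": "industry", "деятельность": "industry",
    "access level": "access_level", "права": "access_level",
    "revenue": "revenue", "host online": "hosts",
    "start": "start", "step": "step", "blitz": "blitz",
}

FIELDS = ("access_type", "industry", "access_level", "revenue",
          "hosts", "start", "step", "blitz")


def parse_money(value):
    """'$45M' -> 45_000_000; '1500' -> 1500; None when not parseable."""
    m = re.fullmatch(r"\$?\s*([\d.,]+)\s*([kKmMbB]?)", value.strip())
    if not m:
        return None
    number = float(m.group(1).replace(",", ""))
    scale = {"": 1, "k": 1e3, "m": 1e6, "b": 1e9}[m.group(2).lower()]
    return int(number * scale)


def parse_iab_post(text):
    """Normalize one listing into a dict; missing fields become 'unknown',
    matching how the report treats listings that omit a value."""
    record = {f: "unknown" for f in FIELDS}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue
        field = LABELS.get(label.strip().lower())
        if field is None:
            continue  # free-text lines and unknown labels are ignored
        value = value.strip()
        if field in ("revenue", "start", "step", "blitz"):
            parsed = parse_money(value)
            record[field] = parsed if parsed is not None else "unknown"
        else:
            record[field] = value
    return record


if __name__ == "__main__":
    print(parse_iab_post(SAMPLE_POST))
```

Keeping monetary fields as integers (USD, per the report’s pricing) is what makes the later averages and outlier checks possible; the hosts field is left as text because actors mix counts with security-product remarks in it.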

While many posts contain all of this data, there is substantial variance between posts. Individual threat actors often have their own format for posts which may omit certain types of data. In addition, some threat actors deliberately left out data and asked potential purchasers to message them on Telegram for more information, likely in an effort to prevent law enforcement, threat intelligence providers and other organizations from determining the identity of the target. 

Research Questions & Hypothesis

We set out to answer the following research questions.

  • What is the average “blitz” price that a threat actor sells corporate access for with outliers removed? 
  • Which countries are most represented in IAB posts?
  • Do threat actors target specific industries more than others?
  • How frequently is IT infrastructure access to organizations that are classified as U.S. Critical Infrastructure by CISA being sold?
  • Do certain types of access fetch a higher price than others?
  • What are the most common types of access that threat actors obtain and sell?
  • How many threat actors exist in the ecosystem on Exploit? How much activity are the top actors responsible for?

We hypothesized that U.S. companies would be the most targeted in the world, and that access to U.S. organizations would sell for more than access to companies in other countries. In addition, we expected that the IAB ecosystem on Exploit would be varied, with many threat actors providing individual listings. 

Limitations

  • We only reviewed data from May 1st to July 27th, 2023 providing us a sample size of 72 IAB events. While this sample size was sufficient to provide interesting data, it limits some statistical analysis. 
  • Posts varied in information based on the threat actor. Key data such as industry, level of access, type of access and other key elements were missing from a small number of listings in our sample. In these cases data was listed as “unknown” for the analysis. 
  • We only reviewed IABs active on one dark web forum out of several forums where access brokers are active. Data discussed in this paper only focuses on the dark web forum Exploit. 

The Blitz, Auctioning Access, and Whale Hunting

We began our analysis by looking at the average “buy it now” or “blitz” for an initial access auction. The average price to purchase initial access across all samples in our data set was $4,699.31, while with outliers removed it was $1,328.23. This largely reflects the extreme range of listings present in the data set. Listings were as cheap as $150 and could go up to more than $120,000 for unique access to certain IT environments in high-value segments.

Distribution of blitz prices across our data set, excluding one extreme outlier 

The histogram represents the distribution of blitz prices across our data set and excludes the single auction with a blitz price of $120,000. It immediately stands out that the vast majority of listings are available for relatively low cost, with roughly a third of all auctions having a blitz price below $1,000. 

However, one noticeable blip exists far to the right: a threat actor claiming to sell unique access to an extremely high-value IT environment (backend access to a major auction house). In many ways this can be seen as whale hunting.  

While the vast majority of access is low to medium value, occasionally extremely unique or high-value access is auctioned that can cause extreme pricing variation compared to our average. This was also on full display last year when threat actors attempted to sell 84 GB of European defense contractor and missile system data on Exploit for $100,000 USD worth of bitcoin. 

Higher priced listings often had access to unique environments or particularly sensitive files. However the vast majority of access was found in the form of RDP or VPN access to small companies and were priced fairly low. 

Geography Matters… Quite A Lot

Map showing number of IAB posts selling access to corporations globally, note that this map excludes instances where IABs listed the continent rather than country 

A significant plurality of IAB posts were focused on U.S. companies, with the second most targeted country Australia at only slightly more than 1/7th of the volume of attacks against U.S. companies. This result was expected for several reasons:

  • The U.S. has some of the most valuable companies in the world, in addition to the world’s highest GDP making it a lucrative target for threat actors.
  • Infostealer malware is likely a prime vector that initial access brokers use to establish access; in many cases infostealer variants are set to automatically disable when executed on hosts in a country belonging to the Commonwealth of Independent States (CIS), somewhat limiting potential countries for targeting. 
  • Exploit, being a Russian forum, may deter threat actors from posting targets that are neutral or allied to Russia while incentivizing them to target countries hostile to Russia.

Percentage of IAB posts selling access to corporations based in the respective countries

Next we wanted to explore how the “blitz” or buy it now price for listings changes by country. Our hypothesis was that blitz prices for access to U.S. companies would be substantially higher than non-U.S. companies due to economic differences, company valuations, and potential payments for ransomware and other cybercrime. 

The presence of outliers can significantly skew the average, so we removed them using the interquartile range (IQR) method. The IQR is the range between the first quartile (25th percentile) and the third quartile (75th percentile) of the data. Any data point that falls below the first quartile minus 1.5 times the IQR, or above the third quartile plus 1.5 times the IQR, is considered an outlier.

Our results showed that the average price, disregarding outliers, changes very little between organizations in the U.S. and the rest of the world. We were curious to test this hypothesis against data with outliers; to do this, we incorporated outliers while removing a single extreme outlier. 

This changed our results substantially with the average blitz price for U.S. companies significantly increasing to $3,186, while the rest of the world increased to $3,011.11. These changes represent the fact that there were several high blitz prices for both U.S. and international companies. 
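
To make the IQR procedure concrete, here is an added Python example (not the report’s analysis code) that applies the 1.5 x IQR fences described above to a constructed list of blitz prices, shaped like the report’s distribution with one extreme listing, and returns the three figures the report compares: the raw mean, the mean with only the single most extreme listing dropped, and the mean with all IQR outliers removed. The quartile convention (median of each half) is an assumption; the report does not say which it used.

```python
from statistics import mean, median

# Constructed blitz prices in USD, shaped like the report's distribution:
# most listings under a few thousand dollars plus one extreme listing.
SAMPLE_BLITZ = [150, 300, 450, 500, 700, 800, 900, 1000, 1200, 1500,
                1800, 2000, 2500, 3000, 4000, 6000, 10000, 120000]


def quartiles(values):
    """First and third quartile using the median-of-halves convention
    (assumed here; other conventions give slightly different fences)."""
    s = sorted(values)
    n = len(s)
    lower = s[: n // 2]
    upper = s[(n + 1) // 2:]
    return median(lower), median(upper)


def iqr_bounds(values, k=1.5):
    """Tukey fences: Q1 - k*IQR and Q3 + k*IQR."""
    q1, q3 = quartiles(values)
    iqr = q3 - q1
    return q1 - k * iqr, q3 + k * iqr


def split_outliers(values, k=1.5):
    """Return (kept, outliers) according to the IQR rule."""
    low, high = iqr_bounds(values, k)
    kept = [v for v in values if low <= v <= high]
    outliers = [v for v in values if v < low or v > high]
    return kept, outliers


def average_with_and_without_outliers(values):
    """The three averages the report contrasts, rounded to cents."""
    kept, outliers = split_outliers(values)
    without_extreme = sorted(values)[:-1]  # drop only the single largest listing
    return {"raw_mean": round(mean(values), 2),
            "mean_without_extreme": round(mean(without_extreme), 2),
            "trimmed_mean": round(mean(kept), 2),
            "outliers": sorted(outliers)}


if __name__ == "__main__":
    print(average_with_and_without_outliers(SAMPLE_BLITZ))
```

On the constructed sample the fences land at roughly -2,750 and 6,450, so the 10,000 and 120,000 listings are dropped and the trimmed mean falls to a fraction of the raw mean, which is the same shape of effect the report describes between its $4,699 and $1,328 figures.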

Key Takeaways: 

  • U.S. corporations are heavily targeted by initial access brokers, with 36% of victims advertised as being located in the United States. 
  • Australia and the UK were the second and third most targeted countries, representing 12.5% of our data set. 
  • After removing outliers, access to U.S. corporations did not sell for significantly more or less than the global average, invalidating the hypothesis that U.S. companies would fetch a higher price than their global counterparts. 
  • The average blitz price for our data set after excluding outliers was $1,328, while with outliers included it was more than $3,000, indicating that occasionally access to a particularly valuable company is sold for multiple standard deviations above the average price, skewing results.

How Many Threat Actors were Active During the Period?

Next we reviewed how many threat actors were actively selling access to corporate networks on Exploit during this period. We counted 31 unique usernames selling access to corporate IT environments; however, the top seven actors were responsible for the majority (55.6%) of listings. 

This could indicate that a select few threat actors have developed tactics, techniques, and procedures that enable them to gain access to a large number of IT environments compared to the average threat actor. 

For this analysis we again used the IQR method to remove outliers and began by comparing threat actors based on their average blitz price. We also excluded actors that had a low sample size of events. We uncovered a substantial range in average blitz prices by actor, suggesting differences in targeting, level of access gained, and pricing strategy. 

The average blitz price with outliers removed varied substantially between threat actors, with a range of $558 to $1,400. Given that the variances in company blitz price make it exceedingly unlikely that this range is driven by country targeting, we suggest the following explanatory factors. 

  • Some access brokers may focus on specific industries or verticals that yield a lower or higher average blitz price. This area represents an excellent opportunity for future research. 
  • Some IABs may lack the reputation to sell high-blitz price access, resulting in smaller sales to build reputation. Correlating the number of auctions an actor has held with the blitz price achieved is an interesting area for future study.
  • The type of access being sold also significantly influenced price, which will be explored later in this paper; some IABs may focus on particular types of access to environments, resulting in lower or higher selling prices.

Initial Access Brokers & Industry

Average Blitz Price by Industry

The average blitz price based on industry is another interesting data point that can help shed light on how IABs operate. Industry targeting plays a critical role in determining the value of initial access offerings. To do this, we classified organizations into 18 industries as depicted. Interestingly, unlike geographic location, the industry of the victim played a very substantial role in how the post was priced. 

First we reviewed the average blitz price by industry (excluding outliers), where we found significant variation. We excluded posts with industry unknown and industries with fewer than four examples. Access to manufacturing sold for the highest price, coming in slightly above $2,000, while access to retail organizations was sold at the lowest price, slightly under $750. 

To further explore the relationship between industry and access price, we used a Gantt chart to visualize the distribution of IAB pricing by industry. The relative clustering for certain industries such as Media, Real Estate, Retail, and Business Services was striking compared to that of Manufacturing, Finance, and Defense, although this could be a result of limited sample size and warrants further study. 

Distribution of IAB Pricing by Industry

Blitz price of all IAB posts (excluding unknown industry)

Key Takeaways:

  • Industry has a profound impact on pricing in our sample data, with certain industries selling for far higher average prices than others. 
  • Manufacturing, Finance, and Media access sold for the most, while Construction, Business Services, and Retail sold for the least. 
  • Price clustering around low $1,000 and $10,000 suggests that there are significant factors that can substantially increase the price for access to an organization. 

U.S. Critical Infrastructure, IABs, and Types of Access

We also wanted to look at the prevalence of IABs selling access to U.S. Critical Infrastructure. Initial access being sold to U.S. Defense Contractors, Financial Institutions, Healthcare Entities, and Food Suppliers can pose a significant risk to U.S. National Security. Our analysis detected five instances of access to U.S. Critical Infrastructure as defined by CISA sold on Exploit during the dates studied. 

IAB Posts by Industry (U.S. Companies)

Interestingly for U.S. specific data, Construction and Business Services were the most affected industries. 

The last data point we analyzed was the type of access being sold by threat actors. Many posts excluded this information or used different naming conventions to describe the type and level of access, making normalization across our data set difficult in some cases. Some actors listed the vector (such as compromised RDP) but not the level of access; others combined level of access and vector, or simply listed the level of access obtained.

By far the most common vector was RDP access, with 32 of 72 posts claiming that the type of access available was through RDP. The next most common vector was VPN access occurring 11 times. Combined these types of access represented 60% of listings within our data set. 

The most common types of access obtained were administrator access to cloud environments (14 instances), local administrator privileges (five instances), and “user in domain” (two instances). In many cases non-standard access was obtained, such as to company specific SaaS applications, specific categories of data, and other IT applications. In a few examples we noted that threat actors specifically singled out that they were selling access to backup and recovery systems in addition to corporate IT access, indicating that the access was likely intended to be used for ransomware operations. 

Key Takeaways:

  • Access to U.S. Critical Infrastructure is routinely sold on Exploit but not overrepresented compared to other industries.
  • IABs sell access which affects organizations across a range of industries including Finance, Manufacturing, Defense, and Healthcare.
  • Access to RDP and VPN accounted for the vector in 60% of all initial access broker posts.
  • The most common level of access was for administrative access to cloud environments, followed by local administrator privileges and “user in domain.” Oftentimes, the level of access was omitted or contained a unique value. 

IABs and Russian Hacking Forums – An Urgent Call to Action

Initial access brokers represent a real and present threat to companies globally. Threat actors operating on Exploit forum are auctioning off access to a new company almost daily, and Exploit only represents one of multiple forums with initial access broker activity. We recognize that many recommendations are uniform across security reporting such as establishing MFA controls, training users, and performing other basic security practices. In addition to those, we strongly recommend that organizations:

  • Monitor IAB Forums: As noted, IAB posts are almost entirely anonymized to avoid tipping off victims; however, the combination of geography, revenue, industry, and type of access may be enough information to give some organizations advance notice that they have potentially been compromised. We recommend monitoring Exploit, XSS, and other IAB forums to receive advance notice that access to your environment may be for sale.
  • Put Monitoring in Place for Stealer Logs: We expect that stealer logs represent a significant source of vectors for IABs. It is highly likely that threat actors sort through enormous numbers of logs to find those with RDP, VPN, and other forms of corporate access which can be established, expanded, and resold. We recommend monitoring across public & private Telegram channels, Russian Market, and Genesis Market. 
  • Automate Public GitHub Secrets Detection: We have not firmly established a link between public GitHub secrets leakage and access broker posts; however, developers copy-pasting code containing credentials into public repositories represents a potential vector of access for IABs. 
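
Matching an anonymized listing to your own organization, as the first recommendation above suggests, is a scoring problem over the few fields a post does reveal. The following Python is an added example, not Flare’s product logic: it scores normalized listings against an organization profile, treats a hard mismatch on country or industry as disqualifying, lets “unknown” fields neither help nor hurt (so deliberately sparse posts still surface), and ranks what an analyst should look at first. The weights, tolerances and threshold are assumptions, and LISTINGS and ORG_PROFILE are constructed records that describe no real post or company.

```python
# Constructed, already-normalized listings carrying the fields the report says
# IAB posts contain, plus one constructed organization profile.
LISTINGS = [
    {"id": "A1", "country": "US", "industry": "Manufacturing",
     "revenue": 45_000_000, "access_type": "RDP", "hosts": 120},
    {"id": "A2", "country": "AU", "industry": "Retail",
     "revenue": 8_000_000, "access_type": "VPN", "hosts": 40},
    {"id": "A3", "country": "US", "industry": "Manufacturing",
     "revenue": 400_000_000, "access_type": "RDP", "hosts": 2500},
    {"id": "A4", "country": "US", "industry": "unknown",
     "revenue": "unknown", "access_type": "VPN", "hosts": 110},
]

ORG_PROFILE = {"country": "US", "industry": "Manufacturing",
               "revenue": 50_000_000, "hosts": 130,
               "external_access": {"RDP", "VPN"}}  # what we expose externally


def within(value, target, tolerance):
    """True when a numeric value lies inside +/- tolerance (a fraction) of target."""
    return isinstance(value, (int, float)) and abs(value - target) <= tolerance * target


def score_listing(listing, profile):
    """Weighted evidence that a listing could describe this organization.
    Unknown fields are skipped; a known mismatch on country or industry
    returns 0 so a post cannot match on revenue or host count alone."""
    score = 0
    checks = [
        ("country", listing["country"] == profile["country"], 3),
        ("industry", listing["industry"] == profile["industry"], 2),
        ("revenue", within(listing["revenue"], profile["revenue"], 0.25), 2),
        ("hosts", within(listing["hosts"], profile["hosts"], 0.25), 1),
        ("access_type", listing["access_type"] in profile["external_access"], 1),
    ]
    for field, matched, weight in checks:
        if listing[field] == "unknown":
            continue
        if not matched and field in ("country", "industry"):
            return 0
        score += weight if matched else 0
    return score


def candidate_matches(listings, profile, threshold=5):
    """IDs of listings worth an analyst's attention, highest score first."""
    scored = [(score_listing(item, profile), item["id"]) for item in listings]
    return [lid for s, lid in sorted(scored, reverse=True) if s >= threshold]


if __name__ == "__main__":
    for item in LISTINGS:
        print(item["id"], score_listing(item, ORG_PROFILE))
    print(candidate_matches(LISTINGS, ORG_PROFILE))
```

A hit here is a prompt to check recent RDP and VPN authentication logs and the exposed-credential sources named in the second recommendation, not proof of compromise; raising the threshold trades recall for fewer false alarms, which is why it is a parameter.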

About Flare

The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and prominent threat actor communities 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.

Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. Learn more by signing up for our free trial.

The post Report – Initial Access Brokers, Russian Hacking Forums, and the Underground Corporate Access Economy appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.
