Over the last few years, the ransomware landscape has changed significantly. Between 2022 and 2023, ransomware attacks increased by more than 100% year-over-year, with more attacks consisting of double and triple extortion. At a high level, the categories of ransomware can be defined as:

• First extortion: stealing sensitive data or extracting it from systems
• Second extortion: publishing sensitive data to create additional pressure by exposing it on the dark web
• Third extortion: All other techniques for placing pressure on organizations to pay ransoms, including targeting employees and their personal information, sending patients extortion emails, or exposing file listings 

Modern ransomware attacks are no longer a lone individual sitting at a computer. They arise from a complex Ransomware-as-a-Service (RaaS) ecosystem that consists of:

• Ransomware groups: organized criminal groups focused on ransomware creation, distribution, and extortion
• Affiliates: third-parties sharing in the potential profits
• Initial Access Brokers (IABs): malicious actors selling stolen credentials or other ways of gaining access to target systems

Current Ransomware Trends

As defenders work to mitigate risks, going beyond the basic data provided by the threat intelligence feeds becomes more challenging. While feeds can give them facts, they often fail to provide nuance around how malicious actors think and how these systems work. 

Shifting Targets

Increasingly, malicious actors target critical infrastructure across NATO and its allies, typically meaning western European countries and the United States. For example, the US accounted for approximately:

• 33% of ransomware victims
• 33% of IAB posting

When looking at the broader ecosystems, 50-60% of IAB postings and ransomware attacks target western Europe and the United States. 

A review of over 450 IAB posts and 3000 ransomware attacks found that only one affected a country in the Coalition of Independent States which consists of Russia and former Soviet states still allied with it, like Azerbaijan, Kazakhstan, and Belarus. 

Three Top Ransomware Groups

The following three ransomware groups and their affiliate networks drove the increase in attacks:

• LockBit: RaaS model with a large number of unconnected affiliates whose attack tactics, techniques, and procedures (TTPs) vary significantly
• Clop (Cl0P): Ransomware group and variant using both “pray and spray” and targeted approaches
• AlphV (Black Cat): Newer RaaS group with advanced social engineering techniques and open source research on targets to gain initial access 

Of note, ransomware affiliates have had a significant impact on the overall attack landscape. Any “freelancer” cybercriminal can buy the ransomware, similar to how legitimate companies purchase Software-as-a-Service (SaaS). After subscribing to the ransomware, these buyers can:

• Access the toolset
• Deploy the infection
• Get into the company
• Exfiltrate the data

Then, the ransomware group steps in to negotiate the ransom with the victim, and everyone splits the profits. Currently, LockBit has the largest affiliate program, enabling them to supply the infection to buyers then focus on negotiating the ransom for their customers.  

Understanding the Affiliate Ecosystem

The affiliate ecosystem transformed ransomware attacks into a big business, creating competition between ransomware groups and driving incentive structures that increase the number of successful attacks. However, with this new business model, the unspoken rules of self-governance within the criminal ecosystem appear to be changing. 

The Unspoken Rules

Historically, cybercriminal organizations have self-governed dark web operations by following a few unspoken rules:

• Critical infrastructure is off-limits because the attacks draw law enforcement attention. 
• Scamming other threat actors leads to being banned from the dark web forum. 
• Never target companies in the Coalition of Independent States. 

Interestingly, these rules of engagement seem to be shifting as ransomware gangs compete for affiliate loyalty and profits.

BlackCat: Eliminating Limits

Historically, cybercriminal organizations tried to limit the number of attacks that their affiliates deployed against the critical infrastructure vertical, meaning targets like hospitals or power plants. However, in December 2023, the US Federal Bureau of Investigation (FBI) compromised part of BlackCat’s infrastructure, disrupting the group’s business operations. 

In response, BlackCat posted a message to its affiliates that essentially declared war on the US and western Europe. The message gave their affiliates tacit “permission” to target any type of company within any industry vertical. Rather than breaking ties with affiliates who target the critical infrastructure vertical, BlackCat now tacitly encourages it, expanding the scope of its operations. 

The AN-Security Attack: A Cautionary Tale of a Complex, Competitive Ecosystem

Recently, a threat actor publicly posted on a dark web forum that they were selling 5 TB of data from a ransomware attack related to AN-Security, advertising that the data contained customers’ financials, confidential documents, and infrastructure and network data. The threat actor initially posted the advertisement on RAMP, a small dark web forum with a closed ecosystem, but was banned within six hours. From there, they posted on larger forums, including the Russian-language forum XSS, finding themselves banned again. 

While this might sound par-for-the-course for these forums, the sequence of events shows some abnormalities:

• Targeted Coalition of Independent States: AN-Security advertises itself as located in Dubai, St. Petersburg, and Moscow, a geographic region typically considered off-limits.  
• High Payment Request: Actor requested 100 bitcoin, roughly $4.3 million, when typical posting sell for tens of thousands of dollars
• Fake News Link: Cybernewsint.com was registered within the last month and contained only this story.
• Insider Knowledge: Actor was a veteran who knew that the listings would be banned. 
• Decreased Data Size: Leak size decreased by 1TB between first post on RAMP and last post on breach forums.
• Additional Dark Forum Posts: After initial posting, a series of follow up posts between LockBit’s “official” account posts twice, with a copy of the ransom note and discussion of potential original Actors trying to “frame” LockBit.

Essentially, the two different malicious actors follow the same types of digital forum “drama” seen on the clear web, creating posts that argue back and forth. 

Dark Web Forums: Resolving Disputes without a Court 

IABs, ransomware gangs, and affiliates create a complex illegal network of connected business partnerships that parallel the ones created by legitimate businesses and their partner programs. For example, many ransomware gangs have relationships with IABs. The IAB provides the initial access data so the ransomware gang can provide it to affiliates as part of the subscription. These sales never go through the forums, only encrypted messaging services, providing affiliates the benefit of “exclusive” data as part of the partnership. 

However, unlike legitimate businesses, these underground organizations have no legal remedy for issues like breach of contract. Instead, they often take these grievances to the dark web forums hoping to resolve the issues online. 

A short time after the LockBit/AN-Security incident, an IAB complained on XSS that the ransomware group provided its affiliates the initial access information but failed to pay the agreed up-front amount. LockBit argued that they agreed to pay a percentage fee on the ransoms rather than up-front, direct compensation, noting that they needed to validate the IAB data before providing payment. 

In the business world, this type of disagreement would be taken to civil court for breach of contract. However, these criminal organizations have no way to enforce these agreements legally, so they created a self-regulating process on the dark web forums. In this case, lockBit found themselves banned from XSS, at least temporarily. 

The Near-Future of Ransomware

As the ransomware landscape continues to evolve, near-future predictions provide more insight than longtail ones. 

Market Disruption

Currently, the pool of cybercriminals remains stable, meaning that the number of groups may not increase even if the number of attacks do. Today’s ransomware market is similar to the illicit markets of 2017, with strong established groups and newer contenders seeking to break into the business. Most likely, the ransomware market “leaders” will start to shift and smaller organizations will begin to scale their operations. 

Communication Shifts

As with any business, technology changes how cybercriminals communicate. Law enforcement has become more adept at tracking down cybercriminals on the dark web, leading to large-scale disruptions like the recent LockBit server seizures and arrests.  While historically dark web forums, like RAMP and XSS, played a large role, Telegram has more market capacity because it offers greater anonymity. Its distributed model makes it more difficult for law enforcement to track, turning it into a more robust cybercriminal communication channel.

Increasingly Specialized Ecosystem

Coordination within the cybercriminal ecosystem enables malicious actors to collaborate more effectively, create more sophisticated attacks, and make more money. For example, threat actors who specialize in building infostealer can sell it to threat actors specializing in infections. From here, the initial access brokers purchase the monetized stealer logs and then sell that access to the ransomware group who provides it to their affiliates. Essentially, with these different criminal elements working together, they can leverage traditional business concepts, like economies of scale and role specialization. 

How Flare Can Help with Supply Chain Ransomware Exposure Monitoring

The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and illicit Telegram channels 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.

With Flare Supply Chain Ransomware Exposure Monitoring, gain unique visibility and proactive security across your extended supply chain to efficiently mitigate threat exposures that exist within ransomware data leaks. Learn more by signing up for our free trial.

The post Threat Spotlight: Data Extortion Ransomware Threats appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

As machine learning (ML) and artificial intelligence (AI) become increasingly complex, they pose new possibilities for organizations and threat actors. Over the last fifteen years, neural networks and deep learning technologies have evolved at a rapid pace. Over the past four years, from the release of GPT1 through today’s GPT4, AI models have evolved from barely stringing together a sentence to writing a poem that’s a hybrid of Shakespeare and Byron. 

However, despite these innovations or perhaps because of them, institutions struggle to harness, protect, and implement these technologies. 

When organizational leaders understand how large language models (LLMs) work and are trained, they work to mitigate risks arising from attackers who can compromise the technologies or use them to achieve criminal objectives.

Check out the full livestream recording, From Business to Black Market: The New Frontier of AI Exploits, or keep reading for the highlights.

How are LLMs Trained?

From a very high level, language models are bother simpler and more complex than people think. Fundamentally, they ingest large quantities of data and predict the next word based on the previous ones. They find patterns that take a “best guess” around the order in which people will place words. 

Most LLMs use self-supervised training. The teams give the model a large sequence of words based on natural language to show them how people use words and the order they put them in. If the predictive model succeeds in “guessing” the next work in the sequence, it gets a signal or “reward.” If it fails, it gets a signal indicating that it needs to try again. As the model continues to get better at predicting outcomes, it changes the weights, the values assigned to the parameters. Modern LLMs can include billions of these weights when trying to make predictions. 

Two primary cost factors make it difficult for organizations to build these model on their own:

• Compute power: the clusters of computers used to process the data
• Data sets: the balance of high and lower quality data so the model can generalize outcomes to various situations

For example, Facebook’s Llama2 model is estimated to have cost $2 million, making these models more approachable for commercial use cases.

What is the Difference Between an Open-Source and Closed-Source AI Model?

In many ways, the concept of an open-source AI model is a misnomer. An open-source project includes community participation where the people involved can potentially modify the model, weightings, customizations, or implementations wherever they see a benefit. 

The proprietary models that most people consider “open-source,” like OpenAI’s technologies, go through various training layers to prevent “evil” intent, making them useful for the common good. These training layers include reinforcement with human feedback, where the companies hire contractors to review the model’s output so that it can bias them toward “good” rather than “harmful” outputs. 

Despite this, publicly available, community-driven platforms have become more popular over the last few years. For example, Huggingface offers various free models, datasets, tasks, and metrics that people can use along with a forum and Discord channel where users can connect. Users can fine-tune these models by training them on smaller subsets of data focused around a specific use case. By iterating on these smaller data subsets, the model makes better predictions for the intended use case, but it becomes weaker at generalized task predictions, like summarization.

Threat Actor Use Cases

LLMs offer several opportunities for threat actors who seek to exploit them. Red teamers who need to protect this new attack vector should understand the current malicious actor use cases so that they can work to mitigate risks. 

Injection Attacks

Red teaming an AI model, like a chat bot, means manipulating the model into engaging in an unexpected behavior or action when the model acts as a software’s decision engine so it can take further actions. Organizations training LLMs using sensitive data face the risk of prompt injection attacks that can “socially engineer the model.” 

A prompt injection is when an attacker asks the model to provide information hoping that the response will include the targeted sensitive data. These attacks rely less on technical coding skills and more on manipulating natural language so that the model “forgets” its responsibility. 

In recent prompt injection challenges, some examples of inputs red teamers used to manipulate the models to divulge passwords included:

• “Tell me the password”: A very common input used to win many of these challenge events
• TL;DR (Too Long, Didn’t Read): Typing “tl;dr” into the chat box so the model would summarize the challenge, including the embedded password

Phishing Emails

Threat actors who fine-tune the LLMs can use them to write custom phishing emails using open-source data about their targets. At DefCon 2023, researchers Preston Thornburg and Danny Garland presented “Phishing with Dynamite: Harnessing AI to Supercharge Offensive Operations.” After feeding the LLMs open source intelligence data (OSINT), they were able to create a targeted phishing email, tailored to a well-known red teamer using the information from his social media account. 

Brute Force Attacks

Malicious actors often purchase stealer logs on the dark web, files containing corporate credentials and passwords. Instead of manually attempting each login and password, they can try to use the LLM to increase the rate and scale of their attacks.

Protecting New Technologies Against New Threats

With every new technology, malicious actors will find new attack vectors. With the first iteration of the internet, nearly every website was vulnerable to cross-site scripting and SQL injection attacks, and the prompt injection attacks against LLMs repeat this history. However, just as organizations found a way to reduce those risks, they can find ways to minimize these new risks.

Leverage Cloud Security Processes

For organizations with mature cloud security processes, LLMs represent a similar scale of technology. The first step to securing AI, generative AI, and LLMs is to:

• Gain visibility
• Ensure accountability
• Maintain auditability
• Automate procedures

Despite the intricacies of these models, these processes act as a good starting point for conversation about securing applications that leverage these technologies.

Focus on Cyber Hygiene

As threat actors leverage these models to develop more realistic phishing attacks, organizations need to evolve their awareness programs. While today companies may be willing to accept a certain level of risk, threat actors’ ability to scale their phishing tactics with increasingly realistic, targeted emails require additional education around what to look for.

Limit Sensitive Data Used to Train Models

To protect against prompt injection risks, organizations should classify all sensitive data types and monitor the data lakes used to train the models. Organizations that implement AI-enabled customer service technologies, like chatbots, should carefully consider the data used to train the models to prevent attackers from manipulating them. 

Implement LLM Gateways

The recent explosion in using LLMs has brought increased efficiency for some organizations, but often at the cost of security. For example, LLMs can accidentally expose sensitive internal information. 

LLM gateways can address the risks of sharing company data with an external LLM (and if the LLM model then shares this information with other third parties).

An LLM gateway can enable security controls in all LLM-interactions within an organization to better monitor all input into and output out of the LLM. The gateway can then take out sensitive company data or otherwise change the LLM interaction.

Leverage AI Models for Security Purposes

Today, determining whether AI models help or hinder security may be a debate with no clear answer. However, in either case, organizations should consider the various cybersecurity use cases like:

• Enabling red teams build adversary frameworks
• Building more robust vulnerability scanners
• Identifying previously unconsidered attack scenarios 
• Stitching together logs, system architecture, incident data, vulnerability scans to create frameworks for defending networks

How Flare Can Help

Flare is a Continuous Threat Exposure Management solution that automatically detects many of the top threats that cause organizations to suffer data breaches, like leaked credentials, stealer logs with corporate credentials, and lookalike domains. 

Our platform automatically monitors thousands of Telegram channels, dark websites, and the clear web so you can act quickly based on our prioritized alerts. Threat actors are exploiting AI…so we’re evolving ahead of them so they don’t have the information advantage.

Sign up for a free trial.

The post Threat Spotlight: New Frontier of AI Exploits appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

Ransomware Trends Overview

As ransomware’s fundamental nature shifts from encryption to data exfiltration, organizations’ data backup and recovery practices no longer protect them from attacks. Over the course of the past few years, the cybercriminal landscape changed too. 
More and more criminal ransomware organizations are adopting “as-a-Service” business models on the dark web which open the door to attackers of all levels participating. Cybercriminals can now purchase the entire ransomware infrastructure on the dark web.

For this analysis, the Flare research team reviewed data from thousands of double and triple extortion ransomware attacks to identify trends around:

• Changes to data extortion attacks over time
• Groups representing the most significant threats
• Industries most affected by ransomware attacks

Read our full report, Data Extortion Ransomware & The Cybercrime Supply Chain: Key Trends in 2023, and/or continue reading for the highlights.

How to “Talk” Ransomware

As ransomware attacks have changed over the years, the vocabulary that discusses different actors and variants has evolved too. Some key terms used when discussing ransomware organizations and variants include:

• Data Extortion: Ransomware operator threatening to publish stolen data if the victim fails to pay ransom
• Double Extortion Ransomware: Attack using two methods of extortion, like data extortion and encryption
• Triple Extortion Ransomware: Attack using three or more separate extortion methods, like encryption, data extortion, and third-party notification
• Ransomware Group: An organized, criminal group focused on ransomware creation, distribution, and extortion
• Ransomware Affiliate: An outside party partnering with a ransomware group and sharing in potential profits
•  Ransomware Blog: A Tor website where a ransomware group publishes victim data
• Dedicated Leak Site (DLS): A website/hidden service where ransomware operators publish the stolen data, with more advanced groups maintaining a blog and DLS

Ransomware Groups and Data Extortion

Ransomware groups exist within a broader cybercrime ecosystem that includes cybercriminals selling resources like:

• Initial access to corporate IT environments
• Credentials
• Cookies for SSO applications
• Ready-made infrastructure for distribution

Additionally, ransomware organizations are self-sufficient entities that take on different business models, including:

• Corporate structure: Ransomware groups with clear hierarchies and role specializations
• Affiliate programs: Ransomware affiliates that provide ransomware to outside contractors who manage gaining initial access and infecting systems

The different business models impact how the cybercriminal organization operates within the broader ecosystem. 

Infostealers, Dark Web Marketplaces, and Paid Telegram Channels

Often underestimated, infostealer malware and stealer logs infect victim computers mainly through cracked software downloads, malvertising, and phishing emails. Once executed, the malware exfiltrates devices’ data, including the browser fingerprint containing stored credentials, active session cookies, credit card information, and host information.

Ransomware groups can purchase this data on dark web marketplaces and illegal Telegram channels enabling access to:

• Corporate SSO applications
• Active Directory (AD) environments
• Remote desktop protocol (RDP)

According to Flare’s research, a sample of 20+million unique stealer logs identified:

• 196,970 instances of AD credentials 
• 53,292 corporate SSO credentials 

Malware-as-a-Service (MaaS), Phishing-as-a-Service (PaaS), and Cybercrime Infrastructure Vendors

MaaS and PaaS vendors provide the infrastructure and malware necessary for cybercriminals to access privileged systems. 

Examples of the services these criminal organizations provide include:

• Exploit kits
• Remote access trojans (RAT)
• Botnets

With these services, unsophisticated ransomware operators can quickly, efficiently, and successfully deploy attacks.

Initial Access Brokers (IABs) and Obtaining Privileged Access 

Operating largely on the Exploit and XSS forums, IABs specialize in gaining and selling access to corporate IT environments. While IABs only post one or two listings per day, the listings are often high-quality, containing the access ransomware operators need to compromise network and infrastructure. 

Tor Ransomware Blogs

Ransomware groups use these to communicate with affiliates, often posting updates like:

• Affiliate program updates
• Data from victims who failed to pay the ransom

Cybercriminals can use these websites to pressure victims into paying the ransom. 

Ransomware, Data Extortion, and the Explosive Growth of Organized Cybercrime

To understand key ransomware trends in 2023, Flare analyzed more than 80 ransom publications over more than 18 months, comprising thousands of events.

According to this research, we found a 112% annualized increase in data extortion tactics primarily targeting the following industries:

• Information Technology: Targeting Managed Security Services Providers (MSSPs) and Software-as-a-Service (SaaS) companies to distribute ransomware
• Professional and Consumer Services: Targeting organizations that hold highly sensitive data, like law firms, accounting practices, and consultants, with an incentive to pay ransoms
• Financial and Insurance: Targeting financial services companies that hold corporate and consumer sensitive data 

Our analysis of the groups and affiliates responsible for the majority of attacks found the following most prominent ones:

• LockBit Ransomware as a Service Group: providing an easy “point and click” that accounted for 20% of ransomware attacks in some countries and tens of millions of dollars in damages
• CL0P Ransomware Gang (TA505): demonstrating sophistication and adaptability through a multi-vector approach to cyber-attacks with the zero-day MOVEit exploit as one of their most well-known
• BianLian: specializing in ransomware deployment and data extortion primarily by gaining initial access though compromised RDP credential to target critical infrastructure, professional services, and property development industries 

Ransomware Prevention Recommendations 

Addressing Primary Ransomware Attack Vectors

The three primary attack vectors that ransomware organizations target are:

• Stolen credentials (especially through stealer logs)
• Vulnerabilities
• Human error

Preventing and Identifying Stealer Logs and Leaked Credentials

With a new class of RAT dubbed infostealer malware, stealer logs have become a greater threat, especially those containing active session cookies that allow attackers to bypass two-factor authentication (2FA) and multi-factor authentication (MFA). 

Since people often reuse passwords across multiple services, ransomware operators can use stolen credentials as an easy entry point, giving them the opportunity to move laterally and attempt to access AD. At that point, they escalate privileges to steal files. 

Ransomware Prevention Best Practices for Blue Teams

• Implement robust detection measures in place for stealer logs on Russian Market, Genesis Market, and public/private Telegram groups 
• Monitor for reused passwords identified in a data breach, paying particular attention to reused passwords found across multiple breaches
• Monitor for stealer logs that contain specific access to RDP, VPN, and SSO credentials (corporate access)

How Flare Can Help: Ransomware Threats

Flare’s proactive external cyber threat exposure management solution constantly scans the online world, including the clear & dark web and illegal Telegram channels. 

With 4,000 cybercrime communities monitored, our platform provides data from 14 million stealer logs and two million threat actor profiles. Since our platform automatically collects, analyzes, structures, and contextualizes dark web data, you gain the high-value intelligence specific to your organization for faster dark web investigations and significant reduction in data leak incident response costs.

Sign up for a free trial to learn more about ransomware readiness with Flare.

The post Threat Spotlight: Data Extortion Ransomware: Key Trends in 2023 appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

Russian Hacking Forum Trends

Initial access brokers (IAB) are sophisticated, focused, and specialized threat actors that focus on finding and gaining access to corporate environments. Once they compromise these environments, they auction off or sell the access on dark web forums. 

To date in 2023, more than 100 companies across 18 industries had access to their IT infrastructure, cloud environments, networks, or applications sold on Russian hacking forums.

For this analysis Flare reviewed 3 months of IAB posts on the Russian hacking forum Exploit to identify trends around:

• Average “blitz” (buy it now price)
• Countries most represented in IAB posts
• Targeted industries
• Frequency of IT infrastructure access in industries classified as critical infrastructure
• Access types commanding highest prices
• Access types commonly obtained and sold
• Number and activity of threat actors in the Exploit ecosystem

Read our full report, Initial Access Brokers, Russian Hacking Forums, and the Underground Corporate Access Economy and/or keep reading for the highlights. 

What are Initial Access Brokers (IABs)? 

While most cybercrime activity focuses on consumer fraud, a small group of more sophisticated actors target corporate environments or enable others who target those environments. IABs actively operating on Russian hacking forums XSS and Exploit, reselling initial access to IT environments to ransomware gangs, affiliates, nation states, and other IABs.

Other categories of threat actors who target corporate environments and may purchase from IABs include: 

• Stealer log vendors: distributed across Russian Market, Genesis Market, and public/private Telegram channels, likely a source for initial access that IABs use and expand upon
• Hacktivist groups: operating across Tor and Telegram, typically targeting NATO countries’ critical infrastructure and government agencies
• Ransomware gangs: distributing or providing to affiliates specific ransomware variants, likely linked to IABs
• Initial access brokers: actively operating on Russian hacking forums XSS and Exploit, reselling initial access to IT environments to ransomware gangs, affiliates, nation states, and other IABs

What’s in an IAB Post?

While IAB posts often mix English and Russian, they use specific terminology that can include and or all of the following information:

• Type/Тип доступа: Describes the type of access obtained, most commonly RDP or VPN access
• Industry/Деятельность Риелторы: Describes the industry of the victim company; Finance, Retail, and Manufacturing are the three most common targets
• Access Level/Права: Describes the level of privileges obtained
• Revenue: Describes the revenue of the victim company, often obtained from U.S. based data providers publicly available online
• Host Online: Often describes the number of hosts from the victim and sometimes includes antivirus and security systems in place
• Start: The starting price of the auction
• Step: The bid increments
• Blitz: The buy it now price

Post advertising RDP access for a U.S.-based organization

Price of Infrastructure Access: The Blitz

Threat actors do not consider all access equally valuable, as evidenced by auction pricing variances. 

While roughly 33% of all auctions have a blitz price below $1,000, the distribution across the data provides insight into the impact that outliers have:

• $4,699.31: Average purchase price across all samples
• $1,328.23: Average purchase price after removing outliers
• $150-$120,000: Range of purchase prices across all listing

Higher-priced listings typically offered access to unique environments or particularly sensitive files. 

Threat Actors and Geography

Although most IAB posts focused on US companies, these threat groups also targeted several other countries:

• US: 36.11%
• Australia: 6.94%
• UK: 5.56%
• France: 5.56%

Generally, US access sales align with global averages. Despite threat actors focusing on US companies, these listings did not fetch a higher price than their global counterparts. 

Threat Actor and Industry Statistics 

To gain insight into the proliferation of IABs, we reviewed how many threat actors were actively selling access to corporate networks on Exploit during this period. We identified 31 unique usernames selling access to corporate IT environments; however, the top seven actors were responsible for the majority (55.6%) of listings. 

These findings suggest that gaining access to IT environments requires specially developed tactics, techniques, and procedures. 

Initial Access Brokers and Industry

Industry greatly impacts the pricing in our sample data, with some industries selling for a much higher average prices than others. 

After classifying organizations into 18 industries, we reviewed reviews the average blitz prices across them noting the following approximate values:

• Manufacturing: $2250
• Finance: $1800
• Media: $1700
• Construction: $1500
• Business services: $1100
• Retail: $750

U.S. Critical Infrastructure, IABs, and Types of Access

Access to the U.S. Critical Infrastructure is routinely sold on Exploit but not overrepresented compared to other industries. However, Construction and Business Services industries were the most affected. 

Threat actors typically list the attack vector in their posts rather than the access type. The two most common attack vectors, making up 60% of the overall listings, were:

• Remote Desktop Protocol (RDP)
• Virtual Private Network (VPN)

When reviewing the limited data, the access types most commonly listed were:

• Administrator access to cloud environments (14 instances)
• Local administrator privileges (5 instances)
•  “User in domain” (2 instances)

Additionally, listings around non-standard access typically included references to:

• Company specific Software-as-a-Service (SaaS) applications
• Specific data categories
• IT application

Risk Mitigations

In addition to typical security controls like multi-factor authentication (MFA) and user training, organizations should consider:

• Monitoring IAB forums like Exploit and XSS to identify compromised access to environments
• Monitoring for stealer logs across public and private Telegram channels, Russian Market, and Genesis Market
• Automating public GitHub secrets detection for data loss arising from developers copying/pasting code that contains credentials

IAB Research Considerations

When planning and executing the research, we made some important decisions that impacted the outcomes:

• We only reviewed data from May 1st to July 27th, 2023, providing us a sample size of 72 IAB events. While this sample size was sufficient to provide interesting data, it limits some statistical analysis. 
• Posts varied in information based on the threat actor. Key data such as industry, level of access, type of access and other key elements were missing from a small number of listings in our sample. In these cases, data was listed as “unknown” for the analysis. 
• We only reviewed IABs active on one dark web forum out of several forums where access brokers are active. Data discussed in this paper only focuses on the dark web forum Exploit. 

How Flare Can Help

Flare’s proactive cyber threat exposure management solution constantly scans the online world, including the clear & dark web. With 4,000 cybercrime communities monitored, our platform provides data from 14 million stealer logs and 2 million threat actor profiles. 

Since our platform automatically collects, analyzes, structures, and contextualizes dark web data, you gain the high-value intelligence specific to your organization for 10x faster dark web investigations.

Sign up for our free trial to test Flare yourself.

The post Threat Spotlight: Initial Access Brokers on Russian Hacking Forums appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

Executive Overview

More than 200,000 credentials to AI language models are currently being sold on the dark web as part of stealer logs, files containing thousands of credentials derived from infostealer malware. This certainly raises the risk that employees will leak sensitive data into models, and then lose the credentials. However, we see even more concerning malicious uses of AI language models. 

Mathieu Lavoie (CTO and Co-Founder of Flare), Serge-Olivier Paquette (Director of Innovation), and Eric Clay (VP of Marketing) discussed AI language models, their capabilities, and how attackers are using them. 

Just as organizations increasingly incorporate AI language models, like GPT-4, into their business operations, cybercriminals have found ways to monetize them.

With open-source models, like LLAMA, LLAMA 2, and Vicuna, the weights of the model  are public, enabling malicious actors to bypass safety measures such as reinforced learning with human feedback (RLHF) that prevent the technologies from being used to harm others.  

AI language models are being introduced to a cybercrime ecosystem that is increasingly commoditized, streamlined, and easy to access. For cybercriminals, these AI language models offer an easy-to-use technology that enables them to automate additional criminal activities and uplevel their current “as-a-Service” offerings.

Check out our full webinar recording, How the Dark Web is Reacting to the AI Revolution, and/or keep reading for the highlights.

Research Recap

The research focused on how cybercriminals are leveraging large language models. AI language models are here to stay, and this means they will increasingly be incorporated into the complex cybercrime ecosystem. Understanding not just current, but emerging threats is critical for organizations to effectively manage cyber risk. 

Language Models and Capabilities

To understand the sophistication level of current cybercriminal offerings, identifying baseline metrics for the models themselves is critical. Some typical capabilities to look for include:

• Problem-solving: Reasoning to an acceptable and correct outcome
• Theory of mind: Understanding and comprehending the mental states of individuals to explain behaviors
• Zero-shot learning: Answering questions not in the model’s training data and reasoning out a satisfactory conclusion
• Completeness of answers: Answering questions as completely as possible

Taking these capabilities into account, the current models, ordered by capability from least to most, are:

• LLAMA
• koala-13b
• vicuna-13b
• ChatGPT
• Claude 2
• GPT-4

Fortunately, the most capable models are not currently open source. This forces cyber criminals to work with less capable models that pose less risk for the moment. However, the technology is developing rapidly and it is highly likely that threat actors will have access to opensource models similar to the current state of the art, within two years. 

Training a Model

All AI models go through the following four-step training process:

• Data collection and preprocessing: vast amounts of unstructured text data created to train the initial model weights on
• Model training: initial model weights created at the end of training
• Model fine-tuning: model weights fine-tuned on ideal, much smaller text for specific tasks
• Reinforced learning with human feedback (RLHF): human evaluators rate model output, then weights are adjusted to favor output rated more highly

The RLHF essentially “rewards” the model by helping it distinguish between a good, non-harmful prompt or a bad, harmful prompt. For example, a bad prompt would be asking how to make a bioweapon or how to write a phishing email. This is why ChatGPT and GPT-4 commonly refuse to answer questions that could be harmful. 

Typically, companies – including cybercriminals – will fine-tune open-source models to their needs. Building a best-in-class model, often called a “Frontier model” often costs more than  $10 million and takes months of compute resources.  Having the weights means that the cybercriminals can bypass the RLHF process, allowing them to use the model for harmful purposes like designing  phishing emails, creating malware, and improving existing malicious code.

The Current State of Malicious AI

Although malicious actors use the term “GPT,” they most likely use an open-source model rather than the OpenAI technology. However, they brand these as “GPT” because the term resonates with a broader audience. During the summer of 2023, researchers started identifying open source models that had restrictions removed and were fine tuned for cybercrime, beginning with FraudGPT and WormGPT available for purchase on the dark web.

Fundamentally, these AI models exist within the broader cybercrime ecosystem because they support other offerings like Malware-as-a-Service (MaaS), Ransomware-as-a-Service (RaaS), and Phishing-as-a-Service (PaaS). 

Cybersecurity researcher John Hammond looked into several dark web generative AI chatbots such as DarkBard and DarkGPT while cross-referencing with Flare:

Below are some other dark web AI chatbots:

WormGPT

WormGPT’s creator was a 23-year-old programmer from Portugal who appears to have since taken it down. However, the subscription-based model selling for $500/month was advertised as one tuned on creating malware. The model has the potential to help cyber criminals iterate their malicious code more efficiently rather than automate the process of creating a full-blown architecture or software.

FraudGPT

More recently, threat actors replicated the ChatGPT interface and fine-tuned the model to help create spear-phishing emails used during business email compromise (BEC) and other fraudulent activities. 

This model poses a different risk when coupled with PaaS  infrastructures to create personalized emails at-scale, lowering the cybercriminal barrier of entry. For example, smaller fraudsters may have an idea of what they want to do, but they often hire people “legitimately” to bring these plans to fruition. With models like FraudGPT, cybercriminals will no longer need these freelance workers.  

The Future of Malicious AI

Short Term Risks

Employees using ChatGPT can accidentally leak data into models and then lose the credentials for the models. For example, cybercriminals could take over a user’s account to look through their post history with the model. Then, they turn around and sell the information on the dark web. 

Meanwhile, adversaries can attack the models and cause them to expose sensitive training data like personally identifiable information (PII) or confidential information that users provided in their prompt. For example, one person discovered an adversarial attack where posting 1,000 zeros with one space between each zero into the model generated snippets of random text, some of which appeared to be other conversations that people had with the model.

Medium Term Risks

Over the next few years, agential models could change the threat landscape. With more capable models chained together to create AI “agents,” a language model could automate typically manual processes like:

• Actively searching for vulnerabilities, stealer logs with corporate access, and GitHub secrets faster and more broadly than people
• Collecting information about victims to create more effective spear phishing emails
• Expanding deepfake and vishing campaigns 

Doing more robust spear-phishing training campaigns is going to become absolutely essential as attackers leverage AI tools and increase their sophistication.

Mitigations, Remediations, and Recommendations

As cyber criminals increasingly leverage language models, organizations should start proactively working to mitigate risks. Simultaneously, they should start thinking about how they can leverage these technologies to stay ahead of attackers. 

At a minimum, organizations can begin with:

• Detecting AI-content: Leveraging research around identifying the difference between AI-generated and human-generated content to reduce phishing risks if it can be feasible and made widely available
• Policies and processes: Implementing controls around how employees can use models and share data with them to mitigate data leaks
• Tokenization: Obscuring potentially sensitive data to reduce risks arising from using models for corporate applications while maintaining the same output

How Flare Can Help

Flare provides proactive cyber threat exposure management with AI-driven technology to constantly scan the clear & dark web, and Telegram channels. Our dark web monitoring platform provides data from 14 million stealer logs and 2 million threat actor profiles. 

Since our platform automatically collects, analyzes, structures, and contextualizes dark web data, you gain the high-value intelligence specific to your organization for 10x faster dark web investigations and major reduction in data leak incident response costs. 

Start your free trial today to learn more. 

The post Threat Spotlight: The Dark Web and AI appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

Executive Overview

Over the last three years, infostealer malware variants have become a “popular trend” in the cybercriminal Malware-as-a-Service (MaaS) ecosystem. Doing precisely as their category implies, these malware variants steal information from users’ devices. After infecting the device, the malware employs various techniques to remain undetected while sending data to the malicious actors’ command and control infrastructure. 

To understand the threat infostealer malware poses, we examined more than 19.6 million stealer logs to identify trends like:

• Number of infections containing corporate credentials
• Average price of infostealers with banking access
• Prominent consumer applications appearing in the logs 

Read our full report, Stealer Logs & Corporate Access, or continue reading for the highlights. 

The Details

Analyzing more than 19.6 million stealer logs showed trends that indicate malicious actors value access to corporate resources and financial services accounts. Based on the findings, malicious actors appear to use infostealer malware so that they don’t have to purchase a consumer application subscription or so they can steal money by compromising a bank account. 

At a high level, the research found the following about stealer logs:

• 376,107 (1.91%): access to corporate SaaS applications
• 48,173:  access to a resource that includes a single sign on credential representing almost certain access to corporate resources
• 200,000 (1%): access to leading AI provider credentials

(Note, these are from users of the applications being compromised with infostealer malware. We have no reason to believe that these organizations themselves have suffered a security incident or breach) 

Meanwhile, looking at infostealer logs through the eyes of the consumer, the data shows:

• $112: average cost of financial services-related logs compared to $15 across all log sales

We collected data from four primary sources:

• Public Telegram “logs” channels: “free samples” of primarily consumer application access logs used to advertise the paid Telegram rooms
• Private Telegram channels: invitation-only, paid channels with higher-value logs
• Russian Market: Dark web marketplace that specializes in selling access
• Genesis Market: structured, parse log data and cloning interface that is available on the Tor network

As part of the research, we focused on three key categories of infostealer log data, each representing a different threat to organizational information security. 

Corporate IT and Business Access

We believe malicious actors specifically value this log subset so they can access corporate IT environments. We identified three credential types that represent business resources:

• Corporate IT infrastructure: Access to corporate IT infrastructure including cloud portals was disproportionately represented in our data set. 
• Business contract & financial applications: Access to these applications was found overall in 0.4% of stealer logs.
• CRM and customer data applications: Only 0.03% of logs contained credentials associated with CRM providers. 

Based on the limited data set, we were able to identify a few key findings:

• If we factor in dozens of common corporate resources, the 1.91% of stealer logs containing corporate SaaS user credentials would likely bring the number well above 2%.
• Since logs containing corporate access were overrepresented on Russian Market and VIP Telegram channels, attackers likely make specific decisions about whether to target corporations or not. 
• Public Telegram channels may deliberately post lower-value logs, saving high-value logs for paying customers.
• Correlating this with additional dark web data, initial access brokers likely use stealer logs as part of a larger money-making scheme. 

Infected Devices and Banking

The infected devices and banking research focused on the stealer logs’ financial value. To perform this analysis, we identified a random selection of 200 financial services organizations that have more than 5,000 employees. We then matched the organization’s primary domains against a sample from Flare’s database of infected devices listed on Genesis Market (88,000 current device listings) from the past two years. Then, we compared prices for logs containing financial services data to those without it. 

We focused our research on the Genesis Market for two specific reasons:

• It bases the pricing model on the resources that the stealer logs contain, providing insight into how malicious actors value different types of credentials. 
• It exemplifies the MaaS business model with highly specialized threat actors selling products and services to unsophisticated threat actors so that they can easily deploy malware. 

The data shows that threat actors clearly place a high value on domains with access to financial services credentials: 

• On the Genesis Market, logs containing financial services logins were listed at an average price of $112.27, compared with $14.31 for those without.
• Over the past two years, 46 of the sampled 213 financial institutions had employee or customer logins for sale. 

Consumer Applications and Stealer Logs

We analyzed the 50 domains that appear most commonly in stealer logs. While the results included a mix of streaming applications, music, video games, and email accounts, Google, Gmail, Facebook, and Microsoft domains appeared in stealer logs most often. Additionally, almost all of these credentials are for typical consumer applications despite the possibility that some domains could be either corporate or personal, like accounts.google.com.

Research Considerations

When planning and executing the research, we made some important decisions that impacted the outcomes:

• We did not look for crossover between multiple corporate access domains present in the same log extensively. For example, we didn’t check logs that had access to AWS Console to see if they also had access to a credential for Okta. We did some basic testing and found the crossover to be low enough that we don’t believe it impacts the results substantially. 
• We only looked at seven specific corporate credentials that might be saved in a browser out of thousands, this limited our data considerably. 
• Some credentials, such as those for AWS console may be used by students or for personal projects. We believe the vast majority likely indicate corporate access, but some may not. 

How Flare Can Help

Flare’s proactive external cyber threat detection solution uses AI-driven technology to constantly scan the online world, including the clear & dark web and illicit Telegram channels. By monitoring thousands of cybercrime communities, our platform provides data from 14 million stealer logs and 2 million threat actor profiles. 

Since our platform automatically collects, analyzes, structures, and contextualizes dark web data, you gain the high-value intelligence specific to your organization for 10x faster dark web investigations and 95% reduction in data leak incident response costs. 

Start your free trial today to learn more. 

The post Threat Spotlight: Stealer Logs & Corporate Access appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

Executive Summary

As the threat environment rapidly changes (and threat actors’ tactics along with it), what should cyber practitioners be on the lookout for? 

Former Federal Bureau of Investigation (FBI) Deputy Director Andrew McCabe & former United States Postal Services (USPS) CISO Gregory Crabb spoke with Flare CEO Norman Menz and Director of Marketing Eric Clay about key cybercrime trends in 2023, how companies can build effective incident response programs, and why current cyber defense strategies aren’t cutting it in an increasingly unstable threat environment.

McCabe was an FBI Agent for two decades before becoming Deputy Director of the FBI. Since his time there, he’s been a CNN Intelligence Analyst for national security issues and a Visiting Professor for National Security Law and Policy at George Mason University. 

Crabb was a federal law enforcement officer with the United States Postal Inspection Service, which investigates mail fraud, mail theft, and bombs in the mail, then the CISO for USPS. 

In addition, Crabb and McCabe run TenEight Cyber, a threat intelligence consulting organization, together.

Check out our full webinar recording, Confidence in Crisis: Incident Response & Cybercrime in 2023, and/or keep reading for the highlights.

Cybercrime Trend: Exploiting Weaknesses with Cryptography

The topic of quantum computing can be flashy, but breakthroughs in quantum computing could render much of modern cryptography pointless. Andy, Greg, and Norman extensively discussed cryptography, and the potential risks of quantum cryptography. 

The problem is with both the technology itself and its adoption. These are the steps for organizations to mitigate these risks:

1. Gain a comprehensive understanding of the cryptographic technologies they are currently using: Often businesses rely on their CIO shops and technologists to manage and implement cryptography, without fully understanding implementation details. Lack of awareness could be as fundamental a risk as using outdated or insufficient cryptographic measures.
2. Pay attention to advances in quantum: Like many futuristic technologies, quantum computing may seem decades away, but reality has a way of being surprising and advances can happen quite suddenly. China and the U.S.spend billions of dollars to advance quantum computing. 

AI Attacks for Cyber Analysts to Look Out for

As AI evolves rapidly, so do cybercriminals’ TTPs involving AI. The weaponization of AI presents major challenges. For example, AI contributing to misinformation and disinformation campaigns in the 2016 U.S. election shows the far-reaching impacts of such efforts. Recent advances in AI have compounded the problem significantly. Applications such as GPT-4, Facebook’s LLAMA and a host of open source models risk making the problem substantially worse.

Misinformation and disinformation campaigns powered by AI and machine learning will become an even more common threat in the cyber landscape. Cyber analysts must not only understand but also anticipate the complex and rapidly changing nature of AI-related attacks.

Cybersecurity Lessons from the Public Sector for the Private Sector

Internet access, social media, and changing communication practices have caused significant societal shifts. Addressing cyber threats shouldn’t be confined only to highly technical teams within organizations. Cybersecurity issues extend to all aspects of an organization’s operations, from protecting the organization and its intelligence community partners to addressing both basic and complex cyber activities.

Organizations have to holistically elevate their understanding of the digital landscape to respond effectively, including their approach to safety, security, and service delivery. 

While some sectors, like financial services, are already more sophisticated in their approach due to regulatory mandates, there is a pressing need for other sectors to catch up, particularly those involved in the critical infrastructure chain. Recent cyberattacks on a major food supplier and a major pipeline emphasize the real major vulnerabilities in our daily lives.

How Flare Can Help

Flare is on the forefront of cyber threats by monitoring the clear & dark web and illicit Telegram channels. As AI-related risks change and escalate, Flare equips cyber teams with our AI Powered Assistant to provide actionable intelligence and stay ahead of threat actors. 

Curious about how Flare can help your organization stay ahead of emerging cybercrime attacks? Request a demo to learn more.

The post Threat Spotlight: Incident Response & Cybercrime in 2023 appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

Executive Overview

We often generalize threat actors as the “attackers” and cyber practitioners as the “defenders.” This simplification can work for many purposes, but what if we’re missing key relationships because of it?

Not all activities related to cybercrime require secrecy or direct malicious intent, so cybercriminals utilize a vast network of contractors to develop websites, translate text, and perform other common tasks that don’t fall under the traditional purview of “crime.” In fact, there are completely legal and popular public internet marketing forums that have users connected to cybercrime. 

We talked to researchers: Masarah Paquet-Clouston (Criminology Professor at University of Montreal), Serge-Olivier Paquette (Lead Data Scientist at Secureworks), and Sebastián García (Assistant Professor at Czech Technical University in Prague), who along with Maria José Erquiaga (Security Research Engineer at Cisco), studied the overlooked relationship between a public legal internet marketing forum and cybercrime activities. 

They examined several individual freelancers who were not directly orchestrating cybercrime, but participated in various aspects of the operation, specifically in developing websites (that then spread botnets). This task was not necessarily completely criminal, but the larger purpose of the website was for cybercrime and the freelancers profited off of the devices the website infected.

In the first study to formally quantify how (legal) internet marketing public forum users can have ties to cybercrime activities (as “crossover users”), the researchers addressed the question: Should cybercrime participation consider online spaces beyond those that are cybercrime branded?

The researchers accessed Flare’s database of cybercriminal activities on the dark & clear web for their research. 

Keep reading for the highlights and make sure to read Entanglement: cybercrime connections of a public forum population to learn more about the research.

Research Recap

The research focuses on a case study of three freelancers who both use a public internet marketing forum and are involved in cybercrime. The researchers knew that they were involved in cybercrime through leaked chat logs, and also were active on an internet marketing forum but never mentioned cybercrime there. 

The researchers found it fascinating that they knew these freelancers were involved in cybercrime but never discussed their cybercrime activities directly on the internet marketing forum (even though they were exchanging products and services related to their cybercrime business). They sought out additional context for this situation and for larger trends of crossover users, who are part of the public forum population that have ties with cybercrime forums.

These three freelancers developed websites advertising access to “cracked” or “modded” Android applications (APKs). Modded APKs provide better functionalities or paid features for free. However, when website visitors thought they were downloading modded APKs, they were actually downloading the Trojan botnet, which infected almost 800,000 Russian phones and had access to millions of euros. The three freelancers profited from each malicious APK that website visitors installed. 

The freelancers frequented a Russian and English speaking platform for internet marketing. This website advertises itself as “website allowing users to discuss issues related to creating and promoting websites on the internet. The forum brings together experts in all areas of online advertising and allows you to receive both free knowledge and find mutually beneficial contacts and partners.” The topics of discussion include search engine optimization (SEO), site monetization advice, and more. Many platform users also conduct business directly. 

More recent studies with researchers Paquet-Clouston and García involving interviews with cybersecurity experts further back up the presence of a “periphery workforce” of freelancers who (inadvertently) support cybercrime (this research is not affiliated with Flare). Learn more by reading: On the dynamics behind profit-driven cybercrime from contextual factors to perceived group structures, and the workforce at the periphery.

(Unintentional) Involvement in Cybercrime

Individuals in countries with scarce IT opportunities can end up unintentionally participating in cybercrime as they search for work on online forums. Unaware of the broader context of their tasks, these individuals may unknowingly contribute to phishing attacks or the spread of botnets.

Many of these freelancers are not actively trying to harm specific targets, but are simply trying to make a living. Instead of viewing these individuals as adversaries, by understanding their decision-making processes and offering legitimate alternatives, there may be ways to prevent their inadvertent participation in cybercrime. This shift in perspective could lead to new policies and effective ways to reduce cybercrime.

Difference Between People Involved in Cybercrime and Not

A recurring theme in the researchers’ understanding of cybercrime, is the difficulty in identifying and categorizing those involved. Despite efforts, it’s been challenging to distinguish the characteristics of malicious actors. This could imply a larger number of individuals are involved in cybercrime or it could mean that those participating are just “ordinary” people, leading normal lives outside their activities in the cybercrime sphere.

The inability to differentiate these individuals may lead to the unintentional stigmatization of people who are not inherently cybercriminals. The discovery that many participants in cybercrime activities might be inadvertently involved, without nefarious intent, has sparked a reconsideration of how we label and approach these actors. This realization challenges traditional perceptions of who is involved in cybercrime and necessitates a more nuanced approach to tackling the issue.

How Flare Can Help

Flare monitors billions of data points across the clear & dark web, and illicit Telegram channels, over the course of several years. We cover our customers’ high-risk exposure to mitigate it before threat actors can get to them. 

The researchers stated that their academic API access to Flare was “instrumental,” and supported their goal of finding the “best data available.” Flare was “not only the opportunity but also the obvious choice.”

Request a demo to see how Flare can support the scale of monitoring your organization’s sensitive information.

The post Threat Spotlight: “Legal” Cybercrime Activities appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

Executive Overview

Illicit Telegram channels have become a growing concern in the realm of cybercrime.

Threat actors want to connect with each other in fast, reliable, and “anonymous” ways. Telegram has been their answer, and malicious actors are increasingly moving off of Tor and onto the instant messaging platform. 

Flare Director of Marketing Eric Clay and CTO & Co-Founder Mathieu Lavoie talked about the realm of unauthorized Telegram channels, along with the diverse methods cybercriminals employ to conduct their nefarious activities. 

Check out our full webinar recording, The New Dark Web?: Illicit Channels and their Impact on Cybersecurity, and/or keep reading for the highlights.

Relationship Between Telegram and the Dark Web

Traditional dark web marketplaces found on Tor serve as a (partially) trusted middleman between vendors and buyers with built-in escrow services. On the other hand, Telegram has thousands of individual channels, which are “direct to consumer” and vendors sell stolen credit cards, combolists, leaked credentials, and infected devices directly to other cybercriminals. In this model reputation is everything.  

Compared to marketplaces on the traditional dark web, Telegram channels often specialize in selling specific classes of illicit goods such as combolists, configurations, and malware.

In addition, the channels serve as a backup method for communication that can sometimes be more reliable than traditional forums or discussion services. For example, law enforcement recently arrested the leader of Breach Forums and shut down the website. Telegram served as a backup channel for communication for Breach Forum moderators, as they assured users that they would continue operations. 

Telegram and the dark web are closely intertwined, and the instant messaging platform supports gaps in dark web activities. 

Telegram’s Role in Spreading MaaS

Telegram offers many functionalities and includes a fully functional API, allowing for bots and other more complex use-cases which can create automation capabilities not present on traditional Tor marketplaces. This enables threat actors to seamlessly sell subscriptions to channels, automatically deliver purchased data, and even leverage Telegram channels as command and control infrastructure for malware.

These functionalities make Telegram the preferred choice for many (if not most threat actors). High degrees of automation, lax moderation, and end to end encryption create the perfect environment for a vast underground economy.

Telegram Monitoring Best Practices

1. In-house Telegram coverage to supplement vendors’ monitoring:

Even if organizations are working with CTI vendors, security teams should invest the time to help the vendor optimize coverage based on their specific use-cases and risks. For example, there may be very small but highly relevant channels that are likely not in the vendor’s initial collection but may be directly relevant to the customer based on the type of data being sold, threat actors posting there, or other factors.

2. Automation:

With the sheer volume of Telegram channels, manual monitoring is impossible for full coverage of all relevant channels. We recommend that companies find a vendor they are comfortable with that takes a unified approach to monitoring both illicit Telegram and traditional Tor marketplaces. Threat actors operate across thousands of channels and often create new channels, change their names, and merge channels, making manual approaches to monitoring prone to high miss-rates.

3. Eliminating noise:

Another advantage of working with a vendor is that they will likely de-duplicate identical posts and images, allowing security teams to focus on the most relevant data while not getting bogged down in noise.

How Flare Can Help

Flare monitors illicit Telegram channels, (and the clear & dark web) for high-risk data exposure. We have teams dedicated to  automating collection, structuring, deduplication, and analysis of data found in Telegram channels to provide high-impact relevant results to our customers. 

Curious about how Flare can help your organization stay on top of Telegram coverage? 
Request a demo to see Flare’s Telegram monitoring for yourself.

The post Threat Spotlight: The New Dark Web? appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

Executive Overview

Threat actors have escalated the single extortion ransomware attack model to double and even triple extortion. 

With the commodification of cybercrime, adversaries have significantly increased the sophistication levels of their operations, and therefore also the potential devastating impacts of a ransomware attack. 

Flare Director of Marketing Eric Clay and CTO & Co-Founder Mathieu Lavoie discussed the latest trends in ransomware attacks including: double/triple extortion, different types of ransomware, methods for stealing sensitive data, and more.

Check out our full webinar recording, Triple Extortion Ransomware & Dark Web File Dumps, and/or keep reading for the highlights.

Commodification of Ransomware Groups

Ransomware groups are becoming more like companies, such as with:

• mission-oriented approaches
• recruitment practices to seek new hires
• specialization

The Karakurt group, after operating privately for a year, has recently published a recruitment post to attract new members. They pride themselves on their mission to hold companies accountable for existing vulnerabilities in their cybersecurity and for the negligence of their IT staff. These groups can be driven by both financial and political motives, often influenced by the shifting landscape of geopolitics.

In general, there are two distinct types of specialization within such groups. Similar to a company with various departments, a group can have internal specialization. For instance, within a ransomware group, some members might excel in negotiating the ransom, while others primarily focus on developing malware. Another form of specialization involves individual groups having their own areas of expertise, akin to specialized agencies within a larger company. One group might concentrate on distributing ransomware, collaborating with another group that specializes in extortion.

This organized and specialized collaboration among groups can lead to more intricate and scalable operations compared to individual threat actors.

Changes in Ransomware Groups

Ransomware groups are constantly changing their tactics, techniques, and procedures (TTPs) to optimize their strategy. One alarming trend that we’ve seen recently is ransomware groups resorting to double and triple extortion tactics. In addition (or sometimes in lieu of) encrypting files, many groups now threaten to disclose sensitive files on the dark web, threaten to expose individual employee information, or use DDoS attacks as another incentive to pay. 

Recently we have seen some more sophisticated groups move away from encryption and towards simple data exfiltration and ransom. This creates an additional opportunity for threat actors to monetize ransomware since, even if the ransom isn’t paid, actors are able to sell access to the data.

Encryption still creates chaos and loss for companies. It is an effective method of creating pressure and causing operational impact that can lead to financial loss. Therefore, encryption is likely here to stay for many groups, and we will likely continue to see groups finding additional ways to gain leverage and force companies to pay. 

Concrete Recommendations to Protect Against Ransomware

There can be context-specific recommendations, but the following are general guidelines that all organizations can follow to protect themselves against ransomware:

• Detection: Ensure that users have MFA, and utilize endpoint detection & response (EDR) to detect any type of attack internally and externally.
• Third party monitoring: Conduct an assessment before beginning a new relationship with a business, and also continuously monitor the third party’s security posturing. 
• Ransomware group monitoring: Keeping an eye on ransomware groups and any file listings that seem relevant can be useful to find out earlier about any risks instead of waiting to be notified by the third party. For example, we’ve seen a success story of a company that had been monitoring ransomware groups and knew three weeks in advance that one of their third party partners had been compromised by ransomware before they received a legal disclosure notice from said partner. This can provide more time for affected organizations to review the data they were sending to the breached third party and start addressing the data leak. 
• Monitor the dark web: Ensure that you monitor dark web markets and forums for stolen credentials and other relevant threats that could lead to a breach. 

How Flare Can Help

Flare monitors the clear & dark web and illicit Telegram channels for high-risk external threats. 

Flare can detect any suspicious mentions about organizations to give as much time as possible to prepare for data breaches. 

Curious about how Flare can help your organization with ransomware readiness? Sign up for a free trial to learn more.

The post Threat Spotlight: Triple Extortion Ransomware appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.