Month: January 2022

Changes in REvil ransomware version 2.2

By the Intel 471 Malware Intelligence team. Summary The REvil ransomware-as-a-service (RaaS) operation continues to impact businesses worldwide. The threat actors responsible for developing and maintaining the malware have released an updated ransomware, namely version 2.2. In this short blog post, we will cover the significant changes from the previous version, which we covered in …


A brief history of TA505



Coronavirus having minimal impact on prices, demand,…

Coronavirus Disease 2019 (COVID-19) continues to surround our everyday lives and its presence remains a topic of interest and discussion within underground forums. In the earlier days of the pandemic, we took a look at how attackers were leveraging the fear surrounding the disease to launch campaigns such as business email compromise (BEC), phishing and …


Iran’s domestic espionage: Lessons from recent data…

By the Intel 471 Global Research Team. In the last decade, Iran has undergone a quiet revolution. Since the “Green Movement” uprising in 2009, more Iranians have dared to openly oppose their regime. The reasons include accusations of election tampering, global sanctions, increased inflation, heavy investment of state funds in the nuclear and arms programs, and …


Prioritizing “critical” vulnerabilities: A threat…

By the Intel 471 Intelligence Analysis team. Recently, many vendor security advisories have contained multiple critical vulnerabilities, and organizations potentially impacted by them may struggle to prioritize patching when they weigh the variables reported for each vulnerability. Threat intelligence can supplement publicly disclosed information and provide a contextual view of exploitation efforts and …


Recent Trickbot disruption operation likely to have…

Key points Recent disruption actions against Trickbot likely will have only a short-term impact on Trickbot operations. Trickbot operators have multiple methods to avoid centralization of their command-and-control infrastructure, which would make the botnet resilient to takedown. If bogus data has been inserted into Trickbot as claimed and Trickbot operators are unable …


Criminals posing as Lazarus Group threatened Travelex:…

A group posing as notorious nation-state-linked hacking group “Lazarus Group” threatened to hit British foreign exchange company Travelex with a distributed-denial-of-service (DDoS) attack unless it paid 20 bitcoins. According to an email discovered by Intel 471 researchers, attackers threatened to hit Travelex with an “extremely powerful” attack that would “peak over 2 Tbps” until the …


Leveraging Intel 471’s Malware Intelligence Data using…

Intel 471’s Malware Intelligence provides our clients with constant coverage of top-tier malware families. It delivers near real-time alerts of targeting changes, spamming and malware campaigns, updates in infrastructure and much more. In the first in a series of blogs and white papers, we take a look at how this high-volume and high-fidelity data has …


Trickbot down, but is it out?

Summary Since the separate and independent actions taken against Trickbot, we have observed successful disruption of its command-and-control infrastructure. However, the actors linked to Trickbot have not ceased their criminal activities. These actors have continued engaging in ransomware activity, using BazarLoader instead of Trickbot. We are unable to assess the long-term impact of …


Ransomware-as-a-service: The pandemic within a pandemic

Ransomware is a massive problem. But you already knew that. Technical novices, along with seasoned cybersecurity professionals, have witnessed over the past year a slew of ransomware events that have devastated enterprises around the world. Even those outside of cybersecurity are now familiar with the concept: criminals behind a keyboard have found a way into …


Steal, then strike: Access merchants are first clues…

Cybercrime does not happen in a vacuum. While ransomware variants like REvil, Ryuk and DoppelPaymer have become household names for cybersecurity professionals, those deploying ransomware only represent part of the process by which criminals are forcing organizations to either pay them millions or watch their business go under. The broader picture shows an underground marketplace …


No pandas, just people: The current state of China’s…

China’s internet is a lot different than the rest of the world. Yet, that hasn’t stopped its population from engaging in cybercrime. Despite the various measures the Chinese government has taken to censor and surveil its residents on the internet, a significant cybercrime underground full of financially motivated actors exists. Efforts like “The Great Firewall” …


More annoying than crippling: Joker’s Stash takedown…

Law enforcement has allegedly seized proxy servers used in connection with the blockchain-based domains belonging to Joker’s Stash, a prolific vendor of compromised financial card data in the cybercrime underground. On December 17, an image adorned the shop’s website that claimed the U.S. Federal Bureau of Investigation and Interpol had taken it into law enforcement’s …


TA505’s modified loader means new attack campaign…

After months of inactivity, hacking group TA505’s Get2 loader has sprung back into operation, possibly signaling that the group is ready for a new round of malicious activity. On December 14, 2020, the Get2 loader resurfaced with new download-and-execute configuration parameters named “LD” and “ED.” Intel 471 last observed the loader in …


Cybercriminals are interested in your SCADA systems

The public learned this week of an alarming cybersecurity incident that could have physically harmed people: Someone managed to access a system that controlled a Florida city’s water treatment plant, temporarily adjusting sodium hydroxide levels to amounts that could have made the population sick had the chemicals been introduced into the water supply. While city …


Hiding in plain sight: Bulletproof Hosting’s dueling…

A June 2020 feature in The New Yorker was really more cyberpunk than cybersecurity. The story focuses on the people who ran CyberBunker, a server farm built in an underground European military bunker that served as a host for spammers, botnet command-and-control servers, malware and online scams. The story follows the familiar arc of dystopian …


Egregor operation takes huge hit after police raids

Law enforcement action carried out last week in Ukraine has targeted the people behind some of the most notorious ransomware gangs of the past year. On Feb. 9, 2021, Ukrainian law enforcement conducted a joint operation with U.S. and French authorities against several Ukrainian nationals believed to be deeply involved with Egregor ransomware operations. Intel …


Bulletproof hosting: How cybercrime stays resilient

If we were to list all of the malicious acts carried out by cybercriminals who leverage bulletproof hosting (BPH), we’d have a report that would rival “Infinite Jest” or “War & Peace” for length. Bulletproof hosting has been hand-in-glove with cybercrime for decades, supplying criminals with the infrastructure they need to carry out their crimes. …


Friendly fire: Four well-known cybercriminal forums…

Since the beginning of the year, Intel 471 has observed four well-known cybercriminal forums dealing with a breach, including two since the beginning of March. The forums, all predominantly Russian-language forums, saw the breaches publicly disclosed elsewhere, with some instances of user data being leaked or put up for sale. Intel 471 does not know …
