Articles Tagged with
We are going to be attending the International Cyber Expo on the 27th / 28th September and we would love to meet up if you are attending.
Get in touch by emailing us or via Twitter 🙂
We are going to be attending the International Cyber Expo on the 27th / 28th September and we would love to meet up if you are attending.
Get in touch by emailing us or via Twitter 🙂
Another week and yet another cyber-attack on a major UK company. The Guardian broke the news yesterday highlighting that Go-Ahead are facing problems with their back office systems, including bus services and payroll software.
Fortunately it is only affecting the bus services they run and not their rail business.
There are a couple of important things to note here. Firstly, the UK and other countries are seeing more threats to government organisations, transport and infrastructure companies. Infrastructure, by it’s nature, is vital to the smooth running of a countries’ daily life and an interruption to this can cause serious problems.
One of the most infamous cyber attacks to infrastructure took place last year when hackers breached the Colonial Pipeline using a compromised password.
The key aspect of this case was that investigators suspect hackers got password from dark web leak. This scenario is a perfect demonstration of how SOS Intelligence could have helped, alerting the company to this in time and possibly preventing what happened.
In the UK, companies have faced sizeable fines when they have been the subject of a breach and lost customer data.
British Airways was told in July 2019 that it faced a fine of £183m after hackers stole the personal information of half a million customers. Eventually they paid £20M, still a considerable amount.
If you are reading this and wonder if we can help, we probably can. You can book a call and demo here.
Yesterday, the UK government announced that mobile and broadband carriers must follow a new set of rules that will strengthen our protection against cyber attacks.
“we know that today the security and resilience of our communications networks and services is more important than ever. From heightened geopolitical threats through to malicious cyber criminals exploiting network vulnerabilities, global events have shown the importance of providing world-leading security for our networks and services.
That’s why the creation of a new telecoms security framework via the Telecommunications (Security) Act 2021 was so important. With the help of the telecoms industry, we’ve now been able to move that framework forwards.”
– Matt Warman, Minister of State for Digital, Culture, Media and Sport
The new rules which the companies will need to follow, look at areas such as
The executive summary of the consultation outcome is one we completely endorse:
The UK is becoming ever more dependent on public telecoms networks and services. The increased reliance of the economy, society and critical national infrastructure (CNI) on such networks and services means it is important to have confidence in their security. As the value of our connectivity increases, it becomes a more attractive target for attackers. It is important to make sure that our networks and services are secure in this evolving threat landscape.
Proposals for new telecoms security regulations and code of practice – government response to public consultation – Updated 30 August 2022.
TechCrunch highlights that those who fail to comply with the new regulations will face big fines, up to £100,000 per day.
SOS Intelligence is focused on providing effective and affordable cyber threat intelligence. We would welcome a conversation with any mobile and / or broadband carrier as we can definitely help you.
We can help you avoid the question from your CEO or MD… Why didn’t we know about this?
Simply put, we monitor keywords, email addresses, domains and more online including the Dark Web, so you get to know immediately if your data has been leaked. You can then do something about it.
Forewarned in many cases will be incredibly helpful.
The results of a GOV.UK survey released in March 2020 confirms cyber security breaches are becoming more frequent. It found 46% of UK businesses and charities reported a cyber- attack during the year. Of those, 33% claimed they experienced a cyber breach in 2020 at least once a week – up from 22% in 2017.
The consultation is recognising that the threats from certain countries are not going away, but more likely to be increasing. The UK’s vigilance needs to increase to meet these threats.
Photo by Compare Fibre on Unsplash
We have recently graduated from the NCSC / Plexal startup programme which has been superb. A big thank you to everyone involved, especially making us so welcome.
At the end of the programme I spoke with James Lamb, the Programme Leader at Plexal and you can watch this below.
In the last article, I wrote about how legal firms can utilise cyber threat intelligence and the SOS Intel toolkit for cyber defence. But in this article I want to explore a different idea, namely, offensive threat intelligence for legal firms.
When someone says “cyber crime” what do most people think of? Likely something along the lines of “hacker”. Most will picture someone in a dark room staring at a computer screen with hundreds of lines of code flashing by while frantically typing on their keyboard.
While hackers like this do exist, they make up a minority of cyber criminals. Cyber stalking is, by far, the most common cyber crime.
Every year almost 10 million people in the United States are victims of cyber stalking or harassment. The vast majority, about ~80%, of cyber stalking incidents go unreported to law enforcement. To make matters worse, cases of cyber stalking that are reported often go unpunished. From 2010 – 2013, of the roughly 2.5 million reported cases of online harassment, only 10 cases resulted in a prosecution.
A major reason many of these cases go unresolved is the extensive evidence required to make a case. Collecting evidence on a cyber stalker is a difficult and time consuming process. But, this doesn’t have to be the case.
Utilising cyber threat intelligence tools, it is possible to collect large amounts of data on a target. Much like other cyber criminals, cyber stalkers use platforms like Telegram and Signal. Threat intelligence tools like the SOS Intel toolkit can pull data from these platforms on a mass scale. Just by crafting a few keywords you can search thousands of terabytes of data.
This “offensive” use of the SOS intelligence toolkit is not isolated to just cyberstalking cases. The SOS toolkit is incredibly versatile, it’s capable of assisting with any sort of research into any internet crime. Let’s take a look at what the SOS toolkit is capable of…
SOS Intelligence Toolkit API
The best way to utilise the SOS Toolkit is the API. The API allows you to integrate the toolkit into 3rd party programs. The API provides you the raw aggregate data and leaves the organisation up to your personal preferences. To start working with the API, first you will need to generate your API key.
You can do this in the “API” tab of the web interface. Once you click the “generate” button you will see this message:
There are many API clients out there, but for the purpose of simplicity in the example I will be using Postman.
SOS Intelligence offers a Postman Collection file to further simplify the process of implementing API requests in postman. If you are interested in using the Postman collection, please send an email to “[email protected]”
Once you have your API key and have imported the Postman collection file (or you plan on manually adding the API requests) you need to add the key to Postman as such:
Once you have your API key set you are ready to start making API requests! In this example I will be making queries as if I was investigating a cyber crime case.
Quick note: The user I am searching for in this example is “pompompurin” a known cyber criminal who is active on Twitter and Telegram and administrator of the infamous “Breached Forums”.
Here is a simple query for “breached forums” using the Twitter search function. (Note: At the moment the Twitter search function has a search history limit of 6 months)
The Twitter search function will return any data that matches the search query. If the query matches any of the values or sub-values of a post, the function will return all of the data of said post.
The data aggregated on each post is entirely dependent on the post itself, i.e. if other users are mentioned or if there are hashtags. It’s worth noting that searches are passed as phrases with “AND” logic. For example, my search for “breached forums” searches for “breached” AND “forums”. This way you can refine your results easily by crafting search queries that match exactly what you’re looking for, automatically weeding out all of the bad results.
Sometimes collecting intelligence from clearnet sources is not sufficient enough. Many hacking forums run both clearnet and darknet sites. The SOS Darkweb search function can search with several different categorical options. The first option is the “Full Text Search” as seen below.
The “full text search” searches through the full text of the site’s page. To narrow down your search results, you can set parameters like “phrase” to true. For example, if I search for SOS Intelligence, the query will pass as SOS “OR” Intelligence. However, if I set the “phrase” parameter to true, this query is passed as SOS “AND” Intelligence.
The Dark Web Search tool also has special functions for more specific searches like emails and Bitcoin wallet addresses.
The SOS Toolkit puts all of these tools at your disposal instantly. The API is just one method of utilising the toolkit.
The SOS web application allows you to access the same tools with a more friendly user interface. But the API allows you to integrate the SOS Toolkit into 3rd party OSINT frameworks as well as your own programs/scripts.
The API provides a simple way to work with the tool kit “offensively”. Utilising several or all of these search functions you can gather a great amount of information on a suspect. You can try these searches out yourself! Remember, we have two community APIs:
Both can be accessed via a free plan which you can sign up for here 🙂
Photo by Tingey Injury Law Firm on Unsplash.
We can’t stand still. We believe it is vital to keep investigating new threat intel feeds for our customers, so over the last 2 weeks we have created 15 new bespoke collection pipelines to gather intelligence from various hacking forums.
We have also been listening closely to customer feedback…
We value all of our customer feedback and aim to deliver feature requests as soon as realistically possible. Please continue to give us suggestions and feedback!
Photo by Fotis Fotopoulos on Unsplash.
You may have heard of the term “Cyber Threat Intelligence”, sometimes abbreviated as “CTI”.
The term is often thrown around with little to no explanation, so, what actually is CTI? It’s always useful to know what an acronym means 🙂
The origin of the term can be traced back to 2009 in reference to research on the Tactics, Techniques, and Practices (TTP) of APT 1.
Traditional threat intelligence, meaning the collection and dissemination of intelligence of emerging and reoccurring threats, was a key part of the intelligence apparatus during the Cold War.
However, traditional threat intelligence is a very general term, referring to intelligence on anything from nation-states to small guerrilla insurgent groups.
The rise of Advanced Persistent Threats (APT) forever changed the threat intelligence landscape.
Like any other covert action, a nation-state sponsored cyber attack is designed to cause as much damage as possible, while maintaining plausible deniability for guilty parties.
Threat intelligence on these APT groups became known as Cyber Threat Intelligence.
CTI analysts analyse the tactics, techniques, and practices of these groups. They collect everything from the groups’ malware to their chat logs to build a full profile for defensive purposes.
Since the rise of APTs in the mid-2000s, the field of CTI has had to evolve and adapt to new threats and attack styles. Threat actors less sophisticated than APTs can now emulate many of the tactics APTs use.
As a result, CTI has had to expand to collect intelligence on these groups as well. CTI is now not only crucial for governments, but also private organisations and businesses.
2021 saw a 1,885% increase in ransomware attacks. This was an unprecedented increase with the healthcare industry alone reported a 775% increase in cyber attacks.
CTI is not only for large businesses either, roughly 60% of ransomware attacks target businesses with less than 500 employees. However, building a CTI team is easier said than done. Collecting intelligence on relevant threat actors is often a time consuming and expensive task.
What we see time and time again is the “it won’t happen to us” conversation which can then turn into…
Why didn’t we know about this?!
The question posed by the CEO or MD when there has been a data breach.
Here at SOS Intelligence, it’s our mission to provide cyber threat intelligence that won’t break the bank and is accessible. You don’t need a big team to use it.
Our Open Source Intelligence (OSINT) tool automatically collects and aggregates data from the top cybercriminal forums, including some private forums.
Using the web UI or the custom API, you can set alerts for keywords like emails or usernames. If a keyword is posted on one of the many forums we monitor, you will get an immediate alert via several communication channels.
Using our OSINT tool you will have the capabilities of a full CTI team, minus the overhead and head count.
Save yourself the headache and risk, let SOS Intelligence be your eyes and ears in the dark world cyber criminals have built online.
Cyber Threat Intelligence is clearly an essential pillar of a modern defence strategy, but don’t take our word for it. Let’s look into a case involving CTI…
There is no better case study of modern Cyber Threat Intelligence than the case of the international hacking group known as LAPSUS$.
LAPSUS$ was first noticed in early December of 2021 when the group compromised systems belonging to the Brazilian Ministry of Health. This attack was a classic extortion attempt and would pale in comparison to LAPSUS$’s later attacks.
It took the Brazilian government more than a month to make a full recovery, the attack effectively halted the roll out of Brazil’s COVID-19 vaccine certification app; ConectSUS.
Over the next few months LAPSUS$ would go on to breach several more companies, including Impresa, a Portuguese media company and Vodafone Portugal. LAPSUS$’s first 5 attacks took place in quick succession, in just 3 months.
The group exclusively targeted Portuguese localised companies leading many CTI researchers to suspect the hackers were located in Brazil or Portugal. Members of the group solidified this suspicion, using slang like “kkkkkkkkk” the Portuguese equivalent of the English slang “hahaha”.
LAPSUS$ was put on the map after the attack on the Brazilian Ministry of Health garnering headlines like “Lapsus$: The Hot New Name in Ransomware Gangs” and “Watch Out LockBit, Here Comes Lapsus$!”.
While these headlines were catchy, the articles themselves offered no insight into the tactics or motivations of the group. At the time, many thought LAPSUS$ was just like any other ransomware/extortion group, financially-motivated with the goal of encrypting or exfiltrating data and holding it for ransom.
However, LAPSUS$’s next attack would challenge everything we thought we knew about LAPSUS$. On February 25th 2022, GPU chipmaker Nvidia announced it was investigating an “incident” that knocked some of its systems offline for 2 days. 3 days later LAPSUS$ announced “We hacked NVIDIA” on their telegram…
LAPSUS$’s breach of Nvidia was, no doubt, a big deal, but what was far more interesting were their demands.
More often than not, hacking groups fall into one of 3 motivational categories: financially-motivated, ideologically-motivated, or state-sponsored. Up until the Nvidia breach LAPSUS$ fell squarely in the financially-motivated category, but their unusual demands for Nvidia changed this fact.
Instead of demanding money or selling the data to the highest bidder, LAPSUS$ demanded Nvidia release their GPU drivers as open source software. Naturally, Nvidia refused to release their code. In response LAPSUS$ would leak some source code from Nvidia on in their Telegram group, but nothing all that interesting or noteworthy.
Less than 2 weeks after the Nvidia breach, LAPSUS$ announced they had compromised Samsung. The attackers stole roughly 200 gigabytes of data which included some source code for the Samsung Galaxy.
By this point, threat intelligence researchers were keenly aware of LAPSUS$’s tactics, techniques and procedures. CTI analysts drew up models of how LAPSUS$ operates, giving defenders insight on how to avoid a possible breach.
Continuing their attacks on large tech companies, LAPSUS$ compromised Microsoft. Again, the group started exfiltrating source code.
LAPSUS$ was able to download the partial source code for Bing, Bing Maps, and even some Windows code. However, Microsoft CTI researchers were able to halt the download before it could be completed. LAPSUS$ mentioned in a public Telegram chat how they were able to access Microsoft systems before the data exfiltration had finished.
Microsoft’s threat intelligence team had been monitoring this chat and was able to stop the exfiltration in real-time. That’s something even advanced EDR software can’t do. While LAPSUS$ would never admit their mistakes, one member did acknowledge the download was interrupted.
LAPSUS$ would soon after be exposed to be led by a teenage boy out of the United Kingdom who was arrested with six other teenagers associated with the group. Many still suspect there may have been a member located in Brazil, but as of now, this has not been confirmed.
The LAPSUS$ affair is an excellent showcase of how Cyber Threat Intelligence can protect your organisation from advanced and emerging threat actors.
The SOS Intelligence toolkit can provide you and your company the capability to monitor threats like LAPSUS$. Just as Microsoft leveraged CTI analysis to minimise damage of the LAPSUS$ attack, your organisation can use our CTI tools.
The SOS Intelligence toolkit includes advanced CTI tools capable of monitoring both Dark Web and Clear Web hacking forums and chats. Protect your assets from sophisticated threats today by checking out the SOS Intel toolkit.
Would you like to discover how SOS Intelligence can help you mitigate the cyber threats?
Click the link below to book a call: https://tinyurl.com/sosinteldemo
What is Cyber Threat Intelligence?
Cyber Threat Intelligence or CTI, is the process of collecting and analysing threat actor’s behaviours. CTI analysts build profiles of known threat actors by investigating their Tactics Techniques and Procedures (TTPs).
How is Cyber Threat Intelligence used?
Network defenders use profiles as well as the TTPs collected by CTI analysts to make informed decisions on how to protect their network.
Threat actors will often reuse attack vectors on many targets. When CTI analysts discover these attack vectors, they pass on the information to defenders.
Cyber Threat Intelligence provides the defenders the ability to fight existing and emerging threat actors.
What is a CTI framework?
A Cyber Threat Intelligence framework is an organisational tool for CTI analysts. There are many CTI frameworks, one of the most popular being the MITRE ATT&CK framework.
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
Source: https://attack.mitre.org
Why is Cyber Threat Intelligence Important?
Much like a physical conflict, cyber conflicts need proactive intelligence for good defence.
Cyber criminals often use forums and chat rooms to communicate with each other. Infiltrating these groups can provide great insight into upcoming and ongoing cyber attacks.
With the shocking increase of ransomware attacks, proper threat intelligence has become imperative. Ransomware groups are tracked and monitored day and night by CTI analysts. Analysts then alert defenders to a possible breach or upcoming attack.
Who do cyber criminals target?
The cyber criminal atmosphere is constantly evolving, but most cyber criminals fall into one of three categories.
First, you have your typical financially-motivated cyber criminal. These threat actors are motivated by one thing and one thing only; money.
They will scam, hack, and steal anything or anyone for money. In fact, sometimes they scam other cyber criminals!
The second category is the ideologically-motivated threat actor. Often dubbed hacktivists, these cyber criminals care less about money and are motivated by a political cause. Prime examples of “hacktivist” style hacking groups are “AgainstTheWest” or “Anonymous”.
The third and most dangerous category is the state-sponsored threat actor. These threat actors work directly or indirectly for a nation-state.
State-backed threat actors have almost unlimited resources as well as legal protection provided by their government. CTI analysts classify these groups as Advanced Persistent Threats or APTs.
While not every APT group is state-backed, all state-backed groups are APTs. For cyber criminals, their motivation is the key behind who they target. Financially-motivated cyber criminals often target businesses both small and large.
Ideologically-motivated threat actors tend to target governments, institutions, or individuals who they deem political enemies. State-backed threats have very specific targets given to them by whatever nation-state they work for. These targets often control vital systems, i.e. energy companies or defence contractors.
Photo by Philipp Katzenberger on Unsplash
Recent Comments