Customer portal
Articles Tagged with

cyber threat intelligence

"SOS
Ransomware

Ransomware – State of Play May 2024

SOS Intelligence is currently tracking 193 distinct ransomware groups, with data collection covering 384 relays and mirrors.

In the reporting period, SOS Intelligence has identified 474 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor.  While this data represents known and publicised data breaches and ransomware attacks, the nature and operation of these groups means that not every successful attack is published and made public, so true figures on the volume of attacks are likely to be higher.   Our analysis of available public data is presented below:

Threat Group Activity and Trends

Ransomware activity showed a 30% increase in May when compared to the previous month, and a 4% increase in activity when compared to the previous year.  Furthermore, the number of active groups has increased to 37 from 36 the previous month.

This significant increase in activity has been driven by a surprise surge of activity from the Lockbit group.  In May, the group published 176 victims to its Data Leak Site (DLS), representing 37% of all publicised attacks for the month.  Further, this is a 633% increase in activity from the previous month and comes at a time when Lockbit was expected to be showing a continued decrease in activity.  Rather what we have seen is Lockbit’s busiest month on record.

The sudden surge from Lockbit has been a surprise to many.  The first tranche of published data emerged shortly after further law enforcement announcements regarding the group and its takedown.  Notable among the data released is an unusually high volume of affected victims in Spain and India being released quickly.  This may indicate the activity of an affiliate or affiliates with a particular proclivity for targeting those countries.  It should be noted that some of the victims had previously had their data released in the previous year, suggesting that Lockbit might be recycling data for additional ransoms and also to appear active.  Furthermore, it isn’t clear when these victims were targeted, so the actual point of breach may have been before law enforcement activity against Lockbit in February 2024.

Analysis of Geographic Targeting

Over the last month, the percentage volume of attacks against the US dropped by 7%.  Targeting continues to follow financial lines, with the majority of remaining attacks targeted at G7 and BRICS bloc countries.

Compared to April, 41% more countries were targeted in May.  Our data is also showing interesting geographic targeting data.  We have observed emerging or developing strains targeting developing countries in Southeast Asia, Africa and South America, whereas more established variants focus more on North America, Western Europe and Australia.

Industry Targeting

Targeting has broadly increased across all victim sectors, however significant increases have been seen in the Manufacturing, Construction & Engineering and IT & Technology industries.

Notably, there appears to have been increased targeting against public-sector entities.  This is likely a result of many groups abandoning their affiliate rules on targeting of such victims.

Significant Events

LockBit Black distributed via Botnet in the wild

Since April, the Phorpiex botnet has sent millions of phishing emails to distribute LockBit Black ransomware. These emails, often sent using aliases with simple names, include ZIP attachments containing executables that install the ransomware. Leveraging LockBit 3.0’s leaked builder, the campaign targets various industries worldwide. Active for over a decade, the Phorpiex botnet has evolved from a worm to an IRC-controlled trojan, and has been implicated in sextortion and cryptocurrency theft.

Social engineering attacks delivering Blackbasta

Researchers have observed the threat actor Storm-1811 using Microsoft Teams and Quick Assist for social engineering attacks that result in the deployment of Blackbasta ransomware. Storm-1811 employs voice phishing (vishing) and malicious links to gain access through Quick Assist. They use tools such as Qakbot, remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, and Cobalt Strike. Additionally, Storm-1811 utilises EvilProxy phishing sites and SystemBC for persistence and command-and-control. After compromising a system, they use PsExec to deploy Black Basta ransomware.

INC Ransomware source code for sale

Threat actor “salfetka” is alleging to have for sale the source code to INC Ransom, valued at $300,000.  The legitimacy of the sale is uncertain.   This comes at a time where there have been changes within the groups operation, which suggests possible plans for a new encryptor.

Threat actors targeting Windows admins with fake ads

A ransomware campaign is targeting Windows system administrators by promoting fake download sites for Putty and WinSCP through search engine ads. These fraudulent sites offer Trojanized installers that deploy the Sliver toolkit, facilitating further network access and potential ransomware deployment. The campaign employs tactics similar to those used by BlackCat/ALPHV ransomware, highlighting an increasing threat from search engine advertisements for popular software.

New Groups

SpiderX

SpiderX, a new ransomware-as-a-service promoted by threat actors on underground forums, is designed for Windows systems and boasts advanced features surpassing its predecessor, Diablo. Key capabilities include ChaCha20-256 encryption for rapid file encryption, offline functionality for stealth operations, comprehensive targeting of all connected drives, and a built-in information stealer that exfiltrates data to MegaNz. Priced at $150, SpiderX poses a significant cybersecurity threat due to its affordability and efficiency.

Fakepenny

Researchers have identified a new North Korean hacking group, Moonstone Sleet, active since August 2023. This threat actor employs custom ransomware called ‘FakePenny,’ first detected in April 2024, which includes a loader and an encryptor with ransom notes resembling those used by Seashell Blizzard’s NotPetya. Moonstone Sleet’s ransom demands are notably high, with one reaching $6.6 million in Bitcoin, surpassing previous North Korean ransomware demands such as WannaCry 2.0 and H0lyGh0st.

Arcusmedia

First identified in May, the Arcusmedia group has been responsible for at least 17 incidents to date, primarily targeting South America across a wide range of sectors, including government, banking, finance, construction, architecture, music, entertainment, IT, manufacturing, professional services, healthcare, and education.

"SOS
Ransomware

Ransomware – State of Play April 2024

SOS Intelligence is currently tracking 192 distinct ransomware groups, with data collection covering 382 relays and mirrors.

In the reporting period, SOS Intelligence has identified 365 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor. Our analysis is presented below:

Group Activity and Trends

Ransomware activity showed a 13% decrease in April when compared to the previous month, and a 7 % decrease in activity when compared to the previous year. However, the number of active groups has increased to 36 from 33 the previous month.

The overall drop in victim numbers for April is likely an ongoing effect of the dissolution of AlphV/BlackCat and the significant decrease in activity from Lockbit as a result of law enforcement activity in February.

Since February, we have closely monitored group activity for signs of where AlphV and Lockbit affiliates would take their business. The top six groups for the year-to-date are represented above and as yet, no one group has emerged above the others. Hunters International, Play and Ransomhub established themselves as the most active across April, but over the three months, we have also seen significant activity from Blackbasta and 8base. This could suggest that displaced affiliates are not settled on a final product, and have been utilising different ransomware services in the wake of the downfall of AlphV and Lockbit.

Analysis of Geographic Targeting

The volume of targeting against US-based victims has remained steady at around 50% of all reported ransomware attacks.  Targeting continues to follow financial lines, with the majority of remaining attacks targeted at G7 and BRICS bloc countries.

Compared to March, 11% fewer countries were targeted in April.  Our data is also showing interesting geographic targeting data.  We have observed emerging or developing strains targeting developing countries, whereas more established variants focus more on North America, Western Europe and Australia.

Top Strains per Country

United States
Canada
United Kingdom
Germany
Italy
– play
– play
– snatch
– ragroup
– ransomhub
– hunters
– blacksuit
– dragonforce
– 8base
– rhysida
– blacksuit
– akira
– lockbit3
– lockbit3
– ciphbit

Industry Targeting

Despite a reduction in victim volume, Manufacturing and IT & Technology remain at the forefront of threat actor targeting. Health & Social Care and Retail & Wholesale continue to see an emergence as a target of choice amongst multiple different variants, likely due to many groups removing targeting restrictions in the wake of law enforcement activity and continued western support for Ukraine.

Top Strains per Industry

Manufacturing
IT & Technology
Health & Social Care
Construction & Engineering
Retail & Wholesale
– play
– ransomhub
– incransom
– play
– hunters
– hunters
– darkvault
– qiulong
– cactus
– ransomhub
– blackbasta
– cactus
– ransomhub
– lockbit3
– lockbit3

Significant Events

8base targets the United Nations

The United Nations Development Programme (UNDP) was subject to an 8base ransomware attack, resulting in the exfiltration of human resources and procurement information. Despite significant demands being made, the UN has stood fast in its decision to not make payment.

Akira collects ransoms worth USD 42 million

An advisory provided cyber security centre’s in the USA, Netherlands and Europe has revealed that, since March 2023, the Akira ransomware strain has been responsible for attacks against 250 victims, with an estimated total ransom value of USD 42 million.

Lockbit not disappearing without a fight

The District of Columbia Department of Insurance, Securities & Banking,a local government department in the US capital, was added to the long list of Lockbit victims.  An estimated 800GB of sensitive data was obtained in the breach, which has not been made available to the public amid reports of it being sold privately.

New Groups

APT73

  • Suspected to be a LockBit spin-off – several pages on their leaksite resemble those used by LockBit
  • Listed 4 victims since appearing in late April

DarkVault

  • Suspected to be a LockBit spin-off – several pages on their leaksite resemble those used by LockBit
  • Also involved in other illicit activities, such as bomb threats, doxing, and fraud.
  • Listed 22 victims since appearing in April

Quilong

  • Currently exclusively targeting victims in Brazil
  • Listed 6 victims since appearing in April

SEXi

  • Emerged in April 2024, targeting a hosting company in Chile. 
  • Encrypts VMware ESXi servers and backups, appending the .SEXi extension to encrypted files and dropping ransom notes named SEXi.txt. The name ‘SEXi’ is believed to be a play on ‘ESXi,’ as the attacks exclusively target VMWare ESXi servers.

Space Bears

  • Sports a unique front end with corporate stock images but also maintains a classic “wall of shame” for their victims.
  • Alongside instructions for affected companies, they operate both a .onion site and a clearnet website.

Vulnerability Exploitation

Threat actors are maintaining techniques focusing on the exploitation of vulnerabilities in public-facing corporate infrastructure.  

In recent weeks, Linux variants of the Cerber ransomware have been seen to be deployed utilising exploitation of Atlassian Confluence Data Center and Server, specifically CVE-2023-22518.  CVE-2023-22518 is a critical severity (CVSS 9.1) Improper Authorisation Vulnerability which allows an unauthenticated attacker to reset Confluence and create an administrator account for persistent access.

"SOS
Investigation, Product news

Cracking CAPTCHAs for fun and profit

Through synthetic training sample dataset generation and ML training.

Preface

Cracking CAPTCHAs is already a well-documented and established process which this article looks to expand on. We will approach this article with a general view of how we’ve cracked CAPTCHAs within undesirable conditions. This article is not meant to be a how-to or detailed guide to replicate our steps. However, it may give you some inspiration for your specific challenge. 

We believe that the methods laid out in this article are novel and significantly improve the efficiency of automated CAPTCHA solving in contrast to traditional approaches. Especially when considering a target CAPTCHA system with poor sample harvesting opportunities.

Ethics

We bypass human verification checks to maintain automatic information collection pipelines. The use of the methods we have developed only extends as far as what is required to automate our collection process. 

If a CAPTCHA or other human verification check system is poorly designed and not adequately rate limited, condition checked etc. bypassing it on scale may lead to a DDoS (Distributed Denial of Service) attack in the worst of cases. But with correctly implemented human verification systems, you should mitigate this even with the system bypassed. At best, unethical manipulation of these verification systems can lead to spam posts/comments and otherwise undesirable automated “bot” interaction. We do not condone this type of use. 

The Problem

There are several well-established methods to automate the solving of CAPTCHAs, depending on the complexity of the CAPTCHA, and if we start at the easy end of the spectrum we are presented with a fairly basic alphabetical captcha. 

With a simple distortion background, one might choose to apply a straightforward process of applying denoise filters or Gaussian blurring to an image to reduce or remove the amount of “stars” or random dot pixels present in its background that are applied at random. 

This process can give us a less noisy picture and we can further convert the image to grayscale.  If the source sample is a colour image doing so improves edge detection. 

The image can then be processed through a standard OCR (Optical Character Recognition) library and in our experience can result in a 0.1% failure rate yielding excellent stable solutions. 

In some cases, a good test of CAPTCHA ease of solvability is to feed it to Google Translate as an image; have Google Translate attempt to read the text and translate the letters back into English. If it can, then you have a very good chance that rudimentary OCR libraries will also work for you.

But this article is not about the easy end of the challenge…

What we are dealing with is a CAPTCHA that is both alphanumeric, upper and lower case with random character placement and rotation, and random disruption lines across the image and characters.  Furthermore, most importantly, a point that we will discuss in more detail is where the target source is a Tor Onion website that, at the best of times loads slowly and at the worst of times is offline or responds with backend timeout errors. 

The image complexity of the source CAPTCHA means it’s nearly impossible to effectively read it by OCR. This is made challenging due to the disruption patterns provided by the background random line arrangement (an outward star pattern) and each of our characters are independently disrupted with seemingly random lines of various length and width. Combining all that with offset angles of each character it’s beyond what most OCR or OpenCV methods can handle. 

Therefore, for more complex CAPTCHAs image manipulation (removing noise, grey scaling etc.) is typically not sufficient. These challenges usually require machine learning to get a reasonable failure rate and sufficient solving speed. 

The biggest factor in achieving a good model that will solve accurately is having a large enough sample base. In some cases, many thousands of samples are required for training. Certainly, when dealing with a CAPTCHA that may have upper, lowercase and numerical characters with randomisation of all these points plus randomisation on disruption patterns or lines the larger the sample set, the more accurate a model the training will produce. 

So how do you get thousands of samples from a source that is slow to load and has poor availability, both conditions of the source being a Tor website? Harvesting samples this way would be far too inefficient and we can’t hang around! 

Even with a target source that responds reasonably quickly, has good availability, and can be harvested without aggressively hitting rate limits, who would want to sit there endlessly solving eight thousand captchas to feed to an optical character recognition model? 

I know that’s not going to be me! Sure, there are options to outsource these problems and crowdsource them, but those options take time, money and are likely to introduce errors in our training sample data. Neither of these is desirable, so how do we get 100% accurate sample data cheaply without human solving, without having to harvest the source, and that can scale? 

The Solution

The solution we came up with was first to not focus on the solving of the CAPTCHAs, or the training of our model, or anything that was a direct result or outcome of the end goal we are driving towards. Instead, we looked at how the CAPTCHAs are constructed; what do they look like and what are their elemental parts. 

We know harvesting is not an optimal option, so we have put that aside. Doing so leaves us with a handful of maybe 20 or so harvested solved CAPTCHA samples. Nowhere near enough to start training but it’s enough to start focusing on the sample set we have.

If we look at how the CAPTCHA is constructed and try and break its construction down piece by piece, in a way “reverse engineering” the construction of the CAPTCHA we might either: 1) be able to generate our own `synthetic` CAPTCHAs on demand and at scale all 100% accurately pre solved, or 2) sufficiently understand the method of construction to identify the library or process in which the CAPTCHA is constructed and reimplement it for ourselves with the same 100% accurately pre-solved outcome. 

In our case and the example, we are writing this article from the path of the former option. This option was chosen as some time was spent trying to identify the particular CAPTCHA library but no exact match was found, and in the interest of not burning too much time, and depending on external factors we decided to attempt to create our own synthetic CAPTCHA generation process.

To create our CAPTCHAs, we used Pillow (a PIL Python Fork), a Python Image Manipulation Library that offers a wide range of features all well suited for the job at hand. 

We start by defining a few values that we have observed to be fixed, such as a defined image size (in our case, 280 by 50 pixels) and use this to create a simple image. 

Then we define our letter set (a to z, A to Z, 0 to 9) as we know these to be fixed. 

Using `random.choice` we can pick a required amount of characters.  In our case, the CAPTCHA uses a fixed length of 6 characters. 

The text font is also important and from our source samples we see it is fixed: therefore we try to match the font type as closely as possible. Font size also remains constant. This will be important in ensuring that our training is as accurate as possible when our model is presented with real sample data.

To kick things off, the process carefully establishes the dimensions of the image canvas, akin to laying out a pristine piece of paper before beginning a drawing. Then, with a deft stroke, we construct a blank background canvas, pristine and white, awaiting the arrival of the CAPTCHA characters. But here’s where the true artistry takes centre stage; the process methodically layers complexity onto the character, 

With each character in the CAPTCHA text, our process doesn’t simply slap it onto the canvas; instead, it treats each letter as an individual brushstroke, adding specific characteristics at every turn. We begin by precisely measuring the width and height of each character, ensuring that characters will not be chopped off the edges, correctly fit and fill the CAPTCHA, and that they resemble the source CAPTCHA text. Then, like with the source samples, we introduce randomness into the mix, spacing out the letters with varying degrees of separation, akin to scattering scrabble pieces.

We are also introducing a touch of chaos by randomly rotating each character, giving them a tilt that defies conventional alignment. This clever sleight of hand resembles the source samples accurately and adds to the difficulty level of solving this CAPTCHA. 

Yet the process doesn’t stop there. No, it goes above and beyond, adorning our canvas with a riotous display of crisscrossing lines, as if an abstract artist had gone wild with a brush. These random lines serve as a digital labyrinth, obscuring the text beneath a veil of confusion and intrigue.

We then add and overlay lines of random length and weight across each character, aligned to the character’s angle closely matching that of the source sample. 

Now that we have a way to populate our image canvas, we have a working framework with which we can iterate to get an output that resembles the source samples as closely as possible. 

For now, we generate a few hundred samples, each image file is named the randomly selected CAPTCHA text, assisting us by essentially generating a sample set that has already been solved. 

After that, we compared each iteration’s output closely to the source and made tweaks and adaptations. For each iteration of the CAPTCHA generator we looked closely at just one specific attribute to simplify the synthesis process. We adjust the random scattered background lines, adjusting their length, width and count.  Moving then onto tweaking the letter placement and random angles, to closely match the apparent pseudo randomness of the sample data set.

Following sufficient tweaking and iterations, we are producing a CAPTCHA that is at least visually very closely matching our source samples. It matches so closely that if mixed with real samples it’s difficult to distinguish. This is the ideal level of synthesis we are looking to achieve. 

Example synthetic captcha on the left, real on the right

Next steps

Now that we have a way to produce synthetic CAPTCHAs that very closely match our target, it’s time to produce a few thousand of them. This is easily and quickly done by specifying the total count in our process loop and out pops 5,000 freshly generated pre-solved captchas all nicely labelled and ready for shoving into our training process. 

For model training, we’ve chosen to use the TensorFlow framework alongside the ONNX Runtime machine learning model accelerator. This combination worked well for us for both training accuracy and efficiency. All training was conducted with the use of a Nvidia GPU.

Following initial training, using just our best-produced synthetic CAPTCHA samples as our data set, we achieved a CER (Character error rate) of 3.26%. For a first batch run of a model trained against a synthetic data set was not too bad at all. But we knew we could do better. 

Now that we had a model to work with, we could use it to start solving actual real target CAPTCHAs.  This would allow us to generate a larger pool of real CAPTCHA samples, with a solve set, and mix those in with our synthetic set.  We were looking to generate 5k synthetic and 1k real harvested CAPTCHAs with our newly trained, albeit unoptimized model. 

With a framework in place that would interface with the target website, collect CAPTCHAs, generate a text prediction, check that with the website and if solved, store the solved and labelled CAPTCHA image we generated about 1,000 samples over a short time.

Feeding this back into the mix of training model data we dropped the CER down to 2.77%.

A screen shot of a black screen

Description automatically generated

We were confident that even with 2.7% it was a rate better than a human could achieve, and we were also confident that our methodology was working. 

Our remaining tasks were to reiterate the model once more, using this slightly more optimised model and generate a slightly larger set of labelled real CAPTCHAs. 

We were able to go from the initial model, with a worse CER (orange line) to the best model (green line) in only a few training iterations.

The model training improvements are best shown in the graph below with each improvement yielding a lower CER, for longer (more stable) and at a sooner point in time. 

At which point we settled on a final model, with a CER of 1.4%, opting for an optimal  mix real CAPTCHAs to synthetic. 

Our final ML model diagram: 

Once the efficacy of this model was validated it was then a task of simply plugging it into the collection pipeline process and enlivening it into our production collection system. The automated solver process has been running stable ever since and most of the disruption we’ve observed has solely been to the target source going offline and being unavailable. 

Bias and Variance

A key consideration during the training process was to be aware of and mitigate where possible Overfitting and Overtraining our model. Instead of using the terms `overfitting` and `overtraining` I like to instead use Bias and Variance as two potential pitfalls of ML training as they better explain undesirable conditions that may occur. Without diving into too many details around these ML concepts as to fully understand them you would probably need a PhD. The best way I can describe what my simple mind can understand is as follows.

Due to the nature of our novel, one might say clever iterative process to train a CAPTCHA solver on a very low original source data set we are by virtue potentially adding bias into our training process. For example, from the first model any solved data sets will be solved by a model that has a predefined bias to solving a particular set, style or character combination potentially resulting in a new data set that is biassed towards what that previous model was good at solving thereby amplifying the bias in our next model’s training. 

This bias would result in a real world regression of CER as the model is unoptimised to solve a wider range of character combinations and randomisation characteristics. 

Our second pitfall: overfitting slides at both ends of the extreme in terms of providing an overly varied training set or an insufficiently varied training set, i.e. creeping into bias. Whereby we must consider that although we could train a model to solve many different types of CAPTCHAs, beyond just this one example, from one model using a very varied data set doing so and if not carefully tuned could result in `overfitting` our data set thereby introducing an unoptimised CER as our model is essentially training on more noise than signal. 

We therefore considered both Bias and Variance closely, ensuring a healthy mix of varied real correctly labelled CAPTCHAs harvested from source to a ratio of synthetically generated CAPTCHAs with a randomly distributed character set. An optimal CER band was then discovered through iterative AB testing of data set mix, training iterations until a stable plateau was identified. 

Conclusion

We deploy a final model, incorporating a mix of synthetic and real CAPTCHAs, achieving a CER of 1.4%. The automated solver process seamlessly integrates into our production collection system, ensuring stability and efficiency.

By leveraging synthetic sample training data generation, we’ve advanced CAPTCHA cracking. Our approach offers an effective and efficient solution for CAPTCHA cracking without significant human involvement or effort allowing for effective automated data collection.

With this capability, we are able to add value to our customers by automating the collection from otherwise programmatically inaccessible sources, where we would have to manually have a human solve the CAPTCHA access the page, insert any updates and then alert our customers. Automation is key to what we do at speed and at scale especially when dealing with many hundreds of collection sources as we do.

Photo by Kaffeebart on Unsplash.

"SOS
Uncategorized

Ransomware – State of Play March 2024

SOS Intelligence is currently tracking 183 distinct ransomware groups, with data collection covering 368 relays and mirrors.

In the reporting period, SOS Intelligence has identified 439 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor.  Our analysis is presented below:

LockBit has maintained its position as the most active and popular ransomware strain, despite law enforcement activity against the group in February 2024.  However, we are seeing a significant decrease in their activity level, which is to be expected.  The impact of law enforcement activity against the group is still being monitored, but it has already been seen that the group has suffered significant reputation damage.  Many affiliates have lost trust in the group to keep their data safe and their identities anonymous.  

March also saw the sudden exiting of ALPHV/BlackCat from the scene, in what appeared an exit scam.  Affiliates were left stunned when the group shut up shop shortly after receiving a significant ransom from UnitedHealth Group.  As previously reported, the code for ALPHV/BlackCat was purported to have been sold, so a new group is expected to emerge using similar TTPs in due course.

As such, we have seen increases in activity amongst other high-profile groups.  Most groups have seen small increases in activity over the last month. Still, BlackBasta, Medusa, Play, and RAGroup seem to have profited most from LockBit’s misfortune and ALPHV/BlackCat’s sudden disappearance.  All have been operating for at least 12 months and have carved their own niche in the space vacated by these high-profile group.

Group targeting continues to follow familiar patterns in terms of the victim’s country of origin.

Attacks have increased in South American countries, particularly in Argentina, which may be a response to presidential elections in November 2023 in which the far-right libertarian Javier Milei was elected.  Brazil remains a popular target, as the most economically developed country in the region

Targeting continues to follow international, geopolitical lines.  Heavy targeting follows countries that have supported Ukraine against Russia.  Attacks against Sweden continued as it pressed ahead with preparations to join NATO.   This highlights the level of support ransomware groups continue to show towards the Russian state, and they will continue to use cyber crime to destabilise and weaken Western and pro-Ukrainian states.

Manufacturing and Construction & Engineering have remained the key targeted industries for March.  These industries would be more reliant on technology to continue their business activities, so it logically follows that they would be more likely to pay a ransom to regain access to compromised computer systems.  The Financial, Retail & Wholesale, Legal, and Education sectors have also seen increased activity over the period.  Health & Social Care has seen a significant increase over the period.  This is likely in response to several groups, reacting to law enforcement activity and allowing their affiliates to begin targeting these industries.

We are seeing a shift in tactics for certain industries, particularly those where data privacy carries a higher importance (such as legal or healthcare), where threat actors are not deploying encryption software and instead relying solely on data exfiltration as the main source of material for blackmail and extortion.

Significant Events

Targeting against the UK took an aggressive turn, with NHS Scotland (INC Ransomware) and media outlet The Big Issue (Qilin) amongst the most high-profile victims.  This highlights ransomware groups’ apathy towards who they target, and the secondary impacts that that targeting can have.

The Oceania arm of Nissan suffered a significant data breach, which was associated with the Akira ransomware.  The attack was limited to operations in Australia and New Zealand but did have a significant impact on distribution, marketing, sales, and services.

New Groups

March saw the emergence of three new groups; Donex, Kill Security (5 victims each) and RedRansomware (12 victims).  Kill Security has shown some aggressive public-sector targeting, including police services in India and Romania.

Vulnerability Exploitation

BianLian and Jasmine groups have been observed exploiting CVE-2024-27198 (CVSS 9.8).  This is a vulnerability in JetBrains TeamCity CI/CD server products up to version 2023.11.4, which allows a remote unauthenticated attacker to execute arbitrary code to take complete control of affected instances.  This would allow threat actors to gain access and maintain permanence within an affected network, while conducting reconnaissance, exfiltrating data, and uploading ransomware payloads.

JetBrains has implemented a fix for the impacted system, so it is advised to update to the latest available version.

"Compromised
Uncategorized

Compromised Password Analysis

How threat actors target your credentials and what you can do to protect yourself

Across the dark web, and shadier parts of the clear web, there is a booming marketplace for compromised credentials.  Threat actors are looking to make a quick return can monetise your sensitive data, leaving you vulnerable to further compromise.  So how do threat actors get ahold of your credentials, and what can you do to protect yourself?

How do threat actors get your credentials?

Threat actors have an arsenal of tools and techniques for obtaining credentials to facilitate further criminal activity. These range from the highly technical to meticulously researched to plain and simple brute force.  We discuss a sample of these techniques below to assist you in understanding how threat actors can obtain your credentials.

Malware

For the more technically-minded, malware can be utilised to intercept passwords being input across the internet, or just simply to steal passwords from your device.

A “man-in-the-middle” attack sees a threat actor tactically position themself between a victim and the service the victim is accessing.  While the victim is inputting their credentials, the threat actor can see the input and capture this for their use.  This technique has commonly been utilised with banking trojan’s, such as TrickBot.

Once installed on a victim’s device, TrickBot would identify when victims attempted to access banking services online and provide them with a cloned website, controlled by the threat actor.  Subsequently, they would then be able to see what the victim was typing, thereby gaining access to their login details.  To preserve the illusion that nothing was amiss, the threat actor would then redirect the victim to the legitimate site as if they were logged in.  The threat actor would then capture the victim’s credentials, allowing them to log in whenever they saw fit.

Infostealer malware is much simpler.  Once installed on a device, it can quickly query common areas of a device used for password storage, and send this data to a waiting server controlled by a threat actor.  Owing to the various deployment methods used, threat actors can quickly generate a large volume of content from infostealer malware.  This content is then sorted and sold online, or at times even given away.  Further information regarding infostealer malware can be found in our article here.

Phishing

Phishing requires an element of trickery from the threat actor.  In this situation, they are portraying themselves as something they aren’t to trick the victim into divulging their credentials.  This can often be in the form of messages (email, SMS etc) asking victims to clarify their credentials associated to a legitimate service, i.e. banking, or premium services such as Netflix.  The threat actor will also provide a convenient link for the victim however, this link will invariably lead to a cloned website controlled by the threat actor, who can then collect credentials as victims input them.

Social Engineering

Remembering passwords for all the different services we use can be tiresome.  It has been estimated that the average person has over 100 passwords to remember.  Therefore it’s only natural that we utilise the things in our lives that matter most when coming up with passwords.  Significant dates, names of pets, and our favourite locations.  All can be useful when creating passwords as you’re more likely to remember these details.

The problem comes with our online activity.  Many people are very public about what they post online, and we talk about the things we like and what’s important to us.  If we’re then using those important things to generate our passwords, it becomes very easy for threat actors to do a little research into us to discover those passwords for themselves.

As an example, we have identified within our data collections that “fiona2014” is one of the most commonly used passwords.  If someone were to be using this password, it could be very easy to use social engineering to obtain it.  It would be straightforward to talk to someone, engage them about their life, and quickly find out they have a daughter called Fiona who is 10 years old.  Putting these details together we can come to “fiona2014”.

Dictionary Attacks

We are inundated with accounts requiring passwords, so it is common for people to use simple passwords to avoid having to remember anything too complex.  Threat actors rely on this as the basis for a “dictionary attack”.  Years of data regarding passwords has allowed for generating files containing thousands of common passwords and their variants.  These files then allow a threat actor to query a service, armed with a victim’s email address, and try each password until the service allows them to log in.

Thankfully, dictionary attacks are somewhat easier to defend against.  Most services will now only allow a few login attempts before any suspicious activity is flagged and the account is locked down.  Threat actors will constantly look for methods to bypass this security, so the best option is to keep those passwords unique.

Brute Force

When finesse will not work, take a sledgehammer to the door.  Brute force requires a threat actor to have some coding knowledge.  They can write code which will query a service to attempt a login, but instead of being more methodical, this method is more trial and error.  Commonly, brute force attacks will iterate through millions of potential combinations to find the correct password (assuming that any security the service has does not lock the account down).  This method can be more easily defeated by using longer, more complex passwords, and we will explain why shortly.

Brute force attacks can also occur when a threat actor obtains a username:password combination for a particular site.  Banking on poor password hygiene, they will attempt the same combination across multiple sites to see if there has been any password reuse.

What happens when your credentials are compromised

What happens when credentials are compromised depends on who the victim is.

Compromise of personal accounts tends to provide threat actors with access to various services and information, including the victims’ banking, online shopping, premium entertainment services etc.  These have some value to others, who may want the benefits of those services without having to pay, e.g. to watch Netflix, listen to Spotify etc.  These types of data will often be grouped and sold in bulk on online forums for a fraction of the cost of the service they give access to.

Real value for threat actors comes from compromised corporate accounts.  These accounts allow a threat actor to access a corporate system, giving them a platform to launch further criminal activity.  There is an entire marketplace dedicated to gaining initial access to corporate systems – initial access brokerage – and depending on the size of the victim, can bring in thousands of pounds for the threat actor selling credentials.  Such access can be a precursor to more serious cybersecurity events, such as data theft/loss, or the deployment of ransomware.

Password hygiene and habits

Now for the statistics.

We have taken a sample of data collated by SOS intelligence in March 2024, totalling over 10 million passwords obtained by infostealer malware.

The most common password length was 8 characters, with an average length across the dataset of 10.5.  This was to be expected as 8 characters is often presented as a minimum across many password policies.  Additionally, it’s also the number of characters in “password”…

Top 20 most common passwords
PasswordCount
12345651022
admin22322
https16682
1234567816525
12345678915737
123458958
Profiles8611
password6533
Opera3946
12345678903326
1231233093
12345672923
Aa1234562866
Kubiak222821
Pass@1232761
Password2665
1111112488
fiona20142206
123456789102043
P@ssw0rd2029

On that note, the word “password”, and numerous variants utilising common character substitutions, appeared over 37,000 times.  “admin” appeared more than 22,000 times, while “https” was used more than 16,000 times.  This is concerning as dictionary attacks will often focus on keywords such as this first, knowing they are so common.  “admin” is frequently used as a default password on routers and other IoT devices which highlights the ongoing vulnerability of these devices.

In total, approximately 1 million passwords contained only digits, while approximately another 1 million contained only letter characters.  Overall, over 7.5 million passwords contained no special characters.

So the fundamental question is, why are these statistics important, and how can we use them to improve our password hygiene?

Password strength works based on “entropy” – the measure of randomness or uncertainty of the password.  Password entropy allows us to quantify the difficulty or effort required to guess, or “crack”, a password using brute force or other similar methods.  As a general rule, higher entropy passwords are deemed stronger and more secure.

We measure entropy in bits. The number of bits a password has indicates how strong it is.  The basic formula for calculating entropy looks like this:

 Entropy = log2​(NL)

Where:

  • N is the number of possible characters in the character set used for the password
  • L is the length of the password (in characters)
  • log2 is the base-2 logarithm

Taking this formula we can see that the longer a password is, and the more characters it pools from, the higher entropy it will have.  We can visualise this with our data.

Using a length of 8 (being the most commonly seen) we can see the entropy when different sizes of character sets are used:


NumericalSingle CaseAll CaseAlphanumericAlphanumeric w/ Special Characters
Total # of characters1026526292
Entropy26.5837.6045.6047.6352.19

If we increase the password length to 12, strength increases significantly:


NumericalSingle CaseAll CaseAlphanumericAlphanumeric w/ Special Characters
Total # of characters1026526292
Entropy39.8656.4168.4171.4578.28

Based on the above, working at 1000 guesses per second, a brute force attack on an 8-character numerical password would take about 27 hours.  However, a similar attack on a 12-character password utilising alphanumeric and special characters would take roughly 11.5 billion years!

The key factor to note here is that there is a reason we’re always asked for longer passwords with uppercase, lowercase, numbers and special characters – they’re that much stronger and secure.

So a crucial question remains; what should be done with this information?  We sincerely hope that what we’ve discussed here will highlight the need for strong and enforced password policies.  These should factor in the following:

  • Use of alphanumeric and special characters
  • Mandatory lengths (at least 10, but longer is better)
  • No password reuse
  • Frequent and enforced password changing.

Wherever possible, we would highly recommend the use of password managers.  They can save a lot of time for users, allow for significantly more complex passwords to be used, and only require the user to remember one password.  We don’t recommend using one product over another, but one such example would be KeePassXC.  KeePassXC is a host-based password vault which keeps passwords encrypted when not in use.  It offers numerous options for password generation, varying on characters used, length etc.  The benefits of this are that you can generate passwords up to 128 characters long, which simply need to be copied and pasted whenever they are required.  Here is one such example with an entropy value of 715:

J4kKutHec3RYxQo3kpm4mot5EAVp&opRCSr&x4J5r%fQ$XxzrjdW2ZgRg@k42XhA@zz`S4ofiR4~^s`&43zZ@JQ&qQ$Mad2^jtQdHSZ@hbJbVk5Qabvs5Kc$KW3#W@Rm

What our external research shows

Research conducted by NordPass in 2022 identified that the average person has approximately 100 user accounts requiring password verification.  This is the most probable cause for password reuse and password fatigue; where users are exasperated by the constant need to generate unique strong passwords and fall into a habit of using weak, easy-to-remember passwords, or reusing old ones. Verizon’s Data Breach Investigations Report, published in 2021, estimates that 80% of hacking-related breaches were a result of stolen or brute-forced credentials.  This number could be significantly reduced by ensuring and maintaining good password hygiene.

Forgetting passwords can have a significant impact on the password owner, the services they use, and the organisations they work for:

  • Research firm Forrester has indicated that, for some organisations, the costs associated with handling password resets could be up to $1 million USD per year.  Gartner estimates that around 40% of help desk queries in large companies relate to password resets, taking up a substantial part of billable work, and taking focus away from more business-critical support.
  • In 2017, MasterCard and the University of Oxford published a study looking at users of online shopping platforms.  Their research indicates that 33% of users would abandon a purchase if they could not remember an account password, while 19% would abandon a purchase while waiting for a password reset link.
  • Chainalysis, a cryptocurrency data firm, estimates that 20% of all mined Bitcoin are locked in lost or otherwise inaccessible wallets.  In one such example, one user has 7002 Bitcoins locked within a hard drive, which risks being encrypted following two more incorrect password attempts.

What is SOS Intelligence doing, and how can it benefit you?

At SOS Intelligence, we understand the risk that credential theft can pose to the security of your data.  What we can provide is early detection for when your data has been exposed. 

We are actively collecting and analysing stolen credentials from multiple sources which feeds into our intelligence pipeline.  Within moments of ingestion, we can generate bespoke alerts for you to indicate when you may be at risk.  Early detection is vital to allow you to take action before an issue becomes serious and impactful against your business.

If you are serious about your cyber security, why not book a demo?

Photos by Ed Hardie on Unsplash,  Ryunosuke Kikuno on Unsplash, Joshua Hoehne on Unsplash

"SOS
Investigation, Ransomware

Ransomware – State of Play February 2024

SOS Intelligence is currently tracking 180 distinct ransomware groups, with data collection covering 348 relays and mirrors.

In the reporting period, SOS Intelligence has identified 395 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor.  Our analysis is presented below:

LockBit has maintained its position as the most active and popular ransomware strain.

This is despite significant law enforcement interruption, the impact of which will be discussed further below.

Despite law enforcement action towards the end of 2023, ALPHV/Blackcat has maintained a strong presence online and continues to post victim data.  However, owing to how the ransomware process operates, this could be seen to be victims compromised before law enforcement takedown of ALPHV/Blackcat infrastructure.

Increased activity has been identified amongst BianLian, Play, QiLin, BlackBasta, 8base and Hunters ransomware strain.  This increase may be attributed to these strains absorbing affiliates from LockBit and ALPHV/Blackcat as those services went offline.

This month, Ransomhub, AlphaLocker, Mogilevich, & Blackout have emerged as new strains.  Mogilevich has been observed targeting high-value victims, including Epic Games, luxury car company Infiniti, and the Irish Department of Foreign Affairs.

Group targeting continues to follow familiar patterns in terms of the victim’s country of origin.

Attacks have increased in South American countries, particularly in Argentina, which may be a response to presidential elections in November 2023 in which the far-right libertarian Javier Milei was elected.

Targeting continues to follow international, geopolitical lines.  Heavy targeting follows countries that have supported Ukraine against Russia.  Attacks against Sweden continued as it pressed ahead with preparations to join NATO.   This highlights the level of support ransomware groups continue to show towards the Russian state, and they will continue to use cyber crime to destabilise and weaken Western and pro-Ukrainian states.

Manufacturing and Construction and Engineering have remained the key targeted industries for February.  These industries would be more reliant on technology to continue their business activities, and so it logically follows that they would be more likely to pay a ransom to regain access to compromised computer systems.  The Financial, Retail & Wholesale, Legal, and Education sectors have also seen increased activity over the period.  Health & Social Care has seen a significant increase over the period.  This is likely in response to several groups, including ALPHV/Blackcat reacting to law enforcement activity and allowing their affiliates to begin targeting these industries.

We are seeing a shift in tactics for certain industries, particularly those where data privacy carries a higher importance (such as legal or healthcare), where threat actors are not deploying encryption software and instead relying solely on data exfiltration as the main source of material for blackmail and extortion.

LockBit Takedown

On 20 February, an international law enforcement effort was successful in taking control of and shutting down the infrastructure of the LockBit ransomware strain.  Much has been disclosed and said regarding the takedown, some of it speculative, however, it was confirmed by the UK’s National Crime Agency (NCA) and the US’s Federal Bureau of Investigation that control of their dark web domains and infrastructure was obtained, providing them with significant information regarding the activity of the LockBit group and its affiliates.

Since then, multiple LockBit blog sites have re-emerged, and new data continues to be published.  However, it is not clear whether or not this is new activity since the takedown.  It is more likely that these are victims compromised before law enforcement activity which are only now being blackmailed with data release.

We are continuing to monitor the ransomware landscape at this time to properly analyse the impact this takedown will have.  This event has had a significant impact on the reputation of the LockBit group, with many affiliates angry at the perceived lack of operational security resulting in the possible identification of their real-world identities.  We are anticipating many of these will look to gain access to the affiliate programs of other strains, and so we will expect to see a significant increase in reported attacks from those strains in the coming weeks and months.  As for LockBit, the threat actors behind the group remain active, and it is likely we will see a re-emergence as a new group in due course.

ALPHV/Blackcat exit scam

The ALPHV/Blackcat group is making headlines for all the wrong reasons.  After first having their leak site taken over by law enforcement, they now appear to have absconded with affiliate funds.

In February 2024, ALPHV/Blackcat announced an attack against healthcare provider Change Healthcare (part of United Health Group).  Following this, a ransom of $22 million was paid to ALPHV.  Several days later, the responsible affiliate took to the cybercrime forum RAMP to state that they hadn’t been paid their share of the spoils (potentially up to 90%).  It appears now that the group has collapsed from within, ending with a final exit scam as they shut down operations.  The group have further claimed to have sold their source code in the process, so we may see copycat groups emerge in due course.

While the dissolution of a notorious group should be celebrated, especially following successful law enforcement activity, it should be noted that shutting down in this way presents a significant risk to recent victims.  The affiliate responsible for the Change Healthcare data, as well as affiliates who may have been similarly affected, are likely to still hold victim data and so, for those victims, there remains a risk that they may be further blackmailed as affiliates attempt to recoup their lost earnings.

Photo by FLY:D on Unsplash

"SOS
Product news

Business Update

We’ve had a lot going on since the start of the year and so I’ve recorded a short update for you. Click to watch and listen!

We are very thankful for all our customers, those who have been with us since we started and the new ones over the past months.

"Data
Opinion, Tips

Happy Data Privacy Day!

Held annually on 28 January every year since 2007, Data Privacy Day was introduced by the Council of Europe to commemorate Convention 108 – the first, legally binding, international treaty on data protection signed in 1981.  Data Privacy Day exists now to bring the concept of data privacy to the forefront, and encourage everyone to consider the steps they take to keep their data safe, and what more they could be doing.

The landscape of data privacy has changed dramatically since that first celebration in 2007.  Wholesale changes to legislation have been implemented, new international regulations brought in and enforced, and on the whole, a shift in the dynamic of how the general public thinks about the privacy of their data.

Managing your data privacy can be a daunting task – our data is everywhere, and we’re not always consciously aware of what is happening to it.  Unsecured data, oversharing online, interacting with suspicious communications – these are all things that the threat actors of the world rely on from their victims to achieve their criminal goals.  Here are several simple things that can be done to improve your online privacy:

  • Limit sharing on social media

Social media is a gold mine of information for those with malicious intentions.  Sharing events such as birthdays, names of loved ones, employment details etc, can allow a threat actor to very quickly socially engineer scams to encourage you to divulge sensitive information.  Although we shouldn’t, quite often those details such as birthdays and loved ones’ names end up in our passwords too, so it doesn’t take much for a threat actor with a little motivation to work these out.  Ensuring privacy settings are set to maximum, and not over-sharing, will do much to protect from these threats.

  • Think before you click

We receive a deluge of emails every day, in both our personal and work lives.  Threat actors know this too which is why they’ll use email as a method to target individuals and businesses to gain access to sensitive data.  Phishing scams rely on the innocent victim not realising that the email in front of them is fake, or trying to get them to do something they shouldn’t be doing.  So if in doubt, stop and think before clicking on links or opening attachments.

  • Know your rights

Know your data privacy rights, and what applies in your country.  In Europe, this will be GDPR, which gives a lot of control back to the person to whom the data relates.  This includes:

  • The right to be informed
  • The right of access
  • The right of rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making, including profiling

Despite best efforts, threat actors are constantly looking for new and novel ways to gain access to our data, and inevitably, some of this will be stolen and used for criminal activity.  SOS Intelligence has been diligently monitoring the digital landscape over 2023.  Our recent findings are a stark reminder of the rising threat of phishing attacks.  Over the past year, we have observed over half a million unique credentials compromised through phishing, and with the growth of Generative AI techniques, we expect that number to grow in 2024.

One standout feature of our technology is our real-time alert system.  This capability ensures that our clients are promptly notified when their staff have fallen victim to phishing, allowing for a swift response and effective risk mitigation, helping you to ensure that your data remains as private as possible.

Photo by Jason Dent on Unsplash

"Cyber
Product news

A Special Cyber Threat Intelligence Plan for UK Charities, NHS Trusts and Schools

We like brands, companies and organisations that do the right thing. They are for good. They want to help. Their product or service is helpful, is useful and goes some way to fight the bad in the world, and let’s face it, there is way too much of that right now.

So, we are also going to try and do the right thing. We are a startup, a fledgling business and one which has not got endless reserves and pots of cash. But, we strongly believe that by helping people we can develop a loyal customer in the future…

From today, if you are a UK charity, a NHS trust or UK school, you can apply for a special account with SOS Intelligence, which gives you the first six months for free. An application takes seconds and once approved, you can up and running in minutes. We are offering this as we know this can make a huge difference to your cyber security, and we know that is more and more important.

Apply here.

What does this account include?

  • 10 Keyword Limit
  • 3 User Account Limit
  • Breach Monitoring, OSINT & Dark Web 
  • Excludes Domain Monitoring. 
  • Email Notification.

After the six months free time period, this will cost £200+VAT per month or £1,920+VAT with a 20% discount for 1 year.


We have seen time and time again that organisations who don’t act, even with intelligence we’ve come across ourselves, leave themselves open to tremendous risk.

Charities at increased risk

A new threat report published by the NCSC reveals why the charity sector is particular vulnerable to cyber attacks, the methods used by criminals, and how charities can best defend themselves.

 “More charities are now offering online services and fundraising online, meaning reliable, trusted digital services are more important than ever. During the Ukraine crisis, we saw more criminals taking advantage of the generosity of the public, masquerading as charities for their own financial gain.”
Lindy Cameron, NCSC CEO

You can read their blog post here and download the report here.

Just one set of compromised credentials is it all takes. Imagine, if you will, knowing when a user has been compromised and so you can act and secure the account. Imagine seeing an alert, almost in real time, where some of your data has been posted on a dark web forum.

Intelligence means you can do something about it.

Please do share this far and wide – we want to help! 🙂

Apply here.



FAQs

  1. Who can apply? This is open for any UK charity, NHS trust or school. If you are a non-profit, don’t fit in these categories, but think you should be considered, you can fill out the form here and click no to the fit question – you will be prompted to enter more information and we will get back to you.
  2. How long is the free account for? It is for six months from the date of account sign up. When this period has finished, you will be charged on the card you used for sign up. The annual version gives you a 20% discount and is by far the most popular option.
  3. What if I don’t want to continue using SOS Intelligence? You will need to tell us prior to the end of the six months as otherwise you may be charged.
  4. Do you provide training? At present, we offer email support and screencasts to get you up and running.
  5. What is the process to apply? To apply, head on over to the application form here and we will be in touch as soon as possible. If successful you will receive an email with a link to sign up and a voucher code to use to give you the six month free access. 
  6. Do I need to add credit card details on sign up? Yes, we use Stripe for payment and this requires card details. However, you will not be initially charged as you will use a six month free voucher. At the end of the six months the plan will renew using the card details provided.
  7. What about domain / typo / squatting monitoring? This is not included on this plan but is on the Pro or Enterprise plans.
  8. What is typo-squatting? Typo-squatting is the act of registering domain names, i.e. Web Domains that look similar to your legitimate domain name. Cyber Criminals may by several domains across a number of different Top Level Domain Registrars. Typo-squatting could be used against you, as a business to phish your employees or customers or in order to contact fraud under your name or brand. Most common occurrence is 419 Advance Fee Fraud. 

    SOS Intelligence monitors recently registered domain names from a large number of Top Level Domain Registrars and scans those against you domain type keywords.
1 2 3 4
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Youtube
Consent to display content from - Youtube
Vimeo
Consent to display content from - Vimeo
Google Maps
Consent to display content from - Google
Spotify
Consent to display content from - Spotify
Sound Cloud
Consent to display content from - Sound