Articles Tagged with cyber threat intelligence

Investigation, Ransomware

Ransomware – State of Play February 2024

SOS Intelligence is currently tracking 180 distinct ransomware groups, with data collection covering 348 relays and mirrors.

In the reporting period, SOS Intelligence has identified 395 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor.  Our analysis is presented below:

LockBit has maintained its position as the most active and popular ransomware strain.

This is despite significant law enforcement interruption, the impact of which will be discussed further below.

Despite law enforcement action towards the end of 2023, ALPHV/Blackcat has maintained a strong presence online and continues to post victim data.  However, owing to how the ransomware process operates, these may be victims compromised before the law enforcement takedown of ALPHV/Blackcat infrastructure.

Increased activity has been identified amongst the BianLian, Play, QiLin, BlackBasta, 8base and Hunters ransomware strains.  This increase may be attributed to these strains absorbing affiliates from LockBit and ALPHV/Blackcat as those services went offline.

This month, Ransomhub, AlphaLocker, Mogilevich, & Blackout have emerged as new strains.  Mogilevich has been observed targeting high-value victims, including Epic Games, luxury car company Infiniti, and the Irish Department of Foreign Affairs.

Group targeting continues to follow familiar patterns in terms of the victim’s country of origin.

Attacks have increased in South American countries, particularly in Argentina, which may be a response to presidential elections in November 2023 in which the far-right libertarian Javier Milei was elected.

Targeting continues to follow international, geopolitical lines.  Heavy targeting follows countries that have supported Ukraine against Russia.  Attacks against Sweden continued as it pressed ahead with preparations to join NATO.   This highlights the level of support ransomware groups continue to show towards the Russian state, and they will continue to use cyber crime to destabilise and weaken Western and pro-Ukrainian states.

Manufacturing, and Construction and Engineering, have remained the key targeted industries for February.  These industries would be more reliant on technology to continue their business activities, and so it logically follows that they would be more likely to pay a ransom to regain access to compromised computer systems.  The Financial, Retail & Wholesale, Legal, and Education sectors have also seen increased activity over the period.  Health & Social Care has seen a significant increase over the period.  This is likely in response to several groups, including ALPHV/Blackcat, reacting to law enforcement activity and allowing their affiliates to begin targeting these industries.

We are seeing a shift in tactics for certain industries, particularly those where data privacy carries a higher importance (such as legal or healthcare), where threat actors are not deploying encryption software and instead relying solely on data exfiltration as the main source of material for blackmail and extortion.

LockBit Takedown

On 20 February, an international law enforcement effort succeeded in taking control of and shutting down the infrastructure of the LockBit ransomware strain.  Much has been disclosed and said regarding the takedown, some of it speculative.  However, the UK’s National Crime Agency (NCA) and the US’s Federal Bureau of Investigation confirmed that they obtained control of LockBit’s dark web domains and infrastructure, providing them with significant information regarding the activity of the LockBit group and its affiliates.

Since then, multiple LockBit blog sites have re-emerged, and new data continues to be published.  However, it is not clear whether or not this is new activity since the takedown.  It is more likely that these are victims compromised before law enforcement activity which are only now being blackmailed with data release.

We are continuing to monitor the ransomware landscape at this time to properly analyse the impact this takedown will have.  This event has had a significant impact on the reputation of the LockBit group, with many affiliates angry at the perceived lack of operational security resulting in the possible identification of their real-world identities.  We are anticipating many of these will look to gain access to the affiliate programs of other strains, and so we will expect to see a significant increase in reported attacks from those strains in the coming weeks and months.  As for LockBit, the threat actors behind the group remain active, and it is likely we will see a re-emergence as a new group in due course.

ALPHV/Blackcat exit scam

The ALPHV/Blackcat group is making headlines for all the wrong reasons.  After first having their leak site taken over by law enforcement, they now appear to have absconded with affiliate funds.

In February 2024, ALPHV/Blackcat announced an attack against healthcare provider Change Healthcare (part of United Health Group).  Following this, a ransom of $22 million was paid to ALPHV.  Several days later, the responsible affiliate took to the cybercrime forum RAMP to state that they hadn’t been paid their share of the spoils (potentially up to 90%).  It appears now that the group has collapsed from within, ending with a final exit scam as they shut down operations.  The group have further claimed to have sold their source code in the process, so we may see copycat groups emerge in due course.

While the dissolution of a notorious group should be celebrated, especially following successful law enforcement activity, it should be noted that shutting down in this way presents a significant risk to recent victims.  The affiliate responsible for the Change Healthcare data, as well as affiliates who may have been similarly affected, are likely to still hold victim data and so, for those victims, there remains a risk that they may be further blackmailed as affiliates attempt to recoup their lost earnings.

Product news

Business Update

We’ve had a lot going on since the start of the year and so I’ve recorded a short update for you. Click to watch and listen!

We are very thankful for all our customers, those who have been with us since we started and the new ones over the past months.

Opinion, Tips

Happy Data Privacy Day!

Held annually on 28 January since 2007, Data Privacy Day was introduced by the Council of Europe to commemorate Convention 108 – the first legally binding international treaty on data protection, signed in 1981.  Data Privacy Day exists now to bring the concept of data privacy to the forefront, and encourage everyone to consider the steps they take to keep their data safe, and what more they could be doing.

The landscape of data privacy has changed dramatically since that first celebration in 2007.  Wholesale changes to legislation have been implemented, new international regulations brought in and enforced, and on the whole, a shift in the dynamic of how the general public thinks about the privacy of their data.

Managing your data privacy can be a daunting task – our data is everywhere, and we’re not always consciously aware of what is happening to it.  Unsecured data, oversharing online, interacting with suspicious communications – these are all things that the threat actors of the world rely on from their victims to achieve their criminal goals.  Here are several simple things that can be done to improve your online privacy:

  • Limit sharing on social media

Social media is a gold mine of information for those with malicious intentions.  Sharing events such as birthdays, names of loved ones, employment details etc, can allow a threat actor to very quickly socially engineer scams to encourage you to divulge sensitive information.  Although we shouldn’t, quite often those details such as birthdays and loved ones’ names end up in our passwords too, so it doesn’t take much for a threat actor with a little motivation to work these out.  Ensuring privacy settings are set to maximum, and not over-sharing, will do much to protect from these threats.

  • Think before you click

We receive a deluge of emails every day, in both our personal and work lives.  Threat actors know this too which is why they’ll use email as a method to target individuals and businesses to gain access to sensitive data.  Phishing scams rely on the innocent victim not realising that the email in front of them is fake, or trying to get them to do something they shouldn’t be doing.  So if in doubt, stop and think before clicking on links or opening attachments.

  • Know your rights

Know your data privacy rights, and what applies in your country.  In Europe, this will be GDPR, which gives a lot of control back to the person to whom the data relates.  This includes:

  • The right to be informed
  • The right of access
  • The right of rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making, including profiling

Despite best efforts, threat actors are constantly looking for new and novel ways to gain access to our data, and inevitably, some of this will be stolen and used for criminal activity.  SOS Intelligence has been diligently monitoring the digital landscape over 2023.  Our recent findings are a stark reminder of the rising threat of phishing attacks.  Over the past year, we have observed over half a million unique credentials compromised through phishing, and with the growth of Generative AI techniques, we expect that number to grow in 2024.

One standout feature of our technology is our real-time alert system.  This capability ensures that our clients are promptly notified when their staff have fallen victim to phishing, allowing for a swift response and effective risk mitigation, helping you to ensure that your data remains as private as possible.

Product news

A Special Cyber Threat Intelligence Plan for UK Charities, NHS Trusts and Schools

We like brands, companies and organisations that do the right thing. They are for good. They want to help. Their product or service is helpful, is useful and goes some way to fight the bad in the world, and let’s face it, there is way too much of that right now.

So, we are also going to try and do the right thing. We are a startup, a fledgling business and one which has not got endless reserves and pots of cash. But, we strongly believe that by helping people we can develop a loyal customer in the future…

From today, if you are a UK charity, an NHS trust or a UK school, you can apply for a special account with SOS Intelligence, which gives you the first six months for free. An application takes seconds and once approved, you can be up and running in minutes. We are offering this as we know this can make a huge difference to your cyber security, and we know that is more and more important.

Apply here.

What does this account include?

  • 10 Keyword Limit
  • 3 User Account Limit
  • Breach Monitoring, OSINT & Dark Web 
  • Excludes Domain Monitoring. 
  • Email Notification.

After the six months free time period, this will cost £200+VAT per month or £1,920+VAT with a 20% discount for 1 year.


We have seen time and time again that organisations who don’t act, even with intelligence we’ve come across ourselves, leave themselves open to tremendous risk.

Charities at increased risk

A new threat report published by the NCSC reveals why the charity sector is particularly vulnerable to cyber attacks, the methods used by criminals, and how charities can best defend themselves.

 “More charities are now offering online services and fundraising online, meaning reliable, trusted digital services are more important than ever. During the Ukraine crisis, we saw more criminals taking advantage of the generosity of the public, masquerading as charities for their own financial gain.”
Lindy Cameron, NCSC CEO

You can read their blog post here and download the report here.

Just one set of compromised credentials is all it takes. Imagine, if you will, knowing when a user has been compromised so that you can act and secure the account. Imagine seeing an alert, almost in real time, when some of your data has been posted on a dark web forum.

Intelligence means you can do something about it.

Please do share this far and wide – we want to help! 🙂

Apply here.



FAQs

  1. Who can apply? This is open for any UK charity, NHS trust or school. If you are a non-profit, don’t fit in these categories, but think you should be considered, you can fill out the form here and click no to the fit question – you will be prompted to enter more information and we will get back to you.
  2. How long is the free account for? It is for six months from the date of account sign up. When this period has finished, you will be charged on the card you used for sign up. The annual version gives you a 20% discount and is by far the most popular option.
  3. What if I don’t want to continue using SOS Intelligence? You will need to tell us prior to the end of the six months as otherwise you may be charged.
  4. Do you provide training? At present, we offer email support and screencasts to get you up and running.
  5. What is the process to apply? To apply, head on over to the application form here and we will be in touch as soon as possible. If successful you will receive an email with a link to sign up and a voucher code to use to give you the six month free access. 
  6. Do I need to add credit card details on sign up? Yes, we use Stripe for payment and this requires card details. However, you will not be initially charged as you will use a six month free voucher. At the end of the six months the plan will renew using the card details provided.
  7. What about domain / typo / squatting monitoring? This is not included on this plan but is on the Pro or Enterprise plans.
  8. What is typo-squatting? Typo-squatting is the act of registering domain names, i.e. web domains, that look similar to your legitimate domain name. Cyber criminals may buy several domains across a number of different Top Level Domain Registrars. Typo-squatting could be used against you as a business to phish your employees or customers, or in order to conduct fraud under your name or brand. The most common occurrence is 419 Advance Fee Fraud.

    SOS Intelligence monitors recently registered domain names from a large number of Top Level Domain Registrars and scans those against your domain type keywords.

Investigation, The Dark Web

Dark Web Services Current Average Prices

It started with a tweet.

The dark web has long been associated with illegal activities and the sale of illicit goods and services. Among the many services offered on the dark web, hacking services are particularly prevalent.

Daniel’s tweet

We had our PIR and got to writing an Intelligence Requirements sheet following the PESTLEP model and that allowed us to prioritise our Collection Plan.

Collection plan.

With which we were able to start our collection process and begin answering Daniel Card’s Tweet.

The collection process consisted of using the SOS Intelligence platform to identify current active market places for the specific IR areas we had to answer to.

Our platform has the capability to scan the dark web very quickly, with the ability to rotate around all active Onion services within 24-48 hours. This gives us a clear view of current and active Onion services.

In addition SOS Intelligence has a broad range of automatic closed and open forum collection giving us a real time view into purchases and sales.

Gathering the relevant information and calculating averages per service, per market place. 

The research

The research for this article looked at around 40 different current dark web marketplaces and clear web and dark web forums, where hacking services are commonly offered for sale. The average prices for the services mentioned were determined based on the information gathered from these sources.

According to our research, the average price for a stolen credit card on the dark web is around $243.15.

This may seem like a low price, but the value of a stolen credit card can vary depending on the country it was issued in and the remaining balance on the card. For example, a credit card from the United States may be worth more than one from a less economically developed country. To keep things as like for like as possible we took the average card limit for a USA bank.

Counterfeit money is also commonly available on the dark web, with the average price per $1,000 coming in at around $396.24.

This may seem like a high price, but it’s important to remember that producing high-quality counterfeit money can be a time-consuming and expensive process.

Botnets, which are networks of compromised computers used to launch distributed denial of service (DDoS) attacks, are also commonly available on the dark web.

The average price for a botnet or DDoS attack is around $382.41.

Another common service offered on the dark web is the sale of so-called residential proxies, which are more difficult to detect and block as they “proxy” a cyber criminal’s connection out through a residential ISP. These proxies are used to mask the true IP address of the user and are often used by hackers to avoid detection.

The average price for a residential proxy is around $645 per month.

Finally, initial access to a target network is often available for sale on closed forums and marketplaces. This can include login credentials or vulnerabilities in a network that can be exploited to gain access. Initial Access (IA) is typically the first ‘open door’ into a victim’s network and can lead to ransomware.

Prices for this service ranged wildly, from a few hundred dollars to tens of thousands, varying greatly with the access offered, the method of access and the compromised company, and reflecting the wide range of victims and seller motivations.

The average price for initial access to a network is around $7,700. 

In conclusion, the dark web is a hub for a wide range of hacking services, from stolen credit card information to initial access to target networks.

While the prices for these services may seem steep, it’s important to remember that, at least for some of the services offered, there is more demand than supply.

It is also important to note that there is no guarantee with any of the services provided, and the sellers or marketplaces themselves could be scams or scammers, although a majority do offer purchase through escrow.

Product news

pwnReport tool for MSSP and Enterprise customers

One of the features which we’ve been working on recently is a pwnREPORT Breach Report Tool. I’m pleased to say this is now available for our MSSP and Enterprise customers.

What does it do?

  • Generates an aggregated breach report for records found across our BreachDB, OSINT collections and Dark Web.
  • Searches for a provided company email domain.
  • Returns a CSV document on completion for you to download.

Watch the short video below to see it in action.

pwnREPORT Breach Report Tool

This kind of tool is precisely what we try and focus on. Simple execution of a query and a quick, useful output for you to use and potentially share.

If you have any questions, please don’t hesitate to get in touch and book a call / demo here.

Opinion, The Dark Web

Major UK transport company battles cyber-attack

Another week and yet another cyber-attack on a major UK company. The Guardian broke the news yesterday highlighting that Go-Ahead are facing problems with their back office systems, including bus services and payroll software.

Fortunately it is only affecting the bus services they run and not their rail business.

There are a couple of important things to note here. Firstly, the UK and other countries are seeing more threats to government organisations, transport and infrastructure companies. Infrastructure, by its nature, is vital to the smooth running of a country’s daily life and an interruption to this can cause serious problems.

One of the most infamous cyber attacks on infrastructure took place last year when hackers breached the Colonial Pipeline using a compromised password.

The key aspect of this case was that investigators suspect the hackers got the password from a dark web leak. This scenario is a perfect demonstration of how SOS Intelligence could have helped, alerting the company to this in time and possibly preventing what happened.

In the UK, companies have faced sizeable fines when they have been the subject of a breach and lost customer data.

British Airways was told in July 2019 that it faced a fine of £183m after hackers stole the personal information of half a million customers. Eventually they paid £20M, still a considerable amount.

If you are reading this and wonder if we can help, we probably can. You can book a call and demo here.

Opinion

New cyber security rules for UK mobile and broadband carriers

Yesterday, the UK government announced that mobile and broadband carriers must follow a new set of rules that will strengthen our protection against cyber attacks.

“we know that today the security and resilience of our communications networks and services is more important than ever. From heightened geopolitical threats through to malicious cyber criminals exploiting network vulnerabilities, global events have shown the importance of providing world-leading security for our networks and services.

That’s why the creation of a new telecoms security framework via the Telecommunications (Security) Act 2021 was so important. With the help of the telecoms industry, we’ve now been able to move that framework forwards.”

– Matt Warman, Minister of State for Digital, Culture, Media and Sport

The new rules, which the companies will need to follow, look at areas such as:

  • how (and from whom) providers can procure infrastructure and services
  • how providers police activity and access
  • the investments they make into their security and data protection and the monitoring of that
  • how providers inform stakeholders of resulting data breaches or network outagesprocedures by March 2024

The executive summary of the consultation outcome is one we completely endorse:

The UK is becoming ever more dependent on public telecoms networks and services. The increased reliance of the economy, society and critical national infrastructure (CNI) on such networks and services means it is important to have confidence in their security. As the value of our connectivity increases, it becomes a more attractive target for attackers. It is important to make sure that our networks and services are secure in this evolving threat landscape.

Proposals for new telecoms security regulations and code of practice – government response to public consultation – Updated 30 August 2022.

TechCrunch highlights that those who fail to comply with the new regulations will face big fines, up to £100,000 per day.

SOS Intelligence is focused on providing effective and affordable cyber threat intelligence. We would welcome a conversation with any mobile and / or broadband carrier as we can definitely help you.

We can help you avoid the question from your CEO or MD… Why didn’t we know about this?
Simply put, we monitor keywords, email addresses, domains and more online including the Dark Web, so you get to know immediately if your data has been leaked. You can then do something about it.

Forewarned in many cases will be incredibly helpful.

The results of a GOV.UK survey released in March 2020 confirm cyber security breaches are becoming more frequent. It found 46% of UK businesses and charities reported a cyber-attack during the year. Of those, 33% claimed they experienced a cyber breach in 2020 at least once a week – up from 22% in 2017.

The consultation recognises that the threats from certain countries are not going away, and are more likely to be increasing. The UK’s vigilance needs to increase to meet these threats.
