Webinar – Combo-Squatting & Homograph Attacks: Protecting Your Brand from Lookalike Domains

by Daniel Collyer

September 25, 2025

Our latest webinar is ready to go and you can join us on Wednesday October 8th at 4pm UK time.

The topic is Combo-Squatting & Homograph Attacks: Protecting Your Brand from Lookalike Domains and we are seeing this more and more.

Learn:

The difference between typosquatting, combo-squatting, and homograph attacks.
See how attackers exploit keywords and Unicode tricks to impersonate trusted brands.
Discover real-world examples of phishing and fraud campaigns.
Explore practical detection and defence strategies.
Find out how SOS Intelligence can monitor, alert, and assist with takedowns to protect your brand.

Sign up takes seconds and you will get sent a link of the recording regardless of attendance so well worth signing up now!

Investigation, Opinion

Understanding SCATTERED SPIDER: Tactics, Targets, and Defence Strategies

by Daniel Collyer

June 4, 2025

In recent months, a wave of disruptive cyberattacks has swept across high-profile organisations in both the UK and the US, affecting sectors ranging from hospitality and telecommunications to finance and retail. Many of these incidents share a common thread: attribution to a threat actor known as SCATTERED SPIDER, a group now gaining notoriety for its aggressive use of social engineering and its partnership with the DragonForce ransomware-as-a-service (RaaS) operation.

Unlike traditional ransomware gangs that rely heavily on technical exploits or brute-force tactics, SCATTERED SPIDER stands out for its deeply manipulative approach. The group has repeatedly demonstrated its ability to impersonate employees, deceive IT support teams, and bypass multi-factor authentication (MFA) through cunning psychological tactics. Often described as “native English speakers,” they are suspected to operate in or have ties to Western countries, bringing a cultural fluency that makes their phishing and phone-based attacks alarmingly effective.

As law enforcement and cybersecurity professionals scramble to contain the fallout from recent attacks, one thing is clear: SCATTERED SPIDER is not just another ransomware affiliate. They represent a shift toward human-centric intrusion strategies, blending technical skill with social deception in a way that challenges even well-defended organisations.

This article takes a closer look at how SCATTERED SPIDER operates, the tools they use, including DragonForce RaaS and, most importantly, what practical steps individuals and organisations can take to reduce their exposure to this growing threat.

Image Credit: Crowdstrike

Who Is SCATTERED SPIDER?

SCATTERED SPIDER is the name given to a loosely affiliated cybercriminal group that has quickly gained attention for its highly targeted and persistent campaigns against major organisations. Believed to be active since at least 2022, the group is often classified as an Initial Access Broker (IAB) and affiliate actor, working both independently and in partnership with larger ransomware collectives, most notably the ALPHV/BlackCat operation.

What sets SCATTERED SPIDER apart is not just its technical acumen, but its expert use of social engineering, often executed in fluent English and with a level of cultural familiarity that suggests the group is likely based in or has strong ties to the US or UK. Unlike many ransomware actors operating out of Eastern Europe or Russia, SCATTERED SPIDER’s tactics are tailored to Western corporate environments, allowing them to convincingly impersonate staff, manipulate helpdesk personnel, and bypass traditional security barriers with unnerving ease.

The group’s motivation is primarily financial, but their techniques are unusually aggressive. Rather than simply deploying ransomware after gaining access, SCATTERED SPIDER takes the time to navigate internal systems, escalate privileges, and exfiltrate data, ensuring maximum impact and leverage during extortion. This has included threats to publicly leak sensitive data if ransoms aren’t paid, a tactic made easier by their ties to DragonForce RaaS, a ransomware service that offers data leak platforms and other tools to affiliates.

Notable incidents attributed to SCATTERED SPIDER include:

The 2023 attack on MGM Resorts, which saw large-scale IT disruption across casinos and hotels in the US, was reportedly caused by a simple phone-based social engineering ploy.
Intrusions into telecommunications and managed service providers, where they have targeted identity infrastructure such as Okta and Active Directory to pivot across networks.
Disruption and data theft in the financial and insurance sectors, where highly sensitive customer and operational data were exfiltrated and held to ransom.

These campaigns reveal a group that is not only technically capable but strategically manipulative, leveraging trust, urgency, and insider knowledge to achieve access that many automated tools would struggle to obtain.

The Tools of the Trade: DragonForce RaaS

One of the key enablers of SCATTERED SPIDER’s recent success has been their alignment with DragonForce, a relatively new entrant in the expanding Ransomware-as-a-Service (RaaS) ecosystem. RaaS models have radically altered the cybercrime landscape. Much like SaaS (Software-as-a-Service) in the legitimate tech world, RaaS lowers the barrier to entry for less technically capable threat actors by offering turnkey ransomware toolkits, user-friendly dashboards, and profit-sharing agreements between developers and affiliates.

What Is DragonForce?

DragonForce is a commercially operated ransomware platform, complete with a slick user interface, customer “support” channels, and marketing-style updates promoting new features and obfuscation techniques. While it may not yet have the brand recognition of LockBit or BlackCat, it is gaining traction among cybercriminal groups for its reliability, speed, and aggressive encryption routines.

Its offerings typically include:

Highly customisable payloads: Affiliates like SCATTERED SPIDER can tweak encryption settings, file extensions, and ransom notes to suit their targets.
Data exfiltration modules: These facilitate double extortion, where files are stolen before encryption and used as additional leverage during ransom negotiations.
Dark Web leak portals: Victim data is published or threatened with publication unless payment is made.
Access to a central control panel: Affiliates can monitor infected machines, initiate encryption manually, and track ransom payments via cryptocurrency wallets.

These features allow threat actors to operate more like cybercrime startups than ad-hoc hacking collectives.

Why SCATTERED SPIDER Uses DragonForce

SCATTERED SPIDER’s strength lies in gaining initial access, often via phone-based social engineering or SIM-swapping tactics, rather than building their own ransomware from scratch. By outsourcing encryption and extortion capabilities to a RaaS provider like DragonForce, they focus on what they do best: manipulating people, navigating corporate networks, and extracting sensitive data.

In this partnership, DragonForce gains a capable affiliate who can deliver high-value access, and SCATTERED SPIDER gains a ready-made suite of tools to monetise their intrusions. This division of labour reflects a broader shift in cybercrime, one where specialisation and scalability are the name of the game.

DragonForce and the RaaS Economy

It’s important to understand that DragonForce is not an isolated actor. It is part of a wider criminal ecosystem where:

Access brokers sell stolen credentials or remote access.
Malware developers lease out payloads to trusted affiliates.
Negotiators and money launderers offer “aftercare” services.

This ecosystem enables threat actors to operate like businesses, complete with hierarchical roles, profit-sharing models, and even internal dispute resolution mechanisms. In this context, SCATTERED SPIDER is not just a lone wolf but a well-placed operator within a highly coordinated cybercrime supply chain.

Why This Matters

The use of DragonForce by SCATTERED SPIDER highlights two alarming trends:

Professionalisation of ransomware: You no longer need deep technical knowledge to execute devastating attacks; just access, confidence, and a few phone calls.
Faster time-to-impact: With everything from encryption to extortion automated and streamlined, the time between compromise and ransom demand is shrinking rapidly, leaving organisations with little time to detect and respond.

As DragonForce continues to evolve and attract new affiliates, we are likely to see more actors adopt this model of rapid-access, rapid-extortion ransomware operations.

Image Credit: Kaspersky

Anatomy of an Attack: How SCATTERED SPIDER Operates

Understanding how SCATTERED SPIDER executes its attacks is crucial for organisations looking to strengthen their defences. Unlike many ransomware operators who rely on brute-force tactics or mass phishing campaigns, SCATTERED SPIDER favours precision, patience, and psychological manipulation.

Here’s a typical flow of operations observed in their campaigns:

1. Reconnaissance and Target Selection

The group begins by identifying high-value targets, often large enterprises in sectors such as telecommunications, financial services, and IT. They may purchase access to credentials or endpoint telemetry from Initial Access Brokers (IABs) or scrape publicly available information from LinkedIn, press releases, and social media to build detailed profiles of staff and infrastructure.

What makes this phase effective:

Use of OSINT to identify staff names, departments, and third-party vendors.
Focus on companies with complex IT environments and high tolerance for operational risk—prime candidates for extortion.

2. Initial Access via Social Engineering

Once they’ve identified the right entry point, SCATTERED SPIDER often deploys vishing (voice phishing) or phishing techniques to impersonate internal staff. In some cases, they call help desks pretending to be employees locked out of their accounts, requesting MFA resets or password changes.

This is where their native English and cultural familiarity give them a dangerous edge; they sound credible, confident, and urgent.

Common tactics:

Impersonating IT staff or executives to pressure support teams.
SIM-swapping or MFA fatigue attacks to intercept or bypass two-factor authentication.
Spoofed email domains or compromised inboxes used for internal-style phishing.

3. Credential Harvesting and Privilege Escalation

Once inside, the group moves quickly to extract further credentials. Tools such as Mimikatz, Cobalt Strike, and legitimate Windows administration tools (e.g. PowerShell, PsExec) are used to escalate privileges and move laterally across the network.

They specifically look for access to:

Identity infrastructure (Active Directory, Okta, Azure AD)
Remote access tools (VPNs, RDP gateways, Citrix)
Data repositories containing sensitive customer or business data

This phase may last hours or days, depending on the target’s size and the level of access achieved.

4. Data Exfiltration and Pre-Ransom Preparation

Before deploying ransomware, SCATTERED SPIDER usually exfiltrates a trove of sensitive data. This forms the basis of their double extortion strategy; even if a victim can restore from backups, they may still pay to prevent the public release of confidential files.

Common methods:

Compressing and uploading files to cloud storage services or attacker-controlled servers
Encrypting and staging data to avoid detection by DLP or antivirus tools

In some cases, the group leaves behind backdoors or admin accounts to retain long-term access or re-extort victims in the future.

5. Ransomware Deployment via DragonForce

Once exfiltration is complete and the environment is primed, SCATTERED SPIDER deploys DragonForce ransomware across the compromised network. The ransomware is configured to encrypt files rapidly and disrupt operations, sometimes including domain controllers and backup servers, to maximise impact.

Victims then receive a ransom note directing them to a Tor-based portal for negotiations. If payment isn’t made within a specified timeframe, stolen data is posted on a leak site associated with DragonForce.

Key Takeaways:

SCATTERED SPIDER relies on human error as much as technical vulnerabilities.
The group’s knowledge of Western IT environments makes it easier for them to blend in and manipulate systems and staff.
Their multi-stage attack chain: access, escalation, exfiltration, encryption, is methodical and difficult to detect in real time.

Image Credit – Reeds Solicitors

Why SCATTERED SPIDER’s Approach Is Especially Dangerous

SCATTERED SPIDER doesn’t operate like a traditional ransomware crew. Their campaigns combine social engineering finesse with technical aggression, resulting in a hybrid threat model that blends cybercrime with tactics more often associated with espionage groups. Here’s why they stand out and why they’re so difficult to defend against.

1. Deep Impersonation and Real-Time Manipulation

Unlike typical phishing groups that rely on mass email blasts, SCATTERED SPIDER employs live, targeted deception. Their operators speak fluent, unaccented English and are adept at impersonating IT personnel, executives, or employees in distress.

They frequently call help desks or IT support lines, using:

Personalised information gathered through OSINT
Spoofed phone numbers and internal-sounding email addresses
Calm, confident delivery to manipulate support staff in real time

This level of human-centred deception is rarely seen in conventional cybercrime campaigns and poses a serious challenge for security teams.

2. Precision Targeting of Identity Infrastructure

SCATTERED SPIDER understands that identity is the new perimeter. Rather than merely compromising a system, they aim to take control of identity and access management tools like:

Okta
Active Directory
Azure AD
SSO and MFA services

By doing so, they’re not just accessing individual endpoints, they’re taking over the core trust fabric of the organisation. Once they own your identity systems, lateral movement and persistence become trivially easy.

3. Speed and Aggression Outpacing Detection

While many attackers spend weeks in a network quietly collecting data, SCATTERED SPIDER moves with urgency and intent. In many cases:

Initial access to ransomware deployment can take place in less than 48 hours.
They bypass traditional controls using legitimate tools (Living off the Land), leaving minimal forensic traces.
They often disable security tools, delete logs, or backdoor admin accounts to stay one step ahead.

Traditional defences based on known signatures, blacklists, or passive monitoring are often too slow or too blind to respond in time.

4. Blurring the Line Between Cybercrime and Nation-State Tactics

Although motivated by financial gain rather than geopolitics, SCATTERED SPIDER’s tradecraft exhibits a level of maturity and adaptation more typical of state-sponsored APT groups. This includes:

Tailored intrusion techniques for specific industries and environments
Multi-stage attacks with operational patience
Use of multiple extortion channels, including PR pressure and data leak sites

This hybrid operational model: part ransomware gang, part APT, means traditional classifications don’t fully capture the scope of their threat. For defenders, this creates both strategic confusion and escalating risk.

In short, SCATTERED SPIDER is dangerous not just because of what they do, but how they do it. Their blend of psychological manipulation, identity compromise, and rapid escalation makes them one of the most formidable threats facing organisations today.

Defending Against SCATTERED SPIDER: Practical Guidance

While SCATTERED SPIDER’s tactics are sophisticated, they often exploit basic lapses in process, communication, and identity management. That means there are precautions organisations can take to harden themselves against this type of threat, without needing to reinvent their entire security stack.

1. Reinforce Help Desk Security Protocols

Since SCATTERED SPIDER frequently targets help desks and support teams, ensure those teams are trained to:

Never reset MFA or passwords without high-assurance identity verification.
Use call-back procedures or out-of-band verification for unusual requests.
Flag repeated or urgent requests as potential social engineering.

Adding simple checklists and mandatory escalation paths for sensitive account changes can drastically reduce social engineering success rates.

2. Harden Identity and Access Management

Identity remains a prime attack surface. To reduce risk:

Enforce phishing-resistant MFA, such as hardware tokens or app-based push authentication with device binding (rather than SMS or email codes).
Implement just-in-time access and least privilege policies for administrative accounts.
Regularly audit inactive accounts, especially third-party vendors and former employees.

Integrate identity telemetry into your detection stack: suspicious logins, MFA resets, or logins from new devices should trigger alerts.

3. Monitor for Signs of Lateral Movement

Once SCATTERED SPIDER is inside a network, time is of the essence. Deploy tools and strategies to detect:

Unusual use of remote admin tools (e.g. PowerShell, PsExec)
Use of credential dumping tools or abnormal privilege escalation
Lateral movement attempts, especially to identity infrastructure like Active Directory or Okta

EDR/XDR platforms with good behavioural analytics can be critical here, especially when coupled with 24/7 monitoring or MDR services.

4. Protect Your Data, and Know Where It Is

Given the group’s focus on data theft prior to encryption, prevention isn’t just about backups:

Map your critical data locations, especially customer, financial, and IP-related data.
Use Data Loss Prevention (DLP) tools to monitor exfiltration patterns.
Segment sensitive environments and restrict data access to only those who need it.

Ensure that backups are not just secure and segmented from your main network, but also tested regularly.

5. Prepare for the Human Side of a Crisis

Even strong technical controls can be undone by panic or poor decision-making in the moment. Prepare:

A ransomware playbook with clear response roles, legal guidance, and communications plans.
Crisis simulations or tabletop exercises that include scenarios involving data leaks and public extortion.
Training for executives and PR teams on how to manage the reputational and regulatory impact.

Remember: SCATTERED SPIDER succeeds by catching organisations off guard, so make sure your teams know exactly how to respond under pressure.

Security Culture Is Your Best Defence

At the end of the day, SCATTERED SPIDER’s tactics work because they exploit human trust, urgency, and complexity. Investing in detection tools is important, but fostering a culture of scepticism, verification, and shared responsibility across the organisation is what truly builds resilience.

Stay Vigilant, Stay Informed

SCATTERED SPIDER has proven that ransomware is no longer just about encrypted files and ransom notes — it’s about controlling identities, deceiving people, and outpacing traditional defences. Their campaigns demonstrate just how effective a threat actor can be when they combine technical proficiency with social engineering and real-time manipulation.

What makes them especially dangerous is not just the tools they use, but the tactics and mindset behind their operations. This is a group that studies its targets, adapts rapidly, and blends psychological and technical attacks with striking efficiency.

For organisations in the UK, the US, and beyond, the message is clear: security isn’t just a technology problem — it’s a people and process problem too. Preventing the next SCATTERED SPIDER-style breach means:

Educating and empowering support staff
Hardening identity infrastructure
Monitoring for the unexpected
And rehearsing how you’ll respond under pressure

Cybercriminals evolve constantly. So must we.

Header image > Photo by Егор Камелев on Unsplash.

SOS Intelligence Webinar

Business Update Webinar – you’re invited!

by Amir Hadzipasic

May 21, 2025

A date for your diaries, or rather, your calendar 🙂 Please join us on Wednesday, June 4th at 4pm UK time for our third webinar of the year where I will be taking you through our platform updates, and there are many!

Look forward to seeing you and taking your questions.

Best wishes,

Amir

Who is this for?

Anyone in a business or organisation who has responsibility for online security
CTOs or senior managers who want to understand why there is a critical need for a service like SOS Intelligence
IT / Cyber Security teams
Business owners who are worried about the recent cyber attacks in the UK

What we will cover:

NEW Key Features

SSO
Better UX
Threat Tracker
Domain Monitor
DARKMAP rebuild and improvements
On demand RFIs
Vulnerability Intelligence

Our AI Analyst

Fully Integrated, private LLM agent
Alert Analysis
Content Analysis
Natural Language querying

Hosted by Jon Moss and SOS Intelligence Founder and CEO, Amir Hadzipasic

Sign up to the webinar to receive a recording via email if you cannot attend on the day. By signing up you will also receive our newsletter for future events. You can always unsubscribe with one click.

Photo by Headway on Unsplash

Investigation, The Dark Web

Analysing DDoSIA: Threat Intelligence Insights into a Coordinated DDoS Operation

by Daniel Collyer

February 19, 2025

In the evolving landscape of cyber threats, DDoSIA has emerged as a significant force, orchestrating distributed denial-of-service (DDoS) attacks against organisations worldwide. Believed to be operated by pro-Russian hacktivist groups, DDoSIA mobilises volunteer participants to overwhelm targeted networks, causing disruptions to businesses, government institutions, and critical infrastructure. With its decentralised approach and sustained campaigns, this operation has become a persistent threat to cybersecurity resilience.

Tracking DDoSIA is crucial for cybersecurity and threat intelligence (CTI) professionals. By understanding its tactics, techniques, and infrastructure, defenders can better anticipate attacks, mitigate their impact, and adapt defensive strategies. As part of our mission at SOS Intelligence, we continuously monitor, collect, and analyse DDoSIA-related data, offering actionable intelligence to help organisations stay ahead of this evolving threat.

Understanding DDoSIA and Its Attack Infrastructure

DDoSIA is a coordinated distributed denial-of-service (DDoS) campaign operated by pro-Russian hacktivist groups, notably NoName057(16). This group, along with other affiliated threat actors, is known for conducting disruptive cyber operations against organisations and governments deemed hostile to Russian interests. NoName057(16) has been active since at least 2022, launching frequent DDoS attacks against Western institutions, particularly those supporting Ukraine. The group operates as part of a broader ecosystem of pro-Russian cyber collectives, often aligning with entities like KillNet and Anonymous Russia, which share similar geopolitical motivations.

Unlike state-sponsored advanced persistent threats (APTs) that focus on espionage or destructive cyberattacks, DDoSIA is a crowdsourced DDoS initiative, incentivising participants to join attacks. Volunteers—many of whom are ideologically aligned with Russia’s geopolitical stance—are recruited via messaging platforms and forums, where they receive instructions and access to attack tools. Participants are often encouraged through financial rewards or patriotic motivations, making DDoSIA a hybrid between hacktivism and cyber warfare.

How DDoSIA Operates

DDoSIA primarily leverages volumetric and application-layer DDoS attacks, aiming to overwhelm websites, APIs, and network infrastructure. Attack vectors include:

HTTP flooding – Generating large numbers of HTTP requests to exhaust server resources.
UDP and TCP floods – Saturating network bandwidth with high-volume traffic.
Slowloris attacks – Holding connections open to deplete available server connections.
Bot-assisted attacks – Some participants utilise proxy networks and automated scripts to scale up attack intensity.

The group has targeted various sectors, including government agencies, financial institutions, defence contractors, and logistics providers. A particular focus has been placed on countries actively supporting Ukraine, such as the UK, the US, Poland, and Germany. Attack campaigns often coincide with key political events, military aid announcements, or sanctions imposed against Russia, demonstrating a coordinated cyber-influence strategy.

The Importance of Real-Time Intelligence

Given DDoSIA’s adaptive tactics and decentralised operational model, real-time intelligence is critical for understanding and mitigating its impact. Traditional DDoS mitigation measures alone are insufficient, as the threat landscape evolves rapidly. Continuous monitoring of:

Attack infrastructure changes (e.g., new command-and-control nodes, shifting IP ranges).
Recruitment activities in underground forums and messaging platforms.
Indicators of compromise (IOCs) and attack patterns.

…enables cybersecurity teams to stay ahead of threats.

At SOS Intelligence, we actively track, collect, and analyse DDoSIA-related intelligence, helping organisations anticipate attacks, implement proactive defences, and mitigate operational disruptions before they escalate. By leveraging OSINT, deep web monitoring, and network telemetry, we provide actionable insights to counter the evolving tactics of DDoSIA and its affiliates.

Analysis, Evaluation, and Recommendations

Understanding DDoSIA’s Attack Trends

Unlike financially motivated DDoS campaigns, which often involve extortion or ransom demands, DDoSIA’s attacks are ideologically driven and aim to disrupt services in nations perceived as adversaries of Russia.

Since October 2024, SOS Intelligence has been collecting data from the DDoSIA network, the analysis of which provides critical insight into DDoSIA’s recent campaigns, revealing its geopolitical focus, attack methodologies, and targeted infrastructure. The findings help contextualise the scope of the operation, exposing which nations, industries, and services are most affected.

1. Top Targeted Countries

The distribution of attacks by country reveals a strategic effort to disrupt organisations aligned against Russian interests. The most targeted nations include:

Ukraine – Consistently the most heavily attacked country, aligning with DDoSIA’s broader mission to destabilise Ukrainian institutions and weaken its digital infrastructure. The targeting of government agencies, financial institutions, and media organisations suggests an attempt to create operational disruption and information blackout scenarios.
Poland & the Baltic States (Lithuania, Latvia, Estonia) – These nations have been frequent targets of Russian-aligned cyber campaigns due to their strong support for Ukraine. Their strategic position in NATO and the EU’s Eastern flank makes them key adversaries in Russia’s hybrid warfare strategy.
Western European Nations (France, Germany, UK, Italy, Spain) – The presence of these countries in DDoSIA’s targeting list suggests an attempt to undermine NATO members and critical Western businesses, particularly those providing support to Ukraine.
Czech Republic & Slovakia – These Central European nations have seen increasing attacks, likely due to their role in military aid and logistical support to Ukraine.

Evaluation

The targeting strategy aligns with broader Russian state-aligned cyber operations, which aim to erode public trust in institutions and disrupt critical services. The focus on government, finance, and media sectors indicates an effort to undermine operational stability and create ripple effects that extend beyond the direct victims.

Implications for Cyber Threat Intelligence (CTI):

Intelligence gathering on Russian hacktivist groups should prioritise understanding evolving target lists to anticipate future attacks.
Governments and high-risk organisations in these regions should implement heightened DDoS protections and real-time monitoring to mitigate potential disruptions.

2. Top Victim IPs and Their DDoS Mitigation Status

A key insight from the dataset is the list of IPs that sustained the highest number of DDoS attacks, offering a window into DDoSIA’s strategic intent. The most frequently targeted IPs include:

Ukrainian Government Infrastructure (91.212.223.216, 18 attacks) – This aligns with previous attacks on Ukrainian state services, attempting to disrupt government communications, digital services, and emergency response systems.
Microsoft (13.107.246.44 & 13.107.246.61, 14 & 12 attacks) – These IPs are tied to Azure-hosted services, suggesting DDoSIA is attempting to target cloud infrastructure supporting Western businesses or cybersecurity initiatives.
Polish Banking Networks (193.19.152.74, 10 attacks) – The focus on financial institutions is indicative of an effort to destabilise economic activity in Poland, a strong supporter of Ukraine.
French E-commerce & Hosting Services (51.91.236.193, 8 attacks) – The targeting of commercial platforms suggests that DDoSIA is testing the impact of attacks on economic stability and supply chains.

DDoS Mitigation Status Analysis

One of the most notable findings is that many of these victim IPs do not publicly advertise their use of Cloudflare, AWS Shield, or other major DDoS mitigation services. This raises concerns about their ability to withstand sustained attack campaigns.

High-profile organisations like Microsoft likely have in-house protections, but the presence of their IPs on the list suggests that attackers are attempting to overwhelm cloud-based services.
Government infrastructure in Ukraine and Poland appears to be a primary target, reinforcing the need for centralised state-sponsored DDoS defences.
Smaller financial institutions and e-commerce platforms may lack the necessary defences, leaving them vulnerable to outages.

Evaluation

The data suggests that DDoSIA’s attack strategy is not just about volume but also persistence. By continuously targeting specific IPs associated with critical services, they are attempting to cause prolonged service degradation rather than instant takedowns.

Recommendations:

At-risk organisations should conduct a full audit of their current DDoS protection measures, ensuring they use enterprise-grade filtering solutions.
Cloud-based services should enhance their rate-limiting policies to mitigate bot-driven HTTP floods.
Government agencies should coordinate with cybersecurity providers to implement real-time defence measures.

3. Top Attack Methods and Vectors

DDoSIA utilises a combination of attack techniques designed to bypass basic mitigation measures. The most frequently observed attack vectors include:

TCP SYN Floods – A classic technique used to exhaust connection resources on servers.
HTTP GET/POST Floods – Targeting application-layer services, often overwhelming login pages, checkout processes, or API endpoints.
DNS Amplification – Leveraging misconfigured DNS servers to exponentially increase attack traffic.

Evaluation

The presence of HTTP-layer floods indicates an intentional effort to bypass traditional DDoS filtering, which primarily focuses on volumetric mitigation. The attack patterns suggest that DDoSIA’s botnet includes a mix of compromised systems, VPNs, and residential IPs, making mitigation more complex.

Recommendations

For Organisations at Risk

Implement Layered DDoS Mitigation
- Use a high-quality DDoS mitigation package, such as Cloudflare, AWS Shield, or Akamai for automated volumetric protection.
- Deploy Web Application Firewalls (WAFs) to filter out malicious HTTP traffic.
Proactive Threat Intelligence & Monitoring

Implement network anomaly detection tools to identify and block low-volume, high-impact attacks.
Use geolocation filtering to block or challenge traffic from high-risk regions.
Strengthen API & Login Security

Enforce CAPTCHAs and rate-limiting on login and checkout pages.
Deploy bot management solutions to detect automated DDoS tools.

For CTI Professionals & Security Teams

Expand DDoSIA Attribution & Tracking
- Monitor NoName057(16)’s recruitment channels to identify new botnet strategies.
- Use honeypots and deception techniques to study attack behaviour in real-time.
Enhance Threat Intelligence Sharing

Collaborate with government agencies and private sector security teams to exchange attack data.
Track botnet infrastructure and preemptively blacklist high-risk traffic sources.
Develop & Update DDoS Playbooks

Conduct regular red team exercises to test DDoS resilience.
Simulate HTTP-layer and multi-vector attacks to identify weaknesses before adversaries exploit them.

Conclusion

The DDoSIA campaign, orchestrated by the NoName057(16) collective, is more than just a disruptive force—it is a tactically coordinated effort aimed at destabilising key institutions in countries opposing Russian geopolitical interests. The data analysed from recent attacks highlights clear patterns in target selection, attack vectors, and mitigation gaps, providing crucial insights into how organisations can defend against such threats.

The attack data reveals a strong geopolitical alignment, with Ukraine, Poland, the Baltic states, and Western European nations being primary targets. The focus on government agencies, financial institutions, and media organisations suggests an intent to erode public confidence, interfere with economic stability, and control narratives in critical regions. Additionally, the fact that Microsoft-hosted services and Polish banking networks have been frequently attacked underlines the strategic importance of both public and private sector entities remaining highly vigilant.

A notable trend is the increasing use of application-layer DDoS techniques (e.g., HTTP floods, DNS amplification, SYN floods), which require more than just volumetric DDoS mitigation. Attackers are leveraging residential proxies, VPN services, and compromised IoT botnets to make their traffic appear legitimate, complicating detection and response efforts.

DDoS as a Smokescreen for Other Cyber Threats

While DDoS attacks are disruptive, they can also serve as a distraction for more insidious cyber activities, such as:

Network Intrusions & Data Exfiltration – Attackers may launch DDoS attacks to overwhelm security teams, diverting attention while stealing sensitive data or planting backdoors in the organisation’s infrastructure.
Ransomware Deployment – A coordinated DDoS attack could mask the initial stages of ransomware infections, where threat actors attempt to move laterally through a network before detonating their payloads.
Supply Chain Compromise – Threat actors may target cloud-based services or third-party providers with DDoS attacks, creating cascading failures that expose vulnerabilities in interconnected systems.

For security teams, this means that DDoS attacks should never be treated in isolation. Organisations must simultaneously monitor network traffic, logs, and user activity for signs of unauthorised access, privilege escalation, or data exfiltration attempts occurring under the cover of a DDoS event.

Strategic Recommendations

To counteract the risks posed by DDoSIA and other hacktivist-driven campaigns, organisations must adopt a multi-layered cybersecurity strategy:

Advanced DDoS Protection – Deploy Cloudflare, AWS Shield, Akamai, or on-premise DDoS mitigation solutions, with an emphasis on layer 7 (application-level) attack filtering.
Real-Time Threat Intelligence & Incident Response – Maintain continuous monitoring of attack trends and collaborate with threat intelligence providers to detect emerging tactics early.
Cross-Channel Security Visibility – Integrate SIEM solutions and Network Detection & Response (NDR) tools to ensure that security teams aren’t solely focused on DDoS traffic, but also on potential concurrent threats.
Red Teaming & Attack Simulations – Conduct regular stress-testing of infrastructure and simulate multi-pronged attack scenarios to evaluate how well defensive controls hold up under real-world conditions.
Enhanced Access Controls & Zero Trust – Implement strict user authentication, segmentation of critical systems, and anomaly detection mechanisms to prevent lateral movement during attacks.

Final Thoughts

The DDoSIA campaign exemplifies the increasingly coordinated and persistent nature of cyber threats that blend hacktivism, cybercrime, and geopolitical objectives. As attack techniques evolve, organisations must move beyond reactive defences and adopt proactive, intelligence-driven security strategies.

Crucially, security teams must recognise that DDoS attacks may not be the endgame—they could be a diversion tactic for deeper, more damaging intrusions. By combining DDoS mitigation with network forensics, endpoint monitoring, and proactive intelligence-sharing, organisations can stay ahead of evolving threats and prevent large-scale disruptions before they take hold.

Ultimately, early detection, rapid response, and holistic cybersecurity visibility will determine whether organisations withstand or succumb to these politically motivated cyber assaults.

How SOS Intelligence Empowers You to Analyse and Mitigate DDoSIA Threats

For organisations looking to take a proactive approach to defending against DDoSIA, SOS Intelligence provides raw and processed data that can be leveraged for deeper analysis. Rather than simply offering static reports, our platform enables security teams to interrogate the data in real-time, uncovering trends, patterns, and attack methodologies that can directly inform defence strategies.

Using our threat intelligence feeds, organisations can:

Correlate Attacker Behaviour – By analysing historical and live attack data, security teams can identify recurring attack patterns, such as preferred attack vectors, geographic focus, and time-based fluctuations in activity.
Investigate Victimology – By reviewing which organisations, IP ranges, and services are being targeted, defenders can assess their own risk exposure and determine whether their industry, supply chain, or region is in DDoSIA’s crosshairs.
Detect Emerging Attack Trends – With access to raw network and attack metadata, users can identify new methods being deployed by DDoSIA before they become widespread. This allows for early countermeasure deployment before adversaries refine their techniques.
Enrich Internal Threat Intelligence – Security teams can cross-reference SOS Intelligence data with their own logs, SIEM alerts, and network telemetry to detect potential early-stage reconnaissance or ongoing infiltration attempts.
Assess DDoS Mitigation Effectiveness – By tracking which victims have successfully mitigated attacks, teams can gain insight into which defensive solutions (e.g., Cloudflare, AWS Shield, on-premise filtering) have proven most effective.

Turning Intelligence into Action

The true value of SOS Intelligence’s DDoSIA data lies in its ability to empower security professionals to extract their own insights. By combining our raw intelligence with in-house security expertise, organisations can:

Adjust firewall rules and DDoS protection settings based on the latest attack techniques.
Pre-emptively strengthen defences if they belong to an at-risk industry, country, or sector.
Monitor attack shifts in real-time to anticipate secondary threats such as network intrusions, data exfiltration, or ransomware campaigns that may accompany a DDoS event.
Share intelligence within their cybersecurity community to strengthen collective resilience against DDoSIA and similar threats.

Your Intelligence, Your Analysis, Your Defence

SOS Intelligence doesn’t just provide data, it offers a toolset for investigation and insight generation. By leveraging our feeds, logs, and analysis tools, security teams can turn raw data into actionable intelligence, enabling them to detect, understand, and mitigate DDoSIA threats before they escalate.

By combining our intelligence with your expertise, your organisation can stay ahead of DDoSIA’s evolving tactics and transform threat data into a proactive defence strategy.

Header image source – GBHackers.

SOS Intelligence Webinar

Livestream: Top 5 Cybersecurity Concerns for 2025

by Amir Hadzipasic

February 5, 2025

What Security Professionals Need to Know

For our first webinar of 2025 we are going to be discussing a number of key topics that will impact us all this year and in the future.

What we will cover:

AI-Powered Cyber Attacks
Advanced Ransomware Techniques
Zero-Day Vulnerabilities
Insider Threats
Geopolitical Tensions and State-Sponsored Attacks

We will also be looking at the important Mitigation Strategies and Best Practices to try and counter these threats. There will be plenty of time for questions and discussion too. We are going to have a lot to discuss!

We are recording the session so if you sign up and are not able to make it, you will be sent a replay.

Photo by FlyD on Unsplash

Opinion, SME Cybersecurity, Tips

Proactive Digital Risk Monitoring: Stay Ahead of Emerging Threats

by Daniel Collyer

October 24, 2024

In today’s hyperconnected digital landscape, businesses and individuals are facing an unprecedented level of cyber threats. From data breaches to ransomware attacks, cybercriminals are constantly evolving their tactics, targeting vulnerabilities, and exploiting weak spots in both personal and organisational security. As the threat landscape becomes more complex, it is no longer sufficient to simply react to attacks after they occur. Instead, proactive digital risk monitoring has become essential for staying ahead of emerging threats and safeguarding valuable assets.

This blog explores the importance of proactive digital risk monitoring, the key components of an effective monitoring strategy, and how businesses and individuals can benefit from taking a proactive approach to their digital security.

Top 5 Cyber Threats Every SME Should Be Aware Of

The Growing Importance of Digital Risk

Digital risk refers to the potential for cyber threats to compromise the security, privacy, and operational integrity of businesses and individuals. This encompasses a broad range of risks, including data breaches, identity theft, cyberattacks, financial fraud, and reputational damage. As digital transformation continues to reshape industries and personal lives, the attack surface for cybercriminals expands, creating more opportunities for exploitation.

Traditional security measures, such as firewalls, antivirus software, and encryption, provide important layers of defence. However, they are often reactive, meaning they address threats only after they have already occurred. In contrast, digital risk monitoring is a proactive approach that involves continuously scanning and assessing digital environments for potential risks. By identifying threats before they have a chance to cause harm, organisations and individuals can stay one step ahead of attackers and avoid costly disruptions.

Why Proactive Digital Risk Monitoring Matters

The rapid evolution of cyber threats means that waiting for an attack to happen before responding is no longer a viable strategy. Cybercriminals are increasingly sophisticated, employing tactics such as phishing, social engineering, ransomware, and malware to bypass traditional defences. Furthermore, threats can emerge from a wide range of sources, including insider attacks, third-party vulnerabilities, and new zero-day exploits.

Proactive digital risk monitoring helps mitigate these risks by continuously monitoring for signs of suspicious activity, vulnerabilities, and emerging attack vectors. This allows businesses and individuals to detect threats early and take swift action to prevent damage.

For individuals, the consequences of a cyberattack can be devastating, with personal data, financial information, and even social media accounts becoming prime targets for exploitation. Proactive monitoring tools offer early warnings about potential security breaches, allowing individuals to protect their personal information before it’s too late. These tools can also help users monitor personal devices for malware or unauthorised access, ensuring that cybercriminals are detected before they can steal data or cause disruptions.

For businesses, the stakes are even higher. A single data breach can result in significant financial losses, damage to brand reputation, and legal penalties under data protection laws such as the General Data Protection Regulation (GDPR) or the Data Protection Act. Proactive digital risk monitoring not only helps businesses reduce the likelihood of such breaches but also enables them to fulfil their compliance obligations by showing they took preemptive measures to protect sensitive data. In highly regulated industries like healthcare and finance, such an approach is essential.

Core Components of Digital Risk Monitoring

Digital risk monitoring involves a combination of tools, technologies, and processes designed to provide a comprehensive overview of potential threats. Here are some of the key components:

1. Threat Intelligence

Threat intelligence involves gathering and analysing data about potential and current threats, helping organisations and individuals stay informed about the tactics, techniques, and procedures used by cybercriminals. This information is collected from various sources, including open-source intelligence (OSINT), proprietary databases, and the dark web.

The insights gained from threat intelligence enable more informed decision-making, helping to prioritise risks and allocate resources to address the most pressing threats. By monitoring real-time intelligence, organisations can identify emerging vulnerabilities and take preemptive measures to close security gaps before they are exploited.

Threat intelligence is especially valuable for spotting trends in cybercrime. As attacks such as ransomware continue to rise, having real-time data about threat actors’ methodologies can be the difference between successfully defending against an attack or becoming a victim. The ability to track ransomware groups, phishing campaigns, or distributed denial-of-service (DDoS) activities empowers security teams to preemptively bolster defences where needed.

2. Dark Web Monitoring

The dark web is a hidden part of the internet where cybercriminals trade stolen data, malware, and hacking tools. Monitoring this space is critical for detecting potential data breaches or threats before they escalate. Dark web monitoring tools scan underground marketplaces, forums, and chat rooms for signs that sensitive information, such as usernames, passwords, or personal data, has been compromised.

By identifying these early warning signs, businesses can take swift action to secure accounts, notify affected individuals, and prevent further damage. Similarly, individuals can benefit from dark web monitoring by receiving alerts if their personal information is being traded or misused. Being aware that stolen credentials are being sold allows individuals to change passwords or enable multi-factor authentication (MFA) before any unauthorised access occurs.

SOS Intelligence Ransomware Statistics October 23

For organisations, dark web monitoring has become a key aspect of supply chain security as well. Compromised data related to third-party vendors or partners can be an early indicator of broader cybersecurity risks. Monitoring this space ensures that businesses can track the spread of any exposed credentials or intellectual property, giving them a head start on responding to potential supply chain breaches.

3. Vulnerability Scanning

Vulnerability scanning tools are designed to automatically assess systems, networks, and applications for security weaknesses that could be exploited by attackers. These tools identify unpatched software, misconfigurations, and other vulnerabilities that cybercriminals could use to gain unauthorised access to sensitive data.

Regular vulnerability scanning is essential for maintaining a strong security posture. It ensures that potential entry points for attackers are identified and addressed in a timely manner, reducing the risk of exploitation. In today’s environment, where remote workforces rely on cloud services and various digital platforms, the need for regular scanning is even greater, as businesses must secure a rapidly expanding range of access points.

For individuals, using vulnerability scanning tools on personal devices and home networks can help secure devices such as routers, IoT devices, and computers. With many individuals now using personal devices for work, ensuring these devices are free from vulnerabilities is crucial for both personal and professional security.

4. Brand Monitoring

Cybercriminals often impersonate legitimate companies in phishing attacks or fraudulent schemes. Brand monitoring tools help organisations track how their brand is being used online and detect instances of impersonation, domain squatting, or other unauthorised uses of their identity.

By proactively monitoring brand mentions on social media platforms, domain registrations, and other online sources, organisations can detect and respond to brand abuse before it damages their reputation or puts their customers at risk. For example, phishing emails often use look-alike domains to trick recipients into thinking the message is from a legitimate source. Detecting these fraudulent domains early allows businesses to take them down before any major damage is done.

Brand monitoring also helps businesses keep track of customer sentiment and potential security-related complaints. If customers are publicly mentioning phishing attacks that appear to come from a legitimate brand, the company can act swiftly to alert customers and work with platforms to block or remove the fraudulent content.

5. Incident Response

Even with proactive monitoring in place, incidents can still occur. That’s why having a well-defined incident response plan is critical. Digital risk monitoring tools often include incident response features that guide organisations and individuals through the steps needed to contain and mitigate the damage of a cyber incident.

Spot the Scam: Recognising Phishing and Social Engineering Tactics

Effective incident response requires rapid detection, investigation, and remediation of the threat. The faster an organisation or individual can respond to a threat, the less damage it is likely to cause. Digital risk monitoring tools often provide real-time alerts and actionable insights to help guide response efforts, making it easier to isolate compromised systems, remove malicious software, or notify affected parties.

Incident response also relies on strong communication protocols, ensuring that all stakeholders are informed of the situation and can respond accordingly. For businesses, this includes IT staff, legal teams, public relations teams, and any regulatory bodies that may need to be notified.

Benefits of Proactive Digital Risk Monitoring

Adopting a proactive digital risk monitoring strategy offers numerous benefits to both organisations and individuals. Let’s explore some of the most significant advantages:

1. Early Detection of Threats

One of the primary benefits of digital risk monitoring is the ability to detect and address threats early, before they can cause significant harm. By continuously monitoring for suspicious activity, organisations and individuals can respond quickly and mitigate the risk of data breaches, financial loss, and reputational damage.

2. Strengthened Security Posture

Regular vulnerability scanning and real-time threat intelligence help improve overall security posture. Proactive monitoring ensures that weaknesses are identified and addressed as soon as they emerge, reducing the risk of cyberattacks and improving resilience to potential threats.

3. Cost Savings

Responding to a cyberattack can be costly, especially if it involves legal fees, fines, and remediation efforts. Proactive digital risk monitoring can help reduce these costs by preventing attacks before they occur, minimising the need for expensive incident response measures and lowering the risk of fines associated with data breaches.

4. Enhanced Compliance

Many industries are subject to regulations that require organisations to monitor for potential threats and report breaches. Proactive digital risk monitoring helps organisations meet these compliance requirements by providing the tools necessary to detect and address risks in real time.

5. Peace of Mind

For individuals, proactive digital risk monitoring provides peace of mind. Knowing that their personal data, financial information, and online accounts are being monitored allows individuals to take quick action if a threat is detected, reducing the risk of identity theft or fraud.

Implementing a Proactive Digital Risk Monitoring Strategy

Implementing an effective digital risk monitoring strategy requires a combination of the right tools, processes, and expertise. Organisations should start by assessing their risk landscape and identifying the most critical assets they need to protect. From there, they can deploy the appropriate monitoring tools, such as threat intelligence platforms, vulnerability scanners, and dark web monitoring solutions.

For individuals, using personal security tools, such as password managers, dark web monitoring services, and antivirus software, can help secure personal information and detect potential threats.

Conclusion

In a world where cyber threats are constantly evolving, taking a reactive approach to digital security is no longer enough. Proactive digital risk monitoring offers individuals and organisations the ability to stay ahead of emerging threats, protect valuable assets, and avoid costly disruptions. By adopting a proactive strategy that includes threat intelligence, vulnerability scanning, dark web monitoring, and incident response, businesses and individuals can significantly reduce their risk exposure and safeguard their digital environments.

What we can do to help

At SOS Intelligence, we specialise in providing advanced cyber threat intelligence and digital risk monitoring solutions. We are trusted by many organisations and businesses who recognise the essential service we provide.

Our platform is designed to help businesses and organisations identify, analyse, and mitigate potential cyber threats before they cause harm. Using a combination of AI-driven tools and expert analysis, we monitor the deep and dark web, criminal forums, and other online sources to detect potential risks such as data breaches, leaked credentials, or emerging malware threats.

Our digital risk monitoring services give organisations real-time visibility into their cyber exposure, allowing them to proactively address vulnerabilities and stay ahead of adversaries. We provide actionable intelligence that helps to protect sensitive data, intellectual property, and brand reputation. Whether it’s identifying potential phishing attacks or discovering compromised accounts, our tools ensure that organisations can act swiftly to mitigate risks.

We also offer bespoke solutions tailored to specific business needs, enabling our clients to safeguard their digital assets effectively. With SOS Intelligence, you gain the confidence of knowing that your organisation is continuously protected in an ever-evolving digital landscape.

What now? May we suggest scheduling a demo here? So many of our customers say they wish they found us earlier. We look forward to meeting you.

Photo by 🔮🌊💜✨ on Unsplash

Opinion, SME Cybersecurity, Tips

10 Best Cybersecurity Practices for Individuals and Businesses

by Daniel Collyer

October 17, 2024

In today’s increasingly digital world, cybersecurity is no longer just a concern for IT departments. With the proliferation of personal devices and remote work, individuals and businesses alike face a constant barrage of cyber threats. Whether it’s phishing attacks, data breaches, or malware, the risks are real and growing. By implementing key cybersecurity practices, you can protect sensitive data, reduce your vulnerability, and ensure a safer digital environment. Below, we explore the 10 best cybersecurity practices for both individuals and businesses, from two-factor authentication to regular data backups.

1. Enable Two-Factor Authentication (2FA)

Two-factor authentication (2FA) adds an extra layer of security to your accounts by requiring not only a password but also a second form of verification, such as a code sent to your phone. This ensures that even if your password is compromised, the attacker cannot access your account without the second factor.

For individuals, 2FA can be enabled on email accounts, social media platforms, and financial services. For businesses, implementing 2FA across corporate networks and systems significantly reduces the risk of unauthorised access. Beyond login security, 2FA is also crucial in protecting sensitive areas such as payment gateways or admin control panels.

While enabling 2FA might seem like an extra step in your daily login routine, the benefits far outweigh the inconvenience. Cybercriminals primarily target easy opportunities. By adding this additional layer of security, you’re drastically lowering your risk of falling victim to an attack. Furthermore, modern 2FA solutions offer options such as biometrics, reducing friction for users.

Why it matters: Passwords alone can be easily stolen through phishing attacks or brute-force techniques. Adding a second verification step makes it exponentially harder for hackers to gain access, even if your password is leaked in a data breach.
Tip for businesses: Ensure that all employees use 2FA for their work accounts, especially for admin-level accounts, which are often the prime targets for attackers. Also, enforce this across all remote access points to protect against network vulnerabilities.

2. Use Strong, Unique Passwords

Passwords are the first line of defence in protecting your accounts. Yet, many individuals and businesses still rely on weak or reused passwords across multiple accounts. A strong password is typically at least 12 characters long, uses a mix of letters, numbers, and special characters, and avoids easily guessable information such as birthdates or common words.

For businesses, the stakes are higher. Poor password hygiene can lead to breaches that expose sensitive data and damage customer trust. It’s crucial to enforce strict password policies and encourage employees to use a password manager to generate and store complex passwords securely. A password manager can significantly simplify the task of managing numerous complex passwords, removing the temptation to reuse them.

Beyond the immediate protection against password-based attacks, using strong and unique passwords for each service ensures that even if one account is compromised, others remain safe. Additionally, businesses should regularly audit their password policies, ensuring that no default passwords remain in use within the organisation.

Why it matters: Reusing passwords across multiple platforms can lead to a domino effect where one breach leads to multiple compromised accounts. Strong passwords help mitigate brute-force attacks, where hackers try numerous combinations to crack a password.
Tip for individuals: Avoid using personal information like pet names or birthdays. Instead, consider using a passphrase—a longer, more complex string of words that’s easier to remember but difficult to guess. Passphrases are especially effective because they balance security and ease of use.

3. Regularly Update Software and Systems

Software updates aren’t just about new features—they often contain critical security patches that fix vulnerabilities. Cybercriminals frequently exploit outdated software to gain access to systems, making it vital for both individuals and businesses to regularly update operating systems, applications, and security software. However, updates are often delayed by users or administrators who find them inconvenient, creating a significant security gap.

For individuals, turning on automatic updates for your devices can help ensure that critical security patches are applied as soon as they become available. Businesses, especially those managing a range of systems and devices, should establish clear policies around patch management, including regular audits to ensure compliance.

Neglecting updates can leave your devices exposed to a wide range of cyber threats, including zero-day exploits that target newly discovered vulnerabilities. In fact, some of the most devastating cyberattacks in recent years exploited unpatched software vulnerabilities that had been known but left unattended.

Why it matters: Keeping your software up-to-date reduces your risk of being targeted by attacks that exploit known vulnerabilities. Hackers actively scan for systems running outdated software, making it critical to stay ahead of the curve.
Tip for businesses: Implement automatic updates where possible and ensure that legacy systems are phased out or properly secured with compensating controls. For industries with regulatory compliance requirements, timely updates can also help avoid fines or penalties.

4. Backup Data Regularly

Data is one of the most valuable assets for both individuals and businesses. A well-structured data backup plan ensures that even in the event of a ransomware attack, hardware failure, or accidental deletion, your critical information can be recovered. In today’s environment, data loss could mean losing irreplaceable memories, critical business information, or legal documents.

For individuals, backing up photos, documents, and other important files to a secure location, whether in the cloud or on an external hard drive, can save you from disaster. For businesses, regular backups—ideally automated—should be an integral part of your disaster recovery plan. It’s also important to periodically test backups to ensure they function correctly when needed.

In the business context, maintaining regular backups that include system images allows organisations to restore not only data but also entire systems if necessary. This can be the difference between quickly recovering from an incident and suffering extended downtime.

Why it matters: Cyberattacks, particularly ransomware, often target your data. Without backups, you could lose irreplaceable information or be forced to pay a ransom to recover it. Even beyond cyberattacks, natural disasters or equipment failure can cause data loss.
Tip for businesses: Implement the 3-2-1 backup rule: keep three copies of your data, on two different types of media, with one stored offsite. This ensures redundancy and protection against various types of data loss, whether from physical damage, theft, or cyberattacks.

5. Educate Employees on Cybersecurity

A company’s cybersecurity is only as strong as its weakest link, and that link is often its employees. Human error is a major factor in many cyberattacks, particularly in cases of phishing and social engineering. Therefore, it’s critical to provide regular cybersecurity awareness training to employees, helping them recognise common threats such as suspicious emails or social engineering attempts.

For individuals, staying informed about common cyber threats can also help you avoid scams and phishing attacks that might target your personal accounts. However, for businesses, this extends to a formalised training programme, often involving real-world simulations, such as phishing tests, to assess employee awareness.

An educated workforce can serve as a powerful line of defence. When employees understand the risks, they are more likely to act responsibly, reducing the chances of inadvertently opening a door to cybercriminals. Regular updates to training programmes also help employees stay current on the latest threats.

Why it matters: Most cyberattacks start with an employee clicking on a malicious link or downloading a harmful attachment. Education can dramatically reduce these occurrences, making employees your first line of defence against breaches.
Tip for businesses: Simulate phishing attacks to test your employees’ vigilance and reinforce training in a practical, real-world way. Regularly updating the training content also ensures that employees stay aware of emerging threats and tactics.

6. Secure Your Wi-Fi Networks

Your Wi-Fi network is the gateway to your online activity, and an unsecured network can provide an easy entry point for attackers. Both individuals and businesses should ensure their Wi-Fi is protected with strong passwords and encryption. Unfortunately, unsecured networks are often overlooked in favour of convenience, leading to preventable breaches.

At home, many people leave the default router password unchanged, making it easy for hackers to access the network. For businesses, the situation is even more critical. Guest Wi-Fi, often provided for customer convenience, should be isolated from internal systems, ensuring that external users cannot inadvertently access sensitive business data.

Proper Wi-Fi security goes beyond just setting a strong password. It also includes using up-to-date encryption protocols, like WPA3, and disabling unnecessary features such as remote management. Businesses, in particular, should regularly audit their network configurations to ensure compliance with security best practices.

Why it matters: An unsecured network can allow hackers to intercept data, including passwords and financial information. Attackers often exploit weak network security to gain initial access, then pivot to more sensitive areas.
Tip for businesses: Use WPA3 encryption for your business network and ensure that guest Wi-Fi is isolated from critical internal systems. Consider implementing network segmentation to further limit access to sensitive systems based on user roles.

7. Use a Virtual Private Network (VPN)

A Virtual Private Network (VPN) encrypts your internet connection, making it much harder for cybercriminals to intercept your data. VPNs are particularly useful when working remotely or using public Wi-Fi, as these environments are more vulnerable to attacks. A VPN masks your IP address and makes your online activity less traceable, adding another layer of privacy.

For businesses, providing employees with VPN access ensures secure communication between remote workers and the company’s internal network. This is especially important for organisations with a distributed workforce or for employees who travel frequently. Enforcing VPN use ensures that sensitive company data is not exposed over unsecured connections.

Beyond the obvious benefit of secure browsing, a VPN can also help bypass geo-restrictions, which can be important for businesses operating in multiple regions. Additionally, VPNs prevent ISPs and other third parties from tracking your online activity, further enhancing privacy.

Why it matters: Public Wi-Fi is often unsecured, leaving your data vulnerable to interception. A VPN provides a secure connection, whether you’re checking emails in a coffee shop or working remotely.
Tip for individuals: Always use a VPN when connecting to public Wi-Fi networks. For the best security, choose a reputable VPN provider with a no-logs policy and strong encryption standards.

8. Implement Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) limits access to systems and data based on an employee’s role within the organisation. This ensures that only authorised personnel can access sensitive information, reducing the risk of internal threats or accidental data exposure. For example, a marketing team member doesn’t need access to financial data, just as an IT administrator doesn’t require access to HR records.

For businesses, implementing RBAC is a critical step in protecting sensitive data and complying with privacy regulations like GDPR or HIPAA. This approach limits the potential damage of a breach by ensuring that even if one account is compromised, the attacker doesn’t gain access to everything.

RBAC can be managed through identity and access management (IAM) tools, allowing for easy enforcement and auditing of access policies. It’s also important to review these roles regularly, adjusting them as employees move within the organisation or as job functions evolve.

Why it matters: Limiting access to sensitive data reduces the likelihood of insider threats and ensures compliance with data protection regulations. Even if an account is compromised, the attacker’s access will be limited to only what the user’s role permits.
Tip for businesses: Regularly audit user access rights to ensure that they align with current job functions. Remove access immediately when employees leave the company or change roles, as lingering access points can create unnecessary security risks.

9. Monitor for Suspicious Activity

Detecting cyberattacks before they cause significant damage is crucial. Both individuals and businesses should actively monitor for suspicious activity, such as unauthorised logins, unusual device behaviour, or changes to security settings. Many security tools offer real-time monitoring and alerts that can notify you of potential breaches.

For businesses, implementing Security Information and Event Management (SIEM) systems can help centralise the detection of suspicious behaviour across the network. By collecting and analysing data from various sources, SIEM tools can help identify patterns that might indicate a potential attack. Regular auditing of logs and systems can also reveal signs of compromise.

Monitoring is about being proactive. Once an attack is detected, swift action can limit damage and prevent further spread. Organisations should have incident response plans in place, ensuring that they are ready to act when suspicious activity is detected.

Why it matters: The faster you detect a cyberattack, the faster you can respond. Delayed detection often leads to greater damage, whether it’s more data being stolen or malicious software spreading throughout the network.
Tip for individuals: Enable login alerts for all your accounts, so you’re immediately notified if someone attempts to access your account from an unrecognised device or location. This can provide an early warning of a potential breach.

10. Conduct Regular Security Audits

A security audit is a comprehensive assessment of your security policies, systems, and practices. For businesses, regular audits are essential for identifying vulnerabilities, ensuring compliance with industry regulations, and validating that security controls are functioning as intended. Individuals can also benefit from self-audits by reviewing account security, device settings, and data backup practices.

For businesses, audits should involve testing everything from firewall configurations to employee security awareness. Conducting regular penetration tests, where ethical hackers attempt to breach your systems, can also provide valuable insights into potential weaknesses. These audits not only help improve security but also demonstrate due diligence in the event of a data breach.

By identifying weaknesses before they are exploited, you can take corrective action to strengthen your defences. Additionally, security audits provide an opportunity to review and update policies, ensuring that they reflect current best practices and emerging threats.

Why it matters: Cyber threats evolve quickly, and what was secure a year ago may not be secure today. Regular audits ensure that your defences are up-to-date and capable of defending against the latest threats.
Tip for businesses: Hire third-party auditors to provide an objective assessment of your security posture. These external audits can uncover blind spots that internal teams may overlook, offering a fresh perspective on your organisation’s security practices.

Conclusion

Cybersecurity is not a one-size-fits-all solution. It requires a combination of best practices, from using strong passwords and 2FA to regularly updating software and backing up data. For businesses, additional layers of protection, such as firewalls, access controls, and continuous monitoring, are essential to safeguarding critical assets.

Both individuals and businesses must remain vigilant and proactive, as the cyber threat landscape is constantly changing. By implementing these 10 best practices, you can greatly reduce the risk of cyberattacks and protect your personal and professional data.

In an age where digital threats are on the rise, securing your information has never been more important. Whether you’re an individual trying to safeguard your personal accounts or a business aiming to protect sensitive data, these cybersecurity practices are vital steps toward a safer digital future.

Photos by Ed Hardie Paulius Dragunas Siyuan Hu Misha Feshchak Privecstasy Luis Villasmil on Unsplash

SOS Intelligence Weekly News Round Up

Weekly News Round-up

by Daniel Collyer

August 6, 2024

29 July – 4 August 2024

CVE Discussion

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs.

News Roundup

Linux Servers Exposed to Data Exfiltration from TgRat

The TgRat trojan, first discovered in 2022, is now targeting Linux servers to steal data. Controlled via a private Telegram group, it can download files, take screenshots, execute commands remotely, and upload files. TgRat verifies the computer name’s hash upon startup and establishes a network connection if it matches, using Telegram to communicate with its control server.

Due to Telegram’s popularity and the anonymity it provides, TgRat’s use of it as a control mechanism makes detection difficult. It executes commands via the bash interpreter, encrypted with RSA, and manages multiple bots using unique IDs.

This unique control mechanism complicates detection, as typical network traffic to Telegram servers can mask malicious activity. Installing antivirus software on all local network nodes is recommended to prevent infection.

Threat Actors Using Fake Authenticator Sites to Deliver Malware

Researchers from ANY RUN identified a malware campaign called DeerStealer, which uses fake websites mimicking legitimate Google Authenticator download pages to deceive users. The primary site, “authentificcatorgoolglte[.]com,” looks similar to the genuine Google page to trick users into downloading malware. Clicking the download button on this fake site transmits the visitor’s IP address and country to a Telegram bot and redirects users to a malicious file on GitHub, likely containing DeerStealer, which can steal sensitive data once executed.

The Delphi-based DeerStealer malware employs obfuscation techniques to hide its activities and runs directly in memory without leaving a persistent file. It initiates communication with a Command and Control (C2) server by sending a POST request with the device’s hardware ID to “paradiso4.fun.” Subsequent POST requests suggest data exfiltration.

Analysis revealed the use of single-byte XOR encryption for transmitted data, uncovering PKZip archives containing system information. Researchers also linked DeerStealer to the XFiles malware family, noting that both use fake software sites for distribution but differ in their communication methods.

Threat Actors Abusing TryCloudflare to Deliver Malware

Cybercriminals are increasingly using TryCloudflare Tunnel to deliver Remote Access Trojans (RATs) like Xworm, AsyncRAT, VenomRAT, GuLoader, and Remcos in financially motivated attacks. TryCloudflare allows developers to experiment with Cloudflare Tunnel without adding a site to Cloudflare’s DNS, which attackers exploit to create temporary infrastructures that bypass traditional security controls.

This tactic, initiated in February 2024, has intensified, posing a significant threat due to its rapid deployment and evasion capabilities. Recent campaigns often use URL links or attachments to download malicious files, which execute scripts to install RATs and other malware.

Campaigns frequently target global organisations, using high-volume email campaigns with lures in multiple languages, often exceeding the volume of other malware campaigns. Attackers dynamically adapt their attack chains and obfuscate scripts to evade defences, demonstrating a sophisticated and persistent threat.

By abusing TryCloudflare tunnels, attackers generate random subdomains on trycloudflare.com, routing traffic through Cloudflare to avoid detection. For example, on May 28, 2024, and July 11, 2024, targeted campaigns used tax-themed lures and order invoice themes, respectively, to deliver AsyncRAT and Xworm via malicious email attachments and PowerShell scripts, providing remote system access and data exfiltration capabilities.

Ransomware Threat Actors Exploiting VMWare ESXi

Microsoft researchers have identified a critical vulnerability in VMware’s ESXi hypervisors, CVE-2024-37085, which allows ransomware operators to gain full administrative permissions on domain-joined ESXi hypervisors. This flaw, associated with the “ESX Admins” group, enables any domain user who can create or rename groups to escalate their privileges, potentially gaining full control over the ESXi hypervisor. Exploiting this vulnerability can result in the encryption of the hypervisor’s file system, access to virtual machines, data exfiltration, and lateral movement within the network.

Ransomware groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have been observed exploiting this vulnerability, deploying ransomware like Akira and Black Basta to encrypt ESXi file systems.

A notable attack by Storm-0506 involved using Qakbot and exploiting a Windows vulnerability to elevate privileges, followed by deploying Black Basta ransomware. In response, VMware has released a security update to address CVE-2024-37085. Microsoft urges organisations to apply this update, validate and secure the “ESX Admins” group, deny access or change administrative group settings, use multifactor authentication for privileged accounts, and secure critical assets with the latest security updates and monitoring procedures.

Photo by Joshua Hoehne on Unsplash

SOS Intelligence Weekly News Round Up

Weekly News Round-up

by Daniel Collyer

July 22, 2024

15 – 21 July 2024

CVE Discussion

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs.

News Roundup

Ransom paid by AT&T

AT&T recently paid $370,000 to a hacker affiliated with the ShinyHunters group to delete manipulated client data, including call and text metadata, which had been compromised between May 2022 and January 2023. The breach occurred from April 14th to April 25th, 2024, through unauthorised access to AT&T’s third-party cloud platform. The compromised data included phone numbers, communication dates, and call durations, but did not involve the actual content of conversations or text messages.

The payment was made in Bitcoin, and the hacker confirmed the data deletion through a demonstration video. Despite this effort to erase evidence, there is concern that some information might still be accessible, potentially posing ongoing security risks for AT&T’s consumers.

Compromise of Squarespace domain names

Squarespace customer accounts were compromised by hackers, leading to unauthorised access to sensitive information such as email addresses and account details. The breach was attributed to a third-party vendor, highlighting concerns about the security measures in place for customer data. In response, Squarespace has notified affected users and is working to enhance their security protocols.

To protect their accounts, customers are urged to change their passwords and enable two-factor authentication. This incident underscores the persistent risks associated with third-party integrations in the digital environment and the importance of robust security measures.

22 minutes to exploit

Cloudflare’s Q1 2024 Application Security Report reveals that it takes hackers an average of just 22 minutes to exploit newly disclosed vulnerabilities, highlighting a concerning trend in cybersecurity. The report indicates that Distributed Denial-of-Service (DDoS) attacks remain a significant threat, constituting 37.1% of mitigated traffic, while automated traffic makes up one-third of all internet activities, a substantial portion of which is malicious.

Additionally, API traffic has increased to 60%, with many organisations regularly missing a large number of their public-facing API endpoints. The report also underscores the growing use of zero-day exploits and the challenges posed by third-party integrations in web applications, emphasising the constantly evolving cybersecurity threat landscape.

Exploiting the Crowdstrike Issue

On July 19, 2024, Windows systems were impacted by an issue with the CrowdStrike Falcon sensor, which cybersecurity experts have flagged as a serious concern. Hackers exploited this vulnerability to target CrowdStrike customers through phishing campaigns, social engineering, and the distribution of potentially harmful software. The attackers impersonated CrowdStrike support, falsely claiming the issue was a content update error rather than a security problem.

This incident underscores the need for companies to authenticate communication channels and adhere to official guidance on modern threats. Additionally, it highlights the importance of educating employees about behaviours that could compromise security, helping to strengthen defences against such opportunistic attacks.

Photo by Joshua Hoehne on Unsplash

Product news

Business Update

by Amir Hadzipasic

February 14, 2024

We’ve had a lot going on since the start of the year and so I’ve recorded a short update for you. Click to watch and listen!

We are very thankful for all our customers, those who have been with us since we started and the new ones over the past months.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Webinar – Combo-Squatting & Homograph Attacks: Protecting Your Brand from Lookalike Domains

Understanding SCATTERED SPIDER: Tactics, Targets, and Defence Strategies

Who Is SCATTERED SPIDER?

The Tools of the Trade: DragonForce RaaS

Why SCATTERED SPIDER’s Approach Is Especially Dangerous

Defending Against SCATTERED SPIDER: Practical Guidance

Security Culture Is Your Best Defence

Business Update Webinar – you’re invited!

Who is this for?

What we will cover:

Analysing DDoSIA: Threat Intelligence Insights into a Coordinated DDoS Operation

Understanding DDoSIA and Its Attack Infrastructure

How DDoSIA Operates

Analysis, Evaluation, and Recommendations

1. Top Targeted Countries

2. Top Victim IPs and Their DDoS Mitigation Status

3. Top Attack Methods and Vectors

Recommendations

Conclusion

Strategic Recommendations

Final Thoughts

How SOS Intelligence Empowers You to Analyse and Mitigate DDoSIA Threats

Turning Intelligence into Action

Your Intelligence, Your Analysis, Your Defence

Livestream: Top 5 Cybersecurity Concerns for 2025

What Security Professionals Need to Know

Proactive Digital Risk Monitoring: Stay Ahead of Emerging Threats

10 Best Cybersecurity Practices for Individuals and Businesses

Weekly News Round-up

News Roundup

Weekly News Round-up

News Roundup

Business Update

Recent Posts

Recent Comments

dark web threat intelligence

Who Is SCATTERED SPIDER?

The Tools of the Trade: DragonForce RaaS

Why SCATTERED SPIDER’s Approach Is Especially Dangerous

Defending Against SCATTERED SPIDER: Practical Guidance

Security Culture Is Your Best Defence

Who is this for?

What we will cover:

Understanding DDoSIA and Its Attack Infrastructure

How DDoSIA Operates

Analysis, Evaluation, and Recommendations

1. Top Targeted Countries

2. Top Victim IPs and Their DDoS Mitigation Status

3. Top Attack Methods and Vectors

Recommendations

Conclusion

Strategic Recommendations

Final Thoughts

How SOS Intelligence Empowers You to Analyse and Mitigate DDoSIA Threats

Turning Intelligence into Action

Your Intelligence, Your Analysis, Your Defence

What Security Professionals Need to Know

News Roundup

News Roundup

Recent Posts

Recent Comments