Posts

Lessons from the iSOON Leaks

Introduction

A Chinese Ministry of Public Security (MPS) contractor called iSOON (also known as Anxun Information) that specializes in network penetration research and related services has had its data leaked to GitHub. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors, and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on internal and border security, counter-terrorism, and surveillance. The MPS is comparable to the Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients.

About the iSOON Leak

The iSOON leak has revolutionized the open source intelligence (OSINT) community's general understanding of the Chinese MPS' cyber operations. Its signific

Top 10 Cyber Threats of 2023

Introduction

2023 was packed with a multitude of significant events that caused many to rethink their entire security strategies, especially their vendors and their team size. Unfortunately, we saw thousands of layoffs in the technology sector, including cybersecurity teams. This is despite the unrelenting and omnipresent threat of an ever-growing number of cyber adversaries. The Top 10 Cyber Threats of the year that I believe are worth focusing on in this blog revolve around several common themes, like the use of zero-day exploits, supply chain attacks, targeting identity providers, as well as intentionally disruptive campaigns.

#1 CL0P mass exploitation campaigns

Since 2020, a professional cybercrime syndicate known as CL0P shifted from targeted big game hunting ransomware campaigns to mass data-theft-extortion attacks, minus the deployment of ransomware. Around 27 May 2023, the CL0P group exploited a zero-day vulnerability in the MOVEit file transfer server, tracked as CVE-2

Cybercriminals Leverage Hijacked Booking.com accounts for Phishing

I recently heard about a wave of scams exploiting Booking.com users. So I went and researched it for myself. I came across a post on the r/travel subreddit about such an incident. [1] The user received a seemingly authentic message with a URL via Booking.com's app. They provided their credit card information and said that “within mere minutes of this, an attempt was made to use [their] credit card for an online purchase.” As others pointed out on Reddit, the most likely scenario here is that the hotel's account with Booking.com has been compromised, or the hotel's own email account was compromised. I then looked up the phishing site sent via the Booking.com in-app messaging system in VirusTotal to find the IP address and checked that in URLscan. As I imagined, the offending IP address had a bunch of other Booking.com phishing domains that resolved to it. This revealed a widespread campaign. [2, 3] Further research on this topic led me to a recent Secureworks blog about

Geopolitical Cybercrime: LockBit attack on the ICBC

What happened?

On 8 November 2023, the Industrial and Commercial Bank of China (ICBC) was attacked by the LockBit ransomware group. The ICBC is one of the world’s largest banks and is a Chinese state-owned asset. Financial media sources, such as the Financial Times and Bloomberg, reported that the wider financial system was impacted as certain trades on the US Treasury market were unable to clear because of the LockBit attack. Reuters also reported that the impact on ICBC’s network was significant enough that the bank had to resort to manual processes to perform trades in the billions of US dollars. At the time of writing, ICBC has not appeared on LockBit’s data leak site. However, in a conversation over the TOX messaging application with VX-Underground, a LockBit representative did confirm that they attacked ICBC.

Additional context

LockBit is currently the most prolific ransomware group in the world. They claim to be a “multinational” organization and the threat a

Tracking Adversaries: Akira, another descendant of Conti

The dozens of cybercriminals that made up the Conti group continue to launch campaigns unabated. Previously in 2022, I blogged about how, following the Conti Leaks, the operators of Conti continued on via multiple rebranded ransomware campaigns, such as Royal, BlackBasta, and Quantum, among others. Since my last two blogs on the Conti/TrickBot gang, multiple members have been officially sanctioned by the US and UK governments in February 2023 and September 2023, formally confirming attribution to Russia-based threat actors. The sanctions are a vital step in the right direction and help the public and lawmakers understand what organized cybercrime looks like and the scale of the fight on our hands. In this blog, however, I wanted to explore the ransomware campaign called Akira that appeared in March 2023 and focus on how Akira is connected to Conti. Akira is a rapidly growing threat to civil society and critical infrastructure and is the ransomware group I believe researchers and