Posts

Cybercriminals Leverage Hijacked Booking.com accounts for Phishing

I recently heard about a wave of scams exploiting Booking.com users. So I went and researched it for myself. I came across a post on the r/travel subreddit about such an incident. [1] The user received a seemingly authentic message with a URL via Booking.com's app. They provided their credit card information and said that “within mere minutes of this, an attempt was made to use [their] credit card for an online purchase.” As others pointed out on Reddit, the most likely scenario here is that the hotel's account with Booking.com has been compromised, or the hotel's own email account was compromised. I then looked up the phishing site sent via the Booking.com in-app messaging system in VirusTotal to find the IP address and checked that in URLscan. As I imagined, the offending IP address had a bunch of other Booking.com phishing domains that resolved to it. This revealed a widespread campaign. [2, 3] Further research on this topic led me to a recent Secureworks blog about

Geopolitical Cybercrime: LockBit attack on the ICBC

What happened? On 8 November 2023, the Industrial and Commercial Bank of China (ICBC) was attacked by the LockBit ransomware group. The ICBC is one of the world’s largest banks and is a Chinese state-owned asset. Financial media sources, such as the Financial Times and Bloomberg, reported that the wider financial system was impacted as certain trades on the US Treasury market were unable to clear because of the LockBit attack. Reuters also reported that the impact on ICBC’s network was significant enough that the bank had to resort to manual processes to perform trades in the billions of US dollars. At the time of writing, ICBC has not appeared on LockBit’s data leak site. However, in a conversation over the TOX messaging application with VX-Underground, a LockBit representative did confirm that they attacked ICBC. Additional context: LockBit is currently the most prolific ransomware group in the world. They claim to be a “multinational” organization and the threat a

Tracking Adversaries: Akira, another descendant of Conti

The dozens of cybercriminals that made up the Conti group continue to launch campaigns unabated. Previously in 2022, I blogged about how, following the Conti Leaks, the operators of Conti continued on via multiple rebranded ransomware campaigns, such as Royal, BlackBasta, and Quantum, among others. Since my last two blogs on the Conti/TrickBot gang, multiple members have been officially sanctioned by the US and UK governments in February 2023 and September 2023, formally confirming attribution to Russia-based threat actors. The sanctions are a vital step in the right direction and help the public and lawmakers understand what organized cybercrime looks like and the scale of the fight on our hands. In this blog, however, I wanted to explore the ransomware campaign called Akira that appeared in March 2023 and focus on how Akira is connected to Conti. Akira is a rapidly growing threat to civil society and critical infrastructure and is the ransomware group I believe researchers and

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider: CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023. These financially motivated English-speaking threat actors are known for their unique style of attacks, which all usually begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for include multi-factor

Hacktivists: Liars and Morons

Welcome to the world of hacktivism, where technology and activism collide. Verifying and researching hacktivist claims can be a challenging and time-consuming endeavour. The sheer volume of claims made by various hacktivist groups and individuals can be overwhelming. With numerous events occurring simultaneously, resources can be strained when attempting to fact-check each claim thoroughly. Hacktivist activities can involve digital intrusions such as website defacements or data theft. These intrusions may leave limited residual forensic evidence. However, these digital artifacts are often ephemeral and are rarely shared publicly for cross-examination. DDoS attacks can be even harder to verify as a third party without access to the website or infrastructure's logs. This lack of transparency makes it challenging to confirm the authenticity and scope of many hacktivist actions. This difficulty in promptly verifying and debunking claims can lead to misinformation spreading unchecked.

Investigating SMS phishing text messages from scratch

Online and at conferences, people ask me how to get started in threat intel. What I usually offer as advice to budding analysts starting out is to practise analysing things in the wild. And by 'analysing things in the wild' I mean looking for live reports of cybercriminal activity by others online. One of my favourite examples is SMS phishing text messages, also called Smishing scams. It is a commonly held view that new analysts learn best by doing. It also does not matter if you are not the first to report on something. New analysts should not worry about that, as long as they do a bit of OSINT at least to confirm they do not accidentally say they are the first and only researcher to find whatever it is they found. In my experience, there are always organizations and teams with more experience and telemetry than you. It's just that they did not report on it publicly (yet). This goes for even the top research teams at incident response or antivirus companies. Not "be

Writing Hacker Fiction With Help From AI

I wanted to do something a bit different and fun, so I created a new site, hackerfiction.medium.com, with one purpose: telling fictional short stories about hacking using AI. I’ve explained why and how I’m doing this in my Introduction blog; I recommend checking it out first. Ultimately, I made these stories for me. But I think others may enjoy them too, so I shared them. I’ve enjoyed making these short stories and generating some visuals. And I may make some more. To me, these stories show how the future of all entertainment will be influenced by AI. Interestingly, some have noted that these hacker fiction short stories, initially designed purely for fun, could also be used productively by governments, militaries, and organizations. The ideas are fundamentally generated by the human through a series of "what if" scenarios. The story contents are generated by the AI and then further edited to make sense by the human. For these stories to be useful, though, they would have to be

Unmasking Ransomware Using Stylometric Analysis: Shadow, 8BASE, Rancoz

I recently came across a cool GitHub repo from Zscaler's ThreatLabz team (see here) which contains a whole array of ransom notes from known and new ransomware families. I imagine that Zscaler has some sort of malware hunting capability (potentially LiveHunt YARA rules in VirusTotal) and they manually check for ransom notes uploaded to VT containing strings such as ".onion" to find new and interesting ransomware families. However they actually do it, this is a handy repo for the community to use. Three new ransom notes that Zscaler shared that caught my eye belonged to Shadow, 8BASE, and Rancoz. Tracking new ransomware families can be an interesting task: so many new groups are appearing that it is hard to tell which ones are worth paying attention to out of the literal hundreds of variants out there launching attacks. These three stick out, however, due to the presence of a ".onion" Tor link inside their ransom notes, because that means they have set up