@BushidoToken Threat Intel

Introduction 2023 was packed with a multitude of significant events that caused many to rethink their entire security strategies, especially their vendors and their team size. Unfortunately, we saw thousands of layoffs in the technology sector, including cybersecurity teams. This is despite the unrelenting and omnipresent threat of an ever growing number of cyber adversaries. The Top 10 Cyber Threats of the year that I believe are worth focusing on in this blog revolve around several common themes, like the use of zero-day exploits, supply chain attacks, targeting identity providers, as well as intentionally disruptive campaigns. #1 CL0P mass exploitation campaigns Since 2020, a professional cybercrime syndicate known as CL0P shifted from targeted big game hunting ransomware campaigns to mass data-theft-extortion attacks, minus the deployment of ransomware. Around 27 May 2023, the CL0P group exploited a zero-day vulnerability in the MOVEit file transfer server, tracked as CVE-2...

I recently heard about a wave of scams exploiting Booking.com  users. So I went and researched it for myself. I came across a post on the r/travel subreddit about such an incident. [1] The user received a seemingly authentic message with a URL via Booking.com 's app. They provided their credit card information and said that “within mere minutes of this, an attempt was made to use [their] credit card for an online purchase.” As others pointed out on Reddit, the most likely scenario here is that the hotel's account with Booking.com  has been compromised, or the hotel's own email account was compromised. I then looked up the phishing site sent via the Booking.com  in-app messaging system in VirusTotal to find the IP address and checked that in URLscan. As I imagined, the offending IP address had a bunch of other Booking.com  phishing domains that resolved to it. This revealed a widespread campaign. [2, 3] Further research on this topic led me to a recent Secureworks blo...

  What happened? On 8 November 2023, the Industrial and Commercial Bank of China (ICBC) was attacked by the LockBit ransomware group. The ICBC is one of the world’s largest banks and is a Chinese state-owned asset. Financial media sources, such as the Financial Times and Bloomberg reported that the wider financial system was impacted as certain trades on the US Treasury market were unable to clear because of the LockBit attack. Reuters also reported that the impact on ICBC’s network was significant enough that the bank had to resort to manual processes to perform trades in the billions of US dollars. At the time of writing, ICBC has not appeared on LockBit’s data leak site. However, in a conversation over the TOX messaging application with VX-Underground , a LockBit representative did confirm that they attacked ICBC. Additional context LockBit is currently the most prolific ransomware group in the world . They claim to be a “multinational” organization and the thre...

The dozens of cybercriminals that made up the Conti group continue to launch campaigns unabated. Previously in 2022, I blogged about how following the Conti Leaks , the operators of Conti  continued on via multiple rebranded ransomware campaigns, such as Royal, BlackBasta, and Quantum, among others.  Since my last two blogs on the Conti/TrickBot gang, multiple members have been officially sanctioned by the US and UK government in February 2023 and September 2023 , formally confirming attribution to Russia-based threat actors. The sanctions are a vital step in the right direction and helps the public and law makers understand what organized cybercrime looks like and the scale of the fight on our hands. In this blog, however, I wanted to explore the ransomware campaign called Akira that appeared in March 2023  and focus on how Akira is connected to Conti. Akira is a rapidly growing threat to civil society and critical infrastructure and is the ransomware group I believe r...

After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor...

Welcome to the world of hacktivism, where technology and activism collide. Verifying and researching hacktivist claims can be a challenging and time-consuming endeavour. The sheer volume of claims made by various hacktivist groups and individuals can be overwhelming. With numerous events occurring simultaneously, resources can be strained when attempting to fact-check each claim thoroughly.  Hacktivist activities can involve digital intrusions such as website defacements or data theft. These intrusions may leave limited residual forensic evidence. However, these digital artifacts are often ephemeral and are rarely shared publicly for cross examination. DDoS attacks can be even harder to verify as a third-party without access to the website or infrastructure's logs. This lack of transparency makes it challenging to confirm the authenticity and scope of many hacktivist actions.  This difficulty in promptly verifying and debunking claims can lead to misinformation spreading unche...