The blurry boundaries between nation-state actors and the cybercrime underground

June 8, 2021

Intel 471 has seen a slow and steady change in behavior: nation-states are drawing on the cybercrime underground to achieve their goals more than ever before.

How SOAR plus threat intelligence empowers security operations teams

June 8, 2021

Intel 471 celebrates launch of Palo Alto’s Cortex XSOAR Threat Intelligence Management 2.0.

Alleged REvil member says gang has no fear over U.S. government’s major ransomware focus

June 4, 2021

REvil says it’s doubling its focus on U.S. targets as the country's government intensifies its focus on stopping ransomware attacks.

Call for crimes? Russian-language forum runs contest for cryptocurrency hacks

June 2, 2021

Criminals are starting to target the underlying infrastructure that powers cryptocurrency-based systems.

Look how many cybercriminals love Cobalt Strike

May 19, 2021

Cobalt Strike has become a very common second-stage payload for many malware campaigns across many malware families.

Cybercriminals have so many schemes aimed at your credentials

May 17, 2021

Credentials are a core enabler of cybercriminals' ability to establish and perpetuate their operations.

The moral underground? Ransomware operators retreat after Colonial Pipeline hack

May 14, 2021

The ransomware attack on Colonial Pipeline has caused a lot of trouble in the United States. It looks as if that trouble has made its way back to the cybercrime underground.

Here’s what we know about DarkSide ransomware

May 10, 2021

An examination of how DarkSide rose to prominence among cybercriminals before the Colonial Pipeline incident.

The cybercriminal underground hasn’t forgotten about financial services

April 26, 2021

It is a well-worn cliché in cybersecurity: criminals prey on banks and financial services because that’s where the money is. In 2021, that remains a fact. However, while the crime itself remains the same, who carries it out and how it is carried out have changed.

How China’s cybercrime underground is making money off big data

April 19, 2021

Both of these things are true: Big data is big business, and cybercriminals love money. So it shouldn’t be a surprise that these two ideas have blended together in some corners of the cybercrime underground.

EtterSilent: the underground’s new favorite maldoc builder

April 6, 2021

The cybercrime underground often mimics behaviors that we see in everyday facets of life. Intel 471’s latest discovery is an example of one of these patterns: when a product takes off in the marketplace, users will rush to obtain it and find unique ways to use it in order to fit their needs.

Cybercriminals still leveraging COVID-19 pandemic for scams

March 23, 2021

While the world is starting to see the light at the end of the tunnel when it comes to the coronavirus pandemic, the cybercriminal underground is finding ways to continue its schemes as civil society is trying to repair the wreckage COVID-19 has caused.

Friendly fire: Four well-known cybercriminal forums dealing with breaches

March 4, 2021

Since the beginning of the year, Intel 471 has observed four well-known cybercriminal forums dealing with a breach, including two since the beginning of March. The forums, all predominantly Russian-language forums, saw the breaches publicly disclosed elsewhere, with some instances of user data being leaked or put up for sale.

Here’s who is powering the bulletproof hosting market

March 3, 2021

Most cybercriminal schemes don’t happen all at once. There are multiple parts to an attack, with each part needing some support from infrastructure to succeed. Take, for instance, Hancitor, a popular piece of malware that sets the stage for cybercriminals to launch a variety of different attacks. It has been used to drop banking trojans, information stealers and other types of malware. In use since 2014, it’s delivered via spam containing a link the recipient must visit. That link, if clicked, leads to a malicious document that drops Hancitor on the victim’s machine.

Bulletproof hosting: How cybercrime stays resilient

February 23, 2021

If we were to list all of the malicious acts carried out by cybercriminals who leverage bulletproof hosting (BPH), we’d have a report that would rival “Infinite Jest” or “War & Peace” for length. Bulletproof hosting has been hand-in-glove with cybercrime for decades, supplying criminals with the infrastructure they need to carry out their crimes.

Egregor operation takes huge hit after police raids

February 17, 2021

On Feb. 9, 2021, Ukrainian law enforcement conducted a joint operation with U.S. and French authorities against several Ukrainian nationals believed to be deeply involved with Egregor ransomware operations. Intel 471 has learned that authorities targeted the purported ring leaders, as well as associates who helped run the related affiliate programs.

Hiding in plain sight: Bulletproof Hosting’s dueling forms

February 15, 2021

A June 2020 feature in The New Yorker was really more cyberpunk than cybersecurity. The story focuses on the people who ran CyberBunker, a server farm built in an underground European military bunker that served as a host for spammers, botnet command-and-control servers, malware and online scams. The story follows the familiar arc of dystopian techno-fiction: an absolutist attitude toward privacy, the use of technology to commit crimes, and the eventual downfall in the form of law enforcement action.

Cybercriminals are interested in your SCADA systems

February 12, 2021

The public learned this week of an alarming cybersecurity incident that could have physically harmed people: Someone managed to access a system that controlled a Florida city’s water treatment plant, temporarily adjusting sodium hydroxide levels to amounts that could have made the population sick had the chemicals been introduced into the water supply. While city officials caught the action and reversed it within minutes, further reporting has shown the plant had an austere cybersecurity profile that is sadly familiar for public-sector organizations: use of outdated operating systems, disregard for best practices, and lack of a budget to support any real upgrade or staff additions.

Emotet takedown is not like the Trickbot takedown

January 27, 2021

On Wednesday, January 27, U.S. and European law enforcement agencies announced that they had seized control of Emotet, the notorious botnet that’s been used by cybercriminals all over the world for the past decade.

Last Dash for Joker’s Stash: Carding forum may close in 30 days

January 15, 2021

One of the most notable carding shops may be shutting down for good. The Joker’s Stash shop will be closing operations on Feb. 15, 2021, according to the site’s owner. In a message board post on a popular Russian-language cybercrime forum, the operator said the site is closing “forever” and its team is heading into a “well-deserved retirement.”

Nation-states are taking their supply-chain attack strategy from the cybercriminal underground

January 15, 2021

It’s clear the SolarWinds incident has rocked the infosec community to its core, with the still-unfolding episode expected to reverberate in the industry for years to come. While there is still much to be uncovered, the public details point to a known Russian APT inserting code into a third-party IT provider’s services, allowing for further targeting of approximately 50 organizations.

TA505’s modified loader means new attack campaign could be coming

December 18, 2020

After months of inactivity, hacking group TA505's Get2 loader has sprung back into operation, possibly signaling that the group is ready for a new round of malicious activity. On December 14, 2020, the Get2 loader resurfaced with new download-and-execute configuration parameters named "LD" and "ED." Intel 471 had last observed the loader in operation on September 14, 2020.

More annoying than crippling: Joker’s Stash takedown is temporary

December 17, 2020

Law enforcement has allegedly seized proxy servers used in connection with the blockchain-based domains belonging to Joker's Stash, a prolific vendor of compromised financial card data in the cybercrime underground. On December 17, an image adorned the shop's website that claimed the U.S. Federal Bureau of Investigation and Interpol had taken it into law enforcement's possession. After noticing the action, Joker's Stash operators took down the site completely.

No pandas, just people: The current state of China’s cybercrime underground

December 10, 2020

China's internet is very different from the rest of the world's. Yet that hasn't stopped its population from engaging in cybercrime. Despite the various measures the Chinese government has taken to censor and surveil its residents on the internet, a significant cybercrime underground full of financially motivated actors exists. Efforts like "The Great Firewall" or government crackdowns on content related to cybercrime force actors to put in remarkable effort to maneuver around those roadblocks in order to access, create or participate in criminal marketplaces that mirror those more commonly known to the rest of the world.

Steal, then strike: Access merchants are first clues to future ransomware attacks

December 1, 2020

Cybercrime does not happen in a vacuum. While ransomware variants like REvil, Ryuk and DoppelPaymer have become household names for cybersecurity professionals, those deploying ransomware only represent part of the process by which criminals are forcing organizations to either pay them millions or watch their business go under.

Here’s what happens after a business gets hit with ransomware

November 23, 2020

When the cybersecurity community focuses on ransomware, the concentration tends to be two-fold. There’s tons of information on how the software encrypts files, how it spreads from machine to machine, and the various vectors by which it causes havoc. Then there is the chase to figure out who is responsible for creating the variant, what marketplaces they may be attached to, and if they can be tied to any other attacks.

Ransomware-as-a-service: The pandemic within a pandemic

November 16, 2020

Ransomware is a massive problem. But you already knew that. Technical novices, along with seasoned cybersecurity professionals, have witnessed over the past year a slew of ransomware events that have devastated enterprises around the world. Even those outside of cybersecurity are now familiar with the concept: criminals behind a keyboard have found a way into an organization’s system, prevented anyone from actually using it by locking it up, and won’t let anyone resume normal activity until the organization pays a hefty fee.

Trickbot down, but is it out?

November 10, 2020

Since the separate and independent actions taken against Trickbot, we have observed successful disruption of its command and control infrastructure. However, the actors linked to Trickbot have not ceased their criminal activities.

Alleged REvil member spills details on group’s ransomware operations

October 28, 2020

An alleged member of one of the most notorious ransomware gangs in the world divulged numerous details about its operation, including that it allegedly takes in more than $100 million per year from its attacks.

Global Trickbot disruption operation shows promise

October 20, 2020

On Oct. 19, 2020, when this latest Trickbot sample was distributed, none of the above listed control servers were able to respond to Trickbot bot requests, a state that continued at the time of this report. Intel 471 believes disruption operations against Trickbot are currently global in nature and have had success against Trickbot infrastructure.

Leveraging Intel 471’s Malware Intelligence Data using MISP

October 20, 2020

Intel 471’s Malware Intelligence provides our clients with constant coverage of top-tier malware families. It delivers near real-time alerts of targeting changes, spamming and malware campaigns, updates in infrastructure and much more. In the first in a series of blogs and white papers, we take a look at how this high-volume and high-fidelity data has been modeled in MISP and demonstrate how you can use the platform to make acquiring and processing the data more manageable.
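As an added illustration of the modelling described above (this is example code written for this page, not Intel 471's MISP integration or the MISP project's client library), the block below builds a MISP-format event for one malware family's infrastructure and then extracts only the attributes flagged `to_ids`, which is the set MISP itself would push to an IDS or blocklist export. The event and attribute field names follow MISP's JSON format; the malware family label, constant values, domain, IP and hash are constructed placeholders, not real indicators.

```python
"""Added example: model malware intelligence as a MISP event and derive a
blocklist from it. Not Intel 471's code; field names follow MISP's JSON
format, all indicator values below are constructed placeholders."""
import json
from typing import Dict, List

# MISP enumerations (assumed here for readability; MISP stores them as ints).
MISP_DISTRIBUTION_ORG_ONLY = 0
MISP_THREAT_LEVEL_HIGH = 1
MISP_ANALYSIS_COMPLETE = 2


def build_malware_event(family: str, indicators: List[Dict]) -> Dict:
    """Build a MISP event describing one malware family's infrastructure.

    Each indicator dict carries type, value, comment and to_ids. MISP only
    exports attributes with to_ids=True to IDS/blocklist feeds, so a sinkholed
    or shared-hosting value can be kept for analyst context without being
    pushed to blocking."""
    attributes = []
    for ind in indicators:
        attributes.append({
            "type": ind["type"],
            "category": ind.get("category", "Network activity"),
            "value": ind["value"],
            "to_ids": bool(ind.get("to_ids", True)),
            "comment": ind.get("comment", ""),
        })
    return {
        "Event": {
            "info": f"{family} controller infrastructure update",
            "distribution": MISP_DISTRIBUTION_ORG_ONLY,
            "threat_level_id": MISP_THREAT_LEVEL_HIGH,
            "analysis": MISP_ANALYSIS_COMPLETE,
            "Tag": [{"name": f'malware_family:"{family}"'}],
            "Attribute": attributes,
        }
    }


def actionable_indicators(event: Dict) -> Dict[str, List[str]]:
    """Group to_ids attributes by type, the shape a firewall or IDS export needs.

    Attributes with to_ids=False are deliberately skipped: they are context
    (e.g. a controller already sinkholed by researchers), not something to block."""
    grouped: Dict[str, List[str]] = {}
    for attr in event["Event"]["Attribute"]:
        if not attr["to_ids"]:
            continue
        grouped.setdefault(attr["type"], []).append(attr["value"])
    return grouped


# Constructed sample: one live controller, one sinkholed controller, one payload hash.
SAMPLE_INDICATORS = [
    {"type": "domain", "value": "update-check.example",
     "comment": "active C2 (constructed)"},
    {"type": "ip-dst", "value": "203.0.113.10", "to_ids": False,
     "comment": "sinkholed by researchers, context only (constructed)"},
    {"type": "sha256", "category": "Payload delivery", "value": "a" * 64,
     "comment": "loader sample (constructed)"},
]

if __name__ == "__main__":
    event = build_malware_event("ExampleFamily", SAMPLE_INDICATORS)
    print(json.dumps(event, indent=2))
    print(actionable_indicators(event))
```

The `to_ids` split is the part worth copying: a feed that blindly blocks every attribute in an event will also block sinkholes and shared hosting, which is how a high-volume malware feed turns into a source of false positives.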

That was quick: Trickbot is back after disruption attempts

October 15, 2020

The Trickbot botnet looks to be working once again, despite separate efforts in the past few weeks aimed at disrupting its operation. On October 14, 2020, the Emotet spam botnet — which is often the precursor to TrickBot being loaded onto a system — began receiving spam templates intended for mass distribution. These spam templates contained a Microsoft Word document attachment with malicious macros that fetch and load a copy of Emotet onto the victim machine. The Emotet bots reached out to their controllers and received commands to download and execute Trickbot on victim machines.

Criminals posing as Lazarus Group threatened Travelex: Bitcoin or DDoS

October 13, 2020

A group posing as notorious nation-state-linked hacking group “Lazarus Group” threatened to hit British foreign exchange company Travelex with a distributed-denial-of-service (DDoS) attack unless it paid 20 bitcoins. According to an email discovered by Intel 471 researchers, attackers threatened to hit Travelex with an “extremely powerful” attack that would “peak over 2 Tbps” until the company paid a ransom. The demand, which was sent in late August, asked for a value of approximately US $213,000.

Recent Trickbot disruption operation likely to have only short-term impact

October 13, 2020

On Oct. 10, 2020, the Washington Post reported that “four U.S. officials” claimed U.S. Cyber Command was conducting an operation to disrupt the Trickbot botnet. This action was first identified by Intel 471’s Malware Intelligence systems on Sept. 22, 2020. On Oct. 12, 2020, Microsoft announced legal action against Trickbot.

Partners in crime: North Koreans and elite Russian-speaking cybercriminals

September 16, 2020

This blog post takes a look at the credibility of claims in public reports of North Korean (referred to as DPRK for the rest of this post) links to Russian-speaking cybercriminals.

Prioritizing “critical” vulnerabilities: A threat intelligence perspective

August 12, 2020

Recently, many vendor security advisories have contained multiple critical vulnerabilities, leaving affected organizations conflicted about patch prioritization when weighing the variables reported for each vulnerability. Threat intelligence can supplement publicly disclosed information with a contextual view of exploitation efforts and of underground threat actors’ general interest in openly reported vulnerabilities.

Flowspec – TA505’s bulletproof hoster of choice

July 15, 2020

Here at Intel 471 we spend a fair amount of time tracking malicious infrastructure providers. In the world of cybercrime the malicious infrastructure provider, or Bulletproof Hoster (BPH) as they are called in the underground marketplace, is a core enabling service that often gets little attention from threat intelligence analysts.

Iran’s domestic espionage: Lessons from recent data leaks

July 8, 2020

In the last decade, Iran has undergone a quiet revolution. Since the “Green Movement” uprising in 2009, more Iranians have dared to openly oppose their regime. The reasons include accusations of election tampering, global sanctions, increased inflation, heavy investment of state funds in nuclear and weapons programs, and ambitious regional policies in Lebanon, Syria, Iraq, Yemen and elsewhere, amid a deteriorating socioeconomic situation for the average Iranian.

Coronavirus having minimal impact on prices, demand, and availability across the cybercriminal underground

June 17, 2020

Coronavirus Disease 2019 (COVID-19) continues to surround our everyday lives and its presence remains a topic of interest and discussion within underground forums. In the earlier days of the pandemic, we took a look at how attackers were leveraging the fear surrounding the disease to launch campaigns such as business email compromise (BEC), phishing and malicious domains, but questions remain about how or whether the marketplace has been directly impacted.

You need to adjust your patch priorities!

May 21, 2020

Some business people might say the security folks don’t understand the dollar impact of taking a system offline. The reality is that in business, time is often money, and quantifying the cost of key systems being taken offline is a real exercise. Some security folks might also say that the business folks don’t understand or care about the risk or impact of a vulnerability being exploited.
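Both this post and the earlier “Prioritizing critical vulnerabilities” post above argue that a vendor severity rating alone is a poor patch-ordering signal. The block below is an added example of what that argument looks like in code; it is not Intel 471's methodology. The weights, the interest scale and the three sample records are assumptions chosen to show the effect: a "high" vulnerability that is weaponized, traded in the underground and exploited in the wild outranks a "critical" one nobody is using.

```python
"""Added example (not Intel 471's method): rank vulnerabilities by combining
the vendor/NVD base score with threat-intelligence context. All weights,
the interest scale and the sample inventory are assumptions for illustration."""
from dataclasses import dataclass
from typing import List


@dataclass
class VulnRecord:
    name: str
    cvss: float                    # vendor/NVD base score, 0-10
    internet_facing: bool          # affected asset reachable from outside?
    public_exploit: bool = False   # PoC or weaponized code published
    underground_interest: int = 0  # assumed scale: 0 none, 1 discussed, 2 exploit traded or in use
    exploited_in_wild: bool = False


def priority_score(v: VulnRecord) -> float:
    """CVSS alone ranks every 9.8 equally; intel context separates the ones
    criminals are actually using from the ones nobody has touched.
    Weights are assumptions; tune them to your own risk appetite."""
    score = v.cvss
    if v.exploited_in_wild:
        score += 4.0
    if v.public_exploit:
        score += 2.0
    score += 1.5 * v.underground_interest
    if not v.internet_facing:
        # Reachable only after an initial foothold: still patch, but later.
        score *= 0.6
    return round(score, 2)


def rank(vulns: List[VulnRecord]) -> List[str]:
    """Return vulnerability names, highest priority first."""
    return [v.name for v in sorted(vulns, key=priority_score, reverse=True)]


# Constructed sample inventory (names and scores are illustrative only).
SAMPLE = [
    # Critical on paper, internal only, no known activity.
    VulnRecord("A-internal-db", 9.8, internet_facing=False),
    # Rated "high", but weaponized, traded underground and exploited in the wild.
    VulnRecord("B-vpn-gateway", 7.5, internet_facing=True, public_exploit=True,
               underground_interest=2, exploited_in_wild=True),
    # Critical, exposed, some underground chatter but no exploit yet.
    VulnRecord("C-web-portal", 9.8, internet_facing=True, underground_interest=1),
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.name:15} cvss={v.cvss:4} priority={priority_score(v)}")
    print("patch order:", rank(SAMPLE))
```

With these weights the order comes out B, C, A: the 7.5 with active exploitation jumps ahead of both 9.8s, and the internal 9.8 drops to the bottom. The point is not the specific numbers but that the ranking changes once exploitation and underground interest are inputs rather than footnotes.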

A brief history of TA505

May 21, 2020

A brief history of TA505

Changes in REvil ransomware version 2.2

May 4, 2020

The REvil ransomware-as-a-service (RaaS) operation continues to impact businesses worldwide. The threat actors responsible for developing and maintaining the malware have released an updated version of the ransomware, version 2.2.

COVID-19 pandemic: Through the eyes of a cybercriminal

April 30, 2020

By the Intel 471 Intelligence team. Cybercriminals’ exploitation of the global Coronavirus Disease 2019 (COVID-19) pandemic (in phishing lures, for example) has been covered widely in the media. But one underreported aspect is how the coronavirus itself is impacting cybercrime actors, their activities and their infrastructure.

Understanding the relationship between Emotet, Ryuk and TrickBot

April 14, 2020

By the Intel 471 Malware Intelligence team. One of the more notable relationships in the world of cybercrime is that between Emotet, Ryuk and TrickBot. This loader-ransomware-banker trifecta has wreaked havoc in the business world over the past two years, causing millions of dollars in damages and ransoms paid. Our Malware Intelligence team receives a lot of great questions from our clients on this subject, so we thought it would be good to do a Q/A style blog covering some of the more general questions.

REvil Ransomware-as-a-Service: An analysis of a ransomware affiliate operation

March 31, 2020

REvil, also known as Sodinokibi or Sodin, is a ransomware family operated as a ransomware-as-a-service (RaaS). Deployments of REvil were first observed in April 2019, when attackers exploited a vulnerability in Oracle WebLogic servers tracked as CVE-2019-2725.

REvil Ransomware-as-a-Service: An analysis of a ransomware affiliate operation

March 31, 2020

REvil ransomware was first advertised on a Russian-language cybercrime forum in June 2019. The main actor associated with advertising and promoting REvil ransomware is known as Unknown, aka UNKN. The RaaS is operated as an affiliate service: affiliates spread the malware by acquiring victims, while the REvil operators maintain the malware and payment infrastructure. Affiliates receive 60% to 70% of the ransom payment.

Analysis of an attempted attack against Intel 471

March 25, 2020

The following write-up is our analysis of an attack attempted against one of our employees this week. At no point was our employee’s system at risk of being compromised. Interestingly, the employee’s email address had only been used externally in very few instances. We are releasing this information publicly to share tactics, techniques and procedures (TTPs) and to encourage others to share similar incidents.

Malicious actors leverage Coronavirus Disease 2019 fear to increase business

March 18, 2020

Our lives continue to be inundated with emails, mobile applications and websites that promise to deliver critical information related to the Coronavirus Disease 2019 (COVID-19) pandemic threatening millions of people across the globe.

Introducing Intel 471’s Cybercrime Underground General Intelligence Requirements (CU-GIR): a common framework to address a common challenge

February 25, 2020

As a framework, the USMC Intelligence Activity has long used “Generalized Intelligence Requirements” (GIRs) to assist human intelligence (HUMINT) collectors in the physical areas in which they operate. Collectors use a set of prescribed GIRs as a baseline tool to spot and assess collection opportunities against common observables they might encounter in the field.

Intelligence requirements: Moving from concept to practice

February 13, 2020

Our industry talks a lot about intelligence requirements. Yet I’ve noticed over the years a lack of practical advice being shared about how to actually work with or implement intelligence requirements as a fundamental component of a cyber threat intelligence (CTI) program. In a future blog, I’ll share how we do things at Intel 471, hopefully to help address this gap.

Melting the deep and dark web myth and why we hate the phrase

September 9, 2019

The deep and dark web, or simply the “underground,” as we like to call it at Intel 471, is an organized ecosystem of products, services and goods consisting of real life suppliers and consumers who can be mapped, tracked, understood and exposed.

No, the criminal underground isn’t dropping its use of Bitcoin anytime soon

January 3, 2018

I recently read an article which claimed the “criminal underworld” was dropping its use of Bitcoin. In the past month, Intel 471 has looked closely at the criminal underground to identify if Bitcoin was still strong in its use and whether there were any up-and-coming cryptocurrencies that were gaining traction or which eventually might overtake Bitcoin’s current usage levels.

Naming malware: What’s in a name?

May 30, 2017

This week’s incident with Petya/NotPetya/GoldenEye/Nyetya/Petrwrap has reignited the debate about how security companies name malware. In my opinion, the security industry’s use of different names for the same thing isn’t good for either customers or the industry at large, and it’s something that could be solved without too much effort.

Being a cyber threat intelligence analyst and operating in the fog of uncertainty

May 17, 2017

The objective of this blog isn’t to critique, support or disprove any specific hypothesis. The goal is to highlight what it means to be a cyber threat intelligence professional who will most certainly be faced with the reality of incomplete information and/or different levels of uncertainty.

Who hacked the Democratic National Committee?

June 16, 2016

I’ll preface this post by saying that I possess no information on this incident beyond what has been mentioned in open sources. This post is my personal opinion and is based on my experience researching and tracking both state and non-state cyber threat actors.

Cyber threat intelligence: Why should I be worried about threats that aren’t specifically about my organization?

May 18, 2016

When it comes to cyber threat intelligence, the big question that comes to mind when evaluating intelligence or intelligence collection, external from a vendor or internally generated, is whether it is relevant to me and my organization.

Actionable intelligence — Is it a capability problem or does your intelligence provider suck?

May 18, 2016

Significant numbers of security and threat intelligence vendors spruik their intelligence or data as being the most actionable, but is it? In this post I hope to make the argument that whether intelligence is actionable or not is really up to the consumer of said intelligence, not the producer.

Cyber threat intelligence requirements: What are they, what are they for and how do they fit in the…

May 18, 2016

There are many definitions of an intelligence requirement, but the one that is most accurate to me is: “Any subject, general or specific, upon which there is a need for the collection of information, or the production of intelligence.”

Cyber Threat Intelligence: Comparing the incident-centric and actor-centric approaches

May 18, 2016

When it comes to cyber threat intelligence, the security industry mostly appears to take the view that indicators of compromise (IOCs) are the best approach to initiate/drive the intelligence process.

Cyber Threat Intelligence: Observing the adversary

May 17, 2016

Following my previous blog post that compared the incident-centric and actor-centric approaches to cyber threat intelligence, this post will detail a number of ways we can potentially observe our adversary. I’ll preface this post by saying that prioritizing and identifying who the adversary is, their motivations, their intentions and goals will drive where you seek to observe them. This could be different depending on the vertical in which your organization sits.