I’m sure we can all agree that this year has been busy for anyone who had anything, even remotely, to do with security. The year 2021 started off with a bang as we all dealt with the fallout from a handful of Exchange bugs, dealt with the repercussions of the Accellion and Kaseya attacks, and saw ransomware splashed on the news and just about every media publication out there. And just when we thought we could coast through the last couple of weeks, the Log4j vulnerabilities dropped like a bomb. To paraphrase a couple of popular Tweets and memes floating around, this year has been a helluva decade.
Our own Photon team has been busy this year. Between investigating the internets for signs of breaches and attacks, reading the tea leaves of forum chatter, and writing reports and intelligence updates for our clients, we found the time to bring you relevant articles about what’s happening in the news and other important information.
In the spirit of Spotify’s year in review and the data mining results from your favorite social media and fitness apps, we decided to talk a little bit about the blogs y’all found important and relevant. While we won’t be able to tell you what your musical aura is, how many stairs you’ve climbed, or which photo of yours got the most likes, we can tell you what was interesting. As one important shout out, kudos to our very own Ivan, who contributed to two of these blogs!
Side note: We also discovered that some other interesting people were reading our stuff.
So without much further ado, here are the top 5 blogs that you found important, timely, and relevant this year. Here comes the countdown!
The #5 blog: Facebook’s data leak explained
Ah, yes, the necessary evil that is social media sometimes. Back in April we did a bit of a deep dive talking about how a leak of over 500 million users’ data happened and what the potential fallout meant. The data was likely scraped public data, as well as some other information that was typically not available publicly. The purported threat actor had exploited a vulnerability (later patched by Facebook) that allowed the mass export of user data from between 2019-2020.
Our team had discovered listings of this data for sale for the bargain price of $25,000, which had interest from criminal actors. Later, the information made it to another popular forum for the unbelievable price of around $3, where it became one of the most viewed threads. From there, the data scattered to the winds, where it was reposted elsewhere and became freely available to just about anyone.
While the breach likely resulted in phishing, smishing, and other social engineering attempts; at this point, it’s better to assume most or all of the information is already out there and the better question is how to secure yourself now. With the more important pieces of data exposed being phone numbers and emails, we always recommend using strong authentication with your email accounts, such as strong passwords and multifactor authentication wherever possible, to beware of attachments, and to be careful answering texts or calls from unknown or unexpected numbers.
Read more here.
In the #4 spot: Cryptocurrency attacks in 2021
Cryptocurrency, much like QR codes, podcasts, and memes, really has had quite the “glow up” in recent years, especially as the pandemic forced people to find new interesting things and hobbies. Given how unstable crypto can be (and how hot the topic is), back in June, Photon took a peek at what was happening on criminal forums when it comes to cryptocurrencies.
The danger is that there are likely a lot of n00bs flocking to crypto without doing the proper due diligence, which opens people up to all kinds of scams and attacks. We discovered that some of the common attacks included reverse proxy phishing (essentially a man-in-the-middle attack involving domain spoofs), cryptojacking (pwning a computer to allow an unsuspecting user to mine for someone else), dusting (monitoring small transactions over several wallets to discover users), and clipping (redirects a transaction to a malicious, or attacker-controlled wallet).
We covered some of the techniques and talked about mitigations and other things to think about to keep people and their hard-earned crypto safe. As society moves on to other interesting, imaginary or intangible things to assign value (I see you, NFTs), and cryptocurrency continues to remain popular, this article stays pretty relevant, even six months later.
Read more here.
Unsurprisingly, #3 is about ransomware!
I thought I’d managed to almost make it out of 2021 without writing about ransomware again. Thanks to Log4j, I thought I’d made it.
This blog is important because while it was definitely a banner year for the ransomware operators out there, the time between roughly Q2 and Q3 was incredibly important. During that 6-month period, we saw the rise and fall of several prominent operators, a bunch of unprecedented attacks (Colonial, JBS, and Kaseya), record-breaking extortion demands, a bunch of rebrands, some notable gossip, and a lot of the media, researchers, government officials, non-security folk, Twitterati, and anyone else staying up on the news collectively gasping a very loud “WTF?”
I won’t be able to give this blog or its accompanying research its full due here, but the tl;dr is that if you were an industrial goods or technology company based in the US, there’s a pretty good chance one of about two dozen ransomware groups attacked you. As we look towards 2022 and reviewing the trends of Q4, I’m secretly hoping we don’t have the same scale as this year. Ransomware’s going to be around for awhile, but let’s just try and keep it a little more manageable, k?
Read more here, or check out the full threat report.
In the #2 spot: Vulnerability intelligence and dark web forums
Counterintelligence is the process of understanding what an adversary knows about the blue team, which often includes what news stories are of interest, what people are talking about, vulnerabilities, and talk about countermeasures or signatures that might counter an adversary’s threat. In cybersecurity it’s no different, as we’ve discovered that not only are cybercriminals avid readers of a lot of the usual trade publications, they’re paying attention to research and other commentary around vulnerabilities and exploits. They share information, either freely or after exchanging currency, and they contribute to the market for exploits.
A lot of this plays into the research we started on vulnerability intelligence back in October. As the days passed, we found some interesting threads: the zero-day market is very expensive and cutthroat, some ransomware groups are probably as well-funded as some countries, the fact that the black hats out there are likely renting out exploits, and that those old vulnerabilities still get exploited. Also, unsurprisingly, some of the old forum hands are schooling the newbies on how to do bad things.
This blog was part of a series, and definitely worth a look as we examined the world of vulnerability intelligence, but getting to understand some key themes in the underground helped add context to why things like an Apache or Windows vulnerability can be a really bad thing.
Read more here, or check out the research paper here.
And finally, our winner: The best tips and tricks for Searchlight
Besides having one of the best beards and speaking voices at Digital Shadows (now ReliaQuest), Michael Marriott is also one of our more prolific writers. Back in February, he brought us a great blog on solving the problem of making threat intelligence useful to enterprises. Nearly a year later, the advice still holds up.
The short version of this (and it still won’t do any justice) is to make threat intelligence actionable by letting software do the things to filter and make information relevant, let the people work on the true positives and real threats, and (to paraphrase a popular Python course) automate the boring stuff.
Look, it’s hard building a CTI team or program. Getting the buy-in or budget is only half the battle because the true test is making the information matter to the end user. Or making other data useful as a result of threat intelligence. Either way, it’s not an easy task under the best conditions sometimes, and the pressure to show a return on investment might become very real on day 3 of having the shiny new toy.
If you’re starting to become a threat intelligence consumer, or about to, this is a great blog to consider.
Read more here.
Let’s just all agree that we’re looking forward to 2022
At the time of this writing, we’re just nine days away from bidding 2021 adieu. We’re hopefully through the worst part of the Log4j crisis, so here’s to hoping it’ll be a quiet respite for a short time. In the spirit of holiday cheer where soldiers from both sides fighting on the European battlefield in both world wars sang songs to each other during a ceasefire, let’s just all close up our laptops and call it good until 2022.
If, for some reason, these articles have got you wanting to know more about threat intelligence, we’ve got you covered with a no-obligation 7-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) to see how even more intelligence works for you. Also, if you’re an organization with some pretty specific needs or use cases, there’s a chance we’ve got a solution for you, so contact us for a demo.