Flowspec – TA505’s bulletproof hoster of choice

By the Intel 471 Intelligence Analysis team. Here at Intel 471 we spend a fair amount of time tracking malicious infrastructure providers. In the world of cybercrime the malicious infrastructure provider, or Bulletproof Hoster (BPH) as they are called in the underground marketplace, is a core enabling service that often gets little attention from threat

Iran’s domestic espionage: Lessons from recent data leaks

By the Intel 471 Global Research Team. In the last decade, Iran has undergone a quiet revolution. Since the “Green Movement” uprising in 2009, more Iranians have dared to openly oppose their regime. The reasons include accusations of elections tampering, global sanctions, increased inflation, heavy investment of state funds in the nuclear and arming programs, and

Coronavirus having minimal impact on prices, demand, and availability across the cybercriminal underground

By the Intel 471 Intelligence Analysis team. Coronavirus Disease 2019 (COVID-19) continues to surround our everyday lives and its presence remains a topic of interest and discussion within underground forums. In the earlier days of the pandemic, we took a look at how attackers were leveraging the fear surrounding the disease to launch campaigns such

You need to adjust your patch priorities!

By the Intel 471 Intelligence Analysis team. Some business people might say the security folks don’t understand the dollar impact of taking a system offline. The reality is in business often time is money and quantifying the cost of key systems being taken offline is a real thing. Some security folks might also say that

Changes in REvil ransomware version 2.2

By the Intel 471 Malware Intelligence team. Summary The REvil ransomware-as-a-service (RaaS) operation continues to impact businesses worldwide. The threat actors responsible for developing and maintaining the malware have released an updated ransomware, namely version 2.2. In this short blog post, we will cover the significant changes from the previous version, which we covered in

COVID-19 pandemic: Through the cybercriminal’s eyes

By the Intel 471 Intelligence team. Cybercriminals’ exploitation of the global Coronavirus Disease 2019 (COVID-19) pandemic (in phishing lures, for example) has been covered widely in the media. But one underreported aspect is how the coronavirus itself is impacting cybercrime actors, their activities and their infrastructure. Our research of the underground marketplace and these actors

Understanding the relationship between Emotet, Ryuk and TrickBot

By the Intel 471 Malware Intelligence team. One of the more notable relationships in the world of cybercrime is that between Emotet, Ryuk and TrickBot. This loader-ransomware-banker trifecta has wreaked havoc in the business world over the past two years, causing millions of dollars in damages and ransoms paid. Our Malware Intelligence team receives a

REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation

By the Intel 471 Malware Intelligence team. Summary REvil, aka Sodinokibi or Sodin, is a ransomware family operated as a ransomware-as-a-service (RaaS). Deployments of REvil were first observed in April 2019, where attackers leveraged a vulnerability in Oracle WebLogic servers tracked as CVE-2019-2725. REvil is highly configurable and allows operators to customize the way it behaves

Analysis of an attempted attack against Intel 471

By the Intel 471 Malware Intelligence team. Background The following write-up is our analysis of an attack attempted against one of our employees this week. At no point was our employee’s system at risk of being compromised. Interestingly, the employee’s email address only had been used in very few instances externally. We are releasing this