<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>KELA Archives - Deliver Intelligence - Dibiz JSC</title>
	<atom:link href="https://dibiz.vn/en/category/kela-en/feed/" rel="self" type="application/rss+xml" />
	<link>https://dibiz.vn/en/category/kela-en/</link>
	<description></description>
	<lastBuildDate>Thu, 19 Jun 2025 17:05:15 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://dibiz.vn/wp-content/uploads/2025/06/cropped-cropped-cropped-cropped-3-1-32x32.png</url>
	<title>KELA Archives - Deliver Intelligence - Dibiz JSC</title>
	<link>https://dibiz.vn/en/category/kela-en/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Telegram’s Policy Shift: How Cybercriminals Are Reacting to New Data Sharing Rules</title>
		<link>https://dibiz.vn/en/telegrams-policy-shift-how-cybercriminals-are-reacting-to-new-data-sharing-rules/</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Tue, 08 Oct 2024 07:27:00 +0000</pubDate>
				<category><![CDATA[KELA]]></category>
		<guid isPermaLink="false">https://dbiz.vn/?p=989657</guid>

					<description><![CDATA[<p>Telegram recently made waves by updating its privacy policy, marking a significant departure from its long-standing reputation as a haven for privacy-focused users, including cybercriminals. The messaging platform, known for its hands-off moderation approach, will now share users’ phone numbers and IP addresses with law enforcement following court orders. This change applies to various criminal...</p>
<p>The post <a href="https://dibiz.vn/en/telegrams-policy-shift-how-cybercriminals-are-reacting-to-new-data-sharing-rules/">Telegram’s Policy Shift: How Cybercriminals Are Reacting to New Data Sharing Rules</a> appeared first on <a href="https://dibiz.vn/en/">Deliver Intelligence - Dibiz JSC</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="vgblk-rw-wrapper limit-wrapper"><p>Telegram recently made waves by updating its privacy policy, marking a significant departure from its long-standing reputation as a haven for privacy-focused users, including cybercriminals. The messaging platform, known for its hands-off moderation approach, will now share users’ phone numbers and IP addresses with law enforcement following court orders. This change applies to various criminal investigations, expanding beyond the previous limit of only terror-related offenses. You can read the full details of the new policy on <a href="https://telegram.org/privacy?setln=fa">Telegram’s Privacy Policy page</a>.</p>
<h4><b>What Telegram’s New Policy Means for Privacy and Security</b></h4>
<p>The update comes amidst increasing legal pressures on Telegram and its founder, Pavel Durov, after his recent detainment in France. Authorities have been pressuring Telegram to combat the illegal activities flourishing on the platform, which ultimately led to this sweeping policy update. For more context on Durov’s detainment, you can check out our blog post: <a href="https://www.kelacyber.com/blog/durov-telegram-ceo-under-arrest/">Durov’s Arrest and Telegram’s Transformation</a>.</p>
<p>For years, Telegram was a go-to platform for those seeking to operate below the radar of law enforcement. For more context read our report: <a href="https://www.kelacyber.com/wp-content/uploads/2023/02/KELA_Telegram_CEBIN.pdf" data-lf-fd-inspected-lynor8xnwwn4wqjz="true">Telegram: How a messenger turned into a cybercrime ecosystem</a>. This update signals a turning point, as the platform will now cooperate with authorities in criminal investigations.</p>
<h4><b>How Cybercriminals Are Reacting to Telegram’s Policy Update</b></h4>
<p>KELA’s research reveals widespread unease within cybercriminal communities about these changes. Groups like <b>Ghosts of Palestine</b> have publicly declared their intentions to leave Telegram and seek out more privacy-centric platforms. <b>RipperSec</b>, another prominent hacktivist group, has already begun setting up backup channels on <b>Discord</b>, anticipating that Telegram’s cooperation with law enforcement will pose a threat to their anonymity. <b>Al Ahad</b>, also hacktivists, created a Signal group and promised to close their Telegram channel soon. The <b>GlorySec</b> hacktivists even mentioned they “may or may not created” Facebook and Threads accounts, though without taking any actions.</p>
<figure id="attachment_28782" class="wp-caption aligncenter" aria-describedby="caption-attachment-28782"><img fetchpriority="high" decoding="async" class="wp-image-28782 size-medium entered lazyloaded" src="https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture1_very-first-300x195.png" sizes="(max-width: 300px) 100vw, 300px" srcset="https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture1_very-first-300x195.png 300w, https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture1_very-first.png 742w" alt="Ghost of Palestine announcing their intention to find alternative to Telegram" width="300" height="195" data-lazy-srcset="https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture1_very-first-300x195.png 300w, https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture1_very-first.png 742w" data-lazy-sizes="(max-width: 300px) 100vw, 300px" data-lazy-src="https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture1_very-first-300x195.png" data-ll-status="loaded" /><figcaption id="caption-attachment-28782" class="wp-caption-text">Ghost of Palestine announcing their intention to find alternative to Telegram</figcaption></figure>
<figure id="attachment_28776" class="wp-caption aligncenter" aria-describedby="caption-attachment-28776"><img decoding="async" class="wp-image-28776 size-medium entered lazyloaded" src="https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture1-300x191.png" sizes="(max-width: 300px) 100vw, 300px" srcset="https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture1-300x191.png 300w, https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture1.png 487w" alt="Al Ahad claiming to leave Telegram in favor of Signal" width="300" height="191" data-lazy-srcset="https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture1-300x191.png 300w, https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture1.png 487w" data-lazy-sizes="(max-width: 300px) 100vw, 300px" data-lazy-src="https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture1-300x191.png" data-ll-status="loaded" /><figcaption id="caption-attachment-28776" class="wp-caption-text">Al Ahad claiming to leave Telegram in favor of Signal</figcaption></figure>
<p>Meanwhile, other groups are taking more pragmatic approaches. <b>UserSec</b>, for example, is now offering tutorials on how to maintain anonymity on Telegram, sharing tips on evading detection under the new data-sharing rules. On the <b>BF Repo V3 Chat</b> group, a Telegram chat related to BreachForums’ users, members have even floated the idea of creating a custom messaging platform using Telegram’s GUI as a foundation to continue their activities with less risk of exposure.</p>
<p>Overall, KELA has witnessed different cybercriminals discussing <b>Jabber, Matrix</b>, and <b>Session</b> as alternatives to Telegram. However, these are mostly considered for private messaging or private groups, while Telegram provides them with an opportunity to create open communities around illegal activity. So far, only <b>Discord</b> has been mentioned as a platform that can provide the same functionality, as well as <b>Signal</b> groups.</p>
<p>Despite these initial responses, there hasn’t yet been a mass exodus of cybercriminals from Telegram. However, these discussions signal potential future movement as groups and individuals weigh their options in response to the platform’s shift.</p>
<h4><b>Will Telegram’s Policy Shift Impact Criminal Activity?</b></h4>
<p>It is not yet clear whether this policy change has the potential to significantly disrupt criminal activity on Telegram and drive criminals to Discord or other platforms. While cybercriminals are definitely expressing their concerns on the matter, their operations on Telegram are simply too large in scale to be shifted to another platform right away.</p>
<p>For example, infostealers’ operations use Telegram for more than selling and sharing harvested data through “clouds of logs” (read more in our blog: <a href="https://www.kelacyber.com/blog/telegram-clouds-of-logs-the-fastest-gateway-to-your-network/">Telegram Clouds of Logs – the fastest gateway to your network</a>). Commodity infostealers provoked the emergence of cybercriminal gangs and teams working together to infect as many people as possible. To coordinate their activities, many use Telegram, creating all types of tools: channels for hiring new traffers and advertising the team, public and private chats for coordinating activities and discussions, and Telegram bots for automating tasks, payments and more. Such behavior is common among many malware-as-a-service operations, as well as hacktivists and other cybercriminals.</p>
<p>Moreover, Telegram’s new dedicated team of moderators, leveraging AI, is stepping up efforts to monitor and remove illegal content from its search features. This heightened focus on moderation could make it more difficult for cybercriminals to operate openly on the platform. However, many of them are used to dealing with such barriers. As seen with groups like <b>UserSec</b>, some may attempt to exploit loopholes or develop strategies to continue their operations despite these new challenges. KELA is aware of cybercriminals maintaining backup Telegram channels for a while now; usually, once their main channel is banned, they will switch to another one, which was proactively advertised to their followers.</p>
<figure id="attachment_28778" class="wp-caption aligncenter" aria-describedby="caption-attachment-28778"><img decoding="async" class="wp-image-28778 size-medium entered lazyloaded" src="https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture2-300x211.png" sizes="(max-width: 300px) 100vw, 300px" srcset="https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture2-300x211.png 300w, https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture2-450x316.png 450w, https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture2.png 518w" alt="RipperSec listing their backup channel for subscribers" width="300" height="211" data-lazy-srcset="https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture2-300x211.png 300w, https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture2-450x316.png 450w, https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture2.png 518w" data-lazy-sizes="(max-width: 300px) 100vw, 300px" data-lazy-src="https://www.kelacyber.com/wp-content/uploads/2024/09/Telegram-Picture2-300x211.png" data-ll-status="loaded" /><figcaption id="caption-attachment-28778" class="wp-caption-text">RipperSec listing their backup channel for subscribers</figcaption></figure>
<p>The policy shift won’t eliminate cybercrime on Telegram, but it’s likely to change how threat actors operate in the short and long term.</p>
<h4><b>What This Means for Threat Intelligence: Insights from KELA</b></h4>
<p>For companies like KELA, these changes present both challenges and opportunities. While some cybercriminals may move to other platforms, KELA’s unmatched coverage ensures we continue to track and monitor activity across a wide range of forums and messaging apps. It’s not just about knowing the right sources — it’s about gaining access to these underground communities. KELA’s combination of human expertise and advanced technology provides unique access to forums and channels that are often hidden from other intelligence providers.</p>
<p>This constant vigilance allows us to stay ahead of emerging trends, tracking where threat actors are moving and how they are attempting to evade detection. By adapting quickly to shifts in the cybercrime landscape, KELA ensures our clients receive actionable insights, helping them to stay proactive in their defense strategies, even as platforms like Telegram evolve.</p>
<h4><b>Conclusion: The Future of Telegram and Cybercrime</b></h4>
<p>Telegram’s recent policy shift is a clear response to mounting legal pressure and a broader need to curb the platform’s use for illegal activities. While the new rules may drive some criminals to more secure platforms, Telegram’s 900 million active users mean it will likely remain a key player in the cybercrime ecosystem for the time being.</p>
<p>As these changes take hold, KELA will continue to provide critical intelligence on how threat actors are adapting to the evolving landscape, ensuring that security teams stay one step ahead of malicious activity.</p>
<p style="text-align: right;">Source: kelacyber.com</p>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>What is Ransomware? And Why is it Such a Big Business?</title>
		<link>https://dibiz.vn/en/what-is-ransomware-and-why-is-it-such-a-big-business/</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Tue, 08 Oct 2024 07:15:19 +0000</pubDate>
				<category><![CDATA[KELA]]></category>
		<guid isPermaLink="false">https://dbiz.vn/?p=989649</guid>

					<description><![CDATA[<p>Between Q2 2023 and Q2 2024, KELA has tracked more than 5,000 victims of ransomware and extortion actors, and the numbers are only growing year-on-year. Ransomware has become a huge business, and monetization opportunities are far broader than just the ransom demand itself.  Our latest eBook takes a deep dive into the business of the...</p>
<p>The post <a href="https://dibiz.vn/en/what-is-ransomware-and-why-is-it-such-a-big-business/">What is Ransomware? And Why is it Such a Big Business?</a> appeared first on <a href="https://dibiz.vn/en/">Deliver Intelligence - Dibiz JSC</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="vgblk-rw-wrapper limit-wrapper">
<div class="post_top">
<p class="text-body"><span style="color: var(--vamtam-widget-text-lighter); letter-spacing: var(--vamtam-primary-font-letter-spacing-desktop,normal); text-transform: var(--vamtam-primary-font-transform,none);">Between Q2 2023 and Q2 2024, KELA has tracked more than 5,000 victims of ransomware and extortion actors, and the numbers are only growing year-on-year. Ransomware has become a huge business, and monetization opportunities are far broader than just the ransom demand itself. </span></p>
</div>
<div class="native--content">
<p>Our latest eBook takes a deep dive into the business of the ransomware supply chain, looking at headline-grabbing attacks, key personas that leverage the cybercrime underground for financial gain, and best practices for protecting your own organization. <a href="https://www.kelacyber.com/resources/guides/the-complete-guideto-combating-ransomware/">Download the eBook here</a>, or keep reading for some choice highlights.</p>
<h4>How Does Ransomware Work?</h4>
<p>When we think of ransomware, we imagine the end game — where attackers encrypt data and demand a ransom for its return. In a double extortion attack, the threat actors threaten to leak the stolen data, and in a triple extortion attack, additional methods are used such as DDoS attacks or a spam campaign, usually intended to up the pressure.</p>
<p>However, by the time any of these tactics become apparent to the victim, the ransomware attack is at its final stages.</p>
<p>A ransomware attack begins long before an organization has any idea that it is under fire. First, attackers <b>gather intelligence</b> and conduct active reconnaissance, picking an organization that they believe may lead to a large payday. Attackers then need to <b>obtain initial access</b> to the victim’s network. They can do this by purchasing initial access from Initial Access Brokers (IABs), who have done the majority of the legwork, or through compromised employee accounts. These accounts are mostly obtained through infostealers, which often infect a system via malicious links and attachments hidden in emails, social engineering, malvertising, or perhaps as a result of software vulnerabilities.</p>
<p>Once inside, attackers use <b>lateral movement</b> and privilege escalation to expand their reach, finding sensitive data or gaining control over endpoints. This puts them where they need to be for <b>data exfiltration</b>, which they can then leverage when they threaten to leak the data, or sell it on. Only then do attackers <b>deploy their ransomware</b>, encrypting files and making them inaccessible, and establish a communication channel to <b>demand a ransomware payment.</b></p>
<h4>The Evolution of Ransomware Attacks</h4>
<p>Historically, a single hacker or group might have targeted an enterprise, going through all of these steps in their own silo. However, today ransomware attacks are predominantly the work of different people with different specializations, coming together to make an attack possible through the cybercrime ecosystem.</p>
<p>Those who have the expertise to build the malware can focus there — while others may be hired as traffers, individuals whose role it is to spread the malware far and wide, or as negotiators, who are highly-skilled in getting ransoms paid quickly. Ransomware-as-a-Service is a growing trend, and Autoshops are also more common than ever — allowing hackers to simply ‘click-to-buy’ what they need, whether that’s attack tools, initial access, or lists of credentials.</p>
<p>The cybercrime ecosystem isn’t only used to buy things; it’s also a community of threat actors who can use it to recruit and coordinate for attacks, negotiate with victims, and share their own methodologies and support for one another.</p>
<p>These changes have allowed ransomware efforts to scale beyond what anyone could have imagined, giving attackers many more opportunities to target organizations, and providing a greater chance of financial gain.</p>
<h4>Where Do Criminals Find Initial Access in the Cybercrime Ecosystem?</h4>
<p>In the past year, compromised valid accounts (<a href="https://attack.mitre.org/techniques/T1078/">MITRE ID: T1078</a>) and user credentials have become the <a href="https://www.ibm.com/reports/threat-intelligence">top initial access vector</a> for cyber attacks. Criminals can find <a href="https://www.kelacyber.com/from-data-leaks-to-bot-led-takeovers-understanding-leaked-credentials-vs-compromised-accounts/">credentials and compromised accounts</a> from a combination of four main sources:</p>
<ul>
<li aria-level="1"><b>Botnet markets:</b> These offer threat actors a list of data and logs to sift through and choose from, starting from as little as $0.50.</li>
<li aria-level="1"><b>Telegram cloud of logs:</b> By subscribing to a monthly channel, criminals can gain access to all credentials from compromised machines.</li>
<li aria-level="1"><b>ULP files:</b> These credential lists can often contain millions of plaintext credentials, which are usernames and passwords with a corresponding URL.</li>
<li aria-level="1"><b>Initial access brokers:</b> IABs directly sell remote access to a compromised organization, so criminals can step in at the final stage and launch the attack.</li>
</ul>
<h4>Identity Security Offers Proactive Defense against Ransomware</h4>
<p>Keeping a spotlight on these sources is a core part of protecting your organization against ransomware. After all, your attack surface is no longer about perimeter security — it’s about knowing what the attackers know about you. By onboarding a robust identity security platform like KELA Identity Guard, you get exactly this vantage point.</p>
<p>KELA Identity Guard monitors illicit dark web marketplaces, cybercrime forums, and messaging and bot marketplaces, so that any compromised credentials related to organizational domains, SaaS tools and IP addresses can be intercepted in real-time. It offers a wide range of insights into infostealer and bot-related information, including threat trends, compromised service categories, and more.</p>
<p style="text-align: right;">Source: kelacyber.com</p>
</div>
</div>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
