With the new year upon us, we wanted to take a moment to look back at a few of the most viewed, most loved blogs from the previous year. In 2021, our threat researchers uncovered new ransomware groups, phishing kit creators and threat landscape trends. Our product managers released new features, and thought leaders shared their knowledge on the most critical issues facing the cybersecurity space today. In this piece, we’ll review the top 10 most viewed threat intelligence blogs from 2021.
Blogs Focused on Original Threat Intelligence Research
In 2021, the ZeroFox Intelligence team ramped up research on a few critical threat areas including phishing, fraud and ransomware.
Blog #1: Babuk Ransomware Variant Delta Plus Used in Live Attacks After Source Code Leaked
In September 2021, the ZeroFox Threat Intelligence team discovered a Babuk ransomware variant calling itself Delta Plus 2.3. By October, the operator behind Delta Plus had recently made use of multiple other ransomware variants under the name Delta Plus as well. While no notable changes were made to the Babuk variant aside from modifying the file extension, the sample’s build date was just 10 days after the leak, highlighting how low the barrier to entry for running a ransom operation can be when given a complete solution.
The actor behind Delta Plus appeared to be using various freely available ransomware products with the ability to drop custom ransom notes. With freely available ransomware builders and full source code to projects like Babuk available for anyone to download, the barrier to entry has been lowered. Skilled and low-skilled actors alike now have the ability to repackage ready-made solutions with minimal changes needed.
Blog #2: Flash Report on Colossus Ransomware
Also in September 2021, ZeroFox Intelligence discovered a variant of ransomware called Colossus affecting machines running Microsoft Windows operating systems. The sample had a number of features including binary packing via Themida and sandbox evasion capabilities. The ransomware had a support website for setting up communications with victims, which most likely was launched on September 20, 2021. The ransomware shares a similar ransom note structure to EpsilonRed, BlackCocaine, and some Sodinokibi/REvil notes. As of September 24, 2021, Colossus had one known victim currently in active negotiations, an automotive group based in the United States. The operators appear at least highly familiar if not directly associated with other existing ransomware-as-a-service (RaaS) groups based on their tactics, techniques, and procedures (TTPs).
Blog #3: 16Shop Targets Cash App with Latest Phishing Kit
In March 2021, ZeroFox Intelligence monitored a new target for phishing kit operator, 16Shop. 16Shop is a prolific phishing kit provider group that has been active for almost 3 years. The group is known for targeting high profile brands. In 2020, ZeroFox discovered 16Shop’s additions of Paypal and American Express to their portfolio of kits. Then in March 2021, the group released a Cash App version of their phishing kit for $70. It was nearly a year since they had added a new brand to their arsenal, and ZeroFox detected operators deploying this new kit within hours of its release.
Blog #4: A 6 Month Review of the Ransomware Landscape
From May to October 2021, the ZeroFox Threat Intelligence team observed the changing ransomware landscape with new, current, and evolved threats. As new threats emerged, current threats persisted or evolved to include novel capabilities and techniques. Among new threats included the discovery of Colossus ransomware by ZeroFox Threat Intelligence and new ransomware families based on old ransomware with a history of success. One of the most active ransomware groups since 2019, REvil was responsible for large-scale attacks on organizations around the world including the Kaseya supply chain attack. Ransomware once more proves to be a persistent threat to businesses and individuals.
Blogs Focused on Dark Web Threat Intelligence
Throughout 2021, the Dark Web remained both a breeding ground for cybercriminals as well as a critical threat intelligence resource.
Blog #5: Dark Web vs. Deep Web: Uncovering the Difference
In June 2021, our product management team explored the key differences between the deep and dark web and offered valuable insight on how to leverage both for actionable threat intelligence. This piece compares the two and offers tools and services for combatting threats on the deep and dark web.
Blog #6: Facebook Data Leak on Dark Web: How It Impacts Executives, Enterprises and the Growing Public Attack Surface
In April 2021, the ZeroFox Intelligence team noted that users on RaidForums started posting links to download a Facebook data leak that contained approximately 533 million user records. A few hours later, news agencies began publishing reports detailing the leak. The Facebook data leak included Facebook unique IDs, phone numbers, email addresses, names, and other personally identifiable information. Released on an accessible dark web forum, the over half a billion records represent roughly 20% of Facebook’s user base. This was a particularly interesting leak because while the data was from 2019, the very nature of the data (phone numbers, specifically) made it likely that much of the information would still be active and thereby valuable for hackers.
Blog #7: Top Four Damaging Consequences of Data Leakage
A typical data breach can happen within minutes. However, discovering the attack is a different story and can take a lot longer depending on your security stack and approach. Meanwhile, the consequences of the subsequent data leakage can last years. Verizon’s “2021 Data Breach Investigations Report” findings detail how long it typically takes to detect a breach while the malicious actor is already working next steps in the attack chain. “This year we decided to take a look at which breach types take the longest to discover (Figure 39) … we were also curious what kind of data was the fastest to be compromised, and that turns out to be Credentials. This is particularly the case in phishing, which typically goes after the victim’s credentials for use in gaining further access to their chosen victim organization.”
The consequences of compromised data are vast and can have severe impacts. It comes as no surprise that PwC’s 2021 Global Digital Trust Insights report highlights just how much organizations are coming to terms with this. Businesses are investing more, increasing their cyber budget by roughly 55% and headcount by 51%. Companies are also focusing on where they need to change their cyber strategy, with 50% stating “that cyber and privacy will be baked into every business decision or plan” and 72% planning to “strengthen cybersecurity posture while containing costs.”
In this piece, we review the top four consequences of dark web data leakage.
Blogs Focused on Phishing, Fraud and Scams
In 2021, threat actors evolved tried and true phishing and scam tactics. Through the use of phishing kits and sophisticated spoofing techniques, quickly standing up a phishing campaign has never been easier, making it that much more important for security practitioners to understand actor TTPs.
Blog #8: Spoofing vs. Phishing: Uncovering the Difference
All too often, we’ve seen the terms “spoofing” vs. “phishing” used interchangeably. Once each is defined and understood a bit more clearly, it is easy to see how different these tactics are at their core. Boiled down: phishing aims to take hold of personal information by convincing the user to provide it directly; spoofing aims to steal or disguise an identity so malicious activity can ensue.
Both employ a level of disguise and misrepresentation, so it is easy to see why they are so closely paired. When both types of attacks work together in tandem, they provide a convincing and seamless double-threat. It’s critical for organizations (big or small, from employees to executives) to know the difference so either attack can be spotted quickly and mitigated from the beginning.
This blog takes a closer look at spoofing vs. phishing, how they differ, and how you can mitigate the unique risks each poses.
Blog #9: Military Romance Scams on the Rise
Scams targeting military members (and even their families) shouldn’t be a primary concern considering the sacrifices they already make for their country. Unfortunately, the droves of instances we see and the reports that come in daily paint a different picture. In fact, the number of identity theft reports from service members is much higher when compared to non-military consumers. Romance scams are just one of many ways threat actors use social media against military members. Others include, but are not limited to, exploited digital IDs, disinformation, identity theft leading to fraud, as well as military entity and organization phishing attacks.
Blog #10: What is a Phishing Kit? Analysis and Tools for Threat Researchers
In 2021, ZeroFox Intelligence saw a major rise in the use of phishing kits. Phishing kits are a new clique in the cybercrime economy hallways. These products have entire communities of developers and buyers that operate like SaaS companies. In this post, we highlight just a few of the takeaways from ZeroFox Senior Director of Threat Intelligence, Zack Allen’s 2021 RSA Conference presentation “My Phishing Kit Burnbook.” In this fascinating session, Zack reviews a year’s worth of phishing kit research, outlining organized crime groups behind these kits and presenting a new tool called Phishpond, an open-source phishing kit detection and analysis tool.
Subscribe for more ZeroFox Threat Intelligence Blogs
As we head into 2022, you can expect more valuable threat intelligence blogs from ZeroFox, focused on known, evolving and emerging TTPs. Make sure to subscribe to the blog so you never miss a post!