TRIAGE - Threat Reporting and Intelligence on Attacks and General Exploits #65
Week of November 25th, 2024
The five essential strategic threat intelligence stories of the week. All of these come from TLP:WHITE (now TLP:CLEAR)/open-source websites, so please feel free to share and enjoy reading about these events. Leave a comment if you want to discuss any of them!
1. Russia delivers historic life sentence to suspected founder of darknet marketplace
Area of Impact: Cybercrime, Dark Web, Law Enforcement
Overview: A Russian court has handed down an unprecedented life sentence to the suspected kingpin of the dismantled darknet drug marketplace Hydra. Fifteen of his accomplices were also sentenced, with punishments ranging from 8 to 23 years in maximum-security penal colonies.
TRIAGE Response: There has been an uptick in Russian law enforcement actions against different threat actors in the past couple of weeks. Hopefully this is a lasting change for the better and not just a flash in the pan like the flurry of activity right before the Ukraine invasion, which quickly died out. This is also a first for Russia: a life sentence handed down for cybercrime, along with major sentences and real fines for his collaborators.
2. UK cyber chief warns country is ‘widely underestimating’ risks from cyberattacks
Area of Impact: Cybercrime, Malware, Ransomware
Overview: The cyber risks facing the United Kingdom are being “widely underestimated,” the country’s new cyber chief will warn on Tuesday as he launches the National Cyber Security Centre’s (NCSC) annual review. In his first major speech since joining the NCSC — part of the signals and cyber intelligence agency GCHQ — Richard Horne will drive a shift in tone in how the cybersecurity agency communicates these risks.
TRIAGE Response: It is not good news to hear about attacks increasing at this rate year over year, but it is great news when the top leaders of these organizations, whether public or private, acknowledge that they are behind and need to focus on matching attacker capabilities. The push for sharing frameworks with private organizations is also a positive, and hopefully similar programs gain more traction in the U.K. and in the USA.
3. Cloudflare says it lost 55% of logs pushed to customers for 3.5 hours
Area of Impact: Incident Response
Overview: The incident was caused by a misconfiguration in Logfwdr, a key component in Cloudflare's logging pipeline responsible for forwarding event logs from the company's network to downstream systems. Specifically, a configuration update introduced a bug that pushed a 'blank configuration' to the forwarder. The forwarder interpreted the empty configuration as "no customers have log forwarding enabled" rather than as a broken update, and so the logs were discarded instead of being held or routed under the previous configuration.
TRIAGE Response: This is a nightmare for anyone doing DFIR work for an organization that relied on those logs during the outage window: any timeline built from forwarded Cloudflare logs will be missing more than half of the events from that 3.5-hour period and will have to be reconciled against other sources. It is also the latest in a series of major outages at large IT/Infosec platforms, which hit hard for any organization that depends on those toolsets.
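The failure mode in the Cloudflare incident is that an empty configuration is indistinguishable from a legitimate "nobody wants logs" state unless the forwarder is written to tell them apart. The following is an added example, not Cloudflare's Logfwdr code, of a toy log forwarder with the naive overwrite-on-update behaviour beside a fail-safe version that keeps the last-known-good routing table when an update would drop every customer (or an implausibly large share of them). The JSON config shape, the customer IDs, the destinations and the events are all constructed for this example.

```python
import json
from dataclasses import dataclass, field

# Constructed sample configs and events; the {"customers": {id: destination}}
# shape is a hypothetical one chosen for this example.
GOOD_CONFIG = json.dumps({"customers": {
    "cust-a": "s3://bucket-a/logs",
    "cust-b": "https://siem.example/ingest",
    "cust-c": "s3://bucket-c/logs",
    "cust-d": "splunk://hec.example",
}})
BLANK_CONFIG = json.dumps({"customers": {}})  # the bad push: "nobody has forwarding enabled"
SHRUNK_CONFIG = json.dumps({"customers": {    # a later, legitimate change: one customer offboarded
    "cust-a": "s3://bucket-a/logs",
    "cust-b": "https://siem.example/ingest",
    "cust-c": "s3://bucket-c/logs",
}})
EVENTS = [
    {"customer": "cust-a", "msg": "GET / 200"},
    {"customer": "cust-b", "msg": "POST /login 401"},
    {"customer": "cust-zzz", "msg": "tenant with no forwarding configured"},
]


class ConfigRejected(Exception):
    pass


@dataclass
class Forwarder:
    routes: dict = field(default_factory=dict)   # customer_id -> destination
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # audit trail of refused config updates

    def forward(self, event):
        dest = self.routes.get(event["customer"])
        if dest is None:
            self.dropped.append(event)            # tenant genuinely not configured: expected drop
        else:
            self.forwarded.append((dest, event))


def parse_config(raw):
    """Parse and shape-check a config document; raises on anything malformed."""
    routes = json.loads(raw).get("customers")
    if not isinstance(routes, dict) or any(not isinstance(v, str) or not v for v in routes.values()):
        raise ConfigRejected("malformed routing table")
    return routes


def naive_apply(fwd, raw):
    """Overwrite whatever arrives: a blank table silently becomes 'forward nothing'."""
    fwd.routes = parse_config(raw)


def safe_apply(fwd, raw, max_drop_fraction=0.5):
    """Fail safe: keep the last-known-good table unless the update passes sanity checks.
    The 50% threshold is an assumed policy for this example, not a Cloudflare setting."""
    try:
        new_routes = parse_config(raw)
    except (ValueError, ConfigRejected) as e:   # JSONDecodeError is a ValueError
        fwd.rejected.append(f"rejected update: {e}")
        return False
    if fwd.routes and not new_routes:
        fwd.rejected.append("rejected update: blank config would drop all customers")
        return False
    lost = set(fwd.routes) - set(new_routes)
    if fwd.routes and len(lost) / len(fwd.routes) > max_drop_fraction:
        fwd.rejected.append(f"rejected update: removes {len(lost)}/{len(fwd.routes)} customers")
        return False
    fwd.routes = new_routes
    return True


def simulate(apply_fn):
    """Replay the incident sequence: good config, blank push, traffic, then a normal change."""
    fwd = Forwarder()
    apply_fn(fwd, GOOD_CONFIG)
    apply_fn(fwd, BLANK_CONFIG)
    for ev in EVENTS:
        fwd.forward(ev)
    apply_fn(fwd, SHRUNK_CONFIG)
    return fwd


if __name__ == "__main__":
    for name, fn in (("naive", naive_apply), ("safe", safe_apply)):
        f = simulate(fn)
        print(f"{name}: forwarded={len(f.forwarded)} dropped={len(f.dropped)} rejected={f.rejected}")
```

With the naive loader the blank push turns every event into a drop; with the fail-safe loader the blank push is logged as a rejected update, traffic keeps flowing under the previous table, and the later one-customer offboarding is still accepted. The threshold check means a genuine mass offboarding needs an explicit, separately authorised path rather than a silent overwrite, which is the trade-off a practitioner should make deliberately.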
4. U.S. Citizen Sentenced for Spying on Behalf of China's Intelligence Agency
Area of Impact: Insider Threat, Cybercrime, Law Enforcement
Overview: Ping Li, 59, of Wesley Chapel, Florida, is said to have served as a cooperative contact for the Ministry of State Security (MSS) as early as August 2012, working at their behest to obtain information that's of interest to the Chinese government. Li was employed at telecom giant Verizon and later at information technology service company Infosys.
TRIAGE Response: While U.S. government organizations are issuing technical and security alerts warning about the threat group Salt Typhoon and its targeting of major telecom companies in the USA, an actual human spying case involving a telecom employee is being handled at the same time. This is again the perfect kind of case for insider threat training and awareness.
5. The Dark Web and Cybercrime: How Hidden Networks Operate
Area of Impact: Dark Web, Cybercrime, Ransomware
Overview: Understanding the Dark Web is critical for modern organizations to effectively protect themselves against its threats; the Dark Web facilitates criminal activities by acting as a marketplace for stolen credentials, stealer logs, and other illicit goods. This makes it an important area of focus for cybersecurity efforts. This blog explores the Dark Web’s structure, common cybercrimes, and the challenges faced by law enforcement and cybersecurity teams in addressing its threats.
TRIAGE Response: Great overview and training resource on dark web markets and on dark web monitoring in general.