TRIAGE - Threat Reporting and Intelligence on Attacks and General Exploits #68
Week of January 6th, 2025
The essential five strategic threat intelligence stories of the week. This is from TLP white/open-source websites, so please feel free to share and enjoy reading about these events. Leave a comment if you want to discuss any of these events!
1. FunkSec – Alleged Top Ransomware Group Powered by AI
Area of Impact: Ransomware, Insider Threat, Breach
Overview: The FunkSec ransomware group first emerged publicly in late 2024, and rapidly gained prominence by publishing over 85 claimed victims—more than any other ransomware group in the month of December. Presenting itself as a new Ransomware-as-a-Service (RaaS) operation, FunkSec appears to have no known connections to previously identified ransomware gangs, and little information is currently available about its origins or operations.
TRIAGE Response: This is a well-researched technical breakdown of the group’s activity. It also includes technical details that would be extremely useful in threat hunting for this activity, and a list of general IOCs at the end. The call-out of the blurred lines between hacktivist groups and ransomware groups is a fun line of discussion and definitely applies here, as does the point that this is one of the first threat groups that appears to be relying heavily on AI systems to help semi-technical members iterate on new code!
2. Easterly: SEC vs. CIRCIA a ‘recipe for dysfunction’ after private sector complaints
Area of Impact: Incident Response, Audit Reporting, Public-Private Cooperation
Overview: Easterly said private sector companies have come to her with issues about how to balance the U.S. Securities and Exchange Commission’s cyber incident reporting regime against the upcoming incident reporting rules under the Cyber Incident Reporting for Critical Infrastructure Act, also known as CIRCIA. While the SEC rule is meant to notify shareholders of cyber incidents and CIRCIA is meant for critical infrastructure organizations to report incidents to the federal government, Easterly explained that there is significant confusion among companies trying to follow both rules.
TRIAGE Response: Incident Response activities are difficult and complex no matter the size of the organization affected by a security incident. Many private organizations have gaps in their processes, do not have the DFIR process mapped out in the form of a Security Incident Response Plan, or have not done any tabletop exercises to test their plans. This also necessitates coordination with BCDR and IT teams for systems recovery testing. The last thing we need is confusing laws that impose different reporting requirements to different areas of the U.S. Government under conflicting reporting timeframes.
3. IntelBroker Unmasked: KELA’s In-Depth Analysis of a Cybercrime Leader
Area of Impact: OSINT, Data Breach, Insider Threat
Overview: IntelBroker entered the scene in late 2022, first appearing on BreachForums and rapidly building a reputation, first as a ransomware operator and then as an actor responsible for many data breaches. Over time, he transitioned into a leadership role, taking over BreachForums, an infamous hacking forum. His portfolio includes breaches of notable entities such as AMD, Europol, and Cisco, targeting sensitive data and demanding ransom payments exclusively in Monero (XMR).
TRIAGE Response: It is excellent to see attempts to expose cybercrime actors through OSINT techniques and research into their activities. We have seen a large uptick in legal actions from different areas of the U.S. government and several other Western nations in 2024, and I hope this also helps lead to further sanctions and arrests going into 2025.
4. Russia warned its 'shadow fleet' could face action from NATO allies
Area of Impact: Nation State Threats, Critical Infrastructure Destruction
Overview: NATO allies bordering the Baltic Sea issued a statement on Tuesday warning they reserve the right to take action against Russian ships that threaten submarine infrastructure. The joint statement, issued at the Baltic Sea NATO Allies Summit in Helsinki, follows a significant series of undersea cable breaks, most recently on Christmas Day when the Eagle S, an alleged Russian spy ship, is suspected to have dragged its anchor for more than 100 km along the seafloor to damage power and telecommunications infrastructure.
TRIAGE Response: After the Christmas Day destruction by a Russian ship dragging its anchor and the subsequent seizure of that ship by Finland, a group of NATO allies has quickly responded by forming a “task force” called Baltic Sentry to focus on protecting critical infrastructure such as the destroyed undersea cables. Russia has already been accused of spying with this “shadow fleet,” and we will see how it escalates from a geopolitical standpoint, as well as how it affects internet communications.
5. The Evolution of Ransomware: From Simple Encryption to Double Extortion Tactics
Area of Impact: Ransomware, Insider Threat, Data Breach
Overview: The evolution of ransomware represents one of the most significant transformations in the cybersecurity landscape over the past three decades. From its humble beginnings in the 1990s as a relatively crude form of digital extortion, ransomware has evolved into a sophisticated, multi-billion dollar threat. What started with the AIDS Trojan in 1989 – a primitive attack that required victims to mail $189 to a post office box in Panama – has morphed into highly coordinated operations employing advanced encryption, double-extortion tactics, and cryptocurrency payments.
TRIAGE Response: An excellent overview of ransomware through the years and the perfect type of thing to share with your team members in functions like GRC and IAM, as well as with upper management and executive teams, especially if you break this material down into a quick presentation at your next department meeting.