Initial access brokers (IABs) facilitate access for ransomware groups, data brokers, and advanced persistent threat groups (APTs) into corporate networks. They operate in an established, lucrative market, often on cybercriminal forums which are characterised by rigid rules and conventions. Our report explaining the illicit activities of IABs can be viewed here.

Cyjax recently identified a new financially-motivated extortion group going by the name Kairos, which shares data stolen from its victims on a data-leak site (DLS). An alleged spokesperson for the group, named ‘KairosSup’ made a bid on an initial access broker (IAB) listing on a prominent Russian-language cybercriminal forum. It is of note that the spokesperson’s name is likely styled after the representative of prolific ransomware group LockBit, who is called ‘LockBitSupp’.

It is nearing 2025, and data-leak sites (DLSs) for extortion groups continue to emerge. November 2024 continues this trend, with Cyjax observing the thirteenth most recent materialisation of a DLS for an extortion group calling itself “Kairos”. At the time of writing, Kairos has claimed attacks against six victims, two of which have acknowledged significant data breaches in 2024. However, it is unclear whether these are related.

CYJAX has identified a novel phishing technique which is used to harvest Microsoft credentials via websites which are masqueraded as locked Microsoft Word documents. This technique, which CYJAX is calling DirtyWord, uses a blurred Word document as the page background to inform the user that they must log in to view the document. Whilst CYJAX has not observed the delivery mechanism of the phish, it appears that it likely occurs through spear-phishing emails.

Welcome to this week’s Cyber Threat Intelligence Summary, where we bring you the latest updates and insights on significant cyber threats. This edition covers the UK-based winter fuel payment scams, a China-linked telecom hack targeting US politicians, and a new Google Chrome flaw exploited by Lazarus.

Welcome to this week’s Cyber Threat Intelligence Summary, where we bring you the latest updates and insights on significant cyber threats. This edition covers the SuperShell malware targeting Linux SSH servers, an in-depth analysis of three Chinese-linked clusters responsible for cyberattacks in Southeast Asia, and CitrineSleet exploiting a zero-day Chromium vulnerability.

Hacktivism is by its very nature reactive, as it involves the use of computer-based techniques as a form of civil disobedience to promote a political agenda or social change. Groups conduct attacks in response to the actions of others, both to encourage or discourage these actions. With the emergence and developments of the Russia-Ukraine war and the Israel-Palestine conflict escalations, there has been a resurgence in hacktivism over the past few years.

In today’s increasingly digital world, cybercrime and online criminal activities pose significant threats to individuals, businesses, and governments alike. One of the most effective strategies in combating these threats is the comprehensive monitoring of criminal forums and platforms.

On Friday 19 July 2024, CrowdStrike suffered a serious outage in which over 8.5 million computers were taken offline. Whilst it may have first appeared to be a cyber-attack, it was actually a faulty update to CrowdStrike Falcon which led to computers crashing to a blue screen on boot. Many organisations were affected, and in some cases were unable to access computer systems for multiple hours.

As the threat landscape continues to develop, ransomware and data brokerage groups constantly emerge, develop, and disband. Cyjax observed a relatively high level of data-leak site (DLS) emergence in July 2024, with a total of nine new sites. For reference, the highest observed number of ransomware groups that have emerged in a single month is ten (September 2022).