2023 Europol Spotlight Report: The Apex of Crime-as-a-Service Highlights Ransomware as the Most Prominent Threat of This Category
The Internet Organised Crime Threat Assessment (IOCTA) 2023 Europol Spotlight Report on Cyber Threats calls out the ransomware ecosystem, highlighting ransomware as the most “prominent” cyberthreat across industries. [1]
Phishing emails, Remote Desktop Protocol (RDP) brute forcing, and Virtual Private Network (VPN) vulnerability exploitation are listed as the most common initial access vectors preceding ransomware deployment. The ransomware ecosystem is fueled in large part by a further network of cybercriminals categorized as initial access brokers (IABs). They are important to ransomware syndicates because IABs provide access to victims they have already compromised, drawn from a cache curated by individual brokers and groups. This reduces the resource load on ransomware operators by providing a shortcut. The persistent access IABs acquire is usually opportunistic, exploiting certain infrastructure in a pattern based on a particular vulnerability or system weakness.
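RDP brute forcing is the one of the three listed vectors that leaves the clearest trace on the victim side: every failed attempt is a Windows Security event. The following detector is an added example and not code from the EclecticIQ post or the Europol report. It counts failed logons (Event ID 4625) whose Logon Type is 10 (RemoteInteractive, the type RDP sessions produce) per source address inside a sliding window and raises one alert per source once a threshold is reached. The events are constructed sample data in a simplified dict form; the threshold and window size are assumptions.

```python
"""Flag RDP password guessing from Windows Security log events.

Added example (not from the EclecticIQ post). Events are constructed
sample data; threshold and window are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624     # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = 10      # RemoteInteractive (Terminal Services / RDP)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: ISO time of first alert} for every source that
    produced `threshold` or more failed RDP logons within `window`.

    Only 4625 events with Logon Type 10 are counted; failures over SMB or
    other network logons (type 3) belong to a different rule.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        ip, ts = ev["source_ip"], ev["time"]
        q = recent[ip]
        q.append(ts)
        # Drop attempts that fell out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts.isoformat()
    return alerts


# --- constructed sample events (assumed shape, not a real log export) ---
_BASE = datetime(2023, 9, 20, 8, 0, 0)


def _ev(ip, offset_sec, event_id=FAILED_LOGON, logon_type=RDP_LOGON_TYPE,
        user="administrator"):
    return {"time": _BASE + timedelta(seconds=offset_sec), "event_id": event_id,
            "logon_type": logon_type, "source_ip": ip, "user": user}


SAMPLE_EVENTS = (
    # six RDP failures in 50 seconds from one source: should alert
    [_ev("203.0.113.5", 10 * i) for i in range(6)]
    # two failures then a success from a second source: normal typo behaviour
    + [_ev("198.51.100.7", 20 * i) for i in range(2)]
    + [_ev("198.51.100.7", 60, event_id=SUCCESS_LOGON)]
    # six failures over the network (type 3), not RDP: ignored by this rule
    + [_ev("203.0.113.9", 10 * i, logon_type=3) for i in range(6)]
    # six RDP failures spread one every three minutes: never inside the window
    + [_ev("192.0.2.44", 180 * i) for i in range(6)]
)

if __name__ == "__main__":
    print(detect_rdp_bruteforce(SAMPLE_EVENTS))
```

The window-based count matters more than the raw total: the source spread one attempt every three minutes never trips the rule with a two-minute window, which is exactly the low-and-slow pattern a per-hour threshold would catch and a per-minute threshold would miss, so in production the two rules complement each other.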
Noname057(16) Will Very Likely Expand DDoS Operations Against EU States In The Short Term
The same Europol report also notes the prospect of new threat actors responding to the war in Ukraine in cyberspace, specifically mentioning DDoS (distributed denial of service) attacks. EclecticIQ analysts recently observed and validated a new Russian-speaking threat actor, “NoName057(16)”, targeting EU member states with DDoS attacks. The threat actor is politically motivated by the war in Ukraine and responds heavily to public political moments with Telegram postings of cyberattacks that align with Russian interests. The attacks are notable for recently targeting, in a coordinated manner via Telegram, both government infrastructure, such as the main websites of prime ministers, and infrastructure serving transportation. Reporting indicates the group engaged in renewed activity starting near the end of July 2023. [2,3]
EclecticIQ analysts have validated that some of the websites advertised on the threat actor’s main Telegram channel were unavailable within 24 hours of posting. The DDoS techniques use floods of HTTP requests and a Telegram bot that helps automate the attack, but are otherwise not novel.
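Because the technique is a plain HTTP request flood, the first defensive signal is the web server's own access log: many requests from one client address in a short time, usually aimed at one path. The detector below is an added example and not code from the EclecticIQ post or from any reporting on NoName057(16). It parses Combined Log Format lines, counts requests per client address in fixed time buckets and reports every (address, bucket) pair at or above a threshold together with the most-requested path. All log lines are constructed sample data; the threshold and bucket size are assumptions, and a real deployment would also need to account for shared egress addresses such as corporate proxies.

```python
"""Flag HTTP request floods in web-server access logs.

Added example (not from the EclecticIQ post). Log lines are constructed
sample data; threshold and bucket size are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for a well-formed access log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def detect_http_flood(lines, threshold=30, bucket_seconds=10):
    """Return a list of {ip, bucket, requests, top_path} for every client
    address that sent `threshold` or more requests inside one bucket."""
    counts = defaultdict(Counter)   # (ip, bucket_start_epoch) -> Counter(path)
    for line in lines:
        rec = parse_line(line)
        if rec is None:               # malformed lines are skipped, not fatal
            continue
        epoch = int(rec["ts"].timestamp())
        bucket = epoch - epoch % bucket_seconds
        counts[(rec["ip"], bucket)][rec["path"]] += 1
    hits = []
    for (ip, bucket), paths in sorted(counts.items()):
        total = sum(paths.values())
        if total >= threshold:
            hits.append({
                "ip": ip,
                "bucket": datetime.fromtimestamp(bucket, timezone.utc).isoformat(),
                "requests": total,
                "top_path": paths.most_common(1)[0][0],
            })
    return hits


# --- constructed sample log (not a capture from any real server) ---
def _log_line(ip, ts, path, status=200):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


_START = datetime(2023, 9, 20, 10, 15, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # 40 requests for "/" within five seconds from one address: a flood
    [_log_line("203.0.113.10", _START + timedelta(seconds=i // 8), "/")
     for i in range(40)]
    # five requests over 24 seconds from an ordinary visitor
    + [_log_line("198.51.100.20", _START + timedelta(seconds=6 * i), p)
       for i, p in enumerate(["/", "/news", "/static/app.js", "/about", "/contact"])]
    # a garbled line, as real logs contain
    + ["garbled line that does not match the format"]
)

if __name__ == "__main__":
    for hit in detect_http_flood(SAMPLE_LOG):
        print(hit)
```

Bucketing by client address is deliberately simple so the logic is easy to audit; the same `counts` structure can be keyed by path alone to spot a distributed flood in which no single address exceeds the threshold but one URL receives far more requests than its baseline.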
Structured Data
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack: https://cti.eclecticiq.com/taxii/discovery.
Please refer to our support page for guidance on how to access the feeds.
About EclecticIQ Intelligence and Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.
Appendix
[1] “IOCTA spotlight report on malware-based cyber-attacks published,” Europol. https://www.europol.europa.eu/media-press/newsroom/news/iocta-spotlight-report-malware-based-cyber-attacks-published, (accessed Sep. 21, 2023).
[2] “Following NoName057(16) DDoSia Project’s Targets,” Sekoia. https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/, (accessed Sep. 21, 2023).
[3] “+fiTz615tQ6BhZWFi” NoName057(16) Main Telegram Channel. Telegram. https[:]//t[.]me/+fiTz615tQ6BhZWFi, (accessed Sep. 20, 2023).