RESEARCH & INSIGHTS CENTER
Cyber Risk Intelligence: Exploitation of CVE-2023-47246
On November 8, SysAid disclosed that the Cl0p ransomware group had exploited a previously unknown vulnerability, now tracked as CVE-2023-47246, in SysAid’s on-premise IT Service Management (ITSM) software.
The SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team consulted SecurityScorecard’s Attack Surface Intelligence data and a partner’s network flow (NetFlow) data to identify possible targets of the exploit.
Cyber Threat Intelligence Update: New Claims of Attacks Against Israeli SCADA Systems
SecurityScorecard’s ongoing collections from hacktivist channels involved in cyber activity provoked by the conflict in Gaza highlight the international scope of the conflict, with hacktivist groups in Indonesia and Malaysia claiming attacks against organizations in Israel and allied states.
Cyber Risk Intelligence Update: Hacktivist Involvement in Israel-Hamas War Reflects Possible Shift in Threat Actor Focus
A Deep Dive into Cactus Ransomware
Cactus ransomware was discovered in March 2023. The malware creates a mutex called “b4kr-xr7h-qcps-omu3cAcTuS” to ensure that only one copy is running at a time. Persistence is achieved by creating a scheduled task named “Updates Check Task”. The ransomware requires an AES key to decrypt the encrypted public RSA key stored in the binary.
The files are encrypted using the AES algorithm (OpenSSL library), with the key being encrypted using the public RSA key. The extension of the encrypted files is changed to “cts0” or “cts1”.
New Deep and Dark Web Collections Regarding the Israel-Hamas War
With the outbreak of the ongoing war between Israel and Hamas, SecurityScorecard rapidly expanded its deep and dark web (DDW) collections to include messaging channels affiliated with Hamas and other militant groups.
The SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team combined automated analysis of these collections using SecurityScorecard’s large language model (LLM) with its researchers’ regional expertise to derive insights into these channels.
Cyber Risk Intelligence: Cyber Activity, Israeli Industrial Control Systems, and the Israel-Hamas War
Following the outbreak of war between Israel and Hamas on October 7, 2023, a wide variety of threat actors began claiming responsibility for cyberattacks against entities linked to both sides of the conflict.
Because attacks on industrial control system (ICS) devices could have severe consequences, the SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team focused on claims involving such devices. When further investigating the cyber activity surrounding the conflict, the STRIKE Team focused on identifying other exposed Israeli ICS devices.
Attack Surface Intelligence Identifies Additional Cuba Ransomware-Linked Indicators of Compromise
Following the publication of a report regarding the Cuba ransomware group’s recent activities, the SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team leveraged SecurityScorecard’s unique data to enrich the indicators of compromise (IoCs) linked to this activity.
STRIKE Team researchers identified additional IoCs not explicitly linked to the Cuba threat actor group in prior public reporting.
Cyber Risk Intelligence Update: STRIKE Team Investigation Identifies Possible Flax Typhoon Links to Higher Education
The SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team conducted further research into indicators of compromise (IoCs) connected to the China-backed Flax Typhoon threat actor group. This has revealed additional IP addresses the group may use.
A detailed analysis of the Money Message Ransomware
The threat actor group behind Money Message ransomware first appeared in March 2023, demanding million-dollar ransoms from its targets. Its configuration, which lists the services and processes the ransomware stops, can be found at the end of the executable. The ransomware creates a mutex and deletes the Volume Shadow Copies using vssadmin.exe.
The files are encrypted using the ChaCha20 algorithm, with the key being encrypted using ECDH (Elliptic-curve Diffie-Hellman). The extension of the encrypted files isn’t changed; however, the structure of the files indicates that they were encrypted.
SecurityScorecard Identifies Possible Flax Typhoon Infrastructure
On August 24, Microsoft published its analysis of espionage activity it attributes to a new threat actor group tracked as Flax Typhoon, which Microsoft assesses to act on behalf of the People’s Republic of China.
The SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team consulted SecurityScorecard’s Attack Surface Intelligence tool and a strategic partner’s network flow (NetFlow) data to develop further insight into the group’s activity and identify a population of servers the group appears to use in addition to those Microsoft identified in its report.