Blogs

Blog

How China’s “Walled Garden” is Redefining the Cyber Threat Landscape

In our latest webinar, Flashpoint unpacks the architecture of the Chinese threat actor cyber ecosystem—a parallel offensive stack fueled by government mandates and commercialized hacker-for-hire industry.

For years, the global cybersecurity community has operated under the assumption that technical information was a matter of public record. Security research has always been openly discussed and shared through a culture of global transparency. Today, that reality has fundamentally shifted. Flashpoint is witnessing a growing opacity—a “Walled Garden”—around Chinese data. As a result, the competence of Chinese threat actors and APTs has reached an industrialized scale.

In Flashpoint’s recent on-demand webinar, “Mapping the Adversary: Inside the Chinese Pentesting Ecosystem,” our analysts explain how China’s state policies surrounding zero-day vulnerability research have effectively shut out the cyber communities that once provided a window into Chinese tradecraft. However, they haven’t disappeared. Rather, they have been absorbed by the state to develop a mature, self-sustaining offensive stack capable of targeting global infrastructure.

Understanding the Walled Garden: The Shift from Disclosure to Nationalization

The “Walled Garden” is a direct result of a Chinese regulatory turning point in 2021: the Regulations on the Management of Security Vulnerabilities (RMSV). While the gradual walling off of China’s data is the cumulative result of years of implementing regulatory and policy strategies, the 2021 RMSV marks a critical turning point that effectively nationalized China’s vulnerability research capabilities. Under the RMSV, any individual or organization in China that discovers a new flaw must report it to the Ministry of Industry and Information Technology (MIIT) within 48 hours. Crucially, researchers are prohibited from sharing technical details with third parties—especially foreign entities—or selling them before a patch is issued.

It is important to note that this mandate is not limited to Chinese-based software or hardware; it applies to any vulnerability discovered, as long as the discoverer is a Chinese-based organization or national. This effectively treats software vulnerabilities as a national strategic resource for China. By centralizing this data, the Chinese government ensures it has an early window into zero-day exploits before the global defensive community. 

For defenders, this means that by the time a vulnerability is public, there is a high probability it has already been analyzed and potentially weaponized within China’s state-aligned apparatus.

The Indigenous Kill Chain: Reconnaissance Beyond Shodan

Flashpoint analysts have observed that within this Walled Garden, traditional Western reconnaissance tools are losing their effectiveness. Chinese threat actors are utilizing an indigenous suite of cyberspace search engines that create a dangerous information asymmetry, allowing them to peer at defender infrastructure while shielding their own domestic base from Western scrutiny.

While Shodan remains the go-to resource for security teams, Flashpoint has seen Chinese threat actors favor three IoT search engines that offer them a massive home-field advantage:

• FOFA: Specializes in deep fingerprinting for middleware and Chinese-specific signatures, often indexing dorks for new vulnerabilities weeks before they appear in the West.
• Zoomai: Built for high-speed automation, offering APIs that integrate with AI systems to move from discovery to verified target in minutes.
• 360 Quake: Provides granular, real-time mapping through a CLI with an AI engine for complex asset portraits.

In the full session, we demonstrate exactly how Chinese operators use these tools to fuse reconnaissance and exploitation into a single, automated step—a capability most Western EDRs aren’t yet tuned to detect.

Building a State-Aligned Offensive Stack

Leveraging their knowledge of vulnerabilities and zero-day exploits, the illicit Chinese ecosystem is building tools designed to dismantle the specific technologies that power global corporate data centers and business hubs.

In the webinar, our analysts explain purpose-built cyber weapons designed to hunt VMware vCenter servers that support one-click shell uploads via vulnerabilities like Log4Shell. Beyond the initial exploit, Flashpoint highlights the rising use of Behinder (Ice Scorpion)—a sophisticated web shell management tool. Behinder has become a staple for Chinese operators because it encrypts command-and-control (C2) traffic, allowing attackers to evade conventional inspection and deep packet analytics.

Strengthen Your Defenses Against the Chinese Offensive Stack with Flashpoint

By understanding this “Walled Garden” architecture, defenders can move beyond generic signatures and begin to hunt for the specific TTPs—such as high-entropy C2 traffic and proprietary Chinese scanning patterns—that define the modern Chinese threat actor.

How can Flashpoint help? Flashpoint’s cyber threat intelligence platform cuts through the generic feed overload and delivers unrivaled primary-source data, AI-powered analysis, and expert human context.

Watch the on-demand webinar to learn more, or request a demo today.

Request a demo today.

Blogs

Blog

Flashpoint’s Top 5 Predictions for the 2026 Threat Landscape

Flashpoint’s forward-looking threat insights for security and executive teams, provides the strategic foresight needed to prepare for the convergence of AI, identity, and physical security threats in 2026.

As the global threat landscape accelerates its transformation, 2026 marks an inflection point requiring defensive strategies to fundamentally shift. The volatility observed in 2025 has paved the way for an era soon to be defined by AI-weaponized autonomy, information-stealing malware, systemic instability of public vulnerability systems, and the complete convergence of digital and physical risk.

Flashpoint offers a unique window into these complexities, providing organizations with the foresight needed to navigate what lies ahead. Drawing from Flashpoint’s leading intelligence and primary source collections, we highlight five key trends shaping the 2026 threat landscape. These insights aim to help organizations not only understand what’s next but also build the resilience needed to withstand and adapt to emerging challenges.

Prediction 1: Agentic AI Threats Will Weaponize Autonomy, Forcing a New Defensive Standard

2026 will see continued evolution of AI threats, with future attacks centering on autonomy and integration. Across the deep and dark web, Flashpoint is observing threat actors move past experimentation and into operational use of illegal AI. 

As attackers train custom fraud-tuned LLMs (Large Language Models) and multilingual phishing tools directly on illicit data, these AI models will become more capable. The criminal intent shaping their misuse will also become more sophisticated. Additionally, 2026 will see a greater marketplace for paid jailbreaking communities and synthetic media kits for KYC (Know Your Customer) bypass.

These advancements are enabling criminals to move beyond simple tools and engage in scaled, autonomous fraud operations, leading to two major shifts:

1. Agentic AI is becoming the true flashpoint: Threat actors will be using agentic systems to automate reconnaissance, generate synthetic identities, and iterate on fraud playbooks in near real-time. In this SaaS ecosystem, AI will help attackers leverage subscription tiers and customer feedback loops at scale.
2. The attack surface will shift to focus on AI Integrations: Organizations are increasingly plugging LLMs into live data streams, internal tools, identity systems, and autonomous agents. This practice often lacks the same security vetting, access controls, and monitoring applied to other enterprise systems. As such, attackers will heavily target these integrations, such as APIs, plugins, and system connections, rather than the models themselves.

“The ubiquity of automation has dramatically increased attack tempo, leaving many security teams behind the curve. While automation can replace repetitive tasks across the enterprise, organizations must not make the critical mistake of substituting human judgement for AI at the intelligence level.

This is paramount because a critical threat in 2026 is Agentic AI autonomy weaponized against soft targets—API integrations and identity systems. The only winning defense will be human-led and AI-scaled, prioritizing purposeful use to keep organizations ahead of this exponential risk.”

Josh Lefkowitz, CEO at Flashpoint

These evolving AI threats will force a fundamental shift in defensive strategies. Defenders will have to shift to deploying systems around AI rather than trust them on their own.

Prediction 2: Identity Compromise via Infostealers Will Become the Foundation of Every Attack

Infostealers will become the entry point, the data broker, the reconnaissance layer, and the fuel for everything that comes after a cyberattack. This shift is already in motion and is accelerating rapidly: in just the first half of 2025, infostealers were responsible for 1.8 billion stolen credentials, an 800% spike from the start of the year. However, 2026 will redefine the malware’s role, making its most valuable output being access, rather than disruption.

Infostealers will become the upstream event that powers the rest of the attack chain. Identity and session data will be increasingly targeted, since it gives attackers immediate access into victim environments. Ransomware, fraud, data theft, and extortion will simply be downstream ways to monetize.

This upstream approach defines the new reality of the attack chain, which is already operational. Nearly every major stealer strain Flashpoint observes now exfiltrates the following:

• Autofill PII (personable identifiable information)
• Saved addresses
• Phone numbers
• Internal URLs
• Browsing history
• Cloud app tokens

An organization’s attack surface is no longer just composed of their own networks. It is the entire digital identity of their employees and partners. This new reality requires security teams to take a new approach. Instead of attempting to block attacks, they must proactively detect compromised credentials before they are weaponized. This will be the difference between reacting to a data breach and preventing one.

“The infostealer economy has fully industrialized the attack chain, making initial compromise a low-cost commodity. Multiple security incidents in 2025 tie back to credentials found in infostealer logs. This reality has underscored the critical importance of digital trust—specifically, verifying who can access what resources. For 2026, identity is the perimeter to watch, and security teams must proactively hunt for compromised credentials before they’re weaponized.”

Ian Gray, Vice President of Intelligence at Flashpoint

Prediction 3: CVE Volatility Will Force Redundancy in Vulnerability Intelligence

The temporary funding crisis at CVE in April 2025 and the subsequent CISA stopgap extension through March 2026 exposed the systemic fragility of a centralized vulnerability intelligence model. With the future of the CVE/NVD system hanging in the balance, 2026 will be defined by the urgent need for redundancy and diversification in vulnerability intelligence.

In today’s vulnerability intelligence ecosystem, nearly every organization’s vulnerability management framework relies on CVE and NVD—including its “alternatives” such as the EUVD (European Union Vulnerability Database). The CVE system has grown into a critical global cybersecurity utility, relied upon by nearly all vulnerability scanners, SIEM platforms, patch management tools, threat intelligence feeds, and compliance reports. A complete shutdown of CVE would result in a widespread loss of institutional infrastructure.

The next generation of security needs to be built on practices that are resilient, diversified, and intelligence-driven. It should be focused on providing insights that can be used to take action such as threat actor behavior, likelihood of exploitation in the wild, relevance to ransomware campaigns, and business context. Security teams will need to leverage a comprehensive source of vulnerability intelligence such as Flashpoint’s VulnDB that provides full coverage for CVE, while also cataloging more than 100,000 vulnerabilities missed by CVE and NVD.

Prediction 4: Executive Protection Will Remain a Critical Challenge as Cyber-Physical Threats Converge

The continued blurring of lines between cyber, physical, and geopolitical threats will elevate the risk to organizational leadership, turning executive protection into a holistic intelligence function in 2026. The rise of information warfare combined with physical world convergence means the threat to key personnel is no longer purely digital.

In the aftermath of the tragic December 2024 assassination of United Healthcare’s CEO, Flashpoint has seen the continued circulation and glorification of “wanted-style posters” of executives in extremist communities. Additionally, Flashpoint has seen nation-state actors participate, using espionage and influence to target high-value individuals.
Organizations must adopt an integrated approach that connects insights from threat actor chatter and a wealth of other OSINT sources. This fusion of intelligence is essential for applying frameworks to ensure the safety of leadership and key personnel.

Prediction 5: Extortion Shifts to Identity-Based Supply Chain Risk

2025 was marked by several large-scale extortion campaigns, demonstrating how the threat landscape is rapidly evolving. Ransomware operations have shifted into a straight extortion play. Flashpoint has observed a surge in new entrants to the ransomware market, accompanied by a decline in the quality and decorum of ransomware groups.

Furthermore, vishing campaigns attributed to “Scattered Spider” have highlighted weaknesses in identity, trust, and verification. Campaigns from “Scattered LAPSUS$ Hunters” have also exposed vulnerabilities in third-party integrations. These attacks culminated in extortion, showcasing that modern attacks will target trusted users and trusted applications for initial access, and will forgo ransomware in place of data access.

As this shift continues into 2026, threat actors will increasingly focus their efforts on exploiting human behavior and identity systems. Instead of attempting to spend resources on breaking network perimeters, attackers will instead socially engineer employees to gain access to corporate systems at scale. This change in TTPs will undoubtedly greatly increase supply chain risk, especially for third parties.

Charting a Path Through an Evolving Threat Landscape with Flashpoint Intelligence

These five predictions highlight the transformative trends shaping the future of cybersecurity and threat intelligence. Staying ahead of these challenges demands more than just reactive measures—it requires actionable intelligence, strategic foresight, and cross-sector collaboration. By embracing these principles and investing in proactive security strategies, organizations can not only mitigate risks but also seize opportunities to enhance their resilience.

As the threat landscape continues to rapidly evolve, staying informed and prepared are critical components of risk mitigation. With the right tools, insights, and partnerships, security teams can navigate the complexities ahead and safeguard what matters most.

Request a demo.

Blogs

Blog

Qakbot Takedown: A Brief Victory in the Fight Against Resilient Malware

Prior botnet takedowns like Emotet and TrickBot have shown that sophisticated malware operations, like Qakbot, can often rebuild infrastructure and return from disruptions in new forms

Qakbot takedown and seizure

A global law enforcement operation has successfully disrupted the infrastructure of the Qakbot botnet, striking a major—though likely temporary—blow to a dominant player in the cybercriminal underground supply chain. 

Qakbot, familiarly Qbot, has been a major cyber threat since 2007, infecting victims’ computers to steal financial information and distribute additional malware payloads like ransomware. As a result of the takedown, more than 700,000 infected devices worldwide were identified and cleaned of the malware. The DOJ also announced the seizure of $8.6M in cryptocurrency in illicit profits.

While there is no doubt that the Qakbot takedown is a major win in the fight against cybercrime, it may only provide short-term relief in the fight against a notoriously resilient cybercriminal ecosystem.

‘Swiss Army knife’

A Swiss Army knife of cybercrime tools, Qakbot was a complex malware that opened remote access to victims’ systems, stole credentials and financial information, and downloaded additional malware payloads. Its modular architecture enabled frequent updates to add new capabilities over its 15+ years of operation.

“The collaborative endeavors of these authoritative bodies exemplify the power of a comprehensive, multi-agency approach, designed to maximize its impact..”

Ian Gray, VP Of Intelligence

Qakbot has been a versatile workhorse for cybercriminals. Its banking trojan functionality has been used to pilfer payment information and intercept financial transactions. As a loader, it distributed ransomware such as ProLock to extort victims.

Qakbot has also powered large-scale spam email campaigns and brute force attacks. Its worm-like spreading kept it entrenched in infected networks. By providing the backdoor access and distribution channel for other malware, Qakbot played a key supporting role in the cybercrime ecosystem. Botnets like Emotet and TrickBot operated similarly, loading additional threats onto compromised systems. These jack-of-all-trades botnets have proven lucrative for their criminal operators.

A history of temporary relief

Prior botnet takedowns like Emotet and TrickBot have shown that sophisticated malware operations can often rebuild infrastructure and return from disruptions in new forms.

In the case of Emotet, the botnet came back online in 2022 using new techniques after its infrastructure was dismantled in 2021. TrickBot also persisted despite takedown attempts and remains an active threat. This resiliency highlights the challenges law enforcement faces in permanently eliminating cyber threats.

While takedowns temporarily degrade capabilities, dedicated cybercriminal groups adapt to avoid further disruption. New malware families also inevitably emerge to fill the gaps left by larger takedowns. For example, BazarLoader and ZLoader rose to prominence as loader malware after the Emotet takedown.

Yet despite their disruptions, resilient botnets often return and new ones emerge. After prior actions against Emotet and TrickBot, the lingering demand in underground markets brought them back in adapted new forms. Bots remain attractive tools for cybercriminals thanks to their versatility, automation, and money generating potential.

While Qakbot’s infrastructure was disrupted, its operators may attempt to rebuild or evolve their techniques. Sustained pressure on botnet financial flows, developer communities, and other aspects of the cybercrime supply chain is needed to deter future attacks. For now, the coordinated Qakbot takedown bought time and degraded the capabilities of a dominant cybercrime player.

The fight against cybercrime must be persistent and comprehensive

The Qakbot takedown was effectively coordinated among global governments, including France, Germany, Latvia, Romania, the Netherlands, the UK, and the US, as well as the private sector. The collaborative endeavors of these authoritative bodies exemplify the power of a comprehensive, multi-agency approach, designed to maximize its impact.

Law enforcement and the private sector should to continue coordinating takedowns while also focusing on detecting new malware variants early, disrupting communication channels, and following the money trails of criminal enterprises.

Cyber hygiene and threat awareness across organizations must also improve to reduce vulnerability to malware infections, including loaders and trojans that distribute threats like Qakbot. Technical controls like endpoint detection, network monitoring, and patching are also key.

Ultimately, defeating cybercrime requires comprehensive strategy across law enforcement operations, cybersecurity practices, and international collaboration. The Qakbot takedown represents meaningful progress, but the world must remain vigilant against an adaptable threat landscape.

Get Flashpoint on your side

Flashpoint Ignite enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.

Request a demo today.

Blogs

Blog

Lost in Transition: A Timeline of Failed Successors to Breach and Raid Forums

The legacy of Raid, Breach, and their ‘successors’ provides an important lens into how data breach communities function and the real-life implications of the information they traffic

Race to the bottom

Starting June 24, 2023, visitors to the former domain of Raid Forums were greeted by the avatar of arrested administrator “pompompurin” in tiny handcuffs—an unprecedented trolling of sorts by authorities. 

Pompompurin, whose real name is Conor Brian Fitzpatrick, became a highly reputable threat actor on the now-defunct top-tier hacking forum Raid Forums and upon its shutdown, founded Breach Forums. Breach Forums continued the legacy of Raid Forums, both as a fixture among the data breach communities and as a law enforcement target. 

The founder and administrator of Raid Forums, Diogo Santos Coelho (aka “omnipotent), was arrested on January 31, 2022. Fitzpatrick, who has been operating on English- and Russian-language forums under the pompompurin moniker since at least October 2020, was arrested by federal agents on March 15, 2023.

Now, both Raid Forums and Breach Forums are no more. And ever since their seizures, other threat actors, some of whom were involved in the Breach and Raid, have attempted to continue their legacies in the purpose and services they provide. But it has thus far been a race to the bottom. 

Insight into the illicit spaces where cyber threat actors operate is vital to any threat intelligence operation. The legacy of Raid, Breach, and their “successors” provides an important lens into how data breach communities function and the real-life implications of the information they traffic. 

Timeline

Here is a summary of the recent events that we have observed within cybercriminal communities related, in some way, to Breach Forums and its legacy as a popular home for threat actors. 

• March 17, 2023: Breach Forums administrator “baphomet” decides to shut down the forum following the March 15 arrest of administrator pompompurin. The Washington Post included Flashpoint analysis in its March 22 coverage on the end of Breach Forums.

• March 29, 2023: PwnedForum, an identically formatted clone of Breach Forums, launches and quickly gains users and shares compromised data. The forum’s creator, “Sinistery,” solicited forum administrators and developers to volunteer to operate the site. 
• However, the forum was quickly shut down on April 4, 2023, following a disagreement between Sinistery and forum administrators. A message attempting to sell PwnedForum was briefly advertised on the website before closing. One of the forum’s former main administrators, “Frost,” stated that they were working on a new forum separate from PwnedForum, though they did not provide a timeline.

• May 29, 2023: “Impotent,” the forum administrator Exposed, leaks the database of 478,870 Raid Forums users.

• June 4, 2023: PwnedForums posted on Telegram that the notorious leak collective, ShinyHunters, is launching a forum with former Breach Forums admins.
• Also on June 4, a user posted an advertisement for the Exposed forum, calling it the “new” Breach Forums and inviting the Russian hacktivist collective Killnet to join the forum.

• June 12, 2023: ShinyHunters launches a new forum called Breach Forums—eponymous by name only.

• That very same day, Exposed Forums shut down. Its founders, “Impotent” and “Purism,” share that they will no longer support the development of Exposed Forums while cautioning against using the new Breach Forums due to operational security concerns.

• June 18, 2023: Breach Forums is hacked, and the data breach exposes the personal information of over 4,000 registered members.
• OnniForums, which appears to have launched in April 2023, took responsibility for the attack. It also claimed to have breached the forum Exposed, using a zero-day vulnerability in the open source forum software MyBB. The data leak included login keys, usernames, email addresses, IP addresses, password hashes, registration dates, members’ last visits and posts, number of posts, last activity, and social media handles with profile links.

• June 24, 2023: The user database of DarkForums, a relatively new and unknown forum, is breached and leaked, joining the ranks of Raid Forums and the new Breach Forums. 

Though it is difficult to assess if any of these forums will sufficiently fill the void of the data breach communities that Raid Forums provided, threat actors continue to start new darknet venues—a perpetual cycle that shows the resiliency of illicit communities and forums, despite law enforcement, in-fighting, and the adversarial nature of these communities that lends itself to, well, data breaches. Though there may not be a centralized venue for data breaches, it will not be for a lack of trying … even if it means leaking the databases of their competitors.

Get Flashpoint on your side

Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.

Request a demo today.

Blogs

Blog

Lessons From Clop: Combating Ransomware and Cyber Extortion Events

Recent attacks from Clop emphasize the importance of implementing an organization-wide ransomware and cyber extortion strategy, from preparedness to detection and isolation

Lessons from Clop

It’s been one month since the Clop ransomware group began exploiting the MOVEit vulnerability (CVE-2023-34362 (VulnDB ID: 322555) to claim nearly 100 victims across the globe, many of which have come public. This attack comes on the heels of Clop leveraging the GoAnywhere MFT vulnerability (CVE-2023-0669), which led them to claim they’d illegally obtained information for more than 100 companies.

When a ransomware or cyber extortion event occurs, security teams are racing against the clock:

• What do we know about the cybercriminal group that’s claiming responsibility for an attack or double extortion?
• Is our organization affected? If so, what is the extent of the breach and its impact on our systems, networks, people, and data?
• How do we respond to and mitigate the situation?

These questions are of vital importance to organizations across the public and private sectors. And the recent Clop attacks—which affected organizations across the globe in nearly every vertical—are yet another example of why it’s vital to have proactive defense measures in place.

Targeting upstream data providers

First, it’s vital to have a deep understanding of the adversary, such as a RaaS (ransomware-as-a-service) group like Clop. Here are five ways that ransomware groups like Clop attack targets, as well as the threat vectors they seen to exploit:

1. Supply chain attacks. As illustrated through MOVEit, Clop often targets upstream software vendors or service providers so that it can cast a wide net. A number of the known Clop victims are companies who were attacked via a third-party vendor. Attackers like Clop may exploit vulnerabilities in the communication or data exchange between these companies, or compromise the software or hardware components supplied by third-party providers to inject malicious code or backdoors.
2. Cloud Service Providers (CSP). If a cloud service provider experiences a security breach, it can potentially impact third parties that utilize their cloud services in several ways. Clop successfully breached a cloud service provider, giving them potential access to highly sensitive information.
3. Managed Service Providers (MSPs), who inherently have access to clients’ IT infrastructure, are also a lucrative target for ransomware groups like Clop as they service a multitude of businesses. 
4. Software vulnerabilities are common, as ransomware groups often exploit known vulnerabilities in widely used software. Here, Clop exploited MOVEit, a file transfer software used by organizations globally, to install a malicious web shell called LEMURLOOT.
5. Zero-days. Ransomware groups may also exploit zero-day vulnerabilities, or previously unknown security flaws, in software leveraged by a wide range of organizations.  

Putting vulnerabilities into context

CLOP’s use of the MOVEit and GoAnywhere MFT vulnerabilities provide us with two recent high-profile examples of the power and impact of the group’s attacks—as well as the damage they can have on victims. 

It also shines a bright light onto the level of information and context that CTI analysts and vulnerability management teams require in order to better prioritize and take action on the vulnerabilities likely to be used in ransomware and other attacks. 

Tools such as Flashpoint’s VulnDB can unpack vulnerabilities like MOVEit in order to provide practitioners with access to real-time, comprehensive information so that they can understand the scope of the incident and develop effective response strategies to make faster, informed decisions and mitigate the attack. 

This includes information about 300,000 vulnerabilities, including thousands not listed in the public source, as well as robust metadata and numerous prioritization and prediction metrics, including:

• a CVSS score
• social risk score
• EPSS score
• ransomware likelihood score
• supplemental information on which versions of software may be affected

Furthermore, when equipped with this context, vulnerability practitioners should be able to gain an active understanding of how the software, services, and other third-party assets they use are affected.

Alerting for faster awareness and remediation

Speed is crucial when responding to or setting up defenses for a ransomware or cyber extortion event. In order to stay current on known exploits and better understand potential organization risks, vulnerability managers, analysts, and researchers should be able to set up customizable, automated ransomware alerts of leaked assets as a result of an extortion incident, and gain insight into the extent of exposure and damage. 

The combination of threat intelligence and vulnerability intelligence is a powerful weapon against adversaries. For instance, when a ransomware event occurs, vulnerability practitioners should be able to easily raise their awareness levels by using a robust alerting system. From there, they can quickly drill down into supplemental information to identify if exploits are being shared, see which threat actors are discussing the vulnerability across all illicit and open-source communities (forums, chats, ransomware sites, paste sites, blogs, social media, e.g.), and better assess the risk.

Understanding incidents as they unfold

Gaining continuous intelligence and context on ransomware attacks is vital throughout an attack, which often extends for weeks in the public sphere (and undoubtedly longer behind closed doors). It is therefore important to ensure that your organization is being provided with an active understanding of the situation as it unfolds in real-time—beyond vulnerability intelligence.

Flashpoint’s Intelligence Team, for example, delivers to customers incident pages and regular updates that communicate the most important details of an extortion event in progress. This includes background and assessments of the vulnerability, status updates with timelines, known victims, change logs, and intelligence that contributes to a more holistic understanding of a risk and informs decision-making.

Managed attribution for investigations

A managed attribution solution allows intelligence teams to shift from defense to offense by enabling security teams to safely and anonymously conduct investigations. Analysts will often access or download files from a ransomware blog to verify if their organization was impacted in the incident. While doing so, it’s vital to protect and keep your organization safe via a secure research environment that is isolated from analyst browsers, computers and network infrastructure. Flashpoint’s Managed Attribution solution allows security teams to interact with files, conduct online investigations, and browse safely without risk to their organization.   

Ransomware response and readiness

To quickly assess, contain, and mitigate the impact of such incidents, it is crucial for organizations to have robust risk management practices in place. This includes conducting thorough due diligence when selecting third-party vendors, assessing their security practices, actively monitoring their security posture, and implementing contractual obligations and security controls to protect the company’s interests. 

Additionally, it’s crucial to have incident response plans in place in order to respond effectively and recover from security breaches.In the event that an organization is impacted by ransomware, having a well-practiced incident response plan can greatly minimize damages. This includes: 

• Creating an Incident Response playbook
• Holding mandatory training sessions for employees
• Enabling staff members to proactively thwart attacks

Ransomware and cyber extortion events are undoubtedly stressful and challenging, but there are practical and proven ways to lessen that burden to reduce risk across your organization. To learn more about how Flashpoint empowers security teams to prevent and respond to ransomware attacks, contact us, sign up for a free trial, or watch this video to understand the top ways to prevent a ransomware attack at your organization.

Request a demo today.

Blogs

Blog

Risk Intelligence Index: Cyber Threat Landscape by the Numbers

Flashpoint’s monthly look at the cyber risk ecosystem affecting organizations around the world, including intelligence, news, data, and analysis about ransomware, vulnerabilities, insider threats, and takedowns of illicit forums and shops.

Ransomware

Flashpoint’s latest ransomware infographic paints a sobering picture of the evolving threat landscape, as cybercriminals employ increasingly sophisticated—and effective—tactics. Last month, our analysts observed a total of 397 ransomware attacks.

Key takeaways for the state of ransomware

• Organizations in the United States bore the brunt of ransomware attacks, accounting for a staggering 211 incidents—a 66 percent increase compared to last month.
• The top three industries targeted by ransomware were Professional Services, Internet Software & Services, and Construction & Engineering.
• Clop ransomware has emerged as one of the most active ransomware groups, securing the second spot in March’s top 10 ranking. Last month, Clop garnered attention by exploiting a remote code execution vulnerability—allegedly enabling them to acquire data from over 100 organizations, although they only disclosed a few victim names on their blog.

Vulnerabilities

According to our intelligence, 2,245 new vulnerabilities were reported in March, with 379 of them being missed by the Common Vulnerabilities and Exposures (CVE) and National Vulnerability Database (NVD).

Key takeaways for the state of vulnerability intelligence

• Approximately 34 percent of March’s disclosed vulnerabilities are rated as high-to-critical in severity, which if exploited, could pose a significant risk to an organization’s security posture.
• Over 78 percent of March’s vulnerabilities are remotely exploitable, meaning that if threat actors are able to leverage these issues, they can execute malicious code no matter where the device is located.
• Nearly 29 percent of March’s vulnerabilities already have a documented public exploit, which drastically lessens the difficulty to exploit.
• Vulnerability Management teams can potentially lessen workloads by nearly 88 percent by first focusing on actionable, high severity vulnerabilities—i.e., vulnerabilities that are remotely exploitable, that have a public exploit, and a viable solution; 253 of March’s vulnerabilities meet this criteria.

Insider Threat

The tactic of recruiting insiders has become immensely popular amongst threat actors aiming to breach systems and/or commit ransomware attacks.

In March, our analysts collected 5,586 posts advertising insider services—both from threat actors seeking insiders and malicious employees offering their services. Of those, 1,127 were unique posts from individuals in illicit and underground communities.

Key takeaways for the state of insider threat intelligence

• In March, Flashpoint tracked 5,586 posts related to insider threats activity—both from threat actors attempting to solicit insider-facilitated access and from disgruntled employees offering their services. Of the total, 1,127 were unique postings.

• At this time, the Telecom industry is the most targeted sector, followed by Financial and Retail.

• Looking into the state of insider threats further, Flashpoint found that the majority of insider threat related postings originated from inside the organization with malicious insiders offering their services. Most of this activity came from the Telecom sector. 

Takedowns

In March 2023, there were numerous takedowns, voluntary shutdowns, and arrests affecting ransomware, markets, account shops, card shops, and individual cybercriminals. Here are the high-profile takedowns.

Breach Forums

On March 21, 2023, mid-tier hacking forum Breach Forums was shut down following the arrest of its administrator, Conor Brian Fitzpatrick (aka “pompompurin”), six days prior.

Read the court doc here.

Worldwiredlabs

On March 3, a US Magistrate Judge issued a seizure warrant for Worldwiredlabs[.]com, a domain used by cybercriminals to sell malware, including remote access trojan (RAT) “NetWire,” which is capable of targeting and infecting major computer operating systems.

On March 7, an international law enforcement effort led to the seizure of Worldwiredlabs. The FBI had begun its investigation in 2020, and uncovered that it was the only known online distributor of NetWire.

Read the court doc here.

Get best-in-class intel

The following data is derived from the Flashpoint Intelligence Platform and VulnDB, the most comprehensive and timely source of vulnerability intelligence available. Sign up for a free trial today.

Request a demo today.