Content Category: Publications

Reports and advisories from the RedSense CTI team.

Understanding CISA’s Traffic Light Protocol: A Guide to Responsible Information Sharing

In an era dominated by digital information and cybersecurity threats, the importance of responsible information sharing cannot be overstated. The Cybersecurity and Infrastructure Security Agency (CISA) has endorsed a system known as the Traffic Light Protocol (TLP) to facilitate secure communication channels among industry stakeholders. This protocol provides a structured framework to enhance cooperation while ensuring that sensitive information remains protected.

Q1 2024 RedSense Threat Briefing

The Winter 2023-2024 RedSense Threat Briefing provides updates on threats and intelligence for the final months of 2023 and the early part of 2024. It covers key areas including visibility updates, the current overall instability across the threat landscape, the decline of ransomware, emerging attack methodologies, analyses of victim patterns, and updates on important CVEs. It also offers forecasts on threat trends for the remainder of 2024.

LockBit Story: A Three-Year Investigative Journey

LockBit, until its recent downfall, was a standout in the ransomware-as-a-service (RaaS) landscape, notably enduring the RaaS model crisis that saw the collapse of many other groups between 2021 and 2022. While these competitors faltered, LockBit survived and thrived into early 2024, showcasing remarkable resilience. RedSense’s extensive investigation into LockBit’s durability, grounded in SIGINT, telemetry analysis, forensics, incident reviews, and malware reversal, demystifies its resilience without succumbing to speculation.

Yearly Intel Trend Review: 2023

RedSense is excited to present our first “Yearly Intel Trend Review” for 2023! This is a summary review taken from our year-long project: The Ransomware APT White Paper—a 200-page body of cumulative research covering our five-year insights into ten top-tier ransomware groups serving as the backbone of today’s ransomware economy. The complete White Paper will be available for all RedSense customers in January 2024.

How Law Enforcement Actions Break Down Ransomware (featuring a Black Cat)

Early in the morning on Thursday, December 7th, my team at RedSense and I learned that a federal offensive was taking place against AlphV (aka BlackCat)’s infrastructure and had subsequently downed its servers. I share my personal thoughts on what long-term impacts a Law Enforcement Action (LEA) can have on the threat ecosystem at large.

November 2023 RedSense Threat Briefing

RedSense has released its November 2023 Threat Briefing. The summary published here constitutes a brief glimpse of the comprehensive insights available to our subscribers. The full report contains more extensive and detailed threat intelligence provided exclusively to our RedSense Advantage and RedSense As-a-Service clients on a regular basis.

Don’t Trust Your Ears

Vishing, a blend of “voice” and “phishing,” is a type of social engineering attack where scammers use phone calls to trick individuals into disclosing sensitive information. This technique can be particularly effective when the scammer impersonates a trusted authority, such as an IT support or service desk professional.

Your Phone May Be Lying to You

Smishing, a portmanteau of “SMS” and “phishing,” is a type of cyber attack where scammers use text messages to trick recipients into divulging personal information, financial details, or security credentials. Unlike traditional phishing, which primarily uses email, smishing exploits our reliance on smartphones, the general weakness of SMS security filters, and the perception that text messages are more trustworthy than emails.

Artificial Intelligence in Cybersecurity

The greatest irony of current technology is that threat actors around the world are using artificial intelligence to more convincingly impersonate humans. That’s right, ChatGPT – a machine! – is enabling malicious activity like email phishing attacks. One might wonder what commentary Alan Turing would offer on this development.

October 2023 RedSense Threat Briefing

We are publishing a summary of our RedSense Threat Briefing for October 2023. This summary is just a small sample of the information RedSense customers receive on a regular cadence in much greater detail as part of either RedSense Advantage or RedSense As-a-Service for Cyber Threat Intelligence.

Holidays Routine

Naughty or nice, there are a few things in cyber circuits that won’t change in this year’s Holiday Season. Threat actors are financially motivated, driven by human needs, and the holidays are expensive.

Advanced Adversary SSO Abuse

Low-and-slow Multi-Factor Authentication (MFA) exploitation abounds, as adversarial campaigns targeted exposed Single Sign-On (SSO) endpoints (e.g., Centralized Authentication Services) throughout August and September.

Healthcare Still Under Threat

Since early 2022, leading security industry experts have made broad estimations that ‘ransomware is on the decline’, but did they properly contextualize their data and findings? Given destabilization from the Russia-Ukraine conflict and tightening U.S. and EU law enforcement activities, ‘ransomware is on the decline’ proponents underestimate their adversaries’ motivations, resiliency, and abilities to support persistent criminal operations.

Ransomware is Dead, Long Live Ransomware!

It seems to be a common misconception in business today that ransomware is dead or dying. The perception is that we haven’t seen a huge daily deluge of new major businesses making eight-figure payments to prolific centralized operations in the way that they were over the last few years. Incidents like Medibank feel less common. This perception is inaccurate at best, and dangerous at worst.

VOIP Ecosystems: A Deep Dive

The methods enclosed in this write-up can be used for several different types of malicious activity, from call center support scams to generic vishing campaigns.

Silent No More

Red Sense routinely collaborates with industry and open-source researchers. We are honored to republish an article by Dissent Doe (@PogoWasRight).

Daixin Hits Healthcare

Over the last several months, Red Sense has observed the growing threat of Daixin Team, who have successfully targeted multiple U.S. healthcare victims.

Insights Into BlackBasta

BlackBasta is an active ransomware group staffed by former Conti members that began organizing in late 2021, following the dissolution of Conti’s centralized operations. Active operations were first observed in the spring and summer of 2022, and several TTP similarities carry forward from Conti to BlackBasta operations.

Insights Into Lionkebab

During the final week of June 2022, Red Sense adversary space operations acquired a large victim list relating to criminal activities centered around a recent Confluence 0-Day, CVE-2021-26084.