The public sector has been relatively untouched by financially motivated cybercriminals, with organizations within the sector primarily being the target of Advanced Persistent Threat (APT) groups conducting nation-state cyber activities. But times have changed, the ever increasing blurred line between nation-state and financially motivated cybercriminals. Global government organizations have become more vulnerable to a wide variety of cyberattacks.

Cobalt Strike is a suite of tools used by red teams in penetration testing tasks. This whitepaper examines the feature and functionality described on the official website of the suite is Cobalt Strike. Features included and described at the website are: Reconnaissance, Attack Packages, Spear-phishing, Post Exploitation, Covert Communication, Browser Pivoting, Reporting and Logging.

In May 2021, we observed and reported about 301 potential breach events from threat actors offering to sell unauthorized access to data, compromised networks or systems. There was minimal change in reported statistics from April 2021 to May 2021.

Cybercriminals consistently have shown the ability to adapt to changes in the underground threat landscape and evolving company security protocols with resiliency to increase the success rate of their nefarious activity and maximize profits. A growing trend in adaptive techniques we recently observed was the increase in cooperation between vendors of compromised access, access brokers, ransomware-as-a-service (RaaS) and affiliated ransomware operators unassociated with a group.

This report provides an overview of the role compromised access plays in the modern threat landscape and highlights the perceived increase in cooperation between the two underground services.

Financially motivated cybercrime observed on underground forums and marketplaces runs on a central understanding that all participants are in the business to make money. The means to achieve this goal vary with the different levels of sophistication or technical understanding required to conduct a specific type of attack. However, we continue to observe threat actors attempt different tactics, techniques and procedures (TTPs) against financial institutions and their information technology (IT) infrastructure to steal customer account information.

The Common Vulnerabilities and Exposures (CVE) Weaponization Report is a quick reference tool designed to assist patch prioritization and vulnerability management decision-making. This regularly updated report tracks the life cycle of significant vulnerabilities observed in the underground from initial disclosure to exploit weaponization and productization.