This year, Flashpoint intelligence analysts worked with reporters at a wide variety of publications serving a variety of audiences across the private and public sectors. Their expertise—along with many of the 150 new blogs we published in 2022—was featured in The Wall Street Journal, Axios, The Washington Post, WIRED, The Financial Times, Bloomberg, Dark Reading, ThreatPost, Bleeping Computer, and many other news outlets, linked below, that produce the journalism you read daily.

We’ve organized a list of some of the most important Flashpoint blogs and press clippings from the year that was. Together, they illustrate Flashpoint’s intelligence, innovations, and impact in helping organizations tackle a wide variety of cyber and physical security challenges.

Contributing to the vulnerability intelligence landscape

Discovering new vulnerabilities

Amidst numerous reports by Federal cybersecurity agencies that Advanced Persistent Threats (APTs) were targeting vulnerable network routers and devices, our in-house vulnerability research team discovered two critical vulnerabilities affecting NetModule Router Software (SC Magazine).

Shedding light on newly disclosed zero-days and other critical vulnerabilities

2022 introduced many new vulnerabilities. However, when new issues catch the attention of the media or threat actors themselves, security teams often struggle to triage them—since actionable details are not often available yet in CVE, at time of its disclosure. As such, we made sure that we helped clear the air for several in-demand vulnerabilities such as SpringShell (VentureBeat), Text4Shell (The Hacker News), and the zero-days affecting Microsoft’s Exchange Server software (The Record).

Security teams that often struggle with their workloads need a comprehensive source of vulnerability intelligence. It is also paramount that organizations understand how CVE’s passive approach to vulnerability aggregation negatively impacts their teams:

Tracking illicit marketplaces and threat actor activity

Breach Forums

Earlier this year we observed that Raid Forums, a popular illicit online community notorious for its high-profile large-scale database leaks, was suddenly seized by an unknown identity. Raid Forums had run unimpeded since 2015, however, no official government agency or other cyber threat groups had claimed responsibility for shutting down the domain. Three weeks later, Breach Forums took Raid Forum’s place and is now poised to become its successor.

Follow the story on TechTarget, PC Magazine, and the Hacker News.

Alphabay

Before Alphabay’s shutdown in 2017, it was considered one of the most popular darknet marketplaces—selling a wide array of illicit and illegal goods and services. Now, it is back to its former glory with plans to innovate. One year after its reemergence, we laid out what we saw and what we believe will come next for Alphabay Market. Our Alphabay-related intelligence research was featured in WIRED, among other outlets.

Rarely has a dominant dark web market been busted by a law enforcement operation only to rise from the ashes and regain its top spot—a feat that may very soon be pulled off by AlphaBay, the once and future king of the contraband crypto-economy. https://t.co/GsdJMRug3s

— WIRED (@WIRED) June 6, 2022

LAPSUS$

APTs, threat actors, and ransomware groups have been quite prolific this year, but so have we—our analysts have been hard at work detailing their illicit activities.

“Many of LAPSUS$’s recruitment ads are written in both English and Portuguese. According to cyber intelligence firm Flashpoint, the bulk of the group’s victim (15 of them) have been in Latin America and Portugal.”

KrebsonSecurity

Among many threat actor groups, LAPSUS$ made serious headlines this year. Initially targeting Latin American and Portuguese organizations in 2021, LAPSUS$ has since broadened their scope, successfully breaching well-known organizations such as Nvidia, Microsoft, and Okta. Despite the sophistication of these attacks, there were rumors that the group was possibly led by, or had, teenagers in their ranks (Bloomberg)—a theory that Flashpoint analysts helped to corroborate.

On September 18, a threat actor named “teapotuberhacker” posted on an online forum claiming to have hacked Rockstar Games, the creator of the popular and controversial Grand Theft Auto (GTA) video game series. Our analysts quickly took note that several sources in monitored illicit channels had tied teapotuberhacker to the recent Uber hack, also stating that he was a member of LAPSUS$—and a minor. Read the aftermath of our findings by reading The CyberWire, The Hacker News, and ITWorldCanada’s follow-up stories.

Cyber meets kinetic: Russia’s invasion of Ukraine

Before Russian troops invaded Ukraine, there was a trail of cyber intelligence seemingly leading to a potential conflict. Two days before the war, US intelligence noted that Russia had gathered 190,000 soldiers along the Ukrainian border. At that time there were no visual signs of fighting between the two nations, our analysts observed that much of the “action” was taking place on the internet as both Ukrainian nationalists and Russian-aligned groups raced to recruit people for their causes—with cybercriminal groups also joining the fray.

“Researchers at threat intelligence group Flashpoint said they have tracked close to 50 hacking groups that had now joined the latest cyber efforts, with the majority supporting Ukraine and several financially motivated criminal groups, such as the Conti ransomware group, declaring allegiance to Russia.”

The Financial Times

When Russia declared war on Ukraine, we offered free access to our intelligence helping the countries and organizations who would be impacted by the crisis. The Cybersecurity Infrastructure and Security Agency (CISA) saw increased activity from Russian APTs, and in response President Biden announced the Shields Up campaign—further highlighting the need for detailed vulnerability intelligence. As the war continued we saw the Conti ransomware group declare their allegiance to Russia, in addition to other groups such as Killnet—who would partner together on “judgment day”—where they bombarded Lithuania with relentless DDoS attacks.

Lithuanian Internet services came under intense DDoS attacks yesterday as the pro-Russia group Killnet took credit, saying the attacks were retaliation over a recent shipment blockade.https://t.co/hY1phFsSeZ

— Ars Technica (@arstechnica) June 28, 2022

Our analysts are continually monitoring the crisis, and have observed the digital ripple effect that the war has had on Russia’s black market and its cybercriminal underground:

Excellent piece by András Tóth-Czifra @NoYardstick on the changing scene of Russian cyber crime.https://t.co/zwvHqm0J9M via @meduzaproject

— toomas ilves a.k.a. @[email protected] (@IlvesToomas) November 16, 2022

Since the war is ongoing, there will be more updates and more stories to cover. To keep up to date on Flashpoint’s coverage of the Ukraine-Russian war, bookmark our Timeline of Russia’s Invasion of Ukraine: Cyber and Physical Warfare post which is continually being updated with the latest news:

Stay informed with Flashpoint

There is something new happening everyday and the incessant noise can make it hard for security teams to protect their organizations effectively. Therefore, the analysts and writers at Flashpoint are dedicated in providing you details and updates for the most important threat-related current events you need to be aware of. To stay in-the-know, bookmark our Threat Intel Blog. Sign up for a free trial to gain access to Flashpoint’s best-in-class threat and vulnerability intelligence.