
The Lumma Stealer InfoStealer: The Details

Original article published December 2023. Update May 22nd 2025: The FBI has seized user panels and other Lumma C2 infrastructure. As of now, we don’t see the Lumma info-stealer disappearing from the arena. Our team is on guard to check and analyze the changes. This case shares similarities with the so-called seizure of infrastructure of the RedLine and Meta info stealers in October 2024 by the FBI, DOJ, Dutch authorities, etc.

External Exposure: Navigating Risk for the Multi-National Enterprise

The bigger your business, the larger the attack surface you often need to secure. That’s why multi-national enterprises typically face a different set of cyber security priorities than SMBs. Here’s another, less often discussed factor that can complicate security and risk management: whether your company is a multiple entity or a single entity.

Implementing Dark Web Monitoring: A Step-by-Step Guide for Businesses

Effective ‘dark web monitoring’ is essential for modern businesses. This intelligence practice goes beyond traditional dark web forums, actively scanning the deep web, open web, and social media platforms. It uncovers threats and risks wherever cyber criminals operate – from hidden marketplaces to public social channels – providing crucial visibility into your external threat landscape.

Top Attack Surface Management (ASM) Software Solutions to Watch in 2025

Organizations are increasingly recognizing that threats can emerge from various external-facing assets, including web applications, cloud infrastructure, APIs, and even shadow IT. This necessitates a robust Attack Surface Management (ASM) strategy, supported by specialized software solutions.

BreachForums The Latest Updates

Originally published May 15th 2024. Updated April 29th 2025. On May 15, 2024, the FBI and DOJ, working alongside international partners like the NCA and New Zealand Police, took control of one of the major dark web forums, BreachForums. This action came shortly after a significant data leak from the Europol portal surfaced on the forum. The site was then relaunched by ShinyHunters, but now appears to be offline again. Several copies/potential successors have emerged. See our analysis below.

Is SafePay Ransomware Safe?

SafePay is a newcomer to the ransomware landscape. Since its first published attack in October 2024, the group has attacked over 50 organizations worldwide. SafePay maintains a dark web blog and a presence on the TON network for victim communications. The group employs the increasingly common double extortion model, combining data encryption with the theft of sensitive information to pressure victims into payment.

Top 10 External Risk Management Software Solutions in 2025

Your organization’s attack surface extends far beyond your direct control. Exposed cloud assets, vulnerable APIs, and the security posture of your third-party vendors all introduce significant risks. Understanding and managing this external exposure is paramount. Effective External Risk Management (ERM) provides the critical visibility and intelligence needed to proactively address these threats.

Initial Access Brokers: The Hard Facts

Initial Access Brokers (IABs) are threat actors who infiltrate networks, systems, or organizations and sell this unauthorized access to other malicious actors. Instead of executing the entire cyber attack, IABs focus on the initial breach and monetize it by selling access to compromised systems. They assist ransomware operations, particularly RaaS schemes, by streamlining attacks and reducing workload at the start.

When It Comes To Website Takedowns, Speed Is Everything (well nearly ;))

Lookalike domains – meaning domains where threat actors host content designed to impersonate your business or brand – can be gravely harmful. “Look-alikes prey on users’ inattention to verifying legitimate websites, and sometimes rely on human mistakes, such as entering a typo in a URL, to capture victims,” as Dark Reading notes. The good news, however, is that lookalike domains can take some time to roll out fully.