Author: DarkOwl Content Team

What are APIs?

June 06, 2024

Cybersecurity might as well have its own language. There are so many acronyms, terms and sayings that cybersecurity professionals and threat actors both use that, unless you are deeply knowledgeable, have experience in the security field or have a keen interest, you may not know them. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients, and your employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Earlier this month, we covered CVEs. In this edition, let’s dive into APIs.

Simply put, application programming interfaces (APIs) allow two software applications to communicate with each other: to make requests, receive responses, and exchange data. This is true for both mobile and web-based applications. APIs permit humans and machines to exchange, process, and use data according to defined rules and protocols. One of the important benefits is that APIs enable applications written in different programming languages, or running on different operating systems, to communicate and pass data easily.

While APIs run behind the scenes to let software communicate with other software, there are plenty of everyday examples of API use one might not be aware of. For instance, if a user logs into an account or service by opting to use their Google or a social media account (to avoid having to create a brand new account), that login flow uses API calls to exchange authentication information between the Google or social media account and the platform, giving the user a convenient and seamless login experience.

There are two primary designs for APIs: the Simple Object Access Protocol (SOAP) and Representational State Transfer (REST) approaches. While we will not dive deep into the technical aspects, the main takeaway is that SOAP is a very structured XML data format, while REST is more flexible and permits data exchange in multiple formats, such as JSON, plaintext, or XML. Being more flexible, REST can use the SOAP protocol, but the reverse is not true: SOAP cannot use a REST protocol. REST protocols are useful for mobile devices that use an API.

Here at DarkOwl, we allow for access to our platform via a curated User Interface (UI) as well as several API endpoints. The APIs enable our customers to use DarkOwl Vision data in their own software applications. You can view our product offerings here.

Unfortunately, while APIs automate and permit the quick transfer of large amounts of data, like so many facets of the cyber world, they are subject to malicious activity and attacks.

Malicious actors are focusing on APIs more and more, as APIs transmit large volumes of valuable information and data. Without proper security, including regular software updates, securing the multiple entry points that make an API work, and accounting for legacy APIs that can be overlooked and left unprotected, APIs can be subjected to malicious use. This is especially true because, in most cases, developers publish very detailed API documentation to support sanctioned API use. New and prospective customers are not the only ones who rely on that documentation to fine-tune their use of the API.

Actors can target APIs with several traditional types of attacks. This list is not exhaustive, but is provided as a high-level overview of the kinds of attacks directed against API infrastructure:

  • Distributed denial of service (DDoS) attacks, which would overwhelm an API and make its services unavailable to legitimate, paying customers.
  • Malicious actors can also brute-force API credentials to gain access, abuse the interface, and steal sensitive, proprietary or corporate information.
  • Machine-in-the-middle or attacker-in-the-middle (MITM or AITM, respectively) attacks, in which an actor intercepts and alters communications, permitting theft or manipulation of API data.
  • Procuring legitimate API keys, which are often accidentally exposed or otherwise compromised.

DarkOwl constantly observes actors discussing methods for API attacks at multiple layers of the tech stack, trading methods for having maximum impact, and selling possible API access to various organizations:

Figure 1: An actor on (now defunct) Breached Forums advertises possible methods to attack APIs at various levels of the tech stack; Source: DarkOwl Vision
Figure 2: A Discord server publishes materials, including a website, that specifically aids attackers in going after and attacking APIs; Source: DarkOwl Vision

Mitigating API attacks includes protection at multiple stages.

  • First, as with everything that involves data transfer, data must be encrypted both at rest and in transit. Role-based access control (RBAC) grants access only to explicitly approved applications and users, reducing the chance that an unintended individual gains unauthorized access.
  • APIs also have their own gateways, positioned between the client and the provided services. The gateway authenticates attempted access and enforces the rules and standards that govern it.
  • Finally, zero-trust models also apply to protecting APIs. Zero trust requires authentication of user rights on every request and is an effective way to catch a returning user who, behind the scenes, could be an imposter. In addition to the specific steps above, constant monitoring and vigilance are recommended, as APIs are a data-rich source and the technology is constantly changing.
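As an added example (not DarkOwl's code or any product's), the gateway, RBAC, per-request authentication and throttling controls listed above combined in one small policy layer. The key values, roles, paths and request shape are constructed for this illustration.

```python
"""Minimal API gateway policy layer: TLS-only, per-request authentication,
role-based authorization, and rate limiting against brute force and floods."""
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed sample policy: which roles may call which (method, path).
POLICY = {
    ("GET", "/v1/search"): {"reader", "admin"},
    ("POST", "/v1/search"): {"reader", "admin"},
    ("DELETE", "/v1/keys"): {"admin"},
}


def key_hash(api_key: str) -> str:
    """Store and compare only hashes, so a leaked key table is not a leaked key."""
    return hashlib.sha256(api_key.encode()).hexdigest()


# Constructed sample key store: hash of issued key -> role (placeholder values).
KEY_STORE = {
    key_hash("reader-key-PLACEHOLDER"): "reader",
    key_hash("admin-key-PLACEHOLDER"): "admin",
}


def make_request(api_key=None, method="GET", path="/v1/search",
                 scheme="https", client_ip="203.0.113.9"):
    """Build a request dict in the constructed shape this example uses."""
    return {"api_key": api_key, "method": method, "path": path,
            "scheme": scheme, "client_ip": client_ip}


class Gateway:
    def __init__(self, key_store, policy, rate_limit=5, auth_fail_limit=3,
                 window_s=60, clock=time.time):
        self.key_store = key_store
        self.policy = policy
        self.rate_limit = rate_limit          # calls per key per window
        self.auth_fail_limit = auth_fail_limit  # failed logins per source per window
        self.window_s = window_s
        self.clock = clock                    # injectable for deterministic tests
        self.calls = defaultdict(deque)          # key hash -> recent call times
        self.auth_failures = defaultdict(deque)  # client ip -> recent failures

    def _recent(self, q, now):
        """Drop events older than the window and return how many remain."""
        while q and now - q[0] >= self.window_s:
            q.popleft()
        return len(q)

    def _authenticate(self, presented):
        """Compare the presented key's hash against every stored hash in
        constant time; returns (digest, role) or (None, None)."""
        if not presented:
            return None, None
        digest = key_hash(presented)
        role = None
        for stored, stored_role in self.key_store.items():
            if hmac.compare_digest(digest, stored):
                role = stored_role
        return (digest, role) if role else (None, None)

    def handle(self, request):
        """Return (status, reason). Every call is re-checked; nothing is
        trusted because of where it comes from (zero-trust stance)."""
        now = self.clock()
        if request.get("scheme") != "https":
            return 403, "tls required"          # data in transit must be encrypted
        ip = request.get("client_ip", "?")
        # Throttling by source slows credential brute force; note that it also
        # affects legitimate callers sharing that source address.
        if self._recent(self.auth_failures[ip], now) >= self.auth_fail_limit:
            return 429, "auth throttled"
        digest, role = self._authenticate(request.get("api_key"))
        if role is None:
            self.auth_failures[ip].append(now)
            return 401, "bad key"
        allowed = self.policy.get((request["method"], request["path"]), set())
        if role not in allowed:
            return 403, "role not permitted"    # RBAC: explicit allow only
        if self._recent(self.calls[digest], now) >= self.rate_limit:
            return 429, "rate limit"            # caps per-key request volume
        self.calls[digest].append(now)
        return 200, "ok"


if __name__ == "__main__":
    gw = Gateway(KEY_STORE, POLICY)
    print(gw.handle(make_request("reader-key-PLACEHOLDER")))
    print(gw.handle(make_request("reader-key-PLACEHOLDER", method="DELETE", path="/v1/keys")))
```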

Contact DarkOwl today to learn more about our API access, as well as protection methods we suggest based on observing actor discourse and tactics live on the deep and dark web.

Rebrandly and DarkOwl Announce Domain Management Partnership

June 04, 2024

Industry leaders join forces to provide end-to-end domain threat intelligence to customers.

Rebrandly, the leader in branded link and domain management, and DarkOwl, the leader in darknet data and intelligence, are proud to announce a partnership that revolutionizes domain and link management services with comprehensive domain security and intelligence monitoring, powered by AI. Together, the companies set a new standard for domain and link management, leveraging their respective products and expertise.

As the volume and variety of threats to organizational domains proliferate—from phishing to ransomware to typosquatting—the need for total awareness of a domain’s use has become essential. Rebrandly’s branded link management platform, combined with DarkOwl’s unique and comprehensive database of domain intelligence and cyber threats, allows large enterprises, domain registrars, cloud service providers, and cybersecurity firms to effectively manage their domain portfolios in a holistic and secure manner. The aggregate power and innovative differentiation of Rebrandly and DarkOwl technology are what make this pioneering management, visibility, and ongoing monitoring possible.

Carla Bourque, CEO of Rebrandly, commented, “Security, brand protection, and trust are core to Rebrandly’s enterprise link management platform, and there is a natural synergy in our partnership with DarkOwl. Furthering our mission to make the internet safer for all, we’re proud to bring Rebrandly’s link-level abuse detection together with DarkOwl’s darknet threat intelligence in the industry’s first holistic domain security solution.”

“We are excited to partner with Rebrandly in this important and innovative endeavor”, said Mark Turnage, CEO of DarkOwl. “As threats grow, demand for secure domain management continues to be a request by our customers. This partnership offers the ability for organizations, agencies and companies to benefit from each of our companies’ best-of-breed platforms.”

About Rebrandly
Rebrandly is the market leader in enterprise link management solutions. Rebrandly’s customers include global enterprise businesses, developers, and agencies that prioritize brand protection and security. With a flexible API and real-time click analytics that integrate easily into existing workflows, many of today’s most innovative brands rely on Rebrandly to optimize performance with every link.

Founded in 2015, with headquarters in the United States, Italy, and Ireland, Rebrandly is a global company with diverse teams worldwide. The company is SOC 2 Type 2, GDPR, CCPA, and HIPAA compliant. Visit Rebrandly’s Trust Center for more information.

About DarkOwl
DarkOwl uses machine learning and human analysts to automatically, continuously, and anonymously collect, index and rank darknet, deep web, and high-risk surface net data, allowing for simplicity in searching. DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. For more information, visit www.darkowl.com.

Threat Intelligence RoundUp: May

June 03, 2024

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. LockBit ransomware admin identified, sanctioned in US, UK, Australia – Bleeping Computer

Dmitry Yuryevich Khoroshev, a Russian citizen, was revealed as the admin and developer of LockBit ransomware. Having earned approximately $100 million through the gang’s ransomware activity, Khoroshev is now subject to travel bans and his assets are frozen. His enjoyment of speaking to and granting interviews to media outlets and his high level of activity posting on Russian dark web forums also contribute to the totality of the picture of LockBit’s ransomware activity. Five other members of the gang were arrested and are pending trial. Full article here.

2. FBI warns of fake verification schemes targeting dating app users – Bleeping Computer

Malicious actors are using malicious links to lure dating app users to a (fake) website that proves they are not sex offenders. On this fake website, the user enters their email, phone, and other pieces of personal information to verify they are not a sex offender and prove this to the audience on the dating site. However, after this information is entered, the person is subject to a monthly fee that is charged on their credit card, and their other PII is sold in criminal operations on dark web markets, as well as in certain cases, on Telegram. Read more.

3. Ascension redirects ambulances after suspected ransomware attack – Bleeping Computer

In another example of the digital realm having a physical impact, US-based Ascension healthcare had to change the destination hospital for several ambulances when a ransomware attack impacted their systems. The incident also caused clinical treatment disruption, such as delaying medical tests and medication orders, as well as system outages. No group has publicly claimed this incident as of the time of this writing. Article here.

4. US Post Office phishing sites get as much traffic as the real one – Bleeping Computer

Further emphasizing the usefulness and success of typo- and combo-squatting, researchers observed that websites impersonating the official US Postal Service website get as much web traffic as the actual website, and during holiday periods the fake websites receive more web traffic than the official one. Combined with SMS messages carrying “package unable to be delivered” themed lures that often link to a malicious website, the fraud targeting the USPS is sophisticated and expected to remain elevated. Read article.

5. Chinese hackers hide on military and govt networks for 6 years – Bleeping Computer

A new threat actor attributed to China, “Unfading Sea Haze,” has been hiding on military and government networks in the South China Sea for the past six years. Their primary goals are both espionage and intel collection, and their tools appear to overlap with APT41. The group uses spear-phishing to begin their attacks, and sends documents laced with LNK files that will execute a PowerShell script under the right circumstances. They also use a custom keylogger named “xkeylog” as well as some GhostRAT malware variants. Full article here.

6. A Russian Influence Campaign Is Exploiting College Campus Protests – Wired

In what has become a normal operation for Russian intel operatives, the Kremlin is using Telegram, bot farms, and other social media platforms such as X (formerly Twitter) to increase division in US society. Doppelganger, a well-known, Kremlin-aligned group of actors, uses its vast botnet network to pass links that contain fake news about real world events to global publications, including Le Monde and other European news networks, as well as news outlets in the United States. Full article.

7. Owner of Incognito dark web drugs market arrested in New York – Bleeping Computer

Continuing the trend of actor arrests and online market/malicious operation takedowns, this week witnessed the arrest of Incognito Market operator Rui-Siang Lin. Lin was arrested in New York City for his oversight and operation of the popular drug market, which had over 200,000 customers who purchased all types of narcotics. Read more.

8. US charges two brothers with novel $25 million cryptocurrency heist – Reuters

Two MIT students who are also brothers stole $25 million in Ethereum in 12 seconds in an attack that calls into question the very integrity of blockchain technology. The actors gained access to pending transactions by fraudulent means and altered the movements of Ethereum cryptocurrency. The brothers had experimented with manipulating protocols in the months leading up to the theft, using a software vulnerability. Read here.

Small businesses and home internet users often use open-source HTTP and HTTPS proxy servers for their internet access. Cisco warned of a new flaw, tracked as CVE-2023-49606, a remote code execution issue triggered by incorrectly handled HTTP headers. This could allow actors to access freed memory. Censys also confirmed approximately 90,000 internet-exposed Tinyproxy services, over half of which were subject to the aforementioned CVE. Read more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

DarkOwl RSA Conference Recap: The Art of Possible

May 31, 2024

RSA Conference in San Francisco, this year held May 6-9, is one of the biggest and most anticipated cybersecurity events of the year. The DarkOwl team plans for and looks forward to RSA each year: to see friendly and new faces alike, hear the latest trends, news and innovations in cybersecurity, share our latest product updates and offerings, and of course have some fun around San Francisco. This year, the team had a booth on the show floor, a private meeting space around the corner from Moscone Center to hold one-to-one meetings with prospects, partners, press, and clients, and, for the first year ever, hosted a party with several of our customers and partners on Tuesday night!

“The Art of Possible”

The RSA Conference slogan, “Where the World Talks Security” is the perfect quick elevator pitch for what happens each year at RSA – thousands of security professionals from around the globe gather together to hear and discuss new and leading perspectives, innovation and best practices. The most memorable RSA moments can be found on their website here.

The theme of RSA this year was “The Art of Possible.” Dr. Hugh Thompson, Executive Chairman of RSAC and Program Committee Chair, described the theme in his keynote speech as “a phrase that, on the one hand, is meant to inspire hope, but it also serves as a warning. We should never underestimate what is possible by our adversaries.” It is a great point, as over 40,000 cybersecurity professionals from 130 countries around the globe gather at RSA.

DarkOwl Highlights

Representing the DarkOwl team, we had several executive team members, sales reps, customer success managers, and analysts present, manning the booth and holding private one-to-one meetings. Of note, DarkOwl Chief Business Officer, Alison Halland, shared, “Great week of seeing new and friendly faces alike – tons of great conversations, especially at the booth which a welcomed change of pace – not just attendees looking for some freebies, but genuinely interested in what DarkOwl has to offer.” Magnus Svärd, Director of Strategic Partnerships, echoed that sentiment, “RSA this year was the busiest yet with a higher number of meetings compared to previous years. The names of the companies were top tier visiting the booth.”

Big shoutout to all our customers and partners that stopped by the booth to say hi, see the latest updates and provide feedback. These face-to-face conversations are invaluable to us as we work towards making darknet data relevant, actionable, and digestible for all our clients!

Showcasing Customers and Partners

This year, we were happy to host several sessions at our booth, highlighting the work that we do with different customers. We hosted OSINT Combine, Silobreaker, Authentic8 and Datastreamer. This was a great way to showcase how we work together. Below, we briefly summarize how DarkOwl works with each of these companies.

This collaboration empowers OSINT Combine’s clients with access to DarkOwl’s extensive darknet database, bolstering their open-source intelligence capabilities and enabling them to address complex operational requirements more effectively through training, software solutions, and consulting services. Read more.

DarkOwl’s robust darknet data enables our customer, Silobreaker, to provide their customers enriched monitoring of deep, dark web and dark web adjacent sites to help identify risk at scale and drive better decision-making. Use Case here.

This partnership brings together the advanced technologies and expertise of both Authentic8 and DarkOwl to address the escalating challenges posed by cyber threats. By combining DarkOwl’s comprehensive darknet database and monitoring capabilities with Authentic8’s Silo cloud browser, which is known for its secure browsing environment, organizations will gain unprecedented visibility and protection against cyber threats surfacing on the darknet. Read more.

With Datastreamer and DarkOwl’s combined solution, organizations can integrate dark web data without in-house engineering teams needing to maintain complex data pipelines. Furthermore, analysts can broaden coverage by merging additional web data including TikTok, Threads, news, forums and more. Previously raw unstructured data is federated for analysts to perform queries and real-time surveillance as easily as they would with structured data. Learn more.

Product Highlights

Ahead of RSA, the team put together several product highlights and updates to share on the show floor. Below, we outline a few of them, but a full blog of Q1 product highlights can be found here and a summary 1-Pager here. Curious about how any of these can help your use case? Contact us!

Last quarter the team released “Direct to Darknet” within Vision UI in partnership with Authentic8, a leading provider of cloud-based secure browsing solutions. This feature allows users to further investigate Vision UI search results on forums, marketplaces, and other Onion sites. This can be helpful for an investigation to view the original website, view images or advertisements that may be on the sites, take a screenshot for reporting, and more. By combining DarkOwl’s comprehensive darknet database and monitoring capabilities with Authentic8’s Silo cloud browser, which is known for its secure browsing environment, organizations will gain unprecedented visibility and protection against cyber threats surfacing on the darknet.

Last quarter showed tremendous growth in data collection. The team had 5% growth quarter over quarter in added Tor documents, 27% growth in I2P documents, 31% growth in ZeroNet documents, 15% growth in records from Telegram, to highlight a few.

On Tuesday night, for the first time, DarkOwl hosted a happy hour after the show floor closed… and what a fun night! We’d like to extend a huge thank you to our co-sponsors, Doppel, OSINT Combine, and Socialgist. From networking with net new prospects, current customers, partners and everything in between, it was a great event and we hope that everyone who attended enjoyed their evening. If you didn’t get an invite this year, make sure to ask for an invite next year! We would love to see you and look forward to hosting again!


Didn’t get a chance to meet with our executive team at RSA? Contact us to set up some time to chat!

Engineering Insights into Information Stealers

May 28, 2024

In December of 2023, DarkOwl analysts released a blog answering the burning question of “What are Stealer Logs?”. In another piece, DarkOwl analysts presented an overview of the different types of Information Stealers (Info Stealers) that are sold on the Darknet.

Now, DarkOwl would like to shed some light on info stealers from an engineering perspective, to further explore the functionality, specific behaviors, and technical characteristics of this sophisticated form of credential theft.

Info Stealers infiltrate systems and compromise data primarily through social engineering attacks. Common tactics include but are not limited to:

  • Phishing Emails
  • Malicious Websites
  • Exploiting Software Vulnerabilities
  • Remote Access Trojans (RATs)
  • Removable Media Attacks
  • Drive-by-Downloads

Info stealers are very sophisticated forms of malware, and the complexity of their modular architecture often allows them to go undetected even by anti-virus software. While each type of info stealer varies in its level of refinement, as they are still relatively new but rapidly evolving, this review focuses on generalizing key elements commonly found in info stealers. Info stealers are known for their evasion techniques and for targeting what people want to protect: their private information, credentials, and financial data.

Part of what makes info stealers so sophisticated is their complex modular architecture. A simplified overview of that architecture includes the following key elements:

  1. Core Engine Module
  2. Communication Module
  3. Data Collection Module
  4. Encryption Module
  5. Exfiltration Module
  6. Evasion Module

To understand what each of these modules is and its function within an info stealer, we will review each term and look at a very basic version of the complex code used to design an Information Stealer.

Core Engine Module

This serves as the central intelligence hub of the info stealer and manages its functionality. The core engine drives tasks such as the initialization and configuration of all the other modules, coordinating their actions. It also initializes the malware, establishes communication with the command and control (C2) server and houses the execution code for the other five modules.

Below are the parts of a basic sample of what the Core Engine code could look like:

  • Keylogger – provides a basic framework for logging keystrokes
  • log_keystroke – this captures and logs keystrokes
  • save_logs – method used to save and send the logged keystrokes to a remote server
  • start_logging – acts as a place holder for when to start the keylogging process

Communication Module

This establishes and maintains communication with the C2 server, handles sending/receiving commands, transmission of stolen data, and maintains a covert channel of communications. Generally, this module will have some form of encryption in place to prevent the interception of the data that is being stolen as well as protecting the location of where the stolen data is being sent.

Below are the parts of a basic Communication Module sample that demonstrates part of the module’s functionality:

  • request – this library is used to send an HTTP request to the C2 server
  • send_request – sends a POST request to the C2 server’s URL and returns the JSON response
  • handshake – initiates communication with the C2 server, sending information about the malware version, system architecture and the installation ID
  • execute_command – simulates the execution of commands received from the C2 server
  • exfiltrate_data – simulates the exfiltration of the stolen data

Data Collections Module

The responsibility of this module is to identify and harvest the data the threat actor is after once the system has been infected. The Data Collections Module can house a large array of submodules for the specific forms of data the threat actor wants to collect. Common forms of data such as PII, financial data, device information, geolocation, and personal photos would each require their own submodule to identify. In addition to the targeted data, the Data Collections Module also collects from numerous other sources such as browsers, system files, and apps installed on the device.

Below are the parts of a basic example that demonstrates the structure and functionality of the Data Collections Module often found in info stealers:

  • keystroklogger – mentioned above in the core engine module
  • NetworkMonitor – captures network traffic (a placeholder) and sends it to a remote server.
  • DataExfiltration – mentioned above in the core engine module
  • if __name__ == "__main__": – creates an instance of each of the three submodules and starts separate threads to run their respective functions concurrently

Encryption Module

This provides the cryptographic functionality and encryption keys used to communicate with the C2 server. Ironically, strong encryption algorithms (AES) are used to prevent interception of, or “unauthorized” access to, the data that is being stolen. Only instead of protecting the device owner from the threat actor, it protects the threat actor from the device owner and the authorities, and helps keep the info stealer from being detected.

Below are the parts of an example of one type of AES usage often found in info stealers:

  • EncryptionModule – methods for encrypting/decrypting data using the AES algorithm
  • encrypt_data – takes plaintext data, encrypts it using AES, and outputs the ciphertext as a base64-encoded string
  • decrypt_data – does the reverse of “encrypt_data”
  • if __name__ == "__main__": – generates a random encryption key

Exfiltration Module

This module handles the transmission of the stolen data once it has been encrypted. The Exfiltration Module formats the encrypted data into messages and sends them through the communications channel established by the Communication Module. This module often includes contingencies for network interruptions, failed transmissions, and bandwidth issues.

Below are the parts of an example of the type of code that could be used in the Exfiltration Module:

  • ExfiltrationModule – a class that provides a method to send the stolen data to the remote server
  • send_data – takes the stolen data as input and sends it to the designated server URL
  • if __name__ == "__main__": – creates an instance of the exfiltration module with the URL of the remote server
  • data_to_exfiltrate – the stolen data that is sent to the remote server

Evasion Module

Just as it sounds, this final module is responsible for the evasion tactics used to avoid detection by software and humans. Some common evasion techniques include polymorphism, obfuscation, and anti-debugging to hide the malware. This module acts as a chameleon, continually adapting and evolving to remain under the radar. It is highly scalable and adaptable to various environments and target systems, but below is a simple example of what the code could look like.

  • EvasionModule – defines the methods for simulating normal user activity while detecting virtualization/sandboxing and analysis tools
  • simulate_normal_activity – mimics typical user behavior by opening files, browsing websites, or launching apps to hide amongst legitimate activity
  • detect_virtualization AND detect_analysis_tools – check for signs of virtualization/sandboxing and the presence of analysis tools
  • evade_detection – continuously runs the evasion checks
  • if __name__ == "__main__": – the EvasionModule class is instantiated, and the evade_detection method is called to start the evasion process.

There is no doubt about it: information stealers are a formidable threat to cybersecurity on multiple levels. Info Stealers are engineered to stealthily execute malicious intent. By studying their architecture, functionality, and technical characteristics from an engineering perspective, cybersecurity analysts can gain a deeper understanding of how to create effective countermeasures and robust detection strategies.
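As an added example from the detection side (not DarkOwl's code or any stealer's), the Communication, Encryption and Exfiltration modules described above leave a recognisable footprint: periodic POSTs to one host carrying base64 strings that decode to high-entropy, ciphertext-like bytes. The script below runs two heuristics for that footprint over a constructed proxy log; the log format, hostnames and addresses are assumptions for this illustration.

```python
"""Heuristics for stealer-style C2 traffic in web proxy logs:
(1) POST bodies that are base64 of high-entropy (encrypted) data, and
(2) a client calling one host at near-constant intervals (beaconing)."""
import base64
import math
import re
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed log format (an assumption for this example, not any product's):
#   <epoch_seconds> <client_ip> <method> <url> <status> <body>
# where <body> is the request body with whitespace removed, or "-" if empty.
LOG_RE = re.compile(r"^(\d+) (\S+) (GET|POST|PUT) (\S+) (\d{3}) (\S+)$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: AES output approaches 8.0, text usually sits around 4-5."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_encrypted_blob(body: str, min_len: int = 64, min_entropy: float = 6.0) -> bool:
    """True for base64 text whose decoded bytes look like ciphertext."""
    if len(body) < min_len or not B64_RE.match(body):
        return False
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return shannon_entropy(raw) >= min_entropy


def parse_log(lines):
    """Yield (ts, client_ip, method, host, status, body) for well-formed lines."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, ip, method, url, status, body = m.groups()
            yield int(ts), ip, method, urlparse(url).netloc, int(status), body


def find_beacons(events, min_hits: int = 4, max_jitter: float = 0.15):
    """Flag (client, host, interval) where gaps between calls barely vary."""
    times = defaultdict(list)
    for ts, ip, _method, host, _status, _body in events:
        times[(ip, host)].append(ts)
    beacons = []
    for (ip, host), stamps in times.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((ip, host, round(avg)))
    return beacons


def find_blob_posts(events):
    """Flag (client, host) for each POST whose body looks like ciphertext."""
    return [(ip, host) for _ts, ip, method, host, _status, body in events
            if method == "POST" and is_encrypted_blob(body)]


def analyze(lines):
    events = list(parse_log(lines))
    return {"beacons": find_beacons(events), "blob_posts": find_blob_posts(events)}


# Constructed sample traffic: 10.0.0.7 posts ciphertext-like bodies to one host
# about every 60 s (one attempt fails with 503), mixed with ordinary browsing.
SAMPLE_CIPHERTEXT = base64.b64encode(bytes(range(256))).decode()  # stand-in for AES output
SAMPLE_BENIGN_B64 = base64.b64encode(b"hello world " * 20).decode()  # low-entropy upload
SAMPLE_LOG = [
    "1000 10.0.0.5 GET https://intranet.example/home 200 -",
    f"1000 10.0.0.7 POST https://api.update-check.test/gate 200 {SAMPLE_CIPHERTEXT}",
    f"1060 10.0.0.7 POST https://api.update-check.test/gate 200 {SAMPLE_CIPHERTEXT}",
    "1100 10.0.0.5 POST https://intranet.example/login 200 user=alice",
    f"1121 10.0.0.7 POST https://api.update-check.test/gate 503 {SAMPLE_CIPHERTEXT}",
    f"1180 10.0.0.7 POST https://api.update-check.test/gate 200 {SAMPLE_CIPHERTEXT}",
    f"1300 10.0.0.5 POST https://files.example/upload 200 {SAMPLE_BENIGN_B64}",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Both heuristics are starting points for triage, not proof: legitimate software updaters also beacon, and large file uploads can be high-entropy, so findings should be joined with host reputation and endpoint telemetry before acting.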


Questions? Contact us!

Privacy Bypass WebTunnel

May 23, 2024

Internet censorship is arguably a critical threat facing freedom of expression and access to information today. This is especially true for countries where access to information is restricted by governments or other controlling entities. For many countries around the world, controlling entities use various tools, techniques, and technology in order to control and restrict access to certain websites and publicly available content. The Tor Project’s response to such targeted censorship is WebTunnel.

In this blog, DarkOwl analysts summarize WebTunnel (not to be confused with TORTunnel): what it is, how it is implemented, and the impacts it has.

Image 1: Source: Tor Blog

Released March 12th, 2024, WebTunnel is a bridge developed by the Tor Project that allows users to bypass censorship by disguising Tor traffic to mimic ordinary encrypted web traffic. Essentially, WebTunnel helps users evade censorship by hiding traffic in plain sight. The bridge tunnels TOR traffic by wrapping the TOR connection in a WebSocket-like HTTPS connection, making the traffic more difficult for censorship tools, techniques, and technology to detect and block. The Tor Project designed WebTunnel to be easy to use and simple to deploy.

Key Features:

  • HTTPS Tunneling:
    • Uses HTTPS tunneling to mimic ‘normal’ HTTPS traffic
  • Obfuscation:
    • Uses obfuscation techniques to disguise Tor traffic
  • User-Friendly Interface:
    • Designed to be user-friendly and easy to use

Configuring a TOR browser to use the new WebTunnel feature is easy. Users simply navigate to the TOR Project bridges resource from any browser, select “webtunnel”, and copy the provided line. The user then simply opens the TOR browser, selects “add a bridge manually”, pastes the copied line, and restarts the browser. No further modifications or configurations are required. 

Tor provides individuals with a means to protect and obfuscate online privacy and anonymity, enabling users to browse internet connected resources without potentially revealing personal or location data. WebTunnel has the potential to significantly impact censorship evasion by providing users with an easier, more effective and reliable means to access restricted content. 

The availability of features like WebTunnel impacts corporate security and further extends the corporate risk surface. Corporate security policies and technology often lock down networks and devices to protect the organization. Anonymity driven tools and features often allows users to bypass corporate defenses to browse the totality of the internet both good and bad. While it’s fair to assess most users using privacy-driven tools to bypass corporate security policies, technology, and controls are likely not doing it out of spite or hostility towards the organization, these users often lack the guidance and information on why these tools and features should not be used to bypass corporate defenses.

Educate users on the risks that bypass tools expose the organization to and why such tools are not permitted inside the corporate environment or on corporate devices. Help staff understand the potential impact and outcome. Tor is neither good nor bad until a user assigns it an action. Encourage staff to include the security of the organization in their decisions.
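From the defender's side, the property that makes WebTunnel effective, a long-lived WebSocket session inside ordinary HTTPS, is also the only shape there is to look for. The Python below is an added example written for this article, not Tor Project code. It assumes an egress proxy that terminates TLS and logs the HTTP Upgrade header (without TLS inspection the Upgrade is invisible), a constructed and simplified log format, and an assumed allowlist of hosts where WebSocket sessions are expected; it flags long-lived WebSocket sessions to hosts outside the allowlist. This is a heuristic: WebTunnel is built to look exactly like legitimate WebSocket traffic, so expect false positives from collaboration and streaming services, and treat hits as leads for the endpoint controls and user education discussed above rather than as proof.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumed corporate allowlist: hosts where long-lived WebSocket sessions are
# expected (collaboration tools). A real deployment would take this from the
# proxy policy rather than hard-code it.
ALLOWLIST: Set[str] = {"teams.microsoft.com", "slack.com"}

# Tor keeps its bridge connection open for the whole session, so a WebSocket
# that lives only seconds is unlikely to be a WebTunnel bridge. The threshold
# is an assumption; tune it for the environment.
MIN_DURATION_S = 600

# Constructed sample proxy log (not from any real proxy). The field order is an
# assumption for this example:
# epoch client_ip dest_host dest_port duration_s bytes_out bytes_in upgrade
SAMPLE_LOG = """\
1718000000 10.1.2.3 teams.microsoft.com 443 3600 2200000 2400000 websocket
1718000010 10.1.2.3 www.example.com 443 2 1500 48000 -
1718000020 10.1.2.4 cdn-front.example.net 443 5400 1800000 1700000 websocket
1718000030 10.1.2.5 slack.com 443 900 40000 60000 websocket
1718000040 10.1.2.6 updates.example.org 443 30 2000 9000000 -
1718000050 10.1.2.7 static.example.net 443 45 800 12000 websocket
"""


@dataclass(frozen=True)
class Conn:
    ts: int
    client: str
    host: str
    port: int
    duration_s: int
    bytes_out: int
    bytes_in: int
    upgrade: Optional[str]  # value of the HTTP Upgrade header, if any


def parse_log(text: str) -> List[Conn]:
    """Parse the constructed log format above into Conn records."""
    conns: List[Conn] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split()
        if len(f) != 8:
            raise ValueError(f"malformed log line: {line!r}")
        conns.append(Conn(
            ts=int(f[0]), client=f[1], host=f[2], port=int(f[3]),
            duration_s=int(f[4]), bytes_out=int(f[5]), bytes_in=int(f[6]),
            upgrade=None if f[7] == "-" else f[7].lower(),
        ))
    return conns


def suspicious_tunnels(conns, allowlist=ALLOWLIST, min_duration_s=MIN_DURATION_S) -> List[Conn]:
    """Flag WebTunnel-shaped sessions: HTTPS, WebSocket upgrade, long-lived,
    to a host not on the allowlist. Short sessions and allowlisted hosts are
    dropped to keep the alert volume manageable."""
    return [
        c for c in conns
        if c.port == 443
        and c.upgrade == "websocket"
        and c.host not in allowlist
        and c.duration_s >= min_duration_s
    ]


def report(conns) -> List[str]:
    """One human-readable line per hit, suitable for a SIEM event or a ticket."""
    return [
        f"{c.client} -> {c.host}:{c.port} websocket open {c.duration_s}s "
        f"({c.bytes_out} B out / {c.bytes_in} B in)"
        for c in suspicious_tunnels(conns)
    ]


if __name__ == "__main__":
    for line in report(parse_log(SAMPLE_LOG)):
        print(line)
```

Run against the constructed log, only the 90-minute WebSocket session to the non-allowlisted host is reported; the two collaboration hosts and the short sessions are suppressed. Lowering the duration threshold or emptying the allowlist shows how quickly the rule becomes noisy, which is the point: this signal is worth having, but it is not a substitute for controlling what runs on the endpoint.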


Don’t miss any updates or research from DarkOwl. Register for email.

ISIS Activity on Messaging Apps

May 21, 2024

The Islamic extremist group known as ISIS (Islamic State of Iraq and Al-Sham) or IS (Islamic State), a designated terrorist organization, came to prominence in 2014 when, having formed from al-Qaeda-linked groups, it declared itself a caliphate and occupied territory in Iraq and Syria. IS is a transnational Islamic extremist movement that today has more widespread support in parts of Africa and Asia than at the time of its formation. The group has been responsible for, and has inspired, terrorist attacks throughout the world, killing and injuring thousands.

Figure 1: ISIS Flag 

The group has remained active and strengthened despite losing most of its territory in 2019 and receiving less attention in Western media headlines. It has continued to operate in a clandestine fashion and maintains operations in Iraq, Syria, Africa, Asia, and Europe.

When Hamas attacked Israel on October 7, 2023, IS saw an opportunity to increase its exposure and began pushing propaganda toward more mainstream media outlets. Although the two groups are not affiliated, they share some common ideals. Western intelligence chiefs have warned that the threat from Islamic extremists is increasing.

In this blog, DarkOwl analysts review recent terrorist attacks by IS and the group's activity on Telegram and Rocket.Chat.

In March 2024, the IS-affiliated group Islamic State Khorasan Province (ISKP) claimed responsibility for a deadly attack in Moscow. This came after it had conducted two bombings in Iran in January. The attack in Moscow targeted a concert venue, as had previously occurred at the Bataclan in Paris in 2015 and the Manchester Arena bombing in the United Kingdom in 2017, highlighting a continued modus operandi.

Lone wolf attacks have also been reported. In October 2023, an individual claiming to be a member of IS shot dead two Swedish football fans in Brussels, reportedly in response to the burning of the Quran in Sweden.

France raised its domestic threat level after a suspected Islamic extremist stabbed and killed a teacher and wounded three others at a school in the north of the country in October 2023. Authorities stated at the time that they believed this attack was linked to the Hamas attack on Israel. In response, France deployed 7,000 soldiers. The terror alert remains at its highest level in France, having been raised again after the attacks in Moscow. As France prepares to host the Summer Olympics, and recently hosted the UEFA cup final, it is a prime target for IS attacks.

Figure 2: Propaganda released by ISIS on Rocket.Chat and other chat applications, highlighting its recent “successful” attacks

DarkOwl analysts have also observed IS propaganda that boasts about recent “successful” attacks. A staple of the group's weekly productions since 2016, the poster named “Harvest of the Soldiers” details the numbers killed and injured, property damaged, and vehicles destroyed. The most recent publication identified by DarkOwl analysts on a Rocket.Chat server claimed 39 operations in a single week.

DarkOwl analysts regularly monitor Telegram and other messaging apps for extremist activity, identifying new channels and monitoring for threats. In addition to Telegram, DarkOwl has identified extremist channels on Rocket.Chat and on a newer platform known as TeleGuard. These channels are mainly used to spread propaganda and radicalize new members rather than to plan operations and attacks.

Telegram 

IS accounts are regularly banned from Telegram. This followed pressure from countries that claimed Telegram was a breeding ground for terrorist activity; it is, however, one of the few topics that Telegram bans, with users regularly discussing criminal and right-wing extremist activity. Telegram is diligent in removing IS-linked channels, which are often shut down shortly after their creation. There are also channels on Telegram which purport to “hunt” IS-related channels, presumably reporting them to Telegram for removal as they are discovered.

Despite this, Telegram channels reportedly controlled by IS members for disseminating propaganda continue to appear. DarkOwl analysts have observed invites to these channels being shared on other messaging apps that are not so quick to remove accounts allegedly associated with IS.  

While they struggle with Telegram, this religious extremist group seems to have found a haven on Rocket.Chat. Rocket.Chat is a messaging platform founded in 2015. It describes itself as a fully open-source communications platform developed for organizations to enable team communication and discussion with other companies and customers, with privacy and security top of mind. Because it is open source and can be self-hosted, anyone can run their own Rocket.Chat server, so there is no single operator able to ban a community the way Telegram removes channels.

However, other users have also adopted this platform, including IS, which uses it to communicate securely. The group runs multiple channels within a server for different topics, some read-only and others in which users can chat together. Images, PDFs, and MP4s are commonly shared depicting recent operations, violent attacks, and other propaganda messages.

DarkOwl is increasing its coverage of this messaging platform to ensure that we are able to identify any threats being discussed.

TeleGuard 

DarkOwl analysts recently identified a relatively new messaging app which is also being used by ISIS-affiliated users to share propaganda and communicate.

TeleGuard is a messaging platform developed in Switzerland that claims to be built with privacy in mind. The developers state that all transmitted data is encrypted, that data is stored in Switzerland, that no telephone number is needed to register, and that no user identification data is collected. These anonymity features make the platform very attractive to those wishing to communicate about nefarious topics.

Figure 5: Official ISIS server on TeleGuard 

DarkOwl analysts were recently invited to the above channel linked to ISIS. We will continue to monitor for new and emerging threats using this messaging platform.  

As messaging apps become more focused on privacy and security, often encrypting all messages, they will continue to be a popular vehicle for terrorists and criminals to communicate. As some apps become more discerning about what may be shared on their systems, actors will move to other apps which are more sympathetic to their cause or simply do not care what information is shared.

In early April 2024, through monitoring of IS-affiliated Telegram and Rocket.Chat channels and servers, DarkOwl analysts identified posts calling for lone wolf attacks at the UEFA Champions League quarterfinal matches, which were to take place between April 9 and April 17, 2024.

Five images were identified, shared across Telegram channels and Rocket.Chat servers that pledge both official and unofficial support for the Islamic State. These images call for Islamic State supporters to target the four stadiums hosting the UEFA Champions League quarterfinals in Madrid, Paris, and London.

Figures 6 and 7: Images naming the stadiums to be targeted 

More information was provided in another image which gave individuals instructions on how they should target the stadiums. The below image suggests potentially targeting the three entrances of the Emirates Stadium in London, England.  

Figure 8: Image encouraging lone wolf IS sympathizers to strike the 3 entrances at Emirates Stadium in London

A further post aimed to invoke sympathy for the cause of the Islamic State and to “recreate the glory of the 2015 Paris” attack. Rhetoric of this kind heightens the threat to France, given previous attacks and upcoming events. It is a common tactic to evoke previous attacks and the “martyrs” they claim are associated with them.  

Figure 9: Image encouraging sympathizers to target the Parc des Princes in Paris

Meanwhile, another post also called for IS supporters to target these gatherings with IEDs (Improvised Explosive Devices) and “decoy devices,” again providing followers with ideas for how they could successfully target the event. These are tactics that could also be used at other events in the future.  

Figure 10: Image encouraging sympathizers to target Santiago Bernabeu in Madrid 

Fortunately, no attacks occurred at the quarterfinal matches or the subsequent semifinals. The final is due to take place on June 1 in London, England. Our analyst team continues to closely monitor ISIS, primarily on Rocket.Chat, for any further threats or calls to arms, and will post any updates on our social channels, LinkedIn and X.

It is assessed that the threats against the UEFA quarterfinals were an attempt to obtain media headlines and to cause panic in the West. Analysts expect similar lone wolf calls to arms to emerge and increase as the 2024 Summer Olympics in Paris approach. France remains on high alert.

Counterterrorism experts have noted that IS does not always announce its targets. For instance, Moscow was not highlighted as a target before the attack, although Western intelligence agencies did warn Moscow of a heightened risk. The appeal to target the Champions League appears more like a propaganda exercise, likely motivated in part by a desire to cause fear and spark a reaction from the West. However, these threats should not be underestimated, and caution is advised: lone wolf actors have been incited to violence by these groups in the past, and the lone wolf attacker is usually one of the harder targets for law enforcement to intercept.

Recent events have highlighted that IS and its affiliates remain active and deadly. While they continue to conduct attacks in many countries, it is important to monitor their communications to identify potential threats and targets, so that organizations can be on alert.



The Rise and Fall of BreachForums… For Now?

Updated: May 30, 2024

As we reported last week, the popular data-sharing dark web forum BreachForums was seized by law enforcement. At the time of writing, one of the clearnet mirrors was still up and pointing to a new Telegram channel promising that the site would be back soon.

By May 23, BreachForums was back with a new onion address; the administrators, ShinyHunters, announced the new site on Telegram. Initially only those who had previously held an account were able to enter. Whereas its predecessor had many open areas, the new site required users to log in before any information could be viewed. However, a few days later registration was opened.

Many in the community have speculated that this new site is a law enforcement honeypot and are avoiding it. However, ShinyHunters have been posting large leaks from well-known organizations such as Ticketmaster, which some have speculated is intended to renew interest in the site.

Others have decided to start their own site. The well-known threat actor USDoD, who often posted on the now-seized BF, announced via Twitter that he would be launching his own site, called Breach Nation, in early July.

DarkOwl analysts will continue to monitor both the new version of BreachForums and any new sites which pop up to replace it.  


May 16, 2024

At around 8am Pacific time on May 15, 2024, BreachForums (BF), the infamous dark web marketplace known for trading in stolen data, was seized by the FBI. The FBI declared that the site had been seized in conjunction with international law enforcement partners. It also announced that it had taken control of Telegram channels linked to one of the administrators, Baphomet.

Figure 1: Seizure notice on BF 05/15/24 

However, this is not the first time this site has been subject to law enforcement action: both of its predecessors were seized.

BreachForums is the third in a line of dark web forums set up to trade in stolen data. Threat actors would upload data relating to companies, usually stolen through hacking activity but also obtained through scraping and unintentionally open access. The site was also used to sell access, with initial access brokers selling access to corporate networks for large sums of money. Other services were available as well, along with things like stealer logs and malware.

Figure 2: RaidForums Seizure Notice 

The site which began this model was RaidForums, which emerged in 2015 and quickly became one of the largest sites dealing in stolen data. The site was live until 2022, when its owner and administrator, known as Omnipotent, was arrested and charged with six criminal counts. Omnipotent turned out to be a 21-year-old Portuguese national living in London named Diogo Santos Coelho, who continues to fight extradition to the US for prosecution. Ironically, it was possible to identify Coelho's true identity using the very breach data he facilitated on his site.

Not long after the seizure of RaidForums, an actor known as Pompompurin, who had been active on the site, created a new forum, which he named BreachForums, to fill the gap left by Raid. However, the site did not operate for long: Pompompurin was arrested in March 2023 and a few months later the site was seized. The seizure notice included the avatar used by Pompompurin, highlighting that he was a target of the investigation and, likely, how investigators had gained access to the site's backend. In the affidavit, the FBI also confirmed that it had access to the BreachForums site.

Figure 3: BreachForum seizure notice June 2023 

Pompompurin was exposed as Connor Brian Fitzpatrick, a 20-year-old from New York State. He pleaded guilty to hacking and child pornography possession and was sentenced to 20 years of supervised release.

Pompompurin's co-administrator of Breached, known as Baphomet, took control of the domain(s) in the period after Fitzpatrick's arrest; however, after a short time he shut down the site, claiming the FBI had access and it was not safe to use. A lot of back and forth between actors and across domains ensued, with warnings not to trust new forums and leaks of BF user data being circulated. Telegram was used heavily to communicate about the arrest and the possibility of a new site. Baphomet did later bring back the forum, reportedly partnering with a group known as ShinyHunters, well known for selling stolen data they claimed to have obtained. Many in the community speculated that the new site was a LE (law enforcement) honeypot, but users continued to use it.

The latest iteration of BreachForums had been operating since mid-2023, run by Baphomet. As well as administering the forum, he maintained several Telegram channels relating to it, including one used to upload stolen data that was freely available to viewers of the channel.

Although the site was active for just under a year before it was seized, some very high-profile breaches were leaked there in that time, including AT&T, 23andMe and T-Mobile. DarkOwl analysts have collected over 100 leaks from this site in the last year.

One actor who has been very active on the site in recent weeks, and who was also a moderator, is known as IntelBroker, who claims to be part of a hacking collective known as “CyberNi**ers” (redacted for sensitivity reasons). He has claimed access to data from corporations such as Hilton and Dell, and to government systems including the DOD, Canada and the United Arab Emirates. As recently as May 15, he posted on BF claiming to have access to an aerospace and defense company; the site was seized shortly after.

Figure 4: Source: DarkOwl Vision

Last week he claimed to have data stolen from Europol, specifically the EC3 group. Europol confirmed the data was theirs, although it stipulated that no sensitive information was stolen. Some in the community have speculated that the release of this information is what led to law enforcement taking action against the site.

At the same time the BF site was seized, a message was posted on a Telegram channel controlled by Baphomet stating that it was now under the control of the FBI. The same was true of a second channel also in his control. The post encouraged subscribers to report any information they had to the FBI through a dedicated Telegram channel. DarkOwl analysts observed actors claiming that they had contacted the FBI and received a response, although it is unclear whether they shared any content of value.

Figure 5: Baphomet Telegram channel under control of the FBI

This marks one of the first times the FBI has appeared to take action on the Telegram platform. Given the way the message was posted, the FBI presumably obtained credentials that allowed it to control the channel rather than acting through cooperation with Telegram's owners. This highlights the role Telegram plays in this underground community and how large numbers of actors communicate there.

Indeed, it was on Telegram that rumors started to circulate that Baphomet had been arrested. This was shared by several actors, including ShinyHunters and IntelBroker. ShinyHunters also made their Telegram channel private, meaning it could not be found through a global search and only invited users would be able to see the content.

Figure 6: Telegram message from Shiny Hunters stating that Baphomet was arrested

We await confirmation from the FBI as to whether this is the case and who the individual behind the alias is. However, perhaps foretelling the arrest, the avatars of both Baphomet and ShinyHunters were shown behind bars on the FBI seizure notice.

Figure 7: Baphomet and ShinyHunters avatars behind bars on the BreachForums seizure notice

Multiple Telegram channels have been very active over the last 24 hours with speculation about what has happened to the actors involved in BF and what sites should take its place. Two BreachForums Telegram channels where data can be uploaded and chat conducted remain active at the time of writing, with documents being shared and rampant conversation speculating on the arrest of Baphomet and the role of undercover agents on the site. There was also speculation about a site called Doxbin, which seemed to go down at the same time, although its operators claim to still have control of the domain.

A new channel was also created to share “news”, claiming its operators had warned all along that the site was an FBI honeypot.

Figure 8: Telegram Post claiming the forum was a honeypot the whole time 

It is therefore clear that Telegram will have a role to play in whatever happens next for BreachForums and the users that make data available and purchase and download it.  

There has also been speculation about which sites will fill the void left by BreachForums, with many existing forums suggested as front runners. From the history of RaidForums to the current iteration of BreachForums, it seems likely that a successor will emerge, whether a new or an existing site.

DarkOwl analysts will continue to monitor the situation to identify what emerges.  



What are CVEs?

May 14, 2024

Cybersecurity might as well have its own language. There are so many acronyms, terms and sayings used by both cybersecurity professionals and threat actors that, unless you are deeply knowledgeable, have experience in the security field or have a keen interest, you may not know them. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and in turn better protecting yourself, your clients, and your employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. In this edition, let’s dive into CVEs.

CVEs 101

CVE is an acronym thrown around frequently in the cybersecurity space. It stands for Common Vulnerabilities and Exposures: a list of publicly disclosed cybersecurity vulnerabilities, each assigned a unique identifier called a CVE ID. According to the National Institute of Standards and Technology, CVE defines a vulnerability as “a weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety).” When a security vulnerability is identified, it receives a CVE ID. This identifier is used to monitor and reference the vulnerability in security advisories released by vendors and researchers, and gives a uniform way of finding the same vulnerability across databases.

The concept of the CVE database originated in a whitepaper by its co-creators, Steven M. Christey and David E. Mann of the MITRE Corporation. The initial CVE list was made public in 1999 and continues to grow. There are currently over 247,000 CVEs, and in the first week of 2024 alone over 600 were cataloged. The system is maintained by the United States' National Cybersecurity FFRDC, which is operated by the MITRE Corporation and receives funding from the US Department of Homeland Security's National Cyber Security Division.

Keeping a record of all CVEs allows security and IT researchers to coordinate efforts in prioritizing and resolving these vulnerabilities. To keep CVE records organized, there is a CVE Program dedicated to identifying, defining, and cataloging publicly disclosed cybersecurity vulnerabilities.

Not only are CVEs important for keeping track of vulnerabilities in a way that is repeatable, searchable and trackable, but they raise security awareness. Because CVEs are publicly documented, there is better awareness of potential threats and security concerns. Individuals and organizations have the ability to search vulnerabilities and take the necessary actions to secure their computer systems and networks. CVEs allow security professionals to stay up to date on the latest security flaws and vulnerabilities.

CVEs in the Wild

The Cl0p ransomware gang, active since 2019, shifted its focus to exploiting the MOVEit vulnerability in May 2023 and carried on with this campaign throughout the summer. The gang exploited an SQL injection vulnerability, CVE-2023-34362, in MOVEit Transfer, a managed file transfer product used by numerous organizations. Cl0p's exploitation of this vulnerability had significant repercussions for several prominent brands and companies, garnering substantial media coverage. It is estimated that roughly 2,000 instances of MOVEit were exploited, affecting approximately 60 million individuals worldwide. These figures may be conservative owing to under-reported incidents and efforts by affected entities to conceal the extent of network intrusions. Nevertheless, experts projected that the group stood to gain around $100 million from exploiting this vulnerability. Left unaddressed, a vulnerability of this kind can lead to significant data breaches, loss of sensitive information, and severe disruption of services.

Figure 1: Initial vendor alert on the newly discovered MOVEit vulnerability; Source: Progress Community

CVE-2023-22515: Confluence Data Center and Server by Atlassian

Last fall, the Ukrainian Cyber Alliance (UCA) used CVE-2023-22515, a Confluence vulnerability, to escalate privileges and gain access to the Trigona ransomware group's Confluence server. They gained insight into the infrastructure and published Trigona's support documents, exfiltrated the developer environment and information pertaining to Trigona's crypto payments, as well as the back end of Trigona's chat service and details of its blog and leak site. After collecting all the information, UCA defaced and deleted Trigona's site. Open CVEs are a danger to everyone, including the cybercriminals who use the affected tools.

CVE-2022-42475: FortiOS SSL-VPN Vulnerability

Continuing their worldwide efforts to infiltrate government, military, and key sources of intelligence, Chinese state actors exploited a known Fortinet FortiOS SSL-VPN vulnerability (CVE-2022-42475), for which a patch had been available since December 2022, to deploy a backdoor named COATHANGER and gain access to a network used by the Dutch military; the Dutch intelligence services disclosed the intrusion in early February of this year. This was the first time the Dutch had publicly attributed a cyber incident to Chinese actors. This vulnerability, along with CVE-2023-22515, emphasizes the importance of maintaining good security hygiene and keeping systems updated to the latest version.

Cyber Actors Discuss CVEs on the Darknet

Cybercriminals and hackers frequently discuss vulnerabilities in various platforms on the darknet. Discussion of relevant software and of the exploitability of specific CVEs can help an organization identify potentially unpatched vulnerabilities. Figure 2 shows a forum discussion about an exploit for CVE-2022-30190, the Microsoft Support Diagnostic Tool vulnerability known as Follina, which attackers can trigger through Office documents for remote code execution.

Figure 2: DarkOwl Vision search reveals an exploit based on CVE-2022-30190; Source: DarkOwl Vision

Figure 3 shows a post to a hacker forum on the darknet by the user known by the moniker PresidentXS, discussing an Azure vulnerability, CVE-2019-1306, “Azure DevOps and Team Foundation Server Remote Code Execution Vulnerability.” Successful exploitation of this vulnerability allows malicious code execution under the ADO service account.

Figure 3: Source: DarkOwl Vision

Posts and discussion threads like these examples in DarkOwl Vision are useful for reviewing actor commentary and exploring how a specific vulnerability is being applied and to what ends.

Based on feedback from our customers, CVEs are identified and tokenized within our indexed document collection. DarkOwl Vision UI users can search for results containing a specific CVE ID, as well as for results containing any CVE at all. CVE tokenization makes it easier to search for CVEs alongside keywords or other entities such as onion domains or threat actor aliases.
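Tokenizing CVEs, as described above, and assigning the CVE IDs introduced in the CVEs 101 section both rest on the same identifier syntax: the prefix CVE, a four-digit year, and a sequence number of four or more digits (the sequence was capped at four digits until 2014, so a pattern that only accepts four digits misses most modern IDs such as CVE-2023-34362). The Python below is an added example written for this article, not DarkOwl Vision's code. It extracts and normalizes CVE IDs from constructed sample posts that use the CVEs named in this article, builds a small inverted index, and looks posts up by a CVE written in any accepted form. The sample posts, the tolerated separators (“-” and “_”) and the year floor are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# CVE ID syntax: the prefix "CVE", a four-digit year, and a sequence number of
# at least four digits (arbitrary length since the 2014 syntax change). The
# lookbehind stops "XCVE-..." or "1CVE-..." from matching. Accepting "_" as
# well as "-" is an assumption to cope with sloppy forum posts.
CVE_RE = re.compile(r"(?<![A-Za-z0-9-])CVE[-_](\d{4})[-_](\d{4,})", re.IGNORECASE)

FIRST_CVE_YEAR = 1999  # the CVE list was first published in 1999


def extract_cves(text: str) -> List[str]:
    """Return the distinct CVE IDs in text, normalized to CVE-YYYY-NNNN,
    in order of first appearance."""
    seen = set()
    out: List[str] = []
    for m in CVE_RE.finditer(text):
        year, seq = m.group(1), m.group(2)
        if int(year) < FIRST_CVE_YEAR:  # impossible year: treat as noise
            continue
        cid = f"CVE-{year}-{seq}"  # keep leading zeros: CVE-2019-0001 is not CVE-2019-1
        if cid not in seen:
            seen.add(cid)
            out.append(cid)
    return out


# Constructed sample posts, not real forum content. The CVEs are the ones
# discussed in this article, written the way actors tend to write them.
SAMPLE_POSTS: Dict[int, str] = {
    1: "selling working exploit for cve-2023-34362 (moveit), escrow only",
    2: "anyone have a CVE_2022_30190 doc builder? also looking at CVE-2019-1306",
    3: "trigona got owned via CVE-2023-22515, and CVE-2022-42475 boxes are still unpatched everywhere",
    4: "CVE-1998-0001 is not a thing, and 2022-30190 without the prefix is just a number",
}


def build_index(posts: Dict[int, str]) -> Dict[str, List[int]]:
    """Inverted index: normalized CVE ID -> IDs of the posts mentioning it."""
    index: Dict[str, List[int]] = defaultdict(list)
    for pid, body in posts.items():
        for cid in extract_cves(body):
            index[cid].append(pid)
    return dict(index)


def search(index: Dict[str, List[int]], query: str) -> List[int]:
    """Look up posts by a CVE written in any accepted form (case, separator)."""
    ids = extract_cves(query)
    if len(ids) != 1:
        raise ValueError("query must contain exactly one CVE ID")
    return index.get(ids[0], [])


if __name__ == "__main__":
    idx = build_index(SAMPLE_POSTS)
    for cid, pids in sorted(idx.items()):
        print(cid, "->", pids)
    print("cve_2022_30190 ->", search(idx, "cve_2022_30190"))
```

Normalizing at index time and again at query time is what makes “cve_2022_30190” and “CVE-2022-30190” hit the same posts; the year floor and the lookbehind keep obvious junk such as CVE-1998-0001 or a bare sequence number out of the index. A production tokenizer would additionally verify that the ID exists in the CVE list before treating it as an entity.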

Figure 4: CVE search in Vision UI; Source: DarkOwl Vision

Actor Explore

DarkOwl's Actor Explore feature provides insight into cyber threat actors, giving security professionals, researchers, and organizations analyst-curated information about threat actors and enhancing their ability to understand and combat cybersecurity threats effectively. Each actor profile in Actor Explore includes a detailed dossier offering an in-depth overview of the threat actor, with extensive information such as darknet fingerprints, targets, tools, CVEs, contact information, and more. Actor Explore connects this information to our other data sets, including the leak sites, ransomware sites, aliases, cryptocurrency addresses and so on that actors are associated with. This wealth of data enables users to gain a thorough understanding of the threat actors, their tactics, and the potential risks they pose.

A DarkOwl Vision user can also search in Actor Explore by CVE. This filtering option makes it easier to find and compare actors of interest.

Figure 5: DarkOwl Actor Explore result for Cl0p and the CVEs they exploit; Source: DarkOwl Vision
Figure 6: Example of CVE filtering in Actor Explore; Source: DarkOwl Vision

Keeping up to date on CVEs is essential to maintaining a secure IT environment. Below are a couple of free resources available for tracking and researching CVEs.

To take investigations to the next step, root cause mapping of vulnerabilities is best done by correlating CVE Records with Common Weakness Enumeration (CWE) entries. Check out guidance from MITRE here.


To see DarkOwl Vision and our collection of CVEs in action, contact us.

Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.