Author: DarkOwl Content Team

DarkOwl Returns to Dubai for GISEC Global

May 07, 2024

Last month, DarkOwl participated in GISEC Global in Dubai, UAE, for the seventh year in a row! GISEC Global describes itself as “the leading gathering ground for the cybersecurity community worldwide.” It is the largest cybersecurity event in the Middle East and Africa. At the event, one can expect top government dignitaries and cyber leaders, CISOs from major corporations, regional and international innovators, and global experts from top cybersecurity enterprises from over 40 countries in the Middle East, Africa, and Asia. Attendees have the opportunity to network with over 3,500 delegates and hear from over 500 top Infosec leaders across multiple stages. GISEC attendees come together to lead cybersecurity transformations across sectors and nations and to learn from over 300 hours of content aimed at boosting cyber resilience for a safer digital future.

“Embark on a thrilling journey through the largest cybersecurity exhibition, where cyber competitions collide with live hacks, revealing true stories and offering unprecedented access to the minds behind the code….”

Representing DarkOwl at GISEC Global was David Alley, CEO of DarkOwl FZE based in Dubai and Magnus Svärd, Director of Strategic Partnerships, based out of DarkOwl’s headquarters in Denver, CO.

The DarkOwl team remained busy over the three days manning the booth, meeting new prospects, visiting with customers and partners, and showcasing our industry leading darknet platform, Vision UI. The DarkOwl booth saw visitors from India, Pakistan, Kyrgyzstan, Iran, Singapore, Tunisia, Malawi, Lebanon, UAE, Oman, Seychelles, US, Canada, UK, Sweden, France, Austria, and more – a truly international presence. Magnus stated, “Visitors to the stand were constant starting 30 minutes into the conference. Suddenly the time was 4:40pm and the first day was about to end.” This sentiment was shared across the three days, and David shared, “Three really busy days – the busiest GISEC.”

In addition to networking and conversations at the booth, top minds of the space have the platform to share thought leadership, innovations, and the latest in the cyber security space. Speakers were present from all around the world, including the UAE, Argentina, Kenya, UK, US, Singapore, Estonia, Brazil, Oman, Turkey, South Africa, India, Switzerland, Vietnam, Philippines, Saudi Arabia, Ghana, Lebanon, and many more. Topics ranged from harnessing AI for security resilience, keeping up with high-tech cybercrimes, building a strong cybersecurity ecosystem at national level, to mastering risk with real-world insights and strategies, and so much more. In addition, there were halls dedicated to just trainings, meetings and hands on workshops. This is a major benefit of GISEC Global – the emphasis on thought leadership, sharing information and education.

DarkOwl is excited for GISEC Global in 2025!


DarkOwl looks forward to continuing their presence at several international events in the future. You can see what conferences we will be attending coming up and request time to chat with us here.

DarkOwl and Forensic IT Partner to Enhance Proactive Darknet Intelligence

May 06, 2024

Partnership advances Forensic IT’s cybersecurity offerings, adding enriched monitoring of deep, dark web and dark web adjacent sites to help deliver a comprehensive view of risk

DarkOwl, the leading provider of darknet data, is thrilled to announce its partnership with Forensic IT, a leading cybersecurity firm in Australia specializing in forensic investigations and cyber incident response. This partnership combines DarkOwl’s extensive darknet intelligence capabilities with Forensic IT’s expertise in cyber forensics to offer comprehensive cyber incident response services and digital forensics to businesses and organizations.

DarkOwl’s platform aggregates data from across the darknet, providing insights into emerging threats, leaked credentials, and potential vulnerabilities that may pose risks to organizations. DarkOwl collects and organizes data in near real-time, empowering businesses to conduct in-depth investigations and proactively defend against potential cyber threats. Forensic IT provides a wealth of expertise in digital forensics, incident response, and cybersecurity consulting. Forensic IT is a trusted partner for businesses Australia-wide seeking to enhance their cybersecurity posture and respond effectively to cyber incidents – from courtroom analysis to cyber incident response. Their highly skilled experts deliver unmatched digital investigations.

Because the darknet serves as a sanctuary for illicit activities, insight into its activities is essential for a comprehensive view of cyber risk and digital footprints. It is an increasingly vital component for organizations with forward-thinking strategies. By joining forces, Forensic IT aims to offer a holistic approach to cyber incident response, providing clients the full picture of their potential risk.

Luke McCarthy, Director of Forensic IT, states, “Forensic IT’s partnership with DarkOwl is an exciting step forward in our objective to provide the best possible proactive Dark Web Intelligence to our clients in Australia. By integrating DarkOwl’s advanced tools into our Dark Web Monitoring service, we are able to deliver an even more comprehensive and robust solution, ensuring that our clients are better informed of potential threats than ever before.” CEO of DarkOwl, Mark Turnage, adds, “We are excited to partner with Forensic IT to deliver comprehensive cybersecurity solutions to their clients and help them in their mission by utilizing the strengths of both companies. Combining our strengths will enable organizations to stay ahead of ever-evolving cyber threats.”

About Forensic IT
Forensic IT is a specialised cyber security firm with expertise in Digital Forensics and Incident Response (DFIR). We regularly work with law enforcement, investigators, government agencies and commercial organisations to bridge critical expertise gaps to safeguard clients’ environments and manage cyber incidents, including in Operational Technology / Industrial Control Systems (OT/ICS) environments. To learn more, visit www.forensicit.com.au.

About DarkOwl
DarkOwl uses machine learning and human analysts to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data, allowing for simplicity in searching. DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. For more information, visit www.darkowl.com.

[Podcast Transcription] Demystifying Dark Web Research for Enterprise and Law Enforcement

May 02, 2024

DarkOwl Analyst, Steph Shample, joins Authentic8’s Needle Stack Podcast to discuss dark web research and all its facets. From AI and other trends on the dark web to operational security, learn how to turn on the light beneath the surface of the internet.

Key Takeaways

  • AI and other dark web trends
  • Operational security in dark web research
  • How to search an unindexed environment

The links to the podcast, YouTube Channel, and the transcription can all be found below.

Jeff: Welcome to Needlestack. I’m your host, Jeff Phillips. 

Shannon: And I’m Shannon Reagan. Today, we are talking to Steph S., Senior Intelligence Analyst at DarkOwl. Steph, thanks for joining us. 

Steph: Hi, Shannon. Hi, Jeff. Thank you so much for having me and for having DarkOwl. We’re so excited to be here. 

Jeff: Well, let’s start with that, Steph. Um, to kick things off, can you tell us a little bit about, uh, DarkOwl for those that don’t know?

Steph: Absolutely, we are the world leading data provider of the dark web, deep and dark web, as well as dark web adjacent technology. So think Telegram, Discord, those chat platforms. Also, the markets and forums that you see frequently in the news, ransomware victim blogs where they advertise, other general markets that sell malware, drugs, animals on the dark web.

So, we have a mixed manual and automated collection to safely get that, scrape that information, and then put it in a very friendly user interface or an API if you need. That way you can enrich that information with ClearNet, information from social media, all kinds of different enrichment that you can do to best paint the picture of where your exposure is and what precautions and mitigations you need to take.
So it’s just a fascinating company. Truly. It’s really cool. 

Shannon: It is very cool. I think Jeff and I are pretty jazzed about dark owl. This might seem like a silly question to you. Um, but what is your perspective of why? Companies, you know, need dark web intelligence, if not maybe going into the dark web directly.

Steph: Yeah, I get that. And no, I truly stand by no silly, no stupid questions. A lot of people really only know the dark web as it pertains to ransomware, right? They see, okay, ransomware is being announced on here, but there is so much more and there always has been so much more on there. So the dark web is not indexable, right?

You can’t Google on it. So you really do have to know a little bit more navigation of where you’re going, what you’re looking for. Why you should have it is because everybody these days is very, very concerned about privacy. So we all want to be online and be connected and have that social aspect. But we also want to try to reduce, you know, what we’re leaking, what we’re exposing.

Unfortunately, with everything these days, um, you know, phishing, Ransomware social engineering. There are so many ways that malicious actors infiltrate an organization or an entity and then sell or monetize that information, or they do it for their own notoriety. You as an organization have got to be aware of what’s out there.

You can’t just Google yourself or your organization and find all of the threats. When you’re caught up in data breaches that are sold online and then cross sold on a market, right? To maximize profit, you’ve got to take a look at what actors are doing with their IP addresses, how they’re innovating and just making their operations more quick, more quick, uh, more efficient.

They’re streamlining them. You’ve got to have the dark web piece of information because they’re very open and talk a lot on there. They train one another. They share, in addition to saying, yeah, I’m going to move my C2 from this provider to that, right? Or don’t message me on this platform anymore, I view it as unsecure.

Let’s all move to Telegram, Discord. You’ve got to keep yourself informed on the dark web. I respect and realize it is not for everybody, but if you do have a presence on there, if you have an incident, you really do need that piece of information or you’re seriously lacking a part of the picture.

Shannon: Follow up to that, for those companies that aren’t, um, kind of, I’m going to be chatting more about that. Um, either they may be put into a dedicated effort to understanding the information that is out there on the dark web, or they aren’t staffed with the right people to do it. They maybe don’t have the right tools to do it. What advice do you have for people that think this isn’t for me?

Steph: Sure, yeah, I would say, take a look, right?

Take a look at any dark web service provider. Start a trial, start a conversation, go install Tor, right? It’s really easy to do that. Tor is open source. You can download it and just self teach, right? So many people these days want to spend so much time on social media or posting pictures or what have you.
Great. But there is a way for self empowerment to go educate yourself, type, uh, type something into a Tor browser, take a look at what people are using the dark web for, and educate yourself, you know, and if you don’t want to do that, then maybe look on LinkedIn or other social media, or just contact a company who does have dark web coverage and truly educate yourself before you make that final decision of, meh, I don’t need this.

Jeff: By the way, for some of our audience, I like to, I don’t know if I like to do this stuff, but TTPs, right? Tactics, techniques, and procedures.

Steph: Yeah, call me out. I’m going to throw every acronym in the book at you: tactics, techniques, and procedures. So, for instance, I’m an Iran analyst by trade, and Iran was really big about using European VPNs in their malicious operations.

So they would use, namely, Germany and the Netherlands, constantly abused. When the European Union started to crack down on that, they moved to Japanese infrastructure. That is a tactic, technique and procedure that I observed. And then we put out in the researcher community, like, hey, be aware, you know, you’re going to start to shift.

Jeff: Thank you for that. Um, of course, uh, pretty hot topic these days on the OSINT front, um, is AI. I guess AI is a hot topic on every front, but in specific to us, can you tell us a little bit about any AI trends you’re seeing on the, on the dark web when it comes to AI? 

Steph: Absolutely. Yeah. It’s just like you said, everyone’s like, I want AI, but they don’t really know what AI is, but they want it.

Actors have embraced it and are successfully using it. So one use case that we are seeing constantly right now: phishing templates, right? Um, AI is enabling them to write a little cleaner. So there’s not as many English mistakes, grammar mistakes, what have you. And then previously, you know, you can code and you can automate and do all the things to really streamline your operation.

So previously actors would only be able to get those templates to maybe tens or hundreds of companies or organizations that they were trying to infiltrate. Now with AI, you’re getting up to. Thousands, if not tens of thousands, so they can work faster, get more. And it’s harder to tell who wrote this. You know, usually.

The joke is, of course, the Nigerian prince, or you get this email that’s riddled with so many grammatical mistakes. You’re like, really? But now that’s no longer the case. It’s not as easy to tell. And that’s probably the forefront of AI right now and how malicious actors are using them. It’s increasing their operation space.

Shannon: When we were talking ahead of the call, you mentioned that you have a linguistics background, maybe related to, you know, the AI space, you know, that there is such an element of writing and language as part of that. How, uh, Does linguistics play a role in OSINT or, you know, threat intelligence? 

Steph: Of course. I’m so glad that there’s a space for that, right? So I think in tech, in AI, whatever you wanna call it, cyber tech, what have you, there is this misconception that you have to be a hardcore programmer, ones and zeros, coding, all the things, right? That there’s no space for other people. And I want to dispel that myth so, so, so much. Linguistics, especially. So, I started translating, you know, of course, and then French and Spanish and saying, you know, this is what they’re doing, et cetera, et cetera. That is happening online, right? Yes. Technology and the Internet. A lot of it is in English, 80%. I’ll give you guys that. But think of now, if you have kids or little cousins, little nieces and nephews, right?
Number one, how can you even understand what they’re saying in the tech jargon and neologisms? Now take that and try to translate from a Spanish little kid or a Persian little kid, right? Or even a Persian actor. So, you have to really be able to understand the nuance of language. If they’re circumlocuting around an operation, you know, if they say, hey, I’m going to buy this video game from you on Steam or a gaming platform. It’s 1400 dollars. Are you good with that? And you’re like, yeah, what kind of video game is 1400 right now? There’s someone malware, right? Gotta pick out the nuance of the language. Translation will never go away. Yes, automation will help it. We’ll streamline it, make it faster. But humans always need that niche and always have to analyze the language, analyze the sentiment.

Those very, very fine things that you’ve got to have a background of, and you’ve got to understand with AI, it’s coming into tune as well. So, you know, word clouds, for instance, it’s a really great way to capture. We have so much data from AI; word clouds come out. And let’s say it’s a protest, right?
Protests are taking place. So the word cloud comes back, and Berlin is in huge letters, whereas Munich and other cities are smaller. So, you know, it’s like, okay, well, how is this represented? Does this mean I should pay attention to it? Does this mean it’s an anomaly? Should I throw it out? There are so many different ways to involve linguistics, translation, and just divergent thinking into this field. So whatever your background is, welcome, come, and also learn another language because, cognitively speaking, I can’t even espouse the benefits enough. I will nerd out with you on a separate podcast.

Shannon: As a former creative writing major, I will welcome you into those. 

Steph: Foreign language, linguistics for life.

Jeff: That’s funny. Can I just be a wannabe? Cause you know, I don’t know. It’s a little late to learn a new language 

Shannon: anytime. 

Jeff: Well, you have, um, a lot of passion about shining a light on the dark web. Um, obviously it’s, so it’s great that you’re a dark owl. Um, do you think shining that light and, and putting out more dark web education can actually start to have an impact or mitigate some of the threats or the particular threat actors?

Steph: It’s a great question. Uh, we are seeing reflections of security and clampdowns shape actors and where they’re moving what they’re doing, how they’re communicating. So I do think that if we keep this up. Yes, absolutely. And public education for cyber cybersecurity, you know, your 2 year old has an iPad.
Your grandmother’s on Facebook. The entire spectrum of humanity is tech enabled. We need to protect them. They don’t know if they’re exposing themselves. Then you’ve got the people who use the same password for their corporate account versus again, personal accounts. There’s a lot of education to do. And I say all that because passwords are sold on the dark web, right?

Repeatedly, passwords are then put on paste sites and monetized; they’ll just put it on a free paste site for other people to use in their operations. I do think it’s a slow process. It’s slower than we would want. And that is tough because tech is so dynamic and moves so quickly, but we cannot stop trying to educate and elucidate and really raise the problems of, hey, this is not going to stop.
This is happening in the background and you’ve got to pay attention.

Jeff: You know, follow up when we were talking earlier, you mentioned, I believe the way you portrayed it was that with all that focus and attention on the dark web that you’re seeing them start to migrate to other platforms and other venues.

Can you talk a little bit about that? 

Steph: Absolutely. Yeah. So, you know, dark web, the .onion sites, are markets and forums, and you can basically go on. I’ll use Dread as an example. Dread is basically the Reddit of the dark web, right? It’s the same thing: threads, forums, advice, communities, like minded people. So, Dread, you can go on there and just find something that, you know, I want to sell malware.

I am, I’m looking for this. I’m having trouble developing this part of it of my malware operation or this code or whatever. Um, so it’s really just essential to. Follow that and follow the actors and they have openly stated, you know, think of Alphabay and Silk Road, those markets that went down. Think of recent ransomware groups have also gone down, right?

You’ve been arrested, taken offline. Those groups are talking, they are sharing in Telegram, in Discord. And then, of course, on Tox, which is primarily used for ransomware comms, but it is growing in popularity. Tox is just a peer to peer messaging system. Direct messaging. They are using more opsec. They are saying, do not post on this forum.

We think there’s a law enforcement presence. Contact me on telegram. They are using more controls on Telegram. So you can shape a channel that only you, the admin can post and nobody else can. So we’re definitely seeing them paying attention to what’s happening in the security and law enforcement world and applying that to where they’re moving more secure messaging platforms, direct messages versus public.

Shannon: It is tough to, you know, it feels like an arms race, like that. You’re always, you know, we’re all just chasing each other around the internet.

Jeff: I like that we’re all just chasing each other around the, 

Steph: it was awesome. 

Shannon: I do wanna talk about tools in a minute, but with the constant changes in technology and, uh, keeping up with threat actors, is there any advice that you have, particularly for training or, um, you know, recommended forums and platforms that, you know, like Dread on the dark web for threat actors?

Like, where do you find the kind of, um, threat intelligence folks getting the most value out of information sharing among other professionals? 

Steph: Absolutely. So the two main ones that have really emerged are task forces and trust groups, honestly. So let’s start with task forces. We realize that it’s got to be Government, private and academia has to all participate to best shape and fight the threats we’re facing.

So find someone who’s in your geographical area of interest, right? If you have an interest in China, if you have an interest in Russia, find groups there, use LinkedIn, use all of those and then it’s usually private signal groups, or maybe a private WhatsApp group and there’s a lot of, you know, just that are shared in their talk amongst practitioners and the task forces really bring all 3 perspectives of those industries that are necessary.

Trust groups are. I know this won’t be popular, but analysts are skeptical by nature. Hi. Um, you know, we don’t trust anybody, but when you have a trust group that starts up, so for instance, when Afghanistan fell in 2021 and they were using Snapchat as well as some other hidden, um, underground communications to avoid the Taliban, to get people out of country who were very much in danger, a trust group started up with that for, you know, Operations, getting people to safe houses, monitoring what the Taliban were doing on Twitter, as well as other places.

It was similar with when Russia invaded Ukraine. Okay, find analysts, you know, who has on the ground experience, who has language experience, who has tech experience, especially, you know. What are the Russians using? What are they going after? So task forces and trust groups are one thing. GitHub. I would suggest combing that left and right.

Then I also really want to highlight: there are quite a few really great open source organizations out there. You know, I follow China, so I need to understand how to get behind the firewall, if I can, how do I pick up information or open source information on WeChat, QQ, et cetera. Um, the Digital Sherlocks program handled that.

They have a by area, um, by area of operation, AOR, uh, program that you can do for free. All you have to do is apply, state why you need it. So there’s a lot of free open source training. You can never go wrong with the SANS course. They just started a cybercrime one, which I’m super excited to take.
It’s a 500 level, so I’m gonna wait on that. But yeah, um, the tech. And then also, I’m not gonna shy away from things like Coursera or Udemy. There’s plenty of baseline foundational classes that you can do on there. You don’t need to say, be a coder yourself, but maybe you wanna understand why your malicious actor is doing what they’re doing on the dark web.

Take a while, one, understand what’s happening, an object versus a whatever. Right. Immerse yourself and use those free resources, YouTube, Coursera, Udemy, work training, trust groups to really flesh out an area and flesh out expertise and share information. 

Shannon: That’s great. Okay. Aside from groups, what are, uh, some of the tools with the right know how that you think are really valuable to, you know, dark web threat intelligence understanding?

Steph: Big that, uh, when I first got started years and years and years ago, and it’s still around, dark.fail, type that in your, in your Tor browser, honestly. This is a, I give anybody who’s like, I’m curious about the dark web, but I’m also afraid, right? Understood. There are risks. dark.fail is, is like a how to, it’s like lower than a one on one course, right?

Basically it gives you every listing of, okay, here’s a popular market. This is its onion site, because onion sites are now at 57 characters, if I’m not mistaken; they used to be 22. We can memorize that. And it’s not like a google.com or it’s not like an authentic8.com. The URL doesn’t make sense. The onion ones are obfuscated for a reason.

dark.fail lists them, lists if they’re up and down, lists if they’re temporarily unavailable, gives you the mirrors or the clear net site equivalents. And then another one I really love is ransomlook.io. That’s, of course, for ransomware, but that site also is amazing. Open source, type that in your browser.
It gives you every single ransomware group that’s out there, right? What their blog looks like, what are some of their latest victims, is their server up and running. In some cases, where do they host their server? So there’s no perfect way to index the dark web. But there are starting points. Those two that I just named to really get you started.
And then that curiosity will take over.

Shannon: I think that’s great to just recognize, you know, even with a tool like DarkOwl, that, you know, a lot of the work can be done for you, but you can still utilize, you know, the intelligence and the information.

Steph: Yeah. And go, you know, whatever your provider is. We like analysts love writing and blogging and be like, this is what I discovered, right?

Go check out blogs from any company that has a dark web focused. If you’re curious, if you’re curious, they have wonderful insight, wonderful how to’s. And then generally they keep it short and sweet, right? Because we’re all busy. We don’t have enough hours in the day. So we’re not going to give you a PhD level thesis of this dark web actor.

We’re going to give you the nitty gritty. Here’s some IOCs, here’s some mitigation, Good luck, right? That’s what we’re going to try to do. So 

Jeff: Yeah, IOC, indicator of compromise. There’s my value. Acronym value. That’s my value. You’re a cyber security linguist, Jeff. Or a linguist. Well, Steph, thank you for joining us today. And thank you to DarkOwl for letting you join us today. That was great. Much appreciated. Uh, and thank you to our audience for joining us. You can view transcripts and episode info on our website, authentic8.com slash needlestack. That’s authentic with the number eight, and be sure to let us know your thoughts on social at needlestackpod, and to like and subscribe wherever you’re listening today, and please tune in again next time for Needlestack.

Steph: Thank you guys so much.


Learn more about the DarkOwl and Authentic8 partnership here.

Threat Intelligence RoundUp: April

May 01, 2024

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Malicious PowerShell script pushing malware looks AI-written – Bleeping Computer

A March 2024 email campaign targeting German organizations was attributed to initial access broker TA547, AKA Scully Spider. The PowerShell script it delivers loads the Rhadamanthys infostealer, which can steal cookies, browser and clipboard data, and other system metadata. As the security community studied the malicious script, they noted that nearly every component carried a comment introduced with a hash sign (#), in an unusually verbose style, suggesting that an LLM or other non-human author possibly wrote the code. Read article.

2. U.S. Treasury Sanctions Iranian Firms and Individuals Tied to Cyber Attacks – The Hacker News

The US Treasury sanctioned several Iranian individuals and front companies who have been targeting the US on behalf of the Iranian Government. Their operations used spear phishing and social engineering to target US military veterans, US defense contractors, and other US government entities. Full article here.

3. UnitedHealth confirms it paid ransomware gang to stop data leak – Bleeping Computer

UnitedHealth publicly admitted that it paid BlackCat/AlphV ransomware actors in February 2024 to prevent the sale of private healthcare data to criminal actors. The payment was corroborated by a publicly visible Bitcoin transaction on the blockchain to a wallet associated with the BlackCat ransomware gang. Read article.

4. Indian Government Rescues 250 Citizens Forced into Cybercrime in Cambodia – The Hacker News

India’s government issued a public statement and update about the rescue of 250 Indian nationals who went to Cambodia under the pretense of employment but were then forced to participate in cybercrime. In what some dubbed “cyber slavery”, organized crime groups are luring people to Cambodia and other countries with false employment opportunities, and then forcing them to create thousands of social media accounts to use for various purposes, such as gambling, crypto fraud, romance schemes, and more. If the trapped individuals didn’t meet their quota of accounts created, the cybercrime groups denied them food and sleep. Other hotspots observed for this kind of activity include Myanmar, Thailand, and the Philippines. Read more.

5. DPRK hacking groups breach South Korean defense contractors – Bleeping Computer

Targeting technological information, North Korean hacking groups including Lazarus and Kimsuky exploited existing vulnerabilities to plant malware that exfiltrated data to attacker-controlled cloud servers for use by the North Korean government. One group accessed the account of an employee who worked with defense subcontractors, while another took advantage of an email server vulnerability. Read more.

6. US Health Dept warns hospitals of hackers targeting IT help desks – Bleeping Computer

The US Department of Health and Human Services issued a public warning this week concerning social engineering techniques used by threat actors to go after IT help desks in the health sector. In these operations, threat actors call health organizations from a local number in the area they are targeting. They provide stolen details of the organization and the employee they are impersonating, such as an actual corporate ID and/or social security number procured in earlier malicious cyber operations. By providing this real information to the IT department, they appear legitimate, and the help desk then enrolls the threat actor’s device into corporate multi-factor authentication, allowing deep access to corporate information. Malicious actors then change ACH payment information, gain access to corporate email accounts, and continue social engineering from there. Read more.
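The chain described in the HHS warning (help desk reset, new MFA device enrolled, then an ACH change or mailbox access) is one a SOC can hunt for by correlating ordinary identity and finance audit events per user. The script below is an added example, not code from the page or from HHS; the event names, field layout and the 24-hour window are assumptions, and the log records are constructed, not real. It flags any MFA enrollment followed within the window by a high-impact action, and raises the severity when a help-desk reset preceded the enrollment.

```python
"""Correlate help-desk-driven MFA enrollment with follow-on high-impact actions.

Added example (not from the page or HHS). Event names, fields and the window
are assumptions; SAMPLE_EVENTS is constructed, not real log data.
"""
from datetime import datetime, timedelta

# Constructed sample audit trail: one user follows the help-desk-abuse pattern,
# one user is a benign enrollment with an unrelated rule created a week later.
SAMPLE_EVENTS = [
    {"user": "a.smith", "action": "helpdesk_password_reset",
     "ts": "2024-04-02T09:12:00", "detail": "ticket 1042; caller gave employee ID and SSN"},
    {"user": "a.smith", "action": "mfa_device_enrolled",
     "ts": "2024-04-02T09:20:00", "detail": "authenticator app on new device"},
    {"user": "a.smith", "action": "mailbox_rule_created",
     "ts": "2024-04-02T10:05:00", "detail": "forward all mail to external address"},
    {"user": "a.smith", "action": "payment_details_changed",
     "ts": "2024-04-02T11:40:00", "detail": "ACH routing/account number updated"},
    {"user": "b.jones", "action": "mfa_device_enrolled",
     "ts": "2024-04-02T13:00:00", "detail": "authenticator app on new device"},
    {"user": "b.jones", "action": "mailbox_rule_created",
     "ts": "2024-04-09T08:00:00", "detail": "move newsletters to folder"},
]

# Actions that matter if they closely follow a fresh MFA enrollment.
FOLLOW_ON_ACTIONS = {"mailbox_rule_created", "payment_details_changed"}
WINDOW = timedelta(hours=24)  # assumption: tune to your environment


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_suspicious_enrollments(events, window=WINDOW):
    """Return one finding per MFA enrollment that is followed, within `window`,
    by a mailbox rule or payment-detail change for the same user.

    Severity is 'high' when a help-desk reset occurred in the window before
    the enrollment (the pattern HHS describes), else 'medium'.
    """
    by_user = {}
    for event in sorted(events, key=_ts):
        by_user.setdefault(event["user"], []).append(event)

    findings = []
    for user, evs in by_user.items():
        for i, event in enumerate(evs):
            if event["action"] != "mfa_device_enrolled":
                continue
            t0 = _ts(event)
            # Any help-desk initiated action shortly before the enrollment?
            helpdesk_before = any(
                prev["action"].startswith("helpdesk_") and t0 - _ts(prev) <= window
                for prev in evs[:i]
            )
            # High-impact actions shortly after the enrollment.
            follow_on = [
                nxt["action"] for nxt in evs[i + 1:]
                if nxt["action"] in FOLLOW_ON_ACTIONS and _ts(nxt) - t0 <= window
            ]
            if follow_on:
                findings.append({
                    "user": user,
                    "enrolled_at": event["ts"],
                    "helpdesk_reset_before": helpdesk_before,
                    "follow_on": follow_on,
                    "severity": "high" if helpdesk_before else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_enrollments(SAMPLE_EVENTS):
        print(finding)
```

Running this over the constructed events produces a single high-severity finding for `a.smith` (reset, enrollment, forwarding rule and ACH change all inside one morning) and nothing for `b.jones`, whose mailbox rule lands a week after enrollment. In a real deployment the events would come from the identity provider's audit log, the mail platform's rule-creation events and the payables system, normalized to the same user key.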

7. Russia charges suspects behind theft of 160,000 credit cards – Bleeping Computer

Six Russian individuals were recently charged by the Russian Prosecutor General’s Office. The men were charged with skimming 160,000 cards, using malware to steal credit card and other payment details, over the past seven years. The group didn’t use the stolen cards themselves, instead selling them on various dark web platforms for profit. Article here.

8. Cybercriminals Targeting Latin America with Sophisticated Phishing Scheme – The Hacker News

ZIP files are currently being used to deliver malicious files which appear to be an invoice, targeting Spanish speakers in LATAM. The files redirect the user to another domain, newly set up by the malicious actors. This redirection activates a script that then takes metadata from the system and checks for anti-virus software, collecting system information for use in further malicious operations. Read article here.

Cyber actors are cold-contacting employees of various US cell phone companies and offering them cash in exchange for their participation in SIM swapping operations. In SIM swapping incidents, actors fool a wireless carrier, such as Verizon or T-Mobile (who were both targeted in this latest campaign) into rerouting services to a device controlled by the criminals themselves. Once the “swap” is completed, the victims lose access to most personal accounts and personal data attached to the cell phone account is also stolen and used in other malicious operations. Read more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Utilizing DarkOwl’s Darknet Data for Enhanced Darknet Monitoring of Leaked Credentials

DarkOwl’s robust darknet data enables our customer, Silobreaker, to provide their customers enriched monitoring of deep, dark web and dark web adjacent sites to help identify risk at scale and drive better decision-making.


Want to understand how DarkOwl darknet data can provide your organization with more robust threat intelligence? Contact us.

Unveiling Insurance Fraud on the Dark Web

April 25, 2024

Cyber insurance has become a hot topic in recent years. As DarkOwl has previously documented, frequent attacks against organizations mean that there is ever-increasing demand for coverage which assists in reducing the negative financial impacts and risks of conducting activities on the internet.

One of the things that cyber insurance can cover is extortion payments associated with ransomware attacks. As ransomware attacks are expected to continue to increase during 2024, with more and more groups adopting double-extortion techniques, it is prudent for organizations to explore their insurance options.

However, insurance carriers are not immune from cyberattacks and can also fall victim to attacks and credential loss. As a third-party supplier, their data can also be exposed through the ransomware attacks of their customers. In this blog we explore this exposure.

The term “Insurance” appears in over 100,000 documents linked to ransomware activity in DarkOwl’s Vision platform. Ransomware groups such as CL0P, Medusa, BlackBasta and 0mega, to name just a few, have published documents from victims which include insurance information.

The Dunghill Leak group published on their leak site details of a UK-based transportation company called Go-Ahead Group, from which they alleged they had obtained data. They provided descriptions of the data as well as sample images of the documents. They claimed that this included details of insurance claims made by the company. One of the sample documents they provided appears to be related to medical insurance.

Figure 1: Stolen document from Go-Ahead Group

Insurance carriers and providers themselves are also not immune from ransomware attacks. The ransomware group BlackBasta posted information relating to an insurance marketing firm named LeClair, which provides marketing services to insurance brokers. All of the data relating to this organization was published on the leak site of BlackBasta and, according to the site, has been viewed over 3000 times.

Figure 2: LeClair sample data on BlackBasta leak site

Another insurance provider, Delaware Life Insurance Company, appeared to be a victim of the group RansomHouse. All data relating to this organization was disclosed, including a file tree of all documents obtained. The group claimed to have stolen 1.4TB of data from the organization; as well as making the full set available for download, they also provided proof which contains confidential documents, health records, and pricing information.

Figures 3 and 4: RansomHouse Leak site and proof of documents listed

The CL0P ransomware group, when posting data for one of their victims, a university, detailed that the victim had used their insurance company to negotiate. They stated that the insurer was cheap and the negotiator was bad. Despite the claim that the university offered to pay $950,000, the full data was still leaked. This highlights how insurance providers become involved in negotiations with ransomware groups, and how the groups view that involvement.

Figure 5: Post on CL0P leak site from DarkOwl Vision

Insurance companies can also appear in other types of data leaks, where information relating to the insurance provider is exposed alongside the leaked data. This can include email addresses, locations, passwords, and names of employees.

The leak of etenders.gov.za, a South African government service which documents tenders for government initiatives, included information relating to insurance providers, including their telephone numbers and email addresses.

Figure 6: etenders.gov.za leak

Data purported to be from Farm Bureau Insurance – Tennessee was posted on the Telegram channel BF Repo V3 Files, a backup repository for data leaks from BreachForums, on January 20, 2024. Data exposed included full names, email addresses, physical addresses, phone numbers, vehicle information, and dates of birth. The leak appeared to include customer information and the cars that had been insured and the broker.

Figure 7: fbitn.com data leak

The naz.api list is reported to be one of the largest credential stuffing lists released and was originally posted on September 9, 2023 on the well-known dark web forum BreachForums. According to that post, the database was created by extracting data from stealer logs, and contains over 1 billion unique records of logins and passwords saved in users’ browsers. Infostealer logs are files produced when a trojan installed on a system collects information from the infected system.

Searching through this data, almost 700 results were identified which included the statefarm.com domain, indicating that these records likely belong to employees of StateFarm. The data included the websites that the addresses had visited as well as the password associated with each account. These types of leaks could give threat actors access to accounts which may lead to a network intrusion, and highlight why it is so important for organizations and individuals to practice good password hygiene.
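The domain search described above, as an added example that is not DarkOwl’s code: it parses constructed records in the `url:login:password` layout that stealer-log compilations are commonly distributed in, separates hits where the watched domain is the employee’s login domain from hits where it is merely the website visited (customer accounts on the insurer’s own site), and flags logins whose password recurs across different sites, which is the credential-stuffing risk the paragraph warns about. The domain `insurer.example` and all records are invented placeholders.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample lines (not from any real leak) in the common
# "url:login:password" layout. The URL may carry a port and the password
# may itself contain colons, which is why naive split(":") is not enough.
SAMPLE_LINES = """
https://vpn.insurer.example/remote/login:j.doe@insurer.example:Winter2023!
https://mail.google.com/:j.doe@insurer.example:Winter2023!
https://www.insurer.example/account:customer42@gmail.com:hunter2
https://portal.partner.example:8443/sso:m.smith@claims.insurer.example:Pa:ss:word
https://shop.example.com/login:someone@example.org:letmein
not a parseable line
""".strip().splitlines()

# URL = scheme://host[:port][path]; login has no colon; password is the rest.
LINE_RE = re.compile(
    r"^(?P<url>\S+?://[^:\s]+(?::\d+)?[^:\s]*):(?P<login>[^:\s]+):(?P<password>.*)$"
)


@dataclass(frozen=True)
class Record:
    url: str
    login: str
    password: str


def parse_line(line):
    """Parse one stealer-log line, or return None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Record(m["url"], m["login"], m["password"])


def _host_matches(host, domain):
    """True if host is the watched domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(record, watch_domains):
    """Return ("employee", domain) if the login address is on a watched domain,
    ("customer", domain) if only the visited site is, else None."""
    login_domain = record.login.rpartition("@")[2].lower()
    site_host = (urlsplit(record.url).hostname or "").lower()
    for domain in watch_domains:
        if _host_matches(login_domain, domain):
            return ("employee", domain)
    for domain in watch_domains:
        if _host_matches(site_host, domain):
            return ("customer", domain)
    return None


def triage(lines, watch_domains):
    """Bucket matching records and flag logins reusing one password on several hosts."""
    watch = [d.lower() for d in watch_domains]
    hits = {"employee": [], "customer": []}
    unparsed = 0
    hosts_per_credential = defaultdict(set)  # (login, password) -> hosts seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        verdict = classify(rec, watch)
        if verdict is None:
            continue
        kind, _domain = verdict
        hits[kind].append(rec)
        hosts_per_credential[(rec.login.lower(), rec.password)].add(
            urlsplit(rec.url).hostname
        )
    reused = sorted(
        login for (login, _pw), hosts in hosts_per_credential.items() if len(hosts) > 1
    )
    # A real report should mask the password field before it leaves this function.
    return {
        "employee": hits["employee"],
        "customer": hits["customer"],
        "reused_passwords": reused,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LINES, ["insurer.example"])
    print(len(result["employee"]), "employee credentials,",
          len(result["customer"]), "customer logins,",
          result["reused_passwords"], "reuse password across sites")
```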

It would be remiss to review insurance on the darknet and not touch on insurance fraud. Although we do not always see the direct activity of fraud, we do see guides and tutorials being offered as well as documentation being sold that can assist an individual in conducting insurance fraud.

Figure 8: Guide for sale on the dark web

Posts on Telegram offer insurance documents for sale, likely to be used to conduct fraud operations.

Figure 9: Telegram channel Skimming Central

Other actors claim they are able to produce car insurance documents so that individuals do not need to insure their cars.

Figure 10: Post on Telegram channel Bazaar Lounge

A post on the dark web marketplace nifheim.world offers insurance documents as well as other counterfeit documents.

Figure 11: Post on Nifheim.world

Although cyber security insurance is an ever-growing business, adopted to protect organizations from the financial and reputational damage a cyberattack can cause, insurance companies themselves are not immune from the threat of cyber attacks. Whether it be data leaks, ransomware attacks, or the continued threat of insurance fraud, insurance companies too need to be vigilant to the threat of attacks to ensure they protect themselves and their customers. As insurance covers large swaths of our lives, from our vehicles, houses and sentimental items to our health, insurers hold sensitive information on their customers, and it is therefore imperative that this data is secured.


Curious how DarkOwl can help? Contact Us.

Cybercriminal Arrests and Disruptions: 2023 Look Back

April 23, 2024

Although cyber actors continue to successfully target victims globally, extorting and fraudulently obtaining large sums of money, law enforcement is becoming increasingly adept at capturing these cybercriminals and holding them to justice.

Throughout 2023 there were a number of notable arrests and prosecutions. In this blog, DarkOwl analysts summarize what are arguably the biggest law enforcement actions of 2023 globally.

In March 2023, an individual named Conor Fitzpatrick was arrested by the FBI in upstate New York. He was accused of being the administrator of popular dark web forum BreachForums.

Fitzpatrick was charged with hacking, wire fraud, and possession of child abuse imagery. He admitted to the majority of these offenses upon his arrest and was facing up to 40 years in prison. In January 2024, he was sentenced to 20 years’ supervised release. Fitzpatrick will have no access to the internet for the first year of his home confinement and must register with state sex offender registries.

Prosecutors said the following:

“By creating a platform for hackers and fraudsters to connect and conduct business, the defendant made it possible for BreachForums members to commit exponentially more crimes and more sophisticated crimes than any could have done alone.”

However, soon after Fitzpatrick’s arrest, BreachForums was back up, being run by his reported partner Baphomet. It remains to be seen how this will continue.

In January 2023, the FBI announced they had successfully disrupted the Hive ransomware group, which had targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure.

Since 2022, the FBI had successfully infiltrated the servers of the group and was able to provide decryption keys to their victims. This led to them, in partnership with European partners, successfully seizing the infrastructure used by the group. Unlike disruptions attempted by law enforcement later in 2023 and into 2024, this appeared to genuinely disrupt the group.

In December 2023, French authorities arrested a Russian national in Paris for allegedly helping the Hive ransomware gang with laundering their victims’ ransom payments. They also seized €570,000 worth of cryptocurrency. This highlights that even after infrastructure is seized, authorities globally will continue to hunt the individuals perpetrating the crimes.

Kulkov was identified as the mastermind behind the Try2Check credit card checking operation. In May 2023, the DOJ unsealed an indictment charging Kulkov with access device fraud, computer intrusion, and money laundering in connection with his operation of Try2Check, the primary service offering “card-checking” to cybercriminals in the stolen credit card trade. Kulkov reportedly earned over $18 million from the scheme.

According to the DOJ:

“The Try2Check platform catered to cybercriminals who purchased and sold stolen credit card numbers in bulk on the Internet, offering criminals the ability to quickly determine what percentage of the cards were valid and active. As such, Try2Check was a primary enabler of the trade in stolen credit card information, processing at least tens of millions of card numbers every year.”

Despite being wanted by the U.S. Secret Service, he remains in Russia, beyond U.S. authorities’ reach.

In April 2023, Interpol’s Africa Cyber Surge II operation led to the arrest of multiple individuals and the seizure of assets worth millions across Africa. These operations targeted groups involved in various cyber crimes including business email compromise (BEC), romance scams, and credit card fraud. They were also able to seize or take down infrastructure linked to the groups’ operations.

The operation led to the following:

  • Cameroon: 3 suspects arrested for an $850,000 online art scam.
  • Nigeria: 1 individual arrested for defrauding a Gambian victim.
  • Mauritius: 2 money mules arrested linked to messaging platform scams.
  • Gambia: 185 malicious IPs taken down through proactive measures and partnerships.
  • Cameroon: 2 darknet sites shut down by authorities.
  • Kenya: 615 malware hosters taken down by authorities.

In October 2023, Europol announced that it had disrupted the infrastructure associated with the Ragnar Locker ransomware group. In addition, French authorities arrested a key individual linked to the gang, who was said to be a central developer. Further individuals were also interviewed in Spain and Latvia. Two suspects associated with the ransomware crew were previously arrested in Ukraine in 2021. A year later, another member was apprehended in Canada.

This highlights that the most effective way to take down a ransomware group is not just to seize the infrastructure but also arrest the individuals behind it.

In February 2023, the FBI announced that it had dismantled the Warzone RAT operation, arresting two individuals associated with the malware – in Nigeria and Malta. They also indicated that they had seized multiple domains.

The Warzone RAT malware was a Remote Access Trojan (RAT) which enabled cybercriminals to browse victims’ file systems, take screenshots, record keystrokes, steal victims’ usernames and passwords, and watch victims through their web cameras, without their knowledge or permission.

In May 2023, the FBI spearheaded 288 arrests across multiple countries, taking down the dark web Monopoly marketplace responsible for selling drugs. It was reported to be the largest international operation against darknet trafficking of fentanyl and opioids. The operation also seized 117 firearms, 850 kilograms of drugs that include 64 kilograms of fentanyl or fentanyl-laced narcotics, and $53.4 million in cash and virtual currencies.

In August 2023, two teenagers in the United Kingdom were found guilty of conducting cyberattacks against Uber, Nvidia, Rockstar Games, and Okta, among others, as part of the criminal gang Lapsus$. Arion Kurtaj, an 18-year-old from the UK, was sentenced to indefinite detention in a hospital.

As well as hacking major companies, he was also accused of blackmailing employees and causing millions worth of damage to the companies that he targeted. He also leaked data that he had stolen from them. Another individual was also found guilty of similar charges but could not be named due to his age. This case highlighted the difficulty of prosecuting young individuals who perpetrate hacking crimes because of their juvenile status.

Only some of the law enforcement actions that took place in 2023 are described in this blog. Law enforcement is becoming more and more successful in its operations against cybercriminals, both in terms of arrests and seizure of infrastructure, including on the dark web.

However, events this year (2024) have already shown that some law enforcement action is not enough to take down groups, particularly ransomware groups. Notable activity against BlackCat/ALPHV and LockBit has been shown to take the groups out for only a matter of days when no arrests take place. BlackCat are reported to have recently conducted an exit scam after a high-profile ransom was paid, and LockBit seem intent on revenge after their recent skirmish with the law.

It is unlikely that law enforcement will be able to eradicate cybercrime, and the game of whack-a-mole will continue. However, the events of 2023 show that law enforcement bodies globally are taking action and standing up to the criminals, creating dire consequences for some, which will hopefully deter future threat actors.


Interested in learning how DarkOwl can help with your darknet use case? Contact us!

Cracking the Code: Exploring the Sophistication of CAPTCHAs

April 18, 2024

The darknet has long been a place for criminal actors to operate with the hope of anonymity – they utilize forums to discuss nefarious and extremist activities, use marketplaces to buy and sell illicit goods, and more. In efforts to stop security researchers and law enforcement from accessing and scraping information from these sites, threat actors are using increasingly sophisticated methods. In this blog, we explore some of the more complex CAPTCHAs we have seen threat actors using on darknet sites. Could you solve them?

A CAPTCHA is a type of challenge-response test used in computing to determine whether the user is human. This is done in order to deter bots and spam from accessing certain portions of online content. The acronym loosely comes from the phrase “Completely Automated Public Turing test to tell Computers and Humans Apart.”

The tool was developed by two groups working in tandem in the late 90s and was put to the task of protecting sites soon after. The first form required a user to enter a sequence of letters and numbers in a distorted image. Since then, comparable tools like Cloudflare and others have been employed for similar reasons, and CAPTCHAs have continued to develop and become more complex. Google’s reCAPTCHA and the independent hCaptcha have emerged as the most commonly used tools to ensure that the person on the other end of the browser is human.  

The black markets and community platforms on the darknet have developed a lot of different versions of these CAPTCHAs, which are also sometimes known as “Turing Tests” and have become pretty ingenious with their various methods of preventing automated traffic on their sites.  

Some of the puzzles are colorful, funny or intentionally misleading, and have definitely become a way that the various markets and darknet operators express themselves; but not all are created equally. Some require logic, needing a human to parse out directions in the text, while others are simple. Typically, the more advanced the CAPTCHA, the more involved the other protocols of a darknet market or forum will be. Oftentimes, they are also multi-layered, using the usual method of geometric or graphical interfaces to confuse a would-be bot attacker alongside text and other information that explains what to do. Over time, when the CAPTCHA fails to do its job, it is improved, upgraded and redeployed to prevent their sites from getting crawled.

Of course, not all sites on the darknet are in English. There are many sites which represent countries across the globe, and many of the CAPTCHAs function in the native languages of the market. An emerging trend around the darknet is CAPTCHAs intentionally implemented in different languages so that the user must manually adjust to be able to access what’s on the other side.

In the following section, we explore some of the more interesting CAPTCHAs frequently found on the darknet. 

The below image from the Russian market, OMG!OMG!, requires the user to input the characters shown in the box, in the traditional way that CAPTCHAs have operated. However, this site is Russian and it therefore requires you to input your response in Cyrillic characters. If the user is not a Russian native or resident, this will require them to change their keyboard settings or copy their input from a Cyrillic character tool.

The following CAPTCHA asks the “human” to pick the odd one out. It shows various images on a confusing background. In this case, the plant would be the odd one out as all the others are animals. This appeared on the site RuTOR. 

The marketplace Kerberos requires you to complete two puzzles. One asks you to identify what is in the image from a selection of answers in a drop-down menu; to make this more difficult, the pixels in the image constantly change. The other asks you to select the correct characters from a phrase, again using a drop-down menu. You have to complete this in a given amount of time, otherwise the CAPTCHA will expire and you will have to start over again.

The below CAPTCHA from the seized and now-defunct Kingdom Marketplace asks you to fill in the characters in the image, but it also highlights the characters that should appear in the URL to ensure that you are not on a scam site and that you are not being phished.

Another methodology that has been adopted by darknet operators is asking you to fill in the characters, but it will highlight which character to enter based on the box that you are filling in – meaning that the characters are not sequential as shown in the image below.

Another example is shown below where the circle will move to different characters as you enter in more. In some cases, you are able to correct your work, other times you have to reload the CAPTCHA, but these more interactive versions are fairly commonplace among the various dark web sites, many of which are tailored versions of each other. 

The below image shows an example of a CAPTCHA that requires you to solve a math problem in order to be admitted into the site. More and more sites are using sometimes quite complex math problems to make it more difficult for bots to enter the site.  

Others focus more on images, asking you to identify which image is missing. In the below image, in order to enter the site you have to figure out which hieroglyph is missing.

Another, from AlphaBay, will test how good you are at telling the time, but complicates the task by adding shapes to the clock face that make it very difficult to see the accurate time. You are also only given 1 minute to complete the test before it will reset.  
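The two mechanics described above, non-sequential character prompts and a one-minute expiry, written out as a server-side challenge-response flow. This is an added illustration, not code from any darknet site or from DarkOwl: the server issues a code (the image rendering is out of scope), asks for the characters at a shuffled set of positions, and hands the client a self-describing token that carries an HMAC over the nonce, expiry, positions and expected answer, so no answer store is needed. The secret key, clock injection and attempt limit are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Alphabet without 0/O and 1/I so the rendered image stays unambiguous.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


@dataclass
class Challenge:
    code: str        # what the image would show
    positions: list  # 1-based positions the user must type, in the order asked
    token: str       # opaque token the client returns together with its answer


class Captcha:
    def __init__(self, secret, ttl_seconds=60, code_len=8, asked=4,
                 max_attempts=3, now=time.time):
        self.secret = secret            # server-side HMAC key (constructed here)
        self.ttl = ttl_seconds          # AlphaBay-style one-minute window by default
        self.code_len = code_len
        self.asked = asked
        self.max_attempts = max_attempts
        self.now = now                  # injectable clock so expiry can be tested
        self._used = set()              # nonces already redeemed (replay guard)
        self._attempts = {}             # nonce -> failed/total verification attempts

    def _mac(self, nonce, expires, positions, answer):
        msg = json.dumps([nonce, expires, positions, answer.upper()],
                         separators=(",", ":")).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def new_challenge(self):
        code = "".join(secrets.choice(ALPHABET) for _ in range(self.code_len))
        # Random, unordered positions: the user fills boxes 5, 2, 8, 3 rather than 1..4.
        positions = secrets.SystemRandom().sample(range(1, self.code_len + 1), self.asked)
        nonce = secrets.token_hex(8)
        expires = int(self.now()) + self.ttl
        answer = "".join(code[p - 1] for p in positions)
        tag = self._mac(nonce, expires, positions, answer)
        payload = json.dumps({"n": nonce, "e": expires, "p": positions, "t": tag})
        token = base64.urlsafe_b64encode(payload.encode()).decode()
        return Challenge(code, positions, token)

    @staticmethod
    def answer_for(challenge):
        """What a human reading the image would type (used by tests/demo only)."""
        return "".join(challenge.code[p - 1] for p in challenge.positions)

    def verify(self, token, answer):
        try:
            payload = json.loads(base64.urlsafe_b64decode(token.encode()))
            nonce, expires = payload["n"], int(payload["e"])
            positions, tag = list(payload["p"]), payload["t"]
        except (ValueError, KeyError, TypeError):
            return False
        if self.now() > expires:            # expired: the user must reload
            return False
        attempts = self._attempts.get(nonce, 0)
        if nonce in self._used or attempts >= self.max_attempts:
            return False                    # replayed or locked out
        self._attempts[nonce] = attempts + 1
        if len(answer) != len(positions):
            return False
        expected = self._mac(nonce, expires, positions, answer)
        ok = hmac.compare_digest(expected, tag)
        if ok:
            self._used.add(nonce)           # each challenge is single-use
        return ok


if __name__ == "__main__":
    captcha = Captcha(b"constructed-demo-secret")
    ch = captcha.new_challenge()
    print("image shows:", ch.code, "| enter positions:", ch.positions)
    print("correct answer accepted:", captcha.verify(ch.token, Captcha.answer_for(ch)))
    print("same token again accepted:", captcha.verify(ch.token, Captcha.answer_for(ch)))
```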

In this blog, we have shown you the wide range of CAPTCHAs that are used across darknet sites to protect them. CAPTCHAs are used to ensure that bots are not entering a site, usually for the purposes of crawling the site, flooding it for malicious purposes, or securing access, such as with ticket purchasing bots. They are widely utilized on the dark web not only to protect the sites from DDoS (distributed denial-of-service) attacks but also to protect the users and the information on those sites from security researchers and law enforcement. This can make it particularly difficult for some users to access the darknet.

The team at DarkOwl routinely deals with these CAPTCHAs and are able to access the dark web in order to assist those who seek to protect their information and bring an end to online criminal activity.  


Learn more about how DarkOwl’s expertise in the darknet can help your organization. Contact Us.

DarkOwl Returns to The International Cybersecurity Forum

April 16, 2023

At the end of March, DarkOwl participated in FIC, The International Cybersecurity Forum, in Lille, France for the second year in a row.

Now in its 16th year, FIC proudly asserts itself as the preeminent gathering in the realm of digital security and trust. Positioned as a cornerstone event in the European cybersecurity landscape, FIC distinguishes itself by fostering an inclusive environment that unites every facet of the cybersecurity ecosystem. From end consumers to service providers, law enforcement agencies to academic institutions and consultants, FIC’s scope encompasses them all.

With a dual mission, FIC addresses the operational hurdles of cybersecurity while also championing the development of a digital future aligned with European values and interests. This holistic approach ensures that attendees and sponsors gain comprehensive insights into the state of cybersecurity in Europe and have the opportunity to glean knowledge from industry luminaries.

At FIC, the over 20,000 attendees have unparalleled access to both end-users and providers of solutions and services, facilitating discussions on both tactical challenges and strategic imperatives in cybersecurity.

“Ready for AI?”

The theme of FIC 2023, was “Ready for AI?”. According to a recent report by Forbes, the artificial intelligence (AI) market is projected to reach $407 billion by 2027 and 64% of businesses expect AI to increase overall productivity.

To build relationships and trust, and share the value and essential need of darknet data for any cybersecurity posture, David Alley, CEO of DarkOwl FZE based in Dubai and Magnus Svärd, Director of Strategic Partnerships, based out of DarkOwl’s headquarters in Denver, CO, represented DarkOwl at FIC.

In addition to networking and conversations at the booth, top minds of the space had the platform to share thought leadership, innovations and the latest in the cyber security space. Speakers were present from all across Europe and the world: France, Switzerland, Luxembourg, Belgium, the United States, Netherlands, Germany, Spain, Canada, Singapore, Poland, Norway, Romania, Mexico, South Africa, China, Thailand, and more. Topics ranged from industrial infrastructure cybersecurity, quantum-resistant cryptography, identity security, international cybersecurity law, AI and counterterrorism, digital crime, social engineering, cybercrime trends, and trust and safety in the cloud, to many more. Many of the presentations throughout the three days were not just thought leadership, but also practical presentations – showing the “how to.”

David and Magnus both expressed that they experienced “non-stop traffic” and kept busy on the show floor throughout the event meeting new prospects, showcasing our industry leading darknet platform, Vision UI, and meeting with several current clients and partners. With many current clients present, the DarkOwl team was able to spend time understanding how we can best optimize and elevate our current partnerships and how we can continue to provide the most value as their darknet data provider, focusing on continuing to build up our customer relationships and building trust. The DarkOwl team is confident there will be many follow ups and successful connections coming from our participation at FIC and looks forward to attending The International Cybersecurity Forum in 2025.


DarkOwl looks forward to continuing their presence at several international events in the future. You can see what conferences we will be attending coming up and request time to chat with us here.

Tax Season Alert: How Cybercriminals Target Your Taxes and What You Can Do About It

April 15, 2024

As the tax deadline fast approaches, it is important for us all to be aware of the risks that are posed to us by cyber criminals at this time of year. Whether it be identity theft from tax forms, targeting of tax filing providers, or fraudulent returns, there are a number of ways that the tax system can be exploited for criminal financial gain.  

As we do each year, DarkOwl analysts have reviewed the activity of cyber criminals on the dark web and dark web adjacent sites and messaging platforms to highlight some of the activities cyber criminals are participating in.  

Fraudsters on the dark web will sell step-by-step guides on how to conduct specific types of identity fraud. The below advertisement from Telegram is soliciting users to contact an individual to buy a tax refund methodology that allegedly bypasses the ID.ME facial recognition verification method that has recently been implemented by the IRS as a fraud prevention measure.

DarkOwl analysts have also noted several instances where the technology vendor, ID.ME, has been targeted on stealer log marketplace websites like 2Easy or Russian Market, which may allow threat actors to access accounts of users for fraudulent purposes, as stealer logs usually contain usernames, passwords and session cookies.  

Another Telegram post claims to provide buyers with a guide to obtaining a Federal Tax refund, offering advice on what bank account you should cash out to and what method to use. They claim that a refund will be guaranteed.

ID.ME is commonly targeted across the darknet. DarkOwl analysts have observed fraudsters selling phishing admin panels for sites like ID.ME, PayPal, and USPS on Telegram as well, meaning that they are able to collect the data of unsuspecting victims who believe they are adding their credentials to a legitimate site. Access to these accounts could mean that a threat actor is able to steal someone’s identity whether that be for tax fraud or other types of financial fraud.  

DarkOwl analysts identified threat actors on the popular carding forum 2crd, including an actor advertising counterfeit identification documents whose listing also included tax return information and common tax forms which could be used to impersonate an individual. It is unclear if these documents are fraudulent in nature or had been stolen from a legitimate owner.

Similar postings were found on another site, ProCRD, offering W2 forms with a 1040 and full info. These documents are being sold for as little as $10. These appear to be sold as part of Fullz, which is a term used by dark web actors to indicate they have the full information for an individual – this usually includes financial information and identity details to be used to conduct identity fraud or financial crime.  

A post on a Telegram channel claimed to have W2 forms, tax returns, and pay stubs for sale as well as credit card numbers, Social Security numbers and other sensitive personal information used to conduct fraud. DarkOwl analysts note this advertisement relates to an automated Telegram bot through which one can purchase these illicit items. Telegram bots are an effective way to sell illicit items on Telegram because they maintain a certain level of anonymity between the seller and end user.

Another Telegram advertisement was identified which sells similar products, but notes all of the sensitive documents being sold are from other countries like the UAE and European countries. This highlights that it is not just the US that is subject to this type of fraud. 

A third similar example from Telegram is shown below. It is important to note, as shown in all of these examples that tax forms are typically sold with other identity fraud products like fullz, credit card numbers, etc. This allows the fraudsters to be more convincing in their fraudulent activities as they have more information which makes them appear legitimate.  

The tax fraud community on Telegram is considerable; a search across DarkOwl’s dark web collection for the mention of “tax refund” on Telegram resulted in nearly 100,000 hits. However, Telegram fraudsters will typically also advertise across the darknet and deep web, from sites like Royal or Russian Market to ProCRD or WWH Club, often moving to private messaging on Telegram for security.

Telegram is a major medium/vehicle for all types of identity fraud in 2024 because the platform allows for increased security, anonymity (between sellers and end users), as well as more efficient transactions through automated chat bots, rather than processing transactions directly on a .onion site. DarkOwl analysts therefore identify a large amount of this activity on Telegram, but also see it cross over from other dark web sites, highlighting that similar communities are active on both.

Many individuals will use services in order to file their taxes, as it often removes some of the stress associated with tax season, and hopefully ensures that you maximize your return. However, these organizations are also targeted at this time of year.  

A review of stealer logs collected by DarkOwl highlighted several instances in the last several months where credentials for these organizations were stolen, allowing actors to access sensitive information and conduct fraudulent filings.

There are also Telegram channels which offer buyers the chance to obtain tax refunds through TurboTax. 

Ransomware attacks continue to be prevalent in 2024, with many companies subject to attack. One group, PLAY, like many other groups, posts their victims’ details on their leak site, as well as details about what information they have relating to them.

In almost all of the posts relating to their victims the group claim to have information relating to taxes, likely both the company taxes as well as employees’ details. Some of them also claim to have evidence of tax evasion.  

If/when these details are released by the ransomware group that information can be used by other threat actors to conduct other types of fraud. 

Tax season is just another opportunity that can be used by threat actors to commit fraud against individuals and companies. However, financial fraud can be committed at any time of the year, and it is important to protect your personal information by practicing good cyber hygiene: do not reuse passwords, and be vigilant to phishing and malvertising campaigns.


Learn more about how DarkOwl can help your organization detect and investigate fraud by contacting us here.

Copyright © 2024 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.