Author: DarkOwl Content Team

Mastering the Art of Deception: Social Engineering Trends

September 19, 2024

In the ever-evolving realm of cybersecurity, social engineering stands out as a particularly cunning adversary. As we enter the last quarter of 2024, the methods used by cybercriminals (Threat Actors) are becoming increasingly sophisticated, blending technology, AI, and psychology in ways that can catch even the most discerning individuals off guard. This year, the tactics of social engineering are not just evolving—they’re advancing at an unprecedented pace. Black Hat USA 2024 & DEF CON 32 explored many of the latest trends in social engineering, uncovering the new strategies and technologies that are shaping the future of these deceptive practices. Understanding these trends is crucial for staying ahead of the curve and protecting yourself and your company in a digital landscape that’s more complex than ever.

It should come as no surprise that many of the emerging trends in social engineering center around the use of AI. This intersection of social engineering and artificial intelligence is particularly dynamic. At DEF CON 32, one of the highlights was the John Henry Competition: Humans vs. AI, where the evolving capabilities of these technologies were put to the test. DarkOwl had the opportunity to witness this intriguing contest firsthand.

The human team featured the renowned “Human Hacker” Snow and her co-founder of the Social Engineering Community Village, JC, both of whom brought their profound intuition, creativity, and understanding of human behavior to the challenge. In contrast, the AI team, consisting of Lisa Flynn (Human Systems Engineer & AI Researcher) and Perry Carpenter (Author & Cyber Evangelist), demonstrated the formidable precision and efficiency of advanced algorithms. Throughout the competition, both teams showcased their vishing tactics through live calls to companies.

The AI team presented cutting-edge techniques in voice modification, including both traditional robotic tones and more sophisticated, human-like audio, such as that produced by deep fakes. They also illustrated how AI models could adapt and evolve, learning from previous calls to refine their approach. Despite the impressive performance of the AI team, the human team narrowly secured victory, highlighting the enduring strength of human intuition in the face of rapidly advancing technology.

When discussing social engineering and AI, it’s crucial to recognize not just how AI can be used for malicious purposes but also how AI systems themselves can fall victim to social engineering. This is particularly relevant in the context of large language models (LLMs) like ChatGPT. While these models are designed with safeguards to prevent them from assisting in illegal activities, including hacking, they are not impervious to social engineering campaigns.

At DEF CON 32, Jayson E. Street, a renowned speaker, author, and Simulated Adversary featured in National Geographic’s Breakthrough Series and Rolling Stone Magazine, delivered a compelling presentation that captivated the audience. Street, who was named one of Time’s Persons of the Year in 2006, demonstrated how LLMs can be manipulated through social engineering techniques. His talk, which drew an overflow crowd, showcased how LLMs, despite their advanced programming, can still be susceptible to Layer 8 attacks—an informal term for cybersecurity attacks aimed at human operators.

Street’s demonstration revealed that, because LLMs are ultimately built and influenced by human inputs, they can be tricked into providing information or instructions that could be used for unethical purposes. By employing sophisticated social engineering tactics, Street successfully coerced multiple LLMs into revealing codes and procedures for hacking various devices, networks, and systems. This eye-opening presentation underscored the vulnerabilities inherent in even the most advanced AI systems and highlighted the ongoing need for vigilance and robust security measures in the face of evolving threats.

Social media has become a double-edged sword in the realm of cybersecurity. While it connects people, facilitates communication and can be used for marketing, it also serves as a rich resource for social engineers seeking to exploit personal and organizational vulnerabilities.

One of the primary tactics used by social engineers is data harvesting. Cybercriminals meticulously collect personal information from social media profiles to craft highly targeted attacks. By analyzing the details shared on platforms such as Facebook, LinkedIn, and Instagram, they can tailor their schemes to exploit specific weaknesses, whether it’s in the form of phishing emails, vishing phone calls, or physical penetration.

Impersonation scams represent another significant threat. Social engineers often create fake profiles or hijack existing accounts to deceive individuals or organizations. These fraudulent accounts can be used to gain unauthorized access to sensitive information, manipulate key contacts, or spread malicious links. The deceptive nature of these impersonation tactics makes them particularly dangerous, as they exploit the inherent trust people place in their social networks.

Moreover, the influence of social media personalities can be harnessed for malicious purposes. Influencer manipulation involves exploiting the trust and reach that social media influencers command. By co-opting these figures, cybercriminals can leverage their established credibility to disseminate harmful content, promote phishing schemes, or even orchestrate more complex social engineering attacks. The vast reach of influencers amplifies the impact of these deceptive practices, making it crucial for both individuals and organizations to remain vigilant.

As social media continues to evolve, so too will the tactics of social engineers. Understanding and recognizing these strategies is essential for safeguarding personal and organizational information against increasingly sophisticated threats.

As social engineering tactics continue to evolve, cybercriminals are employing increasingly sophisticated methods to exploit human psychology and technological systems. Psychological manipulation techniques are at the forefront of these developments. Social engineers are leveraging urgency and fear tactics to compel quick responses from their targets. By creating time-sensitive threats or amplifying fear, they manipulate individuals into making hasty decisions without proper scrutiny.

Similarly, the use of social proof and authority figures has become more prevalent. Attackers often pose as trusted figures or leverage perceived authority to gain compliance and manipulate their targets. Emotional appeals are another powerful tool, with attackers crafting messages designed to evoke strong emotions such as sympathy or excitement. These emotional triggers can cloud judgment and make individuals more susceptible to deception.

In response to these growing threats, regulatory and legal frameworks are adapting. New legislation is being introduced to address the challenges posed by social engineering attacks. These emerging laws aim to create a more robust legal foundation for combating such threats and ensuring better protection for individuals and organizations. Compliance requirements are also evolving, necessitating that organizations adjust their cybersecurity practices to meet new standards. This often involves implementing more stringent security measures and training programs. Global cooperation has become a vital component of these efforts, with countries and organizations working together to share information, best practices, and strategies to combat social engineering on an international scale.

Another significant trend is the rise of hybrid attacks, where attackers combine multiple channels and platforms to enhance their effectiveness. By integrating email, phone, and social media attacks, cybercriminals create more complex and convincing schemes. Cross-platform exploits are particularly concerning, as they involve coordinating attacks across different communication platforms and devices, increasing the likelihood of success. Contextual attacks further heighten the danger by utilizing specific, context-relevant information—such as recent events or personal milestones—to make the attack appear more credible and targeted.

Additionally, recent insights from Black Hat and KnowBe4 have identified several noteworthy trends in social engineering:

  • Consent Phishing: This tactic is on the rise, with attackers tricking individuals into unknowingly granting permission for malicious activities.
  • Business Email Compromise: Cybercriminals are increasingly targeting business email systems to execute fraudulent schemes and gain unauthorized access.
  • Deepfakes: The use of deepfakes creates deeper challenges by fabricating realistic but false content that can mislead and deceive.
  • Nation-State Attackers: Nation-state actors are incorporating social engineering into their arsenal, adding a layer of complexity to their attacks.
  • Phishing-as-a-Service: This rapidly growing market offers tools and services that enable even less technically skilled attackers to launch phishing campaigns.

Understanding these evolving tactics is crucial for staying ahead of potential threats. By recognizing the sophisticated methods employed by cybercriminals, individuals and organizations can better fortify their defenses and respond more effectively to emerging social engineering challenges.

As we navigate the final stretch of 2024, it’s clear that social engineering is not just a challenge for today but a growing concern for the future. The insights gained from DEF CON 32 and other sources highlight how cybercriminals are leveraging advanced technologies and psychological tactics to craft increasingly sophisticated attacks. Staying informed about these emerging trends is not just a defensive measure—it’s a proactive strategy for safeguarding yourself and your organization in an ever-complex digital world. By understanding and anticipating these evolving tactics, you can better fortify your defenses and remain one step ahead of those who seek to exploit vulnerabilities. Remember, in the world of cybersecurity, knowledge truly is power. Stay vigilant, stay informed, and stay secure.



Navigating the Dark Waters of Leaks and Breaches: The Hidden Challenges of Data Collection

September 17, 2024

It seems like every day a new report is released detailing that data has been leaked from an organization. There are very few individuals in the world who do not have some personal data that has been released in a data leak. It is a global problem, and the data leaked can have serious ramifications for the individuals or organizations that are exposed.

Therefore, it is important that we understand exactly what a leak is, what it means and what challenges there are around collecting them. Furthermore, we need to know what remediation action we should take when our data has been leaked, and understand exactly how our data has made it online and who it is available to. In this blog, we will explore these areas.

Although terms like “leak” and “breach” tend to be used interchangeably, they do mean different things, and the distinction reflects how the data was obtained. There are also several other terms that describe how a leak was obtained and what data it might include.

Leak 

A leak refers to the unintentional or accidental release or exposure of information. It can happen due to a variety of reasons, such as human error, poor security practices, or faulty software. The majority of the time, there is no malicious intent linked to the leak and the information is released in error.  

Examples of leaks include an organization leaving an FTP server open, or unintentionally releasing private information onto a website. It is not always the case that a malicious actor has identified and obtained this data, but that does often happen.

One recent example of a leak collected by DarkOwl is the leak of Trello data. Data purported to be from Trello was posted on BreachForums, a hacking forum, on July 16, 2024. According to the post, Trello had an open API endpoint that allowed unauthenticated users to map an email address to a Trello account. Data exposed includes email addresses, names, profile data, user identification numbers (UID), and usernames. According to the threat actor, the leak is from January 16, 2024, and contains 15,111,945 unique email addresses. The threat actor stated that the database is useful for doxing (to publicly name or publish private information (PII) about an unwitting target), noting that email addresses are matched to full names and aliases are matched to personal email addresses. 

Figure 1: Trello Leak on BreachForums 

Breach 

A breach is a deliberate, unauthorized intrusion into a system or network to access, steal, or manipulate data. It is usually carried out with malicious intent by hackers or cybercriminals. This information is then routinely sold or shared online for profit and financial gain. Hackers will often find vulnerabilities in an organization’s network and use these to exfiltrate data. This can range from simply obtaining a user’s credentials to deploying complex malware. Often the data that is leaked relates to customer data or employee credentials, although other data can also be taken.

A recent example of breach data obtained by DarkOwl is the National Public Data Breach. Data purported to be from National Public Data (NPD) was posted on BreachForums, once again, on August 6, 2024. According to the post by threat actor Fenice, the full NPD database was breached by SXUL. Data exposed includes full names, dates of birth, physical addresses, phone numbers, and Social Security Numbers.  

The National Public Data leak was first offered for sale by USDoD on BreachForums on April 7, 2024, for $3.5 million USD. The dataset is reported to have 2.9 billion rows and cover data from 2019-2024. USDoD continued to advertise the sale of this data through June 2024. On July 21, 2024, Alexa69 uploaded data from the National Public Data to BreachForums, indicating it came from USDoD’s leak.  

On August 12, 2024, National Public Data disclosed a data security incident believed to have involved a third-party bad actor who hacked into the data in late December 2023 and leaked data in April 2024 and July 2024. According to the company’s official statement, the breach contained names, email addresses, phone numbers, and mailing addresses.

Figure 2: NPD breach advert on BreachForums 

Insider 

An insider, in this context, is someone who is based within an organization and has access to information or systems and chooses to either release information or share access or assistance with others. There are many reasons that they might do this, but if they do not follow whistleblower protocols then this is an illegal act.

These types of leaks can be devastating due to the access that some employees have and the information that they are able to obtain. The data can be released in a variety of ways and is usually made freely available.  

Some of the most famous examples of insider leaks are that of Edward Snowden and Julian Assange, where US classified information was leaked by those individuals to journalists and via their own websites. A more recent example is that of Jack Teixeira, an airman first class of the Massachusetts Air National Guard, who photographed and leaked classified documents on a Discord server which were later shared on other social media networks.  

Figure 3: Image of classified data leaked on Discord 

Ransomware 

Traditionally, ransomware was the act of locking a company’s systems and data and demanding a payment to release that data. However, the modern concept of ransomware is not only locking access to the data but also exfiltrating it and extorting the company in order not to release the data online. This is known as the double extortion technique. Some groups now skip the locking step entirely and only exfiltrate and threaten to release the data.

Ransomware attacks are on the rise with companies of all sizes being possible targets. Most ransomware groups will host a leak site, or shame site, on the dark web where they will list their victims and threaten to release their data if they do not pay. They often provide details of the company, as well as images proving that they have access to the data.  

Unlike other leaks, ransomware leaks tend to be very large in size and contain a full dump of a company’s system. They can include very sensitive information, but often also include documents which provide no real information. Unlike some other leaks, this data is rarely curated, and security experts often have to trawl through this data to establish what exactly has been released and what threat that it poses. However, this should not diminish the huge risk and reputational damage that the release of ransomware leaks poses.  

Below is an example of a Ransomware leak site that DarkOwl collects from. 

Figure 4: Hunter Ransomware leak page 

Scrape 

A scrape is when an individual, usually a threat actor but sometimes a security researcher, scrapes data from publicly available websites and amalgamates it so that it appears to be a leak of data. The information contained in these is all publicly available and can be found using open-source techniques. However, grouping it all together can allow threat actors to use the information for nefarious means and reduce the amount of time that they need to spend researching their targets. It is always recommended that individuals share only necessary information online.

A recent example of a scraped data leak is the Yellow Pages leak. This was a consolidation of data from Yellow Pages, which is available online, released on the dark web. Other companies which have been victims of this kind of activity include LinkedIn.

Figure 5: Scraped Yellow Pages data available on BreachForums 

Combo 

A combo list is an amalgamation of data that has appeared in other leaks, although the source of the data is not always clear. A combo list traditionally consists of an email address and a password. As it is unclear where the data is from, the leak of this data usually poses a low threat and does not provide much actionable intelligence, although passwords should still be changed.  

However, recently, combo lists from stealer logs have started to be circulated that contain a URL, email address, and password. These pose a larger threat because the threat actor may be able to access the site for which the password has been leaked.

A recent combo list collected by DarkOwl is CHINA COMBOLIST, which was made available on Nulled, on July 26, 2024. According to the post, this data is from China. Data exposed includes email addresses and plaintext passwords. 

Figure 6: Combo list from China 

Although DarkOwl does collect combo lists, we do not prioritize them because the data has previously been released and they have limited value. Nonetheless, if an email address appears in a combo list, an increase in malicious cyber activity should be expected against the individuals represented in the leak as the information propagates to additional threat communities. There is also additional risk if the credentials were reused on other systems.

Stealer Logs 

A stealer is another word for an infostealer, or information stealer. A stealer is “a software-based program, typically malware, that is deployed on victim devices that when executed or downloaded is designed to take credentials, cookies, and sensitive information to take advantage of the victim financially, engage in fraud, and possibly identity theft.” After the stealer has covertly accessed stored information, it will transmit the data back to the cybercriminal.  

Threat actors will make the data stolen through stealer logs available both for free and for sale on both the darknet and Telegram. They will release information which includes URLs of sites visited, associated usernames or email addresses and passwords, as well as cookies. This data can also include details of the software installed on a machine, cryptocurrency wallets, gaming platforms and other data.

Data from stealer logs is generally fairly fresh and released soon after the data is stolen, which raises the risk that the passwords released are up to date and have not been changed. They can therefore pose a very high risk to the individuals and companies affected.

Figure 7: Sample of recent stealer log collected by DarkOwl 

Now that we have covered the different types of leaks that are made available, it is important to explore the ways in which these leaks are shared and where this information is available, as this can form part of the risk assessment of the threat posed by the release of the data. In this section the term “leak” will be used generically to cover all types of leaks listed above unless otherwise stated.  

For Sale 

Many leaks are made available for sale on dark web forums and marketplaces. The price depends on the data that the threat actor has stolen and the value that they think it will have.

It is illegal to purchase stolen data unless you are the original owner of the data! 

In some cases, after a period of time and once the seller has made enough money, the data may become freely available. In other cases, other threat actors who have been able to obtain the data will subsequently share it for free on the dark web. However, there are some leaks that never become available for free.

For Free 

Many threat actors will release data for free on forums and marketplaces. Sometimes they do this in order to increase their reputation in the community or because they do not think that there is much value in the data. If information is made available for free it is considered open-source data and can be collected.  

Ransomware 

If a company does not pay the ransom, ransomware groups will release the data, usually on their leak site, at the time they previously designated. They will make all of the files available for free on the site for others to download. These will likely be collected by security researchers and threat actors alike. The data in these leaks can be used for further attacks or to cause reputational damage.  

There are also some ransomware groups that will seek to make further money off of the data that they have stolen, and they will occasionally make the release of the data available to the highest bidder. This is especially true for high value targets.  

Subscriptions 

Some threat actors will offer subscriptions to the data that they have stolen; this is usually the case with actors who are operating stealer malware. As new logs come in each day, they will offer subscriptions to view this data. Subscriptions can be for varying periods of time, from a week to a month to a lifetime subscription.

Figure 8: Example of a TG channel offering a data subscription 

Reputation/Credits 

Although a threat actor may offer a leak for free, on certain sites you will only be able to access the download link if you use credits which you have earned on the site. Credits can be purchased or can be earned via reputation on a site, by making posts, sharing data, reacting to other posts, etc.

Figure 9: Example of required credits to release a leak 

Or not released… Nation-state actors

There are some leaks that never appear to be released. We know that they happened as the company affected reported the breach to their regulator as they are mandated to do in certain countries, but we never see the data shared on the dark web or in any other area. In most cases it is likely that this information was stolen by a nation-state actor who is using the data for their own intelligence needs. However, some actors may choose to keep the data to themselves for their own reasons.  

It is very important to collect leaks in order to understand what data a company has exposed and therefore what potential risk they have. This is also important on an individual basis as people can be subject to financial crime and identity theft. While threat actors will use this data to commit further crimes, security researchers use this data to protect organizations and companies. However, we all face similar challenges when dealing with this data.  

Volume 

The sheer number of leaks, breaches and other releases on a daily basis is a challenge in and of itself. It is hard to keep up with what has been posted on the various dark web sites, as well as on the personal websites of certain threat actors. Analysts have to trawl through this data on a daily basis to keep up and then make an assessment about what data is real, verified and will be useful to others. Some data released is much more actionable than others, and unfortunately a judgment sometimes needs to be made about what to prioritize. In an ideal world we would be able to mitigate all the risk posed, but this simply cannot be done for every single leak.

Availability 

Availability is also an issue. Often reports will appear in the media highlighting a leak, and people will want access to that leak. However, there can be a variety of reasons why it might not be available. The leak may not have been released. It may be available but only for sale. The data may have been confidentially shared with a third party, either by a threat actor or sometimes law enforcement, which means that it is not available to the wider security community.

Formats 

Because leaks can take many different forms, as described above, and come from a variety of different victims, the format that the data appears in can itself be a challenge. No two leaks are the same, and to make sure that you are extracting the most relevant and useful data it is often necessary to analyze and review the data and normalize it in order to understand what it contains. This can be a difficult process that takes time to achieve.
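The normalization step described here, applied to the combo-list and stealer-log formats covered earlier, as an added example written for this post (it is not DarkOwl’s code): it parses constructed sample lines in the email:password and URL:email:password shapes, handles the colons inside URLs that break naive splitting, and reports which accounts on a watched domain are exposed, flagging stealer-log entries and cross-site password reuse as the higher-risk cases. All sample lines, addresses and domains are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed demo lines, not a real leak. They mix the plain combo
# format (email:password), the stealer-log format (URL:email:password,
# sometimes '|'-separated) and one junk line that should be rejected.
SAMPLE_LINES = """\
# constructed demo data
alice@example.com:Summer2024!
https://mail.example.com/login:alice@example.com:Summer2024!
https://crm.example.com:bob@example.com:hunter2
carol@other.org:P@ssw0rd
not a credential line at all
https://vendor.net/portal|bob@example.com|hunter2
"""

# Good enough to reject obvious non-addresses; not a full RFC 5322 check.
EMAIL_RE = re.compile(r"^[^@\s:|]+@[^@\s:|]+\.[^@\s:|]+$")


@dataclass(frozen=True)
class Credential:
    email: str
    password: str
    url: Optional[str]  # None for plain combo-list entries

    @property
    def kind(self) -> str:
        # Entries that carry the site they were used on come from stealer
        # logs, which the post describes as the fresher, higher-risk source.
        return "stealer" if self.url else "combo"

    @property
    def domain(self) -> str:
        return self.email.rsplit("@", 1)[1]


def parse_line(line: str) -> Optional[Credential]:
    """Normalize one leak line into a Credential, or None if it does not parse."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    sep = "|" if "|" in line else ":"
    has_url = line.lower().startswith(("http://", "https://"))
    # The URL contains ':' and '/', so split from the RIGHT and take only
    # the last one or two fields; everything before them is the URL.
    # Limitation: a password containing the separator is still ambiguous.
    parts = line.rsplit(sep, 2 if has_url else 1)
    if len(parts) != (3 if has_url else 2):
        return None
    email, password = parts[-2].strip().lower(), parts[-1]
    if not EMAIL_RE.match(email) or not password:
        return None
    return Credential(email=email, password=password, url=parts[0] if has_url else None)


def mask(password: str) -> str:
    """Keep plaintext passwords out of reports; two characters is enough to tell entries apart."""
    return password[:2] + "*" * max(len(password) - 2, 0)


def exposure_report(text: str, watched_domains: Iterable[str]) -> dict:
    """Parse a leak dump and summarize exposure for the watched email domains."""
    watched = {d.lower() for d in watched_domains}
    parsed, unparsed = [], 0
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        cred = parse_line(raw)
        if cred is None:
            unparsed += 1
        else:
            parsed.append(cred)
    hits = [c for c in parsed if c.domain in watched]
    # Same email+password observed on more than one site in stealer data
    # means the credential is reused, so exposure spreads beyond one login.
    sites_by_cred = {}
    for c in hits:
        if c.kind == "stealer":
            sites_by_cred.setdefault((c.email, c.password), set()).add(c.url)
    return {
        "parsed": len(parsed),
        "unparsed": unparsed,
        "hits": len(hits),
        "by_kind": dict(Counter(c.kind for c in hits)),
        "high_risk": sorted({c.email for c in hits if c.kind == "stealer"}),
        "reused": sorted({e for (e, _), s in sites_by_cred.items() if len(s) > 1}),
        "entries": [(c.email, c.kind, c.url, mask(c.password)) for c in hits],
    }


if __name__ == "__main__":
    for key, value in exposure_report(SAMPLE_LINES, {"example.com"}).items():
        print(f"{key}: {value}")
```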

Size of data and the slowness of TOR 

Some leaks are very large, particularly those that come from ransomware attacks. This can pose issues in downloading the data, particularly if it is being shared via TOR. TOR is notoriously slow, and downloading large amounts of data over it is a challenge. It is not uncommon for downloading a ransomware leak to take weeks or months. However, threat actors do attempt to get around this challenge by providing download links on third-party file hosting providers or making the download available via torrent.

DarkOwl actively collects leaks which are freely available and makes these available to our customers to ensure they are able to monitor for any exposure that they might have. We seek to obtain leaks which contain data which is high value and is most likely to be used in ongoing attacks. We actively seek leaks which include PII and offer unique data which is not shared elsewhere.  

Furthermore, we seek to ensure that we collect leaks which are global in nature, not focusing on one geographical location. Every area of the world is at risk from data leaks, and we seek to make sure we can support the protection of as many areas as possible.

We also seek to collect, where possible, the leaks that are most important to our customers, and will pursue requested leaks wherever possible. This includes ongoing monitoring of our vast dark web data to identify, as soon as possible, if and when a leak is made available.

There are several steps that both companies and individuals can take in order to remediate the risk that is posed by data leaks. The following are examples of actions that can be taken.  

  • Freeze your credit report 
  • Create and maintain a strong password policy 
  • Use of password managers 
  • Active monitoring of exposure in leaks 
  • Be vigilant for social engineering and phishing attacks 
  • Change passwords if included in a breach, or on a regular basis 
  • Enable 2FA on all available accounts 
  • Limit the amount of personal data that you share online, including social media sites and other sources


Representing Darknet Data at the Intelligence and National Security Summit

September 12, 2024

Earlier this month, Alison Halland, Chief Business Officer of DarkOwl, attended AFCEA/INSA Intelligence and National Security Summit in National Harbor, MD.

Alison and Kathy Hoffman represented the DarkOwl team at the Intelligence and National Security Summit hosted by INSA and AFCEA for two busy days. The event describes itself as “the nation’s premiere conference for unclassified dialogue between U.S. Government intelligence agencies and their industry and academic partners,” and had over 2,100 attendees this year.

AFCEA International is a non-profit organization founded in 1946 that supports its members by offering a platform for the ethical exchange of information. It is committed to advancing knowledge by addressing topics of importance to its members in information technology, communications, and electronics, particularly within the defense, homeland security, and intelligence sectors. The Intelligence and National Security Alliance (INSA) is a nonpartisan, nonprofit organization dedicated to fostering public-private partnerships that advance intelligence and national security priorities. INSA focuses on identifying, developing, and promoting collaborative solutions to national security challenges. With over 160 member organizations, INSA benefits from active involvement by leaders and senior executives across the public, private, and academic sectors.

In addition to the exhibit hall, attendees could participate in a number of speaking sessions and breakout sessions. During the plenary sessions, top agency and military intelligence leaders discussed strategic intelligence challenges, military intelligence priorities, and the state of the community, and during the breakout sessions, senior executives, technology experts, and thought leaders explored some of the most pressing issues facing the community. Speakers included leaders from the Federal Bureau of Investigation, In-Q-Tel, the Defense Intelligence Agency, the Central Intelligence Agency, Defense Innovation Unit, US Navy, U.S. Space Force and many more. Topics included issues such as AI and emerging technologies, China and CI security, space acquisition, and more.

One of the common themes throughout the conference was the agreed-upon need for darknet data. What was once viewed as a “nice to have” is no longer. Government agencies and companies alike are on the same page that the data DarkOwl can provide is invaluable. Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline, with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds is key to the mission of obtaining proactive situational awareness for the protection of the nation’s security initiatives.

DarkOwl Vision UI provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity, making it the perfect tool for this audience to be able to dive into. Using our darknet search engine, investigators are able to collect intelligence without having to access the darknet directly, offering a layer of protection and improved case-building efficiency.

Our government applications span a wide range, encompassing the tracking of threat actors, criminal activities such as drugs and human trafficking, malware detection, monitoring hacking forums, and searching marketplaces for illegal or stolen credentials, personal identifiable information, and intellectual property. Utilizing DarkOwl Vision, our darknet search engine, investigators can gather intelligence on individuals or subjects of interest, extracting usernames, aliases, chatroom activities, and potentially incriminating information. This data is then employed to compile evidence and solve intricate crimes. Our passion, our focus, and our expertise is the darknet.

DarkOwl looks forward to attending the Intelligence and National Security Summit next year!


Interested in meeting with the DarkOwl team? See where we are around the world the rest of the year here.

Socialgist Partners with DarkOwl to Enhance Conversational Content Dataset

September 09, 2024

Empowering Your Business with Comprehensive Data Solutions

DarkOwl, a leading provider of darknet intelligence and insights, and Socialgist, a global leader in human-to-human conversational content indexing, today announced their strategic partnership aimed at creating the industry’s largest and most comprehensive database of darknet, social, and conversational content.

By combining access to DarkOwl’s leading darknet database with Socialgist’s vast social and conversational content, clients of both firms will gain deeper insights through broader access to live data sources. Because the darknet serves as a sanctuary for illicit activities, insight into its activities is essential for a comprehensive view of cyber risk and digital footprints. Social and conversational data provides near-real-time updates on global and local events, and is increasingly a haven for malicious actors as well. Combined, the data offers unique insights into hidden threats and illicit activities, and allows clients to gain a comprehensive view of digital risk.

Justin Wyman, Chief Revenue Officer of Socialgist, expressed his enthusiasm for the partnership, stating, “I’m thrilled to launch a partnership with DarkOwl as they are the leader in actionable darknet data. By combining our offerings, we will create the largest index of actionable social data content that will enable our clients to get the data they need seamlessly.”

DarkOwl’s CEO and Co-founder, Mark Turnage shared, “As threat actors move from the traditional darknet to darknet adjacent sites, like Telegram, and other social media chat platforms, it is essential to monitor these spaces for the latest threats to businesses. Our collaboration with Socialgist aligns with our mission to provide comprehensive dark web intelligence.”

The combined expertise of DarkOwl and Socialgist will offer clients a powerful and comprehensive data solution. This enables businesses to gain a holistic view of their digital landscape, identify emerging threats, and make data-driven decisions with confidence.

About Socialgist

Socialgist’s mission is to unlock the value of global, public, online conversation by being the premier provider of data access solutions for structured and unstructured content across the largest global social media, blogging, and consumer platforms. As online communities continue to grow and fragment, having access to a wide variety of conversations will be important for determining both mainstream and emerging insights. Through advanced data collection and integration services for 35+BN posts annually, Socialgist empowers companies to harness the potential of big data for market research, competitive intelligence, customer engagement, and innovation. For more information about how Socialgist is enabling companies to lead through data, visit https://socialgist.com/.

About DarkOwl

DarkOwl is the industry’s leading provider of darknet data. We offer the world’s largest commercially available database of information collected from the darknet. Using machine learning and human analysts, we automatically, continuously, and anonymously collect and index darknet, deep web, and high-risk surface net data. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. Customers are able to turn this data into a powerful tool to identify risk at scale and drive better decision making. For more information, contact DarkOwl.

What is a Brute Force Attack?

September 06, 2024

Cybersecurity might as well have its own language. There are so many acronyms, terms and sayings used by both cybersecurity professionals and threat actors that, unless you are deeply knowledgeable, have experience in the security field or have a keen interest, you may not know them. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients, and your employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bulletproof hosting, CVEs, and APIs. In this edition, let’s dive into brute force attacks.

Brute Force Attacks 101

A brute force attack is an attack in which the attacker tries all possible combinations (usually passwords) by trial and error until one matches the credential and entry is gained. The goal is usually to gain access and then steal sensitive, proprietary or corporate information. While brute force attacks are not a new method used by hackers and cybercriminals, they are on the rise: advancements in specialized and automated tools have made what was once a time-consuming method far more feasible against weak security systems.

According to recent reporting, brute force attacks increased by 74 percent between 2021 and 2022. Other recent reporting from Kaspersky maintains that the most common attack vector for all ransomware attacks continues to be via account takeover utilizing stolen or brute forced credentials. In addition, Verizon reports that over 80% of breaches caused by hacking involve brute force or the use of lost or stolen credentials.

There are several types of brute force attacks:

  • Simple Brute Force Attack: attackers try all possible combinations without any shortcuts until the correct one is found.
  • Dictionary Attack: attackers use a precompiled list of words and common passwords to guess the correct password.
  • Hybrid Attack: attackers combine dictionary attacks with brute force methods. It starts with a dictionary list and then tries variations, such as adding numbers or symbols to the words.
  • Reverse Brute Force Attacks: attackers start with a publicly known or leaked password and try it against multiple usernames.
  • Credential Stuffing: attackers test if historically exposed email addresses and password combinations are valid logins across multiple commercial websites.
  • Rainbow Table Attacks: attackers use precomputed tables of hash values for all possible passwords.

Last year, DarkOwl data scientists conducted a password analysis of all the passwords collected in DarkOwl Vision. 102,368,238 passwords followed a yyyy-mm-dd format, and a further 13,223 used yyyy/mm/dd. While including numbers and special characters is good practice for password hygiene, the prevalence of users who incorporate a date into their password means that threat actors will leverage this pattern when attempting to brute force accounts.

There are several password “cracking” tools readily available to hackers for conducting dictionary and brute force style password attacks. Some of the most popular tools include:

  • John the Ripper
  • Cain & Abel
  • OphCrack
  • THC Hydra
  • Hashcat
  • Brutus
  • RainbowCrack
  • CrackStation

Even the most sophisticated password crackers need significant processing power and time to break long, complex passwords. Unless an 8-character password includes numbers and symbols, it can potentially be brute forced. The table below shows the time needed to crack passwords of varying length and complexity.

Below are recent examples in the news of cyber groups reportedly using brute force attacks to hack accounts of individuals and organizations.

Ukraine arrests individuals who hijacked social media, email accounts

An organized crime group operating throughout Ukraine had three members arrested by the Cyber Police of Ukraine. The suspects used brute force to procure login credentials and then sold them on the dark web for profit. Computers, phones, and bank cards were seized from the residences of those arrested.

Brute-forcing is not a sophisticated method of operation, but it is effective. Multi-factor authentication is a solid security step to take towards reducing the effectiveness of brute-force operations. This incident also demonstrates how data from everyday activities, such as login credentials for social media, banking, online bill pay, and more, can be weaponized. Actors steal this information and then profit from selling it, endangering the personal accounts and digital hygiene of innocent people.

China’s “Earth Krahang” infiltrates organizations throughout 45 countries

Government organizations worldwide were the target of a two-year, Chinese state-sponsored campaign. Spear-phishing is employed to deploy backdoors while exposed internet-facing servers are also attacked, leading to a multi-pronged attack. The group uses open-source tools to build VPN servers and then brute-forces email accounts to procure passwords, focusing on compromised Outlook accounts.

Cisco cautions of increase in brute-force attacks targeting VPN, SSH services

Citing Tor exit nodes as the origin, Cisco issued a warning about broad attacks targeting Cisco VPNs, web services, and Mikrotik routers. The brute-force attempts use tunnels and proxies for anonymization. Patching is one of the simplest ways to offer protection against this method.

Successful attacks could result in locking users out of their accounts as well as provide unauthorized network access, enabling the theft of credentials, network metadata, and more damaging, sensitive information that could be used in other malicious operations.

Stealthy MerDoor malware uncovered after five years of attacks

A new Advanced Persistent Threat (APT) group named LanceFly has been using a custom, stealthy backdoor called “Merdoor” to target organizations in South and Southeast Asia since 2018. Methods for initial access are unclear, but Symantec has observed the group using phishing emails, SSH credential brute forcing, and other techniques. Merdoor is loaded into ‘perfhost.exe’ or ‘svchost.exe’, both legitimate Windows processes, via DLL side-loading. The backdoor is persistent and survives reboots. It establishes a connection with a C2 server, from which it receives instructions.

Cyber criminals and hackers frequently discuss vulnerabilities and tactics, techniques and procedures (TTPs) on the darknet and darknet-adjacent platforms. Below we share screenshots from the DarkOwl Vision UI that highlight the use of brute force attacks. Vision UI is the industry-leading platform for analysts to simply, safely, and comprehensively search darknet data. Vision provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information.

GitHub

The first two screenshots below show a Russian-language user sharing a link to a GitHub repository containing brute force attack source code for Android devices on the well-known Russian-language darknet forum, XSS. The second image shows the same post in its original format directly on the XSS forum.

Figure 2: Brute force attack source code on GitHub; Source: Tor Anonymous Browser

In the screenshot below, threat actors in a Discord channel discuss a new scanning and brute force framework available on GitHub, praising the tool’s exceptional speed.

Figure 3: Discord channel showcasing a new brute force tool available on GitHub; Source: DarkOwl Vision

DarkOwl analysts also found a darknet market posting offering brute force attack software in exchange for $500 USD worth of bitcoin. The poster claims to have made $12,000 USD in 2 months using this software.

Figure 4: Darknet marketplace offering brute force attack method; Source: DarkOwl Vision

In addition, as we know, threat actors use the darknet and darknet-adjacent sites to exchange information and best practices and to ask questions. This is one of the reasons it is so important to monitor this activity: we learn about upcoming trends and what they are discussing, and can prepare for the attacks being planned. In the example below, an actor asks the community how long they can expect a brute force attack to take.

Figure 5: Cyber threat actors discussing brute force attacks; Source: DarkOwl Vision

Believe it or not, 98% of cyberattacks can be prevented with basic hygiene. Below are several tips to prevent brute force attacks and more in-depth password strengthening tips.

  • Use strong passwords (see the password hygiene tips below).
  • Lock accounts after a set number of failed login attempts. This limits automated guessing tools.
  • Limit the number of login attempts allowed within a given period of time (rate limiting). This slows automated guessing even when no lockout is triggered.
  • Monitor source IP addresses for frequent or failed login attempts.
  • Use multifactor authentication.
  • Use CAPTCHAs to stop bots from attempting to log in.

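As an added illustration (not DarkOwl’s code or tooling), the following Python snippet applies the lockout, rate-limiting and IP-monitoring controls above as detection logic over an authentication log. The log format, the thresholds and every sample line are constructed assumptions for this example.

```python
"""Brute-force login detection over a constructed authentication log.

Added example: implements the lockout, rate-limiting and IP-monitoring
controls from the list above as detection logic. The log format, the
thresholds and every sample line are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <source ip> <username> <success|fail>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (success|fail)$")

# Policy thresholds (assumed values for this example)
LOCKOUT_FAILURES = 5                  # consecutive failures before an account locks
RATE_WINDOW = timedelta(seconds=60)   # sliding window for per-IP rate limiting
RATE_LIMIT = 10                       # attempts one IP may make inside the window


def parse_line(line):
    """Parse one log line into (timestamp, ip, user, succeeded) or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result = m.groups()
    return datetime.fromisoformat(ts), ip, user, result == "success"


class BruteForceMonitor:
    """Tracks per-account lockout state and per-IP attempt rates."""

    def __init__(self):
        self.consecutive_failures = defaultdict(int)   # user -> failures since last success
        self.locked_accounts = set()
        self.ip_attempts = defaultdict(deque)          # ip -> timestamps inside RATE_WINDOW
        self.rate_limited_ips = set()
        self.ip_failed_users = defaultdict(set)        # ip -> distinct users it failed against

    def process(self, ts, ip, user, succeeded):
        """Return the decision for one attempt: allowed, failed, locked or rate_limited."""
        # Per-IP sliding window: keep only attempts from the last RATE_WINDOW.
        window = self.ip_attempts[ip]
        window.append(ts)
        while window and ts - window[0] > RATE_WINDOW:
            window.popleft()
        if len(window) > RATE_LIMIT:
            self.rate_limited_ips.add(ip)
            return "rate_limited"      # rejected before the password is even checked
        if user in self.locked_accounts:
            return "locked"            # even a correct password is refused while locked
        if succeeded:
            self.consecutive_failures[user] = 0
            return "allowed"
        self.consecutive_failures[user] += 1
        self.ip_failed_users[ip].add(user)
        if self.consecutive_failures[user] >= LOCKOUT_FAILURES:
            self.locked_accounts.add(user)
            return "locked"
        return "failed"

    def spraying_ips(self, min_users=3):
        """IPs that failed against many distinct accounts (reverse brute force / spraying)."""
        return {ip for ip, users in self.ip_failed_users.items() if len(users) >= min_users}


def analyze(lines):
    """Run the monitor over log lines; returns (monitor, per-line decisions)."""
    monitor = BruteForceMonitor()
    decisions = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                   # skip malformed lines rather than crash
        decisions.append(monitor.process(*parsed))
    return monitor, decisions


def constructed_log():
    """Sample log lines (constructed, not real traffic)."""
    base = datetime(2024, 9, 6, 12, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = [f"{stamp(i)} 203.0.113.5 alice fail" for i in range(6)]   # one IP hammering alice
    lines.append(f"{stamp(10)} 198.51.100.7 alice success")             # real user, now locked out
    lines += [f"{stamp(20 + i)} 192.0.2.9 user{i:02d} fail" for i in range(12)]  # spraying 12 accounts
    lines.append(f"{stamp(40)} 198.51.100.8 carol success")             # ordinary login
    lines.append("not a valid log line")                                 # malformed, skipped
    return lines


if __name__ == "__main__":
    monitor, decisions = analyze(constructed_log())
    print("decisions:", decisions)
    print("locked accounts:", sorted(monitor.locked_accounts))
    print("rate-limited IPs:", sorted(monitor.rate_limited_ips))
    print("spraying IPs:", sorted(monitor.spraying_ips()))
```

Note that the rate limit fires on the source IP before the password is checked, so a spraying attacker who fails once per account (and never trips the per-account lockout) is still stopped and reported.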
Everyone can follow some simple steps to ensure you employ robust password hygiene and reduce the risk of a password getting brute forced or exploited in a credential stuffing campaign.

  • Use a password manager like LastPass, Bitwarden, or 1Password to generate and store complex passwords.
  • Don’t reuse passwords. Have a unique password for every login and streaming service you sign up for.
  • Choose passwords at least 16 characters in length.
  • Include symbols and numbers for increased complexity.
  • Avoid using passwords with dictionary words or names.
  • Don’t use sequential numbers or the word “password”.
  • Don’t use the year of your birth or anniversary in your password.
  • Turn on multi-factor authentication (MFA) for important accounts like financial and banking sites.
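An added example, not DarkOwl’s own tooling, that encodes the tips above, plus the yyyy-mm-dd and yyyy/mm/dd date pattern from the password analysis earlier in the post, as a checker; the word list, year range and thresholds are assumptions made for the example.

```python
"""Password hygiene checker for the tips listed above.

Added example: encodes the rules from the list (length, numbers and
symbols, dictionary words, sequential digits, the word "password",
birth or anniversary years) plus the yyyy-mm-dd / yyyy/mm/dd date
pattern from the password analysis earlier in the post. The word list,
year range and thresholds are assumptions, not DarkOwl's data.
"""
import re
import string

MIN_LENGTH = 16

# Constructed stand-in for a real dictionary / common-password list.
DICTIONARY_WORDS = {
    "password", "welcome", "summer", "dragon", "monkey", "letmein",
    "football", "michael", "jennifer", "qwerty",
}
# yyyy-mm-dd or yyyy/mm/dd (the two formats counted in the DarkOwl analysis)
DATE_RE = re.compile(r"(?:19|20)\d{2}[-/](?:0[1-9]|1[0-2])[-/](?:0[1-9]|[12]\d|3[01])")
# Any four-digit year 1900-2029 that is not embedded in a longer digit run
YEAR_RE = re.compile(r"(?<!\d)(19\d{2}|20[0-2]\d)(?!\d)")


def has_sequential_digits(pw, run=3):
    """True if pw holds `run` or more digits counting straight up or down (1234, 987)."""
    for i in range(len(pw) - run + 1):
        seg = pw[i:i + run]
        if not seg.isdigit():
            continue
        steps = {int(b) - int(a) for a, b in zip(seg, seg[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw, personal_years=()):
    """Return the list of rule violations; an empty list means the password passes.

    personal_years: years the user should avoid (birth year, anniversary), if known.
    """
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in pw):
        issues.append("no numbers")
    if not any(c in string.punctuation for c in pw):
        issues.append("no symbols")
    lower = pw.lower()
    if "password" in lower:
        issues.append("contains the word 'password'")
    words = sorted(w for w in DICTIONARY_WORDS if w != "password" and w in lower)
    if words:
        issues.append("contains dictionary word(s): " + ", ".join(words))
    if has_sequential_digits(pw):
        issues.append("contains sequential digits")
    if DATE_RE.search(pw):
        issues.append("contains a yyyy-mm-dd or yyyy/mm/dd date")
    # YEAR_RE has a single group, so findall returns just the year strings
    years = {int(y) for y in YEAR_RE.findall(pw)} & set(personal_years)
    if years:
        issues.append("contains personal year(s): " + ", ".join(str(y) for y in sorted(years)))
    return issues


if __name__ == "__main__":
    # Constructed candidates; 1985 stands in for the user's birth year
    for candidate in ["Summer2024!", "MyPassword1985-07-04!!", "correct-horse-battery-staple-42"]:
        print(candidate, "->", check_password(candidate, personal_years=(1985,)) or "OK")
```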

To see DarkOwl Vision in action, contact us.

Threat Intelligence RoundUp: August

September 03, 2024

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter, i.e. what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Russian ransomware gangs account for 69% of all ransom proceeds – BleepingComputer

According to new data from TRM Labs, Russian-speaking ransomware groups accounted for 69% of all cryptocurrency ransom payments in 2023. The total exceeded $500 million. LockBit, BlackCat, Black Basta, Cl0p, Play, and Akira were among the most dominant operations in 2023. While North Korea currently leads in cryptocurrency stolen through exploits and breaches, according to the most recent numbers Russia continues to dominate all other malicious activity involving cryptocurrency. Full article here.

2. Hackers posing as Ukraine’s Security Service infect 100 govt PCs – BleepingComputer

On August 12, Ukraine’s Computer Emergency Response Team (CERT-UA) reported that hackers impersonating the Security Service of Ukraine compromised over 100 systems belonging to Ukrainian government agencies. The attacks began as early as July 12 and involved the distribution of phishing emails posing as official communications from the Security Service of Ukraine. The emails included a link to a downloadable file titled “Documents.zip,” which, when downloaded, deployed AnonVNC malware. CERT-UA noted that the attack appears to have predominantly affected “central and local government bodies.” Read more.

3. U.S. DoJ Indicts North Korean Hacker for Ransomware Attacks on Hospitals – The Hacker News

On July 25, the U.S. Department of Justice (DoJ) indicted Rim Jong Hyok, a North Korean national, for his involvement in ransomware attacks against healthcare facilities in the United States. According to the DoJ press release, Hyok used proceeds from the extortion of U.S. hospitals to “fund additional computer intrusions into defense, technology, and government entities worldwide.” On the same day as the DoJ indictment, the U.S. Department of State’s Rewards for Justice program announced a reward of up to $10 million for information to help locate Rim Jong Hyok. Article here.

4. Meta nukes massive Instagram sextortion network of 63,000 accounts – BleepingComputer

On July 24, Meta announced that it had taken down 63,000 Instagram accounts registered in Nigeria that were connected to sextortion scams. The take-down included a network of 2,500 accounts linked to 20 individuals who were primarily targeting adult men in the United States. According to Meta, the accounts were linked to the cybercrime group “Yahoo Boys.” In addition to the Instagram accounts, Meta also removed more than 7,000 Nigeria-based Facebook accounts, groups, and pages, that were sharing tips on how to conduct scams. Read article.

5. Telegram CEO Pavel Durov charged by French prosecutors – CNBC

On August 24, Russian multi-billionaire Pavel Durov, the founder and CEO of the messaging app Telegram, was arrested in France on a warrant in relation to an investigation into criminal activity on Telegram. On August 26, the Paris prosecutor’s office released a statement detailing 12 alleged criminal violations, including complicity in illicit transactions allowed to be hosted on the messaging platform. After four days of questioning, Durov was released from police custody on August 28 and transferred to court, where he was charged by prosecutors for enabling criminal activity on the app. Telegram, which has 950 million users worldwide, differs from mainstream messaging apps in its particularly relaxed content moderation policies. Full article here.

6. FBI disrupts the Dispossessor ransomware operation, seizes servers – BleepingComputer

On Monday, August 12, the Federal Bureau of Investigation (FBI) announced that it had seized websites associated with the Dispossessor ransomware operation, also known as Radar. The investigation was carried out by the FBI in conjunction with the U.K.’s National Crime Agency (NCA), the Bamberg Public Prosecutor’s Office, Bavarian State Criminal Police Office (BLKA), and the U.S. Attorney’s Office for the Northern District of Ohio. As detailed in FBI’s press release, the joint takedown successfully disrupted three U.S. servers, three U.K. servers, 18 German servers, eight U.S.-based criminal domains, and one German-based domain. Full article.

7. North Korean hackers exploit VPN update flaw to install malware – BleepingComputer

In a recent advisory, South Korea’s National Cyber Security Center (NCSC) warned that state-backed North Korean hacker groups Kimsuky (APT43) and Andariel (APT45)—previously linked to the Lazarus Group—have carried out campaigns against South Korean entities, notably in the construction sector. The hackers most recently exploited a VPN software update to spread malware. The NCSC attributes the campaigns to North Korea’s Reconnaissance General Bureau and believes the recent hacking activities have been carried out in support of Kim Jong-un’s “Regional Development 20×10 Policy,” an initiative aiming to modernize industrial factories over the next ten years. Read more.

8. APT41 Hackers Use ShadowPad, Cobalt Strike in Taiwanese Institute Cyber Attack – The Hacker News

According to Cisco Talos, an undisclosed government-affiliated Taiwanese research institute was the target of a cyber attack carried out as early as July 2023. The cyber attack has been attributed with medium confidence to the China-based hacking group APT41 (also known as Double Dragon, BARIUM, Axiom, Winnti, Wicked Panda, Wicked Spider, TG-2633, Bronze Atlas, Red Kelpie, Blackfly, and Brass Typhoon). The campaign utilized Cobalt Strike and ShadowPad malware. Read article.

On August 28, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) released a joint Cybersecurity Advisory warning of ransomware attacks carried out by Iran-based threat actors against U.S. organizations. Targeted sectors have included healthcare, defense, and education. According to the FBI’s assessment, it is believed that a “significant percentage” of these operations are intended to “obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware.” As noted by BleepingComputer, the Iran-based hacking group “Pioneer Kitten”—which is believed to be tied to the Iranian government—has breached U.S. organizations and is “working with affiliates of several ransomware operations to extort the victims.” Read more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Telegram CEO Arrested: The Dark Web Responds 

August 29, 2024

Telegram’s CEO Pavel Durov was arrested by French police as he landed at an airport in northern Paris on Aug 25, 2024, as first reported by the BBC. Reporting indicated that he was arrested in relation to the messaging app, although it was initially unclear what the exact offense was. Early reports stated it was due to a “lack of moderation [and] failing to take steps to curb criminal use of Telegram.”

Figure 1: Pavel Durov; Source: BBC

Durov is a 39-year-old Russian national who also holds citizenship in France, the UAE, and St Kitts. He founded the messaging app Telegram in 2013 after previously founding the popular Russian social media app VK. Telegram has 950 million registered users worldwide.

Telegram has long been criticized by law enforcement and security analysts for hosting extremist content, CSAM, and other illicit material. It is renowned for not cooperating with law enforcement and has only been known to take action against ISIS-affiliated channels in response to the 2015 terror attacks in France, and only after pressure; Durov had previously stated, “IS would simply find another app if kicked off his, I don’t think we should feel guilty about this.”

However, further reporting did indicate that Telegram was taking steps to remove Indonesian terrorist groups from the platform, but this was in response to the Indonesian authorities limiting access to the app and threatening a total ban.

Figure 2: Chat about history of Telegram; Source: DarkOwl Vision

Channels can be found on Telegram that sell illicit goods, share extremist rhetoric, and conduct financial fraud. 

Figures 3-6: Examples of Illicit channels on Telegram; Source: DarkOwl Vision

More recently, the messaging app has been pivotal in both the war in Russia and Ukraine and the conflict between Hamas and Israel, with the app being used to spread propaganda, as a source of news as well as a hotspot for hacktivists and cyber attacks. Many argue it had been weaponized to share violent images, disinformation, and false narratives. 

After his arrest at Le Bourget Airport, flying from Azerbaijan, Durov was held for four days before appearing in court 28 August. Scant reporting/conspiracy theories have begun to circulate that Durov only flew to France at the invitation of President Macron.  

Durov was released from court and officially “placed under formal investigation as part of a probe into organized crime on the messaging app.”  Durov was required to pay 5 million euros to the French government, cannot leave French territory, and must visit a police station two times a week until the investigation concludes.

Durov’s arrest has received widespread criticism from Elon Musk, Edward Snowden, and the Russian Foreign Ministry as an attack on human rights and freedom of speech. Snowden called it “an assault on the basic human rights of speech and association.”

It does appear to be unprecedented for law enforcement to take action against the owner/founder of a social media platform and hold them accountable for what is posted by others on the site.  

Yesterday (28 August) it was reported that Telegram has repeatedly ignored outreach from the National Centre for Missing and Exploited Children (NCMEC) and the Internet Watch Foundation (IWF), who are dedicated to stopping the spread of CSAM (Child Sexual Abuse Material). Without joining these groups, they are not able to proactively identify and remove previously identified CSAM material.  

Other social media platforms like SnapChat, Facebook, Instagram, Threads, TikTok, Pornhub, and OnlyFans are all members of these organizations.

Yet, there is no legal obligation to join NCMEC for organizations outside of the US, although one could definitely argue a moral obligation. Telegram, along with Durov, is based in Dubai.  

Telegram continues to assert that they proactively moderate harmful content on the platform including child abuse material. The company insists that its moderation is “within industry standards and constantly improving.”

However, it does seem that Telegram’s continued reluctance to engage with law enforcement or other regulators to reduce the amount of illicit material on the site is the reason for the arrest.  

DarkOwl analysts located a copy of Durov’s official arrest record; the list below highlights the charges against him.

  • Complicity – Administration of an online platform to allow an illegal transaction by an organized gang,
  • Refusal to communicate, at the request of the authorized authorities, the information or documents necessary for the realization and exploitation of interceptions authorized by law,
  • Complicity – Possession of images of a minor of a child-pornographic nature,
  • Complicity – Dissemination, offer or making available, by an organized gang, of images of a minor of a pornographic nature,
  • Complicity – Acquisition, transport, possession, offer or disposal of narcotic products,
  • Complicity – Offer, assignment or making available without legitimate reason of equipment, an instrument, a program or data designed or adapted for attacking and accessing the operation of an automated data processing system,
  • Complicity – Organized gang fraud,
  • Criminal association with a view to committing a crime or offence punishable by at least 5 years of imprisonment,
  • Money laundering of crimes or offences by organized gangs,
  • Provision of cryptology services ensuring confidentiality functions without a declaration of conformity,
  • Provision of a cryptological means not exclusively ensuring authentication or integrity control functions without prior declaration,
  • Import of a cryptology means that does not exclusively perform authentication or integrity control functions without prior declaration.

Figures 7-10: Screenshots taken by DarkOwl analysts of Durov’s arrest record

It is clear from the levelled charges that Durov is being held accountable for supplying the means for criminals to communicate and operate on his platform, for the encryption the site provides and a lack of cooperation with law enforcement.  

Response on Telegram to the arrest has been swift, with most of the posts identified questioning why the arrest was made and asserting what are likely conspiracy theories about who was involved and what ties Telegram has.

DarkOwl identified over 1300 mentions of Durov’s arrest. The bulk of the Telegram channels commenting on the arrest with negativity appeared to be primarily from right wing leaning political extremist channels. Some of the channel names that expressed outrage towards Durov’s arrest: 

  • The Patriot Voice 
  • God Wins! 
  • QANON+ 
  • Greek Trump Supporters

Figure 11: Vision results for mention of Durov’s arrest; DarkOwl Vision

One user on another right wing leaning political extremist channel shared a link to a Russia Today article that focused on Elon Musk’s response to Durov’s arrest and the coinciding rise in popularity of the hashtag #FreePavel: 

Figure 12: Users share Elon Musk response to arrest; Source: DarkOwl Vision

Other channels have discussed the theory that, as a result of the arrest, Telegram will be removed from the Apple App Store and from individuals’ devices. The post gave users instructions on how to prevent that from happening.

Figure 13: Telegram Channel Massachusetts Unified 

Further chatter was identified which pondered why Telegram had been targeted for using encryption techniques when other messaging apps used the same.  

Figure 14: Source: DarkOwl Vision

Others commented that Durov was not arrested but kidnapped and that Telegram was to be muzzled.  

Figure 15: Source: DarkOwl Vision

Other posts claim that Telegram is connected to the Deep State and run by the CIA, and wonder whether Elon Musk will be targeted next and whether the Biden administration was involved in the arrest.

Figure 16: Source: DarkOwl Vision

Unsurprisingly, given the nature of our collection efforts, targeting illicit activities, extremists and fraud, we did not find many posts which were supportive of the arrest within our data.  

The arrest of Durov has caused debate among many regarding freedom of speech, the responsibility of CEOs of social media platforms, and their perceived requirement to cooperate with law enforcement requests and remove harmful or illegal material. This debate is likely to continue as the investigation into Durov proceeds.

Many users on Telegram and other dark web sites have shown support for Durov, although much of the rhetoric seems to target the state and provides little evidence for the views.  

Whatever the outcome of the investigation, this will have ramifications for privacy, security, social media, and the individuals responsible for them. It is still yet to be decided what impact, if any, the arrest will have on the operations of Telegram going forward. It is unlikely that a platform this large, with so many users, could be removed, but it remains to be seen whether it will change its stance on helping law enforcement and other organizations crack down on illicit activities. What is likely is that no more Telegram members of staff will be traveling to Europe any time soon!


Stay up to date with DarkOwl. Follow Us on LinkedIn.

Highlighting Women in Cyber for Women’s Equality Day

Interview with DarkOwl’s Irina and Bianca

August 26, 2023

For the third year in a row, in honor of Women’s Equality Day today, August 26th, the DarkOwl Marketing team interviews our Finance Controller, Irina, and Analyst, Bianca. Last year, we chatted with our Director of Client Engagement, Caryn Farino, and Senior Darknet Analyst, Steph Shample – that blog can be found here. Two years ago, we sat down with Chief Business Officer, Alison Halland, and Director of Technology, Sarah Prime – check out that blog here. DarkOwl is very proud of our women leadership and workforce and strives to continue to build a balanced workforce with the most talented and effective team possible.

Interview: Thoughts on Being a Woman in Cybersecurity from Two Members of DarkOwl’s Team

To commemorate Women’s Equality Day, we sat down for a candid interview about working in the cybersecurity industry with two women from our team.

Editors Note: Some content has been edited for length and clarity.

Globally, 14,865 people took part in the 2023 ISC2 Cybersecurity Workforce Survey. Of these, 17% of the respondents were women. While this is a worryingly low figure compared to other sectors such as the legal profession (53% women) and the accountancy sector (46% women), we took a deeper look at the data and discovered a number of positive trends, including women’s pathways into the profession, the roles they play within cybersecurity teams, and the career path similarities with men in many areas.

Tell me about your background and your journey to where you are now – did you always know you wanted to be in cyber?

Irina: I came from Siberia, which at the time was part of the Soviet Union. I moved to New Mexico, U.S.A., when I was 14 years old, speaking very little English; I quickly improved my language skills and also had to learn Navajo and Spanish. Moving to the U.S. was a major culture shock! But with perseverance I was able to acquire the confidence to integrate into the American way of life.

No. I had no idea I would be in cybersecurity. My background is in finance, having studied to get my M.B.A. I love numbers, but I also have a great appreciation for cutting-edge technologies.

Bianca: I didn’t know that I wanted to go into cybersecurity either. My academic background was actually in international relations, and while my focus wasn’t on cybersecurity, I had the chance to take classes on topics adjacent to cyber. Then, after graduation, I found myself drawn to cybersecurity quite naturally in light of an increase in cyber threat actor activity associated with global conflicts. Seeing the ways conflicts like the Russia-Ukraine war can prompt the emergence of more cyber activity really interested me in particular, given my international relations background.  

Has working in this field dispelled any misconceptions you had about your own abilities or interests? 

Irina: Well, no would be my answer. As I previously mentioned, I love new and exciting technologies, and being able to help make these companies function well gives me great satisfaction and is a privilege. I enjoy the challenge of using my abilities to work in areas that are outside of my usual expertise. I have found that my ability to speak fluent Russian has helped me on numerous occasions to go above and beyond my usual responsibilities.

Bianca: As someone with an international relations background in this field, I would say yes. My background isn’t in coding or software development, and while I was in university that’s what I associated with cybersecurity. And now, being in it, I’ve realized that it’s a multifaceted field that ultimately requires a wide variety of skills, especially analytical skills and critical thinking skills. Many may assume that having a liberal arts background might not help you in the cybersecurity field, but, in reality, I think it provides the essential ability to think critically and solve problems and approach issues from multiple viewpoints. 

Can you both talk a little bit about your professional development? Have there been any specific courses or certifications that you would recommend for somebody trying to get into cybersecurity? And then for you, Irina, anything finance specific on top of that? 

Irina: I’m a finance person with an MBA; as I mentioned earlier, that’s my love and that’s my training. I wish to use this to help cybersecurity companies and other companies succeed. I have no professional experience in the dark web, but I can help and enhance the use of their finances!

Bianca: Well, I can’t speak to finance at all, so I’m glad you’re here!  

In terms of cyber, there’s, of course, Michael Bazzell’s work, which is an amazing resource for building out those foundational skills. He has a guide on leaks and breaches that’s very helpful for data collection specifically. But ultimately, what’s helped me the most is getting hands-on experience. I think that at the end of the day, no matter how many guides you read, nothing’s going to prepare you more than actually applying those skills in the real world. Before getting that experience, I would also say that it’s really helpful to have a mentor in the field who can provide tips and answer questions. There’s also a great resource called NatSecGirlSquad, which is a network of individuals that work in the broader security field, many of whom are in cybersecurity, so it’s a good way to connect with people. 

What’s it like being a woman in the cybersecurity industry? And Irina, you’re not just in cybersecurity but in finance as well, another male-dominated industry and profession. What are the challenges or advantages that you guys have experienced?

Irina: For me, it’s always difficult being a woman in a man’s world. But I have found that, with time, my male colleagues grew to appreciate my understanding of not only the financial world but of their problems, and my ability to help solve these problems.

Bianca: I have to say that I feel incredibly lucky being here at DarkOwl because I feel like, unlike the broader cybersecurity industry, it’s such an inclusive environment and there are women in leadership positions who serve as role models here. Unfortunately, the same can’t be said for the broader cybersecurity industry; I know recent data from ISC2 showed that at least three out of four cybersecurity professionals are male. So in terms of inclusion, cybersecurity is still behind as a field, even when compared to other male-dominated industries. 

How do you feel about the representation of women in cybersecurity, and have either of you seen it change since you started your careers? 

Irina: My experience with women in cybersecurity has very much come down to my enjoyable and productive relationships with women at DarkOwl, and I really feel ill-equipped to comment on how the industry in general treats women.

Bianca: Yeah, I can relate in the sense that as someone relatively new to the field, I can’t personally speak to how it has changed over the years. But looking at the number of women I know going into this field, it feels like we may finally be moving in the right direction, slowly but surely. And certainly, here at DarkOwl, we have a lot of women in leadership positions, and I think that makes a huge difference. You know, seeing women in public leadership positions really plays a huge role in challenging stereotypes and inspiring people to follow similar paths. 

And what steps do you think organizations can take to promote gender equality and inclusion in cybersecurity roles? 

Bianca: I would say definitely identifying, first and foremost, any gender pay gaps and rectifying those is a vital first step. And then also, harkening back to the point about women in leadership, ensuring that there are women in the field in public leadership positions. Again, it’s important to have those role models to challenge stereotypes and facilitate similar paths for current and future generations. I know that I wouldn’t have been able to enter this field without incredible female role models that inspired me and set the stage for other women to pursue similar paths. And that kind of representation is key to moving towards workspaces that are diverse not just in terms of gender, but also in terms of race, ethnicity, sexual orientation, etc. 

Irina: I think companies should allocate more resources for training and invest in women in cybersecurity to give the industry a broader perspective. I’m thrilled that we have a new Board member, an accomplished woman, joining DarkOwl’s Board.

Bianca: That’s such a great point, it’s such an exciting development and really stands out compared to many cybersecurity companies. Most organizations in this field don’t have the gender ratio that DarkOwl has, and certainly not for leadership positions, so this is really such exciting news.  

What do we not understand about cybersecurity as a field and its job opportunities? And what does cybersecurity mean to each of you?

Irina: To me cybersecurity means protection. This is protecting my family, my community and my country; protecting their identities, their finances, their privacy, their future. Job opportunities are massive as cyber terrorism is becoming a greater threat day by day. My concern is so many companies and organizations do not understand the threat in a sufficient way and do not allocate the necessary resources for cybersecurity. This is a major threat to our collective future. 

Bianca: I agree completely. I think that’s a great point, summarizing cybersecurity as being about protection. And I think a common perception among people who aren’t familiar with the field, myself included before I entered it, is that cybersecurity is this coding-heavy, technical field that doesn’t have room for non-technical skills. And of course, that’s not the case at all, right? Because what’s brilliant about cybersecurity is that it’s so interdisciplinary. Cyber threats don’t exist in a vacuum; so, for instance, having an international relations background and an understanding of global conflicts can shine a light on the calculus behind cyber attacks. Cyber threats are often situated in a geopolitical context, so having individuals who can approach them from that perspective and provide a 10,000-foot view can be valuable. So overall there’s really a wide variety of opportunities in the field, ranging from software development to analysis to, as Irina can speak to, finance as well. I think that’s wonderful.

Are there any specific projects or accomplishments in your cyber careers that you’re particularly proud of? 

Irina: I have two specific accomplishments in which I take pride. Salespeople can be very focused on acquiring new customers and do not always spend time looking after them. I was proud to be able to save a valuable customer and help expand the business opportunities with this particular client. I also built up new relationships, which to this day have proven to be fruitful. My second project, of which I’m particularly proud, was working with a government agency that required a top executive of DarkOwl to attend a critical meeting; it needed a lot of personal input to guarantee an entry visa so that this executive could attend the meeting. This relationship opened up new and exciting opportunities, and to this day they come back to me for rapid and constructive responses.

Bianca: Broadly, I’d say that I’m proud to have the opportunity to help people. Going back to Irina’s point about cybersecurity being about protection, that’s what I’m most proud of, especially when it comes to protecting vulnerable communities. I went into this field because I wanted to try to make a difference, as small as it may be, and I feel like I’ve been lucky to have the chance to contribute to that in some way. But I think most of the time there’s really this… this sense of “there’s so much more to be done and I’m not doing enough.” Especially when we see how much hate there is on the deep and dark web, and even the surface web. Being exposed to that hatred every day is disheartening, on the one hand, but on the other hand, it serves as a constant reminder of why we’re in this field and why we do the work we do and the fact that there’s still so much work to be done. 

How can the cybersecurity community better support and empower women, especially those just entering the field? 

Irina: This is not my expertise as I’m a financial expert. However, I do feel women are highly suited to this industry as it involves a range of skills that can often fit into a broader skill set that is usually found with women’s education and experience. 

Bianca: Yes, as someone relatively new to the field, again, I have felt very welcomed and empowered here at DarkOwl. I think cybersecurity organizations and the community broadly can learn a lot from what DarkOwl has done. I’ve felt empowered thanks to being included in key conversations, feeling like my voice is being heard, and having supportive colleagues. Of course, I think, again, having female leadership across the organization has played a huge part in feeling supported, because it really is direct evidence of how much DarkOwl values all of its staff. I think those are all steps that organizations across the cybersecurity community can take to empower women, as well as providing training opportunities, as Irina noted.


DEF CON 32 Unveiled: Insights for Dark Web Professionals and Enthusiasts

August 23, 2024

In the enigmatic world of cybersecurity, where the dark web lurks just beyond the surface of the internet, DEF CON stands as a beacon of insight and innovation. Held annually in the neon-lit heart of Las Vegas, this iconic convention is more than just a conference—it’s a high-stakes playground where hackers, cybersecurity experts, and technology enthusiasts converge in a whirlwind of creativity and intrigue.

For those navigating the murky depths of the dark web, DEF CON provides a crucial window into emerging threats, new technologies, and the shifting threat landscape. Whether you’re an experienced attendee or a first-time visitor, DEF CON offers an unparalleled glimpse into the future of cybersecurity and the thrill of digital exploration.

An ongoing joke within the DEF CON community is that “DEF CON is Canceled.” This year, the 32nd iteration of the convention, the joke almost became a reality. With just three months to spare, DEF CON Global Coordinators and Department Leads were scrambling to secure a new location after their long-time venue canceled.

DEF CON 32 found a new home at the Las Vegas Convention Center. This was a significant shift from the previous years where attendees roamed multiple casinos to find their desired villages or talks. This year, everything was housed under one roof – a major change that simplified navigation. Many villages and groups were housed in a large open space separated by curtains but still using loudspeakers. While not ideal, this setup did not dampen the laid-back spirit of the crowd, eager to quench their curiosity.

Another notable change at DEF CON 32 was the increase in minor attendees. What was once considered the “Frat Party” of cyber conferences is now adopting a more “Family Friendly” vibe. Various villages incorporated Capture the Flag (CTF) competitions and other contests for younger participants, including the dedicated DCNEXTGEN village.

What to Expect: Be prepared for an overwhelming influx of information.

Initial Impressions: DEF CON can be daunting for newcomers. The sheer volume of attendees, the sprawling layout, and the wealth of information can be overwhelming.

3 Essential Tips:

  1. The line for Hacker Jeopardy IS worth it.
  2. Don’t try to do everything your first year. Focus on the villages or talks that align with your current expertise or future aspirations.
  3. Network actively. You might find yourself next to a fellow newbie or in line behind the CISO of a Fortune 500 company.

Uniqueness of DEF CON: DEF CON serves as a melting pot for industry professionals and aspiring hackers. One experienced attendee shared that, despite attending for many years, he still marvels at the opportunity to debate policies with influential figures he wouldn’t typically interact with in his role at a small cybersecurity firm in Arizona.

The Best of the Best: Experienced attendees at DEF CON often feel reassured knowing that those who speak at Official DEF CON talks are among the top professionals in the industry. At DEF CON 32, this included prominent figures like Jen Easterly, Jeff ‘The Dark Tangent’ Moss, InfoSec celebrities such as Neil ‘Grifter’ Wyler and Jayson Street, as well as Bug Bounty experts STÖK Fredrik and Joona Hoikkala (DEF CON 31). These six names represent just a small fraction of the distinguished individuals who attended DEF CON 32.

Must Do: The unanimous recommendation from experienced attendees was “DFIU” (Don’t F&*^ It Up): attend Hacker Jeopardy at least once.

Despite many changes at DEF CON 32, Hacker Jeopardy remained a constant favorite. Attendees still enjoyed bouncing large and small beach balls during the wait for entry and during the show. Beer still flowed on stage for contestants (bananas for the one pregnant contestant), and Miss Kitty, a DEF CON staple, made her usual appearance. The crowd eagerly chanted “DFIU,” and opportunities to win elite swag abounded. Thankfully the categories, while comically titled, still showcased the skills needed to be a hacker, or poked fun at recent cybersecurity mishaps.

Hacker Jeopardy celebrated its 30th birthday at DEF CON 32, drawing the largest crowd on record. The event featured star-studded teams, guest hosts, and a special appearance by Jeff Moss, who wished Hacker Jeopardy a happy 30th birthday.

The first night included a category dedicated to Darknet Diaries, with answers read by Jack Rhysider himself (while standing behind a privacy screen). The excitement peaked on the second night when Jeff Moss announced through a text message to ‘Grifter’, that for the first time, winners of Hacker Jeopardy would receive a Black Badge, granting them lifetime free admission to DEF CON.

Jake Braun – DEF CON Franklin Project

DEF CON’s unconventional approach offers invaluable insights. Many villages compile data from contests and talks into reports on emerging trends and new vulnerabilities, which are often presented to government officials or find their way in front of Congress.

In the context of the 2024 U.S. election, the Voting Machine Hacking Village, spearheaded by Jake Braun, stands out. In 2017, Braun, a former Acting Principal Deputy National Cyber Director for the White House, recognized the need for more than academic vulnerability testing of voting machines. By leveraging DEF CON’s hacking expertise, Braun created a village that ultimately led to the replacement of vulnerable voting machines in several states.

In 2024, at DEF CON 32, Braun and Jeff Moss launched “DEF CON Franklin”, focusing on creating “The Hackers’ Almanack” and organizing the “Franklin Cyber Volunteer Task Force.” Their goal is to harness the DEF CON hacker community’s skills to enhance the cybersecurity of critical infrastructure and K-12 school districts.

4 Insights from DEF CON 32 for DarkOwl

  • Machine Learning and AI: DEF CON 32 highlighted the growing role of AI and machine learning in threat detection. Leveraging these technologies can improve DarkOwl’s ability to identify and categorize emerging brand threats in the darknet. Implementing advanced algorithms to analyze patterns and anomalies in our data can enhance predictive capabilities and automate collections.
  • Behavioral Analysis: Develop models that focus on the behavior of actors within the darknet to enhance DarkOwl’s Threat Actor Profiling. This includes monitoring changes in patterns, language, and interaction dynamics that may signal emerging threats or new trends.
  • Automated Crawling Tools: Sessions at DEF CON 32 emphasized the use of sophisticated crawling tools for more efficient data collection. DarkOwl is always striving to enhance or implement automated tools that better navigate the complexities of the darknet, such as handling various encryption and obfuscation techniques, and that will improve the depth and accuracy of our data processing.
  • Use of Open-Source Intelligence (OSINT): Combining darknet data with OSINT can provide a more comprehensive view for DarkOwl’s Darknet Risk Analysis. Incorporating data from open sources helps in cross-referencing and validating information found on the darknet.
  • Ethical Collection Practices: Discussions at the DEF CON 32 Policy Village often revolved around the ethics of cybersecurity practices. DarkOwl is passionate about ensuring that our methods of data collection and analysis adhere to ethical standards. This includes respecting privacy laws, obtaining data without compromising the security and anonymity of individuals, and displaying our data without exposing CSAM and SEIM.
  • Secure Data Handling: As a leading provider of darknet data, DarkOwl strives for robust data protection measures to safeguard the information we collect. Learning the latest techniques for implementing strong encryption and access controls helps in maintaining the integrity and confidentiality of our data.
  • Enhanced Search Capabilities: The Recon Village at DEF CON 32 touched on the need for powerful search tools. Investing in or developing advanced search functionalities that allow for more nuanced queries and deeper insights is easily applicable to darknet data.
  • Focused Techniques: DarkOwl’s Data Acquisition services collect darknet data from various darknet forums, markets, and blogs. At DEF CON 32 the Recon Village had a talk on “Tapping the OSINT potential of Telegram”. This is by no means a new concept at DarkOwl; however, some of the new Telegram features and updates presented during this talk highlighted new avenues for DarkOwl to explore to enrich our data collections.

Most DEF CON villages relate to dark web activities. Not all dark web actors are lurking in basements; some are active professionals analyzing and exploiting network vulnerabilities. DEF CON offers valuable insights into these activities.

While dark web markets are rich in digital information, they also feature physical items that require traditional methods to obtain. This is why villages focused on physical security, like Lock Pick and Physical Security Villages, are so valuable. They provide more than just thrilling experiences; they offer practical skills that are applicable in various security contexts.

As we emerge from the shadows of DEF CON 32, it’s clear that the conference offers far more than a glimpse into the future of cybersecurity—it provides a roadmap for navigating the complex and ever-evolving landscape of the dark web. The insights and innovations unveiled at DEF CON 32 empower us to refine our strategies, enhance our tools, and approach our mission with renewed vigor. For those of us on DarkOwl’s darknet data collection team, these revelations are not merely academic; they are actionable strategies that can redefine how we detect, analyze, and respond to emerging threats against our clients.

In a realm where information is power and the stakes are high, staying ahead of the curve is imperative. DEF CON’s blend of cutting-edge technology and real-world application strengthens our abilities to turn the dark web’s complexity into a manageable and insightful asset.


Democratic National Convention Monitoring

August 21, 2024

DarkOwl analysts are monitoring deep and dark web actors for mentions of the Democratic National Convention being held this week at the United Center and McCormick Place in Chicago from August 19-22. Analysts have observed an increase in chatter pertaining to the DNC, with numerous extremist channels, boards, and forums discussing the convention and in many cases amplifying misinformation pertaining to the DNC and planned protests.

Notably, since the start of the DNC on August 19, DarkOwl has located false claims of “chaos” erupting at the convention, often in conjunction with Islamophobic rhetoric directed at pro-Palestinian protesters. Multiple individuals and groups on the deep and dark web are contributing to fueling fear and panic by misrepresenting protests scheduled to be held throughout the week and exaggerating risks. Far-right, white supremacist groups are actively amplifying this rhetoric by spreading misinformation claiming that an “insurrection” and “civil war” is occurring in Chicago this week. In contrast to these false claims gaining traction online and being promoted on the dark web, the protests held on the opening day of the DNC remained predominantly peaceful.

In addition to protest-related chatter, according to open sources, on August 20, bomb threats mentioning the DNC were reportedly received by four Chicago hotels hosting convention attendees. Police are investigating and several dark web channels have since picked up on the news, sharing the headline. The incident comes amid an increase in false bomb threats and swatting incidents targeting a variety of facilities over the past two years.

Ultimately, at this time, DarkOwl has not located any credible threats directed at the DNC, but is continuing to closely monitor threat actors for concerning rhetoric. The DNC has been designated as a “National Special Security Event,” and the U.S. Secret Service is responsible for securing convention venues with assistance from the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), Federal Bureau of Investigation (FBI), and other agencies. Chicago residents have been encouraged by emergency officials to subscribe to DNC alerts by texting “DNC” to 226787. 


DarkOwl will continue monitoring darknet activity around the upcoming election.

Copyright © 2024 DarkOwl, LLC All rights reserved.