TheDarkOverlord: This Week's Busiest Hacker

At OWL Cybersecurity, we routinely follow certain threat actors because of their tendency to leak data containing personal records (such as full names, phone numbers, and email addresses) or other confidential or compromising information.

One such entity - or potentially a collection of personas - is the now infamous threat actor known as "TheDarkOverlord," a hacker who regularly targets the digital records of medical clinics and healthcare-related affiliates, which often contain hundreds of thousands of patient records. TheDarkOverlord recently gained notoriety for hacking into Netflix and prematurely releasing the fifth season of Orange is the New Black. TheDarkOverlord has stayed busy this week, just yesterday leaking a large quantity of confidential health records, and, according to our research, potentially getting doxed themselves.

Intelligence findings


TheDarkOverlord (otherwise known on social media as @tdohackr3 or @thedarkoverlord), has attained significant public notoriety for their prowess on the internet.

This past week, they targeted Netflix, calling them the “loathsome giants” on Twitter, shortly before releasing the latest season of Orange is the New Black (OITNB) on the popular torrent website The Pirate Bay.


Netflix had teased a debut date of OITNB for June, but, unfortunately for them, TheDarkOverlord decided to take matters into their own hands. After Netflix and its affiliate third party vendor, the post-production company Larson Studios, Inc., refused to pay the requested ransom of 50 BTC (approximately $80,675 USD at the time of writing), TheDarkOverlord released links to 10 of 13 episodes.

DataBreaches.net obtained a copy of a contract that appears to be between the CFO of Larson Studios and TheDarkOverlord. The breach is believed to have originated at Larson, a post-production company that works with large networks such as ABC, CBS, NBC, and Fox.

In another tweet, it was suggested that other studios and channels may be the next targets.


TheDarkOverlord addressed Netflix directly in a press release on the popular paste site Pastebin.com (frequently used for doxing), alluding to “others” on whom they allegedly hold proprietary data and suggesting they may plan to hold this data for ransom in the future.

It didn’t have to be this way, Netflix. You’re going to lose a lot more money in all of this than what our modest offer was. We’re quite ashamed to breathe the same air as you. We figured a pragmatic business such as yourselves would see and understand the benefits of cooperating with a reasonable and merciful entity like ourselves. And to the others: there’s still time to save yourselves. Our offer(s) are still on the table - for now.
— TheDarkOverlord

The exploitation strategy

At this time, we do not have sufficient evidence to state the exact technical approach that TheDarkOverlord employed against Larson Studios. However, initial research by OWL Cybersecurity analysts yields several observations.

Larson Studios' commercial website was designed with Microsoft FrontPage 12.0. FrontPage is a discontinued, more than 20-year-old "WYSIWYG" (What You See Is What You Get) HTML editor and web site administration tool that was branded as part of the Microsoft Office suite from 1997 to 2003. This version of Microsoft FrontPage has over two dozen known and documented security vulnerabilities. Several of them leverage the remote-administration nature of the FrontPage Server Extensions; for example, one exploit delivered over the File Transfer Protocol (FTP) allows an attacker to run a binary file on any server that runs the FrontPage extensions and also permits anonymous, writable FTP access.

While the audio production data is likely stored on a different server, the use of antiquated and potentially exploitable software may allow an attacker to upload a remote access trojan (RAT) or backdoor to the web server, for instance. The ultimate goal would be to pivot from there to gain unauthorized access to the network or to the machine storing the OITNB episode files.

Source: Matt Shannon’s DEF CON presentation on FrontPage Extensions and How They Can Be Exploited to Hack the Web Server

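The two conditions described above (a site still built with a legacy FrontPage-era tool, and an FTP service that accepts anonymous uploads) are both things a defender can audit on their own hosts. The following is an added example written for this post, not code from OWL Cybersecurity or from the DEF CON talk; it assumes the authoring tool is advertised in the page's meta "generator" tag (a common but not universal convention) and that the FTP daemon is vsftpd, whose configuration keys it checks. The HTML page and the configuration file are constructed samples.

```python
from html.parser import HTMLParser

# Constructed sample page: the generator tag value is made up for this example.
SAMPLE_HTML = """<html><head>
<meta name="GENERATOR" content="Microsoft FrontPage 12.0">
<title>Example</title></head><body></body></html>"""

# Substrings that mark authoring tools a defender should flag for review.
LEGACY_GENERATORS = ("frontpage",)


class _GeneratorScanner(HTMLParser):
    """Collects the content of every <meta name="generator"> tag in a page."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))


def find_legacy_generator(html):
    """Return the generator strings in `html` that match a legacy tool."""
    scanner = _GeneratorScanner()
    scanner.feed(html)
    return [g for g in scanner.generators
            if any(tool in g.lower() for tool in LEGACY_GENERATORS)]


# Constructed vsftpd.conf sample showing the weak (anonymous, writable) setup.
SAMPLE_VSFTPD_WEAK = """\
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
# anon_mkdir_write_enable=NO
"""

# The corrected counterpart: anonymous logins disabled entirely.
SAMPLE_VSFTPD_FIXED = """\
listen=YES
anonymous_enable=NO
write_enable=YES
"""


def parse_vsftpd(conf):
    """Parse key=value lines of a vsftpd.conf, ignoring comments and blanks."""
    settings = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().upper()
    return settings


def anonymous_writable(conf):
    """True if anonymous FTP users could upload files or create directories.

    vsftpd only honours the anon_* write options when both anonymous_enable
    and write_enable are YES, so those gate the check.
    """
    s = parse_vsftpd(conf)
    if s.get("anonymous_enable") != "YES" or s.get("write_enable") != "YES":
        return False
    return (s.get("anon_upload_enable") == "YES"
            or s.get("anon_mkdir_write_enable") == "YES")


if __name__ == "__main__":
    print("legacy generators:", find_legacy_generator(SAMPLE_HTML))
    print("weak config anonymous-writable:", anonymous_writable(SAMPLE_VSFTPD_WEAK))
    print("fixed config anonymous-writable:", anonymous_writable(SAMPLE_VSFTPD_FIXED))
```

Run it over your own rendered pages and FTP configuration files; a hit on either check is a reason to retire the authoring tool or disable anonymous uploads, and neither finding by itself proves a compromise.
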
The breaches don't stop there

TheDarkOverlord has historically used Twitter to draw attention to their efforts, often dropping vague hints to their more than 8,000 followers, such as “It’s nearly time to play another round,” a couple of days before publicizing another data breach.

As recently as yesterday they went live again, this time returning to their usual targets, which have historically been medical organizations. Yesterday's release, published on the New Zealand-based cloud storage site mega.nz, contained over a hundred thousand medical records. As part of yesterday's larger medical breach, TheDarkOverlord also re-targeted their old foe, Aesthetic Dentistry, on whom they had previously set their sights (back in October 2016) and from whom they have since sought retribution for "the way [they] were treated by [their] target.”


Is TheDarkOverlord the latest target?

Many of the recent comments directed to TheDarkOverlord on Twitter are related to the Netflix and healthcare breaches, and appear to call the threat actor out for not pursuing more significant targets, such as political or government organizations. This growing public animosity may have resulted in some serious consequences for the hacker, as it now appears that they may have been targeted themselves.

Posts by a guest user on Pastebin.com titled “TheDarkOverlord Dox,” which have since turned up in our darknet database OWL Vision, appear to contain personal information for the well-known threat actor, including an address and phone number, alternate user names, and a PGP fingerprint. According to the post, which has not been verified, the entity known as TheDarkOverlord is affiliated with a 44-year-old male from Glasgow, Scotland named Craig Bell.

While this information has yet to be confirmed, it is clear TheDarkOverlord has enemies as well as followers. The Twitter handle @tdoHack3r was trolled only days later by a Twitter account with a similar but distorted avatar, and the handle @thedumboverlord was established this past week.