RSA Conference in San Francisco, this year held May 6-9, is one of biggest and most anticipated cybersecurity events of the year. The DarkOwl team plans and looks forward to RSA each year; to see friendly and new faces alike, hear the latest trends, news and innovations in cybersecurity, share our latest product updates and offerings, and of course have some fun around San Francisco. This year, the team had a booth on the show floor, a private meeting space around the corner from Moscone Center to hold one-to-one meetings with prospects, partners, press, and clients, and for the first year ever, host a party with several of our customers and partners on Tuesday night!
“The Art of Possible”
The RSA Conference slogan, “Where the World Talks Security” is the perfect quick elevator pitch for what happens each year at RSA – thousands of security professionals from around the globe gather together to hear and discuss new and leading perspectives, innovation and best practices. The most memorable RSA moments can be found on their website here.
The theme of RSA this year was “The Art of Possible.” According to Dr. Hugh Thompson, Executive Chairman of RSAC and Program Committee Chair in his keynote speech describes the theme as “a phrase that, on the one hand, is meant to inspire hope, but it also serves as a warning. We should never underestimate what is possible by our adversaries.” It is a great point as over 40,000 cyber security professionals across 130 countries around the globe all gather at RSA.
DarkOwl Highlights
Representing the DarkOwl team, we had several executive team members, sales reps, customer success managers, and analysts present manning the booth and holding private one-to-one meetings. Of note, DarkOwl Chief Business Officer, Alison Halland, shared, “Great week of seeing new and friendly faces alike – tons of great conversations, especially at the booth which a welcomed change of pace – not just attendees looking for some freebies, but genuinely interested in what DarkOwl has to offer.” Magnus Svärd, Director of Strategic Partnerships, echoed that sentiment, “RSA this year was the busiest yet with a higher number of meetings compared to previous years. The names of the companies were top tier visiting the booth.”
Big shoutout to all our customers and partners that stopped by the booth to say hi, see the latest updates and provide feedback. These face-to-face conversations are invaluable to us as we work towards making darknet data relevant, actionable, and digestible for all our clients!
Showcasing Customers and Partners
This year, we were happy to host several sessions at our booth, highlighting the work that we do with different customers. We hosted OSINT Combine, Silobreaker, Authentic8 and Datastreamer. This was a great way to showcase how we work together. Below, we briefly summarize how DarkOwl works with each of these companies.
OSINT Combine
This collaboration empowers OSINT Combine’s clients with access to DarkOwl’s extensive darknet database, bolstering their open-source intelligence capabilities and enabling them to address complex operational requirements more effectively through training, software solutions, and consulting services. Read more.
Silobreaker
DarkOwl’s robust darknet data enables our customer, Silobreaker, to provide their customers enriched monitoring of deep, dark web and dark web adjacent sites to help identify risk at scale and drive better decision-making. Use Case here.
Authentic8
This partnership brings together the advanced technologies and expertise of both Authentic8 and DarkOwl to address the escalating challenges posed by cyber threats. By combining DarkOwl’s comprehensive darknet database and monitoring capabilities with Authentic8’s Silo cloud browser, which is known for its secure browsing environment, organizations will gain unprecedented visibility and protection against cyber threats surfacing on the darknet. Read more.
Datastreamer
With Datastreamer and DarkOwl’s combined solution, organizations can integrate dark web data without in-house engineering teams needing to maintain complex data pipelines. Furthermore, analysts can broaden coverage by merging additional web data including TikTok, Threads, news, forums and more. Previously raw unstructured data is federated for analysts to perform queries and real-time surveillance as easily as they would with structured data. Learn more.
Product Highlights
Ahead of RSA, the team put together several product highlights and updates to be able to share on the showfloor. Below, we outline a few of them, but a full blog of Q1 product highlights can be found here and a summary 1-Pager here. Curious about how any of these can help your use case? Contact us!
Access the Darknet Safely and Securely Directly from DarkOwl Vision
Last quarter the team released “Direct to Darknet” within Vision UI in partnership with Authentic8, a leading provider of cloud-based secure browsing solutions. This feature allows users to further investigate Vision UI search results on forums, marketplaces, and other Onion sites. This can be helpful for an investigation to view the original website, view images or advertisements that may be on the sites, take a screenshot for reporting, and more. By combining DarkOwl’s comprehensive darknet database and monitoring capabilities with Authentic8’s Silo cloud browser, which is known for its secure browsing environment, organizations will gain unprecedented visibility and protection against cyber threats surfacing on the darknet.
Collection Stats
Last quarter showed tremendous growth in data collection. The team had 5% growth quarter over quarter in added Tor documents, 27% growth in I2P documents, 31% growth in ZeroNet documents, 15% growth in records from Telegram, to highlight a few.
A Watchful Eye Evening
On Tuesday night, for the first time, DarkOwl hosted a happy hour after the show floor closed… and what a fun night! We’d like to extend a huge thank you to our co-sponsors, Doppel, OSINT Combine, and Socialgist. From networking with net new prospects, current customers, partners and everything in between, it was a great event and we hope that everyone that attended enjoyed their evening. If you didn’t get an invite this year, make sure to ask for invite next year! We would love to see you and look forward to hosting again!
Didn’t get a chance to meet with our executive team at RSA? Contact us to set up some time to chat!
In December of 2023, DarkOwl analysts released a blog answering the burning question of “What are Stealer Logs”. In another piece, DarkOwl analysts presented an overview of the different types of Information Stealers (Info Stealers) that are sold on the Darknet.
Now, DarkOwl would like to shed some insight into info stealers from an engineering perspective, to further explore the functionality, specific behaviors, and technical characteristics of this sophisticated form of credential theft.
Info Stealers infiltrate systems and compromise data primarily through social engineering attacks. Common tactics include but are not limited to:
Phishing Emails
Malicious Websites
Exploiting Software Vulnerabilities
Remote Access Trojans (RATs)
Removable Media Attacks
Drive-by-Downloads
Info stealers are very sophisticated forms of malware, and the complexity of the modular architecture allows them to often go undetected even by anti-virus software. While each type of info stealer does vary in its level of refinement, as they are still relatively new but rapidly evolving, this review will be focused on generalizing key elements commonly found in info stealers. Info stealers are known for their evasion techniques and for targeting what people want to protect, their private information, credentials, and financial data.
Info Stealers
Part of what makes info stealers so sophisticated are their complex modular architecture. A simplified overview of that architecture includes the following key elements:
Core Engine Module
Communication Module
Data Collection Module
Encryption Module
Exfiltration Module
Evasion Module
To understand what each of these modules are and their functionality within a stealer log we will review each term and look at a very basic version of the complex code that is used to design an Information Stealer.
Core Engine Module
This serves as the central intelligence hub of the info stealer and manages its functionality. The core engine drives tasks such as initialization and configuration of all the other modules coordinating their actions. It also initializes the malware, establishes communication with the command control (C2) server and houses the execution codes for the other five modules.
Below is a basic sample of what part of the code for a Core Engine could look like:
Keylogger – provides a basic framework for logging keystrokes
log_keystroke – this captures and logs keystrokes
save_logs – method used to save and send the logged keystrokes to a remote server
start_logging – acts as a place holder for when to start the keylogging process
Communication Module
This establishes and maintains communication with the C2 server, handles sending/receiving commands, transmission of stolen data, and maintains a covert channel of communications. Generally, this module will have some form of encryption in place to prevent the interception of the data that is being stolen as well as protecting the location of where the stolen data is being sent.
Below is a basic Communication Module code to demonstrate part of the module’s functionality:
request – this library is used to send a HTTP request to the C2 server
send_request – sends what is called a POST request to the C2 servers URL which generates a JSON response
handshake – initiates communication with the C2 server and contains information about malware versions, system architecture and contains the installation ID
execute_command – simulates the execution commands from the C2 server
exfiltrate_data – simulates the exfiltration of the stolen data
Data Collections Module
The responsibility of this module is to identify and harvest the data the threat actor is after once the system has been infected. The Data Collections Module can house a large array of submodules for specific forms of data the threat actor wants to collect. Common forms of data such as PII, financial data, device information, Geo locations, and personal photos would all require their own submodule to identify. In addition to the targeted data, the Data Collections Module also collects from numerus other sources such as browsers, system files, and apps installed on the device.
Below is a basic example to demonstrate the structure and functionality of Data Collections Module often found in info stealers:
keystroklogger – mentioned above in the core engine module
NetworkMonitor – captures network traffic (a placeholder) and sends it to a remote server.
DataExfiltration – mentioned above in the core engine module
If _ _name_ _ == “_ _main_ _”: – this creates a block instance of the three submodules are created, and separate threads are started to run their respective functions concurrently
Encryption Module
This provides cryptographic functionality and encryption keys used to communicate with the C2 server. As ironic as it seems the use of strong encryption algorithms (AES) is used to prevent interception of “unauthorized” access to the data that is currently being stolen. Only instead of protecting the device owner from the threat actor it is protecting the threat actor from the device owner, authorities, and aids in keeping the info stealer from malware detection.
Below is an example of one type of AES often used in info stealers:
EncryptionModule – methods for encrypting/decrypting data with the use of the AES algorithm
encrypt_data – imports plaintext data, encrypts it using AES, and outputs encrypted data as a “base64” encoding string
decrypt_data – does the reverse action of “encrypt_data”
if _ _name_ _== “_ _main_ _”: – generates a random encryption key
Exfiltration Module
This module handles the transmission of the stolen data once it has been encrypted. Exfiltration module formats the encrypted data into messages and sends them through the communications channel established by the communications module. This module often includes contingencies for when there are network interruptions, failed transmissions, and bandwidth issues.
Below is an example of the type of code that could be used in the Exfiltration Module:
ExfiltrationModule – this is a class that will provide a method to send the stolen data to the remote server
send_data – takes the stolen data as an input and sends it to the designated server URL
if _ _name_ _== “_ _main_ _”: – creates and instance of the exfiltration module with the URL of the remote server
data_to_exfiltrate – stolen data is sent to the remote server
Evasion Module
Just as it sounds this final module is responsible for the evasion tactics to evade malware detection by software and humans. Some common evasion techniques include polymorphism, obfuscation, and anti-debugging to hide the malware. This module acts as a chameleon as it continually adapts and evolves to remain under the radar. This is a highly scalable and adaptable to the various environments and target systems but below is a simple example of what the code could look like.
EvasionModule – defines the methods for simulating normal user activity while detecting virtualization/sandboxing and analysis tools
simulate_normal_activity – mimics typical user behavior, by opening files, browsing websites, or launching apps to hide amongst legitimate activity
detect_virtualization AND detect_analysis_tools – check for signs of virtualization/sandboxing and the presence of analysis tools
if _ _name_ _== “_ _main_ _”: – the EvasionModule class is created, and the evade_detection method is called to start the evasion process.
There is no doubt about it, information stealers are a formidable threat to cybersecurity on multiple levels. Info Stealers are sophisticatedly engineered to stealthily execute malicious intent. By studying the architecture, functionality, and technical characteristics through an engineering perspective, cybersecurity analysts can gain a deeper understanding of how to create effective countermeasures and create robust detection strategies.
Internet censorship is arguably a critical threat facing freedom of expression and access to information today. This is especially true for countries where access to information is restricted by governments or other controlling entities. For many countries around the world, controlling entities use various tools, techniques, and technology in order to control and restrict access to certain websites and publicly available content. The Tor Project’s response to such targeted censorship is WebTunnel.
In this blog, DarkOwl analysts summarize WebTunnel, not to be confused with TORTunnel, what it is, how it is implemented, and the impacts it has.
Released March 12th, 2024, WebTunnel is a bridge developed by the Tor Project that allows users to bypass censorship by disguising traffic to mimic encrypted web traffic. Essentially, WebTunnel helps users evade censorship by hiding traffic in plain sight. The bridge tunnels TOR traffic by wrapping the TOR connection in a websocket-like HTTPS connection, making traffic more difficult for tools, techniques, and technology to detect and block. The Tor Project designed WebTunnel to be easy to use and simple to deploy.
Key Features:
HTTPS Tunneling:
Uses HTTPS tunneling to mimic ‘normal’ HTTPS traffic
Obfuscation:
Uses obfuscation techniques to disguise Tor traffic
User-Friendly Interface:
Designed to be user-friendly and easy to use
Configuring a TOR browser to use the new WebTunnel feature is easy. Users simply navigate to the TOR Project bridges resource from any browser, select “webtunnel”, and copy the provided line. The user then simply opens the TOR browser, selects “add a bridge manually”, pastes the copied line, and restarts the browser. No further modifications or configurations are required.
Tor provides individuals with a means to protect and obfuscate online privacy and anonymity, enabling users to browse internet connected resources without potentially revealing personal or location data. WebTunnel has the potential to significantly impact censorship evasion by providing users with an easier, more effective and reliable means to access restricted content.
Impact
The availability of features like WebTunnel impacts corporate security and further extends the corporate risk surface. Corporate security policies and technology often lock down networks and devices to protect the organization. Anonymity driven tools and features often allows users to bypass corporate defenses to browse the totality of the internet both good and bad. While it’s fair to assess most users using privacy-driven tools to bypass corporate security policies, technology, and controls are likely not doing it out of spite or hostility towards the organization, these users often lack the guidance and information on why these tools and features should not be used to bypass corporate defenses.
Educate users on the risks bypass tools expose the organization to and why such tools are not allowed inside the corporate environment or on corporate devices. Allow staff to understand the potential impact and outcome. TOR is a tool neither good nor bad until assigned an action by the user. Encourage staff to include the security of the organization in their decisions.
The Islamic extremist group formerly known as ISIS (Islamic State of Iraq and Al-Sham) or IS (Islamic State), a designated terrorist group, came to prominence in 2014, formed from al-Qaeda linked groups, declared itself a caliphate and occupied territory in Iraq and Syria. IS is a transnational Islamic extremist movement that now has more widespread support today in parts of Africa and Asia than at the time of its formation in 2014. The group has been responsible for and inspired terrorist attacks throughout the world, killing and injuring thousands.
Figure 1: ISIS Flag
The group has remained active and strengthened despite losing most of its territory in 2019 and receiving less attention in Western media headlines. They have continued to operate in a clandestine fashion and continue to have operations in Iraq, Syria, Africa, Asia, and Europe.
When Hamas attacked Israel on October 7, 2023, IS saw this as an opportunity to increase their exposure and began to release propaganda to more mainstream media outlets. Although the groups are not affiliated, they share some common ideals. Western Intelligence chiefs have warned that the threat from Islamic extremists is increasing.
In this blog, DarkOwl analysts review recent terrorist attacks from IS and the groups activity on Telegram and Rocket.Chat.
Recent Attacks
In March 2024, the IS affiliated group Islamic State in Khorasan (ISKP) claimed responsibility for a deadly attack in Moscow. This came after they had conducted two bombings in Iran in January. The attack in Moscow targeted a concert venue, as had previously occurred at the Bataclan in Paris in 2015 and the Manchester arena bombing in the United Kingdom in 2017, highlighting a continued modus operandi.
Lone wolf attacks have also been reported. In October 2023, an individual claiming to be a member of IS, shot dead two Swedish football fans in a reported response to the burning of the Quran in Sweden.
France raised its domestic threat level, after a suspected Islamic extremist stabbed and killed a teacher and wounded three others at a school in the north of the country in October 2023. Authorities stated at the time that they believed this attack was linked to the Hamas attack in Israel. In reaction to this, France deployed 7,000 soldiers to the region. The terror alert remains at the highest level in France, having been raised after the attacks in Moscow. As France prepares to host the summer Olympics, and recently hosted the UEFA cup final, they are a prime target for IS attacks.
Figure 2: Propaganda released by ISIS highlighting its recent “successful” attacks on RocketChat and other chat applications
DarkOwl analysts have also observed IS propaganda which boasts about recent “successful” attacks. A staple of their weekly productions since 2016, the poster named “Harvest of the Soldiers” details the numbers of those killed and injured, property damaged, and vehicles destroyed. The most recent publication identified by DarkOwl analysts on a Rocket.Chat server, claimed 39 operations in a single week.
ISIS Propaganda on Messaging Apps
DarkOwl analysts regularly monitor Telegram and other messaging apps for extremist activity, identifying new channels, and monitoring for threats. As well as Telegram, DarkOwl have identified extremist channels on Rocket.Chat and a newer platform known as TeleGuard. These channels are mainly used to promote propaganda and radicalize new members rather than strategically planning operations and attacks.
Telegram
IS accounts are regularly banned from Telegram, this came after pressure from countries that claimed Telegram was a breeding ground for terrorist activity. However, this is one of the only topics that Telegram bans, with users regularly discussing criminal and right-wing extremist activity. Despite this, they are diligently removing IS linked channels, which are often shut down shortly after their creation. There are also channels on Telegram which purport to “hunt” IS related channels, presumably reporting these to Telegram for removal as they are discovered.
Despite this, Telegram channels reportedly controlled by IS members for disseminating propaganda continue to appear. DarkOwl analysts have observed invites to these channels being shared on other messaging apps that are not so quick to remove accounts allegedly associated with IS.
RocketChat
While they struggle with Telegram, this religious extremist group seems to have found a haven on Rocket.Chat. Rocket.Chat is a messaging app that was founded in 2015. It describes itself as a fully open-source communications platform which has been developed for organizations to enable team communications, discussion with other companies, and customers with privacy and security top of mind.
However, other users have also adopted this platform, including IS, where they can communicate securely. The group has multiple channels within a server for different topics, some of which are read-only and others with which users can chat together. Images, pdfs, and mp4s are commonly shared depicting recent operations, violent attacks, and other propaganda messages.
DarkOwl are increasing our coverage of this messaging platform to ensure that we are able to identify any threats that are being discussed.
TeleGuard
DarkOwl analysts recently identified a relatively new messaging app which is also being utilized by ISIS affiliated users to share propaganda and communicate.
TeleGuard is a messaging platform which has been developed in Switzerland, claiming to be developed with privacy in mind. The developers claim that all transmitted data is encrypted, data is located in Switzerland and there is no need to connect to a telephone number and no user identification data is collected. These anonymity features make the platform very attractive to those wishing to communicate about nefarious topics.
Figure 5: Official ISIS server on TeleGuard
DarkOwl analysts were recently invited to the above channel linked to ISIS. We will continue to monitor for new and emerging threats using this messaging platform.
As messaging apps become more focused on privacy and security, often encrypting all messages, they will continue to be a popular vehicle for terrorists and criminals to communicated. As some apps develop and become more discerning about what information should be shared on their systems, actors will move to other apps which are more sympathetic to their cause or simply do not care about what information is shared.
Threats Against the UEFA Cup Final
In early April 2024, through the monitoring of IS affiliated Telegram and Rocket.Chat channels and servers, DarkOwl analysts identified posts calling for lone wolf attacks at the UEFA Champions League Quarterfinal7 matches which were to take place between April 9 and April 17 2024.
Five identified images have been shared across Telegram channels and Rocket.Chat servers that pledge both official and unofficial support for the Islamic State. These images call for Islamic States supporters to target the four stadiums hosting the UEFA Champions League Quarterfinal Competition in Madrid, Paris, and London.
Figures 6 and 7: Images naming the stadiums to be targeted
More information was provided in another image which gave individuals instructions on how they should target the stadiums. The below image suggests potentially targeting the three entrances of the Emirates Stadium in London, England.
Figure 8: Image encouraging lone wolf IS sympathizers to strike the 3 entrances at Emirates Stadium in London
A further post aimed to invoke sympathy for the cause of the Islamic State and to “recreate the glory of the 2015 Paris” attack. Rhetoric of this kind heightens the threat to France, given previous attacks and upcoming events. It is a common tactic to evoke previous attacks and the “martyrs” they claim are associated with them.
Figure 9: Image encouraging sympathizers to target Stadion Parc de Princes in Paris
Meanwhile, another post also called for IS supporters to target these gatherings with IEDs (Improvised Explosive Devices) and “decoy devices,” again providing followers with ideas for how they could successfully target the event. These are tactics that could also be used at other events in the future.
Figure 10: Image encouraging sympathizers to target Santiago Bernabeu in Madrid
Fortunately, no attacks occurred at the Quarterfinal match or the subsequent Semi-Final. The final is due to take place on June 01 in London, England. Our analyst team continues to closely monitor ISIS primarily on Rocket Chat for any further threats or calls to arms, and will post any updates on our social channels: LinkedIn and X.
It is assessed that the threats at the UEFA Quarters were an attempt to obtain media headlines and to cause panic in the West. Analysts expect similar lone wolf calls to arms will emerge and increase as we approach 2024 Summer Olympics in Paris, France. France remains on high alert.
Counterterrorism experts have noted that IS does not always announce their targets. For instance, the attack in Moscow was not highlighted as a target prior to the attack, although western intelligence agencies did warn Moscow of a heightened risk. The appeal to target the Champions league appears more like a propaganda exercise, likely in part motivated to cause fear and spark a reaction from the West. However, these threats should not be underestimated, and caution is advised as lone wolf actors have been incited towards violence by these groups in the past and the lone wolf attacker is usually one of the harder targets for law enforcement to intercept.
Conclusion
Recent events have highlighted that IS and their affiliates remain active and deadly. While they continue to conduct attacks in many different countries, it is important that we monitor their communications to identify potential threats and targets, so organizations can be on alert.
As we reported last week, the popular data sharing dark web forum, BreachForums was seized by Law Enforcement. At the time of writing one of the clearnet mirrors was still up and pointing to a new Telegram channel promising to be back soon.
By 23 May, BreachForums was back with a new onion address, the administrators ShinyHunters announced the new site on Telegram. Initially only those who had previously had an account were able to enter. Whereas its predecessor had many open areas the new site required users to login before any information could be shared. However, a few days later registration was opened.
Many in the community have speculated that this new site is a honeypot from Law Enforcement and are avoiding it. However, ShinyHunters have been posting large leaks from well know organizations such as Ticketmaster which some have speculated is to increase interest in the site again.
Others have decided to start their own site. Well known threat actor USDoD, who often posted on the now seized BF, announced via Twitter that he would be launching his own site called Breach Nation to be launched in early July.
DarkOwl analysts will continue to monitor both the new version of BreachForums and any new sites which pop up to replace it.
May 16, 2024
At around 8am PST on May 15 2024, BreachForums (BF), the infamous dark web marketplace known for trading in stolen data was seized by the FBI. The FBI declared that the site had been seized in conjunction with international law enforcement partners. In conjunction they also announced that they had taken control of Telegram channels which were linked to one of the administrators, Baphomet.
Figure 1: Seizure notice on BF 05/15/24
However, this is not the first time this site has been subject law enforcement action, with two of its predecessors having been seized.
History of BreachForums
BreachForums is the third in the line of dark web forums which was set up to trade in stolen data. Threat actors would upload data relating to companies which was usually stolen through hacking activity but also though scraping and unintentional open access. The site was also used to sell access to others, with initial access brokers selling access to corporations for large volumes of money. Other services were also available as well as access to things like stealer logs and malware.
Figure 2: RaidForums Seizure Notice
The site which began this model was known as RaidForums, which emerged onto the scene in 2015 and quickly became one of the largest sites dealing in stolen data. The site was live until 2022 when the owner and administrator of the site known as Omnipotent, was arrested and charged with six criminal counts. Omnipotent turned out to be a 21 year old Portuguese national living in London named Diogo Santos Coelho who continues to fight his extradition to the US to be prosecuted. Ironically it was possible to identify Coelho’s true identify using the very breach data that he facilitated on his site.
Not long after the seizure of RaidForums an actor known as Pompompurin, who had been active on the site created a new forum which he named Breach Forums which would fill the gap which had been left by Raid. However the site did not operate for long, Pompompurin was arrested in March 2023 and a few months later the site was seized. The seizure notice included the avatar used by Pompompurin highlighting that he was a target of the investigation and likely how they had gained access to the sites backend. As part of the affidavit the FBI also confirmed that they had access to the BreachForums site.
Figure 3: BreachForum seizure notice June 2023
Pompompurin was exposed as Connor Brian Fitzpatrick, a 20 year old from New York State. He pled guilty to hacking and child pornography possession and was sentenced to 20 years supervised release.
The co-administrator of Breached with Pompompurin was known as Baphomet, he took control of the domain(s) in the period after Fitzpatrick’s arrest, however after a short amount of time he shut down the site claiming the FBI had access and it was not safe to use. A lot of back a forth between actors and across domains ensued, with warning not to trust new forums and leaks of BF users being circulated. Telegram was used heavily to communicate about the arrest and the possibility of a new site. However, Baphomet did later bring back the forum, reportedly partnering with a group known as Shiny Hunters, which were well known for selling stolen data they claimed to have obtained. Many in the community speculated that the new site was a LE (Law Enforcement) honeypot, but users continued to use the new site.
Latest Law Enforcement Activity
The latest iteration of BreachForums has been operating since mid 2023, operated by Baphomet. As well as being the administrator of the forum, he also maintained several Telegram channels relating to the forum, including on which was used to upload stolen data which was freely available to viewers of the channel.
Although the site was active for just under a year before it was seized some very high-profile breaches have been leaked to that site in that time including AT&T, 23&Me and T-Mobile. DarkOwl analysts have collected over 100 leaks from this site in the last year.
One actor who has been very active in recent weeks on the site and was also a moderator is known as IntelBroker who reports to be part of a hacking collective known as “CyberNi**ers.” (Redacted for sensitivity reasons). He has claimed access to data from corporations such as Hilton, Dell and Government access to the DOD, Canada and United Arab Emirates. As recently as May 15, he posted on BF claiming to have access to an Aerospace and Defense company, the site was seized shortly after.
Figure 4: Source: DarkOwl Vision
Last week he claimed to have data stole from Europol, specifically the EC3 group. Europol did confirm the data was from them although stipulated that no sensitive information was stolen. Some in the community have speculated that the release of this information is what led to Law Enforcement taking action against the site.
At the same time the BF site was seized a message was posted on a Telegram channel controlled by Baphomet, claiming that it was now under the control of the FBI. The same was true for a second channel also in his control. The post encouraged subscribers of the channel to report any information they knew to the FBI through a dedicated Telegram channel. DarkOwl analysts observed actors claiming that they had contacted the FBI and received a response although it is unclear if they were sharing any content of value.
Figure 5: Baphomet Telegram channel under control of the FBI
This marks one of the first times that the FBI have appeared to take action on the Telegram platform, presumably they have obtained credentials which allow them to control the channel rather than from cooperation with the owners of Telegram given the way the message was posted. This highlights the role that Telegram has with this underground community and how large numbers of actors are communicating.
Indeed, it was on Telegram that rumors started to circulate that Baphomet had been arrested. This was shared by several actors including Shiny Hunters and IntelBroker. Shiny Hunters also moved to make their Telegram channel private, meaning it could not be identified through a global search and only invited users would be able to see the content.
Figure 6: Telegram message from Shiny Hunters stating that Baphomet was arrested
We await confirmation from the FBI as to whether or not this is the case and who the individual behind the alias is. However, perhaps foretelling the arrest, the avatar of both Baphomet and Shiny Hunters was shown on the FBI Seizure notice behind bars.
Figure 7: Baphoment and ShinHunters Avatar behind bars on Breach Forum seizure notice
What Does the Future Hold?
Multiple Telegram channels have been very active over the last 24hrs with speculation about what has happened to the actors involved in BF and what sites should take its place. Two Breach Forums Telegram channels where data can be uploaded, and chat can be conducted remain active at the time of writing with documents being shared and rampant conversations held speculating on the arrest of Baphomet and the role of undercover agents on the site. There was also speculation about a site called Doxbin which seemed to go down at the same time, although operators are claiming to still have control of the domain.
A new channel was also created to share “news” and claiming they had warned that the site was an FBI honeypot the whole time.
Figure 8: Telegram Post claiming the forum was a honeypot the whole time
It is therefore clear that Telegram will have a role to play in whatever happens next for BreachForums and the users that make data available and purchase and download it.
There has also been speculation about what sites will fill the void left by BreachForums, with many existing forums being suggested as front runners. From the history of RaidForums to the current iteration of BreachForums it does seem likely that a successor will emerge whether that is a new or existing site.
DarkOwl analysts will continue to monitor the situation to identify what emerges.
Cybersecurity might has well have its own language. There are so many acronyms, terms, sayings that cybersecurity professionals and threat actors both use that unless you are deeply knowledgeable, have experience in the security field or have a keen interest, one may not know. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and in turn better protecting yourself, clients, and employees.
In this blog series, we aim to explain and simplify some of the most commonly used terms. In this edition, let’s dive into CVEs.
CVEs 101
CVE is an acronym thrown around frequently in the cybersecurity space. CVE stands for Common Vulnerabilities and Exposures. A CVE is a list of publicly disclosed cybersecurity vulnerabilities that are assigned a unique identifier called a CVE ID. According to the National Institute of Standards and Technology, CVE defines a vulnerability as “a weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety).” When a security vulnerability is identified, it receives a CVE ID number. This identifier is used to monitor and reference the vulnerability in security advisories released by vendors and researchers, and have a uniform way in searching the same vulnerability across databases.
The concept of the CVE database originated in a whitepaper by co-creators Steven M. Christey and David E. Mann of the MITRE Corporation. The initial CVE list was publicly available in 1999, and continues to grow. There are currently over 247,000 CVEs and in the first week of 2024 alone, over 600 were cataloged. The system is maintained by the United States’ National Cybersecurity FFRDC, which is run by the MITRE Corporation and receives finding from the US Department of Homeland Security’s National Cyber Division.
Keeping a record of all CVEs allows security and IT researchers to coordinate efforts in prioritizing and resolving these vulnerabilities. To keep CVE records organized, there is a CVE Program dedicated to identifying, defining, and cataloging publicly disclosed cybersecurity vulnerabilities.
Not only are CVEs important for keeping track of vulnerabilities in a way that is repeatable, searchable and trackable, but they raise security awareness. Because CVEs are publicly documented, there is better awareness of potential threats and security concerns. Individuals and organizations have the ability to search vulnerabilities and take the necessary actions to secure their computer systems and networks. CVEs allow security professionals to stay up to date on the latest security flaws and vulnerabilities.
CVEs in the Wild
CVE-2023-34362: MOVEit Transfer
In 2019, the Cl0p ransomware gang shifted their focus to exploiting the MOVEit vulnerability to target victims starting in May 2023, and they carried on with this campaign throughout the summer. They exploited the SQL injection vulnerability known as CVE-2023-34362 in the MOVEit transfer system, which is extensively utilized for managing file transfer operations across numerous organizations. Cl0p’s exploitation of this vulnerability had significant repercussions for several prominent brands and companies, garnering substantial media coverage. It’s estimated that roughly 2,000 instances of the MOVEit vulnerability were exploited, affecting approximately 60 million individuals worldwide. These figures may be conservative due to under-reported incidents and efforts by affected entities to conceal the extent of network intrusions. Nevertheless, experts projected that the group stood to gain around $100 million from exploiting this vulnerability. If this vulnerability were to be left unaddressed, it could lead to significant data breaches, loss of sensitive information, and severe disruption of services.
Figure 1: Initial vendor alert on the newly discovered MOVEit vulnerability; Source: Community Progress
CVE-2023-22515: Confluence Data Center and Server by Atlassian
Last fall, the Ukrainian Cyber Alliance (UCA) used CVE-2023-22515, which involves Confluence, to escalate privileges and access Trigona’s confluence server. They gained insight into the infrastructure and published Trigona’s support documents, exfilled the developer environment and information pertaining to Trigona’s crypto payments, as well as the back-end of Trigona’s chat service and blog/leak site details. After collecting all the information, UCA defaced and deleted Trigona’s site. Open CVE’s provide danger to all, including the cybercriminals who use the impacted tools.
CVE-2022-42475: FortiOS SSL-VPN Vulnerability
Continuing their world-wide efforts to infiltrate government, military, and key sources of intel, China exploited an extant Fortinet vulnerability (CVE-2022-42475) in early February of this year. This was done to deploy a backdoor named COATHANGER and gain access to a network used by the Dutch military. This was the first time the Dutch have publicly attributed a cyber incident to Chinese actors. This vulnerability, along with CVE-2023-22515, emphasize the importance of maintaining good security hygiene and always updating computer systems to the latest version.
CVEs in DarkOwl Vision
Cyber Actors Discuss CVEs on the Darknet
Cyber criminals and hackers frequently discuss vulnerabilities on the darknet for various platforms. Discussions of relevant software and exploitability of specific CVEs can assist an organization in determining potential unpatched vulnerabilities. Figure 2 shows a forum discussion about an exploit for CVE-2022-30190, which is a Microsoft office vulnerability that hackers can leverage for remote code execution.
Figure 2: DarkOwl Vision search reveals an exploit based on CVE-2022-30190; Source: DarkOwl Vision
Figure 3 shows a post to a hacker forum on the darknet by the user known by the moniker, PresidentXS, that discusses an Azure vulnerability, CVE-2019-1306, “Azure DevOps and Team Foundation Server Remote Code Execution Vulnerability.” An attacker successfully exploiting this vulnerability allows for malicious code execution on an ADO service account.
Figure 3: Source: DarkOwl Vision
Posts and discussion threads like these examples in DarkOwl Vision are useful for reviewing comments, exploring applications, and use cases for the vulnerability specifically.
Tokenization
Based on feedback from our customers, CVEs are identified and tokenized within our indexed documentation collection. DarkOwl Vision UI users can search for results containing a specific CVE number, as well as for results containing any number of CVEs. CVE tokenization makes it easier to search for CVEs along side keywords or other entities such as onion domains or threat actor aliases.
Figure 4: CVE search in Vision UI; Source: DarkOwl Vision
Actor Explore
DarkOwl’s Actor Explore feature provides invaluable insights into cyber threat actors, empowering security professionals, researchers, and organizations with analyst curated information about threat actors, enhancing their ability to understand and combat cybersecurity threats effectively. Each actor profile in Actor Explore includes a detailed dossier, offering an in-depth overview of the threat actor and includes extensive information such as darknet fingerprints, targets, tools, CVEs, contact information, and more. Actor Explore connects this information to our other data sets, including leak sites, ransomware sites, alias, cryptocurrency, etcetera that actors are associated with. This wealth of data enables users to gain a profound understanding of the threat actors, their tactics, and the potential risks they pose.
A DarkOwl Vision user can also search in Actor Explore by CVE. This filtering option makes it easier to find and compare actors of interest.
Figure 5: DarkOwl Actor Explore result for Cl0p and the CVEs they exploit; Source: DarkOwl Vision
Figure 6: Example of CVE filtering in Actor Explore; Source: DarkOwl Vision
Resources
Keeping up to date on CVEs is essential to maintaining a secure IT environment. Below are a couple free resources available for tracking and researching CVEs.
CVE Tracker: A New Motional Open-Source Tool for Tracking Common Vulnerabilities and Exposures. View tool here.
To take investigations the next step, root cause mapping of vulnerabilities is best done by correlating CVE Records. Check out guidance from Mitre here.
To see DarkOwl Vision and our collection of CVEs in action, contact us.
Last month, DarkOwl participated in GISEC Global in Dubai, UAE, for the seventh year in a row! GISEC Global describes themselves as, “the leading gathering ground for the cybersecurity community worldwide.” It is the largest cybersecurity event in the Middle East and Africa. At the event, one can expect the top government dignitaries and cyber leaders, CISOs from major corporations, regional and international innovators and global experts from top cybersecurity enterprises from over 40 countries in the Middle East, Africa, and Asia. Attendees have the opportunity to network with over 3,500 delegates and hear from over 500 top Infosec leaders across multiple stages. GISEC attendees come together to lead cybersecurity transformations across sectors and nations to learn from over 300 hours of content to best to boost cyber resilience for a safer digital future.
“Embark on a thrilling journey through the largest cybersecurity exhibition, where cyber competitions collide with live hacks, revealing true stories and offering unprecedented access to the minds behind the code….”
Representing DarkOwl at GISEC Global was David Alley, CEO of DarkOwl FZE based in Dubai and Magnus Svärd, Director of Strategic Partnerships, based out of DarkOwl’s headquarters in Denver, CO.
The DarkOwl team remained busy over the three days manning the booth, meeting new prospects, visiting with customers and partners, and showcasing our industry leading darknet platform, Vision UI. The DarkOwl booth saw visitors from India, Pakistan, Kyrgyzstan, Iran, Singapore, Tunisia, Malawi, Lebanon, UAE, Oman, Seychelles, Singapore, US, Canada, UK, Sweden, France, Austria, and more – a truly international presence. Magnus stated, “Visitors to the stand were constant starting 30 minutes into the conference. Suddenly the time was 4:40pm and first day was about to end.” This sentiment was shared across the 3 days, and David shared, “Three really busy days – the busiest GISEC.”
In addition to networking and conversations at the booth, top minds of the space have the platform to share thought leadership, innovations, and the latest in the cyber security space. Speakers were present from all around the world, including the UAE, Argentina, Kenya, UK, US, Singapore, Estonia, Brazil, Oman, Turkey, South Africa, India, Switzerland, Vietnam, Philippines, Saudi Arabia, Ghana, Lebanon, and many more. Topics ranged from harnessing AI for security resilience, keeping up with high-tech cybercrimes, building a strong cybersecurity ecosystem at national level, to mastering risk with real-world insights and strategies, and so much more. In addition, there were halls dedicated to just trainings, meetings and hands on workshops. This is a major benefit of GISEC Global – the emphasis on thought leadership, sharing information and education.
DarkOwl Analyst, Steph Shample, joins Authentic8’s Needle Stack Podcast to discuss dark web research and all its facets. From AI and other trends on the dark web to operational security, learn how to turn on the light beneath the surface of the internet.
Key Takeaways
AI and other dark web trends
Operational security in dark web research
How to search an unindexed environment
The links to the podcast, YouTube Channel, and the transcription can all be found below.
Transcription
Jeff: Welcome to Needlestack. I’m your host, Jeff Phillips.
Shannon: And I’m Shannon Reagan. Today, we are talking to Steph S., Senior Intelligence Analyst at DarkOwl. Steph, thanks for joining us.
Steph: Hi, Shannon. Hi, Jeff. Thank you so much for having me and for having DarkOwl. We’re so excited to be here.
Jeff: Well, let’s start with that, Steph. Um, to kick things off, can you tell us a little bit about, uh, DarkOwl for those that don’t know?
Steph: Absolutely, we are the world leading data provider of the dark web, deep and dark web as well as dark web adjacent technology. So think telegram discord those chat platforms. Also, the markets and forums that you see frequently in the news ransomware victim blogs where they advertise. Other general markets that sell malware, drugs, animals on the dark web.
So, we have a mixed manual and automated collection to safely get that, scrape that information, and then put it in a very friendly user interface or an API if you need. That way you can enrich that information with ClearNet, information from social media, all kinds of different enrichment that you can do to best paint the picture of where your exposure is on What precautions and mitigations you need to take. So it’s just a fascinating company. Truly. It’s really cool.
Shannon: It is very cool. I think Jeff and I are pretty jazzed about dark owl. This might seem like a silly question to you. Um, but what is your perspective of why? Companies, you know, need dark web intelligence, if not maybe going into the dark web directly.
Steph: Yeah, I get that. And no, I truly stand by no silly, no stupid questions. A lot of people really only know the dark web as it pertains to ransomware, right? They see, okay, ransomware is being announced on here, but there is so much more and there always has been so much more on there. So the dark web is not indexable, right?
You can’t Google on it. So you really do have to know a little bit more navigation of where you’re going, what you’re looking for. Why you should have it is because everybody these days is very, very concerned about privacy. So we all want to be online and be connected and have that social aspect. But we also want to try to reduce, you know, what we’re leaking, what we’re exposing.
Unfortunately, with everything these days, um, you know, phishing, Ransomware social engineering. There are so many ways that malicious actors infiltrate an organization or an entity and then sell or monetize that information, or they do it for their own notoriety. You as an organization have got to be aware of what’s out there.
You can’t just Google yourself or your organization and find all of the threats. When you’re caught up in data breaches that are sold online and then cross sold on a market, right? To maximize profit, you’ve got to take a look at what actors are doing with their IP addresses, how they’re innovating and just making their operations more quick, more quick, uh, more efficient.
They’re streamlining them. You’ve got to have the dark web piece of information because they’re very open and talk a lot on there. They train on another. They share in addition to saying. Yeah. I’m going to move my C2 from this provider to that, right? Or don’t message me on this platform anymore. I view it as unsecure.
Let’s all move to telegram discord. You’ve got to keep yourself informed on the dark web. I respect and realize it is not for everybody, but if you do have a presence on there, if you have an incident, you really do need that piece of information or you’re seriously lacking a part of the picture. Follow
Shannon: up to that for those that companies that aren’t, um, kind of I’m going to be chatting more about that. Um, either they may be put into a dedicated effort to understanding the information that is out there on the dark web, either they don’t aren’t staffed with the right people to do it. They maybe don’t have the right tools to do it. What advice do you have for people that think this isn’t for me?
Steph: Sure, yeah, I would say, take a look, right?
Take a look at any dark web service provider. Start a trial, start a conversation, go install tor, right? It’s really easy to do that. Tor is open source. You can download it and just self teach, right? So many people these days want to spend so much time on social media or posting pictures or what have you. Great. But there is a way for self empowerment to go educate yourself, type, uh, type something into a tour browser, take a look at what. People are using the dark web for, and educate yourself, you know, and if you don’t want to do that, then maybe look on LinkedIn or other social media, or just contact a company who does have dark web coverage and truly educate yourself before you make that final decision of, meh, I don’t need this.
Jeff: By the way, for some of our audience, I like to, I don’t know if I like to do this stuff, but TTPs, right? Tactics, techniques, and procedures.
Steph: Yeah, call me out. I’m going to throw every acronym in the book at you tactics, techniques, and procedures. So, for instance, I’m an Iran analyst by trade and Iran was really big about using European VPNs in their malicious operations.
So they would use namely Germany and the Netherlands constantly abuse when the European Union started to crack down on that. They moved to. Japanese infrastructure. That is a tactic technique and procedure that I observed. And then we put out in the researcher community, like, Hey, be aware, you know, you’re going to start to shift.
Jeff: Thank you for that. Um, of course, uh, pretty hot topic these days on the OSINT front, um, is AI. I guess AI is a hot topic on every front, but in specific to us, can you tell us a little bit about any AI trends you’re seeing on the, on the dark web when it comes to AI?
Steph: Absolutely. Yeah. It’s just like you said, everyone’s like, I want AI, but they don’t really know what AI is, but they want it.
Actors have embraced it and are successfully using it. So one use case that we are seeing constantly right now, fishing templates, right? Um, AI is enabling them to write a little cleaner. So there’s not as many English mistakes, grammar mistakes, what have you. And then previously, you know, you can code and you can automate and do all the things to really streamline your operation.
So previously actors would only be able to get those templates to maybe tens or hundreds of companies or organizations that they were trying to infiltrate. Now with AI, you’re getting up to. Thousands, if not tens of thousands, so they can work faster, get more. And it’s harder to tell who wrote this. You know, usually.
The joke is, of course, the Nigerian prince, or you get this email that’s riddled with so many grammatical mistakes. You’re like, really? But now that’s no longer the case. It’s not as easy to tell. And that’s probably the forefront of AI right now and how malicious actors are using them. It’s increasing their operation space.
Shannon: When we were talking ahead of the call, you mentioned that you have a linguistics background, maybe related to, you know, the AI space, you know, that there is such an element of writing and language as part of that. How, uh, Does linguistics play a role in OSINT or, you know, threat intelligence?
Steph: Of course. I’m so glad that there’s a space for that, right? So I think in tech, in AI, whatever you wanna call it, cyber tech, what have you, there is this misconception that you have to be a hardcore programmer, ones and zeros, coding, all the things, right? That there’s no space for other people. And I want to dispel that myth so, so, so much. Linguistics, especially. So, I started translating, you know, of course, and then French and Spanish and saying, you know, this is what they’re doing, et cetera, et cetera. That is happening online, right? Yes. Technology and the Internet. A lot of is in English 80%. I’ll give you guys that. But think of now, if you have kids or little cousins, little nieces and nephews, right? Number one, how can you even understand what they’re saying in the tech jargon and neologism now take that and try to translate from a Spanish little kid or a Persian little kid, right? Or even a Persian actor. So, you have to really be able to understand the nuance of language. If they’re circum locating around an operation, you know, if they say, hey, I’m going to buy this video game from you on steam or a gaming platform. It’s 1400 dollars. Are you good with that? And you’re like, yeah, What kind of video game is 1400 right now? There’s someone malware, right? Gotta pick out the nuance of the language. Translation will never go away. Yes, automation will help it. We’ll streamline it, make it faster. But humans always need that niche and always have to analyze the language, analyze the sentiment.
Those very, very fine things that You’ve got to have a background of, and you’ve got to understand with AI, it’s coming into tune as well. So, you know, word clouds, for instance, it’s a really great way to capture. We have so much data from AI word clouds come out. And let’s say it’s a protest, right? Protests are taking place. So the word cloud comes back, and Berlin is in huge letters, whereas Munich and other cities are smaller. So, you know, it’s like, okay, well, how is this represented? Does this mean I should pay attention to it? Does this mean it’s an anomaly? Should I throw it out? There are so many different ways to involve linguistics translation and just divergent translation. Thinking into this field. So whatever your background is, welcome come and also learn another language because cognitively speaking, I can’t even espouse the benefits enough. I will nerd out with you on a separate podcast.
Shannon: As a former creative writing major, I will welcome you into those.
Steph: Foreign language, linguistics for life.
Jeff: That’s funny. Can I just be a wannabe? Cause you know, I don’t know. It’s a little late to learn a new language
Shannon: anytime.
Jeff: Well, you have, um, a lot of passion about shining a light on the dark web. Um, obviously it’s, so it’s great that you’re a dark owl. Um, do you think shining that light and, and putting out more dark web education can actually start to have an impact or mitigate some of the threats or the particular threat actors?
Steph: It’s a great question. Uh, we are seeing reflections of security and clampdowns shape actors and where they’re moving what they’re doing, how they’re communicating. So I do think that if we keep this up. Yes, absolutely. And public education for cyber cybersecurity, you know, your 2 year old has an iPad. Your grandmother’s on Facebook. The entire spectrum of humanity is tech enabled. We need to protect them. They don’t know if they’re exposing themselves. Then you’ve got the people who use the same password for their corporate account versus again, personal accounts. There’s a lot of education to do. And I say all that because passwords are sold on the dark web, right?
Repeatedly passwords are then put to paste sites and, and put monetized that data, They’ll just put it on a free pay site for other people to use in their operations. I do think it’s a slow process. It’s slower than we would want. And that is tough because tech is so dynamic and move so quickly, but we cannot stop trying to educate and elucidate and really raise the problems of, Hey, this is not going to [00:11:00] stop. This is happening in the background and you’ve got to pay attention.
Jeff: You know, follow up when we were talking earlier, you mentioned, I believe the way you portrayed it was that with all that focus and attention on the dark web that you’re seeing them start to migrate to other platforms and other venues.
Can you talk a little bit about that?
Steph: Absolutely. Yeah. So, you know, dark web, the. onion sites are markets and forums, and you can basically go on. I’ll use dread as an example. Dread is basically the reddit of the dark web, right? It’s the same thing threads, forums, advice, communities, like minded people. So, dread, you can go on there and just find something that, you know, I want to sell malware.
I am, I’m looking for this. I’m having trouble developing this part of it of my malware operation or this code or whatever. Um, so it’s really just essential to. Follow that and follow the actors and they have openly stated, you know, think of Alphabay and Silk Road, those markets that went down. Think of recent ransomware groups have also gone down, right?
You’ve been arrested, taken offline. Those groups are talking, they are sharing in telegram in discord. And then, of course, on talks, which is primarily used for ransomware comms, but it is growing in popularity. Talks is just a peer to peer messaging system. Direct messaging. They are using more opsec. They are saying, do not post on this forum.
We think there’s a law enforcement presence. Contact me on telegram. They are using more controls on Telegram. So you can shape a channel that only you, the admin can post and nobody else can. So we’re definitely seeing them paying attention to what’s happening in the security and law enforcement world and applying that to where they’re moving more secure messaging platforms, direct messages versus public.
Shannon: It is tough to, you know, it feels like an arms race, like that. You’re always, you know, we’re all just chasing each other around the internet.
Jeff: I like that we’re all just chasing each other around the,
Steph: it was awesome.
Shannon: I do wanna talk about tools in a minute, but with [00:13:00] the constant changes in technology and uh, keeping up with threat actors. Is there any advice that you have, particularly for training or, um, you know, recommended forums and platforms that, you know, like dread on the dark web for threat actors?
Like, where do you find the kind of, um, threat intelligence folks getting the most value out of information sharing among other professionals?
Steph: Absolutely. So the two main ones that have really emerged are task forces and trust groups, honestly. So let’s start with task forces. We realize that it’s got to be Government, private and academia has to all participate to best shape and fight the threats we’re facing.
So find someone who’s in your geographical area of interest, right? If you have an interest in China, if you have an interest in Russia, find groups there, use LinkedIn, use all of those and then it’s usually private signal groups, or maybe a private WhatsApp group and there’s a lot of, you know, just that are shared in their talk amongst practitioners and the task forces really bring all 3 perspectives of those industries that are necessary.
Trust groups are. I know this won’t be popular, but analysts are skeptical by nature. Hi. Um, you know, we don’t trust anybody, but when you have a trust group that starts up, so for instance, when Afghanistan fell in 2021 and they were using Snapchat as well as some other hidden, um, underground communications to avoid the Taliban, to get people out of country who were very much in danger, a trust group started up with that for, you know, Operations, getting people to safe houses, monitoring what the Taliban were doing on Twitter, as well as other places.
It was similar with when Russia invaded Ukraine. Okay, find analysts, you know, who has on the ground experience, who has language experience, who has tech experience, especially, you know. What are the Russians using? What are they going after? So task forces and trust groups are one thing. GitHub. I would suggest combing that left and right.
Then I also really want to highlight. There are quite a few really great open source organizations out there. You know, I follow China, so I need to understand how to get behind the firewall. If I can, how do I pick up information or open source information on WeChat, QQ, et cetera, um, the digital Sherlock program handled that.
They have a by area, um, by area of operation, AOR, uh, program that you can do for free. All you have to do is apply, state why you need it. So there’s a lot of free open source training. You can never go wrong with the SANS course. They just do it. Started a cybercrime one, which I’m super excited to take. It’s to 500 level, so I’m gonna wait on that. But yeah, , um, the tech. And then also, I’m not gonna shy away from things like Coursera or Udemi. There’s plenty of baseline foundational classes that you can do on there. You don’t need to say, be a coder yourself, but maybe you wanna understand why your malicious actor is doing what they’re doing on the dark web.
Take a while, one, understand what’s happening, an object versus a whatever. Right. Immerse yourself and use those free resources, YouTube, Coursera, Udemy, work training, trust groups to really flesh out an area and flesh out expertise and share information.
Shannon: That’s great. Okay. Aside from groups, what are, uh, some of the tools with the right know how that you think are really valuable to, you know, dark web threat intelligence understanding?
Steph: Big that, uh, when I first got started years and years and years ago, and it’s still around dark dot fail, type that in your, in your tour browser, honestly. This is a, I give anybody who’s like, I’m curious about the dark web, but I’m also afraid, right? Understood. There are risks. Dark. fail is, is like a how to, it’s like lower than a one on one course, right?
Basically it gives you every listing of, okay, here’s a popular market. This is its onion site because onion sites are now at 57 characters. If I’m not mistaken, they used to be 22. We can memorize that. And it’s not like a google. com or it’s not like a authenticate. com. The URL doesn’t make sense. The onion ones are obfuscated for a reason.
Dark. fail lists them, lists if they’re up and down, lists if they’re temporarily unavailable, gives you the mirrors or the clear net site equivalents. And then another one I really love is ransomlook. io. That’s, of course, for ransomware, but that site also is amazing. Open source, type that in your browser. It gives you every single ransomware group that’s out there, right? What their blog looks like, what are some of their latest victims is their server up and running. In some cases, where do they host their server? So there’s no perfect way to index the dark web. But there are starting points. Those 2 that I just named to really get you started. And then that curiosity will take…
Shannon: over. I think that’s great to just recognize, you know, even like a tool like dark L is that, you know, a lot of the work can be done for you, but you can still utilize, you know, the intelligence and the information.
Steph: Yeah. And go, you know, whatever your provider is. We like analysts love writing and blogging and be like, this is what I discovered, right?
Go check out blogs from any company that has a dark web focused. If you’re curious, if you’re curious, they have wonderful insight, wonderful how to’s. And then generally they keep it short and sweet, right? Because we’re all busy. We don’t have enough hours in the day. So we’re not going to give you a PhD level thesis of this dark web actor.
We’re going to give you the nitty gritty. Here’s some IOCs, here’s some mitigation, Good luck, right? That’s what we’re going to try to do. So
Jeff: yeah, IOC indicator of compromise. There’s my value. Acronym value. That’s my value. You’re a cyber security linguist, Jeff. Or a linguist. Well, Steph, thank you for joining us today. And thank you to dark owl for letting you join us today. That was great. Much appreciated. Uh, and thank you to our audience for joining us. You can view transcripts and episode info on our website, authentic8.com slash needle stack. That’s authentic with the number eight and be sure to let us know your thoughts on social at needlestack pod and to like, and subscribe wherever you’re listening today and please tune in again next time for needle stack.
Steph: Thank you guys so much.
Learn more about the DarkOwl and Authentic8 partnership here.
Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
A March 2024 email campaign targeting German organizations was possibly authored by initial access broker TA547 AKA Scully Spider. The script loads the Rhadamanthys infostealer, which can steal cookies, browser and clipboard information, and more system metadata. As the security community studied the malicious code that is used in the script, they noted a hashtag used in coding comments, along with very verbose comments, indicating that AI or a non-human entity possibly authored the code. Read article.
2. U.S. Treasury Sanctions Iranian Firms and Individuals Tied to Cyber Attacks – The Hacker News
The US Treasury sanctioned several Iranian individuals and front companies who have been targeting the US on behalf of the Iranian Government. Their operations used spear phishing and social engineering to target US military veterans, US defense contractors, and other US government entities. Full article here.
3. UnitedHealth confirms it paid ransomware gang to stop data leak – Bleeping Computer
United Health publicly admitted that they paid BlackCat/AlphV ransomware actors in February 2024 to prevent the sale of private healthcare data to criminal actors. Payment activity was confirmed by the public transaction on the blockchain as a Bitcoin payment to the wallet used by BlackCat ransomware gang was visible. Read article.
4. Indian Government Rescues 250 Citizens Forced into Cybercrime in Cambodia – The Hacker News
India’s government issued a public statement and update about the rescue of 250 Indian nationals who went to Cambodia under the pretense of employment but were then forced to participate in cybercrime. In what some dubbed “cyber slavery”, organized crime groups are luring people to Cambodia and other countries with false employment opportunities, and then forcing them to create thousands of social media accounts to use for various purposes, such as gambling, crypto fraud, romance schemes, and more. If the trapped individuals didn’t meet their quota of accounts created, the cybercrime groups denied them food and sleep. Other hotspots observed for this kind of activity include Myanmar, Thailand, and the Philippines. Read more.
5. DPRK hacking groups breach South Korean defense contractors – Bleeping Computer
Targeting technological information, North Korean hacking groups including Lazarus and Kimsuky used extant vulnerabilities to plant malware that sent data back to their cloud servers and was used by the North Korean government. One group accessed the account of an employee who worked with defense subcontractors, while another took advantage of an email server vulnerability. Read more.
6. US Health Dept warns hospitals of hackers targeting IT help desks – Bleeping Computer
The US Department of Health and Human Services issued a public warning this week, concerning social engineering techniques used by threat actors to go after IT desks of the health sector. In these operations, threat actors will call health organizations using a local number of the area they are targeting. They’ll provide details of the organization which are stolen, providing actual corporate ID and/or social security numbers procured in malicious cyber operations. By providing this real information to the IT department, they appear legitimate and then the helpdesk enrolls the threat actor device into corporate multi-factor authentication, allowing deep access to corporate information. Malicious actors then change ACH information regarding payments gain access to corporate email accounts and continue social engineering. Read more.
7. Russia charges suspects behind theft of 160,000 credit cards – Bleeping Computer
Six Russian individuals were recently charged by the Russian Prosecutor General’s Office. The men were charged with skimming 160,000 carss — using malware to steal credit card and other payment details – throughout the past seven years. The group didn’t use the stolen cards instead selling them on various dark web platforms for profit. Article here.
8. Cybercriminals Targeting Latin America with Sophisticated Phishing Scheme – The Hacker News
ZIP files are currently being used to deliver malicious files which appear as an invoice, targeting Spanish-speakers in LATAM. The files redirect the user to another domain, newly set up by the malicious actors. This redirection activates a script that then takes metadata from systems and checks for anti-virus software, collecting system information to use and further malicious operations. Read article here.
9. Scammers offer cash to phone carrier staff to swap SIM cards – SC Media
Cyber actors are cold-contacting employees of various US cell phone companies and offering them cash in exchange for their participation in SIM swapping operations. In SIM swapping incidents, actors fool a wireless carrier, such as Verizon or T-Mobile (who were both targeted in this latest campaign) into rerouting services to a device controlled by the criminals themselves. Once the “swap” is completed, the victims lose access to most personal accounts and personal data attached to the cell phone account is also stolen and used in other malicious operations. Read more.
Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
Cyber Insurance has become a hot topic in recent years. As DarkOwl has previously documented, frequent attacks against organizations mean that there is ever increasing demand for coverage which assists in reducing the negative financial impacts and risks of conducting activities on the internet.
One of the things that cyber insurance can cover is extortion payments associated with ransomware attacks. As ransomware attacks are expected to continue to increase during 2024, with more and more groups adopting double-extortion techniques, it is prudent for organizations to explore their insurance options.
However, insurance carriers are not immune from cyberattacks and can also fall victim to attacks and credential loss. As a third-party supplier, their data can also be exposed through the ransomware attacks of their customers. In this blog we explore this exposure.
Ransomware
The term “Insurance” appears in over 100,000 documents linked to ransomware activity in DarkOwl’s Vision platform. Ransomware groups such as CL0P, Medusa, BlackBasta and 0mega to name just a few have published documents from victims which include insurance information.
The Dunghill Leak group, published on their leak site details of a UK-based transportation company called Go-Ahead Group who they alleged they had obtained data from. They provided descriptions of the data as well as sample images of the documents. They claimed that this included details of insurance claims made by the company. One of the sample documents they provided appears to be related to medical insurance.
Figure 1: Stolen document from Go-Ahead Group
Insurance carriers and providers themselves are also not immune from ransomware attacks. The ransomware group BlackBasta posted information relating to an insurance marketing firm named LeClair. They provide marketing services to insurance brokers. All of the data relating to this organization was published on the leak site of BlackBasta and according to the site has been viewed over 3000 times.
Figure 2: LeClair sample data on BlackBast leak site
Another insurance provider, Delaware Life Insurance Company appeared to be a victim of the group Ransom House. All data relating to this organization was disclosed including a file tree of all documents obtained. The group claimed to have stolen 1.4TB of data from the organization as well as being able to download this is full they also provided proof which contains confidential documents, health records, and pricing information.
Figures 3 and 4: RansomHouse Leak site and proof of documents listed
The CL0p ransomware group, when posting data for one of their victims, a university, detailed that the victim had used their insurance company to negotiate. They stated that they were cheap and the negotiator was bad. Despite the claim that the university offered to pay $950,000 the full data was still leaked. This highlights how insurance providers interact with ransomware groups and their review of the activity.
Figure 5: Post on CL0p leak site from DarkOwl Vision
Leaks
Insurance companies can also appear in other types of data leaks, with information relating to the insurance provider appearing in leaks. This can include email addresses, locations, passwords, and names of employees.
The leak etenders.gov.za, of a government service in South Africa which documents tenders for government initiatives, included information relating to insurance providers including their telephone numbers and email address.
Figure 6: etenders.gov.za leak
Data purported to be from Farm Bureau Insurance – Tennessee was posted on the Telegram channel BF Repo V3 Files, a backup repository for data leaks from BreachForums, on January 20, 2024. Data exposed included full names, email addresses, physical addresses, phone numbers, vehicle information, and dates of birth. The leak appeared to include customer information and the cars that had been insured and the broker.
Figure 7: fbitn.com data leak
The naz.api is reported to be one of the largest credential stuffing lists released and was originally posted in September 9, 2023 on well known darkweb forum BreachForums. According to that post, the database was created by extracting data from stealer logs, and contains over 1 billion unique records of saved logins and passwords in users’ browsers. Infostealer logs are files produced when a trojan is installed on a system that collects information from the infected system.
Searching though this data, almost 700 results were identified which included the statefarm.com domain, indicating that these records likely belong to employees of StateFarm. The data included websites that the addresses had visited as well as the password associated with this account. These types of leaks could give threat actors access to accounts which may lead to a network intrusion and highlight why it is so important for organizations and individuals to practice good password hygiene.
Insurance Fraud
It would be remiss to review insurance on the darknet and not touch on insurance fraud. Although we do not always see the direct activity of fraud, we do see guides and tutorials being offered as well as documentation being sold that can assist an individual in conducting insurance fraud.
Figure 8: Guide for sale on the dark web
Posts on Telegram offer insurance documents for sale, likely to be used to conduct fraud operations.
Figure 9: Telegram channel Skimming Central
As well as actors claiming they are able to produce car insurance documents so individuals do not need to insure their cars.
Figure 10: Post on Telegram channel Bazaar Lounge
A post on the dark web marketplace nifheim.world offers insurance documents as well as other counterfeit documents.
Figure 11: Post on Nifheim.world
Conclusion
Although cyber security insurance is an ever growing business, adopted to protect organizations from the financial and reputational damage a cyberattack can cause, insurance companies themselves are not immune from the threat of cyber attacks. Whether it be data leaks, ransomware attacks, or the continued threat of insurance fraud, insurance companies too need to be vigilant to the threat of attacks to ensure they protect themselves and their customers. As insurance covers large swaths of our lives from our vehicles, houses, sentimental items and health they can hold sensitive information on their customers, it is therefore imperative that this data is secured.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.
