Cybercriminal Arrests: 2022 Lookback

April 20, 2023

Cybercriminals who see the most return on their cybercrime-related activities can also suffer the greatest consequences at the hands of law enforcement. Despite the anonymous nature of the darknet, law enforcement has developed sophisticated tools and procedures to take down the most notorious criminals who operate on the darkest corners of the internet.  

Major cybercrime arrests of 2022 offer insights into the operations and true identities of several noted cybercriminals. They range from an individual who began sophisticated illicit cyber activity at age 15, to business entrepreneurs who were virtually unknown in the darknet community and whom no one suspected, to a defendant whose crime was committed a decade earlier. DarkOwl analysts round up some of the most notorious arrests of 2022.

Diogo Santos Coelho  (aka “Omnipotent”, aka “downloading”, aka “shiza”, aka “Kevin Maradona”) 

The case of Diogo Santos Coelho, aka omnipotent, highlights the importance of OPSEC (operational security) and illustrates that many notorious cybercriminals, or hackers, can be very young. On Tuesday, April 12, 2022, the United States Department of Justice announced the seizure of RaidForums and unsealed criminal charges against Diogo Santos Coelho, RaidForums’ alleged administrator. He was arrested on January 31 in the United Kingdom. The six-count indictment against Coelho charged him with conspiracy, access device fraud, and aggravated identity theft. The FBI alleges that he was the administrator of RaidForums from around January 2015 to January 2022.

RaidForums was a popular online marketplace known for providing leaks and breaches for sale or sometimes for download, either via credits accrued on the site or for free. These leaks could include highly sensitive personally identifiable information (PII) and financial information, ranging from social security numbers to credit cards, and were used by criminals to commit fraud as well as to access company networks. RaidForums was taken down in Operation TOURNIQUET, a joint operation between Europol, the United States, the United Kingdom, Sweden, Portugal, and Romania. Similar key cyber operations and the law enforcement agencies involved in darknet takedowns can be found in DarkOwl’s interactive timeline.

Court documents show that Coelho used the names OMNIPOTENT, DOWNLOADING, SHIZA, and Kevin MARADONA. OMNIPOTENT and DOWNLOADING were used on the RaidForums site. In addition to being an administrator, the indictment shows he also provided a middleman service for buyers and sellers on the site. Searching in DarkOwl Vision shows that there is no honor among thieves on the darknet: Coelho was subsequently doxxed.

According to DarkOwl’s darknet glossary, a dox is to publicly name or publish private information (PII) about an unwitting target. Doxxing can be used as a form of aggression between conflicting groups, such as when 22 members from Trickbot were doxxed as part of the Russia-Ukraine cyberwar by a pro-Ukrainian affiliate. Other times it is to express political opinions.

Figure 1: Screenshot of Omnipotent Doxx; Source: DarkOwl Vision 

As seen in Figure 1, the name on the account is “Kevin Maradona.” Using the DarkOwl Vision email lexicon, the email didi-lover[@]hotmail.com appears in a document linked to omnipotent[@]raidforums.com, Kevin Maradona, and his address. Exactly which techniques law enforcement used to identify Diogo Coelho is not known; however, personal information such as emails, aliases, and addresses all help investigations. Law enforcement was able to seize three domains which hosted the RaidForums site, leading to further investigations.

Not only did Diogo Santos Coelho establish arguably the most popular online marketplace to illegally buy, sell, and trade highly sensitive information from around the world, but he started this site when he was only 15 years old.  

Ilya “Dutch” Lichtenstein and Heather Morgan (aka “razzlekhan”) 

The indictments against Ilya Lichtenstein and Heather Morgan of New York were ones that no one, except perhaps the IRS, saw coming. Both were known in the business world and involved as entrepreneurs in startups. Morgan even had an online rapper persona, Razzlekhan. The couple was arrested in New York and charged with Money Laundering Conspiracy and Conspiracy to defraud the United States. The indictments stem from their alleged attempts to launder $3.6 billion in stolen bitcoin from the Bitfinex exchange hack.

It is alleged that Lichtenstein and Morgan moved the funds through multiple transactions to different accounts across separate platforms to try to hide the paper trail. U.S. law enforcement successfully traced the stolen bitcoin via the blockchain to several accounts owned by Lichtenstein and Morgan. Lichtenstein kept the addresses and keys in cloud storage, which law enforcement was able to decrypt, discovering a file with 2,000 cryptocurrency addresses and the private keys to each. A federal magistrate judge in New York ruled that Morgan and Lichtenstein be released on bond for $3 million and $5 million respectively. However, the Chief U.S. District Judge ruled that Morgan may return home to New York “under strict conditions” but that Lichtenstein must remain in prison in the District.

Figure 2: Picture of Heather Morgan who called herself a cold-email expert; Source: Forbes.com

Sebastien Vachon-Desjardins

NetWalker Ransomware group primarily targeted healthcare and education institutions as well as other sectors such as law enforcement, companies, and emergency services. Most well-known for taking advantage of the global COVID-19 pandemic to leverage targeted attacks against their victims, NetWalker distributed pandemic-related phishing emails to target healthcare institutions already pushed to their max by the global health crisis.

In January of 2021, the Department of Justice announced the successful disruption of the NetWalker ransomware group as the result of an international law enforcement operation. Law enforcement was able to seize almost $500,000, and Canadian national Sebastien Vachon-Desjardins was charged with wire and computer fraud, “intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer arising from his alleged participation in a sophisticated form of ransomware known as NetWalker.” In March of 2022, the Department of Justice announced Sebastien Vachon-Desjardins’ extradition and the seizure of $28,151,582 of cryptocurrency after executing a search warrant.


On October 3rd, 2022, Sebastien Vachon-Desjardins was sentenced to 20 years in prison (following his extradition to the U.S.). He agreed to give up $21.5 million as part of a plea agreement. He is believed to have been a key active affiliate of the NetWalker ransomware group and is rumored to have close ties to the hacking group REvil.

Information from the seizure of NetWalker’s backend servers in Bulgaria highlighted the true number of victims exploited by the group. The FBI reports that 115 victims filed a report, however, the true number of victims is likely between 400 to 1,500. In the words of U.S. Attorney Roger B. Handberg, “the defendant in this case used sophisticated technological means to exploit hundreds of victims in numerous countries at the height of an international health crisis.”

Figure 3: Screenshot from NetWalker’s darknet blog; Source: DarkOwl Vision

Mark Sokolovsky (aka “photix”, aka “raccoonstealer”, aka “black21jack77777″)

On October 25, 2022, a grand jury indictment was unsealed charging Ukrainian national Mark Sokolovsky for his alleged role as a core member of Raccoon Infostealer. Raccoon Stealer is a prolific infostealer that operates on a malware-as-a-service model and is available for purchase for around $200. Customers (typically cybercriminals) receive access to a control panel with the most recent version of the malware, can work on infected systems in real time, can see the stolen data such as logins and credentials, and can interact with the malware.

Information stealers such as Raccoon are a category of malware, sometimes described as a Trojan or a remote access tool (RAT), designed to steal sensitive information from victims’ computers or devices. Once a system is infected, Raccoon typically operates in the background while it systematically searches for and collects a wide range of data from the compromised system. This data can include login credentials, credit card numbers, social security numbers, banking information, and other types of personal and financial data. Raccoon may also capture screenshots, record keystrokes, and log other user activity to gather further information. The collected data is leveraged for fraud and exploitation such as identity theft or the draining of bank accounts. At the time of the indictment, the FBI had found over 50 million unique credentials and pieces of identification taken with the stealer’s help.

Sokolovsky is charged with one count of conspiracy to commit computer fraud and related activity in connection with computers; one count of conspiracy to commit wire fraud; one count of conspiracy to commit money laundering; and one count of aggravated identity theft.

Figure 4: Mark Sokolovsky leaving Ukraine and avoiding mandatory military service, taken at the Polish border; Source: KrebsOnSecurity.com  

James Zhong  

The Silk Road, created by Ross Ulbricht, a.k.a. Dread Pirate Roberts, was notoriously one of the first well-known and most used darknet marketplaces. The marketplace was shut down by law enforcement in 2013. However, billions of dollars remained unaccounted for despite the site’s seizure. In November of 2022, the Department of Justice announced it had found $3.36 billion worth of Bitcoin that had been stolen from The Silk Road around 10 years before. It was hidden in a popcorn tin in a bathroom closet along with Casascius coins and bars of precious metals. $661,900 in cash was also seized.

The announcement from the Department of Justice read that in 2012 Zhong made 9 accounts on The Silk Road and triggered over 140 transactions “to trick Silk Road’s withdrawal-processing system into releasing approximately 50,000 Bitcoin from its Bitcoin-based payment system into Zhong’s accounts” which he then put through cryptomixers and moved to various accounts to cover his tracks. Zhong gave up 1,004.14621836 Bitcoin to the government. He pled guilty to one count of wire fraud.

Figure 5: The popcorn tin where the criminal proceeds of James Zhong were found; Source: Department of Justice
Figure 6: Some of the physical Bitcoins (Casascius coins) and other items seized by law enforcement; Source: Department of Justice

Paige Thompson (aka “erratic”)

The case of Paige Thompson highlighted the potential grey area between a white-hat hacker and a cybercriminal. The former Amazon employee was responsible for a major breach in 2019 when she downloaded and posted to the darknet the personal information of more than 100 million Capital One users. The data included 140,000 social security numbers and 80,000 bank account numbers.

Figure 7: Paige Thompson, alias “erratic” posting on a forum the Capital One data; Source: DarkOwl Vision 

Prosecutors said Paige Thompson exploited misconfigured web application firewalls to get credentials stored by customers with a Cloud Computing Company, access sensitive data and use the servers to mine cryptocurrency. Her lawyers argued that her actions fall under the category of a white-hat hacker, as she was scanning for online vulnerabilities and probing what they exposed. The Federal Government contends that she had no intention to disclose the vulnerabilities and wanted to use the stolen information for her own gain.

She pled not guilty to violating the Computer Fraud and Abuse Act. She was found not guilty of identity theft and access device fraud but was found guilty of wire fraud, damaging a protected computer, and five counts of unauthorized access to a protected computer. Capital One paid $80 million to regulators and $190 million to the people whose sensitive information was exposed.

Conclusions: Law Enforcement is Never Far Behind

Cybercriminals who commit large crimes are likely to attract the attention of law enforcement. However, the illicit cybersphere is so decentralized that it would take many, many years for law enforcement to track down every cybercriminal.

To help facilitate these efforts, law enforcement agencies have developed sophisticated tactics to attribute online crimes to people even if they are working in an anonymous environment. Using darknet search and monitoring services such as DarkOwl is one such tactic favored by law enforcement as it allows investigators to gather evidence and follow leads over time in order to build a robust case.


To learn more how DarkOwl can aid in cybercriminal investigations, contact us.

Cyber Risk Modeling: Introducing DarkSonar

April 18, 2023

Over the past few years, there has been an increase in global cyberattacks, with reports indicating that overall attacks were up 38% in 2022 from the previous year. In the USA alone there was a 57% increase, while the UK experienced a 77% increase in cyberattacks. Many of these attacks result in data breaches and ransomware incidents, which cost organizations time and money, as well as long-term negative effects such as loss of reputation.

On top of this, the average cost of a data breach has reached a record high of $4.35 million. The cost of a ransomware attack is $4.54 million, on average, not including the cost of a ransom payment. With cyberattacks on the rise, organizations need better intelligence to enable them to model risk and take mitigating actions, particularly small businesses which are three times more likely to be a target of a cyberattack.

Darknet data is a key source of insight into criminal and other nefarious activity. The darknet—or dark web as it is also referred to—is a layer of the internet that cannot be accessed by traditional browsers. Sensitive corporate information is regularly leaked or sold on the darknet. These sets of darknet data can be used to identify cybersecurity threats and calculate organizational risk. Understanding risk enables an organization to better be prepared for potential threats.

Cybersecurity Risk

Cybersecurity risk can be most simply described as the potential risk your organization faces from a cyberattack. The possibility of a cyberattack feeds several different corporate risk calculations. One of the biggest threats a cyberattack poses is the loss or public exposure of data, which presents a significant risk to a company’s brand and reputation.

Stolen and leaked intellectual property can pose a significant risk to a company’s finances and competitive edge. In addition to loss of data, there is a direct risk to executives and key leadership from phishing attacks and stolen credentials. If the direct risk within a company weren’t enough, there is also an indirect risk through third-party vendors and suppliers. To better map out cybersecurity risk, organizations need to model risk.

Figure 1: Generic Risk Model; Source: NIST

The figure above shows a generic risk model and the relationships between the components. In organizational risk calculations, threat includes anything that can cause harm to the organization. This includes threats from natural disasters, significant hardware or backup failure that triggers a disruption in services or production, and cybersecurity attacks by external malicious entities. Threat calculations are often tied to scenarios with likelihoods of occurrence that involve an adversary’s intent, capability, and targeting. To effectively model risk, organizations need to (1) model internal threats, (2) model external risk from third parties, and (3) determine the likelihood of specific scenarios. The risk is then calculated from a combination of impact and likelihood.

DarkOwl Data

DarkOwl provides a variety of data to model risk and threats to an organization:

Leaks/Data Breaches: Leaks, or data breaches, are aggregate data files of information obtained without the owner’s consent. This can consist of internal email records, usernames and passwords, personally identifiable information (PII), financial records, and more. Leaks are often sold for profit on the darknet, though they are sometimes posted and leveraged by criminal actors for means other than financial gain.

Dark web search data: Vision UI provides access to a variety of darknet and deep web resources. Additional capabilities enable the user to search for CVEs, construct search blocks, and more. The platform provides the ability to fully customize darknet searches based on individual priorities and focus areas. Approximately 10-15 million pages/targets are crawled daily, with updated content becoming accessible to users in near-real time.

Entities: In addition to being able to search all collected darknet data, DarkOwl extracts entities such as IP addresses, credit card numbers, bank identification numbers, crypto addresses, email addresses, and credentials. This enables an organization to search specifically for relevant entities, such as server IP addresses and email addresses.

Group data: Vision UI enables a user to search for groups. Groups include chan, ransomware, forum, market, and paste data. Ransomware and forum data are particularly useful for determining organizational risk. Discussions of relevant software and exploitability of specific CVEs can assist an organization in determining potential unpatched vulnerabilities.

Telegram and chat platform data: Data from Telegram and other chat platforms consists of encrypted, semi-encrypted, and open-source chats. DarkOwl has collected over 400,000 Telegram chats. Discussions between threat actors can be found on these chat platforms.

DarkSonar: DarkSonar is a risk metric based on darknet intelligence and measures an organization’s credential exposure on the darknet. It provides a relative risk rating for an individual email domain. The metric is based on email exposure using three parts of email entities: unique plaintext credentials, unique hashed credentials, and total unique email address volume with no credentials. 

DarkOwl’s data can assist an organization with threat modeling, managing third party risk, and potentially predicting the likelihood of an attack.

Threat Modeling

Identifying threats involves creating threat scenarios: threat events caused by threat sources that exploit vulnerabilities, which are weaknesses in systems. Vulnerabilities can be internal, such as an unpatched server or poor employee awareness, or external, such as a third-party vendor.

Threat vectors refer to the vulnerability pathway that cyber attackers take to gain access to an organization’s network. Regardless of the actor or the motivation, they will utilize one or more threat vectors to gain access to a system. Below, Table 1 gives a list of common threat vectors used by an adversary. Also included are the associated solutions that DarkOwl data offers to help to model risk and mitigate damage for each of these different threat vectors.

Table 1: The Most Common Threat Vectors

Threat Vector: Phishing Emails
Statistics:
– 61% increase in the rate of phishing attacks in the six months ending October 2022 compared to the previous year, and attacks are getting more sophisticated.
– 90% of IT professionals believe email phishing is the top cyber threat to their organization due to the sharp increase in email phishing.
– 92% of malware was delivered through email in 2021. Phishing emails in particular were responsible for 90% of 2021’s data breaches.
DarkOwl Data:
– DarkSonar: Risk Signal
– Entities: Emails, Credentials

Threat Vector: Third Party Vendors/Supply Chain
Statistics:
– 48% of organizations deem third-party relationship complexity as their main problem.
– 54% of businesses do not vet third-party vendors properly and do not have a complete list of all the third parties who have access to their network.
– 59% of companies experienced a third-party data breach. Only 16% say they effectively mitigate third-party risks.
– 65% of firms have not identified the third parties that have access to their most sensitive data.
DarkOwl Data:
– DarkSonar: Risk Signal

Threat Vector: Weak or Compromised Login Credentials
Statistics:
– 80% of hacking incidents are caused by stolen and reused login information.
– 82% of data breaches involve a human element, including phishing and the use of stolen credentials.
DarkOwl Data:
– DarkSonar: Risk Signal
– Entity Emails: Credentials

Threat Vector: Brute Force Attacks
Statistics:
– Brute force is the most widely used initial vector to penetrate a company’s network.
– Brute force attacks increased from 13% to 31% in 2021.
– Over 80% of breaches caused by hacking involve brute force or the use of lost or stolen credentials.
DarkOwl Data:
– Vision UI: Company mentions
– Entity Emails: Credentials (available data for credential stuffing used in brute force)

Threat Vector: Unpatched Vulnerabilities
Statistics:
– 60% of breach victims admitted they were breached due to a known vulnerability where the patch was not applied. 62% claimed they weren’t aware of their organizations’ vulnerabilities before a breach.
– 75% of attacks in 2020 used vulnerabilities that were at least two years old.
– 84% of companies have high-risk vulnerabilities on their external networks; more than half of these could be removed simply by installing updates.
– 87% of organizations have experienced an attempted exploit of an already-known existing vulnerability.
DarkOwl Data:
– CVE Mentions: for relevant software, and combination CVE mentions for 0-days
– Forum data: discussions of malware development

Threat Vector: Cross-site Scripting (XSS)
Statistics:
– It is estimated that more than 60% of web applications are susceptible to XSS attacks, which eventually account for more than 30% of all web application attacks.
DarkOwl Data:
– Entity IP addresses
– CVE mentions: for exploitable web server vulnerabilities

Threat Vector: Man-in-the-Middle (MITM)
Statistics:
– Nearly 58% of all posts on criminal forums and marketplaces contain banking data of others collected by MITM or other attack types.
DarkOwl Data:
– Vision search: company mentions
– Entity IP addresses
– Forum data

Threat Vector: DNS Poisoning
Statistics:
– A six-year study of DNS data showed that DNS spoofing is still rare, occurring in only about 1.7% of observations, but has been increasing during the observed period, and that proxying is the most common DNS spoofing mechanism.
DarkOwl Data:
– Entity IP addresses

Threat Vector: Malicious Apps/Trojans
Statistics:
– 46% of organizations have had at least one employee download a malicious mobile application which threatens their networks and data.
DarkOwl Data:
– DarkSonar: for phishing attacks, which often include links or attachments of malicious apps/trojans

Threat Vector: Insider Threat
Statistics:
– Insider threats increased by 47% between 2018 and 2020.
– 70% of organizations are witnessing more frequent insider attacks.
DarkOwl Data:
– Vision Search: search blocks for insider-targeted searches

Examples

Email Exposure

DarkSonar provides a metric to chart an organization’s relative risk ratio over time. To demonstrate this, we have included several case studies using actual organizations that experienced cyberattacks. The example below looks at AMD, who publicly announced that they experienced a cyberattack in June of 2022 (as illustrated by the dotted line). 

Figure 2: DarkSonar exposure for AMD over time

Figure 2 above shows that DarkSonar detected an elevated risk signal for AMD from January to April of 2022. An elevated score indicates that exposure on the darknet has dramatically increased, which translates to higher risk. In this example, DarkSonar forecast the attack that ultimately transpired with an elevated signal in the months preceding the incident.
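To make the idea of a relative exposure signal over time concrete, here is a small, added illustration that is not DarkOwl code and does not reproduce DarkSonar’s actual formula, which the page does not publish. It assumes the three entity classes named in the DarkSonar description (unique plaintext credentials, unique hashed credentials, and bare email addresses) are counted per month, combines them with hypothetical weights, and reports each month as a ratio to a trailing baseline. The monthly counts for the fictitious domain example.com are constructed, and the weights, baseline window and elevation threshold are assumptions. One detail worth noting: the baseline is built only from months that were not themselves elevated, so a large credential dump does not raise the baseline and mask the months that follow it.

```python
"""Toy credential-exposure signal over time (added example, not DarkSonar's formula)."""
from statistics import median
from typing import Dict, List, Tuple

# Hypothetical weights (assumption): a plaintext credential is worth more to an
# attacker than a hash, and a bare address (a phishing target only) the least.
WEIGHTS = {"plaintext": 3.0, "hashed": 2.0, "email_only": 1.0}

# Constructed monthly counts of unique darknet entities for the fictitious
# domain example.com. January 2022 models a large combolist drop.
MONTHLY_COUNTS: List[Tuple[str, Dict[str, int]]] = [
    ("2021-09", {"plaintext": 12, "hashed": 40, "email_only": 300}),
    ("2021-10", {"plaintext": 10, "hashed": 35, "email_only": 280}),
    ("2021-11", {"plaintext": 15, "hashed": 42, "email_only": 310}),
    ("2021-12", {"plaintext": 11, "hashed": 38, "email_only": 295}),
    ("2022-01", {"plaintext": 90, "hashed": 120, "email_only": 900}),
    ("2022-02", {"plaintext": 75, "hashed": 110, "email_only": 850}),
    ("2022-03", {"plaintext": 60, "hashed": 95, "email_only": 700}),
    ("2022-04", {"plaintext": 40, "hashed": 80, "email_only": 600}),
    ("2022-05", {"plaintext": 14, "hashed": 41, "email_only": 305}),
]


def exposure_score(counts: Dict[str, int], weights: Dict[str, float] = WEIGHTS) -> float:
    """Weighted sum of the three entity classes for a single month."""
    return sum(weights[k] * counts.get(k, 0) for k in weights)


def relative_signal(series, window: int = 3, threshold: float = 2.0) -> List[float]:
    """Ratio of each month's score to the median of the last `window` quiet months.

    The first `window` months seed the baseline and are reported as 1.0.
    A month whose ratio reaches `threshold` is treated as elevated and is NOT
    added to the baseline, so a spike cannot hide the months that follow it.
    """
    scores = [exposure_score(c) for _, c in series]
    baseline: List[float] = []
    ratios: List[float] = []
    for s in scores:
        if len(baseline) < window:
            ratios.append(1.0)
            baseline.append(s)
            continue
        base = median(baseline[-window:])
        ratio = s / base if base else float("inf")
        ratios.append(ratio)
        if ratio < threshold:
            baseline.append(s)
    return ratios


def elevated_months(series, window: int = 3, threshold: float = 2.0) -> List[str]:
    """Labels of the months whose relative signal is at or above `threshold`."""
    ratios = relative_signal(series, window, threshold)
    return [month for (month, _), r in zip(series, ratios) if r >= threshold]


if __name__ == "__main__":
    for (month, counts), ratio in zip(MONTHLY_COUNTS, relative_signal(MONTHLY_COUNTS)):
        flag = "ELEVATED" if ratio >= 2.0 else ""
        print(f"{month}  score={exposure_score(counts):7.1f}  ratio={ratio:5.2f}  {flag}")
    print("elevated:", elevated_months(MONTHLY_COUNTS))
```

Run as-is, the four months from January to April 2022 are flagged, which is the shape of the AMD chart the text describes: exposure jumps well above the quiet baseline and stays there for several months before decaying. A real implementation would tune the weights and threshold against historical incident data rather than guessing them, as is done here.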

Entity Explore

Entity Explore provides information about entities in DarkOwl’s entity database. Using the Entity Explore or the Entity API allows an organization to see all emails, IPs, credit card and bin numbers, and crypto addresses. Additionally, when viewing emails, all plaintext and hashed passwords can be sorted and analyzed. For financial institutions, credit card numbers and bin numbers provide a notion of financial exposure for their risk calculations. Organizations can also search for IP addresses of their sensitive infrastructure points to determine if and how those IP addresses are being discussed on the darknet.

The example below looks at Entity results for Honda.com and illustrates how a company can use Entity Explore to assess their credential exposure within Vision UI.

Figure 3: Email Entities for honda.com; Source: DarkOwl Vision

Vision Searches

Additionally, DarkOwl Vision UI provides tools to focus an organization’s search of darknet content. Group searches enable an organization to focus on forums and ransomware sites. Similarly, queries can focus on specific sources, such as Telegram content. Search blocks provide terms that can be used to focus on insider attacks and exclude results from search engines.

After a recent product update, Vision now allows users to more easily search for specific CVEs. This enables an organization to find discussions of exploiting vulnerabilities relevant to software it runs on its network. Figure 4 shows a forum discussion about an exploit for CVE-2022-30190, a Microsoft Office vulnerability that attackers can leverage for remote code execution.

Figure 4: DarkOwl Vision search reveals an exploit based on CVE-2022-30190; Source: DarkOwl Vision

Manage Third Party Risk

As the data in Table 1 shows, third-party vendors pose a significant risk to businesses of all sizes. Most organizations don’t even know who has access to their sensitive information. This is in part because an organization typically does not have adequate insight into the protection mechanisms a third party uses to safeguard its data.

To fill in this gap, DarkSonar provides an organization with a risk metric for their third-party vendors based on email exposure on the darknet. This enables an organization to better understand the risk of a third-party. 

Figure 5: Example of a third-party vendor attack, in which the Cancer Centers of Southwest Oklahoma’s data was compromised through third-party cloud provider Elekta. While both companies exhibit an increase in their DarkSonar signal, Elekta’s is elevated higher 5 months prior to the attack.

Figure 5 gives another case study example of how DarkSonar can be used to forecast a third-party attack. In this case, the Cancer Centers of Southwest Oklahoma’s third-party cloud-based storage provider, Elekta, was the victim of a data breach in April 2021.

During the attack, unauthorized personnel accessed the protected health information of 8,000 oncology patients from the Cancer Centers of Southwest Oklahoma. While both companies experienced an increase in DarkSonar by the time of the attack, the third-party vendor, Elekta, was elevated higher for longer prior to the attack.

Help Determine the Potential Likelihood of Threat with DarkSonar

Calculating organizational risk is a combination of the likelihood of a threat and the adverse impact it may have on your organization. Overall, DarkSonar exposure signals can help to indicate when the likelihood of a particular attack increases. In fact, in a study of 237 publicly disclosed data breaches and ransomware attacks from 2021 and 2022, DarkSonar was shown to have an elevated score within several months for 74% of the attacks. 

Given that such a large percentage of cyberattacks start with an email, DarkSonar can be particularly beneficial to an organization in determining the likelihood of an attack.

Conclusions

Darknet data includes a variety of information relevant to organizational risk. Utilizing DarkOwl’s data sources enhances an organization’s ability to understand the threats it faces, manage third-party risk, and potentially determine the likelihood of a threat. Modeling risk enables an organization to both understand its weaknesses and take mitigating actions to protect itself from loss of data, profits, and reputation.


Contact us today to learn how to monitor your darknet exposure.

Tax Fraud on the Darknet and Deep Web: 2023 Update

April 17, 2023

Last year, we covered some emerging trends around tax fraud that our analysts found on the dark web. This year, we’re continuing that theme by highlighting some of the most recent content our analysts found in DarkOwl Vision ahead of tomorrow’s Tax Day. 

Read on to see examples of the various forms of tax fraud being proliferated on the darknet, deep web, and adjacent platforms such as Telegram.

Note: In each example, a screenshot is provided that captures the listing in its original source location, followed by a screenshot of the result as it appears in DarkOwl Vision, our searchable database of darknet content.

Recent Marketplace Listings Aimed at Tax Fraud in DarkOwl Vision

Example Listing: Telegram

Posted on April 4th, 2023 – The Telegram shop FixCombo MarketPlace has numerous recent listings for tax fraud products such as tax returns.

In this example, an advertisement points fraudsters to another Telegram channel that allegedly sells W2 forms as part of its various product listings. In many of these listings, the offers include other associated information to enable criminals to commit digital identity theft, including sensitive information such as Social Security Numbers, driver’s license images and information, past tax returns, W2s, and more.

Figure 1: Screenshot of Listing for PII to Commit Tax Fraud on FixCombo Marketplace (Source, Telegram)
Figure 2: Screenshot of Listing for PII to Commit Tax Fraud on FixCombo Marketplace (Source, DarkOwl Vision)

Example Listings: Dark Web

Posted on March 16, 2023 – Nemesis Market is a dark web onion site that requires authentication to gain access. This marketplace has become more popular in recent months, likely as a result of users seeking a new outlet after other well-frequented marketplaces continue to be taken down via law enforcement operations, such as that of Hydra Market during the summer of last year.

In this example, the vendor “Equifax” is selling a 2023 tax fraud product, including all associated PII needed to illicitly file a tax return on another’s behalf, for $69 USD.

Figure 3: Screenshot of Tax Fraud Listing on Nemesis Marketplace on Tor (Source, Tor)
Figure 4: (Continued) Screenshot of Tax Fraud Listing on Nemesis Marketplace on Tor (Source, Tor)
Figure 5: Screenshot of Tax Fraud Listing on Nemesis Marketplace on Tor (Source, DarkOwl Vision)

Posted on March 25, 2023 – This listing for Australian tax return fraud tutorials was posted on the authenticated hacking forum CryptBB. The well-known onion site is predominantly used by English language speakers and is a darknet site popular among competent hackers, carders and programmers. Many also consider this forum to be a good place to develop one’s darknet persona and to learn how to improve one’s hacking skills.

In this example, the tutorial was posted alongside a download link, which could serve a secondary motive for the vendor, i.e. to install malware on those seeking to download the tutorial.

Figure 6: Screenshot of Country-Specific Tax Fraud Mechanisms on Dark Web Market CryptBB (Source, Tor)
Figure 7: Screenshot of Country-Specific Tax Fraud Mechanisms on Dark Web Market CryptBB (Source, DarkOwl Vision)

Example Listing: Deep Web

Posted on March 7, 2023 – This posting on the deep web site XSS is for a 2023 – 2024 “Tax Refund Method Tutorial.” Certain sections of the forum require payment via escrow services in order to receive full access.

XSS is considered one of the most popular deep web hacking forums among Russian cybercriminals.

Figure 8: Screenshot of Tax Refund Tutorials on the Deep Web (Source, XSS)
Figure 9: Screenshot of Tax Refund Tutorials on the Deep Web (Source, DarkOwl Vision)

Fraud is one of the most common motivations for crime on the darknet, and comes in many different varieties. To dive deeper, our analysts highlighted some other methods used to commit fraud in a webinar that you can watch on demand.


Learn more about how DarkOwl can help your organization detect and investigate fraud by contacting us here.

Q1 2023: Product Updates and Highlights

April 13, 2023

Read on for highlights from DarkOwl’s Product Team for Q1, including new product features and collection stat updates!

Data and Product Updates

New Search Templates and Search Blocks:

This quarter, the DarkOwl team added 14 new search templates that use the new chat operators, and refreshed existing search templates to incorporate query structures that leverage our tokenization options.

Several of the new templates make it easier to search for leaked passports by adding regex templates for passport numbers from specific countries. We also added several others that make it easier to find aliases via member page URLs and profile titles.

Our product team also added several new search blocks, including an updated block for “attack chatter”. Other enhancements include a better search for company/organization information, and additional blocks built from frequently used hacking keywords.

CVE Tokenization:

Based on feedback from our customers, CVE identifiers are now recognized and tokenized across our indexed document collection. Users can search for results containing a specific CVE number, as well as for results containing any CVE at all.

CVE tokenization makes it easier to search for CVEs alongside keywords or other entities such as onion domains or threat actor aliases.

Chat Channel and Usernames: We’re making it easier to find channels and usernames in chat platforms.

We are excited to announce a new utility that will provide additional user and channel metadata for our chat content, and enhance searching based on that information. For all of our chat content, our team was able to identify consistent components such as channel names, and make filterable fields for these entities.

Now, when you use any of these new tokenized chat fields, Vision is able to correlate that search to that entity. In other words, Vision will know to look for a username or user ID, not just a keyword. Applicable entities include usernames, channel names, UserID (numeric), channel ID (numeric).

This can be particularly helpful in trying to identify users who use multiple aliases. For example, in Telegram, usernames can change but UserIDs are persistent, so the UserID can help you find different aliases for the same user. The screenshot below shows an example of a user that is associated with multiple usernames, identified via their Telegram UserID.

This new feature enables you to associate UserIDs with usernames on platforms such as Telegram, allowing analysts to uncover multiple aliases associated with the same UserID.
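As an added example (not DarkOwl’s code, and not Vision’s actual query syntax), the following Python sketches what the two features above amount to in practice: tokenising CVE identifiers out of free text so a document can be matched on a specific CVE or on “any CVE”, and keying chat identity on the numeric UserID rather than the username, so that both the aliases of one account and collisions where two different accounts have used the same username become visible. The message records, field names, channel names and CVE mentions are constructed for the example; only the CVE identifier format is real.

```python
import re
from collections import defaultdict

# CVE identifiers are CVE-<4-digit year>-<sequence>; since 2014 the sequence
# may be longer than four digits, so allow 4 to 7.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,7})\b", re.IGNORECASE)


def extract_cves(text):
    """Return de-duplicated, upper-cased CVE IDs in order of first appearance."""
    found = []
    for m in CVE_RE.finditer(text):
        cve = f"CVE-{m.group(1)}-{m.group(2)}"
        if cve not in found:
            found.append(cve)
    return found


# Constructed sample messages (not real data). The field names are an
# assumption for this example, loosely modelled on Telegram metadata: the
# numeric user_id is stable, the username can be changed by its owner.
SAMPLE_MESSAGES = [
    {"id": 1, "channel": "exploit_share", "user_id": 555001, "username": "ghost_dev",
     "text": "anyone have a working poc for cve-2023-23397?"},
    {"id": 2, "channel": "exploit_share", "user_id": 555002, "username": "m0nk",
     "text": "selling access, dm me"},
    {"id": 3, "channel": "exploit_share", "user_id": 555001, "username": "gh0st",
     "text": "CVE-2023-23397 and CVE-2022-41040 chained, works on 2019"},
    {"id": 4, "channel": "leaks", "user_id": 555001, "username": "ghost_dev_new",
     "text": "new stealer logs dropping tonight"},
    # Same username as message 1, but a different account: a keyword search
    # on "ghost_dev" would wrongly merge these two people.
    {"id": 5, "channel": "leaks", "user_id": 555003, "username": "ghost_dev",
     "text": "CVE-2022-41040 still unpatched at lots of orgs"},
]


def build_index(messages):
    """Tokenise each message into the entity fields we want to filter on."""
    return [
        {
            "id": msg["id"],
            "channel": msg["channel"],
            "user_id": msg["user_id"],
            "username": msg["username"].lower(),
            "cves": extract_cves(msg["text"]),
        }
        for msg in messages
    ]


def search(index, cve=None, any_cve=False, user_id=None, username=None):
    """Return ids of messages satisfying every constraint that was given."""
    hits = []
    for doc in index:
        if cve is not None and cve.upper() not in doc["cves"]:
            continue
        if any_cve and not doc["cves"]:
            continue
        if user_id is not None and doc["user_id"] != user_id:
            continue
        if username is not None and doc["username"] != username.lower():
            continue
        hits.append(doc["id"])
    return hits


def aliases_by_user_id(index):
    """Every username observed under each persistent user_id."""
    aliases = defaultdict(set)
    for doc in index:
        aliases[doc["user_id"]].add(doc["username"])
    return {uid: sorted(names) for uid, names in aliases.items()}


def user_ids_for_username(index, username):
    """The inverse view: which distinct accounts have used this username."""
    return sorted({doc["user_id"] for doc in index if doc["username"] == username.lower()})


if __name__ == "__main__":
    idx = build_index(SAMPLE_MESSAGES)
    print("messages mentioning CVE-2022-41040:", search(idx, cve="CVE-2022-41040"))
    print("messages mentioning any CVE by user 555001:", search(idx, any_cve=True, user_id=555001))
    print("aliases per user_id:", aliases_by_user_id(idx))
    print("accounts that have used 'ghost_dev':", user_ids_for_username(idx, "ghost_dev"))
```

The two inverse views are the point: `aliases_by_user_id` is the pivot the paragraph above describes, while `user_ids_for_username` catches the opposite failure, a username that was released and later claimed by an unrelated account, which a plain keyword search would silently merge into one persona.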

Feature refreshes and user customization options: 

The DarkOwl Product team has also added several Exclusion Options to the Research Quick Filter Tool. These exclusion options, particularly the Search Blocks, are frequently recommended query additions by Product Support, to help reduce noisy results. These are all Starter Search Blocks—you can see their content on the Search Block page. While we were at it, we also removed extra space on this menu, to make it shorter. 

The most popular exclusion parameters include the exclusion search blocks for directory sites and Wikipedia mirrors, and the option to drop results with a hackishness score of zero.

We also enabled a new preference option for users to change their default landing page views so that users can choose where to begin their workflow based on their dashboard of preference.

Collection Stats and Initiatives 

This past quarter showed tremendous growth, due in part to advancements in our crawling technology and focus on emerging areas of activity.

Highlights

This quarter we added 340 new chat channels, 25 chat servers, and 5 unique data leaks at the request of customers. Most of these our team was able to obtain and index within 24 hours of the incoming request.

Our chat platform collection continues to grow. Currently, we have coverage of 2,003 channels and 233 servers across multiple chat platforms.

Overall, we’ve added close to 100 new data leaks since the beginning of this year, including a number composed of stealer logs, which are becoming an increasingly common threat vector.

Entity Numbers

As of the beginning of Q2 this year, DarkOwl Vision has indexed the number of critical entities shown in the figure above.

Notable leaks added in Q1:

Twitter Breach

In January, the user data for approximately 200M Twitter users was leaked on BreachForums. The data contains user account metadata such as email addresses, screen names, first and last names, number of followers, and account creation date. When analyzed, the leak includes 461,943,786 emails (total); 215,251,326 are unique.

Learn more about the Twitter Breach

Post on BreachForums sharing the data after Twitter reportedly refused to pay $200,000 to the hackers who had breached its networks in December of last year.

Data from Deutsche Bank Breach

On March 13, 2023, the threat actor ‘Alliswell’ advertised 60GB of Deutsche Bank data for sale “to the highest bidder” in a BreachForums thread. The actor listed several samples in the post. The sample in DarkOwl Vision includes three files: capital.markets.00565489.dat (a public SSL certificate for Citibank Switzerland), interpol.00454378934.data.report.003834923 (a public SSL certificate for Interpol), and DataBank.sql (a SQL table of bank names, indexed in 11 parts).

The full leak, reportedly 60GB in size, is not publicly available at this time. Note: DarkOwl does not purchase illegally obtained data.

Learn more about the Deutsche Bank Breach

Result in DarkOwl Vision from the Deutsche Bank leak that appears to contain an interbank transfer document recording a cash transaction from one bank to another.

BidenCash Market Credit Card Dump

In late February, the darknet carding shop BidenCash announced its one-year anniversary. To commemorate the event, the administrators of BidenCash shared a text file of 2.1 million compromised credit cards for free. DarkOwl’s crawler picked up the posting almost immediately, and it was indexed and available to all users within hours.

Learn more about the most recent BidenCash Market credit card dump

The BidenCash Market credit card dump contains a wealth of associated PII, including CVV numbers and cardholders’ full names and addresses.

Other Highlights and Coming Soon

Another noteworthy update from this past quarter is our engineering team’s improvements to our ability to circumvent bot-prevention measures in order to gain and maintain access to authenticated sites.

We’re also actively staying on top of the ransomware ecosystem and have added several new groups emerging on the scene. In just the last week, we’ve added coverage of ransomware groups such as Darkbit101, Money Message, Abyss, and Dark Power.

Posting from the ransomware group Abyss that lists multiple recent victims and their compromised data.
Posting from the ransomware group Dark Power that lists multiple recent victims and their compromised data, as well as victims whose data is pending – likely depending on whether or not they pay the ransom demand.

We will continue to expand our chat platform coverage, as we see more and more threat activity occurring on these platforms.

On the horizon

Stay tuned for an exciting announcement from the DarkOwl team! We are about to launch a whole new product that is a first-of-its-kind relative risk rating based on darknet exposure. To get a preview of this new release, schedule a time to speak to one of our team members.

DarkOwl Expands European Presence at FIC

April 11, 2023

Last week, DarkOwl participated for the first time in FIC, The International Cybersecurity Forum, in Lille, France. FIC is in its 15th year and describes itself as “the leading event in digital security and trust.” FIC claims that its uniqueness in the European cybersecurity event market is that it brings together the entire cybersecurity ecosystem: end consumers, service and solution providers, law enforcement, state agencies, universities and consultants. Its mission is two-fold: face the operational challenges of cybersecurity, and contribute to building a digital future that is in line with European values and interests. This enables attendees and sponsors alike to get the full picture of the state of cybersecurity in Europe and to learn from the best in the field. Attendees are able to meet with both end-users and solution and service providers, and to discuss the operational and strategic issues of cybersecurity.

“In Cloud We Trust?”

The theme of FIC 2023 was “In Cloud We Trust?”. Notice the question mark: the adoption rate of the public cloud in Europe is only 40%. Given this, the market potential for suppliers and the potential gains for end-users are enormous, making this a very attractive market. The choice of solution for end-users is not easy. The public cloud can be thought of, at its most basic, as using someone else’s computer to host and hold your most important business assets. This is where trust comes in, another key word and point of FIC. FIC makes the point that we are often forced to trust by default. The opportunity to meet end-users face to face and build relationships helps counter this. 70% of European data is stored and processed outside of the continent, mainly in the United States. Given the geopolitical landscape, trust is more important than ever.

To build relationships and trust, and share the value and essential need of darknet data for any cybersecurity posture, David Alley, CEO of DarkOwl FZE based in Dubai and Magnus Svärd, Director of Strategic Partnerships, based out of DarkOwl’s headquarters in Denver, CO, represented DarkOwl at FIC.

In addition to networking and conversations at the booth, top minds in the space had a platform to share thought leadership, innovations and the latest developments in cybersecurity. Speakers came from across Europe and the world: France, Estonia, the Netherlands, Belgium, Sweden, Ukraine, the United States, Pakistan, and more. Topics ranged from ZTNA and VPNs, Operational Technology and the Internet of Things, EDR Detection Mechanisms, Human Risk Factors, Infostealers and Hackers in Disguise, OSINT Basics, Cyber Threats in War Time, and Detecting Sophisticated Email Phishing Attacks, to many more. Many of the presentations throughout the three days were not just thought leadership but also practical, showing the “how to.”

David and Magnus kept busy on the show floor throughout the event meeting new prospects and showcasing our industry leading darknet platform, Vision UI, and meeting with several current clients and partners. With many current clients present, the DarkOwl team was able to spend time understanding how we can best optimize and elevate our current partnerships and how we can continue to provide the most value as their darknet data provider, focusing on continuing to build up our customer relationships and building trust. The DarkOwl team is confident there will be many follow ups and successful connections coming from our participation at FIC and looks forward to The International Cybersecurity Forum in 2024.


DarkOwl looks forward to continuing their presence at several international events in the future. You can see what conferences we will be attending coming up and request time to chat with us here.

[Developing] Despite FBI Takedown, Genesis Market Persists on the Darknet

Last Updated 10 April 2023 – 15:52 UTC

Update: The Genesis Market onion site is still online; however, there have been no new listings or activity since early Friday the 7th.

April 06, 2023

In the last 36 hours, the United States Federal Bureau of Investigation has announced the seizure of the criminal marketplace Genesis Market in an internationally coordinated effort dubbed “Operation Cookie Monster.” Our analysts detected the disruption to Genesis Market in the early afternoon of Tuesday, April 4th, which is consistent with other accounts that saw the popular marketplace replaced with the law enforcement landing page at that time.

Figure 1: Screenshot of the landing page of Genesis Market on the Surface Web after its seizure on April 4th taken at 12:30pm MST (Source, Genesis Market Surface Web)

Much reporting has focused on the arrest of at least 100 known users of Genesis Market on the surface web (or “clearnet”), and few outlets have discussed the fact that darknet mirrors of Genesis Market are still online. 

Figure 2: Login portal to Genesis Market on Tor, which is still live at time of publication (Source, Tor – Genesis Market)

DarkOwl Vision analysts detected the seizure notification of Genesis surface web domains just after noon MST on April 4th, though it is possible the seizure took place in the hours preceding. As pictured above, the message displayed a large banner and included the logos of the various international organizations they coordinated with to execute this operation.

The declaration from the FBI states that the marketplace’s domains were seized pursuant to a warrant issued by the United States District Court for the Eastern District of Wisconsin.

Interestingly, they end their message with a solicitation to readers of the notice to contact them if they themselves have ever been active on the illicit marketplace. The language and nature of the message suggests the FBI are still actively pursuing evidence to further their case in taking down the entirety of Genesis Market – including its darknet mirrors.

Figure 3: Closing message of the FBI’s statement posted on Genesis Market and to the DOJ press office (Source, Genesis Market Surface Web)

On Telegram, Arvin Club specifically mentioned that it was only the clearnet domains of Genesis Market that had been taken down (pictured below).

Figure 4: Arvin Club post specifying that all official clearnet domains of Genesis Market had been taken down (Source, DarkOwl Vision)

Quick Background on Genesis Market

Genesis Market is a well-known darknet marketplace that specializes in the sale of identity and account-takeover tools, which, in the case of this market, primarily means selling access to personal devices compromised with malware. When a buyer obtains a “bot” from Genesis Market, they are actually purchasing persistent remote access to an unsuspecting victim’s computer.

Figure 5: Screenshot of a dashboard from Genesis Market on Tor, which is still live at time of publication (Source, Tor – Genesis Market)

The goods described as “bots” on Genesis’ site frequently include cookies and related user logs, which in part explains the name “Operation Cookie Monster.” On a typical day, upon logging in, a user’s dashboard would look something like the above example. These advertised bots are tied to an actual human’s unique personal device.

Is it common for surface web domains to be seized, but not the onion mirror?

We asked our analysts about this potential scenario and they indicated that yes, this could be possible in a number of scenarios, including:

A) The onion mirrors are hosted on a different server that’s not subject to the warrant

B) Law Enforcement might want to run the onion service as a honeypot for a bit to catch those with higher OpSec

C) This is all an elaborate ruse

Given the official statements that have since been released by law enforcement, it is unlikely that this is anything less than an official operation, making option C a very unlikely scenario. In any case, chatter on Telegram offered a number of opinions reflecting those of our analysts above, including speculation about the seizure’s legitimacy and the possibility of an exit scam.

The screenshots below demonstrate the variety of reactions users had – including instructions and warnings urging others to take the situation seriously:

Figure 6: Users on Telegram discuss the legitimacy of the FBI takeover by pointing out technical flaws, such as the mobile-friendliness of the seizure posting (Source, DarkOwl Vision)
Figure 7: Users on Telegram speculate that the FBI seizure is a ruse and/or an exit scam (Source, DarkOwl Vision)
Figure 8: Users on Telegram continue to express confusion about the situation, and offer advice on how to minimize financial losses from a potential exit scam (Source, DarkOwl Vision)

Recent Activity Suggests Business Is Continuing as Usual on Genesis Market on the Darknet

Figure 9: Screenshot of Genesis Market Listings at 1:45 PM MST on April 5, 2023 (Source, Tor – Genesis Market)

At 1:45 PM MST on Wednesday the 5th, it appeared that activity had come to a halt on Genesis Market, with only one new bot added in the 24-hour period before the screenshot was taken. However, only a few hours later, at around 4:00 PM MST, this number had risen to 241 new bots offered for sale.

Figure 10: Screenshot of Genesis Market Listings at 4:00 PM MST on April 5, 2023 (Source, Tor – Genesis Market)

According to our analysts, Genesis does tend to go for periods of time without adding or updating content under regular circumstances. And, from our observations, there is often little to no activity over the weekends – so a 24 hour period with no new bots isn’t unheard of.

Based on new bot advertisements alone, one could claim it is business as usual for Genesis Market users on the darknet. However, given all of the press surrounding this matter, we speculate that the number of people actually buying from Genesis has dropped.

Future of Genesis Market

Regardless of when the dark web domains for Genesis Market inevitably go offline, the fact remains that dark web users will simply relocate to buy or swap assets such as the digital fingerprints Genesis was known for. Some chatter in private dark web sources indicates that the FBI seized the surface web domain names at the registrars and the associated servers, but did not actually reach the web host serving the onion site, which is why it is still online on Tor. Others are sure the persistence of the dark web criminal forum can only be explained by an exit scam or a law enforcement honeypot.

As to what comes next, chatter suggests users of the popular marketplace may relocate to 2easy or Russianmarket.

Figure 11: Users on Telegram discuss potential relocation options should Genesis Market be truly compromised (Source, DarkOwl Vision)

Stay tuned for more developments as our analysts continue to monitor this matter.


Contact us to see if your company’s name or credentials have been mentioned in high-risk places such as forums or marketplaces on the dark web.

[Webinar Transcription] The State of Secrets Sprawl 2023 Revealed

April 05, 2023

Or, watch on YouTube

In 2022, GitGuardian scanned a staggering 1.027 billion GitHub commits! How many secrets do you think they found?

This webinar details the findings of The State of Secrets Sprawl from GitGuardian, the most extensive analysis of secrets exposed in GitHub and beyond! Speakers Mackenzie Jackson, Security Advocate at GitGuardian, Eric Fourrier, Co-founder and CEO of GitGuardian, Mark Turnage, Co-founder and CEO of DarkOwl, and Philippe Caturegli, Chief Hacking Officer of Netragard, dive into the leaks in public GitHub repos, trends such as Infrastructure-as-Code, AI/ChatGPT mentions, and even investigate how leaked secrets move from GitHub to be sold on the deep and dark web.

Check out the recording or transcription to see the most significant trends observed in 2022, what to make of them for the future of developer security and get some practical tips on effectively managing and protecting your secrets.

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Mackenzie: Hello everyone. I’m very excited to be with you all today. Today is all about our State of Secret Sprawl report. I’m going to present some high level findings that we have in the report. Then I’m excited to say that our CEO is here with us today. He’s going to be joining us and he’s going to answer some questions rounding with the facts and how we found what we found in the report. Then we’ve got the CEO of DarkOwl, another fantastic company. We’re going to be talking about secrets on the dark web and other areas of the dark web. You may notice that DarkOwl participated in our report if you’ve read it this year – so we’ve got some more facts than just from GitGuardian. And then finally, we have a hacker with us to give us the hacking perspective. We have Philippe, who is from Netragard, and Philippe is the Chief Hacking Officer. Netragard is a company that does lots of services, but one of their services is pen testing. So Philippe gets paid to hack into systems and he’s gonna tell us how he finds and uses secrets to hack into everything.

Report Findings

Let’s get straight into it. What are secrets? What are we talking about?

So, secrets are digital authentication credentials. It’s a fancy word for saying things like API keys, other credential pairs like your database credentials or your username and password, security certificates. There’s a bunch more, but these are kind of the crux of what we’re talking about. These are what we use in software to be able to authenticate ourselves, to be able to ingest data, to decrypt data, to be able to access different systems. So these are our crown jewels. What we’re talking about today is how these leak out from our control into the public and into our other infrastructure.

So what did we find in our report? So the State of Secrets Sprawl is a report that we have been doing since 2021 and it outlines essentially what GitGuardian has found throughout the previous year of scanning for secrets.

One of the main areas GitGuardian looks for secrets is on public GitHub repositories. GitHub is a pretty massive platform. There’s millions and millions of developers on GitHub and billions of code, billions of lines of code and billions of commits that get added every single year into this huge data of source code. We scan all of it every single year to actually uncover how much sensitive information is being leaked on GitHub. And we also have some statistics about other areas, but we’ll start off with what we find in GitHub.

So last year we scanned over 1 billion commits throughout the entire year of 2022. So a commit is a contribution of code to a public repository in GitHub. That’s what we’re classing as a commit. If you’re not familiar with the terminology, you can think of it like uploading code. This happened a billion times last year in 2022. So that’s a huge amount of developers. There’s 94 million developers on GitHub and 85 million new repositories. So the numbers on GitHub are pretty astounding. HCL (HashiCorp Configuration Language) is the fastest growing language on GitHub. This is interesting because this is an infrastructure as code language. So infrastructure as code is actually bringing about new types of secrets.

We have released our report, so some of you may have already seen this, but we found 10 million secrets in public GitHub last year. This is an absolutely huge number. So what we’re talking about those API keys, so it’s credentials, we found 10 million of them in public. So it’s a pretty astounding number. And we’re going to break down exactly what we found in this report. But essentially what you need to know is that this increased by about 67%, and this is pretty alarming because the increase in volume rose by about 20% last year. So the volume went up by 20%, but we still found much more than 20% extra secrets this year. Last year we found 6 million. Now the only area that may explain some of it is that we expanded our detection, but not nearly enough by this amount. So it shows that the problem is really growing, which is quite alarming.

So this is the kind of evolution that we found.

And there’s a couple of things on that that really stand out for me. The number one thing for me is the “1 in 10” that you see on the right. What does that mean? So there were 13 million unique authors that committed code last year. 13 million developers pushed code publicly last year. So if you’re wondering why this is so far off the 94 million that GitHub claims, that’s because not all users push code actively and then push code publicly. They may be pushing code privately, but we are just talking about public contributions. 1 in 10 public committers leaked a secret; 1 out of 10 developers that push code publicly leak secrets. To me, this is the most alarming statistic. This can finally put to bed the idea that it’s just junior developers doing this. And there’s other evidence that we have around that. So this shows that it’s a really big problem and something that’s going to happen to a lot of us.

We also can see that about five and a half commits out of a thousand exposed at least one secret. And so this is the biggest oranges to oranges comparison that we had to last year. And it showed that number increased by 50%. So the total number increased by 60%, but an oranges to oranges basis, it’s increased by about 50%. So pretty alarming statistics.

Now this is a slide here. What countries leaked the most secrets?

This slide to me, doesn’t show what it appears to show – this slide doesn’t really show that India is the worst country for leaking secrets. This slide shows that probably India, China and the US have the biggest populations and they’ve got strong developer bases. So I think we can take this with a grain of salt. We can see that this is actually in line with what we’ll see with large engineering populations. If you’re wondering why China isn’t number one based on just that, since it has the largest population: there are GitHub alternatives in China that are commonly used. So that probably explains that. So this more shows the frequency of use.

What type of secret leaks the most? The largest leaker is data storage keys. Next on the list is cloud provider keys, then messaging systems, and then private keys.

So we have specific detectors and generic detectors. So a specific detector is like for a cloud provider would be like AWS GCP. And then we also have detectors that catch what’s left over, which we know that this is a secret, but we don’t know what exactly it is for. This will be like a username and password. So we don’t know what system this username and password actually gives access to, we’re confident that it’s real, but we don’t have the additional information from that. And so we have different types of generic detectors. So generic password is a number one generic interview string, but we also have different types like usernames and passwords coming in at 2.8%. So pretty big jumps in there.

What name of file would commonly leak secrets? The biggest leaker that we have is .env files. This is the most sensitive file and this is one that can be prevented easily with a .gitignore file. We shouldn’t be letting .env files into our repositories. And if we are looking at unique detectors, the number one detector that we find is the Google API key. Next to that we have RSA private keys, generic private keys, cloud keys, PostgreSQL, and then we also have GitHub access tokens.

Secrets with Eric Fourrier, CEO and Co-Founder, GitGuardian

Mackenzie: Eric, I’m gonna dive straight into some questions here. One of the things that I know a lot of people are interested in is how did get GitGuardian start and why did you start scanning public GitHub for secrets and other areas? How did this all kind of come about?

Eric: Yes, it’s a great question. I’m a former engineer and data scientist. So my background is more data science and data engineering. You can see it in the report – we share a lot of data analyzed, tons of data. As a data scientist I was used to working a lot with teams of data centers, and we used a lot of the cloud and cloud keys to connect to the service, to be able to manipulate data and provide statistics on it. And actually in my time there, I was like, uh, really? I really saw the problem of credential leaks, for example AWS secrets in Jupyter Notebooks just to connect to your pipelines. And I was seeing a lot of credential leaks and we said that essentially this is definitely an issue, and could we train some algorithm and try some models to resolve this issue at scale? GitHub was actually a fantastic database of source code where I could train this model to detect secrets. And it started just like, I would say, as a simple side project to see what we could find on GitHub. And it started by just analyzing the full realtime flow of commits on GitHub, starting with a few detectors, with AWS and Twilio at the time, and the first model we built found 300, 400 secrets a day.

Now you can see it’s way more, it’s more like 4,000 – 5,000 a day. After that everything went really quickly, we released pro-bono alerting. So this idea of, at each time we were able to find the key on GitHub, we send an alert to the developer saying, you basically click the secret here on public git. And after like, we received really good feedback from the community, created a free application for the developers and after monetize with product for enterprise. We continue with this product-led growth approach and trying to help the developer to provide secure code and start it this way and continuing on this path.

Mackenzie: Let’s talk about the report a little bit more. What has led to this increase in secrets leaking? We’re seeing it every year, and it’s not by like a marginal amount where it could be some small factors. Do you have any ideas or insights into why we are seeing this problem persist and keep going?

Eric: Yeah, it’s a combination of multiple elements. First, a few that are highlighted in the report: there are more and more developers on GitHub. So we are scanning more and more commits. We have analyzed and scanned 20% more commits this year than last year. But as you said, it’s not just the increase of the commits we are scanning – it cannot explain the number of secrets we’re finding. So on the other side, we’re also improving our secrets detection engine, meaning we are adding new detectors or detecting new types of secrets, but also improving our existing detectors. So our ability to detect secrets, and trying to keep the precision high, meaning not detecting too many false positives. So we always try to, especially on public data, keep a precision rate of 70%. I would say it’s really important in all security products to not flood the security team with too many false positives, because after, they just don’t look at the alerts anymore.

I will say, the third point is, even with that, the problem is not going away. You can find multiple ways to explain it; more and more developers on the market that don’t know Git, so need to learn. You can see in the report that there is no obvious correlation between seniority and the amount of secrets leaked, but still, it can be the growth of the developers, and the growth of junior developers can also explain why secrets are still leaking. I would say the issue is definitely not solved on the public side and on the internal side.

Mackenzie: Being completely honest, I expected the number to remain the same. I was even slightly expecting it to go down this year because there are some initiatives and the problem we’ve kind of become a bit more aware of it. So I was quite surprised to see that actually, we took another big jump up. So for you, was there anything that stood out in the report when it all got compiled that was surprising to you? You’ve been scanning public GitHub for longer than any of us, so does anything surprise you at this point? Or was there something in the report this year that was, that still continues to surprise you seven years on?

Eric: I really like the fun facts. I’m always amazed by the correlation of the number of secrets we find, the number of secrets leaked, and the popularity of API vendors and providers that we had. We have this really different statistic with OpenAI API keys to connect programs to ChatGPT that went from, we were finding maybe 100 a week in early 2022, and now we are finding more than 3,000 secrets a week. So it jumped 30 times more than one year ago. I think it’s just passed the Google API key, and you can see it, it’s really correlated with the trend of OpenAI right now with developers and in tech in general.

The other thing, the number of leaks actually that are correlated to the use of a secret. So I think it’s amazing to see that in a lot of the past leaks; Okta, I should look at Okta, Slack and all the ones that are in the report, at some point, the secret is not the starting point of the attack, but at some point a hacker is able to find a secret to leverage the attack and do lateral movement.

I’m also amazed by some vendors that when they have those code leaks, just try to minimize the incident. And for us, scanning the open source code, we definitely know that if a company is leaking its source code, they will also leak secrets, and so they will leak PII. So just declaring that leaking source code is not bad because it’s not confidential information is a little bit, I will say, maybe naive. It just shows that we have still a lot of education to do.

Mackenzie: That segues me into my final question for you. You talked a little bit about education this year. This is a two-part question. What can we actually do about leaked secrets from an organization, so what can an organization do? And two, what can we as a community as a whole, what can we as developers and community, what can we do to try and keep this problem, well prevent it from getting worse and potentially maybe one year, the number of secrets going down even?

Eric: So I think now we, especially if it’s publicly leaked on Git, when you reach a certain size of developers, what was a probability of leaking secrets becomes, I will say, more of a certitude. So it means you will leak secrets and you are just waiting for it to happen. So you definitely need to put some mitigation in place, and especially after, I will say internal, when you look at more secrets in internal repos, we find way more secrets in internal repos than public repos. It’s a big challenge for our companies – the remediation, so how we are able to detect all the secrets, but after, how you remove it from source code. I think in the industry and from a technology point of view, it’s really interesting. There is some stuff happening right now with, especially for passwords, trying to replace passwords with passkeys. These initiatives are great, but they would take years, even dozens of years probably. And it’s more like designed for password identification than API keys and machine-to-machine identification. So, I will say for API keys and secrets too, you have the rise of secrets managers, like Vault, trying to push protectionary measures such as dynamic key rotation, which are great.

To generate these dynamic tokens, you need long-lived tokens that, we all know that developers hate regenerating tokens and generating these short-lived tokens, and they prefer to use long-lived tokens and install them once in their environment. So there are solutions, really promising on this side with them on the technology side. So on the detection side, I think a lot of work has been done. Looking at some API providers, they have been doing some rework to prefix the key so it’s easier for a detection company like us or the vendors to detect them. It can be actually a little bit also controversial because it means that it’s also easier for attackers to detect them.

So maybe it could be interesting to work on some other way to do it. Maybe like signatures that are only known by different teams and stuff like that. I think there is definitely some innovation, but it still can improve. I think we can do better. I think the big focus now, you have a lot of detection that is becoming more and more performant on the type. And it’s really, I will say, a big, big target or goal for companies is prevention and remediation. So how I make sure that there are no more secrets entering my code base and that the historic secrets get removed and I achieve this zero secrets in code. And yet the big challenge here is how to do mitigation at scale.

So you can use shift left and pre-commit for developers, educating developers, and really try, especially for large companies, to remediate at scale. And it’s a big challenge, and we have seen it with our customers and it’s definitely something we are pushing for. It’s really this maturity for us as a vendor that has shifted from being able to detect, and it’s always really important to be able to detect secrets. But now it’s really how we can remove all these secrets from the code base and make sure that we have no more secrets in code.

Mackenzie: It’s interesting you’re talking about the problem shifting from it being difficult to detect them and now it’s difficult to remediate them.

Eric, I am going to thank you so much for joining us now.

So we are gonna move on to our next speaker now. We have Mark Turnage, who is the CEO of DarkOwl.

Eric: Thank you. Very nice to be here. Thanks for having me, Mackenzie.

Role of the Darknet in Secrets with Mark Turnage, CEO and Co-Founder, DarkOwl

Mackenzie: Mark, can you tell me a little bit about DarkOwl as an organization and how you fit into this discussion today?

Mark: DarkOwl’s about five years old. We are a company that extracts data at scale from the darknets, and I use darknets as a plural. I’ll come on to that. The reason we do that is, we’ve accumulated what’s probably the world’s largest archive of darknet data that’s commercially available now. Why is it important for someone to do that? It’s important because many of the secrets that we’re discussing in this report and that we are discussing here today are available for sale or for trade, or oftentimes just for free in the darknet. And any organization trying to assess risk and trying to assess where their risk lies, has to have eyes on the darknet, across the darknet to be able to see where their exposure might be. And we provide that for our clients. Our clients include many of the world’s largest cybersecurity companies, as well as governments who are monitoring the darknet for criminal activity.

As you can see on this slide, we provide that data through a number of different means to our clients.

Mackenzie: You said darkwebs, plural. What is the dark web and how has it evolved to perhaps what I might have thought about it ten, five years ago?

Mark: That’s a very good question, because different people refer to dark web or darknet, as very different things. Traditionally, the darknet, originally referred to the Tor network and was originally, ironically, set up by the US government as a secure communication platform. But the key defining feature of any darknet, including Tor, which survives to this day, is the obfuscation of user identities, but the ability to continue to communicate in spite of the fact that a message or an email or a communication can be intercepted by somebody sitting in the middle, but still cannot tell who the users are. So, obfuscation of identities makes it an ideal environment for criminals to operate in.

This slide right here is actually a very good representation of that. When we talk about the darknet, we’re talking about the bottom of the slide. I mentioned Tor, I2P, ZeroNet. There are a range of other darknets that have grown up and these are places that generally require a proprietary browser, which is easily available, to get access to. And these are places where people can go and congregate and discuss among themselves and trade data and sell product and sell goods, where the user identity is obfuscated.

The reason why your question is a good one is that people oftentimes confuse the darknet with the deep web, or even some high risk surface websites or messaging platforms. So right directly above it on this slide, you see the deep web, there are a range of criminal forums, marketplaces that exist in the deep web. We watch those as well. Everything in red on this slide we collect data from. And then there are high risk surface sites, particularly pay sites where data is posted from the darknet. Increasingly, and this is a real significant trend in our business, increasingly hackers, activists, malicious actors are turning to direct messaging platforms, peer-to-peer networks. The most active of those right now is Telegram. And so we collect data from those sites as well. Going back to the original comment, having eyes on the data that is in these environments is critical for any organization to understand their exposure.

Mackenzie: Putting this in context with the report that we released, how do these secrets and other credentials and areas end up on the dark web? And if a credential was in public GitHub, for example, is it possible that that will end up in the dark web for sale, for free?

Mark: Yes, absolutely. And so the first question is how do secrets make their way to the dark web? We estimate that well over 90% of the dark web today is now used by malicious actors. So activists, ransomware operators, oftentimes nation states or actors acting on behalf of nation states in the darknet sharing secrets, trading secrets, selling secrets, and it is the core marketplace for this type of activity that goes on. In the GitGuardian report, you see this very clearly. When you look at the range of statistics, many of those API keys, many of those credentials, certs, IP addresses, known vulnerabilities, code is put into the darknet, either for sale or oftentimes you will see actors simply share their secrets or share a portion of their secrets for free in order to effectively gain a reputation or gain points on a site to then be able to sell data at a subsequent point. So there’s an enormous amount of data that is available in the darknet. If somebody just goes in there and sees it, the challenge without a platform like ours is to search the darknet more comprehensively and say, I’m looking for a specific API key, or a type of API key. And I want to see where these are appearing. Without a platform like ours, you don’t have the ability to do that.

At the bottom you see some of the statistics that exist in our database. We’ve taken in, in the last 24 hours, 8.4 million documents out of the darknet; at latest count as of yesterday, we have 9.4 billion credentials. 5 billion of those have passwords associated with them in our database. And obviously, you know, it is stunning actually how much data is both shared and then re-shared in the darknet, so we have access to that. It is staggering the scale of what’s going on here. I’ll just pause and say one more thing, which is the darknet and the use of the darknet by these actors is growing: more darknets are being set up, more data is being shared. This goes to your point, Mackenzie, with Eric, how do you actually, how do you mitigate this? We’re seeing more and more data, not less and less data, available.

Mackenzie: I’ll ask you one more before I bring on our next guest. Are you seeing any other trends in the dark web that we should all be kind of aware of or should know about?

Mark: Well, I mentioned one which is the increasing shift to peer-to-peer messaging platforms like Telegram, Discord and so on. Another trend that’s been very interesting over the last 24 months is the impact of the Ukraine War on the darknet. Criminal groups on the darknet split apart as a result of the Ukraine war and spill each other’s secrets into the darknet. So ransomware gangs in particular have split apart, some backing Russia, some backing Ukraine, and shared each other’s secrets. And what is really shocking is to be able to see the inner workings of how these criminal gangs operate. And so all of that is available as well on the darknet. But it affects what we’re talking about here today because many of the ways that code repositories’ publicly available secrets are then exploited, they’re exploited by these very gangs. And you will see discussions about this vulnerability. Here’s a set of AWS keys that we can use to get access to certain types of networks. You can see those discussions unfold in real time on the darknet.

Mackenzie: Well, it’s very alarming. Mark, thanks so much for being here.

Secrets in the Hand of a Hacker with Philippe Caturegli, Chief Hacking Officer, Netragard

Mackenzie: So we have another guest here; we’ve brought on a hacker, Philippe.

Alright, first question; could you explain a little bit about what you do and what does Netragard do and what do you do as the Chief Hacking Officer at Netragard?

Philippe: So, we hack our customers. We get paid to hack our customers. Basically penetration testing is attack simulation. So, we’ll use the same tools and techniques and procedures as attackers or black hat attackers would use. The only difference is that at the end we write a report that we publish to our customers instead of selling it for money or publishing the information that we see on the internet.

Mackenzie: But from all that, you basically operate the same way a hacker would.

Philippe: Exactly the same, same method, technique, exactly the same way. And it goes both ways. So we simulate some of the attacks that we see in the wild from attackers, but we’ll also try to come up with novel techniques, or attacks that are then being mirrored by the bad guys.

Mackenzie: So with that in mind, how is it that hackers actually see secrets? We talked about them being on the dark web, we’re talking about them being in public. How do you discover them? How do you use them?

Philippe: I like to say that the internet never forgets. So everything that gets published on the internet, whether it’s voluntarily or not, a hacker will find it and try to exploit it. So it’s just, it’s not a matter of if, it’s a matter of when, it’s just a matter of time when it’s going to be discovered by an attacker as long as it’s published. So a few years back we used to have a few scripts monitoring some of the dark web and trying to find some secrets and using Google dorks to find those secrets. But nowadays there are companies like GitGuardian or DarkOwl that do a way better job than us at finding those secrets. So typically we actually use those platforms to find the secrets. The goal of the pen test is not necessarily to just find the secret, but it’s to show what we can do with the secrets or go beyond identifying the secrets, but it’s to exploit it and go beyond that.

Mackenzie: This is something that a lot of people have questions about too – Is it okay if I leak a Slack credential, for example, is it really a threat?

Philippe: Absolutely. Slack is one of my favorite keys to be leaked because there’s plenty of information that is not necessarily public, but that we get access to by just having one API key. I’ll give you one example. In one of the tests, we actually found an API key for a Slack user. We used this key to actually start monitoring everything that was happening on the Slack for this customer, all the channels. There’s a nice API for Slack that’s called “realtime messaging”, so you can actually get all the messages in real time. Then we just sat there for like a week waiting for developers to share secrets or secrets to be shared. We didn’t stop here. We didn’t wait for a week. We were doing some other tests and attacks. I remember at some point we managed to compromise one employee’s workstation. The IT security team discovered that we compromised this workstation through some alerts, and they started to do the investigation. And the way they did the investigation was ping the guy on Slack and say, “Hey, can you join this WebEx and share your screen so we can look at your computer?”, because the user was remote. Of course we had access to Slack, so we joined the WebEx meeting, and we sat for six hours looking at our customers doing the investigation, like the incident investigation and trying to find what we’ve compromised. So yeah, I start stopping at getting the keys to go all the way there and try to identify all the possible improvements that our customers could do to prevent it. Secrets are going to happen, but what can you do to lower the impact if it’s going to happen? Can you detect it quickly, and even if it’s leaked and it’s being exploited, how far can the attacker go, can they compromise everything from there, can they get access to more secrets or can they be stopped?

Mackenzie: Could you give us some examples of some attacks that you’ve done where you’ve actually used secrets and how you’ve used these in real-life attacking exploits?

Philippe: A few examples. This one, it’s pretty common: stored on a web server, hoping that nobody would find it, or for some reason they shared it. This was just reports, so it’s just a matter of finding it by browsing to this slash report, we could find all these documents. What was interesting in this document is that it was actually a configuration file. So that was a telecom company, and that was a configuration file of their customers’ routers, including passwords and keys and all that. You can ask the question, is this a problem of misconfiguring the server or the developer or whoever came up with the idea to share the reports on a public website with secrets? I would argue that’s not even the configuration of this web server. The name of this file could have been found. It’s just that it was easier that the directory listing was enabled, and we could find the files. But otherwise it’s just a matter of time to just try to enumerate and get those files. So anything that is on the internet, on a server that is exposed to the internet, should be considered public, whether it’s hidden somewhere or not, an attacker will find it at some point.

Then we can find things like this, these are my favorite, plenty of tools used by developers. This one again, was trying to hide it in a secret folder somewhere on the website. These are tools that are used by developers to try to debug their software or programs. These are my favorite because there’s not even any security. It’s just like we’re able to send queries straight into the database. We don’t even have to exploit any vulnerability. They give us access to all their internal tools.

The typical SSH key that we find on servers directly. One of the main differences between the tools like GitGuardian and publishing keys on GitHub and the work that you guys do is, it gets detected pretty quickly so it gets burned. I say burned, it’s like somebody’s going to exploit it within minutes of being published on GitHub. I don’t know if you have some statistics on that and how quickly the key goes from being published to being exploited. From our perspective as pen testers, it’s not as useful as it used to be because now there are so many attackers or criminals monitoring this and exploiting it within minutes. The difference between us doing a pen test and the bad guys is that the pen test is at a point in time. So we have to be really lucky that a developer is going to publish a key or secret during the time of the pen test. But once the pen test is done, the attackers won’t stop. I mean, they are scanning the internet all day long and looking for things to exploit. The other difference between the pen test and the bad guys is the pen test is targeted to our customer, whereas the bad guys or the attackers, most of these attacks are opportunistic. So whatever secret they’re gonna find, they’re gonna go after the company that leaks the secrets, whether they purchase a pen test or not. That doesn’t matter to them. So that’s the main difference.

So when we can find secrets like this that are not published in a public repository, they have a much longer lifespan and they can stay on the server for years without anybody noticing it. A few years back, there were AWS keys that would be leaked even on GitHub we could use; now within seconds they get disabled by AWS, which is a good thing, but the reason they did this is because attacks were exploding. So anything that we can find that is not publicly available, that’s why the dark web and the things that DarkOwl has, is also useful. Things that are still on the internet, but nobody really knows about it – it’s a lot more valuable because the lifespan of the value of this information is much greater.

So for this one, that was pretty easy. SSH key, just gives us access to the kingdom. It’s just a misconfiguration and it turns out that they actually configured the web server through the directory and then we could get access to the SSH key. So from there, that’s my favorite kind of misconfiguration, because there’s almost nothing to exploit. I mean, the exploit is just trying to find this misconfiguration, or we have the key, we don’t even have to find like a crazy zero-day exploit or vulnerability; use the key and we get in the server and then from there try to move on to other targets.

Mackenzie: That’s super interesting. We’re getting close to running out of time, so I am going to invite everyone back onto the stage and run through some questions.

Questions and Answers

Mackenzie: I’m assuming this one here is for GitGuardian and Eric, “Can different platforms be covered by your tooling, like GitLab, JIRA, Notion, Slack, et cetera?”

Eric: That’s a great question. So we have a, actually, we have a CLI that is able to scan other platforms like Docker images, S3 buckets. But as native integration, we still have all the VCS: GitLab, Azure DevOps, and Bitbucket. So because what we find in our analysis is most of the secrets are leaked on VCS right now, I think that the tough part is we need the remediation and if you succeed to remove all the secrets that would be great. But definitely there are secrets leaking in other platforms and it’s definitely a problem to tackle.

Mackenzie: The next question is for Mark. This one’s actually referring to dark web currencies. This question was asked when you were talking about the fact that they leak it for credit, for social credits – is there a kind of level to this? So the question exactly is “would it mean that you would have to leak information to gain reputation, to gain access to higher levels of secrets?”

Mark: That’s absolutely correct. I compressed my comment into a very short period of time; when I say credit, I mean reputation on a platform and oftentimes users have to share information in order to get to another level to get access to even rarer types of data. So that’s absolutely right. When I talk about social credit or credit, I’m talking really about reputational credit.

Mackenzie: I guess this one here is for everyone. “What is your opinion on encrypted secrets? Does it produce a lot of false positives by secret scanning tools? Does this make it more difficult to find from the dark web or exploit? Or can we uncover this, break these encryptions when we encrypt credentials?”

Mark: I want to make sure we’re talking about the same type of encryption. Oftentimes credentials that are put in the darknet will have hashed passwords associated with them. And we can see that and we can detect that as a hashed password, and we can actually classify that as a hashed password. Clearly it’s gonna generate a lot of false positives by scanning tools. I think that’s just part and parcel of it. We’re getting better at understanding what those are and categorizing that set of data. But I’ll defer to Eric as to whether or not they have an effect in terms of your scanning tools and do they result in false positives?

Eric: Yeah, so it’s, yeah, it’s a great question. So I will say for us, a hashed credential is not considered as a secret. Now if it’s an encrypted credential, like for example, a certificate or SSH key, if the encryption is weak and it’s breakable, I definitely think it’s a leak. I don’t think it’s so common in terms of frequency. So you find way more actually private keys and encrypted keys exposed on GitHub. I will say it’s definitely a subject. Definitely we need to filter by, if we take all the encrypted credentials, there will be way too many false positives. If we segment to those that have weak encryption and that we can break with an algorithm, it’s definitely doable.

Mackenzie: I have a question here for Philippe; “How much do secret vaults actually keep hackers from accessing secrets? You know, how would you try and hack a company that uses a secrets manager?”

Philippe: It’s actually pretty efficient, but with the caveat that because it contains so many secrets, it becomes the first or the primary target. So we had some examples where we had some customers using Vault. Sadly they were not using it the right way. So the root key was in the environment variable. So as long as we managed to compromise one of the servers and get root access, then we had the key. And then from there, the impact is even worse because now we are not stuck to just this one server, but we have access to all the keys from all the vault, and that was the root key. So not only did we have access to one vault, but we had access to all the vaults of all the customers. So there are pros and cons; as long as it’s properly implemented and used, it’s very efficient. The problem is sometimes it’s not well understood and just having this key in an environment variable gives you the key to the kingdom and it’s like the primary target for an attacker to go after this vault. So it’s good if it’s well used.

And to go back, just to the previous question about the encryption, from an attacker’s perspective, it depends how the encryption is used. Quite often we see that the secrets are encrypted, but the key, the encryption key, is stored with the secret. So it’s pretty much useless. It just makes it harder to detect, but it doesn’t bring any value because an attacker will have access to the system and be able to decrypt those keys.

Mackenzie: What’s the difference between a data loss prevention tool and secrets detection; and can they be compared?

Eric: I will say that GitGuardian solves a part of the data loss prevention world. So we are really focused on secrets on public data. Our main focus is really more code security, so trying to improve the overall generation of code starting with secrets detection. But DLP is a way bigger world. I think what Philippe has spoken about is really about finding open servers in the wild, servers that will contain sensitive documents. You have also the dark web and the deep web as Mark mentioned. I will say it’s trying to solve the problem of, what’s my digital footprint on the public and deep internet and how can an attacker use it? And I will say secrets on GitHub are a portion of that, that’s actually really effective and that you should consider, but it’s a fraction of the space.

Mackenzie: Do we see any correlation between cloud provider usage and leaked secrets?

Eric: There is definitely a correlation between the number of secrets leaked and the popularity of cloud providers. It’s just sometimes you can have outliers. So if somebody decides to try to publish 1 million keys, you have some people that have funny behavior on public data that can actually create some abnormality in the statistics. But yeah, usually it’s really correlated. So you see AWS first, after that Azure, and after that GCP.

Mackenzie: Mark, do you guys see insights like this for what tools are kind of becoming most popular, and I guess we can extend this beyond cloud providers into what you’re seeing in leaks?

Mark: There is a direct correlation between volumetric usage and the amount of data that gets leaked because they’re bigger targets. So if you have a bigger target and they’re being hit by more people and more data is being extracted, or more leaks are being extracted and that data makes its way, obviously the size of the particular target makes a difference in terms of the correlation in what we see. The exception to that is the occasional random, popular, small site that gets attacked.

Mackenzie: Thank you very much. Thank you.
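The detection trade-offs discussed in the transcript above, vendor-prefixed keys being easy to match, hashed credentials not counting as secrets, and keeping false positives low, as an added example that is not GitGuardian's or any panelist's code. The detector patterns, the entropy threshold and the sample input are constructed for illustration.

```python
"""Minimal secrets detector: prefixed-format patterns plus an entropy-gated
generic rule, with hashed credentials filtered out. Added example; the
patterns below are constructed approximations, not any vendor's spec."""
import math
import re
from dataclasses import dataclass

# High-confidence detectors for vendor-prefixed formats (constructed patterns).
PREFIXED_DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
}
# Generic "name = value" rule; noisy, so its hits are gated by entropy below.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9_\-/+=]{16,})"
)
# MD5 / SHA-1 / SHA-256 sized hex digests: a hash, not a usable credential.
HEX_DIGEST = re.compile(r"(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})")
ENTROPY_THRESHOLD = 3.0  # bits per character; assumed tuning value


@dataclass
class Finding:
    kind: str
    lineno: int
    redacted: str


def shannon_entropy(value: str) -> float:
    """Bits per character of the value's character frequency distribution."""
    if not value:
        return 0.0
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Report enough to locate the secret without reprinting it in full."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_line(line: str, lineno: int) -> list[Finding]:
    """Prefixed formats win outright; generic matches must pass the filters."""
    for kind, pattern in PREFIXED_DETECTORS.items():
        m = pattern.search(line)
        if m:
            return [Finding(kind, lineno, redact(m.group(0)))]
    m = GENERIC_ASSIGNMENT.search(line)
    if not m:
        return []
    value = m.group(2)
    if HEX_DIGEST.fullmatch(value):
        return []  # hashed credential: stored, not directly usable
    if shannon_entropy(value) < ENTROPY_THRESHOLD:
        return []  # repetitive placeholder value, treated as a false positive
    return [Finding("generic_assignment", lineno, redact(value))]


def scan(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(line, lineno))
    return findings


# Constructed sample input; none of these values are real credentials.
SAMPLE = """\
# constructed sample config
aws_access_key_id = "AKIAEXAMPLEEXAMPLE12"
SLACK_TOKEN=xoxb-000000000000-000000000000-constructedsampletoken
password = "aaaaaaaaaaaaaaaaaaaa"
api_key: "Zq8f2Lk9Pw3xVb7mNc4rT6yH"
password: 0123456789abcdef0123456789abcdef  # stored hash
db_password = "changeme"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.lineno}: {f.kind} {f.redacted}")
```

Only lines 2, 3 and 5 of the sample are reported: the all-`a` placeholder and the hex digest are dropped by the entropy and hash filters, and the short `changeme` never matches the generic rule.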
About GitGuardian:

GitGuardian is helping organizations secure the modern way of building software and foster collaboration between developers, cloud operations and security teams.

We are the developer wingman at every step of the development life cycle and we enable security teams with automated vulnerability detection and remediation. We strive to develop a true collaborative code security platform.

Learn more here: https://www.gitguardian.com/

About DarkOwl:
DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. Our platform collects and stores data in near real time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. DarkOwl offers a variety of options to access their data.

To get in touch with DarkOwl, contact us here.

Threat Intelligence RoundUp: March

April 03, 2023

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. New MacStealer macOS malware steals passwords from iCloud Keychain – Bleeping Computer

A new information stealer named MacStealer targets Mac users specifically. The stealer can take credentials that have been stored in the iCloud Keychain, web browsers, crypto wallets, and other sensitive files. It is being sold for $100 as malware-as-a-service and was first spotted by Uptycs analysts on a darknet forum. It works on macOS Catalina up to Ventura. MacStealer is distributed as an unsigned DMG file with the goal of tricking the user into executing it on their machine. Then the malware will gather passwords, put them in a ZIP file, and send them to a C2 controlled by the actor who will notify them by Telegram channel. Read full article.

2. FTC says online counseling service BetterHelp pushed people into handing over health information – and broke its privacy promises – The Federal Trade Commission

BetterHelp offers online counseling services. Health information, especially mental health information, is of utmost importance to keep confidential. According to the Federal Trade Commission (FTC), BetterHelp pushed people to take an Intake Questionnaire which prompted them with questions about sensitive health information, and they could not move on in the questionnaire until those questions were answered. Read more.

3. Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency – The Hacker News

An old security flaw in Progress Telerik was used by multiple threat groups to break into a “federal civilian executive branch (FCEB) agency’s Microsoft Internet Information Services (IIS) web server.” The security flaw exploited was a .NET “deserialization vulnerability affecting Progress Telerik UI for ASP.NET AJAX.” CISA, the FBI, and MS-ISAC (Multi-State Information Sharing and Analysis Center) disclosed the information in a statement; the bad actors had access from November 2022 to early January 2023. The CVE that was exploited, CVE-2019-18935, is commonly exploited by threat actors and has been used by the group Praying Mantis. Read more.

4. BidenCash market leaks over 2 million stolen credit cards for free – Bleeping Computer

BidenCash, a darknet marketplace known for its carding data, has released a free database of 2,165,700 debit and credit cards to celebrate its one-year anniversary. According to researchers from Cyble, 2,141,564 of the records are unique and the remaining thousands are duplicates. The released data contains the information that makes up “fullz”: financial information leaked together with personal information (PII) such as address, email, etc., which cyber criminals can leverage for sophisticated social engineering, phishing, or other attacks. Free credit card leaks as promotions for users are a marketing technique BidenCash has used before. Read full article.

5. Silicon Valley Bank collapse poses challenge for cybersecurity defenders, firms – The Washington Post

The collapse of Silicon Valley Bank in mid-March quickly became a new playground for cyber criminals and cyber attacks; as we have seen time and time again, hackers and cyber criminals often wait for tragedy to hit before striking. This is the perfect scenario for a financially motivated threat actor. This article outlines who should be concerned and the scams to watch out for. Read here.

6. Cybercriminals Targeting Law Firms with GootLoader and FakeUpdates Malware – The Hacker News

GootLoader and FakeUpdates (SocGholish) are two malware families that have been used in separate threat campaigns targeting six law firms this January and February. GootLoader has been around since 2020 and can deliver Cobalt Strike and ransomware. Threat actors compromised WordPress sites and added new posts containing “business agreements” that, when downloaded, delivered GootLoader. SocGholish uses sites commonly visited by law firms to carry out watering hole attacks; this malware strain does not deliver ransomware. Both campaigns show the trend of browser-based attacks growing in popularity as an infection vector and starting to compete with the traditional method of infection via email. Read more.

7. First-known Dero cryptojacking operation seen targeting Kubernetes – Bleeping Computer

Dero is a cryptocurrency advertised as more secure than Monero. However, it has recently been the focus of a cryptojacking operation. In this attack, threat actors target vulnerable Kubernetes container orchestration infrastructure with exposed APIs. Read more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

April Fools? How Threat Actors Try to Trick You With Phishing Emails

Threat actors get crafty with their phishing scam techniques, which is no laughing matter.

April 01, 2023

Diving into Phishing Trends by Categorizing Phony Emails

To learn more about trends in the phishing and spam email landscape, our analysts created accounts for fake email addresses that were posted on the darknet. These addresses were mainly sourced from combolists, which are large batches of credentials that typically come from a variety of different breaches or were otherwise illicitly obtained.

Over the course of the year, 1,407 emails were sent to these email addresses. Given the context they were found in, these addresses likely exist only to be used by threat actors, much like other combolists posted on the dark web: that is, to be run through a credential stuffing tool to find working email/password combos and commit account takeover, or to be targeted with malicious phishing emails.

To demonstrate examples of the kinds of dubious emails our analysts received, we ranked them by most popular to least popular and assigned them with the following categories: Personally Identifiable Information (PII) Stealers, Fraud, Malware, and Spam.

Read on to see what type of scam and spam emails were the most popular amongst threat actors over the past year, and to see what key trends our analysts observed in the world of phishing.

1. Sales Spam (26%)

Type: Spam

Of the 1,407 emails, a whopping 365 of them were generic sales spam with no clear motive. This suggests the reason for sending them was unlikely to be to commit fraud.

365 of the emails were sales/personal services spam

2. Survey Scams (17.5%)

Type: PII Stealer, Fraud

Most of these emails invited the recipient to take a survey to win a gift card to popular stores like Walmart, Ace Hardware, and so on. This can be used to gather personal information from the target to execute more refined spearphishing in the future, or leveraged for account takeover.

245 of the emails were survey scams

3. “I hacked you” Scams (16.8%)

Type: Fraud

“I hacked you” scams typically contained some variation of a threat such as “I caught you on webcam,” with the sender threatening to release “footage” or encrypt the recipient’s computer unless they pay a Bitcoin ransom. There was a significantly higher number of emails in this category than observed in previous years.

237 of the emails were “I hacked you” scams

4. “You’ve won free stuff” Scams (7%)

Type: Malware

97 of the emails claimed that the recipient had won some type of reward, including reward points, commercial goods, rebates, and so on. Once the target clicks the link or opens the attachment to claim their “free stuff”, they end up installing ransomware instead.

97 of the emails were “you won free stuff” scams

5. Phone Scams (6.8%)

Type: Malware, PII Stealer

Designed to get around endpoint security, these emails contain a fake invoice for a software subscription together with a real toll-free “customer assistance” number. Once the victim calls, the operator usually attempts to social engineer them into revealing PII, or tricks them into installing ransomware. Overall, we saw a big uptick in these compared to previous years, with many leveraging big names such as Geek Squad, McAfee, and Norton.

96 of the emails were phone scams

6. “Generic” Scams (4.8%)

Type: PII Stealer, Fraud

A significant portion of the email data set fell into the category of “generic” – including scams and “advanced fee” schemes. These are mainly weaponized to steal personal information and commit financial fraud or identity theft.

68 of the emails were of the old-school variety, such as 419 scams

7. Counterfeit Spam (4.1%)

Type: Spam, Fraud

These emails advertise below-market prices on high-end brands; the goods on offer are ultimately counterfeit. Of the 58 sent to our analysts, most advertised well-known luxury brands such as Louis Vuitton and Ray-Ban.

58 of the emails were counterfeiting spam

8. Junk Car Scams (3.7%)

Type: Fraud

“We’ll buy your car” scams continue to be fairly consistent in popularity, though they may not be reported on as often as some of the other categories on this list. For further reading on this topic, our analysts suggest this resource that outlines 5 common scams for prospective car sellers.

53 of the emails were junk car scams

9. Fake Lawsuit Scams (3%)

Type: PII Stealer

“You could be eligible for compensation” – these types of infostealers usually falsely claim the victim could be eligible for compensation if they participate in a phony lawsuit.

42 of the emails were fake lawsuit scams

10. Elder Abuse Scams (2%)

Type: PII Stealer, Fraud

Our analysts identified 28 emails that were directly targeting seniors. Most of these could be identified by keywords such as “senior”, “55+”, “timeshare”, “retirement”, and “over 60”. This suggests that not only is this attack vector still as popular as ever, but that actors are being quite blatant in their marketing towards this demographic.

28 of the emails were scams targeting seniors

11. “Cheating” Scams (2%)

Type: Malware

Many of these emails touted a tool that supposedly let the recipient see or verify the (likely phony) claim that their spouse or partner is cheating on them, by installing spyware on their computer.

28 of the emails were “cheating” scams

12. Fake Notifications Scams (1.6%)

Type: Malware

The 23 emails that fell in this category included phony alert emails claiming that the recipient had unread notifications from popular services such as Tinder, Reddit, Whatsapp, and LinkedIn. Popular subject lines contained some variation of “12 unread messages” or “You’ve matched with someone”, etc.

23 of the emails were fake notifications scams

13. Romance Scams (1.4%)

Type: Fraud

Seeing as romance scams have tripled in popularity in the past few years, our analysts expected to see more of this type of phishing scheme.

20 of the emails were romance scams

14. Fake Invoice Scams (1.3%)

Type: Fraud, Malware

These emails were consistent with the typical invoice scams that have been popular in past years. They are typically blasted out to businesses, or to email addresses that look like they might belong to accounts payable, office managers, or other administrative staff, and include a “real” invoice for nonexistent goods or services.

19 of the emails were fake invoice scams

15. CCW/2A Spam (.7%)

Type: PII Stealer

This type of scam is not one that our analysts have observed very often, if at all, before this analysis. These phishing emails mainly offered assistance in obtaining concealed carry permits. Most likely, this is a PII stealer scheme.

10 of the emails were CCW/2A spam

16. Unclaimed Assets Scams (.5%)

Type: PII Stealer, Fraud

Many of the unclaimed asset scam emails claimed that the recipient was entitled to property from either an inheritance or unallocated government holdings. In the example below the sender broadens the asset to “unidentified property”, making it more likely that a target will think it could apply to them.

8 of the emails were unclaimed assets scams

17. Scam Job Offers (.3%)

Type: PII Stealer, Fraud

Only four emails consisted of fake job postings. Given the overall uptick in scams of this nature, this was fewer than our analysts expected.

4 of the emails were job scams

18. IRS Scams (.2%)

Type: PII Stealer, Fraud

Given that this data set included two tax seasons, it was surprising to see how few IRS scams there were. Specifically, our analysts found the lack of specific “IRS” and “tax/taxes” keywords in emails’ subject lines to be significant.

3 of the emails were IRS scams

19. Other Malware (.2%)

Type: Malware

These emails contained malicious links that were likely ransomware. Their phishing pretexts didn’t fit into any of the other categories.

3 of the emails contained malware but didn’t fit into any of the other categories above

Further Observations

Sales spam still dominates, and phone scams are on the rise

After categorizing and ranking these emails, our analysts made note of several key observations:

IRS Scams are down – Tax fraud phishing campaigns that specifically mention taxes or the IRS are way down from previous years. This is likely due to IRS messaging and warnings, which seem to have done their job in at least deterring actors from using this method so heavily.

Phone Scams are more popular – Phone number malware campaigns, designed to get around endpoint security, are becoming more prevalent.

Fewer emails marked as “High Priority” – Of all the emails, only 4 were marked as “High Priority,” which is a shift from previous years. In the past, this was a common tactic to create a sense of urgency and improve open rates.

“I hacked you” scams proving to be lucrative – We saw a huge uptick in this type of email over the past year. In this type of scam, the sender usually blasts emails out to a massive list and might only get money from one or two people. Their uptick in popularity indicates that the financial reward from even a handful of victims is lucrative enough to incentivize more threat actors to use this method.

Never ever open email attachments – While only 7.53% of analyzed emails had an attachment, every single one of those contained malware. The takeaway? Assume that all attachments are malicious unless you are able to verify otherwise in a safe sandboxed environment.
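The categorization above (keyword cues such as those listed for the elder abuse category, a ranking of categories by share of the corpus, and the attachment observation) can be reproduced as a small triage script. The following is an added example written for this page, not DarkOwl's tooling or data: the category names, the keyword rules, the type mapping and the email subjects are all assumptions modelled on the post, and the sample messages are constructed.

```python
"""Keyword-rule triage for a corpus of phishing and spam emails.

Added example modelled on the post's taxonomy; the rules and the sample
messages below are constructed assumptions, not the analysts' data.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Email:
    subject: str
    has_attachment: bool = False


DEFAULT = "Sales Spam / Other"  # bucket for messages no rule matches

# Ordered (category, patterns): the first rule with a matching pattern wins,
# so more specific pretexts sit above generic ones (a branded "invoice" that
# pushes a toll-free number is a phone scam, not a plain fake invoice).
RULES: list[tuple[str, tuple[str, ...]]] = [
    ("Elder Abuse Scam", (r"\bsenior", r"\b55\+", r"\btimeshare\b", r"\bretirement\b", r"\bover 60\b")),
    ("IRS Scam", (r"\birs\b", r"\btax(es)?\b")),
    ('"I hacked you" Scam', (r"\bhacked\b", r"\bwebcam\b", r"\bbitcoin\b")),
    ("Survey Scam", (r"\bsurvey\b", r"\bgift card\b")),
    ("Fake Notification Scam", (r"\bunread\b", r"\bmatched with\b")),
    ("Junk Car Scam", (r"\bbuy your car\b",)),
    ("Phone Scam", (r"\b1-8\d\d-\d{3}-\d{4}\b", r"\bcall (us|now)\b", r"\bgeek squad\b", r"\bmcafee\b", r"\bnorton\b")),
    ("Fake Invoice Scam", (r"\binvoice\b",)),
    ('"You\'ve won free stuff" Scam', (r"\bwon\b", r"\breward points\b", r"\brebate\b")),
    ("Counterfeit Spam", (r"\bray-ban\b", r"\blouis vuitton\b")),
]

# Each category carries the "Type" labels the post assigns (assumed mapping).
CATEGORY_TYPES: dict[str, tuple[str, ...]] = {
    "Elder Abuse Scam": ("PII Stealer", "Fraud"),
    "IRS Scam": ("PII Stealer", "Fraud"),
    '"I hacked you" Scam': ("Fraud",),
    "Survey Scam": ("PII Stealer", "Fraud"),
    "Fake Notification Scam": ("Malware",),
    "Junk Car Scam": ("Fraud",),
    "Phone Scam": ("Malware", "PII Stealer"),
    "Fake Invoice Scam": ("Fraud", "Malware"),
    '"You\'ve won free stuff" Scam': ("Malware",),
    "Counterfeit Spam": ("Spam", "Fraud"),
    DEFAULT: ("Spam",),
}


def classify(subject: str) -> str:
    """Return the first category whose keyword pattern matches the subject."""
    for category, patterns in RULES:
        if any(re.search(p, subject, re.IGNORECASE) for p in patterns):
            return category
    return DEFAULT


def summarize(emails: list[Email]) -> dict:
    """Rank categories by share of the corpus and report the attachment rate."""
    total = len(emails)
    counts = Counter(classify(e.subject) for e in emails)
    # Rank by count (descending), then by name so ties are deterministic.
    ranked = [(cat, n, round(100 * n / total, 1))
              for cat, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]
    by_type: Counter[str] = Counter()
    for cat, n in counts.items():
        for t in CATEGORY_TYPES[cat]:
            by_type[t] += n
    with_attachment = sum(1 for e in emails if e.has_attachment)
    return {
        "total": total,
        "ranked": ranked,
        "by_type": dict(by_type),
        "attachment_rate": round(100 * with_attachment / total, 1),
    }


# Constructed sample corpus (not real messages).
SAMPLE_EMAILS: list[Email] = [
    Email("Cheap Ray-Ban sunglasses 80% off"),
    Email("Take our survey and win a $500 Walmart gift card"),
    Email("I hacked your webcam, pay 0.2 bitcoin"),
    Email("Your Geek Squad invoice #88213 - call 1-800-555-0199"),
    Email("Invoice 4471 for consulting services attached", has_attachment=True),
    Email("You have 12 unread messages on Tinder"),
    Email("We'll buy your car today - any condition"),
    Email("Retirement timeshare offer for seniors 55+"),
    Email("IRS refund pending: confirm your taxes"),
    Email("Weekly deals on lawn furniture"),
    Email("Your order has shipped"),
    Email("Congratulations! You won a free iPhone", has_attachment=True),
]

if __name__ == "__main__":
    report = summarize(SAMPLE_EMAILS)
    for cat, n, pct in report["ranked"]:
        print(f"{cat:32} {n:4}  {pct:5.1f}%")
    print("by type:", report["by_type"])
    print(f"attachment rate: {report['attachment_rate']}%")
```

Rule order matters more than the rules themselves: because the first match wins, the generic patterns (“invoice”, “won”) have to sit below the pretexts that reuse those words, which is the same judgement the analysts made when they filed a branded invoice with a toll-free number under phone scams rather than fake invoices.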


Research indicates that the most successful attack vectors include exploitation of email credentials, either via phishing attacks or account takeover. Take control by gaining situational awareness of your company’s darknet exposure by contacting us here.

Ransomware RoundUp: 2022

March 30, 2023

Ransomware groups continued to be a major threat over the past year, causing significant financial and reputational damage to their victims. Their evolving tactics and strategies make it increasingly difficult for organizations to defend against their attacks. However, with increased awareness and investment in cybersecurity, governments and businesses can work together to protect themselves from this growing threat.

Despite the number of reported ransomware complaints decreasing in 2022, the victim payouts have increased. The IC3 estimates that from 800,944 complaints the potential loss is around $10.2 billion. Ransomware continues to run rampant with around 33% of organizations globally being a victim of ransomware, indicating that the groups are becoming more confident and targeted.

Figure 1: Source: 2022 IC3 Report

The overall increase in victim payouts could be partly due to the ways ransomware gangs have changed their operations. In 2022, ransomware groups deployed more backdoors – which allow for remote access. They also began to favor extortion, typically through ransomware or business email compromise. Europe saw 44% of these extortion cases.

According to IBM’s X-Force Threat Intelligence Index, the manufacturing industry was the most extorted in 2022. The FBI’s IC3 (Internet Crime Complaint Center) received the most ransomware attack complaints from Health Care and the Public Health sector; a trend DarkOwl has seen reflected in the victims of the groups detailed below.

Figure 2: Source: 2022 IC3 Report

In this roundup, DarkOwl analysts take a look at the some of the largest ransomware and ransomware-as-a-service (RaaS) gang activity from 2022, and introduce several new and emerging groups that DarkOwl has observed actively operating on the darknet today.

Review of Active Ransomware Groups in 2022

LockBit

LockBit has been one of the most active ransomware groups this year, claiming to have targeted 436 organizations in just the latter half of 2022. In June 2022 the group released LockBit 3.0, with new capabilities that make it harder to identify, and notably started its own bug bounty program. After a LockBit attack on SickKids hospital, LockBit blamed one of its affiliates, released a decryption key for free, and apologized, saying the attack went against its policy.

Black Basta

A newcomer that rose to prominence in April 2022 with its attack on the American Dental Association is Black Basta. This group also has possible ties to other ransomware gangs such as Conti, REvil, and Carbanak (FIN7). They specialize in double extortion and have been seen outsourcing tooling through initial access brokers, Qakbot, and Cobalt Strike.

Black Basta has been observed using the darknet to request login credentials for initial access. Their malware and victim selection suggest they are sophisticated ransomware actors.

Figure 3: User Black Basta posts in a Darknet forum for corporate access; Source: DarkOwl Vision

Hive

Hive ransomware was first observed in June 2021 and uses an affiliate RaaS model. Unlike some other groups who claim a moral code, Hive has repeatedly targeted healthcare organizations and threatened to leak patient information. As of March 2022, 125 healthcare organizations had been targeted by Hive.

Hive’s original ransomware was written in GoLang – but, in 2022, they switched to Rust. The switch improved their method of encryption, among other advantages.

In January 2023, the Hive operation appeared to have been shut down with a seizure banner appearing on their site detailing a multi-country law enforcement operation. Law enforcement had access to Hive’s computer networks ahead of the takedown and were able to help those who would have been victims.

Figure 4: Hive Ransomware seizure banner; Source: Malwarebytes

Conti

Going into 2022, the Conti ransomware group was one of the most active and prolific RaaS groups. At the outset of the Russian invasion of Ukraine, Conti was one of the first to announce its support for the Russian government, after which their ransomware source code and other sensitive data, including PII and private communications between actors, was leaked. In late May 2022 Conti shut down their official Tor website, Conti News, and the service site for their negotiations went offline. However, reporting indicates that the group has dispersed rather than disappeared, with some members joining other ransomware groups such as BlackBasta, BlackByte, and Karakurt. It is also possible that Conti may reappear under a different name in the future.

BlackCat

The BlackCat ransomware group (ALPHV), which first appeared in late 2021, is thought to have infected more than 60 victims in its first 6 months of operation. The group is reported to be connected to BlackMatter/DarkSide, with the FBI reporting that many of the developers and money launderers in the group originated from DarkSide. BlackCat was the first group to use Rust in its attacks, before it was adopted by Hive. BlackCat was also one of the first groups to create a public data leak site, and in 2022 they added a search feature for their indexed stolen data to put more pressure on organizations to pay the ransom. LockBit later followed suit. They continue to be active in 2023.

New or Emerging Ransomware Groups

DarkOwl has identified several emerging ransomware groups that are presently active on the dark web. Each of the new ransomware gangs below rose to prominence in 2022 and continue to be active into 2023.

0mega

The 0mega Ransomware group was first identified in May 2022, targeting organizations worldwide with double-extortion techniques. At the time of writing no sample has been identified and analyzed for the 0mega ransomware variant. The ransomware demands are customized to the victim, and victims are required to upload the demand to access the TOR payment negotiation site. The 0mega leak site on TOR currently has 3 victim companies listed with links to download the data. The site was last updated 2023/02/11.

0mega’s operation appears to be organized and is a group to look out for this year. 

Figure 5: 0mega Data Leak Site; Source: Tor Anonymous Browser

BianLian

BianLian has had infrastructure since December 2021 and tripled it in August 2022. Their victims include health services, information technology services, education, and construction companies. They have created their own toolkit, with their ransomware written in Go, have been seen using living-off-the-land techniques, and can establish a backdoor for persistence. BianLian currently offers an I2P mirror, complete with instructions on how to install it.

Avast recently released a free decryptor for the currently known BianLian ransomware strain. This could explain why BianLian has recently stopped encrypting victims’ data and is instead focusing on extortion. The group will need to stay ahead of researchers’ decryptors this year to continue targeting victims successfully.

Figure 6: BianLian Data Leak Site; Source: Tor Anonymous Browser

Daixin

The Daixin ransomware group is known for targeting the health sector, leading CISA to issue a cybersecurity advisory to this sector in October 2022. The group has been active since June 2022 and built its ransomware from leaked source code attributed to Babuk Locker. In early 2023, their Tor leak site had 8 victims listed, with details of what documents the group has obtained.

The Daixin Team encrypts the servers healthcare organizations rely on, which means they can halt key services, increasing the likelihood of a payout. They also exfiltrate PII, creating a further revenue stream, as this data achieves higher prices on dark web marketplaces. However, consistently attacking healthcare organizations has drawn the attention of law enforcement, which could mean they are on the verge of disruption. Nevertheless, due to its profitability, the Daixin Team will likely continue targeting this sector, and the health sector should be wary of Daixin.

Figure 7: Daixin Team Tor Site; Source: Tor Anonymous Browser

Royal

Royal first materialized in January of 2022 and is believed to be made up of actors previously associated with Conti, TrickBot, and Roy/Zeon malware (the group was originally named Zeon). Unlike some other groups, Royal does not provide its ransomware as a service and they do not make their code available to affiliate actors. Recently they have released a malware variant which preys on Linux systems. The group is known for using call-back phishing tactics impersonating food delivery or software providers.

Royal’s Tor page begins with a contact form, requiring the user to submit an email address. It also has search bar functionality to identify victims. Royal currently has around 58 victims for 2023 listed on their site, the highest of any group reviewed in this article. Royal will upload samples of data to this site to prove their legitimacy to their victims. If the victim refuses payment, 100% of the stolen data will then be uploaded to the site. Some ransomware gangs will remove victims’ information from their site if they pay the ransom. Therefore, the number of victims shown does not always reflect the true number of victims targeted.

Figure 8: Royal Ransomware Tor Site; Source: Tor Anonymous Browser

Although Royal ransomware has emerged recently, researchers believe the actors running the group are sophisticated and experienced. DarkOwl analysts assess Royal will continue to grow into an even greater threat in 2023.

Final Thoughts

Ransomware is an ever-evolving threat ecosystem. Some groups are driven by political motivations, but most attacks are for financial gain. Ransomware groups use the darknet and darknet-adjacent sites to negotiate with victims, spread their personal brand, and develop or purchase new, sophisticated technology to thwart cyber defense teams. Advances in cyber defenses have prompted some groups to focus on data extortion, pressuring companies with the valuable private data they have stolen rather than encrypting networks.

Despite the successes of cyber defense teams in 2022, ransomware gangs will be keen to develop different tools and tactics to better evade security measures. Additionally, ransomware attacks are underreported – around 75% are never reported. Even when law enforcement successfully shuts down a ransomware operation, the group is likely to rebrand or the members will simply disband and work for other ransom groups. Given some entities are still willing to pay, ransomware will remain a threat because of potentially massive financial rewards.

DarkOwl Vision allows organizations to monitor these ransomware groups on the darknet, to identify more information about their tactics, techniques, and procedures and the sectors they are targeting. DarkOwl analysts continuously monitor the darknet to identify emerging new groups and who the most recent victims are to best track and predict potential attacks.


Interested in learning more? Contact us to learn about our Ransomware API.

Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.