DefCon has been around for 3 decades and is the one of the oldest hacker conventions and one of the largest globally. DefCon 31 was a great gathering, as always. While a lot of people figured this year would be all and ONLY about AI, there were plenty of other topics covered in depth. AI did have its own village, though, along with the voting, industrial control systems (ICS), red/blue team, mis/disinformation, social engineering, and many more, to allow for hands on experience in the most crucial areas of cybersecurity.
The DarkOwl team sent a number of analysts from our Darknet Services analyst team to advance their skills, keep up to date with the latest trends and topics, and of course practice their skills. This blog outlines some highlights from this year’s event, from our analysts eyes.
Highlights
PyRDP
Remote Desktop Protocol (RDP) has always been an entry vector for attacks, namely ransomware. A pair of brilliant scientists from a Montreal organization, GoSecure, set up a RDP honeypot (PyRDP) to attract malicious actors to use it to study them. They studied actors for 3 years as the criminal actors used their platform in operations. PyRDP is open source and available on GitHub.
Using this tool, researchers and professionals can obtain actor credentials, operating system details, browser information, languages spoken, and more. The scientists openly stated they released this tool for free to put a dent in the current ransomware epidemic. DarkOwl analysts will implement PyRDP in operations where appropriate to do our part to reduce the ransomware epidemic.
RDP is a human process, and more targeted than some processes in cyber. While many parts of the criminal ecosystem can be automated and left to a machine, RDP and the actions to comb around a computer and its filesystem, exfil those, and then move on, all require humans.
Given the political climate and current world events, censorship online was a big topic. Russia, China, and Iran are all building their own internet, separate from the world grid. Additionally, these countries have their own apps equivalent to the western Facebook, Twitter/X, and Reddit. These apps are heavily promoted in the countries of concern to get a solid user base, making the transition from western apps to these authoritarian controlled and monitored apps easier. Russia’s Facebook equivalent is Vkontakte (VK), China has several platforms (Douyin in country is what TikTok is in the US), and Iran has iGap, which is a WhatsApp equivalent (these examples are not an exhaustive list). These efforts coming to fruition mean more isolation under authoritarians, and citizens who deal with lack of availability to information and education, truth, and global resources.
Interestingly enough, this panel couldn’t come to a resolution for this problem of censorship. It’s a tough issue which (like the rest of all things cyber) requires public and private partnerships (PPP) to effectively keep a society or country from becoming completely isolated from the world. The panel did highlight that sanctioning companies and individuals is not effective. If you turn off an internet service provider (ISP), such as Russia’s ROSTELECOM, this contributes to the malicious efforts to isolate – the citizens of Russia also lose access when you cut an ISP, so, this is quite damaging.
An interesting suggestion was to target individuals, including individual netblocks, versus taking an entire ISP offline. If you take only part of ROSTELECOM offline, and you are more precise, this does exert pressure on the malicious entity while preserving the access of individual residents of a country.
There is also a new treaty in progress attempting to combat cybercrime. The United Nations (UN) is negotiating this effort to try and assist with country and border agnostic policies to fight cybercrime while preserving digital rights and freedom, as well as internet access, more effectively to countries under authoritarian regimes. A timeline of the effort can be found here. DarkOwl analysts will monitor this developing cybercrime initiative by the UN for impacts in the space and see how they play out geopolitically. The last plea from this panel was that universities need to host TOR nodes to provide more access to TOR worldwide, as authoritarian and censorship creep continues.
NFC Over Point-of-Sale Systems
Near field communication (NFC) is what powers all the contactless payment systems coming into banks and retailers today. The technology uses radio waves to conduct encrypted data to point of sale (or other appointed) devices. With any growing technology, there is a risk for fraud and abuse, which is what this talk spoke of. This is true of NFC payments, even though the data is encrypted.
Website HappyATMs[.]com sells parts that facilitate NFC for Point-of-Sale (POS) systems, vending machines, and of course ATMs, as does eBay. This means that malicious actors can buy these parts and use them in everyday efforts to steal data and finances. The vending machine pictured to the left was not part of this talk, but it was an exercise on the main floor to hack it. So the concepts continued and were reinforced all over Def Con – pretty cool!
Data from NFC can be intercepted – if a criminal positions themselves in range of the two devices, they can intercept the transmitted signals as well as record the data. This means financial details, PII, credentials, and more sensitive information used to conduct NFC transactions can be stolen and used maliciously. Actors can resell personal data, drain money from accounts, or impersonate the person from whom they intercepted the data.
NFC tags can also be manipulated, which leads to the distribution of malware. Criminals can create fake NFC tags or work with existing ones to distribute hidden payloads. If the unsuspecting person scans the NFC tag, the malware is downloaded and installed in a flash and can also steal personal information.
All the information procured by a malicious actor can be cloned, so they can use sensitive data they stole (or copied) to bypass security and MFA, impersonate someone else, and again steal sensitive data.
DarkOwl analysts can now track the models of ATMs, POS systems, and other hardware that have open vulnerabilities, and monitor talk for it on the DDW, Telegram, and Discord. We can also setup mentions of any actor using happyatms.com to track purchase data and build out the bad actor network. This was an enlightening talk that gave a lot of insight into current financial fraud and theft TTPs, which are always changing. Really happy I caught this one.
Random Bits and Bytes
Growing Up Next Door to Russia
Mikko Hypponen’s talk on “Growing Up Next Door to Russia” was pretty spellbinding – ending with standing room only. He (IMO) took his life in his hands by outing and including pictures of very, VERY recent Russian cyber actors who had been sanctioned. You KNOW they, their associates, their family members, were there in Vegas. It was very brave of him to call out the recent actions and cyber activities of these actors, highlighting their disruption to daily life and contributions to global cybercrime campaigns. Definitely recommend checking out his book, If It’s Smart, It’s Vulnerable, as well as his podcast, Cyber Security Sauna.
Current Hacking Trends
One-Drive hacking/emulation to gain access to all Microsoft accounts.
Weaponizing plain text.
Tap to pay cards and RFID hacking.
Biohacking and how to hack implanted NFC/RDIF implants.
Current Social Engineering Trends
“Old College/High School Friend” is the current phishing technique.
Company Swag – using swag to gain access to secure locations – importance of using different designs/styles for internal swag vs external swag.
Final Thoughts
Speaking of swag, the plushie Onion from the TOR vendor booth was a huge hit and highlight! 😀 Always eager to pass on giveaway ideas to the DarkOwl Marketing team and happy to report that they loved this too.
With all of the thought-provoking topics, trends, games, challenges and speakers throughout the week, the DarkOwl analyst team looks forward to diving into some of these topics and contributing to the research and conversation. The possibilities are endless! Make sure to sign up for emails to get the latest research first straight to your inbox. Looking forward to DefCon 32 already.
Interested in learning what our darknet analysts do for our customers? Contact us.
The DarkOwl team was happy to attend Black Hat USA in Las Vegas last week – another busy week in the books! Every year during the hot Vegas summer, information security professionals from around the world gather at Black Hat, collecting plenty of swag along the way, for one of the most internationally recognized cybersecurity event series focusing on the most technical and relevant information in security research. Black Hat is also known for a week full of insightful presentations, skill-enhancing workshops, product demonstrations, and chances for lots of networking. There really is something for every attendee.
This year followed the same trend, featuring an impressive lineup of training courses and presentations. These covered a wide array of topics, including: discovering new vectors to gain remote and root access in SAP enterprise software, using resources to defend non-profits, large language models, software supply chain risks, cryptanalysis, risks of AI risk policy, physical attacks against smartphones, cryptographic exploits and so much more.
DarkOwl Highlights
Members of both our executive team as well as our darknet intelligence analyst team attended to have meetings with clients, prospects and partners as well as make the most of walking the show floor and attending the talks throughout the week. You may have seen CEO, Mark Turnage, CBO, Alison Halland or Steph Shample, Senior Intelligence Analyst around!
The DarkOwl team remained busy meeting prospects and clients alike and showcasing our industry leading darknet platform, Vision UI, which allows users to search and monitor the most comprehensive darknet dataset. Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline with pages vanishing from one minute to the next. DarkOwl Vision UI provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information.
With many current clients present, the DarkOwl team was able to spend time understanding how we can best optimize and elevate our current partnerships and how we can continue to provide the most value as their darknet data provider. The team also enjoyed some team bonding time, a nice plus when traveling to events with so much of the workforce remote! We look forward to the many more events all over the globe this year – you can check out where we are going to be next and request time to chat here.
Darknet Services
In the lead up to Black Hat, DarkOwl announced Darknet Services, our latest offering which allows customers to advance their darknet investigations and monitoring with DarkOwl analyst expertise. Our tailored, customizable darknet services enable customers to leverage our in-house expertise to save time, keep their employees safe, and fulfill the need for actionable threat intelligence. Accessing and analyzing data from the darknet is challenging, even for the most experienced of analysts. DarkOwl is the darknet expert, with access to the largest database of darknet content.
Key features and benefits of DarkOwl’s Darknet Services include:
Comprehensive Darknet Visibility: DarkOwl’s extensive monitoring infrastructure constantly scans and indexes darknet, deep web, and high-risk surface net data, ensuring comprehensive visibility into evolving threats and malicious activity.
Actionable Threat Intelligence: Leveraging machine learning and human analyst expertise, DarkOwl transforms raw data into actionable intelligence, providing organizations with precise insights to identify emerging threats, assess risks, and enhance their cybersecurity posture.
Darknet Investigation Support: DarkOwl’s expert analysts offer enhanced support to organizations in investigating incidents related to the deep and darknet, providing critical insights into threat actors, their tactics, and potential vulnerabilities to a company, VIP or brand.
If interested in learning how we can be an extension of your team, contact us!
Interested in meeting with the DarkOwl team? See where we are around the world the rest of the year here.
With just a few keystrokes, a malicious actor can gain access to a network, determine the scope and worth of information available, and then steal and encrypt the data, preventing access to it. Organizations have hopefully prepared themselves for these kinds of cyber incidents, known as ransomware attacks, by having an up-to-date system backup from which they can restore data and continue operations. Despite business continuity suggestions and planning advice, backups are still not a regular entity despite how common and how popular ransomware attacks have become in the past decade. Even changes from one year to another witness more stealth movement and larger impacts in the ransomware ecosystem.
Ransomware’s explosion has been sustained for years. As tech advances, so do the actor tactics, techniques, and procedures (TTPs). Heading towards the final quarter of the year, it is imperative to explore the 2023 mindset of ransomware actors: They are pursuing “target rich, cyber poor” industries that will make them money by selling data, exploiting the victims they target, the partners and third-party services linked to the victims, and infiltrating supply chains. While double-, triple-, and quadruple- extortion practices are still around, actors are also adapting/changing their encryption processes to better emulate protective services such as anti-virus and file scanning software to blend in and provide no red flags to technical and cyber practitioners. This allows for a long-term, stealth presence in networks which facilitates lateral movement to collect as much information as possible.
Ransomware is quickly evolving, and it is imperative to pay attention to its trends and try to get cyber practitioners, government, law enforcement (LE), Computer Emergency Response Teams (CERTs), and more collective bodies to take strides towards prevention and disruption of ransomware groups. With the use of artificial intelligence (Al) and internet of things (IOT) growing, the attack surface is larger than ever and must be addressed. Private and public partnerships (PPP) are one of the most effective ways to share intelligence and indicators of compromise (IOCs) to combat ransomware as the holistic problem it is.
Multi-extortion layers and techniques are more common, and this is expected to continue throughout all ransomware operations
As groups are caught by law enforcement or shut down to preemptively avoid legal actions, they are recruited into other groups and share expertise, tools, and TTPs
2022 Compared to 2023
Ransomware is a cybercrime phenomenon impacting every industry, large and small. Additionally, there is a “hacktivist” angle to ransomware incidents, accompanying the criminal faction. Fringe groups are using the easily available ransomware as a service (RaaS) market to procure simple ransomware kits and then go attack. The 2022 Conti leaks showed the world that ransomware organizations are operating more like businesses than criminal groups, well-funded and organized. Furthermore, after Conti’s decline, more organizations are witnessing splinter groups and “copycat” actors, working together to have a maximum impact spreading ransomware and gaining profit and data.
January 2023 saw the highest number of ransomware incidents ever reported for the month of January, with 33 reported incidents. The unreported incidents must also be considered: Organizations often choose to keep cyber incidents private, and malicious cyber actors don’t keep the most trustworthy stats and data. In July of 2023, data emerged demonstrating that 2023 is on track to be the most active ransomware year per reported incidents. According to some reviews, actors have already made ~$450 million dollars up to June 2023, and are on track to make approximately $900 million dollars if the rate of attacks continues through the second half of the year.
Ransomware incidents are expected to continue at a high pace, especially as hacktivists all over the world side with their chosen nation, government, or ideoloqv and then proceed with the intent to attack an organization who differs from the chosen ideology. This is in addition to technology trends like cloud computing and the IOT space increasing access points and increasing the overall attack surface area, allowing malicious actors more opportunities to enter a network. Available payment data for 2023 also indicated that ransomware is the only criminal market that saw an increase in profit while scamming, malware, and fraud operations all witnessed a decline in profit and revenue.
Changes in TTP: Extortion at Entry Level
Much like the cybersecurity industry changes and adapts to protect and defend, ransomware actors also change and adapt to remain effective and profitable. A focus on continued extortion techniques, higher profitization and a surprising change to encryption practices all emerged in 2022 and 2023 and are expected to continue throughout 2023 and into 2024.
Traditional ransomware incidents involve unauthorized access to a system where actors steal sensitive data, encrypt it, and demand money from the victim for restored access. There is a new level of harassment implemented by ransomware actors, making their attacks multi-layered and more impactful: Extortion.
Double, Triple, and Quadruple Extortion
With double extortion, ransomware actors conduct a traditional attack and encrypt data. However, if an organization restores their data from a backup and does not pay the ransom, the actors then threaten to sell it on criminal forums, sell it through a bidding process, or permanently prevent access to the stolen data if there is no payment. This way, the reputation of the organization still suffers when it is revealed there was a security incident. Actors demand payment to keep quiet about the incidents if the organization can salvage data access on their own.
As of June 2023, Base ransomware gang operated a prolific double extortion ransomware campaign. They listed victims from the legal, pharmaceutical, medical, agricultural, and many other sectors on their website:
Figure 1: Source: Base8 ransomware’s onion site
Demonstrating the continued organizational efforts of ransomware groups, 8base also offers their contact information, a FAQ section, and a detailed rule section for their victims. This continues to prove the developing professional and organizational caliber of ransomware groups, which was previously revealed as Conti’s efforts and business acumen was detailed in 2022:
Figure 2: Source: Base8 ransomware’s onion site
Figure 3: Source: Base8 ransomware’s onion site
8base’s operations reveal another trend: A pivot from procuring personally identifiable information (Pll) operations only, and going after blueprints, sensitive documents of physical layouts for buildings, and those related to critical infrastructure and key resources (CI/KR). Ransomware is no longer just about getting and selling Pll; now, more sensitive documents are stolen and sold on DDW forums. This is a hybrid security issue, both physical and digital. Ransomware gang Cl0p, who has made headlines in 2023 for penetrating hundreds of organizations, is also a prolific double extortion group.
With triple extortion, the same process occurs as above, with the added threat (the third layer of extortion) including a distributed denial of service (DDoS) attack to the ransomware threat. The DDoS ensures an extra level of chaos and prevention of services while sensitive data is also stolen and encrypted. Ransomware groups Killnet, Avaddon, and Darkside are some examples of triple extortion ransomware operators. Extortion became quite popular during the Covid-19 pandemic, and criminal forums on the darkweb started to sell and offer extortion services and software to further ransomware operations.
A 2022 post on criminal market XSS offers triple extortion software for purchase:
Figure 4: Source: DarkOwl Vision UI
Quadruple extortion entails everything above, with the addition that ransomware actors threaten to directly contact partners or other customers of the organization, threatening the reputation as well as adding the risk of legal action against the entity that was breached. BlackCat and the now defunct DarkSide ransomware gangs were some of the noted users of quadruple extortion in their operations.
Stealers, RATs, and Ransomware
Infostealers take information from web browsers, chat platforms, email clients, cryptocurrency wallets, and more applications. Similar to ransomware, they have exploded in popularity among the criminal underground. Like all malware, infostealers vary in capability but focus on procuring tons of personal data to sell, use, and reuse in malicious operations.
RedEnergy, a new Stealer-as-a-Ransomware technology, steals information from various web browsers while also facilitating ransomware activities. The entities behind RedEnergy use publicly available LinkedIn pages to target the oil, gas, and telecom sectors. After users click on a link that they expect to provide a typical browser update, RedEnergy exfiltrates data over FTP, and then encrypts the data and demands a ransomware payment.
The combination of stealers and ransomware follows a similar combination of RATs and ransomware, which emerged in the wild in 2022. A September 2022 post on criminal market AlphaBay discusses how a RAT can be used as a triple threat in cyber operations:
Figure 5: Source: DarkOwl Vision UI
A June 2023 post on criminal market XSS details the use of ShadowVault stealer, which specifically targets Mac operating systems and can be used in Chrome, Edge, Brave, and other browsers:
Figure 6: Source: DarkOwl Vision UI
Cybercriminals are constantly evolving and combining malicious tools to procure as much information as possible from organizations while then attaching reputational damage onto the end of their operations by subjecting their victims to ransomware. The criminal underground forums facilitate the combination of tools and the advanced implementation of criminal processes to impart maximum damage to victims.
As of July 2023, the financially motivated cybercrime group FIN8, active since 2016, is now using variants of ransomware in its activities. FIN8 originally started targeting point-of-sale (PoS) systems using malware specific to PoS theft in the retail, restaurant, entertainment, and hospitality industries. Now, however, researchers have identified backdoors purportedly authored by FIN8. This additional combination of a general cybercrime group TTP combined with ransomware demonstrates that FIN8 is dedicated to maximizing their impact and profit. They also show a continued dedication to remaining undetected and updating and authoring their customized tools, all while dabbling in ransomware.
A Club IO post from September 2022, detailing FIN8’s possession of White Rabbit ransomware:
Figure 7: Source: DarkOwl Vision UI
Reduction in Using Encryption
Actors proficient in ransomware also know that encryption is a time-consuming process. Both encrypting the stolen data and then decrypting, if/when the victim chooses to pay, are costly in resources and the flow of operations. For this reason, some ransomware groups are now practicing intermittent encryption, where only small portions versus the totality of a file are encrypted. Encrypting only select portions also helps evade security tools on a network. When only parts of a file are encrypted, this emulates legitimate software practices, and there are no flags or processes on the network that stop the activity. In some instances, ransomware groups have completely forgone encryption. Karakurt, who emerged from Conti after the latter disbanded, commonly operates this way.
Future Predictions
When the pro-Russia Conti ransomware group suffered a leak in 2022, it revealed an organized group of actors operating very much like a business. Emerging ransomware groups are following this business-plan setup, establishing organized points of contact, liaisons between ransomware group operators and victims, authoring rules of engagement, and working within stringent timelines. Researchers and everyone in cybersecurity were able to learn from the leaks and inform future cybersecurity tools, processes, and potentials.
Conti’s internal chats, leaked by a disgruntled employee, revealed a professional setup replete with:
Interviews to hire the right personnel
Russian government involvement and funding
Feature developments (for both deploying and improving their ransomware effectivity)
A control panel for monitoring Conti operations, victims, and payment status
Templates for phishing emails to use in operations
Not only are ransomware actors setting up formal, almost corporate like operations, but they are also recruiting from now-defunct groups, as well as sharing TTPs between one another to help maximize the impact of their operations. Furthermore, there are segregated “branches” of ransomware. For example, some researchers and analysts deem Karakurt the “Extortion” arm of ransomware, as that is a specialty of Karakurt.
In addition to ransomware operations continuing to focus on stolen personal information and data, automation, and the advent of Artificial Intelligence (Al) are both expected to facilitate ransomware groups further streamlining their activities. Several ransomware groups already use scripts and automation to scan for vulnerabilities and entry points to a network; this allows ransomware efforts with few personnel and minimal resources to identify appropriate targets which can easily be made into victims and earn them revenue with an attack.
Ransomware groups are also branching out from focusing purely on Windows operating systems and moving towards attacking Linux based systems. This demonstrates a new sophistication when outlining attacks and identifying potential victims. Now that Linux based operating systems are in the crosshairs, this allows for entry into attacking both IOT and container orchestration platform, such as Kubernetes, greatly expanding the attack surface.
Conclusion
Ransomware is an efficient criminal operation yielding high profit for minimal work. Due to pseudo-anonymous technology, using the dark web for ransomware operations and cryptocurrency for payments, as well as email and VPN services that do not track physical location, ransomware groups will continue their activities because the risk of punishment is minimal, and the operations are profitable. The lack of prosecution coupled with the increase of the attack surface ensures continuous and robust ransomware operations. Critical infrastructure, academic, technology, and government sectors must all raise awareness and assist in protection from ongoing ransomware campaigns.
Interested in learning how DarkOwl can help get ahead of potential attacks? Contact us.
The darknet is used by a wide range of groups and individuals but is most well-known for its use by threat actors. The darknet is a haven for illicit activities many of which can pose a direct threat to organizations and individuals with stolen data being made available for purchase, access to illicit goods, and hacking activities as well as forums being used to discuss all manner of topics from extremism to CSAM to hacking practices and education.
For individuals who are not familiar traversing the darknet it can be a daunting task to search for threats and risks to an organization. DarkOwl’s team of expert analysts are able to conduct these investigations on behalf of customers identifying mentions of organizations as well as data relating to them that may be exposed. Our customizable service options allow customers to leverage our in-house expertise to save time, keep their employees safe, and fulfill the need for actionable threat intelligence.
The below example reports are samples of what the analyst team researches and reports on for darknet services clients.
Binge-O-Rama Darknet Exposure
Here we provide a sample report of an exposure analysis from the darknet, demonstrating the types of information that can be found with analyst comments. This is a fictional report created for example purposes only, the company name is fabricated and any information relating to real organizations or entities is redacted or unintentional. Any similarities to real entities are purely coincidental.
Threat Actor Analysis: SiegedSec
The darknet is a breeding ground for emerging threats, providing insights into evolving techniques, vulnerabilities, and attack vectors. Darknet data assists in identifying key individuals involved in cybercriminal activities, tracking their digital footprints, and uncovering connections to other criminal acts. This information aids in the apprehension of criminals, the disruption of illicit operations, and the prevention of future crimes. It can also assist organizations in understanding the threats that are posed to them by appreciating the motivations that threat actors have and who they are targeting and for what reasons.
DarkOwl analysts regularly conduct in-depth research into prominent threat actors and their operations. As part of DarkOwl’s Darknet services we can provide summaries of threat actors activities, their digital footprint and targets.
Here we provide a sample report examining recent activity by the groups SiegedSec. You can also check our threat actor spotlight blog on SiegedSec here.
Check out DarkOwl’s Darknet Services to see how your company and investigations can benefit from expert darknet analysts.
Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
1. Evasive Meduza Stealer Targets 19 Password Managers and 76 Crypto Wallets – The Hacker News
Cybercrime and cybercriminals continue to evolve and get more creative. Early July, researchers found a newly created Windows-based information stealer going by the name of Meduza Stealer that is designed to evade detection by software solutions. Read full article.
2. Beware of Big Head Ransomware: Spreading Through Fake Windows Updates – The Hacker News
One new developing piece of malware, Big Head, is being used to trick Windows users into installing an update while encrypting files on the victim’s computer. The majority of victims have been in the U.S., Spain, France, and Turkey. It deploys three encrypted binaries, with the “archive[.]exe” binary allowing for communications over Telegram. Read more.
The ransomware group “BlackCat” (aka ALPHV), has been found running malvertising campaigns. They try to get their victims to click into fake pages that look nearly identical to the real WinSCP file-transfer application for Windows and then push their malware. Their goal is to get IT professionals and admins to be their victims so they can then get access to corporate networks. Learn more.
4. Chinese Hackers Use HTML Smuggling to Infiltrate European Ministries with PlugX – The Hacker News
In early July, a chinese nation-state group was found targeting European Foreign Affairs ministries and embassies with HTML smuggling techniques (given the name SmugX). Their goal was to deliver the PlugX remote access trojan on compromised systems. Read full article.
5. Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware – The Hacker News
The China-linked nation-state actor, APT41 (aka Axiom, Blackfly, Brass Typhoon, Bronze Atlas, HOODOO, Wicked Panda, and Winnti) is known for their strains of Android spyware called WrymSpy and DragonEgg. They have been active since 2007 and are known to conduct intellectual property theft. Read more.
6. Deutsche Bank confirms provider breach exposed customer data – Bleeping Computer
On July 11, Deutsche Bank confirmed that one of their services providers had experienced a data breach that exposed customers’ data – likely a MOVEit Transfer data-theft attack, related to CL0P’s ransomware wave of MOVEit attacks. Read full article.
7. HCA confirms breach after hacker steals data of 11 million patients – Bleeping Computer
HCA Healthcare stated that they experienced a data breach which affected 11 million patients. A threat actor leaked samples of the stolen data on a hacking forum and began selling the data of patient records that had been created between 2001 and 2003. Read more.
Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
The internet is a vast realm that extends far beyond the surface web we commonly explore. Beneath the surface lies the darknet, a hidden network that poses significant challenges but also holds immense potential for open-source intelligence (OSINT) investigations. In this blog post, we will delve into the importance of darknet data in OSINT investigations and how it expands the scope of information available to researchers and analysts.
OSINT 101
OSINT allows access to a vast amount of openly available information from diverse sources such as social media platforms, news articles, blogs, public records, academic publications, and more. This wealth of information provides investigators, researchers, and analysts with a comprehensive understanding of a particular subject, individual, or organization. By harnessing OSINT techniques, one can obtain valuable insights, uncover patterns, and make connections that might have otherwise remained hidden. DarkOwl analysts are able to combine the power of traditional OSINT investigations with darknet intelligence providing organizations with a more robust picture to help them protect themselves in the cyber landscape.
Darknet 101
The darknet, also referred to as the dark web, is a layer of the internet designed specifically for anonymity. It is more difficult to access than the surface web or the deep and is accessible only via using specialized software or network proxies – specifically browsers supporting special protocols. Users cannot access the darknet by simply typing a dark web address into a web browser. Adjacent to the darknet are other networks, such as instant messaging platforms like Telegram and the deep web (non-public web).
Due to its inherently anonymous and privacy-centric nature, the darknet facilitates a complex ecosystem of cybercrime and illicit goods and services trade. The dark web is a thriving ecosystem within the global internet infrastructure that many organizations struggle to incorporate into security posture. Still, it is an increasingly vital component for organizations with forward-thinking strategies.
Why Incorporate Darknet Data into OSINT Investigations?
As stated, the darknet serves as a sanctuary for illicit activities, providing a veil of anonymity for cybercriminals, hackers, and individuals seeking to engage in nefarious endeavors. OSINT investigations that incorporate darknet data can unveil hidden information, shed light on illicit operations, and expose criminal networks. By venturing into the darknet, investigators can access forums, marketplaces, and communication channels used by cybercriminals. This enables the collection of valuable intelligence related to cyberattacks, data breaches, drug trafficking, human trafficking, money laundering, and other illicit activities.
However, investigators need to have access to the right sites, with many requiring high levels of authentication and the need to interact with threat actors. Navigating the darknet(s) can be frustrating and challenging for any OSINT or darknet investigator. DarkOwl analysts have extensive experience working within the darknet, collecting data and can leverage this to assist with darknet and OSINT investigations across a broad spectrum of areas.
The darknet is a breeding ground for emerging threats, providing insights into evolving techniques, vulnerabilities, and attack vectors. Integrating darknet data into OSINT investigations helps enhance threat intelligence capabilities and enables proactive risk assessment. By monitoring darknet forums and marketplaces, analysts can identify discussions surrounding new hacking tools, zero-day vulnerabilities, exploit kits, and malware. This information is invaluable for cybersecurity professionals seeking to fortify their defenses, mitigate potential risks, and stay one step ahead of cybercriminals but don’t always have access to that data themselves. Darknet data empowers organizations to better understand the tactics and strategies employed by threat actors, ultimately strengthening their security posture.
Real-World Examples
Identity theft and fraud have become pervasive in the digital age, causing significant financial and reputational damage to individuals and organizations. Darknet data plays a crucial role in unmasking stolen personal information, fraudulent activities, and the sale of compromised data.
Below we see an example of threat actors on the popular Russian forum XSS discussing the use of TinyNuke malware and ways to solve issues.
Figure 1: Users on XSS forum discuss malware tools; Source: DarkOwl Vision
OSINT investigations involving the darknet allow researchers to monitor underground marketplaces where stolen credentials, credit card information, and personal data are bought and sold. By obtaining and analyzing this data, investigators can identify compromised accounts, detect patterns of fraudulent activity, and alert affected individuals or organizations. This proactive approach assists in mitigating the impact of identity theft and fraud, protecting individuals’ privacy and preserving the integrity of businesses.
Law enforcement agencies and intelligence organizations rely on darknet data to augment their investigative capabilities and dismantle criminal networks. OSINT investigations that encompass the Darknet provide critical leads, actionable intelligence, and evidence.
Below we see threat actors sharing Fullz information for sale on the darknet, this is darknet slang for all identifying information. This can be used by others to conduct identity theft and fraud.
Figure 2: Identifying information being sold on Darknet which can be used for identity theft; Source: DarkOwl Vision
Darknet data assists in identifying key individuals involved in cybercriminal activities, tracking their digital footprints, and uncovering connections to other criminal acts. This information aids in the apprehension of criminals, the disruption of illicit operations, and the prevention of future crimes. Darknet data is a valuable asset in combating terrorism, organized crime, human trafficking, and other serious offenses.
Below we see an example of real-world information being released on the darknet relating to a threat actor. This individual was the administrator of RaidForums, a popular site selling people’s personal data. His true identity was revealed and he was later arrested by law enforcement.
Figure 3: Identifying information about threat actor on RaidForums; Source: DarkOwl Vision
Final Thoughts
As the digital landscape expands, the inclusion of darknet data in OSINT investigations becomes increasingly important. The darknet acts as a hidden realm where cybercriminals thrive, but it also offers a wealth of information that can be harnessed for the greater good. By venturing into this enigmatic realm, researchers and analysts can uncover hidden activities, enhance threat intelligence, unmask identity theft and fraud, and support law enforcement and intelligence operations.
Integrating darknet data into OSINT investigations strengthens our ability to combat cybercrime, protect individuals and organizations, and maintain a safer digital ecosystem.
However, it is important to note that accessing and navigating the Darknet comes with legal and ethical considerations, and it should only be done by trained professionals and in compliance with applicable laws and regulations. DarkOwl analysts are able to navigate this area providing added resources to teams, expert knowledge and compliance.
Contact us to learn how to put our darknet expertise to your use.
While ransomware attacks have continued to grow in 2023, the recent attacks leveraged by CL0P against the MOVEit file transfer software have garnered much publicity. Additionally, the zero-day exploit against the MOVEit software has led to huge data theft and extortion attacks.
On June 7th, CL0P began posting the names of the victims they had successfully targeted. By July 11th, they had listed 140 companies which had been compromised. These companies were from a variety of industries as illustrated in Figure 1. These attacks highlight the risk posed to organizations through third parties who have access to sensitive information relating to some of their clients.
Figure 1: Breakdown of industries targeted by CL0P
DarkOwl’s DarkSonar risk signal can be used to forecast cyber threats to an organization by measuring the relative risk rating for an individual domain. Additionally, organizations can measure the risk of third parties who have access to sensitive data. An elevated signal is a cause for concern as it shows a dramatic increase in relative risk, providing warnings of potential threats. We tracked DarkSonar in the weeks and months leading up to the attack for all 140 company domains to see if there was an elevated signal. The results are shown in Table 1. Of the companies attacked, 10% had no email exposure. Of the remaining companies, we found an elevated signal (≥1) within the 4 months leading up to an attack for 67% of the organizations. In addition, 94% of organizations had a signal that was trending upwards.
Elevated Signal (≥1)
Signal Trending Upwards
All Attacks
60%
84%
All Attacks for Domains w/ Email Exposure
67%
94%
Table 1: True Positive rates (positive accuracy) for elevated signals and upward trending DarkSonar signals
A prior independent third-party analysis of DarkSonar showed that a trending upward signal is also a significant indicator of risk. Thus, we explored not only an elevated signal prior to the attack, but also an upward trending signal. We calculated the trend line in the 4 months leading up to the attacks to determine the number of upward trending signals. For the companies with an elevated signal or an upward trending signal, we saw a true positive rates between 84% and 94%.
Breaking down the results across the industries with the most attacks, we see the positive accuracies shown in Figure 2. While this requires further analysis, it does point to some industries where DarkSonar may have the potential to be a higher indicator of risk.
Figure 2: Positive accuracy across the main industries
To learn more about how DarkSonar may predict future attacks on your organization, contact us.
Review of CL0P’s Zero-Day Exploit Against MOVEit
Original Post: July 25, 2023
Ransomware attacks continue to grow in 2023, with the number of attacks taking place this year surpassing those at the same stage last year. One of the most successful groups this year has been CL0P which leveraged a zero-day exploit against MOVEit, a managed file transfer software which has led to huge data theft and extortion attacks.
Figure 1: Initial vendor alert on the newly discovered MOVEit vulnerability; Source: Community Progress
CL0P have been active since early 2019 conducting both ransomware and extortion attacks, highlighting the fact that they are financially motivated. They have been known to make large scale demands to release data, in 2020 they became one of the first ransomware groups to demand over $20 million. While law enforcement activity has identified some members of the group, they continue to be active.
DarkOwl analysts have been actively monitoring CL0P, and the leak site to which they post victim data. On June 6th, 2023, they claimed responsibility for the use of the privilege escalation vulnerability in the MOVEit Transfer. In their post they threatened to post the stolen data if victims did not pay an extortion fee and also provided instructions for how to make payments. Security researchers have indicated that CL0P are likely to raise $75 million from their extortion attacks.
Figure 2: Instructions on making payment; Source: CL0P blog
On June 7th, they began posting the names of the victims they had successfully targeted. As of July 24th, they have added 187 victims’ names, however a number of other organizations have indicated that they are also victims of the attack. The group appears to be slowly releasing names, holding back those which could be considered more high profile. It is not currently clear how many organizations they were successfully able to compromise. The group have been teasing new victims and also what data will be included in the document leaks.
Figure 3: Teasing data threatened to be released; Source: CL0P blog
As of July 24th, only 11 victims have been removed from the leak site, which would suggest that they paid the extortion fee or are currently in negotiations with the threat actor. Full data has been provided for 21 victims and partial data has been released for a further 65. DarkOwl’s assessment of the victims indicates that the industry most impacted by this attack is finance.
Although some government and law enforcement agencies have self-reported as victims of the MOVEit campaign, no victim data has been provided. CL0P issued a notice on their website indicating that although they have successfully targeted government and law enforcement sites they will not be releasing this information as their intentions are purely financial in nature.
Figure 4: CL0P’s notice that they are not interested in government data; Source: CL0P blog
However, it does seem that CL0P may have fallen victim to too much success. Their leak site appears to have been overwhelmed by the amount of media attention they have received. The site has regularly gone down, there is often a queue to enter the site, and the download of data is very slow, offering an advantage to the victims that means it is not easy for people to download the information which has been stolen. It could be argued that it is not worth paying the extortion fee if no one can access the data. This could be why so few victims have been removed from the site.
Figure 5: Waiting page; Source: CL0P blog
Perhaps as a result of this issue on their darknet site, coupled with known slowness on TOR, the group have started releasing some of the data on clear websites. It is not yet clear if that will make the victim data more readily available.
The MOVEit attack has also highlighted the risk posed to organizations through third-parties, high profile consultancy companies have been included in the CL0P leaks, which are likely to contain information relating to some of their clients. Some of the reported victims, which have not yet appeared on the list use vendors that are known or have been reported to be breached.
Below is an example of a media item discussing a vendor breach that affected other organizations:
DarkOwl collects data released by ransomware groups in order to identify what information has been released, what victim data has been present and what risk it may pose to the organization. As well as the named victims, this data can also include large amounts of third-party data. It is therefore important to access this to enable searches for mentions of all organizations. DarkOwl can help your organization be alerted if their information appears in any of the data that we collect and further, how to turn that data into actionable threat intelligence.
The DarkOwl team had a busy week all over the world last week, from the Washington DC area to India. Alison Halland, Chief Business Officer of DarkOwl, kicked off the week with our first ever hands-on training of DarkOwl Vision and ended the week by attending AFCEA/INSA Intelligence and National Security Summit in National Harbor, MD. Meanwhile, Mark Turnage, CEO of DarkOwl, attended the G-20 Conference on the “Crime and Security in the Age of NFTs, AI, and Metaverse” under the G20 in Gurugram, Haryana, India. This blog highlights those events and key takeaways and summarises each.
On Wednesday, Alison hosted “Explore the Darknet with DarkOwl” at the Carahsoft headquarters in Reston, VA. Attendees got access to DarkOwl Vision and got to conduct hands-on searches during a Scavenger Hunt. DarkOwl’s industry leading Vision UI provides access to the largest commercially available database of darknet content in the world, without having to access the darknet directly, so you can take action to prevent potentially devastating cybersecurity incidents. After an afternoon of learning about the darknet and diving into it, attendees enjoyed networking during happy hour. The team is excited to do more of these intimate in-person trainings, make sure you don’t miss the invite to our next one!
The Intelligence and National Security Summit
Alison and Steph Shample represented the DarkOwl team at the Intelligence and National Security Summit on Thursday and Friday. The event describes themselves as “the nation’s premiere conference for unclassified dialogue between U.S. Government intelligence agencies and their industry and academic partners,” and was celebrating their 10 year anniversary this year. In addition to the exhibit hall, attendees could participate in a number of speaking session and breakout sessions. During the plenary sessions, top agency and military intelligence leaders discussed strategic intelligence challenges, military intelligence priorities, and the state of the community, and during the breakout sessions, senior executives, technology experts, and thought leaders explored some of the most pressing issues facing the community. Speakers included leaders from the Federal Bureau of Investigation, the Defense Intelligence Agency, Defense Innovation Unit, US Navy, U.S. Space Force and many more.
Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds are key to the mission of obtaining proactive situational awareness for protection of the nation’s security initiatives. DarkOwl Vision UI provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity, making it the perfect tool for this audience to be able to dive into.
The DarkOwl team was able to meet with several clients at the event, including Siren and OSINT Combine. You can read about our partnerships here. Being able to connect with current clients is always a huge plus when attending events and hearing feedback, brainstorming new ideas, and connecting with new members in person is invaluable.
G-20 Summit: Crime and Security in the Age of NFTs, AI, and Metaverse
The group of 20 (G-20) is comprised of 19 countries (Argentina, Australia, Brazil, Canada, China, France, Germany, India, Indonesia, Italy, Japan, Republic of Korea, Mexico, Russia, Saudi Arabia, South Africa, Turkey, United Kingdom, and the United States) and the European Union. Together these countries represent 85% of the global GDP and about 66% of the global population.
On Friday, Mark Turnage, CEO and Co-Founder of DarkOwl, presented on “Connecting the Dots on the Darknet: Darknet and Cryptocurrency.” This presentation covers the use of cryptocurrency (crypto) as it is used on the deep and dark web (DDW), as well as nascent efforts to regulate the cryptocurrency markets and transactions. On dark web marketplaces and forums, which sell everything from drugs and weapons to the latest malware and data leaks, the currency of choice for transactions — due to what cyber actors espouse is the provided anonymity — is crypto. Most common is Bitcoin, but DDW markets are accepting more currencies such as Ethereum, Monero, Litecoin, and Zcash, among others. Cyber actors generally feel that Bitcoin has become less anonymous as global entities move to regulate Bitcoin and follow financial transactions and state this as the reason they are using other cryptocurrencies. Regulatory efforts towards cryptocurrencies vary greatly by nation, but standard Know Your Customer (KYC) and Anti-Money Laundering (AML) policies are common, agnostic of country or entity efforts to regulate crypto transactions. Efforts to change from crypto into more traditional cash, known as “fiat”, are also analyzed from a regulatory standpoint.
Other speakers covered topics such as internet governance, security digital public infrastructure, the Metaverse and digital ownership, challenges of AI, and information and communication technologies. An official overview of the conference can be found in the Chair’s Summary.
Interested in meeting with the DarkOwl team? See where we are around the world the rest of the year here.
Read on for highlights from DarkOwl’s Product Team for Q2, including new product features and collection stat updates!
Data and Product Updates
DarkSonar Launch and Updated Features
In April, DarkOwl announced the release of a new product, DarkSonar API, to help organizations better assess and track their potential cyber risk based on the nature of their exposure on the darknet.
Built on DarkOwl’s proprietary Entity dataset, DarkSonar generates a risk rating that is unique to each company. The algorithm used to generate these signals takes into account key quantitative and qualitative factors over time of organizational exposure of email addresses with associated passwords, and weights each signal accordingly. The result is a quantifiable risk indicator that can help companies and organizations monitor and potentially predict cyberattacks.
In testing internally and with beta partners in the insurtech and third-party risk industries, DarkOwl found an elevated DarkSonar score in the months before a cyberattack in nearly 75% of the cases where a company publicly acknowledged a breach.
Date Input Option
This recently added feature allows users to input the date of a known event or breach, to get DarkSonar signals and trending for the months leading up to that date. This update is particularly important for customers with known historical incidents (reminder – DarkOwl never captures API queries in the system!).
Resources
In case you missed it and want to learn more about DarkSonar and the importance of forecasting cyber threats, there are several resources available to check out:
Report: Forecasting Cyber Threats: This report outlines DarkOwl’s new metric based on email and credential volume to measure an organization’s exposure. We tested our metric against 237 public cyberattacks occurring in 2021 and 2022 and found our signal was elevated within the last four months prior to an attack for 74% of the organizations.
DarkSonar API Document: Signals to inform threat modeling, third party risk management, and cyber insurance, that potentially predict the likelihood of attacks.
Search Tabs
The product team has added Search Tabs into the Research section of the UI, thanks to customer feedback! With Search Tabs, a user can have up to four search inquiries open at the same time. This will help users pivot while still retaining results from another search. To start a new search, simply click on the “+” icon next to the current result tab. With this new feature, the quick filter menu has also been adjusted to be more streamlined.
Enhanced Forum Presentation
The product team is most excited about improvements to forum presentation in our UI and Search API. A user will be able to easily distinguish thread Titles, number of posts on the time of collection, Users, Post Dates, and Posts. The numbers of forums available in the new format is growing every day, as of early July, there are 60 available. The below screenshot demonstrates the new formatting.
Decode/Encode Buttons
The Decode URL feature allows users to see the original (non-encoded) URL. Users need the encoded version to search in URL in our system. If a URL has been encoded, there will be a new Decode URL button below the URL in the search result.
Example of improved forum presentation and Decode URL
User-Selected Default Search Settings
The team has also added more personalization to the UI so that users can select their own Default search options for sorting, seeing duplicates, or seeing empty bodies. Ease of use for customers is always top of mind when implementing new changes and features.
Alternate Telegram Usernames
Telegram channels have become increasingly popular with threat actors as a means of advertising illicit goods and communicating with each other. Although Telegram users can change their display name as often as they want, when registering they are assigned a user ID which cannot be changed.
This quarter the team added a feature which allows the user to search on the User ID with the click of a button to see all the posts made by that user regardless of their username saving the analyst time and making it easy to focus in on posts. The screenshot below from Vision UI shows exactly when someone has changed their name in a channel, what their old name was and what they have changed it to. As mentioned above, their user ID is not changed.
Lexicon Updates
DarkOwl Vision’s DARKINT Search Lexicon is an easy-to-use tool intended to help users find interesting content within our database. This quarter a huge audit took place updating and adding hundreds of Lexicon entries for Forums, Markets, and Ransomware Sites. Clients can always submit content for us to add. Curious what DarkOwl means by “DarkInt?” Check out our full write up.
Collection Stats and Initiatives
The collections efforts and team continue to grow as advances are made in crawling technology and focus on emerging areas of activity continues. Below stats show tremendous areas of growth over Q1, 2023.
Highlights
This quarter 386 new chat channels and groups and 56 unique data leaks, totaling 900,000 new documents, were added. The team was able to obtain and index most channels and data leaks requested by customers within 24 hours of the incoming request. Some of the most notable include Shell.com, Viva Air, and Eye4Fraud.
Entity Numbers
As of the beginning of Q3 this year, DarkOwl Vision has captured the below number of critical entities and the database is growing every day.
Notable Leaks added in Q1:
Shell.com
Russian ransomware gang Cl0p, mainly oriented around double extortion ransomware, successfully exploited a zero-day vulnerability in the MOVEit file transfer tool in June 2023 which has led to the exposure of over 150 victims. The group listed Shell.com as one of their victims and released files including names, email addresses, phone numbers, social security numbers, physical addresses and more of customers and employees as well as internal documents. DarkOwl analysts are seeing their activity continue into July, with more victims being added and more files released. Learn more about the Shell Data Breach.
File structure in DarkOwl Vision from Shell breach indicating what victim information is available.
Throughout June, the actors were highly active using the nascent MOVEit zero-day vulnerability. They have shared details of their victims on their leak site which now contains over 150 organizations with information relating to 15 million individuals. Stay tuned as we release more in-depth analysis of MOVEit and their recent activities.
Viva Air
Viva Air, a budget airline based in Colombia, was allegedly hacked in March 2023 by Ransomexx ransomware. According to the original posting, shown in the DarkOwl Vision screenshot below, on BreachForums, 26.5 million records containing clients names, dates of birth, passport numbers, phones, and emails were leaked with a total size of 18.25GB. The posting also provided a sample of the data showing the personally identifiable information leaked. Processing this alone added nearly 450,000 documents into the DarkOwl darknet database. DarkOwl analysts also found listings and conversations about the leaked data re-posted for sale on several other forums and marketplaces as well as Telegram.
Eye4Fraud
In March 2023, Eye4Fraud, a global fraud detection firm, publicly announced that they fell victim to a data breach that resulted in the compromise of over 16 million unique email addresses, as well as full names, phone numbers, physical addresses from businesses that use their services. The company provides services to help protect against fraudulent orders for eCommerce companies and received criticism for their slow response to notify customer about the breach.
In today’s world, the internet is an integral part of everyone’s personal life and even more so of every organization. Over the past several years, social media platforms have come to play a big part of an organization’s strategy and digital footprint as people connect, share information, and express themselves. In addition, the darknet and darknet adjacent platforms have grown in popularity – characterized by anonymity and illicit activities.
In this webinar, DarkOwl CEO, Mark Turnage and Socialgist CRO, Justin Wyman explore how the two interconnect and dive into the topics of:
Data collection and enhanced insights
Online identities and connections
Social engineering and phishing attacks
Reputational risk
Ethical concerns and legal challenges
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity.
Kathy: I would like now to introduce Justin Wyman, the CRO for Socialgist, and Mark Turnage, the CEO for DarkOwl. I’m going to turn it over to them to do some introductions and introduce their companies and then we’ll get started. Justin.
Justin: Thank you, Kathy. I really appreciate you putting this together. And thank you, Mark, for joining me in this webinar.
I feel like our two companies are kind of different sides of the same coin in the sense that we both scour the internet looking for online conversation. Socialgist really specializes in what I would call public conversation, people talking on blogs, message boards, forums and social networks about everything under the sun, including brands, political issues, etcetera. We’ve been doing this since 2001. Our goal is to take all the information on the left, package it in that blue box in the middle, and then distribute it to analytics platforms on the right.
We call this DOS or data as a service. Our core values provide high quality global datasets of the world’s online conversations. The key strengths are important for this webinar. It’s very broad, right? 30 plus languages. We provide a lot of context. That means history. And then we really focus on high quality, low spam data collection. A lot of this is looking for a needle in the haystack, and if you don’t have accurate data, then you’ll get a lot of false needles.
This is just a sample of our data sources. The things to understand are there are many different parts of the internet to potentially mine for insights, blogs. Journaling news is where you watch things spread from social media to online media. Videos like YouTube are obviously important forums or threaded conversations or where you see really hobbyist conversations. And then there’s review sites and social networks reviews being people trying to fish in this example, looking for selling competitive products in social networks, being a parlor, true social, those types of things.
Kathy: Mark, would you like to introduce DarkOwl?
Thank you. And it’s a delight to be here. Thanks for hosting, Kathy, and thanks to Justin. We’ve been looking forward to this webinar. DarkOwl, as Justin said, we’re two sides of the same coin. In fact, the presentation that Justin gave, if you just substituted darknet data for all the data sources that he and Socialgist collect, you would get to DarkOwl. We have been collecting data now for well over a decade. We supply that data to our customers. And we, and just for the for the sake of clarity, we only specialize in darknet and related deep web and surface web sites that repost data from the darknet. And we supply that data through our Vision UI or through a range of APIs and data feeds.
This gives you a sense of what we’re talking about. The bottom of that slide is the traditional definition of a darknet, by which I mean our traditional definition is it usually requires a specialized browser to get to. And once you are in those darknets, your user identity is obfuscated and oftentimes the traffic is encrypted. So the beginnings of the darknet traditionally trace back to the Tor network. As you can see, a range of other darknets have arisen for a variety of different reasons. For example, the third one in called ZeroNet is very popular in China. It’s a blockchain based darknet so that the conversations that occur on ZeroNet are actually distributed around a blockchain. And in order to collect data from ZeroNet, you have to actually continually crawl the entirety of the blockchain to recreate a single conversation. And perhaps unsurprisingly, darknets are popular among the criminal groups because of user obfuscation. And with the rise of cryptocurrency, a relatively anonymous currency, it’s the perfect place to do crimes, the deep web and the surface web we also collect from, but we don’t collect from generally from social media and from the sites that Socialgist collects from, which makes us ideal partners. We collect from authenticated websites and the deep web and then some high-risk surface sites, direct messaging platforms, Discord, Telegram, IRC are new platforms for us where we collect data and increasingly a lot of criminal activity is moving to these direct messaging platforms. And I think the topic we want to discuss here today is how does how does the data that DarkOwl collects, how does it fit in in a cyber investigation and in an analytical context, how does it fit with what Socialgist is doing?
Just very briefly, this gives you a sense of the volume of data that is coming out of the darknet that we collect on a daily, weekly, monthly basis. And you can see some of the types of data that we that we collect as well.
Kathy: Thank you for the introductions to both of your our companies. Today we would like to start off with the first talking point of data collection.
Data Collection
Socialgist specializes in collecting and aggregating social media data while DarkOwl focuses on collecting dark web data. Can you both talk to how these two are connected?
Justin: I will start. I think what’s important to understand is that in an increasingly interconnected world, you have what’s called a butterfly effect, which is where small things can snowball very quickly. And if you see the sources that Mark presented on his slide versus mine, you can see a very interconnected world. Now, the thing that Mark and I have spoken a lot about in our partnership together is how often things that are damaging to brands or cyber investigations start in the dark. That’s where they get organized. But you cannot tell if it’s going to have an impact, especially when the intention of the criminals is to battle perception or brand awareness until it bubbles up into the public net. So it’s smart to look at. Have a wide net across dark and public to see what issues are emerging in the darknet and then going into public and going traditional news. Would you agree with that, Mark?
Mark: Absolutely would agree with that. In fact, we find that threat actors regularly use social media to bubble up threats, to bubble up data that they’ve stolen, to bubble up information to the surface web. We also find, by the way, that in terms of identifying threat actors, most threat actors are very, very active on social media. Whether they do that personally or in their professional, quote unquote, capacity as criminals. And we find that it’s very easy to pivot back and forth between the two in trying to identify who they are. And oftentimes we are able to identify them by virtue of their use of social media and the commonality of what they’re doing in social media with what they’re doing in the darknet. And I have some examples we can talk about later on.
Data Insights
What kind of data can come from social media that helps investigators or threat intelligence teams? And what about from the darknet?
Justin: Any person in crisis communications or PR will kind of have two principles. It’s how fast do you get the insight? And how accurate is the insight? What social media does is take that accuracy component and really helps you understand what’s happening. Or accuracy might be another word for validity. So when you see issues that are very important to you bubbling up in social media, then you know that it has momentum. That snowball is building that butterfly effect. So when I think about how the darknet and social web thing work together, it’s about when it pops up into social media or the public web, that is a very big sign of validity or accuracy. So that’s how you can use that to justify what threats are real or not. Because as somebody that’s in cyber investigations, you’ll have a list of 10, 20, 100 issues and you’re constantly trying to see which ones are real or not. And social media data gives you that validity or accuracy. Okay. This is something we need to pay attention to, especially in information warfare.
Mark: The range of data that is available in the darknet that is of interest to analysts and investigators is very broad. The darknet is a primary repository of threat data. It can be data that’s been hacked or stolen from organizations. It can be vulnerabilities that are being bought and sold or discussed in the darknet as a way to get entry into organizations. It can be a wide range of PII that’s available on the darknet for executives and companies. To Justin’s point, there are disinformation specialists who offer services in the darknet. And so I equate the darknet to the sort of 2 or 3 city blocks in every town where all the crimes occur, and we see ourselves as a primary policeman for those types of activities that occur in the darknet. And obviously, the darknet is growing. It’s a growing phenomenon. That chart I showed earlier shows that what started out as the Tor network is now a number of distributed networks. We, as an example, extract data from 25 to 30,000 darknet sites a day into our platform. But to Justin’s point, when you start to see data bubble up into social media or into the surface web from the darknet or from actors who are very active in the darknet, you know that something has happened. You know they’re bubbling it up for a reason. Usually it’s to draw attention to the fact that they have committed an act or extracted data from an organization or are in the middle of a ransomware attack. And you can easily see that when they when it when it bubbles up to the social media level.
Justin: I thought an important point you brought up on your slides was the ZeroNet Chinese aspect of this. We’ve watched us together, as you know, these 2 or 3 blocks as a great analogy, but those blocks are growing. They’re getting more organized and they’re getting more effective. And ZeroNet in China is a great example of how we watch them organize in the dark web, go up into Chinese forums, then go to more of the US public web. And so the question is, at what point in time are you going to be aware of that? Do you want to be aware of it by the time it hits the public web in the US, that’s probably not the speed you want. If you’re a crisis communications person, you probably want to understand that threat in the ZeroNet so you can prepare for it long in advance. You want to understand that threat as early in that kill chain as possible. And that’s the reason why our two platforms work so very well together.
Mark: And by the way, Justin, the example you cited with respect to ZeroNet also applies to the use of Telegram in the Ukraine Russia conflict and the various spiders that have arisen from the primary use of telegram by threat actors on both the Russian side and the Ukrainian side in spilling and leaking data and attacking each other. It then spreads through a broader social media environment and it has changed, frankly, the landscape of how we think about threats and how we pivot, how we see pivoting by threat actors between social media and the darknet. It is amazing to think about. The lag between traditional news and what we know, what’s happening online when it comes to the Ukraine war, the surprise when certain things happen are not nearly surprising to you and I, because we’ve been watching it for a while. We don’t you know, we obviously can’t predict the future, but we can anticipate it better by using that kill chain, as you described.
There’s no question about that. And it is interesting to me. I think if we were executives in traditional social and traditional media companies how to incorporate the speed with which news travels, particularly in social media, would be a real challenge. I know for, for example, that I go to social media when I hear something is late breaking or newly breaking. I go to social media as a first instance. It beats all the mainstream media sources in terms of speed, there’s no question. And, you know, I’m not unusual in relying on that. I think, you know, certainly the younger generation relies on that almost to the exclusion of any other sources.
Justin: Traditional media no longer breaks news. It’s supposed to analyze news and it always struggles when it tries to do the other thing.
Kathy: We’ve had a question come in and someone would like to know, how do you know when a company is being targeted on the dark web?
Mark: That’s a great question. My first part of that answer is oftentimes they’re named in the darknet. We are attacking XYZ company or we have a back door into XYZ company, and here’s some data we’ve always already exfiltrated. So shockingly, the first thing is look in our platform and see what companies are being named as targets. Secondly, threat actors oftentimes will post IP data of targets that they’re targeting. And if you know your IP range, you can see that you’re being actively targeted. But the most common way to know it is threat. Actors will oftentimes extract data out of a company, post it in the surface web, on surface web sites or in social media and say, we have attacked XYZ company and here’s proof of that, and they will put out some embarrassing documents and they will simultaneously, ransomware operators will simultaneously be discussing talking to the company directly and saying, we have a lot more of this data and we’re going to leak it unless you pay us a ransom. And so, you know, this is a case where seeing what’s happening in the darknet and seeing what’s happening in the surface net go hand in hand. And as Justin said earlier, you don’t want to be on the receiving end of that. You don’t want to see your company’s most confidential data already posted or in whole or in part on social on surface web sites. At that point, you’re way behind. Your response is way behind where it should be. So, you know, it’s pretty easy to see what companies are being targeted in the darknet.
Justin: To build on Mark’s point, what’s interesting about information warfare is for it to be useful, you have to at some point make it public. You have to usually increase the value of the data by saying you have the data in some sort of public way. Now, maybe that starts in the darknet or maybe it starts in the public web. But that’s one advantage I guess the good guys have is when somebody has information on you, it’s only valuable when it’s being used publicly. So eventually they will reveal themselves.
Online Identities and Connections
Using social media and darknet data can help can help paint a picture of a cybercriminal or group. How can these data sets and tools. How can you use these data sets and tools in tandem?
Mark: I’ll give you an example. And I’ve referenced this earlier. A few years ago, one of our clients was being subjected to online disinformation campaigns in Latin America that they thought might originate in Russia. And it was actually causing physical attacks on their facilities in Latin America. They asked us to look at that in the darknet and see what we could find out. And this was a threat actor who was who was actually very active on social media in making threats against our client, but also was very active in the darknet. So we started in the darknet and we were able to trace certain activity and certain identities in the darknet, and we pivoted back to social media. We noticed that in the darknet he was using a specific username that was quite unusual, and we pivoted back to social media and started to see if anyone else was using that username in social media. And we did, we found that there was a user using that username on some fairly obscure social media sites.
We then pivoted to those social media sites and as is the case with many social media sites, we were able to identify both an IP address, located in Siberia of all places, and secondly we were able to locate contact details. We then pivoted back to the darknet and said, is this email address that has been identified on this social media site in use anywhere else in the darknet? And we found that that social media site tied directly to one of the darknet accounts that he was using to launch these disinformation attacks on our client. And we pivoted back and forth and back and forth, and we actually finally came up with, believe it or not, a social media post where the actor had not only posted his picture, but we believed in the end that he was actually acting at the behest of the Russian government. Now, that’s a perfect example where identities are in both the darknet and in social media. And to be honest, he was a bit sloppy in doing so. But that’s a hallmark of many criminals is that they can be sloppy and pivoting between. We would not have been able to do that analysis simply using darknet data. We had to pivot to social media and back several times in order to get to the conclusion that this was a Russian threat actor. It was probably acting at the behest of the Russian government in targeting our client.
Justin: I think what’s interesting about this is their job is not that different from most jobs, meaning if you’re going to have an ongoing concern where you’re trying to achieve objectives, then you need to establish an identity that is known in many worlds, right? Just like I’m on LinkedIn, I’m the same person on Facebook, I’m the same person on Instagram. So while they’re a little more opaque than we would be, obviously you still have to be identifiable across these various mediums and that gives a real opportunity for forensic analysis to follow things along that kill chain.
Social Engineering and Phishing Attacks
How does social engineering differ in social media and on the darknet?
Mark: It depends on what the social engineering is being used for. Phishing attacks are usually emails targeting specific individuals or groups of individuals with a view towards attempting to get them to open a data and corrupt their computer and then get access to their network or to the data that’s on their computer. Social engineering refers to broadly identifying those individuals or those targets ahead of time so that those attacks, those phishing attacks can be much more sophisticated. And I’ll give an example. I’ve been subject to social engineering and phishing attacks and a sophisticated attack, an unsophisticated attack. Is somebody sending me an email and saying, hey, you know, click on this article, it’s of interest. It would be of interest to you. A sophisticated attack appears to come from my CFO and says Mark, attached is a file which I need you to urgently look at and call me now.
Now, to get to that latter email, they have done some research on Mark Turnage. They have to know who my CFO is. They have to then build a template that looks as if it’s coming from my CFO. All of that occurs. All of that data is available in the darknet. My email address is available on my darknet. Biographical information about Mark Turnage is available in the darknet. And for most executives, by the way, it’s also available in the surface net. You can go to the DarkOwl website and see who our management team is. It’s very common for companies to post that data. And so pivoting back and forth between the darknet and social media allows the targeting that we are talking about, targeting of executives, targeting of individuals in organizations and in companies to enable criminals to do what they do.
Justin: The thing that scares me, well, Mark, I’m sure you’ve seen this too, is like how little information you need to do social engineering these days. It’s literally like five seconds of audio and you can clone my voice, basically. And Mark and I were talking before this phone call how we have the first, I think, political campaign ever creating somebody else’s voice today for ads, having somebody literally say what they don’t want to say and publishing that on television. So, I think we’re going to live in a world where social engineering and social media is going to be very personalized. To Mark’s point, because we’re all online, we all have identities, and it’s only going to get easier to trick people with more and more realistic content.
Mark: And to use the example that Justin gave, and I think Justin posted it in social media this morning. When you have deep fakes and you can imitate somebody’s voice or somebody’s a video of somebody really well, in an almost undetectable way. The opportunities for phishing attacks grow exponentially because imagine that that example where I get an email from my CFO saying, Mark, I need you to open this file. Imagine that instead of that being an email, it’s a voicemail. It’s or it’s a voicemail attached to an email that sounds exactly like my CFO. The range of the range of potential abuse of that technology is remarkable. I was just amazed, Justin, that the first use of it was a political presidential campaign. That’s the part that was a surprise to me. Not really phishing. It was just politics.
Justin: When we thought we couldn’t go lower, we go a little bit lower.
Reputation Risk
According to a recent report by Deloitte, 87% of executives rate reputational risks as more important than other strategic initiatives. What are your thoughts on that?
Mark: I think if I had to read behind that statistic, I would say I would guess that the reason most executives are worried about reputational risk versus other strategic initiatives is that they don’t control reputational risk to a large degree. Once an attack, say, a misinformation or disinformation attack is mounted on a company and recovering from an attack, a disinformation attack is inherently more difficult than almost anything else. So to Justin’s earlier point, you want to stay ahead of any disinformation attacks. You want to have a plan in place on how to react to them if they do arise. But if you can get early warning signals from social media, from chat rooms, from forums that people are targeting your company or your organization, and it gives you the chance to stay on the front foot as opposed to be on the on the back foot. I mean, am I right about that, Justin?
Justin: I believe so. What’s interesting about that statistic when I read that was in this business, I still remain very optimistic. People are understanding the risks and how they impact their business. I mean, that’s a very impressive number it generates from the C-suite. I believe most of that responsibility was put on the CEO or CFO of the C-suite, meaning they understand that this is a thing they can’t control. The other thing that was embedded in that study that I thought was really important was consumer perception, which reputational risk is kind of like the bigger version of consumer perception. But when it comes to the world of phishing and social engineering, people are really understanding that this is a problem, probably because they’ve seen many of their peers be burned at this point in time and they’re trying to figure out what to do. The big step now is now that we understand, the problem is how do you execute on it? You know, when those people raise their hands, how do Mark and I help them get systems in place that allows them to be protected?
Ethical Concerns and Legal Challenges
What challenges do you both face?
Mark: We at DarkOwl face a set of ethical challenges every day in terms of how do we collect data from the darknet in an ethical manner and make it available to legitimate clients and while respecting the privacy of people whose data has been posted to the darknet. So as an example, we don’t participate in darknet sites where purchase of data is necessary in order to participate because we don’t want to fund the criminal ecosystem. So there are clearly darknet sites that we will not collect data from. What we’re trying to do is return stolen data to its rightful owners or alert them to the threats that are arising from the darknet. So there’s a natural inherent balancing act that we have between privacy concerns, legitimate privacy concerns on one hand and the need to be continuously monitor this environment from which from which many threats arise.
Justin: In our world, we think a lot about the town square and public conversation and how important that is. And I think that when things are in the public square, our biggest ethical concern is not actually on our side. It’s on the people that are providing the public square. So we have major social networks that are creating these environments to have misinformation spread. A lot of other information is spreading as well. But misinformation is also spreading. And I think the thing we’re seeing, the thing that’s concerning to me and my company is that. These large social networks seem to be, as an attempt to save money, get profitable, abdicating their responsibility to moderate this town square. You can’t sell gasoline to a bunch of people and then be upset when everything is on fire. So that is the big concern I’m seeing, is that moderation is going down, which is causing for a rise of disinformation because they’re filling the vacuum that previously wasn’t there.
Kathy: What are the key technological or macro developments in the space to be aware of?
Mark: I mean, you know, everybody is talking about AI, and rightly so, to be honest. If there’s anybody on this webinar who hasn’t been on ChatGPT or any of the look a likes to ChatGPT, I would I would highly encourage you to do so. AI is moving at a very rapid pace and I think critically it will allow, Justin spoke in his introduction earlier, about the noise to signal ratio and the noisiness of data. Both our companies collect so much data that parsing through that noise to get to your particular signal is oftentimes quite challenging, even with the tools that both our companies provide. AI I think will enable investigators and companies to get to that signal much faster and to monitor in a much more comprehensive way. But with all technologies, it’s also used by the criminals. So we were talking about we were talking about deepfakes, but AI can be used in a criminal context as well. So, you know, it’s going to be an interesting challenge going forward to see both how AI is used to protect companies and how AI is used to attack organizations as well.
Justin: I was reading earlier this morning. So they did a study – they think there’s 220 websites, news websites that are just all AI generated at this point in time. So it’s up from like 73 months ago.
It’s like tools go both ways, right? You can create bad content and you can identify bad content. But if we learn the lessons from the previous versions of AI, which was recommendation engines, where the social networks keep generating more and more or surfacing more and more clickable content, which is usually conspiracy based or negative. Well, soon they’re not recommending the content. In that example, they needed a library of content or people creating content, but they’re going to be able to do that on their own in real time and test and then go, oh, this vein is working. Keep going deeper and deeper. That is a massive macro trend that I think is really going to change how we think about information and maybe in a weird way create a rise of journalism again, because we’re gonna need some validation because we can’t trust what’s in our feeds. And then the last one would be the one I just mentioned previously is as this rise of content is happening, social networks seem to be taking a step back from moderation, which again, I think is going to embolden people with ill intent.
Mark: No, I think that’s you know, I think that’s very clear, by the way. Another potential use of AI on the criminal side is if I were going to mount a disinformation campaign on a company or an organization, it can do so using generative AI could very easily generate an extremely professional sounding set of facts that are misinformation or disinformation and can be used in an offensive capability, and you can generate that almost instantly. So to your point earlier, where companies have at the C-suite level have to be cognizant of the risks they’re facing, that’s a massive risk because instead of responding to a disinformation specialist who’s putting out a rumor that your company did X, Y, Z or was involved in X, Y, Z, criminal act or bad act, you could be facing, you know, what looks like a legitimate article with legitimate sounding facts that’s been generated by AI. And then you’re up against a much steeper cliff in terms of responding. So what is interesting is most of these people are opportunistic. They’re taking a misstep and they’re amplifying it. But soon they’re going to be able to or probably today they’re going to be able to create a perceived misstep and amplify that. So you will be under attack from things that you had no connection to. But that won’t change how the consumer perceives you unless you’re very on top of that.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.
