June 27, 2024

As DarkOwl have previously reported, a group known as Scattered Spider have been attributed to several high-profile attacks including against MGM casinos and Caesars Palace. They are known to use social engineering techniques to target call center staff in order to gain access to systems. Active since early 2022, Scattered Spider is also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra and is largely financially motivated. 

Although many cyber security researchers hypothesized that the actors were Western-based, due to the times that they operated and the language used, little is known about the individuals behind the attacks. Although the group has been named Scattered Spider by researchers, it is thought that there are many different groups of individuals who have been involved in this and other nefarious activity.  

Arrests 

The FBI had announced in May that they were seeking to charge members of the Scattered Spider group. However, the first individual purported to be a member of Scattered Spider was arrested in January 2024 in Florida. Noah Michael Urban who is 19 years old was charged with stealing $800,000 from 5 victims. He is awaiting trial.  

On June 14th, the VX Underground reported via X (formerly Twitter) that a 22-year-old British man was arrested in Palma de Mallorca Spain. The arrest was reported to be part of a multi-agency operation between the FBI and Spanish authorities.  

An official statement stated that the individual was alleged to be behind a series of large enterprise “hacks” which resulted in the theft of corporate information. 

Further reporting indicated that the individual arrested used the alias “Tyler” and that he was a sim swapper allegedly involved in the Scattered Spider group. VX Underground reported: “Most notably he is believed to be a key component of the MGM ransomware attack, and is believed to be associated with several other high profile ransomware attacks performed by Scattered Spider.“

A video was circulated online which purported to be this individual being arrested by Spanish authorities, which happened as he attempted to board a flight to Italy.  

Scattered Spider are also reported to be behind the Oktapus campaign which used SMS phishing campaign to target several high profile organizations. The arrested individual was reported to be active in sim swapping.  

Brian Krebs later reported that the individual arrested was Tyler Buchanan from Dundee, Scotland who used the alias “tylerb” on sim swapping channels. 

Tyler Buchanan 

Searching for further information relating to Tyler Buchanan in DarkOwl Vision, highlights that individual was doxed in January of this year. Details were shared on the Doxbin site which included his full name, address, telephone numbers, email addresses, IP addresses, usernames and social media accounts.  

The post seems to have been made by a rival who appears to share the information in retaliation for Buchanan speaking about his and states that he has made money off him whereas Buchanan doesn’t have money.  

But this was not the first time this individual was victim of a dox, with other posts identified in 2023 which includes financial information and information about his family members. Another post was found as early as 2019. 

A review of the usernames listed highlights that Buchanan was also active on several dark web markets selling financial information.  

Further reporting from Krebs indicated that Buchanan had been subject to an attack from a rival trying to access his cryptocurrency keys. In that event his mother was assaulted highlighting the real-world risks that are posed by these criminal groups and sharing their information online. 

We will await further information from law enforcement on what Buchanan is charged with.  

---

Don’t miss any updates. Follow us on LinkedIn.

June 19, 2024

In the digital age, understanding user behavior and engagement within online communities is crucial for any OSINT or dark web investigator. Increasingly, Telegram channels have been used by threat actors to communicate, sell illicit goods, share disinformation, and generally communicate among other activities. Monitoring of these channels is important to track the activities of these groups and mitigate any threats they may pose to individuals and/or organizations.  

However, the amount of data that can be included in these channels can be very large in volume. DarkOwl, therefore, wanted to establish if AI (artificial intelligence) could be used to analyze the data included in a specific channel and what could be discerned from that data.  

Disclaimer: This blog is based on A.I analysis of a Telegram channel content. This covered the period of August 2022 to February 2024. DarkOwl does not take responsibility for the analysis conducted and is shared for informational purposes only. Other AI platforms are available.  

Star Fraud Chat 

The Telegram channel “Star Fraud Chat” was selected as a channel to analyze to see what information could be gleaned about this group from their activity on Telegram. This group have been attributed by security researchers to a group known as Scattered Spider which is assessed to have been responsible for the attack on MGM Casinos. Furthermore, they are assessed to be part of a group which describes itself as “the Com” who are reported to conduct cyber attacks as well as cyber bullying and swatting attacks.  

Figure 1: Profile page for StarFraud Chat 

Data Analyzed and Methodology 

DarkOwl analysts used open-source tools to extract a download of the Telegram chat content from when it was started in August 2022 to February 2024. This generated a CSV file which included the usernames of participants, timestamps of activity, content, media shares, replies, and reactions. ChatGPT was then used to analyze the CSV file, with specific questions being asked to identify what information could be gleaned.  

This blog was written with a mix of AI analysis produced directly by ChatGPT as well as analyst review and enrichment.  

Parsing the Dataset: Challenges and Solutions 

ChatGPT was asked to analyze the CSV file to see what information could be found. It initially had issues due to the formatting of the document but was able to overcome these issues after a few tries.  

ChatGPT said: 

The initial attempt to read the CSV file encountered issues due to irregularities in the data format, such as varying numbers of fields per line and improperly escaped or quoted strings. By inferring the delimiter and adjusting parsing strategies, we successfully re-parsed the data using a semicolon (;) as the delimiter. This correction allowed us to structure the dataset properly, revealing 56,210 rows and 42 columns, including information on message IDs, display names, user IDs, message texts, timestamps, and reactions. 

Topic Analysis 

First, we wanted to understand which topics were most commonly being discussed in this Telegram channel to understand what threat that the users of this channel could pose. We therefore asked ChatGPT to analyze the message content itself and provide us with a summary of what was discussed.  

ChatGPT said: 

The most common words in the messages are general and do not provide specific insight into the topics discussed. To better understand the themes, we should look for specific terms and phrases related to the context of the chat. 

Key Observations: 

1. Fraud-related Terms: 

• Words like “debit,” “pin,” “balance,” “card,” and “verified” suggest discussions about fraudulent financial activities and the exchange of sensitive financial information. 

2. Communications: 

• Common conversational terms like “you,” “me,” “for,” “is,” and “on” indicate typical interactions among users. 
• Informal and slang terms like “lol” and “bro” indicate casual communication. 

3. User Mentions: 

• Usernames and mentions, such as “@FENTOPENUPS” and “@bankopendropps,” likely reference specific users or groups within the chat. 

We wanted more information, so we then asked ChatGPT to do a deeper analysis of the text used related to fraud and take samples of the data. ChatGPT itself suggested ways in which we may be able to conduct further analysis. The output was as follows: 

ChatGPT said: 

Summary of Topics Discussed: 

1. Sale of Financial and Personal Information: 

• Users are discussing the sale and exchange of debit cards, ATM PINs, verified personal information (SSN, DOB), and related financial details. 

2. Resetting and Hacking Services: 

• Offers for resetting email accounts and other services for specific fees, indicating a market for hacking services. 

3. Social Engineering Techniques: 

• Strategies for social engineering and cashing out from accounts, including profit-sharing details and specific email domains targeted. 

4. Account Requests: 

• Requests for various types of accounts, such as Netflix, indicating a broader market for access to subscription services and accounts. 

5. Panel Management and Availability: 

• Discussions around the availability and longevity of panels, which could relate to account management services or access points for various fraudulent activities. 

The chat primarily revolves around fraudulent activities, including the sale of financial and personal information, hacking services, social engineering techniques, and requests for various account types. There is also a market for managing and providing access to certain panels or services related to these activities. This environment indicates a highly active and diverse exchange of illegal services and information.

Identifying the Most Active Users 

Once the document had been reviewed and we understood what information was being discussed, we then wanted to understand more about the users of the channel. We began to ask ChatGPT specific questions about the users starting with an analysis of which users were the most active. 

ChatGPT said:  

The analysis determined the most active users based on the number of messages sent. The top 10 most active users are: 

1. **”.”** – 1,076 messages 

2. **netbox** – 1,062 messages 

3. **ㅤ** (a whitespace character) – 718 messages 

4. **MY UZI HOLDS A HUNDRED ROUND CONSCIENCE** – 697 messages 

5. **ʹ** (a single quote) – 504 messages 

6. **Osama (GENERATING)** – 469 messages 

7. **Perc** – 468 messages 

8. **bloed** – 347 messages 

9. **Systoned** – 327 messages 

10. **boomb** – 320 messages 

These users have significantly contributed to the conversation, making them central figures in the community. 

The analysis highlighted that many of the most active users didn’t have a specific display name, with punctuation or blank spaces being used. This analysis also did not account for the fact that users are able to change their display names, so there may be messages within the data from the same user that appear to be different. It is possible to conduct this analysis based on the user IDs as that was included in the data extracted from Telegram.  

The admins of the account are listed on the Telegram channel, this includes a bot which is likely used to administer new joiners etc. None of these appear in the most active users: 

Figure 2: List of StarFraud Chat admins 

Users Receiving the Most Reactions 

We then wanted to establish if we could look at the activity on the channel from a different perspective, not just who had posted in the chat, but who had provided a reaction. Telegram users can react to posts on Telegram using emojis etc. We looked at which users post had received the most reactions from other users.  

ChatGPT said: 

Reactions to messages indicate the level of engagement and resonance of user contributions. The users who received the most reactions are: 

1. **Star Sanctuary** – 34 reactions 

2. **netbox** – 15 reactions 

3. **Jack** – 12 reactions 

4. **ㅤ** (a whitespace character) – 9 reactions 

5. **.** (a period) – 8 reactions 

6. **Perc** – 6 reactions 

7. **digital cannibal** – 6 reactions 

8. **MY UZI HOLDS A HUNDRED ROUND CONSCIENCE** – 6 reactions 

9. **Stardusts in my memoryCard** – 5 reactions 

10. **Panama Creative** – 5 reactions 

This list highlights the users whose contributions garnered the most engagement from others. 

This did include posts by some of the admins, the number of reactions given the volume of posts appeared to be relatively low.  

Key User Interactions 

We then wanted to understand how the users were interacting to do this we asked ChatGPT to analyze replies between users. However, this did not take into consideration the nature of the posts, as some posts may garner more interest than others. Added context would be needed to understand how they users were interacting.  

ChatGPT said: 

Understanding who interacts with whom provides insights into the community dynamics. The top user interactions, based on reply activity, include: 

1. **’** replied to **fan (real)** – 6 times 

2. **Perc** replied to **netbox** – 5 times 

3. **nef** replied to **boxingloves** – 5 times 

4. **Systoned** replied to **Osama (GENERATING)** – 5 times 

5. **ㅤ** (whitespace character) replied to **Osama (GENERATING)** – 4 times 

6. **Osama (GENERATING)** replied to **Systoned** – 4 times 

7. **ㅤ** replied to **geekypoo** – 3 times 

8. **Osama (GENERATING)** replied to **ㅤ RR BB** – 3 times 

9. **King** replied to **𐕣₩** – 3 times 

10. **netbox** replied to **Uno[Shop in Bio]** – 3 times 

These interactions highlight the most engaged pairs of users within the community. 

However, this again did not take into consideration that display names could change, nor does it factor in who made the most replies. Which user generally received the most replies and to what content. It is possible that this information could be obtained from the data using ChatGPT with more precise questions. 

Visualization of Interactions 

We wanted to see if it was possible to visualize these interactions, network analysis is a really useful tool for analysts see connections between individuals and identify who is communicating with who and if patterns can be identified. So, we asked ChatGPT to create this visualization and to clean it up.  

ChatGPT said: 

A network graph was created to visualize the interactions between users. Each node represents a user, and each directed edge indicates that one user has replied to another. This graph illustrates the structure of interactions, showing which users are more centrally involved in conversations and how clusters of users interact more closely with each other. 

Figure 3: ChatGPT generated visualization of user replies 

Being able to review this information can be incredibly useful for analysis and gives us an insight into which users in the StarFraud chat interact the most and are the most active on the channel. Being able to manipulate this graph and see which users are most active could give analysts a starting point for which users it may be most useful to investigate. 

Peak Activity Times 

We then wanted to know if it was possible to identify the time that the chat was most active, as this could maybe help us identify which time zone the users were in helping us to narrow down a location. We therefore asked ChatGPT to review the timestamps.  

ChatGPT said: 

Analyzing the timestamp data revealed that users are most active at 1 AM, with a total of 3,973 messages sent during this hour. This peak in activity suggests that the majority of users might be located in a specific time zone or find this time particularly convenient for engaging in conversations. 

Figure 4: ChatGPT generated timeline of posts 

However, it was not possible to ChatGPT to identify the time zone without additional context. The timestamp provided by Telegram appeared to use GMT however which would indicate that most of the posts were made during the early hours of the morning in Europe or late afternoon US time.  

Location Mentions 

As this analysis was inconclusive, we wanted to see if there was any information in the messages sent which may link to a location. So, we asked ChatGPT to look for this information within the posts.  

ChatGPT said: 

A search for location-related keywords identified 152 messages referencing specific locations. Examples include: 

– ““victory park” its a 2 story police department…” 

– “u in middle of street” 

– “ghost town” 

– “smh u the same ni**a scared to meet up and we …” 

– “**🎉 Get the Best RDP/VPS Deal with StealthRDP!…” 

These references vary in context, ranging from conversational mentions to specific addresses or locations. 

This analysis did not add much value as the locations mentioned were very generic in nature, again more specific questions and directions may be beneficial to improve results here, perhaps focusing on country or city locations rather than more generic terms.  

Conclusion 

The analysis of StarFraud Chat provides valuable insights into user activity, engagement, and interaction patterns. By understanding the most active users, the times of peak activity, and the dynamics of user interactions, we can better understand how this group is operating and where best to focus our analysis. We can also analyze the topics discussed to understand what threats this group poses.  

This also highlights how AI can be used by analysts to assist in their investigations, allowing them to speed up how long it takes so review large amounts of data. However, these specific examples also highlight the importance of asking AI models very specific questions and ensure they understand the information you are seeking to obtain, these models are only as good as the seed questions that are being asked.  

---

Questions about AI impacts DarkOwl’s darknet data collection? Contact us.

May 31, 2024

RSA Conference in San Francisco, this year held May 6-9, is one of biggest and most anticipated cybersecurity events of the year. The DarkOwl team plans and looks forward to RSA each year; to see friendly and new faces alike, hear the latest trends, news and innovations in cybersecurity, share our latest product updates and offerings, and of course have some fun around San Francisco. This year, the team had a booth on the show floor, a private meeting space around the corner from Moscone Center to hold one-to-one meetings with prospects, partners, press, and clients, and for the first year ever, host a party with several of our customers and partners on Tuesday night!

“The Art of Possible”

The RSA Conference slogan, “Where the World Talks Security” is the perfect quick elevator pitch for what happens each year at RSA – thousands of security professionals from around the globe gather together to hear and discuss new and leading perspectives, innovation and best practices. The most memorable RSA moments can be found on their website here.

The theme of RSA this year was “The Art of Possible.” According to Dr. Hugh Thompson, Executive Chairman of RSAC and Program Committee Chair in his keynote speech describes the theme as “a phrase that, on the one hand, is meant to inspire hope, but it also serves as a warning. We should never underestimate what is possible by our adversaries.” It is a great point as over 40,000 cyber security professionals across 130 countries around the globe all gather at RSA.

DarkOwl Highlights

Representing the DarkOwl team, we had several executive team members, sales reps, customer success managers, and analysts present manning the booth and holding private one-to-one meetings. Of note, DarkOwl Chief Business Officer, Alison Halland, shared, “Great week of seeing new and friendly faces alike – tons of great conversations, especially at the booth which a welcomed change of pace – not just attendees looking for some freebies, but genuinely interested in what DarkOwl has to offer.” Magnus Svärd, Director of Strategic Partnerships, echoed that sentiment, “RSA this year was the busiest yet with a higher number of meetings compared to previous years. The names of the companies were top tier visiting the booth.”

Big shoutout to all our customers and partners that stopped by the booth to say hi, see the latest updates and provide feedback. These face-to-face conversations are invaluable to us as we work towards making darknet data relevant, actionable, and digestible for all our clients!

Showcasing Customers and Partners

This year, we were happy to host several sessions at our booth, highlighting the work that we do with different customers. We hosted OSINT Combine, Silobreaker, Authentic8 and Datastreamer. This was a great way to showcase how we work together. Below, we briefly summarize how DarkOwl works with each of these companies.

OSINT Combine

This collaboration empowers OSINT Combine’s clients with access to DarkOwl’s extensive darknet database, bolstering their open-source intelligence capabilities and enabling them to address complex operational requirements more effectively through training, software solutions, and consulting services. Read more.

Silobreaker

DarkOwl’s robust darknet data enables our customer, Silobreaker, to provide their customers enriched monitoring of deep, dark web and dark web adjacent sites to help identify risk at scale and drive better decision-making. Use Case here.

Authentic8

This partnership brings together the advanced technologies and expertise of both Authentic8 and DarkOwl to address the escalating challenges posed by cyber threats. By combining DarkOwl’s comprehensive darknet database and monitoring capabilities with Authentic8’s Silo cloud browser, which is known for its secure browsing environment, organizations will gain unprecedented visibility and protection against cyber threats surfacing on the darknet. Read more.

Datastreamer

With Datastreamer and DarkOwl’s combined solution, organizations can integrate dark web data without in-house engineering teams needing to maintain complex data pipelines. Furthermore, analysts can broaden coverage by merging additional web data including TikTok, Threads, news, forums and more. Previously raw unstructured data is federated for analysts to perform queries and real-time surveillance as easily as they would with structured data. Learn more.

Product Highlights

Ahead of RSA, the team put together several product highlights and updates to be able to share on the showfloor. Below, we outline a few of them, but a full blog of Q1 product highlights can be found here and a summary 1-Pager here. Curious about how any of these can help your use case? Contact us!

Access the Darknet Safely and Securely Directly from DarkOwl Vision

Last quarter the team released “Direct to Darknet” within Vision UI in partnership with Authentic8, a leading provider of cloud-based secure browsing solutions. This feature allows users to further investigate Vision UI search results on forums, marketplaces, and other Onion sites. This can be helpful for an investigation to view the original website, view images or advertisements that may be on the sites, take a screenshot for reporting, and more. By combining DarkOwl’s comprehensive darknet database and monitoring capabilities with Authentic8’s Silo cloud browser, which is known for its secure browsing environment, organizations will gain unprecedented visibility and protection against cyber threats surfacing on the darknet.

Collection Stats

Last quarter showed tremendous growth in data collection. The team had 5% growth quarter over quarter in added Tor documents, 27% growth in I2P documents, 31% growth in ZeroNet documents, 15% growth in records from Telegram, to highlight a few.

A Watchful Eye Evening

On Tuesday night, for the first time, DarkOwl hosted a happy hour after the show floor closed… and what a fun night! We’d like to extend a huge thank you to our co-sponsors, Doppel, OSINT Combine, and Socialgist. From networking with net new prospects, current customers, partners and everything in between, it was a great event and we hope that everyone that attended enjoyed their evening. If you didn’t get an invite this year, make sure to ask for invite next year! We would love to see you and look forward to hosting again!

---

Didn’t get a chance to meet with our executive team at RSA? Contact us to set up some time to chat!

May 28, 2024

In December of 2023, DarkOwl analysts released a blog answering the burning question of “What are Stealer Logs”. In another piece, DarkOwl analysts presented an overview of the different types of Information Stealers (Info Stealers) that are sold on the Darknet.

Now, DarkOwl would like to shed some insight into info stealers from an engineering perspective, to further explore the functionality, specific behaviors, and technical characteristics of this sophisticated form of credential theft.

Info Stealers infiltrate systems and compromise data primarily through social engineering attacks. Common tactics include but are not limited to:

• Phishing Emails
• Malicious Websites
• Exploiting Software Vulnerabilities
• Remote Access Trojans (RATs)
• Removable Media Attacks
• Drive-by-Downloads

Info stealers are very sophisticated forms of malware, and the complexity of the modular architecture allows them to often go undetected even by anti-virus software. While each type of info stealer does vary in its level of refinement, as they are still relatively new but rapidly evolving, this review will be focused on generalizing key elements commonly found in info stealers. Info stealers are known for their evasion techniques and for targeting what people want to protect, their private information, credentials, and financial data.

Info Stealers

Part of what makes info stealers so sophisticated are their complex modular architecture. A simplified overview of that architecture includes the following key elements:

1. Core Engine Module
2. Communication Module
3. Data Collection Module
4. Encryption Module
5. Exfiltration Module
6. Evasion Module

To understand what each of these modules are and their functionality within a stealer log we will review each term and look at a very basic version of the complex code that is used to design an Information Stealer.

Core Engine Module

This serves as the central intelligence hub of the info stealer and manages its functionality. The core engine drives tasks such as initialization and configuration of all the other modules coordinating their actions. It also initializes the malware, establishes communication with the command control (C2) server and houses the execution codes for the other five modules.

Below is a basic sample of what part of the code for a Core Engine could look like:

• Keylogger – provides a basic framework for logging keystrokes
• log_keystroke – this captures and logs keystrokes
• save_logs – method used to save and send the logged keystrokes to a remote server
• start_logging – acts as a place holder for when to start the keylogging process

Communication Module

This establishes and maintains communication with the C2 server, handles sending/receiving commands, transmission of stolen data, and maintains a covert channel of communications. Generally, this module will have some form of encryption in place to prevent the interception of the data that is being stolen as well as protecting the location of where the stolen data is being sent.

Below is a basic Communication Module code to demonstrate part of the module’s functionality:

• request – this library is used to send a HTTP request to the C2 server
• send_request – sends what is called a POST request to the C2 servers URL which generates a JSON response
• handshake – initiates communication with the C2 server and contains information about malware versions, system architecture and contains the installation ID
• execute_command – simulates the execution commands from the C2 server
• exfiltrate_data – simulates the exfiltration of the stolen data

Data Collections Module

The responsibility of this module is to identify and harvest the data the threat actor is after once the system has been infected. The Data Collections Module can house a large array of submodules for specific forms of data the threat actor wants to collect. Common forms of data such as PII, financial data, device information, Geo locations, and personal photos would all require their own submodule to identify. In addition to the targeted data, the Data Collections Module also collects from numerus other sources such as browsers, system files, and apps installed on the device.

Below is a basic example to demonstrate the structure and functionality of Data Collections Module often found in info stealers:

• keystroklogger – mentioned above in the core engine module
• NetworkMonitor – captures network traffic (a placeholder) and sends it to a remote server.
• DataExfiltration – mentioned above in the core engine module
• If _ _name_ _ == “_ _main_ _”: – this creates a block instance of the three submodules are created, and separate threads are started to run their respective functions concurrently

Encryption Module

This provides cryptographic functionality and encryption keys used to communicate with the C2 server. As ironic as it seems the use of strong encryption algorithms (AES) is used to prevent interception of “unauthorized” access to the data that is currently being stolen. Only instead of protecting the device owner from the threat actor it is protecting the threat actor from the device owner, authorities, and aids in keeping the info stealer from malware detection.

Below is an example of one type of AES often used in info stealers:

• EncryptionModule – methods for encrypting/decrypting data with the use of the AES algorithm
• encrypt_data – imports plaintext data, encrypts it using AES, and outputs encrypted data as a “base64” encoding string
• decrypt_data – does the reverse action of “encrypt_data”
• if _ _name_ _== “_ _main_ _”: – generates a random encryption key

Exfiltration Module

This module handles the transmission of the stolen data once it has been encrypted. Exfiltration module formats the encrypted data into messages and sends them through the communications channel established by the communications module. This module often includes contingencies for when there are network interruptions, failed transmissions, and bandwidth issues.

Below is an example of the type of code that could be used in the Exfiltration Module:

• ExfiltrationModule – this is a class that will provide a method to send the stolen data to the remote server
• send_data – takes the stolen data as an input and sends it to the designated server URL
• if _ _name_ _== “_ _main_ _”: – creates and instance of the exfiltration module with the URL of the remote server
• data_to_exfiltrate – stolen data is sent to the remote server

Evasion Module

Just as it sounds this final module is responsible for the evasion tactics to evade malware detection by software and humans. Some common evasion techniques include polymorphism, obfuscation, and anti-debugging to hide the malware. This module acts as a chameleon as it continually adapts and evolves to remain under the radar. This is a highly scalable and adaptable to the various environments and target systems but below is a simple example of what the code could look like.

• EvasionModule – defines the methods for simulating normal user activity while detecting virtualization/sandboxing and analysis tools
• simulate_normal_activity – mimics typical user behavior, by opening files, browsing websites, or launching apps to hide amongst legitimate activity
• detect_virtualization AND detect_analysis_tools – check for signs of virtualization/sandboxing and the presence of analysis tools
• evade_detection – continuously runs evasion checks
• if _ _name_ _== “_ _main_ _”: – the EvasionModule class is created, and the evade_detection method is called to start the evasion process.

There is no doubt about it, information stealers are a formidable threat to cybersecurity on multiple levels. Info Stealers are sophisticatedly engineered to stealthily execute malicious intent. By studying the architecture, functionality, and technical characteristics through an engineering perspective, cybersecurity analysts can gain a deeper understanding of how to create effective countermeasures and create robust detection strategies.

---

Questions? Contact us!

May 23, 2024

Internet censorship is arguably a critical threat facing freedom of expression and access to information today. This is especially true for countries where access to information is restricted by governments or other controlling entities. For many countries around the world, controlling entities use various tools, techniques, and technology in order to control and restrict access to certain websites and publicly available content. The Tor Project’s response to such targeted censorship is WebTunnel.

In this blog, DarkOwl analysts summarize WebTunnel, not to be confused with TORTunnel, what it is, how it is implemented, and the impacts it has.

Image 1: Source: Tor Blog

WebTunnel 

Released March 12^th, 2024, WebTunnel is a bridge developed by the Tor Project that allows users to bypass censorship by disguising traffic to mimic encrypted web traffic. Essentially, WebTunnel helps users evade censorship by hiding traffic in plain sight. The bridge tunnels TOR traffic by wrapping the TOR connection in a websocket-like HTTPS connection, making traffic more difficult for tools, techniques, and technology to detect and block. The Tor Project designed WebTunnel to be easy to use and simple to deploy. 

Key Features:

• HTTPS Tunneling:
  • Uses HTTPS tunneling to mimic ‘normal’ HTTPS traffic 
• Obfuscation: 
  • Uses obfuscation techniques to disguise Tor traffic 
• User-Friendly Interface: 
  • Designed to be user-friendly and easy to use 

Configuring a TOR browser to use the new WebTunnel feature is easy. Users simply navigate to the TOR Project bridges resource from any browser, select “webtunnel”, and copy the provided line. The user then simply opens the TOR browser, selects “add a bridge manually”, pastes the copied line, and restarts the browser. No further modifications or configurations are required. 

Tor provides individuals with a means to protect and obfuscate online privacy and anonymity, enabling users to browse internet connected resources without potentially revealing personal or location data. WebTunnel has the potential to significantly impact censorship evasion by providing users with an easier, more effective and reliable means to access restricted content. 

Impact

The availability of features like WebTunnel impacts corporate security and further extends the corporate risk surface. Corporate security policies and technology often lock down networks and devices to protect the organization. Anonymity driven tools and features often allows users to bypass corporate defenses to browse the totality of the internet both good and bad. While it’s fair to assess most users using privacy-driven tools to bypass corporate security policies, technology, and controls are likely not doing it out of spite or hostility towards the organization, these users often lack the guidance and information on why these tools and features should not be used to bypass corporate defenses.

Educate users on the risks bypass tools expose the organization to and why such tools are not allowed inside the corporate environment or on corporate devices. Allow staff to understand the potential impact and outcome. TOR is a tool neither good nor bad until assigned an action by the user. Encourage staff to include the security of the organization in their decisions.  

---

Don’t miss any updates or research from DarkOwl. Register for email.