
Review of CL0P’s Zero-Day Exploit Against MOVEit

Updated August 02, 2023

Reviewing Victims on DarkOwl’s DarkSonar API

While ransomware attacks have continued to grow in 2023, the recent attacks by CL0P against the MOVEit file transfer software have garnered much publicity. Additionally, the zero-day exploit against the MOVEit software has led to huge data theft and extortion attacks.

On June 7th, CL0P began posting the names of the victims they had successfully targeted. By July 11th, they had listed 140 companies which had been compromised. These companies were from a variety of industries as illustrated in Figure 1. These attacks highlight the risk posed to organizations through third parties who have access to sensitive information relating to some of their clients.

Figure 1: Breakdown of industries targeted by CL0P

DarkOwl’s DarkSonar risk signal can be used to forecast cyber threats to an organization by measuring the relative risk rating for an individual domain. Additionally, organizations can measure the risk of third parties who have access to sensitive data. An elevated signal is a cause for concern as it shows a dramatic increase in relative risk, providing warnings of potential threats. We tracked DarkSonar in the weeks and months leading up to the attack for all 140 company domains to see if there was an elevated signal. The results are shown in Table 1. Of the companies attacked, 10% had no email exposure. Of the remaining companies, we found an elevated signal (1) within the 4 months leading up to an attack for 67% of the organizations. In addition, 94% of organizations had a signal that was trending upwards.

Table 1: Share of attacked domains with a DarkSonar indicator in the 4 months before the attack

| Group | Elevated Signal (1) | Signal Trending Upwards |
| All Attacks | 60% | 84% |
| All Attacks for Domains w/ Email Exposure | 67% | 94% |

A prior independent third-party analysis of DarkSonar showed that an upward trending signal is also a significant indicator of risk. Thus, we explored not only an elevated signal prior to the attack, but also an upward trending signal. We calculated the trend line in the 4 months leading up to the attacks to determine the number of upward trending signals. For the companies with an elevated signal or an upward trending signal, we saw true positive rates between 84% and 94%.

Breaking down the results across the industries with the most attacks, we see the positive accuracies shown in Figure 2. While this requires further analysis, it does point to some industries where DarkSonar may have the potential to be a higher indicator of risk.

Figure 2: Positive accuracy across the main industries

To learn more about how DarkSonar may predict future attacks on your organization, contact us.

Review of CL0P’s Zero-Day Exploit Against MOVEit

Original Post: July 25, 2023

Ransomware attacks continue to grow in 2023, with the number of attacks taking place this year surpassing those at the same stage last year. One of the most successful groups this year has been CL0P, which leveraged a zero-day exploit against MOVEit, a managed file transfer software; the campaign has led to huge data theft and extortion attacks.

Figure 1: Initial vendor alert on the newly discovered MOVEit vulnerability; Source: Community Progress

CL0P have been active since early 2019, conducting both ransomware and extortion attacks, which highlights the fact that they are financially motivated. They have been known to make large-scale demands to release data; in 2020 they became one of the first ransomware groups to demand over $20 million. While law enforcement activity has identified some members of the group, they continue to be active.

DarkOwl analysts have been actively monitoring CL0P and the leak site to which they post victim data. On June 6th, 2023, they claimed responsibility for exploiting the privilege escalation vulnerability in MOVEit Transfer. In their post they threatened to publish the stolen data if victims did not pay an extortion fee, and also provided instructions for how to make payments. Security researchers have indicated that CL0P are likely to raise $75 million from their extortion attacks.

Figure 2: Instructions on making payment; Source: CL0P blog

On June 7th, they began posting the names of the victims they had successfully targeted. As of July 24th, they have added 187 victims’ names, however a number of other organizations have indicated that they are also victims of the attack. The group appears to be slowly releasing names, holding back those which could be considered more high profile. It is not currently clear how many organizations they were successfully able to compromise. The group have been teasing new victims and also what data will be included in the document leaks.

Figure 3: Teasing data threatened to be released; Source: CL0P blog

As of July 24th, only 11 victims have been removed from the leak site, which would suggest that they paid the extortion fee or are currently in negotiations with the threat actor. Full data has been provided for 21 victims and partial data has been released for a further 65. DarkOwl’s assessment of the victims indicates that the industry most impacted by this attack is finance.

Although some government and law enforcement agencies have self-reported as victims of the MOVEit campaign, no victim data has been provided. CL0P issued a notice on their website indicating that although they have successfully targeted government and law enforcement sites they will not be releasing this information as their intentions are purely financial in nature.

Figure 4: CL0P’s notice that they are not interested in government data; Source: CL0P blog

However, it does seem that CL0P may have fallen victim to their own success. Their leak site appears to have been overwhelmed by the amount of media attention they have received. The site has regularly gone down, there is often a queue to enter it, and data downloads are very slow. This works to the victims' advantage, since it is not easy for anyone to download the stolen information, and it could be argued that it is not worth paying the extortion fee if no one can access the data. This could be why so few victims have been removed from the site.

Figure 5: Waiting page; Source: CL0P blog

Perhaps as a result of this issue on their darknet site, coupled with known slowness on TOR, the group have started releasing some of the data on clear websites. It is not yet clear if that will make the victim data more readily available.

The MOVEit attack has also highlighted the risk posed to organizations through third parties: high-profile consultancy companies have been included in the CL0P leaks, which are likely to contain information relating to some of their clients. Some of the reported victims which have not yet appeared on the list use vendors that are known, or have been reported, to be breached.

Below is an example of a media item discussing a vendor breach that affected other organizations:

Figure 6: Source: TechMonitor

DarkOwl collects data released by ransomware groups in order to identify what information has been released, what victim data is present, and what risk it may pose to the organization. As well as data on the named victims, these leaks can also include large amounts of third-party data, so it is important to have access to this data in order to search for mentions of all organizations. DarkOwl can alert your organization if its information appears in any of the data that we collect, and can further help turn that data into actionable threat intelligence.


Schedule a time to chat with us to learn more.

Forecasting Cyber Threats

June 13, 2023

The darknet contains data critical to understanding criminal behavior and security risk, and companies need an understanding of their exposure on the darknet to determine risk and take mitigating actions. 

This report outlines DarkOwl’s new metric based on email and credential volume to measure an organization’s exposure. We tested our metric against 237 public cyberattacks occurring in 2021 and 2022 and found our signal was elevated within the last four months prior to an attack for 74% of the organizations. 


To learn more how DarkSonar can inform threat modeling, third party risk management, cyber insurance, and potentially predict cyber threats, contact us.

Introducing DarkSonar: An Interview With our Product Team

April 25, 2023

In honor of the launch of our newest product, DarkSonar API, our marketing team sat down with DarkOwl’s Director of Product, Sarah Prime and Product Manager, Josh Berman to learn more.


Leah: Hi! Thanks for taking the time to chat with me today. Let’s start out with the basics: what is DarkSonar and what does it do?

Josh: DarkSonar is a relative risk rating based on exposed credentials in the darknet. So, basically, it looks at not only the volume of a company’s exposure, but also the severity of it. For example, a leaked email address that was posted with an associated plain text password would be considered a greater indicator of risk than just a standalone email address. DarkSonar takes that into account and generates a signal that is specific to that company based on its historical exposure, which means companies can monitor for their specific level of risk. Basically, you can think of DarkSonar as an indicator of current cyber risk. 

Sarah: Yeah – really the most defining characteristic of DarkSonar is that it tells you something. It gives you a signal, versus just giving you a score. Is your risk elevated today compared to what it was last week? This is really valuable information for threat intelligence teams or anyone in charge of assessing cyber risk levels. 

Leah: Why did you decide to focus on credentials as the basis for DarkSonar risk signals?

Josh: Exposed or compromised credentials are something that has been definitively proven to be a direct predictor of cyberattacks. Basically, that means that DarkSonar takes into account not just the presence of the emails, but also the context in which it appears. DarkSonar asks questions like, is it just an email by itself? Or, is there a plaintext password with it? Those are two very different things that a threat actor is going to do two very different things with.

For example, if we detect a domain that has a bunch of emails and plaintext passwords that were put on the darknet yesterday, there’s a very good chance somebody out there is going to try to use those plaintext passwords. I say that because, from the perspective of the threat actor, there’s almost no work they have to do on their end to exploit that information. It’s like it’s an invitation to use this for an attack. Whereas, if there’s no passwords – or even if there’s a hashed password – there’s an extra step there that a threat actor would have to take to compromise that account. And so that’s why that’s weighted heavier in our new calculation. Because of the weighting we have, which accounts for the recency and the severity, we’re able to make an assessment about the relative likelihood of an attack.  

Sarah: As we were thinking about the DarkSonar model, we thought about how we incorporate the actual risk of an exposed entity more meaningfully. You know, instead of just looking at the overall hackishness of the page where an entity is mentioned, how could we assess the hackishness of the mention? We set out to develop a tool that evaluates exposure in a qualitative way, rather than just quantitative. 

Leah:  What does “relative risk” mean in the context of DarkSonar? 

Josh: I think it’s important to point out that by incorporating standardization into the algorithm, DarkSonar signals are relative to the company itself. It has nothing to do with other companies, which means it’s a lot more indicative of actual risk.  

Sarah: Yeah, another way to think about it is that DarkSonar gives you a personalized risk indicator.

Leah: Do you envision companies using DarkSonar for monitoring? 

Sarah: Absolutely. We believe that darknet data is a really important source of insight into criminal activity and potential threats to your attack surface. We know that breaches and ransomware are a huge problem for businesses of all sizes. At a conference I attended recently, one of the presenters cited a survey where 80% of CISOs felt that they were going to be hit by a ransomware attack in the next year. So, with things like that being very top of mind, we’ve continued to innovate new ways to help companies monitor for and potentially even predict cyberattacks.  

Josh: That’s a good point, Sarah. Essentially, we want to help companies use darknet data in a way that means something to them. 

Leah: So let’s say I’m a company monitoring my DarkSonar signal and it suddenly is elevated. Does that mean a cyberattack is imminent?

Josh: It does not mean an attack is imminent, but it does mean that there is a greater likelihood of such an attack occurring. We know this based off of our internal research, combined with validation by external companies that we’ve partnered with. The results of that analysis showed that there’s a pretty strong indicator that an elevated DarkSonar signal correlates with cyber risk.  

Sarah: In developing DarkSonar, we looked at 250 companies with known cyberattacks, and found that their signal was elevated nearly 75% of the time in the months leading up to the attack. For those companies, the DarkSonar signal would have been an early indicator of a future cyberattack. And, to our knowledge, there is no other cyber risk monitoring tool out there that could do that.   

Leah: Are DarkSonar signals something that would benefit small businesses? Or are they more geared towards enterprise companies? 

Josh: DarkSonar is absolutely valuable for small companies as well. That’s because, as we’ve been saying, signals are relative to the company. It’s relative to how they’ve been doing the last two years. So it was not built for just big businesses or just small businesses… it adds the same value to any company with a domain that has email addresses. That’s who it applies to.  

Leah: Are there any other use cases for DarkSonar other than monitoring your own company’s signal?  

Sarah: Oh my gosh, yes. Many. DarkSonar can be used to assess risk for anything that is a part of your attack surface, including third party vendors for example.  

Josh: Monitoring for your own company is definitely important, but, it definitely shouldn’t end there. Your full attack surface includes your supply chain, your clients, your clients’ clients, and so on. This is a tool for monitoring risk across your entire portfolio.  

Leah: Any other closing thoughts? 

Josh: Yeah, I think just generally, we’re proud of the evolution of our darknet exposure monitoring tools. We think it’s super important that we listen to our customers, conduct regular product evaluations based on feedback, etc – and that is what we do every day.  

Sarah: For me, particularly given the environment that we’re in with ransomware attacks that you can see in the headlines on a daily basis, we’ll be thrilled if we can help even one company be aware of a potential risk by using DarkSonar. 


Learn how DarkSonar can help your organization track risk and potentially predict cyberattacks. Contact us.

DarkSonar API

With cyberattacks increasingly on the rise, organizations need better intelligence to safeguard themselves, employees and customers from incidents such as data breaches and ransomware attacks. This rise in illicit cyber activity only increases the need to protect against and determine the likelihood of these attacks.

DarkSonar, a relative risk rating based on darknet intelligence, measures an organization’s credential exposure on the darknet. DarkSonar enables companies to model risk, understand their weaknesses and anticipate potential cyber incidents. In turn, organizations are able to take mitigating actions to protect themselves from loss of data, profits, and brand reputation.


Want to learn how to monitor your relative risk? Contact us.

Cyber Risk Modeling: Introducing DarkSonar

April 18, 2023

Over the past few years, there has been an increase in global cyberattacks, with reports indicating that overall attacks were up 38% in 2022 from years previous. In the USA alone there was a 57% increase, while the UK experienced a 77% increase in cyberattacks. Many of these attacks result in data breaches and ransomware attacks, which cost organizations time and money, as well as long term negative effects such as loss of reputation. 

On top of this, the average cost of a data breach has reached a record high of $4.35 million. The cost of a ransomware attack is $4.54 million, on average, not including the cost of a ransom payment. With cyberattacks on the rise, organizations need better intelligence to enable them to model risk and take mitigating actions, particularly small businesses which are three times more likely to be a target of a cyberattack.

Darknet data is a key source of insight into criminal and other nefarious activity. The darknet—or dark web as it is also referred to—is a layer of the internet that cannot be accessed by traditional browsers. Sensitive corporate information is regularly leaked or sold on the darknet. These sets of darknet data can be used to identify cybersecurity threats and calculate organizational risk. Understanding risk enables an organization to better be prepared for potential threats.

Cybersecurity Risk

Cybersecurity risk can be most simply described as the amount of risk your organization faces from a cyberattack. The possibility of a cyberattack feeds several different corporate risk calculations. One of the biggest threats a cyberattack poses is the loss or public exposure of data, which presents a significant risk to a company’s brand and reputation.

Stolen and leaked intellectual property can pose a significant risk to a company’s profit/finances/bottom line and competitive edge. In addition to loss of data, there is a direct risk to executives and key leadership from phishing attacks and stolen credentials. If the direct risk within a company wasn’t enough, there is also an indirect risk through third-party vendors and suppliers. To better map out cybersecurity risk, organizations need to model risk.

Figure 1: Generic Risk Model; Source: NIST

The figure above shows a generic risk model and the relationships between the components. In organizational risk calculations, threat includes anything that can cause harm to the organization. This includes threats from natural disasters, significant hardware or backup failure that triggers a disruption in services or production, and cybersecurity attacks by external malicious entities. Threat calculations are often tied to scenarios with likelihoods of occurrence that involve an adversary’s intent, capability, and targeting. To effectively model risk, organizations need to (1) model internal threats, (2) model external risk from third parties, and (3) determine the likelihood of specific scenarios. The risk is then calculated from a combination of impact and likelihood.

DarkOwl Data

DarkOwl provides a variety of data to model risk and threats to an organization:

Leaks/Data Breaches: Leaks, or data breaches, are aggregate data files of information obtained without the owner’s consent. This can consist of internal email records, usernames and passwords, personally identifiable information (PII), financial records, and more. Leaks are often sold for profit on the darknet, though they are sometimes posted and leveraged by criminal actors for means other than financial gain.

Dark web search data: Vision UI provides access to a variety of darknet and deep web resources. Additional capabilities enable the user to search for CVEs, construct searchblocks, etc. The platform provides the ability to fully customize darknet searches based on individual priorities and focus areas. Approximately 10-15 million pages/targets are crawled daily, with updated content becoming accessible to users in near-real time.

Entities: In addition to being able to search all collected darknet data, DarkOwl extracts entities such as IP addresses, credit card numbers, bank identification numbers, crypto addresses, email addresses, and credentials. This enables an organization to search specifically for relevant entities, such as server IP addresses and email addresses.

Group data: Vision UI enables a user to search for groups. Groups include chan, ransomware, forum, market, and paste data. Ransomware and forum data are particularly useful for determining organizational risk. Discussions of relevant software and exploitability of specific CVEs can assist an organization in determining potential unpatched vulnerabilities.

Telegram and Chat Platforms data: Telegram and other chat platform data consists of encrypted, semi-encrypted, and open-source chats. DarkOwl has over 400 thousand Telegram chats. Discussions between threat actors can be found on these chat platforms.

DarkSonar: DarkSonar is a risk metric based on darknet intelligence and measures an organization’s credential exposure on the darknet. It provides a relative risk rating for an individual email domain. The metric is based on email exposure using three parts of email entities: unique plaintext credentials, unique hashed credentials, and total unique email address volume with no credentials. 

DarkOwl’s data can assist an organization with threat modeling, managing third party risk, and potentially predicting the likelihood of an attack.
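As an added, illustrative example (not DarkOwl's code, and not the actual DarkSonar algorithm, which the page does not disclose), the Python below builds a relative risk signal from the three inputs just listed (unique plaintext credentials, unique hashed credentials, and email-only volume), weights them by severity, standardizes each week against the domain's own trailing history so the signal is relative to the company itself, and then applies the two checks used in the "Review of CL0P’s Zero-Day Exploit Against MOVEit" post above: was the signal elevated, or trending upward, in the 4 months before an attack. The severity weights, the weekly granularity, the 12-week baseline, the z-score threshold of 2, the standard-deviation floor and the 16-week lookback are all assumptions, and both domain histories are constructed.

```python
"""Illustrative relative-risk signal modelled on the page's description of DarkSonar.

All numeric settings below are assumptions for illustration, not DarkOwl's values.
"""
from statistics import mean, pstdev
from dataclasses import dataclass

WEIGHTS = {"plaintext": 5.0, "hashed": 2.0, "email_only": 1.0}  # assumed severity weights
BASELINE_WEEKS = 12   # assumed: standardize against the domain's own trailing history
SD_FLOOR = 1.0        # assumed: floor so a perfectly flat history cannot blow up the z-score
ELEVATED_Z = 2.0      # assumed threshold for an "elevated" signal
LOOKBACK_WEEKS = 16   # the post's "4 months leading up to an attack", taken as 16 weeks


@dataclass(frozen=True)
class WeeklyExposure:
    week: int        # sequential week index
    plaintext: int   # new unique plaintext credentials seen that week
    hashed: int      # new unique hashed credentials seen that week
    email_only: int  # new unique addresses seen with no credential attached


def severity(obs):
    """Severity-weighted exposure for one week: plaintext > hashed > bare email."""
    return (WEIGHTS["plaintext"] * obs.plaintext
            + WEIGHTS["hashed"] * obs.hashed
            + WEIGHTS["email_only"] * obs.email_only)


def signal_series(history):
    """z-score each week against the preceding BASELINE_WEEKS of the same domain.

    Recency is handled by scoring only newly observed exposure per week, so an old
    leak stops inflating the signal once it leaves the baseline window.
    """
    ordered = sorted(history, key=lambda o: o.week)
    raw = [severity(o) for o in ordered]
    series = []
    for i in range(BASELINE_WEEKS, len(raw)):
        baseline = raw[i - BASELINE_WEEKS:i]
        sd = max(pstdev(baseline), SD_FLOOR)
        series.append((ordered[i].week, (raw[i] - mean(baseline)) / sd))
    return series


def slope(points):
    """Least-squares slope of (week, z) points: the post's 'trend line'."""
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    xbar, ybar = mean(xs), mean(ys)
    den = sum((x - xbar) ** 2 for x in xs)
    return sum((x - xbar) * (y - ybar) for x, y in points) / den if den else 0.0


def assess_before(history, attack_week):
    """The post's two checks on the LOOKBACK_WEEKS before a known attack date."""
    window = [(w, z) for w, z in signal_series(history)
              if attack_week - LOOKBACK_WEEKS <= w < attack_week]
    return {
        "elevated": any(z >= ELEVATED_Z for _, z in window),
        "trending_up": len(window) >= 2 and slope(window) > 0.0,
        "peak_z": max((z for _, z in window), default=0.0),
    }


def true_positive_rate(histories, attack_week, key):
    """Fraction of attacked domains whose pre-attack window carried the indicator."""
    hits = sum(assess_before(h, attack_week)[key] for h in histories)
    return hits / len(histories)


# Constructed sample histories (not real observations).
def quiet_domain():
    """Control: a steady trickle of addresses and one hashed credential per week."""
    return [WeeklyExposure(w, 0, 1, 10) for w in range(30)]


def breached_domain():
    """Same baseline, then a credential dump at week 20 followed by residual chatter."""
    hist = [WeeklyExposure(w, 0, 1, 10) for w in range(20)]
    hist.append(WeeklyExposure(20, 40, 5, 60))
    hist += [WeeklyExposure(w, 2, 1, 15) for w in range(21, 30)]
    return hist


if __name__ == "__main__":
    for name, hist in (("quiet", quiet_domain()), ("breached", breached_domain())):
        print(name, assess_before(hist, attack_week=28))
```

Running the script prints the assessment for both constructed domains with a hypothetical attack at week 28: the quiet domain never leaves its own baseline, while the dump at week 20 lands inside the lookback window and flags as both elevated and trending upward. The standard-deviation floor is the detail worth keeping in any real implementation: without it, a domain with a perfectly flat history would turn a one-address change into an enormous z-score.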

Threat Modeling

Identifying threats involves creating threat scenarios: threat events caused by threat sources that exploit vulnerabilities, which are weaknesses in systems. Vulnerabilities can be internal, such as an unpatched server or poor employee awareness, or external, such as a third-party vendor.

Threat vectors refer to the vulnerability pathway that cyber attackers take to gain access to an organization’s network. Regardless of the actor or the motivation, they will utilize one or more threat vectors to gain access to a system. Below, Table 1 gives a list of common threat vectors used by an adversary. Also included are the associated solutions that DarkOwl data offers to help to model risk and mitigate damage for each of these different threat vectors.

Table 1: The Most Common Threat Vectors

Threat Vector: Phishing Emails
Statistics:
– 61% increase in the rate of phishing attacks in the six months ending October 2022 compared to the previous year, and attacks are getting more sophisticated.
– 90% of IT professionals believe email phishing is the top cyber threat to their organization due to the sharp increase in email phishing.
– 92% of malware was delivered through email in 2021. Phishing emails in particular were responsible for 90% of 2021’s data breaches.
DarkOwl Data:
– DarkSonar: Risk Signal
– Entities: Emails, Credentials

Threat Vector: Third Party Vendors/Supply Chain
Statistics:
– 48% of organizations deem third-party relationship complexity as their main problem.
– 54% of businesses do not vet third-party vendors properly and do not have a complete list of all the third parties who have access to their network.
– 59% of companies experienced a third-party data breach. Only 16% say they effectively mitigate third-party risks.
– 65% of firms have not identified the third parties that have access to their most sensitive data.
DarkOwl Data:
– DarkSonar: Risk Signal

Threat Vector: Weak or Compromised Login Credentials
Statistics:
– 80% of hacking incidents are caused by stolen and reused login information.
– 82% of data breaches involve a human element, including phishing and the use of stolen credentials.
DarkOwl Data:
– DarkSonar: Risk Signal
– Entity Emails: Credentials

Threat Vector: Brute Force Attacks
Statistics:
– Brute force is the most widely used initial vector to penetrate a company’s network.
– Brute force attacks increased from 13% to 31% in 2021.
– Over 80% of breaches caused by hacking involve brute force or the use of lost or stolen credentials.
DarkOwl Data:
– Vision UI: Company mentions
– Entity Emails: Credentials: available data for credential stuffing for brute force

Threat Vector: Unpatched Vulnerabilities
Statistics:
– 60% of breach victims admitted they were breached due to an unpatched known vulnerability where the patch was not applied. 62% claimed they weren’t aware of their organizations’ vulnerabilities before a breach.
– 75% of attacks in 2020 used vulnerabilities that were at least two years old.
– 84% of companies have high-risk vulnerabilities on their external networks; more than half of these could be removed simply by installing updates.
– 87% of organizations have experienced an attempted exploit of an already-known existing vulnerability.
DarkOwl Data:
– CVE Mentions: for relevant software and combination CVE mentions for 0-days
– Forum data: discussions of malware development

Threat Vector: Cross-site Scripting (XSS)
Statistics:
– It is estimated that more than 60% of web applications are susceptible to XSS attacks, which eventually account for more than 30% of all web application attacks.
DarkOwl Data:
– Entity IP addresses
– CVE mentions: for exploitable web server vulnerabilities

Threat Vector: Man-in-the-Middle (MITM)
Statistics:
– Nearly 58% of all posts on criminal forums and marketplaces contain banking data of others collected by MITM or other attack types.
DarkOwl Data:
– Vision search: company mentions
– Entity IP addresses
– Forum data

Threat Vector: DNS Poisoning
Statistics:
– A six-year study of DNS data showed that DNS spoofing is still rare, occurring only in about 1.7% of observations, but has been increasing during the observed period, and that proxying is the most common DNS spoofing mechanism.
DarkOwl Data:
– Entity IP addresses

Threat Vector: Malicious Apps/Trojans
Statistics:
– 46% of organizations have had at least one employee download a malicious mobile application which threatens their networks and data.
DarkOwl Data:
– DarkSonar: for phishing attacks, which often include links or attachments of malicious apps/trojans

Threat Vector: Insider Threat
Statistics:
– Insider threats increased by 47% between 2018 and 2020.
– 70% of organizations are witnessing more frequent insider attacks.
DarkOwl Data:
– Vision Search: searchblocks for insider targeted searches

Examples

Email Exposure

DarkSonar provides a metric to chart an organization’s relative risk ratio over time. To demonstrate this, we have included several case studies using actual organizations that experienced cyberattacks. The example below looks at AMD, who publicly announced that they experienced a cyberattack in June of 2022 (as illustrated by the dotted line). 

Figure 2: DarkSonar exposure for AMD over time

Figure 2 above shows that DarkSonar detected an elevated risk signal for AMD from January to April of 2022. An elevated score indicates that the exposure on the darknet has dramatically increased, which translates to higher risk. In this example, DarkSonar's elevated signal in the months preceding the incident forecast the attack that ultimately transpired.

Entity Explore

Entity Explore provides information about entities in DarkOwl’s entity database. Using Entity Explore or the Entity API allows an organization to see all emails, IPs, credit card and BIN numbers, and crypto addresses. Additionally, when viewing emails, all plaintext and hashed passwords can be sorted and analyzed. For financial institutions, credit card numbers and BIN numbers provide a notion of financial exposure for their risk calculations. Organizations can also search for the IP addresses of their sensitive infrastructure to determine if and how those IP addresses are being discussed on the darknet.

The example below looks at Entity results for Honda.com and illustrates how a company can use Entity Explore to assess their credential exposure within Vision UI.

Figure 3: Email Entities for honda.com; Source: DarkOwl Vision

Vision Searches

Additionally, DarkOwl Vision UI provides tools to focus an organization’s search of darknet content. Group searches enable an organization to focus on forums and ransomware sites. Similarly, queries can focus on specific sources, such as Telegram content. Search blocks provide terms that can be used to focus on insider attacks and exclude results from search engines.

After a recent product update, Vision now allows users to more easily search for specific CVEs. This enables an organization to find discussions of exploiting vulnerabilities relevant to software they run on their network. Figure 4 shows a forum discussion about an exploit for CVE-2022-30190, a Microsoft Office vulnerability that hackers can leverage for remote code execution.

Figure 4: DarkOwl Vision search reveals an exploit based on CVE-2022-30190; Source: DarkOwl Vision

Manage Third Party Risk

As per the data shown in Table 1, third-party vendors pose a significant risk to businesses of all sizes. Most organizations don’t even know who has access to their sensitive information. This is in part due to the fact that, typically, an organization does not have adequate insight into the types of protection mechanisms a third party uses to protect their data.

To fill in this gap, DarkSonar provides an organization with a risk metric for their third-party vendors based on email exposure on the darknet. This enables an organization to better understand the risk of a third-party. 

Figure 5: Example of a third-party vendor attack, where the Cancer Centers of Southwest Oklahoma’s data was compromised through third party cloud provider Elekta. While both companies exhibit an increase in their DarkSonar signal, Elekta’s is elevated higher 5 months prior to the attack.

Figure 5 gives another case study example of how DarkSonar can be used to forecast a third-party attack. In this case, the Cancer Centers of Southwest Oklahoma’s third-party cloud-based storage provider, Elekta, was the victim of a data breach in April 2021.

During the attack, unauthorized personnel accessed the protected health information of 8,000 oncology patients from the Cancer Centers of Southwest Oklahoma. While both companies experienced an increase in DarkSonar by the time of the attack, the third-party vendor, Elekta, was elevated higher for longer prior to the attack.

Help Determine the Potential Likelihood of Threat with DarkSonar

Calculating organizational risk is a combination of the likelihood of a threat and the adverse impact it may have on your organization. Overall, DarkSonar exposure signals can help to indicate when the likelihood of a particular attack increases. In fact, in a study of 237 publicly disclosed data breaches and ransomware attacks from 2021 and 2022, DarkSonar was shown to have an elevated score within several months for 74% of the attacks. 

Given that such a large percentage of cyberattacks start with an email, DarkSonar can be particularly beneficial to an organization in determining the likelihood of an attack.

Conclusions

Darknet data includes a variety of information relevant to organizational risk. Utilizing DarkOwl’s data sources enhances an organization’s ability to understand threats posed to their organization, manage third-party risk, and potentially determine the likelihood of a threat. Modeling risk enables an organization to both understand their weaknesses and take mitigating actions to protect their organization from loss of data, profits, and reputation.


Contact us today to learn how to monitor your darknet exposure.

[Developing] Despite FBI Takedown, Genesis Market Persists on the Darknet

Last Updated 10 April 2023 – 15:52 UTC

Update: The Genesis Market Onion site is still online; however, there have been no new listings or activity since early Friday the 7th.

April 06, 2023

In the last 36 hours, the United States Federal Bureau of Investigation has announced the seizure of the criminal forum Genesis Market in an internationally coordinated effort dubbed “Operation Cookie Monster.” Our analysts detected the disruption of Genesis Market in the early afternoon of Tuesday, April 4th, which is consistent with other accounts that also saw the popular marketplace replaced with the law enforcement landing page at that time.

Figure 1: Screenshot of the landing page of Genesis Market on the Surface Web after its seizure on April 4th taken at 12:30pm MST (Source, Genesis Market Surface Web)

Much reporting has focused on the arrest of at least 100 known users of Genesis Market on the surface web (or “clearnet”), and few outlets have discussed the fact that darknet mirrors of Genesis Market are still online. 

Figure 2: Login portal to Genesis Market on Tor, which is still live at time of publication (Source, Tor – Genesis Market)

DarkOwl Vision analysts detected the seizure notification of Genesis surface web domains just after noon MST on April 4th, though it is possible the seizure took place in the hours preceding. As pictured above, the message displayed a large banner and included the logos of the various international organizations they coordinated with to execute this operation.

The declaration from the FBI states that the marketplace’s domains were seized in part pursuant to a warrant issued by the United States District Court for the Eastern District of Wisconsin.

Interestingly, the notice ends with a solicitation asking readers to contact the FBI if they themselves have ever been active on the illicit marketplace. The language and nature of the message suggest the FBI is still actively gathering evidence to further its case in taking down the entirety of Genesis Market – including its darknet mirrors.

Figure 3: Closing message of the FBI’s statement posted on Genesis Market and to the DOJ press office (Source, Genesis Market Surface Web)

On Telegram, Arvin Club specifically mentioned that only the clearnet domains of Genesis Market had been taken down (pictured below).

Figure 4: Arvin Club post specifying that all official clearnet domains of Genesis Market had been taken down (Source, DarkOwl Vision)

Quick Background on Genesis Market

Genesis Market is a well-known darknet exchange that specializes in the sale of identity and account-takeover tools – which, in the case of this forum, primarily means the sale of access to compromised personal devices infected with malware. When a buyer obtains a “bot” from Genesis Market, they are actually purchasing persistent remote access to an unsuspecting victim’s computer.

Figure 5: Screenshot of a dashboard from Genesis Market on Tor, which is still live at time of publication (Source, Tor – Genesis Market)

The goods described as “bots” on Genesis’ site frequently include cookies and related user logs, which in part explains the name “Operation Cookie Monster.” On a typical day, upon logging in, a user’s dashboard would look something like the above example. These advertised bots are tied to an actual human’s unique personal device.

Is it common for surface web domains to be seized, but not the onion mirror?

We asked our analysts about this potential scenario and they indicated that yes, this could be possible in a number of scenarios, including:

A) The onion mirrors are hosted on a different server that’s not subject to the warrant

B) Law Enforcement might want to run the onion service as a honeypot for a bit to catch those with higher OpSec

C) This is all an elaborate ruse

Given the official statements that have since been released by law enforcement, it is unlikely that this is anything other than an official operation – making option C a very unlikely scenario. In any case, chatter on Telegram offered a range of opinions mirroring those of our analysts above, including speculation about the seizure’s legitimacy and the possibility of an exit scam.

The screenshots below demonstrate the variety of reactions users had – including instructions and warnings urging others to take the situation seriously:

Figure 6: Users on Telegram discuss the legitimacy of the FBI takeover by pointing out technical flaws such as the mobile-friendliness of the seizure posting (Source, DarkOwl Vision)
Figure 7: Users on Telegram speculate that the FBI seizure is a ruse and/or an exit scam (Source, DarkOwl Vision)
Figure 8: Users on Telegram continue to express confusion about the situation, and offer advice on how to minimize financial losses from potential exit scams (Source, DarkOwl Vision)

Recent Activity Suggests Business Is Continuing as Usual on Genesis Market on the Darknet

Figure 9: Screenshot of Genesis Market Listings at 1:45 PM MST on April 5, 2023 (Source, Tor – Genesis Market)

At 1:45 PM MST on Wednesday the 5th, it appeared that activity had come to a halt on Genesis Market – with only one new bot added in the 24-hour period before the screenshot was taken. However, only a few hours later, at around 4 PM MST, this number rose back to 241 new bots offered for sale.

Figure 10: Screenshot of Genesis Market Listings at 4:00 PM MST on April 5, 2023 (Source, Tor – Genesis Market)

According to our analysts, Genesis does tend to go for periods of time without adding or updating content under regular circumstances. And, from our observations, there is often little to no activity over the weekends – so a 24-hour period with no new bots isn’t unheard of.

Based on new bot advertisements alone, one could claim it is business as usual for Genesis Market users on the darknet. However, given all of the press surrounding this matter, we speculate that the number of people actually buying from Genesis has dropped.

Future of Genesis Market

Regardless of when the dark web domains for Genesis Market inevitably go offline, the fact remains that users on the dark web will simply relocate to buy or swap assets such as the digital fingerprints Genesis was known for. Some chatter in private dark web sources indicates that the FBI seized the surface web domain name registrars and servers but did not actually get the web host, which is why the site is still online on Tor. Others are sure the persistence of the dark web criminal forum can only be explained by it being an exit scam or a law enforcement honeypot.

As to what comes next, chatter suggests users of the popular marketplace may relocate to 2easy or Russianmarket.

Figure 11: Users on Telegram discuss potential relocation options should Genesis Market be truly compromised (Source, DarkOwl Vision)

Stay tuned for more developments as our analysts continue to monitor this matter.


Contact us to see if your company’s name or credentials have been mentioned in high-risk places such as forums or marketplaces on the dark web.

[Developing] BreachForums’ Alleged Admin Pompompurin Arrested, Dark Web Reacts

Last Updated 28 March 2023 – 23:09 UTC

Conor FitzPatrick Appears in Court

Last week we reported that an individual alleged to be the administrator of the dark web forum BreachForums was arrested in New York. On Friday, March 24, Conor FitzPatrick appeared in court charged with facilitating the unauthorized purchase and sale of stolen identification documents, unauthorized access devices, unauthorized access to victim computer systems, and login credentials.

What is really interesting is how the FBI was able to identify FitzPatrick as Pompompurin. It seems from the affidavit provided in court that FitzPatrick made several mistakes that ultimately led to his downfall, proving that human error is a big factor in the attribution of cyber criminals.

FitzPatrick logged on to both BreachForums and its predecessor RaidForums from IP addresses registered to his parents’ home address. Furthermore, he also accessed these forums, and cryptocurrency wallets funded exclusively by the bitcoin address linked to Pompompurin’s account, from a mobile device registered in his name. What’s more, FitzPatrick provided his real email address to the admin of RaidForums as proof that a breach he had purchased was not complete. Although he stated this was not his address, the FBI identified the connection when it seized RaidForums in early 2022.

Upon his arrest FitzPatrick claimed that he earned approximately $1,000 a day from his activities on BreachForums which he mainly used to maintain the forum – one wonders if this was worth the 5 years in prison he is likely to receive.


March 21, 2023

Almost exactly a week ago, on March 15, 2023, an admin of the popular darknet and deep web site BreachForums who goes by the alias Pompompurin was arrested in Peekskill, NY. In this blog, DarkOwl analysts review what has happened to date and will continue to monitor the situation and update this blog accordingly.

Pompompurin Identified and Arrested

Pompompurin has been identified as US citizen Conor Brian FitzPatrick. FitzPatrick was charged with one count of conspiracy to commit access device fraud and bail was set at $300,000 – paid for by his parents. 

After news of the arrest broke publicly on March 17th, the reaction on BreachForums was quick, with members scrambling to find out what had happened and worrying that the forum had been taken over by the FBI, as had happened with RaidForums. RaidForums was seized by the DOJ in April 2022 and had been taken over by them prior to the announcement of the arrest of its alleged administrator “Omnipotent” – Diego Santos Coelho.

Thread chatter on the soon-to-be defunct forum revealed members questioning whether the news of Pompompurin’s arrest was real – some pointing to his user status having been “away” for the preceding 48 hours as evidence that the news was in fact accurate.

Figure 1: Users on BreachedForums discussing the news announcement of its administrator’s arrest, Source: DarkOwl Vision

Even as they were discovering that he had been arrested, users of BreachForums wanted to know whether they could delete their accounts to avoid meeting the same fate as Pompompurin. They posted excerpts of the reporting as well as details of FitzPatrick’s true identity.

Figure 2: Users of BreachForum discussing arrest, Source: Breachforums

BreachForums emerged in April 2022 in the wake of the takedown of RaidForums, and allowed users to buy and sell data which had been obtained through illegal means. The admins of the site ran an escrow service ensuring that sellers received the funds that they had requested. The site was widely used by cybercriminals to purchase stolen data and hosted controversial leaks such as data stolen from the Washington DC healthcare exchange. 

Pompompurin was also known to conduct cyber-attacks himself, admitting in an interview with Brian Krebs in November 2021 that he was responsible for sending fake emails using the fbi.gov domain. He claimed at the time this was done to point out vulnerabilities in the FBI’s systems, but it undoubtedly put him higher on the FBI’s radar, leading to his recent arrest.

Interestingly, when Pompompurin was arrested, he admitted to his role as admin of BreachForums and to his use of the alias.

“When I arrested the defendant on March 15, 2023, he stated to me in substance and in part that: a) his name was Conor Brian FitzPatrick; b) he used the alias ‘pompourin,’ and c) he was the owner and administrator of ‘BreachForums,’ the data breach website referenced in the Complaint,” FBI special agent John Longmire testified.

This fact does not appear to have been looked on favorably by users of his forum, with discussions turning to how to evade the FBI by living in a different country than the US and not attacking US companies from within the US.

Figure 3: Discussions on how to evade the FBI, Source: BreachForums

On the other side, numerous users appeared to have some sympathy for “Pom” (as he is commonly referred to), with some stating that he was one of the nicest admins they had ever worked with and that he would delete accounts if you asked nicely.

One user even volunteered to take responsibility for any content they hosted on the dark web forum, ostensibly to alleviate potential legal trouble on Pom’s behalf.

Others offered to support him financially in his time of legal trouble.  

Figure 5: Users voice words of support among the fallout, Source: BreachForums

Discussion also centered around how the FBI was able to identify Pom’s true identity, with fingers being pointed at an open source intelligence company with which Pom had apparently registered, and threats being made to attack that company.

Users also expressed concern about whether Pompompurin would share information or become an informant for the “feds,” worrying that their registration information would be found by the FBI.

BreachForums had a co-admin who indicated that the FBI may have been able to access the systems if Pompompurin had shared this information or left his computer open when his parents’ home was raided.

Figures 6 and 7: More chatter around the potential fallout – including FBI involvement, Source: BreachForums

It was quickly shared that all of Pompompurin’s access had been disabled and that the co-admin was checking whether they could confirm that the FBI had been able to infiltrate the site.

Figure 8: BreachForum’s co-admin chatting about checking FBI access, Source: BreachForums

While the discussions remained largely focused on potential risks for the remaining active users, others continued to point to a grassroots effort to protect Pom from law enforcement operations.

Figure 9: Discussions around how to remove logs and other digital evidence tying Pompompurin to BreachForums, Source: DarkOwl Vision

On Sunday, the admin “Baphomet” announced that he would be closing down BreachForums as he was concerned that the FBI did in fact have access. He posted on the group’s Telegram channel as well as posting a more complete message explaining his decision.

Figure 10: Breach Forums closing down announcement, Source: Telegram

Interestingly, he stated that the Telegram channel would remain in operation and that he was looking to create new infrastructure to replace BreachForums, even working with competitor marketplaces. As of writing, the onion site has been taken down and is unreachable.


DarkOwl will continue to monitor the dark web and adjacent sources such as Telegram to identify any new or emerging groups and sites which may take the place of BreachForums. Stay up to date.

Super Bowl Security and the Darknet

February 08, 2023

Events that bring masses of people together are inherently attractive to cyber threat actors. For one, the physical gathering of such a large crowd offers the opportunity for close-proximity hacking. However, the cyber threats surrounding large-scale events like this are much more complex. Well before fans, performers, media teams and vendors arrive at the stadium that Sunday, numerous betting transactions will have been made, sponsorship payments delivered, and accounts for fantasy apps created. All of these digital touch points offer threat actors the opportunity for exploitation and theft.

In taking a closer look at what the cyber threat landscape looks like around Super Bowl LVII, our analysts turned to the darknet and found examples of key game-day vendors with darknet exposure. This includes exposed credentials and chatter around malware that could give hackers access to key vendor technologies, such as ticket payment systems.

The Super Bowl as a Target for Hackers 

Cyber incidents impacting large-scale events such as the Super Bowl have ranged from “hacktivists” making political statements to DDoS attacks that have taken down an entire stadium, as witnessed at the 2018 Winter Olympics.

While an attack on that catastrophic level has not been successfully carried out during the Super Bowl to-date, experts agree that it remains a highly attractive target for hackers. Further supporting this notion is a recent example from the 2019 Super Bowl, when – just before the big game – cyber crime group OurMine took over teams’ Twitter accounts, as well as the official account of the National Football League. Per reporting, 15 teams had their Twitter or Instagram accounts compromised, as well as accounts for ESPN and the UFC.

Darknet Risks to the Super Bowl: Key Vendors Pose Supply Chain Risk

The following findings from our analysts present these examples using screenshots from the darknet (and dark web adjacent sources such as Telegram), as well as from DarkOwl Vision, our darknet threat intelligence tool.

Gambling & Online Sports Betting Apps 

This year, gambling and sports betting apps are a highly attractive target for hackers for a number of reasons. After legislation legalized sports betting around the nation, these types of apps are now available to, and used by, a far larger share of the population than in previous years.

These types of services are also typically connected to a payment system, allowing users to place bets and access their transactions with minimal effort. From a threat actor’s perspective, that makes digital sports gambling apps one of the most likely targets for phishing campaigns and potential account takeover.

DraftKings 

Below is an example of a threat actor selling stealer logs for DraftKings on the darknet site Russian Market. These logs include stolen browser session cookies, which are used to take over accounts and bypass multi-factor authentication at login. In this case, the vendor is offering “premium” stealer logs for just $10 US dollars.

Stealer logs are typically harvested by threat actors using a category of malware known as “info stealers,” such as Raccoon and Redline.

Figure 1: DraftKing Stealer Logs for sale on a darknet marketplace, Screenshot: DarkOwl Vision, Original Source: Tor, Russian Market
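The defensive counterpart to the session-cookie replay described above is to bind each session to the client it was issued to, so a cookie lifted from a stealer log and presented from a different network or browser triggers re-authentication instead of silently bypassing MFA. The following is an added example, not DarkOwl’s code nor any vendor’s implementation; the session store, the fingerprint fields (network prefix plus User-Agent) and the sample requests are constructed for the demonstration, and a real deployment would persist sessions server-side and call `validate` from its authentication middleware:

```python
"""Bind a web session to the client that created it and flag a stolen
cookie replayed from elsewhere (added example, constructed data)."""
import hashlib
import hmac
import ipaddress
import secrets
import time

SESSION_TTL = 8 * 3600  # seconds a session cookie stays valid
SERVER_KEY = b"constructed-demo-key"  # placeholder: load from a secret store


def client_fingerprint(ip: str, user_agent: str) -> str:
    """HMAC of the network prefix and User-Agent the session was issued to.
    Keying on the /24 (IPv4) or /48 (IPv6) prefix tolerates ordinary
    address churn behind NAT while still catching replay from a different
    network, which is how a stealer-log cookie is typically used."""
    addr = ipaddress.ip_address(ip)
    prefix_len = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    material = f"{net}|{user_agent}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()


class SessionStore:
    """Minimal server-side session table keyed by the cookie value."""

    def __init__(self):
        self._sessions = {}

    def issue(self, user, ip, user_agent, mfa_passed, now=None):
        """Create a session after login and return the cookie value."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "fp": client_fingerprint(ip, user_agent),
            "mfa": mfa_passed,
            "issued": now if now is not None else time.time(),
        }
        return token

    def validate(self, token, ip, user_agent, now=None):
        """Return (decision, reason). 'step_up' tells the caller to force a
        fresh login and MFA prompt rather than trusting the cookie."""
        now = now if now is not None else time.time()
        sess = self._sessions.get(token)
        if sess is None:
            return "deny", "unknown session"
        if now - sess["issued"] > SESSION_TTL:
            self._sessions.pop(token)
            return "deny", "expired"
        if not hmac.compare_digest(sess["fp"], client_fingerprint(ip, user_agent)):
            # Valid cookie presented by a different client: revoke it so the
            # legitimate user is also sent back through login and MFA.
            self._sessions.pop(token)
            return "step_up", "fingerprint mismatch"
        if not sess["mfa"]:
            return "step_up", "mfa not completed"
        return "allow", "ok"


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.issue("alice", "203.0.113.10", "UA-Firefox", True)
    print(store.validate(cookie, "203.0.113.77", "UA-Firefox"))   # same /24: allow
    print(store.validate(cookie, "198.51.100.5", "UA-Firefox"))   # replay: step_up
```

Revoking the session on mismatch (rather than only challenging the new client) matters: the legitimate user’s next request then also fails, which surfaces the theft instead of leaving the attacker free to retry with a matching User-Agent. Short TTLs limit how long a log sold days after infection remains useful.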

Hackers also gain access to existing DraftKings accounts using more traditional methods like credential stuffing and exchanging combolists to exploit exposed account login information.

In the screenshot below, a user on Telegram lists DraftKings as one of the services they have cracked (likely stolen) credential logins for.   

Figure 2: DraftKings accounts among the many listed under compromised credential combolists, Screenshot & Original Source: Telegram 
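From the defender’s side, combolist replay has a recognisable shape in login logs: one source trying many distinct usernames in a short window, almost all failing. The following detection logic is an added example, not DarkOwl’s or any vendor’s code; the log line format (`LOG_RE`) and the sample lines are constructed, and the thresholds are assumptions to tune against real traffic. The second source in the sample (one account failing repeatedly) is deliberately not flagged, since that is a single-account brute force or a forgotten password, not stuffing:

```python
"""Flag credential-stuffing traffic in web-login logs
(added example with constructed log lines)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed audit format: "<ISO ts> login <ok|fail> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)"
)

WINDOW_SECONDS = 300   # sliding window per source address (assumed)
DISTINCT_USERS = 5     # distinct accounts failing within the window (assumed)
FAIL_RATIO = 0.8       # and at least this share of attempts failed (assumed)

# Constructed sample: 198.51.100.7 replays a combolist; 203.0.113.10 is one
# user failing repeatedly on their own account.
SAMPLE_LOG = """\
2023-02-05T18:00:01Z login ok user=alice src=203.0.113.10
2023-02-05T18:00:05Z login fail user=bob src=198.51.100.7
2023-02-05T18:00:06Z login fail user=carol src=198.51.100.7
2023-02-05T18:00:07Z login fail user=dave src=198.51.100.7
2023-02-05T18:00:08Z login ok user=erin src=198.51.100.7
2023-02-05T18:00:09Z login fail user=frank src=198.51.100.7
2023-02-05T18:00:10Z login fail user=grace src=198.51.100.7
2023-02-05T18:01:00Z login fail user=alice src=203.0.113.10
2023-02-05T18:01:30Z login fail user=alice src=203.0.113.10
2023-02-05T18:02:00Z login fail user=alice src=203.0.113.10
2023-02-05T18:02:30Z login fail user=alice src=203.0.113.10
2023-02-05T18:03:00Z login fail user=alice src=203.0.113.10
2023-02-05T18:03:30Z login fail user=alice src=203.0.113.10
"""


def parse(line):
    """Return (epoch_seconds, result, user, src) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").timestamp()
    return ts, m["result"], m["user"], m["src"]


def detect_stuffing(lines, window=WINDOW_SECONDS, min_users=DISTINCT_USERS,
                    ratio=FAIL_RATIO):
    """Return {src: (distinct_failed_users, attempts_in_window)} for sources
    that look like combolist replay. Lines must be in time order."""
    recent = defaultdict(deque)  # src -> deque of (ts, result, user)
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, result, user, src = ev
        q = recent[src]
        q.append((ts, result, user))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        failed_users = {u for _, r, u in q if r == "fail"}
        fails = sum(1 for _, r, _ in q if r == "fail")
        if len(failed_users) >= min_users and fails / len(q) >= ratio:
            cur = (len(failed_users), len(q))
            if cur >= alerts.get(src, (0, 0)):   # keep the strongest observation
                alerts[src] = cur
    return alerts


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return detect_stuffing(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, (users, attempts) in analyze_sample().items():
        print(f"possible credential stuffing from {src}: "
              f"{users} distinct accounts failed in {attempts} attempts")
```

The distinct-username count is the discriminating feature; a plain failure-count rule would also fire on the legitimate user at 203.0.113.10 and on every password-reset storm. In production the same logic runs over ASNs or JA3/TLS fingerprints as well as single IPs, because stuffing tools rotate proxies.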

Other listings for stolen DraftKings accounts on Telegram are more explicit, with some offering accounts that come with pre-existing balances, as well as methods to bypass multi-factor authentication.

As demonstrated in the screenshots below from Radiant’s Market, the listing for “DraftKing + bal (New method instant cash)” accounts appears alongside similar listings for other services popular with NFL fans, including Fanduel and Superdraft.

Figure 3: Listing on Telegram for compromised accounts including popular NFL affiliated vendors, Screenshot & Original Source: Telegram, Raidiant Market

BetMGM

The screenshot below from DarkOwl Vision shows multiple listings for BetMGM accounts (in the preview window on the left), as well as a noteworthy result from the darknet carding forum WWH Club. The post is from a Russian-speaking threat actor looking to buy “betmgm.com and fanduel accounts.”

The fact that this solicitation was posted on a carding forum indicates that this actor is actively targeting BetMGM – even linking their Telegram handle for potential sellers. This, combined with the numerous listings for already-cracked BetMGM accounts, demonstrates that they are a desirable target for hackers.

Figure 4: Post on a darknet marketplace soliciting BetMGM (and Fanduel) accounts, Screenshot: DarkOwl Vision, Original Source: Tor, WWH Club
Figure 5: Post on a darknet marketplace soliciting BetMGM (and Fanduel) accounts, Screenshot & Original Source: Tor, WWH Club

Banking Systems

Truist

In January 2021, the bank Truist signed a multi-year deal to be the official retail bank of the NFL. As a result of this agreement, Truist is now the exclusive financial service provider for all facets and personnel within the NFL, including player contracts. Per their website, the services Truist offers include:  

  • Banking products and services, including loans and deposit accounts
  • Investment management services  
  • Securities, brokerage accounts and /or insurance (including annuities)  
  • Investment advisory services  
  • Life insurance products 

The partnership between the NFL and Truist also contains a heavy branding component, with the Truist logo now featured on all official NFL materials and marketing campaigns. The combination of Truist’s role in the NFL’s financial security, and a newly formed partnership tying the two brands so closely together, makes Truist a critical asset for the football league – and an attractive target for threat actors.

Below are several examples of actors on the darknet and deep web actively targeting Truist Bank. 

Figure 6: Post on the forum Cracking X offering a Truist bank account for sale, Screenshot: DarkOwl Vision, Original Source: Telegram, Cracking X 

In the screen capture from DarkOwl Vision above, a user on the site Cracking X offers access to cracked Truist bank accounts for as little as $60 US dollars.

Figure 7: Another offer for Truist.com accounts on the Cracking X channel, Screenshot & Original Source: Telegram, Cracking X 

Below, two different vendors offer Truist bank accounts with Debit Logs. Both listings advertise that they come with associated Personally Identifiable Information including login credentials, SSN, Date of Birth, and Email Access for bypassing multi-factor authentication.  

The first example pictured contains several listings for stolen or fraudulent Truist bank accounts. One of these advertised listings allegedly contains a balance of $122,000 and is listed for only $1,200 US dollars.  

In the second screenshot, taken directly from Telegram, a more modest listing offers a Truist account with an alleged $14,000 balance for $250 US dollars.  

Figure 8: Hacked Truist Accounts with Debit Logs and PII on offer for sale, Screenshot: DarkOwl Vision, Original Source: Telegram 
Figure 9: Hacked Truist Accounts with Debit Logs and PII on offer for sale, Screenshot & Original Source: Telegram 

Ticket Payment Systems

StubHub

StubHub is the official ticket vendor of the Super Bowl, and DarkOwl analysts found numerous instances of StubHub data on the darknet.

Figure 10: Source DarkOwl Vision

Above is a listing from a stealer log marketplace called 2easy Shop, which has a large Russian-language user base. In this instance, a threat actor is selling access to stealer logs covering someone’s accounts on StubHub and all the other domains mentioned. Bulk purchases of these logs typically sell for around $10-$20 US dollars.

Below, users on Telegram offer access to cracked Stubhub accounts, including some that have access to order history and payment methods. 

Figure 11: Users on Telegram sell stolen StubHub accounts, Screenshot: DarkOwl Vision, Original Source: Telegram 
Figure 12: Users on Telegram sell stolen StubHub accounts, Screenshot & Original Source: Telegram 

Streaming Services 

Sunday Ticket  

NFL Sunday Ticket is a streaming package provided exclusively by DirecTV. While unlikely to pose a direct threat to the NFL, hackers frequently defraud the streaming service by cracking, selling, and trading stolen accounts.

YouTube TV 

While not officially associated with the NFL yet, in 2024 YouTube is slated to pay around $2 billion a year for the rights to the “Sunday Ticket” package, taking it over from DirecTV. While the deal presently does not include commercial rights or give YouTube TV a stake in NFL Media, negotiations are ongoing and that is expected to change. So, while YouTube and its parent company Google are presently a low-risk asset for this year’s Super Bowl, that is something to keep an eye on for next year’s season.

Cyber Risks to the Super Bowl: The Bigger Picture 

While the dispersed and seemingly small-scale nature of these vendors’ darknet footprints may make them appear inconsequential, it is important to consider the bigger picture. There is a good likelihood that threat actors will continue to ramp up attacks surrounding this event, which beyond the financial consequences can have a significant effect on corporate brand reputation.

With attack vectors becoming ever more sophisticated, large events like the Super Bowl – which bring together humans and technology at such a high magnitude during such a concentrated period of time – offer a unique opportunity to threat actors. By maintaining visibility into threat actor activity on the darknet, NFL fans, vendors, and corporate decision makers can position themselves in the best way possible to get ahead of and respond to cyber incidents.


Interested in learning how darknet data applies to your use case? Contact us.

Copyright © 2024 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.