What is RedPane?
RedPane is a dark web search tool that Red Sky Alliance has been developing since late January 2021. It makes dark web content available to analysts without requiring them to visit Tor .onion sites themselves. To date we have collected over 300,000 data points from over 50 sites, and we add new sites weekly.
For RedPane we have developed custom processes that capture text data from dark web sites we designate, parse that text into a structured format, and load it into our Cyber Threat Analysis Center (CTAC). CTAC uses Elasticsearch on the backend, which makes querying the data straightforward, and analysts can run analytics on the data with Kibana. Everything in this article was generated from our RedPane collection and CTAC.
We ingest a fair amount of non-English content from the dark web and are currently working on a project to translate it into English. When that project is complete, we will retain both the English translation and the original-language copy for reference.
Dark Web Trends
The pie chart in Figure 1 shows the RedPane collection broken down by site type. We currently ingest data from dark web forums, marketplaces, and ransomware sites.
Figure 1: RedPane data by site type
Discussion forum posts make up a large part of the RedPane content. While there is certainly a lot of noise on discussion forums, there is also valuable information to be found there. For example, in Figure 2 we see a post from the "Best Carding World Forum" that exposes Netflix credentials. The entry also exposes the payment method each Netflix customer used for billing; in 2 of the 4 cases, the payment method is PayPal. Password re-use is a well-known problem: if a compromised Netflix user used the same password for their PayPal account, that PayPal account is very likely compromised as well. This is just one of the many forums available in RedPane.
Figure 2: "Best Carding World Forum" Netflix credential leak
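As an added illustration of the capture, parse and index pipeline described above (this is example code written for this article, not RedPane's or CTAC's own code), the following Python turns the text of a credential-leak post like the one in Figure 2 into documents ready for Elasticsearch's bulk API. The post body, site name, URL, timestamp and index name are constructed for the example; the line format and the PayPal re-use heuristic follow the Figure 2 discussion, and storing only a SHA-1 of the password is my choice here, not something the page states about CTAC.

```python
import hashlib
import json
import re

# Constructed sample post body (made up for this example, not real leaked data).
# It mimics a forum "share" post: a title line, credential lines, and unrelated chatter.
SAMPLE_POST = """\
[SHARE] fresh netflix accounts hitting
jdoe@example.com:Summer2020! | Plan: Premium | Payment: PayPal
mary.k@example.net:qwerty123 | Plan: Standard | Payment: Visa ****4242
a.lee@example.org:Passw0rd | Plan: Basic | Payment: PayPal
some chatter that is not a credential line
t.nguyen@example.com:letmein | Plan: Premium | Payment: Mastercard
"""

# One credential line: email:password, then optional "| Plan: X" and "| Payment: Y" fields.
CRED_LINE = re.compile(
    r"^(?P<email>[^\s:@]+@[^\s:]+):(?P<password>\S+)"
    r"(?:\s*\|\s*Plan:\s*(?P<plan>\w+))?"
    r"(?:\s*\|\s*Payment:\s*(?P<payment>[^|\n]+))?\s*$"
)


def parse_leak_post(text, site, url, collected_at):
    """Extract credential lines from one scraped post into index-ready documents."""
    docs = []
    for line in text.splitlines():
        m = CRED_LINE.match(line.strip())
        if not m:
            continue  # title lines and chatter are dropped; only structured lines are kept
        email = m["email"].lower()
        password = m["password"]
        payment = (m["payment"] or "").strip()
        payment_method = payment.split()[0].lower() if payment else None
        docs.append({
            # deterministic id so re-crawling the same thread does not create duplicates
            "_id": hashlib.sha256(f"{site}|{email}|{password}".encode()).hexdigest()[:24],
            "site": site,
            "site_type": "forum",
            "source_url": url,
            "collected_at": collected_at,
            "email": email,
            "email_domain": email.split("@", 1)[1],
            # keep a hash rather than the clear-text secret; it is enough for later matching
            "password_sha1": hashlib.sha1(password.encode()).hexdigest(),
            "plan": m["plan"],
            "payment_method": payment_method,
            # heuristic from the discussion above: a PayPal-billed account is a likely
            # password re-use target beyond Netflix itself
            "reuse_risk": "high" if payment_method == "paypal" else "medium",
        })
    return docs


def to_bulk_ndjson(docs, index):
    """Serialise documents in the newline-delimited format the Elasticsearch _bulk API takes."""
    lines = []
    for d in docs:
        source = {k: v for k, v in d.items() if k != "_id"}
        lines.append(json.dumps({"index": {"_index": index, "_id": d["_id"]}}))
        lines.append(json.dumps(source))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    docs = parse_leak_post(SAMPLE_POST, "Best Carding World Forum",
                           "http://example.onion/thread/1", "2021-05-01T00:00:00Z")
    print(to_bulk_ndjson(docs, "redpane-forums"))
```

Piping the output into `curl -s -H 'Content-Type: application/x-ndjson' --data-binary @- http://localhost:9200/_bulk` (host and index are assumptions) loads it, after which a Kibana query such as `payment_method:paypal AND email_domain:example.com` answers the Figure 2 question directly.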
Figure 3 shows the Top 5 most active sites for each site type over the past 4 months.
For discussion forums, the most active are:
- DNM Avengers
- Dread Forums
- Simple Machine Forum
- The Hub Forum
Looking at marketplaces, the most active are:
- UAS RDP Market, which deals strictly in the sale of compromised Remote Desktop Protocol credentials for hosts that are publicly accessible over the internet
- White House Market, a general marketplace
- Zero Day Today Market, which is something of a misnomer as a marketplace: the site offers fully functional software exploits free of charge
- Cartel Market, a general marketplace
- ASAP Market, a general marketplace
Ransomware groups steal data from a victim and, if the organization chooses not to pay the ransom, post it on their site for download, either for free or for sale. The most active ransomware groups we have seen, ranked by the number of victim postings on their sites, are shown in Figure 3:
Figure 3: Most active dark web sites by type
Looking at the most active cybersecurity-related marketplace categories, "web applications" tops the list (Figure 4). This data comes primarily from Zero Day Today Market, which, as mentioned earlier, offers software exploits for free; a small sample of those listings appears in the upper right of Figure 4. A random sampling of the available exploits shows them to be sourced from various places on the surface web, including exploit-db.com and cybersecurity blog posts. While the material is not unique to this dark web site, it does give attackers an anonymous way to download working exploits without exposing themselves or their activities on the clear net, where their downloads might be logged.
Other categories, such as remote exploits and local exploits, provide access to similar exploit material. The "Various Logins" category offers compromised account credentials for sale. The "Digital Goods" category offers items such as instructional material on how to commit cyber-crime, pirated software, pirated video collections, and database dumps.
Figure 4: Most active marketplace categories
Looking at the most active users on the Top 5 most active marketplaces that include a vendor name (Figure 5), we see some vendors operating on multiple marketplaces. For example, GoldApple is active on both World Market and ASAP Market, while DrunkDragon is active on both ASAP Market and White House Market. This is likely done to build brand loyalty with customers, but it also makes it easier for analysts to track a threat actor's activity across marketplaces.
Figure 5: Most active marketplace vendors on the Top 5 marketplaces
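To show the cross-marketplace tracking mentioned above in working code, here is an added Python example (mine, not RedPane's) that takes parsed marketplace listings of the form (market, vendor handle, category) and reports vendors that appear on more than one market. The listings are constructed for the example; only the market and vendor names come from the page. Collapsing case and separators in vendor handles is my own heuristic for catching near-identical handles, not something the page describes.

```python
import re
from collections import Counter, defaultdict

# Constructed listings (made up for this example) in the shape parsed marketplace
# captures would take: (market, vendor handle as displayed, listing category).
LISTINGS = [
    ("World Market", "GoldApple", "Various Logins"),
    ("World Market", "GoldApple", "Digital Goods"),
    ("ASAP Market", "goldapple", "Various Logins"),
    ("ASAP Market", "Gold_Apple", "Digital Goods"),
    ("ASAP Market", "DrunkDragon", "Digital Goods"),
    ("White House Market", "DrunkDragon", "Digital Goods"),
    ("White House Market", "DrunkDragon", "Various Logins"),
    ("Cartel Market", "nightowl99", "Digital Goods"),
]


def normalize_vendor(name):
    """Collapse case and separators so 'GoldApple', 'goldapple' and 'Gold_Apple' compare equal.

    This is a deliberately loose heuristic (an assumption of this example); a real
    pipeline would confirm a match with the vendor's PGP key or cross-market profile links.
    """
    return re.sub(r"[\s_\-.]", "", name).lower()


def cross_market_vendors(listings, min_markets=2):
    """Return vendors seen on at least `min_markets` markets, busiest first."""
    per_vendor = defaultdict(lambda: {"aliases": set(), "markets": Counter(), "categories": set()})
    for market, vendor, category in listings:
        entry = per_vendor[normalize_vendor(vendor)]
        entry["aliases"].add(vendor)
        entry["markets"][market] += 1
        entry["categories"].add(category)

    report = []
    for key, entry in per_vendor.items():
        if len(entry["markets"]) < min_markets:
            continue  # single-market vendors are not interesting for cross-market tracking
        report.append({
            "vendor": key,
            "aliases": sorted(entry["aliases"]),
            "markets": dict(sorted(entry["markets"].items())),
            "listings": sum(entry["markets"].values()),
            "categories": sorted(entry["categories"]),
        })
    report.sort(key=lambda r: (-r["listings"], r["vendor"]))
    return report


if __name__ == "__main__":
    for r in cross_market_vendors(LISTINGS):
        print(f'{r["vendor"]}: {r["listings"]} listings on {", ".join(r["markets"])} '
              f'(seen as {", ".join(r["aliases"])})')
```

The same grouping is a terms aggregation on the vendor field with a cardinality sub-aggregation on the market field once the data is in Elasticsearch; the local version above is here so the logic can be read and run without a cluster.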
Looking at ransomware in Figure 6, the list on the left shows the domains with the most active ransomware listings. Looking further into the dassaultfalcon.com breach, the upper right of Figure 6 shows the attacker's stated intent to release more data over time if the ransom goes unpaid. This is not a new extortion tactic, but it is worth noting that it is still in use, although its effectiveness is questionable.
In the case of Dassault, however, we find an interesting collaboration between the Mount Locker and Ragnar Locker groups in marketing the stolen data. At the bottom of Figure 6, both Mount Locker and Ragnar Locker list Dassault data for sale, and Mount Locker names Ragnar Locker as a "partner" and links to the Ragnar Locker page from its listing. Some listings include the size of the data dump in gigabytes and a description of what kind of data it is; we do not see that in every listing, as it depends on what the attacker adds to the description. In the Dassault case, the Ragnar Locker site displays images of stolen documents to prove authenticity. These images are not included in RedPane, which collects text only; manual review of the source site is required to see them.
Colonial Pipeline & DarkSide Ransomware Group
The Colonial Pipeline ransomware breach has been big news recently, and the attack has been attributed to the DarkSide ransomware group. While we do capture data from the DarkSide leak site, we find nothing related to Colonial posted there. This could support DarkSide's claim that an affiliate, not the DarkSide group itself, is responsible for the attack. We would not be surprised if DarkSide pressures its partner into handing over the decryption keys so they can be given to Colonial free of charge, simply because of the negative press and the U.S. government response to this attack on critical infrastructure. It is, of course, too late for such a gesture of goodwill to change the U.S. response to DarkSide, but we will continue to monitor the site to see how this plays out. It will also be interesting to see whether any Colonial data appears for sale, or is released free of charge, in the underground.
What we do see regarding Colonial is in our breach data collection (Figure 7): 46 compromised credentials for domains belonging to Colonial Pipeline over the past year. The majority came from the large COMB (Compilation of Many Breaches) dump released in February of this year; however, 16 were observed between May 2020 and December 2020 in use with various credential-stuffing tools, which try leaked credentials against other services to find accounts where the password has been re-used. This could have been a contributing factor in the attackers gaining an initial foothold before deploying their ransomware payload.
Figure 7: Colonial Pipeline compromised credentials 2020-2021
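As an added example of how an analyst might triage breach records like those summarised in Figure 7 (this is my code, not CTAC's; the records are constructed for a made-up domain and are not Colonial's data), the following Python groups a domain's exposed credentials by account, counts the records that surfaced in credential-stuffing tooling inside a date window, flags the same secret appearing in more than one source, and ranks accounts for forced password reset. The priority rules and the window dates are my own choices, taken from the discussion above rather than stated by the page.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed records for a made-up domain (not real breach data). Each row is one
# exposed credential: account, secret, the dump or tool it surfaced in, when, and whether
# it was seen inside a credential-stuffing tool's configuration or logs.
RECORDS = [
    {"email": "a.smith@example-pipeline.com", "password": "Spring2019!", "source": "COMB",
     "first_seen": date(2021, 2, 4), "stuffing": False},
    {"email": "a.smith@example-pipeline.com", "password": "Spring2019!", "source": "stuffing-tool config",
     "first_seen": date(2020, 7, 12), "stuffing": True},
    {"email": "b.jones@example-pipeline.com", "password": "hunter2", "source": "COMB",
     "first_seen": date(2021, 2, 4), "stuffing": False},
    {"email": "b.jones@example-pipeline.com", "password": "Winter2020", "source": "stuffing-tool config",
     "first_seen": date(2020, 11, 3), "stuffing": True},
    {"email": "c.wu@example-pipeline.com", "password": "P@ssw0rd1", "source": "COMB",
     "first_seen": date(2021, 2, 4), "stuffing": False},
    {"email": "c.wu@example-pipeline.com", "password": "P@ssw0rd1", "source": "2019 forum dump",
     "first_seen": date(2019, 9, 20), "stuffing": False},
    {"email": "d.ali@example-pipeline.com", "password": "Welcome1", "source": "COMB",
     "first_seen": date(2021, 2, 4), "stuffing": False},
    {"email": "x.y@other-company.example", "password": "abc123", "source": "COMB",
     "first_seen": date(2021, 2, 4), "stuffing": False},
]

# Window in which stuffing activity is counted (assumed here: the May to December 2020 window above).
WINDOW_START = date(2020, 5, 1)
WINDOW_END = date(2020, 12, 31)

PRIORITY_RANK = {"reset now": 2, "reset soon": 1, "monitor": 0}


def stuffed_in_window(rec, start, end):
    """True when this record was seen loaded into a stuffing tool inside the window."""
    return rec["stuffing"] and start <= rec["first_seen"] <= end


def reuse_report(records, domain, window_start, window_end):
    """Summarise exposure for one e-mail domain and rank its accounts for password reset."""
    suffix = "@" + domain.lower()
    mine = [r for r in records if r["email"].lower().endswith(suffix)]

    by_account = defaultdict(list)
    for r in mine:
        by_account[r["email"].lower()].append(r)

    accounts = []
    for email, rows in by_account.items():
        sources_per_secret = defaultdict(set)
        for r in rows:
            sources_per_secret[r["password"]].add(r["source"])
        # The same secret in more than one source means it is in circulation. COMB itself
        # re-packages older dumps, so this is weaker evidence than a stuffing-tool sighting,
        # which means someone is actively trying the credential elsewhere.
        multi_source = any(len(src) >= 2 for src in sources_per_secret.values())
        stuffed = any(stuffed_in_window(r, window_start, window_end) for r in rows)
        if stuffed:
            priority = "reset now"
        elif multi_source:
            priority = "reset soon"
        else:
            priority = "monitor"
        accounts.append({
            "email": email,
            "credentials": len(rows),
            "distinct_passwords": len(sources_per_secret),
            "sources": sorted({r["source"] for r in rows}),
            "multi_source": multi_source,
            "stuffing_activity": stuffed,
            "priority": priority,
        })
    accounts.sort(key=lambda a: (-PRIORITY_RANK[a["priority"]], a["email"]))

    return {
        "domain": domain,
        "total_credentials": len(mine),
        "by_source": dict(Counter(r["source"] for r in mine)),
        "stuffing_in_window": sum(1 for r in mine if stuffed_in_window(r, window_start, window_end)),
        "accounts": accounts,
    }


if __name__ == "__main__":
    report = reuse_report(RECORDS, "example-pipeline.com", WINDOW_START, WINDOW_END)
    print(report["total_credentials"], "credentials;", report["by_source"])
    for a in report["accounts"]:
        print(f'{a["priority"]:10} {a["email"]}  multi_source={a["multi_source"]}  '
              f'stuffing={a["stuffing_activity"]}')
```

The "reset now" accounts are the ones whose credentials were actually loaded into stuffing tooling during the window, which is the signal the paragraph above treats as a possible path to an initial foothold; the report is meant to be fed to an identity team for forced resets and MFA enforcement, not just read.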
In summary, based on the dark web activity we have seen over the past 4 months, the top 3 cybersecurity threats for 2021 continue to be ransomware, internet-accessible Remote Desktop Protocol systems, and password re-use.
Please contact Red Sky Alliance with any questions regarding this material or for more information on RedPane.