Feed: dark - X-Industry - Red Sky Alliance (https://redskyalliance.org/xindustry/feed/tag/dark, 2024-03-29T11:56:45Z)
Dark Web Trends, Q3 & Q4 2021
https://redskyalliance.org/xindustry/dark-web-trends-q3-q4-2021
Date: 2022-02-09T22:59:25.000Z
Author: Matt Weidner (https://redskyalliance.org/members/MattWeidner)
<div><p>Red Sky Alliance has been building our dark web data collection since late January 2021. With it, we are able to make dark web content available without analysts needing to touch the dark web or visit Tor .onion sites. To date, we have over 1.3 million data points from over 75 sites, and we are adding new sites regularly. The set of dark web sites that we collect from evolves over time as new sites appear and older sites shut down, but we maintain a historical record of the decommissioned sites. Lastly, we also take suggestions from our customers if we are not yet collecting from a site that they would like to see data from.</p><p>We have developed custom processes to capture text data from the dark web sites that we designate and parse that information into a format that is then added to our Cyber Threat Analysis Center, known as CTAC. CTAC uses Elasticsearch on the backend, which makes querying the data extremely easy. Using CTAC, analysts can also run analytics on that data with Kibana. Everything in this article was generated from our dark web data collection and CTAC.</p><p>The pie chart in Figure 1 shows the dark web collection broken down by site type. 
We currently ingest data from dark web forums, marketplaces, and ransomware sites.</p><p style="text-align:center;"><strong>Figure 1: Dark Web Data by Site Type</strong></p><p>Discussion forum posts make up a large part of the content. While we certainly find a lot of noise on discussion forums, there is valuable information to be found there. For example, in Figure 2 we see a post from the “Best Carding World Forum” that exposes credentials for several Netflix accounts. This entry also exposes the payment method that the Netflix customer used for billing, which in 2 of the 4 cases is PayPal. As we all know, password re-use is a big problem, and if a compromised Netflix user used the same password for their PayPal account, that PayPal account is very likely to have been compromised as well. And this is just one of many forums that we have data for.</p><p style="text-align:center;"><strong>Figure 2: "Best Carding World Forum" Netflix credential leak</strong></p><p>Figure 3 shows the Top 5 most active sites for each site type over the past 4 months.</p><p>For discussion forums, the most active are:</p><ol><li>XSS</li><li>Rutor</li><li>Kohlchan</li><li>DNM Avengers</li><li>Dread</li></ol><p>Compare this to what we <a href="https://redskyalliance.org/xindustry/deepdive" target="_blank">observed in May 2021</a>.</p><p>Looking at marketplaces, UAS RDP Market activity has decreased over the last half of 2021 while White House Market activity has increased. 
Zero Day Today activity has also decreased significantly, dropping from the #3 spot to the #5 spot.</p><p>Ransomware groups that sell or give away stolen data are ranked in Figure 3. The activity we have seen remained largely unchanged in the last half of 2021 from what we observed in May of that same year. However, it is worth noting that the REvil site was shut down after a Russian FSB enforcement action in late January 2022.</p><p style="text-align:center;"><strong>Figure 3: Most active dark web sites by type</strong></p><p>While preparing this presentation, on Feb. 7, 2022, Red Sky analysts discovered the notification shown in Figure 4 posted on the UAS RDP Market site, indicating the site was “closed forever” by the Russian government.</p><p style="text-align:center;"><strong>Figure 4: UAS RDP Market takedown page</strong></p><p>The page reads, in part: “Management ‘K’ of the BSTM of the Ministry of Internal Affairs of Russia warns: theft of funds from bank cards is illegal!”</p><p>The page goes on to cite Articles 272 and 273 of the Criminal Code of the Russian Federation, which make it illegal to steal or destroy data, or to create, distribute, or use software that is knowingly intended for data theft or destruction, or for neutralizing data protection mechanisms.</p><p>Traditionally, cyber criminals have been allowed to operate in Russian territory as long as they did not target Russian organizations. 
The motivation behind these takedowns performed by the Russian authorities is unknown at this time.</p><p>Looking at the most active cybersecurity-related marketplace categories in Figure 5, we see that “digital goods” has replaced “web applications” at the top of the list. Examining the data shows that the digital goods category encompasses many things, including instructions for committing fraud and identity theft, compromised account credentials, stolen databases, software keys, and stolen credit card information. You can see a small sample of those listings in Figure 6. Also in Figure 6, you will see that we have price data on these items as well, for anyone who is interested in doing a price analysis of dark web marketplaces.</p><p>Among the other categories, we can see a strong emphasis on fraud, credit card theft, and compromised credentials.</p><p style="text-align:center;"><strong>Figure 5: Most active marketplace categories</strong></p><p style="text-align:center;"><strong>Figure 6: Digital goods for sale</strong></p><p>Looking at the most active users on the Top 5 most active marketplaces in Figure 7, we see some users operating on multiple marketplaces. For example, EmpireShop is active on both ASAP Market and White House Market. 
The user DrunkDragon seems to have decreased activity on White House Market since last May.</p><p>Likewise, the vendor GoldApple seems to have decreased activity on both World Market and ASAP Market compared to what we <a href="https://redskyalliance.org/xindustry/deepdive" target="_blank">observed last May</a>.</p><p>Operating on multiple markets with the same account name, as EmpireShop is doing, is likely done to build brand loyalty with customers, but using the same vendor name on both sites also makes it easier for analysts to track threat actor activities across multiple marketplaces.</p><p style="text-align:center;"><strong>Figure 7: Most active marketplace vendors on the Top 5 marketplaces</strong></p><p>Looking at ransomware activity, on the left side of Figure 8 we see a list of domains for the most active ransomware listings in the second half of 2021. This is interesting to compare with what was printed in mainstream media: we have found that many ransomware victims are not publicized in the mainstream media at all. Also in Figure 8, we see a correlation between our breach data collection and our dark web collection that powerfully illustrates how a single compromised set of credentials could lead to a ransomware attack.</p><p>At the bottom of the figure, we see a record from our breach data collection showing a compromised credential pair for a domain belonging to a law firm. This record is dated July 2020.</p><p>Then, in January 2022, we observed the same law firm listed as the victim of a ransomware attack on the Marketo ransomware site, where stolen data is auctioned to the highest bidder. To be clear, these are the ONLY two indicators we have found in our threat intelligence data related to this domain. 
It is an interesting correlation, but we must be careful not to assert causation. We cannot be sure that the leaked credentials were used in the ransomware attack. However, it is a definite possibility given the tendency of users to re-use passwords across multiple accounts.</p><p style="text-align:center;"><strong>Figure 8: Dark Web correlation with Compromised Credentials</strong></p><p>In summation, based on the dark web activity we have seen over the last half of 2021, the top cybersecurity threats for 2022 continue to be ransomware and password re-use.</p><p>Please contact Red Sky Alliance with any questions regarding this material or for more information on our dark web data set.</p></div>
Dark Web Deep-Dive, Trends, & DarkSide/Colonial Pipeline
https://redskyalliance.org/xindustry/deepdive
Date: 2021-05-12T15:14:47.000Z
Author: Matt Weidner (https://redskyalliance.org/members/MattWeidner)
<div><p><span style="font-size:12pt;"><strong>What is RedPane?</strong></span></p><p>RedPane is a dark web search engine tool that Red Sky Alliance has been developing since late January 2021. With RedPane, we are able to make dark web content available without analysts needing to touch the dark web or visit Tor .onion sites. 
To date, we have over 300,000 data points from over 50 sites, and we are adding new sites weekly.</p><p>With RedPane we have developed custom processes to capture text data from the dark web sites that we designate and parse that information into a format that is then added to our Cyber Threat Analysis Center, known as CTAC. CTAC uses Elasticsearch on the backend, which makes querying the data extremely easy. Using CTAC, analysts can also run analytics on that data with Kibana. Everything in this article was generated from our RedPane collection and CTAC.</p><p>Regarding the data, we ingest a fair amount of non-English content from the dark web. We are currently working on a project to translate that content into English. When the project is completed, we will retain both the English-language copy and the original-language copy for reference.</p><p><span style="font-size:12pt;"><strong>Dark Web Trends</strong></span></p><p>The pie chart in Figure 1 shows the RedPane collection broken down by site type. We currently ingest data from dark web forums, marketplaces, and ransomware sites.</p><p style="text-align:center;"><strong>Figure 1: RedPane data by site type</strong></p><p>Discussion forum posts make up a large part of the RedPane content. While we certainly find a lot of noise on discussion forums, there is also valuable information to be found there. For example, in Figure 2 we see a post from the “Best Carding World Forum” that exposes Netflix credentials. This entry also exposes the payment method that the Netflix customer used for billing. In 2 of the 4 cases, the payment method is PayPal. As we all know, password re-use is a big problem. 
If the compromised Netflix user used the same password for their PayPal account, that PayPal account is very likely to have been compromised as well. This is just one of the many forums available in RedPane.</p><p style="text-align:center;"><strong>Figure 2: "Best Carding World Forum" Netflix credential leak</strong></p><p>Figure 3 shows the Top 5 most active sites for each site type over the past 4 months.</p><p>For discussion forums, the most active are:</p><ol><li>Kohlchan</li><li>DNM Avengers</li><li>Dread Forums</li><li>Simple Machine Forum</li><li>The Hub Forum</li></ol><p>Looking at marketplaces, the most active are as follows. UAS RDP Market deals strictly in the sale of compromised Remote Desktop Protocol credentials for hosts that are publicly accessible over the internet. White House Market is a general marketplace. Regarding Zero Day Today Market, it is a bit of a misnomer to call it a marketplace: that site offers fully functional software exploits free of charge. Lastly, Cartel Market and ASAP Market are both general marketplaces.</p><p>Ransomware groups will steal data from a victim and then post it for download on their site, either for free or for sale, if the organization chooses not to pay the ransom. 
The most active ransomware groups that we have seen, based on the number of victim postings made to their sites, are shown in Figure 3.</p><p style="text-align:center;"><strong>Figure 3: Most active dark web sites by type</strong></p><p>Looking at the most active cybersecurity-related marketplace categories, we see that “web applications” tops the list (Figure 4). Examining the data shows that this data primarily comes from a site named “Zero Day Today Market” which, as mentioned earlier, offers software exploits for free. We see a small sample of those listings in the upper right of the slide. A random sampling of the available exploits shows them to be sourced from various places across the surface web, including exploit-db.com and various cybersecurity blog posts. While the information may not be unique to this dark web marketplace, it does provide an anonymous way for attackers to download working exploits without exposing themselves or their activities on the clear net, where their downloads might be logged.</p><p>Other categories, such as remote exploits and local exploits, provide access to similar software exploit materials. The “Various Logins” category provides compromised account credentials for sale. 
The “Digital Goods” category offers items for sale such as instructional materials on how to commit cyber-crime, pirated software, pirated video collections, and database dumps.</p><p style="text-align:center;"><strong>Figure 4: Most active marketplace categories</strong></p><p>Looking at the most active users on the Top 5 most active marketplaces that include a vendor name (Figure 5), we see some vendors operating on multiple marketplaces. For example, the user GoldApple is active on both World Market and ASAP Market, while the user DrunkDragon is active on both the ASAP and White House markets. This is likely done to build brand loyalty with customers, but it also makes it easier for analysts to track threat actor activities across multiple marketplaces.</p><p style="text-align:center;"><strong>Figure 5: Most active marketplace vendors on the Top 5 marketplaces</strong></p><p>Looking at ransomware in Figure 6, we see a list of domains for the most active ransomware listings on the left. Looking further into the dassaultfalcon.com breach, we see in the upper right of Figure 6 the attacker’s intent to release more data over time if the ransom is unpaid. This is not a new extortion tactic, but it is worth mentioning that it is still in use, although its effectiveness is questionable.</p><p>However, in the case of Dassault, we find an interesting collaboration between the Mount Locker and Ragnar Locker groups in marketing this stolen data. 
At the bottom of Figure 6, we see that both Mount Locker and Ragnar Locker have Dassault data listed for sale, and Mount Locker names Ragnar Locker as a “partner” and links to the Ragnar Locker page in its listing. In some cases these listings will include the size of the data dump in gigabytes, as well as information about what kind of data it is. We do not see that in every listing; it just depends on what the attacker adds to their description. In the case of Dassault, the Ragnar Locker site displays images of stolen documents to prove authenticity. These images are not included in RedPane, since it only collects text data; manual analysis of the source site is required to see them.</p><p style="text-align:center;"><strong>Figure 6: Mount Locker, Ragnar Locker partnership against Dassault Aviation</strong></p><p><span style="font-size:12pt;"><strong>Colonial Pipeline & DarkSide Ransomware Group</strong></span></p><p>The Colonial Pipeline ransomware breach has been big news recently. The attack has been attributed to the DarkSide ransomware group. While we do capture data from the DarkSide ransomware site, we do not find anything related to Colonial posted there. This could support the DarkSide claim that an affiliate is responsible for the attack, not the DarkSide group itself. We would not be surprised if DarkSide tries to pressure their partner into giving up the decryption keys to turn over to Colonial, free of charge. Why? Simply because of all the negative press and the U.S. government response to this attack on critical infrastructure. It is, of course, too late for a gesture of good will like that to make any difference as far as the U.S. 
response to DarkSide, but we will of course continue to monitor their site to see how this plays out. It will also be interesting to see if any Colonial data appears for sale or is released free of charge in the underground.</p><p>Having said that, what we do see regarding Colonial is in our breach data collection (Figure 7). We see 46 compromised credentials for domains belonging to Colonial Pipeline over the past year. The majority were contained in the large COMB (Compilation of Many Breaches) breach released in February of this year; however, 16 have been used between May 2020 and December 2020 with various credential stuffing software tools to gain access to multiple accounts where passwords have been re-used. This could have been a contributing factor in the attackers gaining an initial foothold before deploying their ransomware payload.</p><p style="text-align:center;"><strong>Figure 7: Colonial Pipeline compromised credentials 2020-2021</strong></p><p><span style="font-size:12pt;"><strong>Conclusion</strong></span></p><p>In summation, based on the dark web activity we have seen over the past 4 months, the Top 3 cybersecurity threats for 2021 continue to be: ransomware, Internet-accessible Remote Desktop Protocol systems, and password re-use.</p><p>Please contact Red Sky Alliance with any questions regarding this material or for more information on RedPane.</p></div>