BLOG

The Underground Economist: Volume 1, Issue 7

5 minute read

Welcome back to The Underground Economist, Issue 7, an intelligence focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of January 13th, 2022.

List Of 500,000 Servers Likely Susceptible To Log4j Vulnerability For Sale

Threat actor “leopoldo787”, on the Russian language Deep Web forum exploit[.]in, advertised a list containing the IP addresses of 500,000 servers, which they claim do not contain the patch for the remote code execution vulnerability in Apache’s Log4j software library, tracked as CVE-2021-44228.

The vulnerability allows a remote threat actor to exploit versions 2.0-beta9 to 2.14.1 of the widespread logging utility to execute code on unpatched systems. The actor is asking $150 USD for the full list of IP addresses. 

The actor’s post indicates that threat actors are likely tailoring mass-scanners to detect Log4j vulnerabilities in the wild. This comes less than one-month after the public disclosure of the critical issue, in early December 2021. 

Actor Shares Exploit For Apache APISIX Dashboard Vulnerability

In late December 2021, well-regarded threat actor “0x0021h” shared their proof of concept exploit for the vulnerability in Apache APISIX Dashboard, tracked as CVE-2021-45232, on the Russian language Deep Web forum xss[.]is. The vulnerability impacts the Apache APISIX Dashboard versions 2.10.1 and below, and would enable an actor to bypass authentication, in an effort to gain unauthorized access.

The actor claimed that their exploit allows a remote threat actor to bypass the authentication process for the APISIX dashboard to execute code. In response to the original post, positively-trending threat actor “joseph_salazar” shared a list of 2,000 servers, based out of China, that they claimed were vulnerable to the exploit.

New SIM-Swap Method Targets T-Mobile Users

In late December 2021, well-regarded threat actor “posman” advertised what they claimed to be one of the only working SIM-swap methods to compromise devices from T-Mobile users on the Russian language Deep Web forum exploit[.]in. 

Original post from threat actor “posman” announcing new T-Mobile SIM-swap method

The actor specified that their method requires access to a victim’s “My T-Mobile” and associated email accounts. Once a threat actor has gained this initial access, they claim that the method can be used to transfer a victim’s phone number to a threat actor’s device, in near real time, without having to interact with T-Mobile live support. 

The actor initially listed two copies of the method for sale for approximately $21,765 USD (0.50 BTC) each. The price has since been reduced to $5,000 USD per copy.

ZeroFox researchers believe this threat actor to be a credible source of knowledge in the SIM swapping space, based on their extensive forum activity on SIM-swapping, and their positive reputation on the forum.

Fresh Source Of Botnet Logs ”BSC-CLOUD” Announced

New threat actor “BSC” advertised a new source for botnet logs, dubbed “BSC-CLOUD”, on the Russian language Deep Web forum “Black Hat Forum”. 

The actor claimed that the new botnet logs marketplace adds more than 10,000 unique logs per day, containing the PII of victims from Europe and the United States. The actor alleged that the market has collected approximately 135,000 logs since launching in early October 2021. 

Original post from threat actor “BSC” announcing fresh source of botnet logs “BSC-CLOUD”

The actor also cautioned would-be customers that users are not permitted to purchase mass quantities of botnet logs in an effort to intentionally deplete the market’s stock of logs. This threat was further stressed by the actor stating that they would reveal the identities of any policy violators. There were several different pricing options available to access the market, including:

  • $799 USD for two weeks 
  • $1,299 USD for one month 
  • $3,999 USD for life

The emergence of this new marketplace could potentially indicate that a new network of malware infected devices is spreading.

About the Writers of The Underground Economist: The ZeroFox Dark Ops Team

ZeroFox’s Dark Ops team operates amongst the criminal underground community. Our global threat hunting and Dark Web intelligence team extends the reach of your security resources by engaging with the underground community, bolstering your capabilities in an effort to give you an advantage over emerging threats and stop active or future attacks before damage can be done. Embedded into hundreds of Dark Web communities where few possess the cultural or language expertise to infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to your threat intelligence requirements. Engage directly with the team here.

See ZeroFox in action