The Underground Economist: Volume 1, Issue 1

Welcome to The Underground Economist, an intelligence focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of October 6th, 2021.

Threat Actor Sets Sights On Falcon EDR

Well-regarded threat actor “Kr1m1n4l4c” is seeking a corporate insider to secure administrator access to Falcon Sensor Endpoint Detection and Response (EDR) to test an alleged backdoor access method. The strategy of recruiting insiders is increasing in frequency amongst Dark Web actors looking to gain easier access to corporate networks, and to minimize their attacker footprint. The actor, active on Russian language Deep Web forum exploit[.]in, is willing to pay the recruited insider up to USD $200 per instance, to run a total of 10 to 15 tests with the use of admin login credentials.  

The implications of a successful bypass of world class endpoint protection software are wide ranging, leaving no particular sector “safe” from this potential threat. This is a sober reminder that cyber criminals do not discriminate between small, medium, or large businesses which possess varying degrees of security expertise or acumen. They want money, notoriety, and validation that they are smarter than law-abiding security professionals working to earn an honest wage in any given industry. 

Recent Fortinet Leak Actively Exploited By Attackers

The fallout from the recent Fortinet leak continues to manifest on various Deep and Dark Web forums. In late September, well-regarded threat actor “MS-13” shared compromised login credentials for various Fortinet resources, including the company’s VPN portal and an FTP server, on the Russian language Deep Web forum club2crd[.]cc. The actor claims they used the leaked Fortinet credentials to access the internal network of a company known as “MM-Group” to install Maze ransomware--malicious software used by the Maze Ransomware Group, very active in late 2019 and 2020, claiming to have ceased operation under Maze in November 2020. 

Additionally, the threat actor shared a link to a thread on a Dark Web forum known as “Deep Web”, from which the actor initially obtained the Fortinet usernames, passwords, and IP addresses that were subsequently leaked by the Groove hacking group. The linked thread contained scripts and tutorials on how to install ransomware on a target machine. Sharing this type of information effectively lowers the bar for entry into the ransomware space, and facilitates easier access to lower-skilled threat actors, underscoring the fact that security teams should still remain on guard against ransomware groups, regardless of their claims of being active or inactive. 

Development of Tools To Encrypt Corporate S3 Buckets 

New and untested threat actor “ElGr1ngo” announced they are developing a tool to automatically encrypt the contents of an S3 bucket, specifically a bucket containing the “very sensitive information” of an unspecified company, on English language Dark Web forum “KickAss”. The actor claims that the tool is coded in GoLang and will be used to automatically enumerate and download every file in the S3 bucket, encrypt them, and then replace the original versions of the files with the encrypted versions.

• The actor claims that they will disclose and share the contents of the S3 bucket, and the new tool they are developing, on the forum as soon as they launch the attack against the company. 

• In the interim, however, the actor is soliciting advice from fellow forum members for best practices on encrypting S3-derived data and is open to cooperation. 

Actors have been taking advantage of misconfigured servers for some time, and dumping the sensitive contents or reselling the data. The move to automate the discovery, dumping, encryption, and file replacement is unique and highlights the need for IT and security teams to ensure any and all cloud-based servers are properly configured and secured.

About the Writers of The Underground Economist: The ZeroFox Dark Ops Team

ZeroFox’s Dark Ops team, the authors of The Underground Economist, operates amongst the criminal underground community. Our global threat hunting and Dark Web intelligence team extends the reach of your security resources by engaging with the underground community, bolstering your capabilities in an effort to give you an advantage over emerging threats and stop active or future attacks before damage can be done. Embedded into hundreds of Dark Web communities where few possess the cultural or language expertise to infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to your threat intelligence requirements. Engage directly with the team here.