Welcome back to The Underground Economist: Volume 2, Issue 19, an intelligence focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of October 14, 2022.
New Ransomware-As-A-Service Project Established
Untested threat actor “cobaltforce” announced a newly established ransomware-as-a-service (RaaS) project on the predominantly Russian language Dark Web forum “RAMP”. Unlike similar services, this new, unnamed project automates most interactions between the affiliate groups and ransomware developers, giving affiliates more autonomy to run the campaigns. The project is designed to compromise devices running various operating systems and software that creates and runs virtual machines, including:
- VMWare ESXi
Additional features of the project include:
- Strong encryption
- Leverages multithreading to encrypt files faster
- Performs directory traversal attacks to gain access to sensitive files
- Generates new Cobalt Strike payloads via remote server
- Moves through multiple systems on the network
- Encrypts hidden drives
ZeroFox researchers assess this new project is likely to attract a significant number of affiliates because they would immediately have an elevated role within the ransomware gang.
Data Breach Impacting Stockpile Announced
Well-regarded threat actor “nightly” announced a data breach impacting Stockpile, the digital brokerage, on the predominantly Russian language Deep Web forum “XSS”. The actor claims the breach involves the PII of more than one-million users, along with an undisclosed number of gift cards that contain stock shares or cryptocurrency. Compromised data includes a user’s:
- Full name
- Email address
- Hashed password
- Date of birth
The actor charged $75,000 USD for the complete dataset. They also agreed to use an escrow service, indicating the actor is more likely to possess what they claim.
ZeroFox researchers assess that it is virtually certain a threat actor can resell the stolen data or cash out funds from the gift cards to turn a profit on the criminal underground, due to the constant demand among both vendors and threat actors for fresh sets of PII and gift cards.
Custom Payloads That Avoid Detection By EDR Solutions Advertised
Well-regarded threat actor “LORD1” advertised a service to generate custom Cobalt Strike payloads that will not be detected as malicious by multiple Endpoint Detection and Response (EDR) solutions on the predominantly Russian language Deep Web forum “Exploit”. The announcement follows a recent trend where an increasing number of threat actors are developing methods to bypass EDR solutions to compromise corporate targets. The impacted EDR solutions allegedly include:
- Carbon Black
The actor said that each payload is customized based on the target and the goals of the threat actor. They claim to build 32-bit or 64-bit executable files.
Prices for the payloads start at more than $1,000 USD per build.
Service Provides Threat Actors With Access To Various Penetration Testing Tools
New and untested threat actor “CINT” advertised a service to scan target networks for potential vulnerabilities, dubbed “CINT Scanner as a Service”, on the English language Dark Web forum “CryptBB”. The service provides users with access to a comprehensive set of premium penetration testing tools, including:
- Metasploit Professional
- Invicti Enterprise
- Burp Suite Enterprise
- Cobalt Strike
- Brute Ratel
The actor charged $35 USD for a single scan using most tools. There was also an option to perform an unlimited number of scans for $100 USD per month.
ZeroFox researchers assess this service is highly likely to succeed because it allows threat actors to quickly begin reconnaissance on a target without having to buy expensive licenses or rely on compromised (AKA cracked) versions of software.
For more insights from the ZeroFox Intelligence team, download our new Quarterly Threat Landscape Report.