The Underground Economist: Volume 2, Issue 9

The Underground Economist: Volume 2, Issue 9
5 minute read

Welcome back to The Underground Economist, Volume 2, Issue 9, an intelligence focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of May 27, 2022.

Actor Claims Network Access To 6 High-Profile U.S.-Based Companies

New and positively trending threat actor “citrix” advertised network access to six different, high-profile U.S. companies on the Russian language Deep Web forum xss[.]is. This is significant as most network access brokers in the Russian underground have largely avoided targeting U.S.-based corporate networks since the war in Ukraine began in February 2022. 

The actor claims to have remote desktop, VPN, and Citrix access to various companies, including:

  • A financial organization that generates $2 billion USD in revenue
  • A healthcare provider that generates $354 million USD in revenue
  • A systems management company that generates $281 USD million in revenue
  • An insurance company that generates $4 billion USD in revenue
  • A manufacturer that generates $800 million USD in revenue
  • A healthcare provider that generates $2 billion USD in revenue

The actor requires escrow for payment, indicating that they are more likely to possess the alleged access. 

Additionally, the actor noted that they are looking for long-term partners. This suggests a renewed interest among threat actors in U.S.-based network access deals that will likely lead to an increase in cyber-attacks against U.S. companies in the coming months.

Threat Actor Notes Potential Impact Of New OpenSSL Vulnerabilities

Well-regarded and established threat actor “r1z” recently posted about the potential impact of two new vulnerabilities in OpenSSL tracked as CVE-2022-1292 and CVE-2022-1473, on the predominantly Russian language Deep Web forum xss[.]is.The two new vulnerabilities enable unauthorized users to remotely execute code on a target machine and perform denial-of-service attacks, respectively. 

The actor shared scan results from the Chinese mapper service fofa[.]info, showcasing more than 38.6 million vulnerable devices running the affected versions of OpenSSL worldwide, including more than 11.7 million devices in the U.S.

Based on the sheer quantity of vulnerable devices and the positive response the actor’s initial post has received from other forum members, ZeroFox researchers assess it is likely that threat actors will soon begin sharing exploits for the two vulnerabilities across the underground.

Impacted OpenSSL versions for the critical remote code execution vulnerability (CVE-2022-1292) include:

  • 3.0.0,3.0.1,3.0.2
  • 1.1.1-1.1.1n
  • 1.0.2-1.0.2zd

Impacted OpenSSL versions for the high-level denial-of-service vulnerability (CVE-2022-1473) include:

  • 3.0.0,3.0.1,3.0.2

Actor Looking For Developer To Build Web-Based Crypto Wallet For Fraud

Untested threat actor “heisen” is seeking a developer to build a web-based cryptocurrency wallet on the Russian language Deep Web forum exploit[.]in. ZeroFox researchers assess that this project will likely render a crypto wallet that steals funds from victims, based on the functionality the actor requested. 

The actor specified that the wallet must have the following features:

  • Supports various cryptocurrencies, including BTC and ETH
  • Log all user data and actions
  • Withdrawal requests for one-percent fee 
  • Editable withdrawal percentages
  • Send fake transactions to users; labeled internal transactions
  • Instantly rebrand website from web panel

Additionally, the actor specified that administrators must be able to send emails and custom popups to users. It is almost certain that the actor leverage social engineering methods to steal funds from victim, based on the requested features.   

Envoy Reboot Gains Popularity

Since its return in January 2022, after its initial 2020 shutdown, the Dark Web English language forum Envoy has gained popularity amongst threat actors.The new Envoy features a section for almost anything related to Deep Web activity, drugs (being the most popular thus far), hacking, cracking, pentesting, carding, and fraud have also been included as main topics of forum sections. 

Researchers assess that this forum likely fills the need for a forum that contains high-profile information and is accessible to most common threat actors. This void was left by the closures of more reputable English language forums such as Torum and Torigon that both closed up shop in 2021. Although other forums have emerged that contain the high-profile topics and backdoor deals threat actors desire, such as KickAss, these remain largely inaccessible due to a high entry cost and require proof technical knowledge.

Researchers assess that drug sales, delivery methods, and vendors reviews are likely to dominate the content of the renewed Envoy. Due to the popularity of these sections so far and the well-regarded threat actor and administrator “Witchman” is discussing putting in a marketplace type functionality to facilitate this.

The serious cyber crime sections are currently either empty or feature basic method, and attack vectors, it is highly likely that these copied from other sources.

Tags: Deep & Dark WebThreat Intelligence

See ZeroFox in action