Welcome back to The Underground Economist: Volume 3, Issue 11, an intelligence-focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach, to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of June 12, 2023.
Actor Leaks Alleged Source Code For ChatGPT
Well-regarded threat actor “morkibis” leaked what is claimed to be the source code for ChatGPT on the English-language Deep Web forum “LeakBase.” The actor said that users can customize the artificial intelligence (AI) models to remove ChatGPT’s restrictions. If genuine, this is noteworthy because access to the source code would lower the barrier to entry for threat actors looking to abuse the AI chatbot to write malicious code; note, however, that source code alone, without the trained model weights, does not let a buyer run the model.
The actor claimed the source code came directly from OpenAI, the developer of ChatGPT. If true, this would point to an insider leak; however, the credibility of the actor’s claim cannot be established without further analysis.
Custom Tool Aims To Compromise Web Applications
Moderately credible threat actor “GridsNetwork” advertised a custom tool designed to compromise web applications, dubbed “Araneida,” on the predominantly Russian-language Deep Web forum “XSS.” According to the listing, the tool exploits SQL injection and remote code execution (RCE) vulnerabilities in various web applications and hunts for exposed resources, including:
- SQL databases
- Adminer instances (the single-file PHP database management tool)
- Configuration files
- Exposed Git directories (a web-served .git folder, from which the repository can be reconstructed)
Additional features of the tool include:
- Works on machines running most versions of Windows
- Automatically indexes content from websites
- Steals sensitive data from SQL databases
- Scans multiple targets
The actor charged $500 USD per month for the tool. ZeroFox researchers assess that the sale of this tool will likely lead to an increase in data breaches, since it lowers the barrier to entry for threat actors looking to compromise web applications.
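Defenders can check their own sites for the same low-hanging exposures the listing advertises (web-served .git directories, configuration files, Adminer instances). The script below is an added example written for this write-up, not ZeroFox’s or the tool’s own code. It assumes a `fetch(url) -> (status, body)` callable so the logic runs offline against constructed responses; in a real run you would wrap `urllib.request` or `requests`. Each path carries a content fingerprint so that a soft-404 page (HTTP 200 for every URL) is not reported as an exposure.

```python
"""Self-check for exposed .git directories, config files and Adminer instances.

Added example for this write-up; not the advertised tool's code.
`fetch` is injected so the check runs offline against constructed data.
"""
import re
from typing import Callable, Dict, List, Tuple

Fetch = Callable[[str], Tuple[int, str]]  # url -> (http_status, body)

# Path -> predicate confirming the body really is the sensitive artifact.
# Status 200 alone is not enough: many sites answer 200 with a generic
# "not found" page for every path (soft-404), which would flood a naive scan.
FINGERPRINTS: Dict[str, Callable[[str], bool]] = {
    # A served .git/HEAD is either "ref: refs/heads/<branch>" or a raw commit
    # hash when the checkout is detached. Either means the whole repo leaks.
    "/.git/HEAD": lambda b: b.startswith("ref: refs/")
    or re.fullmatch(r"[0-9a-f]{40}\s*", b) is not None,
    "/.git/config": lambda b: "[core]" in b,
    # dotenv-style config: at least one KEY=value line at start of line.
    "/.env": lambda b: re.search(r"^[A-Z_][A-Z0-9_]*=", b, re.M) is not None,
    # A served PHP file means the server handed out source, not executed it.
    "/wp-config.php": lambda b: "DB_PASSWORD" in b,
    # Adminer's login page names itself in the title/markup.
    "/adminer.php": lambda b: "adminer" in b.lower(),
    "/adminer/": lambda b: "adminer" in b.lower(),
}


def probe(base_url: str, fetch: Fetch) -> List[str]:
    """Return the paths under base_url that look like genuine exposures."""
    base = base_url.rstrip("/")
    exposed: List[str] = []
    for path, looks_real in FINGERPRINTS.items():
        try:
            status, body = fetch(base + path)
        except OSError:  # connection errors are treated as "not exposed"
            continue
        if status == 200 and looks_real(body):
            exposed.append(path)
    return exposed


# Constructed responses standing in for a live site (hypothetical host):
# .git and .env are exposed; /adminer.php is a soft-404 that returns 200.
SAMPLE_SITE: Dict[str, Tuple[int, str]] = {
    "https://example.test/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "https://example.test/.git/config": (200, "[core]\n\trepositoryformatversion = 0\n"),
    "https://example.test/.env": (200, "DB_HOST=127.0.0.1\nDB_PASSWORD=hunter2\n"),
    "https://example.test/adminer.php": (200, "<html><body>Page not found</body></html>"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for an HTTP GET over the constructed sample site."""
    return SAMPLE_SITE.get(url, (404, ""))


if __name__ == "__main__":
    for found in probe("https://example.test", fake_fetch):
        print("exposed:", found)
```

If `/.git/HEAD` is reported, treat it as a full source-code leak (objects and refs can be walked from there) and block access to dotfiles and `.git/` at the web server, not just in the application.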
Actor Selling Compromised Accounts For Various Government Entities Worldwide
Well-regarded threat actor “CryptoTrust” advertised compromised accounts for various government entities worldwide on the predominantly Russian-language Deep Web forum “XSS.” The actor said the login credentials were obtained from infostealer malware logs harvested from victims in different countries, including:
- New Zealand
- Sri Lanka
ZeroFox researchers assess that the actor is likely to corner this market, because very few, if any, trusted vendors currently specialize in the sale of compromised government account credentials.
Deal Involving Alleged Zero-Day Exploit For RCE Vulnerability In qTox Confirmed
Well-regarded threat actor and forum moderator “Quake3” confirmed, on the predominantly Russian-language Deep Web forum “Exploit,” that a deal had been completed for an alleged zero-day exploit of a remote code execution (RCE) vulnerability in qTox, a free encrypted instant messaging application. This is significant because qTox is widely used across the criminal underground. According to the listing, the exploit allows threat actors to remotely execute code on target machines with Chromium-based browsers; the claim has not been independently verified.
The threat actor “FHT” initially posted about the rumored zero-day exploit; “Quake3” later confirmed that a buyer purchased it for 20 BTC (more than $500,000 USD at the time).
ZeroFox researchers assess that the existence of this exploit will likely disrupt the underground economy, since many threat actors are likely to move their operations from qTox to alternate platforms.
Learn More about the Authors Behind The Underground Economist
The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you. Learn more here.