The Underground Economist: Volume 3, Issue 16


Welcome back to The Underground Economist: Volume 3, Issue 16, an intelligence-focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach, to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of August 21st, 2023.

Network Access To Unnamed Brazilian Certificate Authority Alleged

Well-regarded and established threat actor “el84” advertised domain administrator access to the internal network of an unnamed Brazilian certificate authority (CA) on the predominantly Russian language Dark Web forum “RAMP.” A buyer can likely monetize this access in more than one way: by leveraging the CA’s position of trust to impersonate trusted websites and perform man-in-the-middle attacks that steal sensitive data from victims, or by carrying out a traditional ransomware attack against the CA itself.

  • A CA is an organization that issues digital certificates for websites and other entities. Web browsers trust these certificates to validate the identity of the company or individual responsible for a website. Certificates also underpin encrypted communication over the Internet and ensure the integrity of documents in transit.

The actor charged $5,000 USD for the access.

ZeroFox researchers assess the target is likely Certisign because the actor specified the company generates $96 million in revenue and has issued more than 10 million digital certificates. These details match publicly available information on the company’s zoominfo[.]com page.

Network Scanner Identifies Active RDP Instances

Untested threat actor “Expl0it_777” advertised a network scanner designed to enumerate active RDP instances, dubbed “RdpHints,” on the predominantly Russian language Deep Web forum “Exploit.” The scanner leverages undisclosed Windows tools and the Python-based Tesseract optical character recognition (OCR) package to capture sensitive data about RDP instances, including usernames and passwords. It is highly likely that threat actors can combine the collected information with other tools to compromise target networks, the first step in a ransomware attack.

The scanner works with systems running Windows 8.1/Windows Server 2012 R2 or higher. A threat actor would need to supply their own list of IP addresses and port numbers to enumerate. The actor charged $200 USD for the scanner.

ZeroFox researchers assess this scanner will likely find success on the criminal underground because it lowers the barrier to entry for threat actors looking to compromise target networks.

Shop Selling Compromised OpenAI Accounts

New and untested threat actor “fernquaker” announced an automated marketplace selling compromised OpenAI accounts with API credits attached on the predominantly Russian language Deep Web forum “BHF.” The marketplace had accounts for different services, including ChatGPT, DALL-E 2, and Whisper. Threat actors can likely use these accounts to automate the content creation process for malicious campaigns, such as generating AI-powered propaganda or phishing emails.

Prices for the accounts vary depending on the credit balance, including:

  • $12 USD for accounts with $120 USD credit
  • $39 USD for accounts with $500 USD credit
  • $59 USD for accounts with $1,000 USD credit

ZeroFox researchers assess there will likely be continued demand for malware logs that contain compromised OpenAI accounts because threat actors can potentially earn more by selling the accounts individually.

New Stolen Payment Card Shop Launches

In early August 2023, the new and positively trending threat actor group “AUTHORIZE” announced the launch of its previously reported stolen payment card shop, dubbed “Authorize,” on the predominantly Russian language Deep Web forum “WWH-Club.” The shop had approximately 10,000 stolen payment cards available to purchase. Would-be customers can filter search results by:

  • BINs
  • Zip codes
  • Card type
  • Card vendor
  • Country
  • Bank
  • CVV

A threat actor can also search for specific payment cards that match a victim’s personally identifiable information (PII), including their physical address, Social Security number, or date of birth. The shop provides support in multiple languages, including Russian, English, and Chinese.

ZeroFox researchers assess this new shop will likely gain momentum in the carding community because of its favorable conditions for sellers: automatic payouts for transactions, the flexibility to add new cards without administrator approval, and the ability for sellers to set the prices of their own cards.

Additionally, the shop claims a high validity rate for its cards, indicating that buyers are less likely to be scammed or request replacements for invalid cards.

Learn More about the Authors Behind The Underground Economist

The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you. Learn more here.
