Welcome back to The Underground Economist: Volume 3, Issue 19, an intelligence focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of October 2nd, 2023.
Threat Actors Share Sensitive Data from Alleged T-Mobile Breach
In late September 2023, ZeroFox researchers observed well-regarded threat actors “Tanaka” and “Rheadzz” share sensitive data allegedly obtained from a T-Mobile data breach on the English language Deep Web forum “Black Forums” and the Russian language Dark Web forum “RAMP.” The alleged breach occurred in April 2023. The file shared by the threat actors contains the sensitive data of both employees and customers, including:
- Employee names
- Job titles
- Email addresses
- Customer names
- Plan types
- Phone numbers
- Invoice numbers
- SIM card numbers
- IMEI numbers
- Billing account numbers
ZeroFox researchers assess there will likely be more SIM swap attacks against T-Mobile users because of the information derived from this breach. A threat actor can likely use this data in combination with compromised T-Mobile account credentials to perform account takeovers and transfer the phone numbers of victims to threat actor-controlled devices.
New RaaS Project Dubbed ‘KUIPER’ Announced
On September 22, 2023, the well-regarded threat actor group “RobinHood” announced a new ransomware-as-a-service (RaaS) project dubbed “KUIPER” on the predominantly Russian language Dark Web forum “RAMP.” ZeroFox notes there has been a steady increase in the number of ransomware gangs offering RaaS services with affiliate programs on the Russian underground in 2023.
The new RaaS service was written from scratch in Golang. Features of the ransomware include:
- Works on systems running most versions of Windows, Linux, and ESXi
- Uses RSA-4096 encryption
- Kills services and processes to avoid detection by most antivirus and EDR solutions, including Windows Defender
- Automatically deletes malicious code
- Removes system backups to make recovery more difficult
- Encrypts files on network attached storage (NAS) devices
The RaaS group can also set up post-exploitation infrastructure for affiliates to exfiltrate the stolen data.
ZeroFox researchers assess it is highly likely this new RaaS project will gain momentum because the ransomware gang is offering affiliates 90 percent of the profits from any successful ransomware attacks if they provide the initial network access and perform the post-exploitation actions themselves. Ransomware groups typically keep a larger share of the profits and pay affiliates less.
More Threat Actors Selling Bulk Access to Corporate Networks
ZeroFox observed two threat actors selling bulk access to corporate networks on the predominantly Russian language Deep Web forum “Exploit.” Our researchers assess this recent surge in the number of bulk network access deals is likely due to the emergence of custom checker tools designed to compromise corporate networks. These tools significantly lower the barrier to entry for threat actors looking to gain initial network access to target companies.
On September 18, the untested threat actor “ppfuck” advertised a network access bundle for 502 companies worldwide. The bundle contains compromised account credentials for different services, including:
The threat actor who purchases this bundle will also receive login credentials for various Cisco and Pulse Secure accounts. The actor specified these credentials were obtained by exploiting different directory traversal vulnerabilities, known as CSCOE and dana-na.
On September 11, untested threat actor “The-Best” advertised Secure Shell (SSH) access with root privileges to 200 corporate networks worldwide. This would be especially useful to ransomware gangs, since they would have unrestricted access to the compromised machines, allowing them to install ransomware on the target devices.
New Marketplace Selling The PII of U.S. Citizens
On September 17, 2023, untested threat actor “FuzzyBoss” announced an automated marketplace selling the personally identifiable information (PII) of U.S. citizens, dubbed “Fullbase,” on the predominantly Russian language Deep Web forum “Exploit.” Compromised data the actor advertises includes:
- Full name
- Driver’s license number
- Physical address
- Email address
- Date of birth
- Phone number
- Credit score
In addition to sensitive data, the store sells various accounts registered using the stolen PII of victims, including:
- Bank accounts (such as CARD, Square, and Go2bank)
- Google Voice accounts
ZeroFox researchers assess the rise of automated marketplaces like “Fullbase” will likely lead to more identity theft cases in the U.S. because these stores streamline the process for threat actors to obtain stolen PII.
Learn More about the Authors Behind The Underground Economist
The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you. Learn more here.