Welcome back to The Underground Economist: Volume 3, Issue 21, an intelligence-focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach, to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of October 29th, 2023.
Threat Actors Continue to Target Israeli Entities
A growing number of politically motivated threat actors are targeting Israeli entities on the Deep and Dark Web. ZeroFox researchers assess that new hacktivist activity will likely continue to emerge on the criminal underground as the war between Israel and Hamas unfolds.
On October 21, 2023, well-regarded and established threat actor “frog” shared sensitive data related to the Israel Ministry of Defense on the English language Deep Web forum “LeakBase.” The actor credited the hacktivist group “Garnesia Team” with the breach. The compromised data includes various internal documents, including some that detail:
- The use of encrypted devices
- Injured soldier rehabilitation
- Financing expenses
On October 14, 2023, well-regarded threat actor “socket” shared, on the predominantly Russian language Dark Web forum “RAMP,” a list containing the IP addresses of seven unpatched web servers based in Israel that are allegedly susceptible to a remote code execution (RCE) vulnerability in Microsoft Exchange Server, tracked as CVE-2021-34473. This vulnerability would allow unauthenticated threat actors to remotely execute code on the target machines. It is worth noting that an exploit module for this vulnerability is readily available in the free penetration testing framework Metasploit.
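For defenders running Exchange, the practical question is whether their own servers have already been probed for CVE-2021-34473. The following detector, added here as an example and not taken from the post, scans IIS W3C logs for the publicly documented request shape of that path-confusion flaw: an `autodiscover.json` request whose query carries an explicit-logon `@` token together with a backend path or a re-injected `Email=autodiscover/autodiscover.json` parameter. The log lines, hostnames and IP addresses are constructed, and the field layout is assumed to be the default IIS W3C order.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed IIS W3C log excerpt (not real traffic). The third line is a
# legitimate Autodiscover JSON request and must NOT be flagged even though
# it contains an "@" in the Email parameter.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-10-14 08:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 192.0.2.10 Mozilla/5.0 - 200 0 0 120
2023-10-14 08:01:09 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3f@example.test 443 - 198.51.100.7 python-requests/2.31 - 200 0 0 455
2023-10-14 08:01:12 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.test&Protocol=ActiveSync 443 - 192.0.2.11 Outlook-iOS/2.0 - 200 0 0 60
2023-10-14 08:01:15 10.0.0.5 GET /autodiscover/autodiscover.json @example.test/powershell/ 443 - 198.51.100.7 python-requests/2.31 - 200 0 0 310
2023-10-14 08:02:00 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 user@example.test 192.0.2.11 Microsoft%20Office/16.0 - 200 0 0 80
"""

# Published indicators for CVE-2021-34473 probing: the autodiscover.json
# endpoint abused with an "@" explicit-logon token, either re-injecting the
# autodiscover path in the Email parameter or reaching for a backend path.
AUTODISCOVER_JSON = re.compile(r"^/autodiscover/autodiscover\.json", re.I)
EMAIL_REINJECT = re.compile(r"email=autodiscover/autodiscover\.json", re.I)
BACKEND_PATHS = ("/mapi/nspi", "/powershell", "/ews/")


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):  # malformed or truncated line: skip, don't crash
            continue
        yield dict(zip(fields, parts))


def is_proxyshell_probe(rec: Dict[str, str]) -> bool:
    """True when the request matches the CVE-2021-34473 path-confusion shape."""
    if not AUTODISCOVER_JSON.search(rec["cs-uri-stem"]):
        return False
    query = rec["cs-uri-query"].lower()
    # A plain "@" alone is normal (Email=user@domain); require the abuse pattern too.
    return "@" in query and (
        EMAIL_REINJECT.search(query) is not None
        or any(path in query for path in BACKEND_PATHS)
    )


def find_probes(text: str) -> List[Tuple[str, str]]:
    """Return (client IP, full URI) for every suspicious request in the log."""
    return [
        (r["c-ip"], r["cs-uri-stem"] + "?" + r["cs-uri-query"])
        for r in parse_w3c(text)
        if is_proxyshell_probe(r)
    ]
```

A hit does not prove compromise, only that the path-confusion shape was sent; correlate the source IP with the server's patch level and with follow-on activity such as new files under the Exchange web directories.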
Service Buys Compromised VPN and RDP Login Credentials
On October 20, 2023, well-regarded and established threat actor “r1z” advertised a service that buys compromised VPN and RDP login credentials from peers on the predominantly Russian language Deep Web forum “XSS.” The actor can likely use these credentials to compromise corporate networks. Once they have established a foothold, the actor can likely use this initial network access to launch further cyber-attacks, such as ransomware attacks.
The actor also claimed to have private exploits for local privilege escalation (LPE) vulnerabilities in different services. These alleged exploits would not be detected as malicious by most antivirus and endpoint detection and response (EDR) solutions.
ZeroFox researchers assess the threat actor is likely legitimate because they have deposited more than $30,000 USD (1 BTC) into the forum’s escrow service. The actor can use these funds in combination with a forum administrator or middleman to complete any network access deals.
Alleged Zero-Day Exploit for Vulnerability in Unnamed REST API
On October 17, 2023, the untested threat actor “dogmatic” advertised an alleged zero-day exploit for a vulnerability in an unnamed REST API on the predominantly Russian language Deep Web forum “Exploit.” Threat actors could exploit this vulnerability to access the API endpoints of target companies without authentication. The actor said they successfully used the exploit to steal the personally identifiable information (PII) of 1.6 million customers from an undisclosed company.
The exploit was available for auction, with a starting bid of $50,000 USD, a minimum bid of $5,000 USD, and an instant purchase price of $250,000 USD.
ZeroFox researchers assess the sale of this exploit will likely lead to an increase in the number of data breaches worldwide, since the actor claimed that 15,000 companies had vulnerable API endpoints, including some cryptocurrency and pharmaceutical companies.
Threat Actor Looking to Buy Compromised X Accounts
On October 17, 2023, the untested threat actor “mercurial129” announced they will purchase compromised X (formerly known as Twitter) accounts from peers on the predominantly Russian language Deep Web forum “Exploit.” The actor specified that each account must have a minimum of 5,000 followers. They preferred accounts related to:
- Non-fungible tokens (NFTs)
This is significant because threat actors often use these types of accounts for fraudulent operations, such as stealing cryptocurrency and NFTs from victims or spreading political propaganda and disinformation on social media.
The actor offered to pay at least $100 USD per account.
ZeroFox researchers assess the actor will likely draw interest from peers, since threat actors stand to profit by selling off any compromised X account credentials they obtain via malware logs.
Learn More about the Authors Behind The Underground Economist
The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you.