Welcome back to The Underground Economist: Volume 3, Issue 22, an intelligence-focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach, to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of November 13th, 2023.
Automated Tool Targets High-Value Cryptocurrency Wallets
On November 4, 2023, the well-regarded threat actor “boomking” advertised an automated tool that targets high-value cryptocurrency wallets on the predominantly Russian-language Deep Web forum “Exploit.” The tool attempts to trick victims into sending funds to threat-actor-controlled cryptocurrency wallets. It does this by mining the public blockchains of various cryptocurrencies to identify the wallet addresses of potential targets involved in high-value transactions.
Once the tool identifies a target, it automatically generates a cryptocurrency wallet controlled by the threat actor. The threat-actor-generated address is nearly identical to the target’s wallet address, sharing the same sequence of characters at the beginning and end of the address. The tool then sends $0.001 USD from the generated wallet to the target wallet, using this test transaction to determine the total balance available in each wallet. The operator relies on the victim noticing the $0.001 USD transaction in their history and mistakenly copying the look-alike address, sending funds to the threat-actor-controlled wallet instead of their intended destination.
- The actor charged between $15,000 USD and $25,000 USD for the tool.
ZeroFox researchers assess this tool is unique because it exclusively leverages publicly available resources to operate. This is significant because the operator of the tool would not need to compromise a target machine with malware to steal a victim’s cryptocurrency assets.
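The look-alike-address tactic described above, seen from the defender’s side, as an added example that is not ZeroFox’s code or the advertised tool: a check over a wallet’s transaction history that flags incoming dust from an address sharing a trusted counterparty’s leading and trailing characters. The prefix/suffix lengths, the dust threshold and every address and transfer are constructed assumptions.

```python
from dataclasses import dataclass

PREFIX_LEN = 6    # leading chars compared: "0x" plus four hex digits (assumption)
SUFFIX_LEN = 4    # trailing chars compared (assumption)
DUST_USD = 0.01   # incoming value below this is treated as probing dust (assumption)


@dataclass(frozen=True)
class Transfer:
    counterparty: str   # the other party's address
    value_usd: float    # value of the transfer in USD
    incoming: bool      # True when funds arrived in our wallet


def looks_alike(candidate: str, known: str) -> bool:
    """True when candidate copies known's start and end but is a different address."""
    if candidate == known or len(candidate) != len(known):
        return False
    return (candidate[:PREFIX_LEN] == known[:PREFIX_LEN]
            and candidate[-SUFFIX_LEN:] == known[-SUFFIX_LEN:])


def flag_poisoning(address_book: set[str], history: list[Transfer]) -> dict[str, dict]:
    """Map each suspicious incoming address to the trusted address it mimics."""
    findings: dict[str, dict] = {}
    for tx in history:
        # Only incoming transfers from unknown addresses matter: the tactic works
        # by planting a fake entry in the victim's recent transaction history.
        if not tx.incoming or tx.counterparty in address_book:
            continue
        for trusted in address_book:
            if looks_alike(tx.counterparty, trusted):
                findings[tx.counterparty] = {"mimics": trusted,
                                             "dust": tx.value_usd < DUST_USD}
                break
    return findings


# Constructed sample data (not real on-chain records): a trusted exchange
# deposit address, our own withdrawal to it, and dust from a look-alike.
EXCHANGE = "0x7a3f19c2e5b8d4a6f0e1c9b7d2a4f6e8c0b1d3a5"
LOOKALIKE = EXCHANGE[:PREFIX_LEN] + "e" * 32 + EXCHANGE[-SUFFIX_LEN:]
ADDRESS_BOOK = {EXCHANGE}
HISTORY = [
    Transfer(EXCHANGE, 2500.0, incoming=False),   # legitimate outgoing payment
    Transfer(LOOKALIKE, 0.001, incoming=True),    # the impostor's $0.001 probe
]

if __name__ == "__main__":
    for addr, info in flag_poisoning(ADDRESS_BOOK, HISTORY).items():
        print(f"{addr} mimics {info['mimics']} (dust: {info['dust']})")
```

A wallet front end could run the same check on a pasted destination address before signing, refusing to send when the address is flagged and not in the address book.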
Exploit for Unpatched Vulnerability in FortiOS Alleged
On October 29, 2023, the untested threat actor “razor4721” advertised an exploit for an unpatched vulnerability in FortiOS SSL-VPN, tracked as CVE-2023-27997 (AKA XORtigate), on the predominantly Russian-language Dark Web forum “Exploit.” This exploit would allow an unauthenticated attacker to run shell commands via Node.js on target machines running FortiOS version 7.2.2.
The exploit was available for auction, with a starting price of $11,000 USD.
ZeroFox researchers assess that the sale of this exploit will likely lead to more targeted attacks against unpatched FortiOS instances, since a threat actor could use it to gain initial access to target networks and launch malicious campaigns, such as ransomware attacks.
Actor Selling Email Addresses of 100,000 Exodus Users
On October 29, 2023, the untested threat actor “sing” advertised a list containing the email addresses of approximately 100,000 users of the cryptocurrency wallet Exodus on the predominantly Russian-language Deep Web forum “Exploit.” Although the list does not contain the victims’ passwords, ZeroFox researchers assess its sale will likely lead to an increase in targeted credential stuffing attacks against Exodus users, because the Exodus wallet currently does not lock out accounts after incorrect password attempts. Exodus users exposed in this list are now at greater risk of spear phishing attacks. The actor charged $5,000 USD for the complete list of email addresses and stated it would be sold to three threat actors.
Underground Forum Unveils Counterintelligence Section
On October 17, 2023, the Deep Web forum “Hydra Market” unveiled a new counterintelligence section to its community. This section highlights the physical locations of surveillance devices in Europe, including:
- A hidden camera in a van outside a political event in Bremen, Germany
- An audio recording device in an anarchist library in Paris, France
- A microphone in a house in Pozzuoli, Italy
The administrator of the forum claims these surveillance devices were installed by law enforcement agencies to spy on politically motivated threat actors.
ZeroFox researchers assess the posts in this new section will likely serve as early warning indicators for some threat actors, since they contain enough details about the surveillance devices for anyone nearby to find or avoid them.
Learn More about the Authors Behind The Underground Economist
The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you. Learn more here.