The Underground Economist: Volume 3, Issue 24


Welcome back to The Underground Economist: Volume 3, Issue 24, an intelligence-focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of December 11th, 2023.

Mass Access Brokering Event Impacting Corporate Citrix VPN Users

On November 26, 2023, highly regarded threat actor “Punktir” announced the auction of access to at least 711 compromised Citrix Virtual Private Network (VPN) instances with verified credentials on the Russian-speaking forum exploit[.]in. Since 2020, Citrix VPN has been one of the most widely-exploited products used by access brokers to gain a foothold into corporate networks. 

The post very likely represents a legitimate mass access brokering event; the threat actor has a strong reputation and states that they will accept escrow at the buyer’s expense. The post alleges that:

  • There are no two-factor authentication (2FA) protected instances.
  • There are no duplicates of previously-sold login portal links. 
  • The auction has a starting bid of USD 700, and it is USD 35,000 for a “blitz” or “buy now” price to acquire the total package without waiting for the auction to expire.

Translated exploit[.]in post advertising the mass access brokering event

Source: ZeroFox Collections

Organizations included in the access sale have an alleged revenue over USD 5 million—a figure that typically satisfies the criterion used by ransomware collectives. No government, education, or Commonwealth of Independent States (CIS)-based entities are included. The targets are all Europe- and U.S.-based, with U.S. targets allegedly accounting for more than 400 entries.

The emergence of corporate access checkers on the deep and dark web has driven an increase in bulk access sales in 2023. 

  • A corporate login checker (such as the Multi Network Checker) was likely leveraged in this instance to verify the list of targets given the high volume of compromised Citrix VPN portals and the claim that the credentials were checked. 
  • The target list was likely prepared prior to obtaining access and likely based on manual research supplemented by scanning via pentesting tools. 

Use of these tools is expected to continue on an upward trajectory as corporate checkers become more readily available to potential attackers.

New “Akitacrypt” Ransomware-as-a-Service Announced

On November 26, 2023, untested English-speaking threat actor “gana” announced a new Ransomware-as-a-Service (RaaS) offering named “Akitacrypt” on the Dark Web community BlackForums. The BlackForums platform is operated by actors connected to the “Five Families” hacking group, consisting of ThreatSec, GhostSec, Stormous, Blackforums, and SiegedSec.

The post claims that “Akitacrypt” is a fully-featured ransomware solution, developed and tested privately for two years prior to release. “Akitacrypt” is allegedly:

  • Written in Rust, a programming language becoming increasingly popular amongst malware developers; 
  • Fast;
  • Fully undetectable (FUD), bypassing all antivirus products, including Endpoint Detection and Response (EDR) services;
  • Currently deployable on both Windows and Linux operating systems, and–highly unusually–is being developed to have the capability to infect systems running Mac OS.

Post advertising the new “Akitacrypt” RaaS offering

Source: ZeroFox Collections

Affiliates deploying the offering will initially be entitled to 50 percent of the profits of successful extortion campaigns. While this is considerably lower than most Russian RaaS offerings–which typically offer in excess of 80 percent of profits–Akitacrypt affiliates that demonstrate sustained successes will be eligible to work up to as high as 90 percent of profits. To qualify, would-be affiliates must satisfy one of the following specialization requirements:

  • Initial network access brokers
  • Hobby penetration testers or web application hackers
  • Bug bounty hunters
  • Exploit developers
  • Insiders with internal access

The ransomware-as-a-service model has become increasingly popular outside of the typical Russian-speaking threat actor communities. Historically, English-speaking actors have advertised entrepreneur-type ransomware products which are designed to be used by a single actor or a small team in isolation. However, in 2023 the RaaS model has gained greater traction within English-speaking communities. 

ZeroFox assesses that if “gana”’s claims around “Akitacrypt”’s technical specifications are legitimate, the strain will very likely achieve considerable success and pose a significant threat to corporate entities worldwide. However, the actor is untested and therefore the veracity of their claims is difficult to ascertain. And although BlackForums is the official home of the “Five Families” outside of Telegram, it is still not widely regarded as a gathering place for serious brokers because of its low numbers of less notable forum members.

On November 25, 2023, well-regarded Russian-speaking actor “Alek74” announced the release of a modified version of the popular pentesting tool OpenBullet on the Dark Web marketplace xss[.]is. The OpenBullet tool enables threat actors to attack the servers of a particular entity by checking credentials against various login pages using commands within a specific configuration file. This modified version, dubbed “OpenBullet Cookie Edition”, parses cookies from botnet and infostealer logs and checks them against a list of targets.

Translated post advertising the new OpenBullet Cookie Edition tool
Source: ZeroFox Collections

“Alek74” posted full instructions for operating the tool and provided a link to the OpenBullet modification on GitHub. The actor also referred to a download of their OpenBullet Cookie Edition project which targets TikTok accounts by checking session cookies against them. If a hit is recorded, the attacker can begin integrating the validated cookies into their browser and continue the victim’s session.

Links provided by the actor to GitHub and their project targeting TikTok accounts
Source: ZeroFox Collections

OpenBullet Cookie Edition will likely gain traction on dark web marketplaces, greatly aiding threat actors’ efforts to leverage botnet and infostealer logs by streamlining parsing and validation of cookies. It represents a continuation of the trend seen in 2023 where botnet and infostealer logs have become a more valuable resource to threat actors than database dumps and combolists containing emails and passwords. While the standard OpenBullet tool leverages email:password lists to attack login portals, the modified Cookie Edition has been adapted to leverage logs, which are now a more valuable and more common resource.
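For defenders, a replayed session cookie shows up server-side as one session ID presented from a client context different from the one it was issued to. The following is an added detection sketch, not code from ZeroFox or from the tool described; the event layout, the /24-plus-user-agent fingerprint and the sample events are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample events: (timestamp, session_id, client_ip, user_agent, event)
SAMPLE_EVENTS = [
    ("2023-12-11T09:00:02Z", "sess-A1", "198.51.100.10", "Firefox/120.0 (Windows)", "login"),
    ("2023-12-11T09:00:40Z", "sess-B2", "192.0.2.5", "Safari/17.1 (macOS)", "login"),
    ("2023-12-11T09:05:11Z", "sess-A1", "198.51.100.23", "Firefox/120.0 (Windows)", "request"),
    ("2023-12-11T09:06:00Z", "sess-C3", "198.51.100.40", "Edge/119.0 (Windows)", "request"),
    ("2023-12-11T09:07:30Z", "sess-B2", "192.0.2.5", "Safari/17.1 (macOS)", "request"),
    ("2023-12-11T11:42:19Z", "sess-A1", "203.0.113.77", "Chrome/119.0 (Linux)", "request"),
    ("2023-12-11T11:42:25Z", "sess-A1", "203.0.113.77", "Chrome/119.0 (Linux)", "request"),
    ("2023-12-11T12:10:03Z", "sess-C3", "203.0.113.9", "Edge/119.0 (Windows)", "request"),
]


def client_context(ip, user_agent):
    """Coarse fingerprint: the /24 network (IPv4 assumed) plus the user agent.

    Using the network rather than the exact address tolerates ordinary
    address changes inside one site while still catching a move elsewhere.
    """
    network = ipaddress.ip_network(f"{ip}/24", strict=False)
    return (str(network), user_agent)


def find_replayed_sessions(events):
    """Flag session IDs later used from a context they were not bound to.

    A session is bound at login; if the login falls outside the log window,
    it is bound to the first context in which it is seen.
    """
    bound = {}        # session_id -> context the session was issued to
    reported = set()  # (session_id, context) pairs already alerted on
    alerts = []
    for ts, sid, ip, ua, event in sorted(events):
        ctx = client_context(ip, ua)
        if event == "login" or sid not in bound:
            bound[sid] = ctx
            continue
        if ctx != bound[sid] and (sid, ctx) not in reported:
            reported.add((sid, ctx))
            alerts.append({"time": ts, "session": sid,
                           "expected": bound[sid], "observed": ctx})
    return alerts
```

An alert from this check is a trigger for session revocation and re-authentication; binding sessions to client context at issuance enforces the same rule preventively.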

Learn More about the Authors Behind The Underground Economist

The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you. Learn more here.
