The Underground Economist: Volume 3, Issue 25

Welcome back to The Underground Economist: Volume 3, Issue 25, an intelligence focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of December 25th, 2023.

Network Access Sale Linked to Chandrayaan-3 Mission

On December 6, 2023, network access broker RobinHood announced on Russian-language dark web forum RAMP the sale of likely network access to an unnamed India-based enterprise in the Defense and Aerospace sector. The compromised organization is alleged to have “active ongoing main partnership with recent [sic] achieved India moon landing mission Chandrayan-3.” The price requested is USD 5,000. The post states that access includes:

• Remote Desktop Protocol (RDP), AnyDesk, and user logins
• Over 30 terabytes of data

Judging from the long-standing positive reputation of RobinHood, the post likely represents a legitimate network access sale. RobinHood is also willing to accept escrow at the buyer’s expense—a positive indicator of an actor’s reliability. The advertised access is very likely designed to appeal to Russian ransomware and digital extortion collectives, as the forum was built and is dominated by Russian-speaking actors. High-profile targets on the network access market—particularly those with geopolitical implications—often draw widespread attention from extortion collectives.

• The targeted company’s partnership with Chandrayan-3 will draw threat actors that are keen to hit back at organizations contributing to the success of Russia’s competitors.
• The access broker RobinHood is very likely linked to the recently-announced Kuiper Ransomware-as-a-Service (Raas) operation

RAMP post advertising access to an Indian Defense and Aerospace Organization
Source: ZeroFox Collections

New Crypto Scam Platform Announced in Dark Web Community

On December 7, 2023, untested Russian-speaking threat actor NoMoneyNoLife announced a yet-unnamed, new crypto scam platform in dark web community “Gate2Dark.” The platform functions as a fake cryptocurrency exchange and encompasses many functions typically utilized in legitimate counterparts.

The post claims that the threat actor is searching for affiliates who can drive traffic to the platform so that victims register and deposit/transfer funds into the scam exchange. These roles are very likely similar to those undertaken by affiliates of RaaS operations, though likely much less sophisticated. Affiliates are also provided with a manual to guide their progress on the platform.

The post advises that successful “traffic” specialists can receive up to 90 percent of the funds stolen in crypto scam attacks leveraging the platform. Amongst RaaS affiliates, this percentage is very likely considered a high payout rate.

Gate2Dark post advertising new Crypto Scam-as-a-Service offering
Source: ZeroFox Collections

The threat actor noted that the platform can be outfitted with different designs, as well as linked to affiliates’ own domains, and that further customization can be carried out in order to fit users’ own targeting approach. Other advertised features include:

• The logging of all victim actions
• Metamask integration via seed phrase phished from victim
• Platform support to victim in order to remain undetected for as long as possible
• Access to future updates and features

Gate2Dark post advertising features of new Crypto Scam-as-a-Service offering
Source: ZeroFox Collections

The proliferation of RaaS, access-as-a-service (AaaS), and malware-as-a-service (MaaS) in deep and dark web marketplaces in recent years is likely indicative of the lucrative opportunities and efficiency of as-a-service offerings. Crypto Scam-as-a-Service offerings are likely to pose an increasing threat to cryptocurrency users and legitimate platforms, with a roughly even chance that they require less expertise to operate than other as-a-service offerings.

Data Protection Legislation Set to be Leveraged in BlackMail of Victims

On December 16, 2023, untested threat actor hackerGPT announced that they will lead a team of “data hunters” to target victims set to be penalized by specific data protection legislation. Posting on dark web platform RAMP, hackerGPT implied that they have already begun to act, but a lack of exploitable network access has forced them to enter the access-brokering market. They are now seeking the services of corporate network access dealers, though allege that they are competent enough to exploit the initial foothold, once established, and exfiltrate data.

hackerGPT post seeking Access-as-a-Service Brokers
Source: ZeroFox Collections

The post alludes to specific data protection legislation that governs the penalization of organizations that experience data leaks and the subsequent fines, which are based on a percentage of the organization’s revenue. As a company’s revenue is often publicly available, threat actors are able to negotiate a ransom demand by allowing the buy-back of stolen data at a cost likely just below that of the fine.

Threat actors conducting this form of data kidnapping (data exfiltration omitting the deployment of ransomware) are likely to prioritize European Union (EU)-based companies that are subject to the General Data Protection Regulation (GDPR), which can systematically enforce fines.

• U.S.-based organizations will also likely be targeted in this manner, though data protection legislation governing them is less comprehensive. This likely means that attacks would target organizations falling within different, industry-specific data protection legislation. This would very likely require additional research and effort by threat actors.
• U.S.-based organizations that handle the data of EU residents are also likely to be prioritized as targets, due to their subjection to GDPR.

Recommendations

• Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
• Implement network segmentation to separate resources by sensitivity and/or function.
• Implement secure password policies, with phishing-resistant multi-factor authentication (MFA), complex passwords, and unique credentials.
• Leverage cyber threat intelligence to inform detection of relevant cyber threats and associated tactiques, techniques, and procedures (TTPs).
• Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
• Develop a comprehensive incident response strategy.
• Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
• Deploy a holistic patch management process, and ensure all IT assets are updated with the latest software updates as quickly as possible.
• Proactively monitor for compromised accounts being brokered in deep and dark web forums.
• Configure ongoing monitoring for Compromised Account Credentials.

Learn More about the Authors Behind The Underground Economist

The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you. Learn more here.