The Underground Economist: Volume 3, Issue 4
Welcome back to The Underground Economist: Volume 3, Issue 4, an intelligence focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of February 20, 2023.
Automated Telegram Service Provides Network Access To Paying Members
New and untested threat actor “barf” announced an automated Telegram service that provides paying members with network access to various targets worldwide on the predominantly Russian language Deep Web forum “XSS.” Most network access deals are typically conducted manually, giving vendors more time to negotiate and potentially scam would-be buyers. The service offers remote desktop access (RDP) access with user and administrator-level rights to approximately ten different target networks per month, including individual and corporate instances. The actor noted the same RDP accesses would be shared among all members of the group. While some peers expressed concern over this, the majority supported the service, stating that most network access brokers sell the same network access bundles to multiple buyers anyway, despite claims the deals are exclusive. The subscription fee for the service was $100 USD per month. The group was limited to 35 members.
More Supply Than Demand For Access Deals Involving WordPress Accounts
In mid-February 2023, well-regarded threat actor “punktir” cancelled an auction for administrator access to 10,500 compromised WordPress accounts, citing a lack of interest from potential buyers, on the predominantly Russian language Deep Web forum Exploit. This likely indicates the number of access deals involving WordPress accounts across the criminal underground far exceeds the current demand from attackers.
For years, threat actors have targeted websites built on WordPress to perform various cyber-attacks, including:
- Website defacement
- URL hijacking
- Malware distribution
- Stealing the personally identifiable information (PII) of victims
The actor originally listed the access for auction in mid-January 2023, with a starting bid of $3,250 USD, a minimum bid of $250 USD and an instant purchase price of $5,250 USD. The actor eventually decreased the price before cancelling the auction.
Scammers Looking To Profit From Recent Earthquakes In Turkey & Syria
In early February 2023, ZeroFox researchers identified new Telegram channels run by scammers looking to profit from the recent earthquakes in Turkey and Syria. One channel, “Support Your love once in Turkey and Syria earthquake financially,” is asking for Bitcoin donations for those affected. Specifically, the channel is soliciting for funds from the following countries:
The administrator of the channel also shared a screenshot of what they claimed to be a successful payment transaction. It is virtually certain this was done to make the campaign look more legitimate to potential victims.
Service Scans Target Networks For Vulnerabilities Using Commercial Tools
New and untested threat actor “CINT” advertised a service that scans target networks for vulnerabilities on the predominantly Russian language Deep Web forum “XSS.” The service gives threat actors access to licensed copies of commercial penetration testing tools at heavily discounted rates, including:
- Metasploit Professional
- Invicti Enterprise
- Burp Suite Enterprise
For an additional fee, the service team can also help threat actors set up their own command-and-control (C2) servers using Metasploit Professional, Cobalt Strike, or Brute Ratel. This would allow the actors to maintain communications with any compromised devices on a network. Prices for the service started at $35 USD per scan. It cost $300 USD per month for unlimited scans.
Tags: Dark Ops , Deep & Dark Web