The Underground Economist: Volume 4, Issue 8

Welcome back to The Underground Economist: Volume 4, Issue 8, an intelligence-focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team.

The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of April 18, 2024.

Temporary BreachForums Disruption Claimed by Hacking Group

On April 15, 2024, BreachForums’ surface web domain was taken down. The site's administrator, “Baphomet”, posted a subsequent PGP-encrypted message to the forum’s Telegram channel announcing the suspension of BreachForums[.]cx and added that the forum’s [.]onion domain was still functioning. ZeroFox can confirm that the deep and dark web (DDW) domain was not disrupted.

  • BreachForums is an illicit hacking forum that hosts discussion surrounding malicious network access and exploitation, as well as the trading of associated goods such as personally identifiable information (PII) and personal financial information (PFI).
  • The forum has experienced significant disruption on numerous occasions, including the April 2022 law enforcement (LE) takedown of its predecessor RaidForums and the March 2023 takedown of BreachForums following the LE arrest of the site’s creator, known as “Pompompurin.”

Threat actor “R00TK1T”, in alleged coordination with “CyberArmyofRussia”, declared responsibility for the site’s disruption several hours later in a Telegram post. The group also hinted that it would imminently reveal “surprises” aimed at the “hacker community.” There is a roughly even chance that this will not take place; if it does, it could refer to the unveiling of a new campaign or set of motives, or to the leaking of doxxing information aimed at the forum’s users.

  • R00TK1T is a financially and ideologically motivated hacking outfit that has been responsible for data theft and denial-of-service (DoS) attacks against organizations globally, often leveraging vulnerability exploitation and, allegedly, disgruntled employees.
  • CyberArmyofRussia—which did not comment on the attack except to copy R00TK1T’s statement on to its own Telegram page—is a hacking group that is frequently implicated in DoS attacks against Ukrainian targets and the dissemination of pro-Russia propaganda.

R00TK1T’s involvement was quickly disputed by Baphomet, who instead blamed “the five eyes network, and various other large nations.” Baphomet also announced the resumption of the forum on the [.]st top-level domain (TLD). As of the time of writing, this site is fully functional.

  • “The five eyes network” almost certainly alludes to an international intelligence-sharing alliance comprising the United States, the United Kingdom, Canada, Australia, and New Zealand.

R00TK1T claims to support Russia and Israel while opposing Iran. This is an unorthodox stance rarely seen amongst Russian-speaking threat groups, given the generally friendly Russian-Iranian relations.

Many of R00TK1T’s historical targets are those perceived to be acting against the interests of Russia and Israel.

  • R00TK1T has claimed to target numerous Iran-based entities, including a financial exchange system, an educational institution, a hospital, and an overseas logistics company. In early 2024, the group also announced its intent to target Malaysian government entities, citing Malaysia’s involvement in the Middle East.
  • Entities perceived as being anti-Russia have also been targeted. R00TK1T claimed to have attacked a Chinese drone manufacturer whose products are allegedly used by the Armed Forces of Ukraine in the ongoing Ukraine-Russia conflict, and claimed credit for defacing an Azerbaijani state website following Azerbaijan’s disagreement with the Russian government in October 2023.

It is likely that this alignment stems from R00TK1T deeming both the Iranian and Ukrainian governments to be terrorist entities; the group has said as much of the latter on multiple occasions. There is also a roughly even chance that R00TK1T’s alleged allegiances are an attempt to generate “non-Russian” support for Russia by routinely undermining the current geopolitical status quo.

As a primarily English-speaking forum, BreachForums is regularly frequented by actors discussing cyberattacks against both Russia and Israel, which R00TK1T almost certainly perceives as justification for its alleged involvement. However, given the forum’s short downtime and the absence of the follow-up information R00TK1T threatened to release, it is unlikely that R00TK1T was involved in the site’s disruption.

This is supported further by a BreachForums post made prior to the disruption by well-regarded threat actor “IntelBroker”, who advertised an alleged leaked database associated with “Space Eyes”, a geospatial intelligence company that almost certainly works with the U.S. government.

Posts of this nature are not uncommon from IntelBroker; however, they are not usually advertised on clear web forums such as BreachForums[.]cx. There is a roughly even chance that the sensitivity of this alleged data breach encouraged and facilitated LE activity that resulted in the forum’s disruption.

Hacktivist Group SiegedSec Announces New Campaign

On April 8, 2024, hacktivist group SiegedSec posted on its Telegram channel announcing the start of a new campaign dubbed “Operation Trans Rights 2.” The post claims that SiegedSec intends to target churches, media companies, and other organizations perceived to be infringing on the rights of transgender individuals and communities.

  • SiegedSec is a hacktivist group that was first observed in approximately April 2022 and often refers to itself as the “gay furry hackers.”
  • The group was initially a member of “The Five Families”, a unified hacker collective that has conducted financially, ideologically, and politically motivated attacks against organizations across the globe. Aside from SiegedSec, The Five Families collective consists of hacktivist groups ThreatSec, Stormous, and GhostSec, as well as Blackforums, a DDW forum used for illicit discussion and trading.
  • In December 2023, SiegedSec was removed from The Five Families following the posting of a statement appearing to promote paedophilia. The group subsequently claimed that its page had been defaced and denied any involvement.

During 2023, SiegedSec conducted data theft and disruption attacks against organizations deemed to be promoting an anti-transgender or right-wing political agenda. Targets included several U.S. state governments as well as legal, scientific, and religious institutions. The group also conducted data theft attacks against the Community of Interest Cooperation Portal and the Lessons Learned Portal belonging to the North Atlantic Treaty Organization (NATO).

Over the coming months, it is almost certain that SiegedSec will attempt to conduct attacks against similar institutions. Attacks will very likely be aimed most often at causing disruption, defacing digital property, and doxxing associated individuals, particularly those who are outspoken regarding beliefs that could be perceived as anti-transgender. Stolen information is very likely to be leaked or sold in DDW marketplaces; it is unlikely that victims will be extorted first.

Access to U.S. Web Hosting Organization Advertised in Deep and Dark Web Forum

On April 8, 2024, untested threat actor “synthetic” posted in the DDW platform RAMP advertising access to a U.S.-based web hosting organization that has an annual revenue of approximately USD 16 million. According to the post, the victim organization is in the “General Telecommunications Hosting” industry and currently hosts over 120,000 web domains. 

Synthetic claims that the buyer will receive administrative access to all hosted web pages, which could number in the hundreds of thousands and belong to hundreds or thousands of separate organizations. The access is enabled through the web hosting tools cPanel and Web Host Manager (WHM), as well as Virtual Network Computing (VNC). WHM is the server-level administration interface that sits above the individual cPanel accounts on a host, so WHM-level access would in practice mean control over every customer site on the affected servers, not just a single account.

Fifty terabytes of data are also included in the sale, which very likely includes PII and PFI of employees and customers extracted from the hosted web pages.

The asking price for the initial access is USD 80,000, which is significantly higher than the typical price tag for initial access to an organizational network. This is almost certainly due to the notably high potential financial return for the successful exploitation of such significant access.

  • Between January 2023 and April 2024, the average asking price for illicit initial access sales publicized in DDW forums xss, Exploit, and RAMP was approximately USD 8,000.
  • The requested asking price of initial access is a reflection of the potential lucrativeness of the network access. This almost certainly takes into account factors such as the victim organization’s annual revenue, the type of access (virtual private network, remote desktop protocol, etc.), and any associated privileges that enable faster exploitation.

The description included in the advertisement suggests there is a likely chance that the victim is a web or cloud hosting organization with access to significant quantities of customer data. 

Privileged access to the web hosting tools of an organization's website can enable a threat actor to conduct an array of subsequent malicious activity.

  • The victim organization could be targeted in a digital extortion attack, whereby the buyer leverages ransomware to extract significant payment in exchange for the alleged deletion of the data. This would likely cause financial, operational, and reputational damage.
  • The threat actor may target the victim’s clients by abusing their hosted web pages, for example by injecting malicious scripts or redirects into the pages (stored cross-site scripting) or by querying the sites’ databases directly rather than through SQL injection. Credentials and configuration files recovered from the hosting accounts could then be used to pivot toward the client organizations’ own servers, putting them at risk of data theft or phishing attacks.
  • The end users of the compromised web pages’ services could also be targeted, resulting in phishing, impersonation attacks, or fraudulent activity. Their stolen information could also be used to extort the web page owners in large-scale data extortion campaigns, similar to those conducted by the threat group Cl0p during 2023.

Synthetic does not have an established posting history on RAMP, but the advertisement indicates that sales will take place using the forum’s escrow service, which significantly increases the credibility of both the sale and the actor. Due to the actor’s limited exposure and the nature of the advertised access, there is a roughly even chance that synthetic is an insider selling information obtained through legitimate access and trust.

Bassterlord Returns to Sell Third Malicious Publication

On April 7, 2024, the username “mazzon” (almost certainly an account associated with the threat actor “Bassterlord”) posted in the DDW forum xss. The thread addressed multiple topics and was locked shortly after it was posted, following a request from the author.

Bassterlord is a positive-reputation threat actor that has been active in DDW forums since approximately 2019 and has been involved in various nefarious activities.

  • The actor has previously described themselves as an “Access Broker” and has published two separate manuals titled “Nobody will tell you this” (versions 1.0 and 2.0). The documents, which were leaked in Q2 2023, provide guidance such as how to breach the networks of organizations and were generally well received and highly regarded by their target audience.
  • Bassterlord has almost certainly been heavily involved with the prominent threat groups LockBit, REvil, and Avaddon, including leveraging their malware in ransomware and digital extortion (R&DE) attacks.
  • Since 2020, Bassterlord has authored periodic threads and blog posts both in DDW forums and on open source social media platforms, as well as conducted interviews with cybersecurity researchers.

The recent thread provides a general update covering the threat actor and their affiliated group, the NHA. Bassterlord claims that, following the February 2024 LE disruption of LockBit, the NHA was under close surveillance by the Federal Bureau of Investigation (FBI). This led to the seizure of all of the NHA’s funds, including those held in Monero (XMR).

The NHA subsequently destroyed “everything they could”, which very likely refers to the disbanding of its associated digital infrastructure and the cessation of operations.

  • Following the LE operation, an indictment was unsealed in a U.S. District Court that gives an overview of Bassterlord’s suspected malicious activity.
  • Bassterlord outlines some of the tactics, techniques, and procedures (TTPs) leveraged by the FBI during the operation, attributing the fault to the insufficient operational security practices of affiliates.

ZeroFox has observed two previous instances in which Bassterlord claims to be ceasing activities and quitting the R&DE marketplace.

  • There is a roughly even chance that recent LE scrutiny resulted in a genuine attempt by Bassterlord to “retire.” It is equally plausible, however, that these statements are intended as disinformation aimed at LE and security researchers.

The thread also sought to advertise the release of Bassterlord’s most recent publication, “Nobody will tell you this V3.0.” The new manual allegedly assists R&DE operatives in mass brute-force targeting of corporations, including how to “organize” attacks, and also allegedly includes “the latest developments of the access mining team.”

  • Previous iterations of the manual are widely considered as educational and designed for those that are “new to the subject.” In a 2023 interview, Bassterlord reportedly claimed that even an individual with minimal experience could conduct a ransomware attack if in possession of V1.0 and V2.0.
  • The publication is very likely aimed at educating malicious actors in the targeting of organizational VPN portals. During 2023, ZeroFox Intelligence observed an increase in DDW announcements pertaining to the sale of various checkers and brute force tools designed to compromise corporate VPN networks.
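The defensive counterpart to the brute-force and checker tooling described above is detection of the two patterns such tools produce against a VPN portal: many failures against one account from one source (classic brute force) and a few attempts against many accounts from one source (password spraying, which stays under per-account lockout thresholds). The following Python example is added here for illustration and is not code from the ZeroFox post or from any VPN vendor. The log format is a constructed, generic one (timestamp, username, source IP, result), not the format of any particular product, and the window and threshold values are assumptions to be tuned per environment.

```python
"""Detect brute-force and password-spraying patterns in VPN authentication logs.

Added illustrative example (not from the original post). The log format below
is constructed and generic; real VPN appliances log differently and the
parse_line() function would need adapting. Thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Assumed format per line:
#   <ISO-8601 UTC timestamp> <username> <source IP> <AUTH_OK|AUTH_FAIL>
# 203.0.113.7  : one password tried against five accounts, then a success (spray)
# 198.51.100.9 : six failures against a single service account (brute force)
# 192.0.2.20   : a user mistypes once and then logs in (benign)
SAMPLE_LOG = """\
2024-04-08T02:00:01Z alice 203.0.113.7 AUTH_FAIL
2024-04-08T02:00:03Z bob 203.0.113.7 AUTH_FAIL
2024-04-08T02:00:05Z carol 203.0.113.7 AUTH_FAIL
2024-04-08T02:00:07Z dave 203.0.113.7 AUTH_FAIL
2024-04-08T02:00:09Z erin 203.0.113.7 AUTH_FAIL
2024-04-08T02:00:11Z frank 203.0.113.7 AUTH_OK
2024-04-08T02:01:00Z svc-backup 198.51.100.9 AUTH_FAIL
2024-04-08T02:01:01Z svc-backup 198.51.100.9 AUTH_FAIL
2024-04-08T02:01:02Z svc-backup 198.51.100.9 AUTH_FAIL
2024-04-08T02:01:03Z svc-backup 198.51.100.9 AUTH_FAIL
2024-04-08T02:01:04Z svc-backup 198.51.100.9 AUTH_FAIL
2024-04-08T02:01:05Z svc-backup 198.51.100.9 AUTH_FAIL
2024-04-08T09:15:00Z alice 192.0.2.20 AUTH_FAIL
2024-04-08T09:15:20Z alice 192.0.2.20 AUTH_OK
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, user, src, result = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    if result not in ("AUTH_OK", "AUTH_FAIL"):
        return None
    return {"time": when, "user": user, "src": src, "ok": result == "AUTH_OK"}


def detect(log_text, window=timedelta(minutes=10), spray_users=5, bruteforce_fails=5):
    """Return alerts for each source IP whose failures within `window` exceed
    either threshold. A spray is >= spray_users distinct accounts failing; a
    brute force is >= bruteforce_fails failures against one account. Each
    alert also records whether a success followed the failures from that
    source, which is the signal that most needs immediate triage."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    events.sort(key=lambda e: e["time"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}  # (src, kind, user-or-None) -> alert

    def raise_alert(src, kind, users, success):
        key = (src, kind, users[0] if kind == "brute_force" else None)
        a = alerts.setdefault(key, {"src": src, "kind": kind, "users": set(),
                                    "followed_by_success": False})
        a["users"].update(users)
        a["followed_by_success"] = a["followed_by_success"] or success

    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it spans at most `window` of time.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            win = evs[start:end + 1]
            fails = defaultdict(int)
            for x in win:
                if not x["ok"]:
                    fails[x["user"]] += 1
            if not fails:
                continue
            first_fail = min(x["time"] for x in win if not x["ok"])
            # A success from the same source after failures began suggests the
            # attacker found a working credential.
            success = any(x["ok"] and x["time"] >= first_fail for x in win)
            if len(fails) >= spray_users:
                raise_alert(src, "password_spray", sorted(fails), success)
            for user, n in fails.items():
                if n >= bruteforce_fails:
                    raise_alert(src, "brute_force", [user], success)

    out = []
    for a in alerts.values():
        a["users"] = sorted(a["users"])
        out.append(a)
    return sorted(out, key=lambda a: (a["src"], a["kind"]))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the detector flags 203.0.113.7 as a password spray that was followed by a successful login and 198.51.100.9 as a brute force against svc-backup, while alice's single typo from 192.0.2.20 produces nothing. In production the same logic would run over the appliance's real authentication events, and the "followed_by_success" cases would be the ones to escalate first, since phishing-resistant MFA on the portal is what turns a guessed password into a non-event.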

The asking price for V3.0 is advertised as USD 2,000, though a buyer may remove the product from the market for USD 200,000. Transactions use the forum’s guarantor (escrow) service.

  • There is a roughly even chance that Bassterlord’s recent claim they are ceasing activities is an attempt to boost sales of their new publication.
  • There is a roughly even chance that the subsequent locking of the thread is indicative of a single buyer making an exclusive purchase. It may also have been purchased by a competing threat actor seeking to remove it from the marketplace and gain exclusive access to the information.

ZeroFox Intelligence Recommendations

  • Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
  • Implement network segmentation to separate resources by sensitivity and/or function.
  • Implement secure password policies with phishing-resistant multi-factor authentication (MFA), complex passwords, and unique credentials.
  • Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated TTPs.
  • Ensure critical, proprietary, or sensitive data is regularly backed up to secure, off-site, or cloud storage on a schedule matched to how quickly the data changes, and periodically test that backups can actually be restored.
  • Develop a comprehensive incident response strategy.
  • Configure email servers to block emails with malicious indicators and deploy authentication protocols to prevent spoofed emails.
  • Deploy a holistic patch management process and ensure all IT assets are updated with the latest software updates as quickly as possible.
  • Configure ongoing monitoring for compromised account credentials, including proactive monitoring for accounts being brokered in deep and dark web forums.

Learn More about the Authors Behind The Underground Economist

The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you. Learn more here.

Tags: Threat Intelligence