The Underground Economist: Volume 4, Issue 14
Dark Web Forum Hosts Discussion over Usability of Physical Access to Commercial Office Spaces
On July 18, 2024, an untested actor named “saltyyy” posted in the dark web forum Omniforums (to which they had recently registered), attempting to ascertain if their peers had interest in procuring physical access to commercial office spaces. While not specifically stated, saltyyy implied that they were able to offer physical access to server rooms and office spaces that host digital infrastructure belonging to Fortune 500 companies and government entities.
Other forum participants questioned the usefulness of such access, stating that both physical security measures such as cameras and electronic badge readers and digital security measures like encryption and privilege restrictions would prevent any exploitation from taking place.
While this post is unlikely to represent an imminent threat, it highlights the diverse tactics, techniques, and procedures (TTPs) that threat actors are willing to explore, develop, and monetize in order to facilitate malicious cyber activity. It also accentuates the necessity for organizations to adopt comprehensive security protocols that address the growing convergence of physical and cyber threats. These threats are likely to be exacerbated in the coming years as organizations adopt increasingly diligent cybersecurity measures, resulting in threat actors seeking alternative means of gaining malicious access.
SiegedSec Announces Disbandment Following Breach of Think Tank Institute
On July 9, 2024, hacktivist collective “SiegedSec” announced their alleged success in breaching a network associated with The Heritage Foundation, claiming to have stolen over 200GB of data that includes passwords and personally identifiable information (PII). In the announcement, SiegedSec revealed their stance on The Heritage Foundation-led conservative initiative known as “Project 2025”, which the actor describes as “an authoritarian Christian nationalist plan to reform the United States government.”
- SiegedSec is a hacktivist group that was first observed in approximately April 2022 and often refers to itself as the “gay furry hackers.”
- The group was initially a member of “The Five Families”, a unified hacker collective that has conducted financially, ideologically, and politically motivated attacks against organizations across the globe.
- Since its inception, SiegedSec has conducted data theft and disruption attacks against organizations promoting what the group has deemed to be “right-wing” political agendas. Targets have included several U.S. state governments, as well as legal, scientific, and religious institutions. In April 2024, SiegedSec announced its intent to target churches, media establishments, and other entities it perceives to be infringing on the rights of transsexual individuals and communities.
The next day, SiegedSec revealed alleged correspondence with a senior representative of The Heritage Foundation, providing insight into the nature of their conversations. This was followed by a Telegram post announcing SiegedSec’s disbandment, with law enforcement scrutiny and mental health among the cited reasons. Given the intense and threatening nature of the previously revealed conversations between SiegedSec and The Heritage Foundation, it is likely that they contributed to SiegedSec’s alleged decision to cease operations.
Notorious threat actor “IntelBroker” re-published the leaked information to the hacking forum BreachForums on July 11, 2024. This is very likely to significantly expand the reach and accessibility of the information and increase the likelihood of it being leveraged in social engineering, spam, or blackmail activity.
New Extended Validation Code-Signing Service Advertised
On June 30, 2024, untested actor “enryu” advertised a new extended validation (EV) code-signing service on the primarily Russian-speaking dark web forum Exploit. According to the advertisement, illicit validation certificates can be purchased that allow malicious webpages to bypass security protocols such as SmartScreen, Windows User Account Control, and Windows Defender, as well as some third-party antivirus (AV) software such as Kaspersky, Avast, and Malwarebytes.
- Compared to SSL/TLS-encrypted web pages certified with domain validation (DV) or organization validation (OV) certificates, those with EV provide a higher level of verification security assurance.
- EV-certified web pages often offer the interacting end user visual reassurance, such as the requested URL being preceded by a green padlock and the organization’s name. They are also much less likely to trigger alerts from the operating system or third-party security software programs. Both of these translate to higher levels of endorsement and subsequent end user trust.
- Enryu’s orders are allegedly completed within 24 hours and available to a single buyer only. This is a faster turnaround than that offered by many competing services, which typically range between two and five days.
According to enryu, a single certificate costs USD 500, with other options of “one week” and “one month” advertised for USD 1,500 and USD 2,900, respectively. While it is not specified what these options relate to, it is likely the length of time for which a certificate is valid.
If this is the case, enryu’s service is slightly more expensive than others observed by ZeroFox, which typically charge between USD 1,500 and USD 3,000 for a single certificate valid for one year, depending on the certificate authority. There is a roughly even chance that enryu’s higher price is due to the ability to bypass additional security protocols.
Illicit validation certificates offer cyber threat actors the ability to augment a wide array of malicious activities, such as the deployment of disruptive malware to target networks, enhanced social engineering attacks, or data theft resulting in operational disruption, extortion, or fraud. To enable this, threat actors attract victims to malicious web pages by leveraging techniques such as SMS and email phishing, domain spoofing, and—if the web page is able to establish a positive reputation—search engine optimization (SEO) poisoning.
- Threat actors almost certainly seek to leverage illicit validation certificates in as many separate, lucrative attacks as possible to justify their price tag. However, they are sought after and often revoked by certificate authorities, web browser vendors, and threat researchers.
- EV-certified web pages do not implicitly allow files that the end user downloads from them to bypass the same security protocols. There is a roughly even chance that downloaded files will be scrutinized by security software regardless of their originating location.
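The two points above (illicit certificates are routinely revoked, and an EV signer does not exempt a downloaded file from scrutiny) translate into a concrete triage step on the Windows endpoint. The following PowerShell script is an added example, not code from ZeroFox or from the report: it reads the Authenticode signature of a downloaded executable, checks whether the signer certificate asserts the CA/Browser Forum EV code-signing policy OID (2.23.140.1.3), rebuilds the chain with online revocation checking so a revoked certificate fails, and confirms the file still carries its Mark-of-the-Web stream, which SmartScreen relies on. The file path is supplied by the analyst; the text match on the formatted policy extension relies on the Windows certificate formatter, and the final "Block"/"Review" verdict is an illustrative policy, not a product rule.

```powershell
# Added example (not from the ZeroFox report): triage a downloaded Windows
# executable the way a defender should, treating an EV code-signing
# certificate as one signal, not as a trust decision.
# Assumes: $Path points at a locally downloaded file; Windows PowerShell or
# PowerShell 7 on Windows (the policy-extension text match uses the Windows
# certificate formatter).

param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# CA/Browser Forum policy OID asserted by EV code-signing certificates.
$EvCodeSigningOid = '2.23.140.1.3'

function Get-SignerTriage {
    param([string]$FilePath)

    $result = [ordered]@{
        File            = $FilePath
        SignatureStatus = 'NotSigned'
        Signer          = $null
        ClaimsEV        = $false
        ChainValid      = $false
        ChainErrors     = @()
        HasMarkOfTheWeb = $false
        Verdict         = 'Review'   # illustrative verdict, not a product rule
    }

    # 1. Authenticode signature state (Valid, NotSigned, HashMismatch, NotTrusted, ...).
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $result.SignatureStatus = $sig.Status.ToString()

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer = $cert.Subject

        # 2. Does the leaf certificate assert the EV code-signing policy?
        #    2.5.29.32 is the X.509 Certificate Policies extension.
        $policyExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
        if ($policyExt -and ($policyExt.Format($true) -match [regex]::Escape($EvCodeSigningOid))) {
            $result.ClaimsEV = $true
        }

        # 3. Rebuild the chain with online revocation checking. Illicitly
        #    obtained certificates are commonly revoked, and a revoked chain
        #    fails here even though the signature itself still verifies.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $result.ChainValid  = $chain.Build($cert)
        $result.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    }

    # 4. Mark-of-the-Web: files saved by a browser carry a Zone.Identifier
    #    alternate data stream that SmartScreen consults. A "downloaded" file
    #    without it has had that check stripped and deserves closer review.
    $result.HasMarkOfTheWeb = [bool](Get-Item -Path $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue)

    # A valid signature with an EV policy and a clean chain still only earns
    # "Review": the file goes through the same AV/sandbox pipeline as any
    # other download. Anything less is blocked outright.
    if ($result.SignatureStatus -ne 'Valid' -or -not $result.ChainValid) {
        $result.Verdict = 'Block'
    }
    [pscustomobject]$result
}

Get-SignerTriage -FilePath $Path | Format-List
```

Run it as `.\Triage-Download.ps1 -Path C:\Users\analyst\Downloads\installer.exe` (constructed path). The useful field is the combination: `ClaimsEV = True` with `ChainErrors` containing `Revoked` is exactly the pattern a certificate from a service like the one advertised above produces once the certificate authority acts on it, and `HasMarkOfTheWeb = False` on a file the user says they downloaded indicates the SmartScreen path was bypassed before the file ever reached the signature check.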
Given the versatility offered by initial network access, services such as these are very likely to appeal to a wide range of threat actors with varying intents and motivations, leading to their continued development, competitiveness, and innovation.
Positive Reputation Actor Advertises Access to Managed Service Providers
On June 28, 2024, a positive-reputation threat actor named “uroboros” advertised network access to two U.S.-based managed service providers (MSPs) in the primarily Russian-speaking dark web community RAMP. According to the post, the first organization has 1,700 “PC” in their administration panel, and the second has 1,400. This very likely refers to the number of network endpoints contained within the victim networks that can be illicitly accessed—likely via a remote monitoring and management (RMM) tool. Although not initially advertised, uroboros updated the post on June 10, 2024, to include an asking price of USD 6,000.
- The next day, uroboros also advertised network access with admin rights to an Israel-based organization with an alleged annual revenue of USD 30 million. The advertisement is very likely reflective of a continued interest in Israel-based targets amongst both financially and ideologically-motivated threat actors.
- Much of uroboros’ positive reputation almost certainly originates from a single RAMP post in May 2023 advertising network access to two U.S.-based companies with alleged annual revenues of USD 2.6 billion and USD 1 billion. The advertisement also included a zero-day vulnerability targeting a commonly-used virtual private network (VPN) provider.
MSPs are very likely considered potentially highly lucrative targets by financially-motivated threat actors, such as ransomware and digital extortion (R&DE) collectives. Successful network intrusion would likely enable access to networks belonging to the MSP’s client organizations, leading to the compromise of multiple organizations simultaneously. This threat is exacerbated by the implicit trust underlying MSP-client relationships, as it increases the likelihood that the threat actor would be able to leverage enhanced access or administrator rights.
If data is successfully exfiltrated, the threat actor would likely have the opportunity to exploit both the victim organizations and the MSP, a tactic commonly observed in attacks targeting organizations containing vast quantities of third-party data.
Ransomware Services Gain Traction in Dark Web Forums
In June 2024, two ransomware and digital extortion (R&DE) collectives advertised their intent to attract additional affiliates with posts in the primarily Russian-speaking dark web forum RAMP. The two outfits—which are unlikely to be related—both specified their need for various specialists, almost certainly alluding to their intent to expand capabilities and increase operational tempo.
On June 26, 2024, untested actor “DragonForce” advertised collaboration opportunities to individuals or “teams” able to carry out penetration testing, as well as other unspecified “specialists.” The post likely attracted significant attention, as an update (posted on July 4, 2024) outlined several stringent requirements that potential affiliates must meet, one of which is to demonstrate that a potential victim has an annual revenue above USD 5 million.
- DragonForce has conducted extortion attacks relatively consistently since approximately December 2023, averaging nine per month up to July 2024. Their most frequently targeted industries are manufacturing, construction, and retail, with the majority of victim organizations located in North America and Europe.
- DragonForce has been observed leveraging the LockBit 3.0 ransomware builder, leaked in approximately Q3 2022. The collective leverages a double extortion technique, encrypting and exfiltrating targeted data.
DragonForce described their service as state-of-the-art, listing many features that would be made available to prospective affiliates. Many such features appear to enhance the usability of the internal environment, such as a comprehensive administration panel and customer support options, as well as bolster security, such as globally-dispersed digital infrastructure.
Despite the announcement originally being posted in Russian, DragonForce did not include the typical warning against targeting entities within the Commonwealth of Independent States (CIS). However, there is a roughly even chance that this is implied, given that the advertisement was posted in the Russian-speaking community RAMP.
On June 29, 2024, positive-reputation actor “Cicada3301” advertised a new Ransomware-as-a-Service (RaaS) under the same name and announced their search for pentesters and “access advertisers” (very likely synonymous with initial access brokers) with which to affiliate.
In addition to many of the features generally expected from modern RaaS operations—such as fast and secure encryption and an ability to operate offline—Cicada3301 also claims its RaaS is compatible with all versions of Microsoft Windows from 7 onwards, as well as Linux distributions. The advertisement specifically states that attacks against CIS targets are prohibited.
DragonForce and Cicada3301 are both very likely credible and adept RaaS operations capable of posing a threat—primarily to Western organizations. Their manifestation in the wake of significant disruption affecting prominent R&DE outfits in early 2024 very likely reflects an intent to capitalize upon a perceived market gap and affiliates of various specializations that are seeking new opportunities. The innovative features advertised very likely attempt to appeal to prospective partners and affiliates—particularly those centered around ensuring secure operations. Given the likely relative abundance of available affiliates, RaaS operators will very likely continue to employ highly selective recruitment processes.
ZeroFox Intelligence Recommendations
- Develop a comprehensive incident response strategy.
- Deploy a holistic patch management process, and ensure all IT assets are patched with the latest software updates as quickly as possible.
- Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
- Implement network segmentation to separate resources by sensitivity and/or function.
- Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
- Implement secure password policies, phishing-resistant multi-factor authentication (MFA), and unique credentials.
- Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
- Proactively monitor for compromised accounts and credentials being brokered in deep and dark web forums.
- Ensure social media accounts are configured with the platform’s built-in security features, such as phishing-resistant multi-factor authentication and complex, unique passwords.
- Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated TTPs.