The Underground Economist: Volume 4, Issue 6

Welcome back to The Underground Economist: Volume 4, Issue 6, an intelligence-focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team.

The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of March 14, 2024.

Threat Actors Continue to Exploit ZeroLogon Vulnerability

Nearly four years after its discovery, CVE-2020-1472 (ZeroLogon) is almost certainly still being exploited by malicious actors. On March 10, 2024, well-regarded English-speaking threat actor “Secdat9xx” posted in deep and dark web (DDW) community RAMP a detailed, two-part manual covering how the ZeroLogon vulnerability can still be exploited.

• ZeroLogon is a privilege-elevation vulnerability with a NIST severity score of 10.0 (critical). Successfully exploited, it enables threat actors to establish a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). This can enable the attacker to gain domain administrator access.

The first part of the manual covers scanning for potentially vulnerable servers via Censys to collect their IPs. Then, coder “dirkjanm”’s 2020 proof-of-concept (PoC) for ZeroLogon and the CrackMapExec network pentesting tool, both readily available on GitHub, are deployed to identify the vulnerable servers from the IP list generated via Censys. A Metasploit module is then deployed to remove an administrator’s password. Utilizing these steps, Secdat9xx was able to access the active directory of the entity at innotech-sa[.]com (a technological company based in Saudi Arabia) via the pass-the-hash technique.

RAMP post by Secdat9xx introducing exploitation instructions
Source: ZeroFox Intelligence

• The actor’s peers on RAMP reacted positively to the manual, and some of them will likely be prompted to implement or repost it.

• The finding indicates that a sufficient number of networks remain vulnerable to warrant a threat actor leveraging the ZeroLogon attack flow. This reinforces the often-made observation that many successful cyberattacks occur via the leveraging of well-developed exploits and attack flows against networks that remain vulnerable a significant length of time following the initial identification and remediation of vulnerabilities. 

X Account Sales in DDW Forums Continue to Diversify

On March 8, 2024, positive-reputation Russian-speaking threat actor “investimer” announced in DDW forum exploit[.]in that they are selling X accounts that include either USD 500 or EUR 500, which can be spent on promotional ads. The accounts, which are advertised for USD 50 each, also include details for an associated payment method.

• As of Q1 2024, eligible X business accounts may purchase ads, which are used to publicly promote their content. As of the writing of this report, it is not clear how malicious users spend this advertising credit. However, this is very likely to appeal to politically or ideologically-motivated threat actors seeking to influence opinion, as well as to those able to leverage malicious advertisements in the conducting of social engineering campaigns.
• The inclusion of payment information indicates it is likely the USD/EUR 500 credit has been funded by personal data, which has been stolen along with the accounts themselves.

The actor’s Telegram channel, Kendrik Shop, allows buyers to make automated purchases without interaction with the seller. At the time of writing, 10 accounts were for sale in the shop and can be purchased via several types of cryptocurrencies—including Bitcoin (BTC), Ethereum (ETH), or Tether (USTD)—offering anonymity for the buyer.

ZeroFox has observed several new services specializing in the sale of illicitly-obtained social media accounts in 2024, indicating a very likely chance that they are growing in popularity. X accounts are almost certainly in the highest demand; this is very likely due in part to low levels of moderation, high levels of inherent anonymity, and the ability of threat actors to leverage licit as-a-service tools to bypass Know Your Customer (KYC) protocols, which are often associated with the creation of social media accounts.

Post by investimer advertising X accounts for sale
Source: ZeroFox Intelligence

Threat Actors Target Israel over Possible Rafah Incursion

On March 3, 2024, hacktivist organization Handala boasted on dark web forum RAMP of successfully infiltrating the servers of DRS Rada Technologies (RADA), an Israeli defense company that manufactures radar solutions and legacy avionics systems. The group also claimed an attack against Israel’s Iron Dome infrastructure.

• The latter is more high profile, as the Iron Dome is a well-known, anti-missile technology that Israel has used to down projectiles fired from Gaza. 
• However, the targeting of radar technologies could be more impactful as Israel currently utilizes its air force more frequently than the Iron Dome, which was primarily used at the onset of the war when Hamas was able to maintain constant rocket attacks on Israel. 
• ZeroFox notes that previous claimed attacks against the Iron Dome, most recently by self-styled hacktivist organizations Anonymous Sudan in May 2023 and Anonymous Arabia in January 2024, appear to have had little impact on the system.

Handala’s claim of hacking RADA
Source: ZeroFox Intelligence

Handala claimed that it could have targeted “all flying planes” but did not do so since the group is not “like the occupying Zionists” who “kill children." 

• While it is highly unlikely the group could have downed Israeli aircraft, Handala did claim to have taken down RADA’s factory data, and the company’s website remains down. 
• A prolonged outage could impact Israel's ability to carry out its military operations. If the leaked radar output and stolen technical information were disclosed to Israel’s regional enemies, such as Iran, it could put Israeli forces at a disadvantage against Tehran’s proxies—particularly in the case of a significant escalation with Hezbollah, which is thought to possess up to 150,000 rockets and missiles that could be used against air and ground targets. 

In addition to live radar interface instances, the actor also claimed to have accessed RADA’s factories. Allegedly, 2 terabytes of data were stolen and can be disclosed to the DDW public. Handala left its TOX contact, indicating the group expected representatives of RADA to contact them and negotiate regarding the stolen data. 

• No ransom value was stated, indicating the group has political rather than financial motives. 

The websites drsrada[.]com and rada[.]co[.]il were also defaced with messages threatening more attacks if Israel continues with its offensive in Rafah.

Defacement message on drsrada[.]com and rada[.]co[.]il
Source: ZeroFox Intelligence

• Handala also has a website “under construction” at handala[.]cx, indicating that the team plans on expanding its activities.

Website “under construction” at handala[.]cx
Source: ZeroFox Intelligence

This development comes against a backdrop of intensive ceasefire negotiations and Israeli threats to invade the southern Gazan city of Rafah during Ramadan (March 10–April 9, 2024). According to numerous reports, Israeli officials have agreed to the “framework” of a deal that would see a six-week ceasefire, including the release of an unspecified number of hostages held by Palestinian militants in the Gaza Strip. However, the agreement hit a snag when Hamas failed to provide a list of living hostages, claiming that gathering such information is impossible in an active war zone. Disagreements also reportedly remain regarding the right of Palestinian citizens to reoccupy their homes in areas declared “cleared” by Israeli forces. 

The international community, and especially the United States, has continued to push for a deal to ease the humanitarian crisis in the enclave, which became more pressing following the Al-Rashid incident in which over 100 Palestinian civilians were killed while attempting to get food from aid trucks on February 29, 2024.

The failure to secure a ceasefire and further humanitarian issues triggered by a subsequent invasion of Rafah, which currently houses hundreds of thousands of refugees, would likely incentivize pro-Palestinian actors to increase cyberattacks against Israeli targets and interests. 

Recommendations

• Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege. 
• Implement network segmentation to separate resources by sensitivity and/or function. 
• Implement secure password policies with phishing-resistant multi-factor authentication (MFA), complex passwords, and unique credentials.
• Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).
• Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently. 
• Develop a comprehensive incident response strategy.
• Configure email servers to block emails with malicious indicators and deploy authentication protocols to prevent spoofed emails.
• Deploy a holistic patch management process and ensure all IT assets are updated with the latest software updates as quickly as possible. 
• Proactively monitor for compromised accounts being brokered in deep and dark web forums. 
• Configure ongoing monitoring for Compromised Account Credentials.

Learn More about the Authors Behind The Underground Economist

The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you. Learn more here.