Investigation, Ransomware

Ransomware – State of Play February 2024

SOS Intelligence is currently tracking 180 distinct ransomware groups, with data collection covering 348 relays and mirrors.

In the reporting period, SOS Intelligence has identified 395 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor.  Our analysis is presented below:

LockBit has maintained its position as the most active and popular ransomware strain.

This is despite significant law enforcement interruption, the impact of which will be discussed further below.

Despite law enforcement action towards the end of 2023, ALPHV/Blackcat has maintained a strong presence online and continues to post victim data.  However, owing to how the ransomware process operates, this could be seen to be victims compromised before law enforcement takedown of ALPHV/Blackcat infrastructure.

Increased activity has been identified amongst the BianLian, Play, QiLin, BlackBasta, 8base and Hunters ransomware strains.  This increase may be attributed to these strains absorbing affiliates from LockBit and ALPHV/Blackcat as those services went offline.

This month, Ransomhub, AlphaLocker, Mogilevich, & Blackout have emerged as new strains.  Mogilevich has been observed targeting high-value victims, including Epic Games, luxury car company Infiniti, and the Irish Department of Foreign Affairs.

Group targeting continues to follow familiar patterns in terms of the victim’s country of origin.

Attacks have increased in South American countries, particularly in Argentina, which may be a response to presidential elections in November 2023 in which the far-right libertarian Javier Milei was elected.

Targeting continues to follow international, geopolitical lines.  Heavy targeting follows countries that have supported Ukraine against Russia.  Attacks against Sweden continued as it pressed ahead with preparations to join NATO.   This highlights the level of support ransomware groups continue to show towards the Russian state, and they will continue to use cyber crime to destabilise and weaken Western and pro-Ukrainian states.

Manufacturing and Construction and Engineering have remained the key targeted industries for February.  These industries would be more reliant on technology to continue their business activities, and so it logically follows that they would be more likely to pay a ransom to regain access to compromised computer systems.  The Financial, Retail & Wholesale, Legal, and Education sectors have also seen increased activity over the period.  Health & Social Care has seen a significant increase over the period.  This is likely in response to several groups, including ALPHV/Blackcat reacting to law enforcement activity and allowing their affiliates to begin targeting these industries.

We are seeing a shift in tactics for certain industries, particularly those where data privacy carries a higher importance (such as legal or healthcare), where threat actors are not deploying encryption software and instead relying solely on data exfiltration as the main source of material for blackmail and extortion.

LockBit Takedown

On 20 February, an international law enforcement effort was successful in taking control of and shutting down the infrastructure of the LockBit ransomware strain.  Much has been disclosed and said regarding the takedown, some of it speculative.  However, it was confirmed by the UK’s National Crime Agency (NCA) and the US’s Federal Bureau of Investigation that control of their dark web domains and infrastructure was obtained, providing them with significant information regarding the activity of the LockBit group and its affiliates.

Since then, multiple LockBit blog sites have re-emerged, and new data continues to be published.  However, it is not clear whether or not this is new activity since the takedown.  It is more likely that these are victims compromised before law enforcement activity which are only now being blackmailed with data release.

We are continuing to monitor the ransomware landscape at this time to properly analyse the impact this takedown will have.  This event has had a significant impact on the reputation of the LockBit group, with many affiliates angry at the perceived lack of operational security resulting in the possible identification of their real-world identities.  We are anticipating many of these will look to gain access to the affiliate programs of other strains, and so we will expect to see a significant increase in reported attacks from those strains in the coming weeks and months.  As for LockBit, the threat actors behind the group remain active, and it is likely we will see a re-emergence as a new group in due course.

ALPHV/Blackcat exit scam

The ALPHV/Blackcat group is making headlines for all the wrong reasons.  After first having their leak site taken over by law enforcement, they now appear to have absconded with affiliate funds.

In February 2024, ALPHV/Blackcat announced an attack against healthcare provider Change Healthcare (part of United Health Group).  Following this, a ransom of $22 million was paid to ALPHV.  Several days later, the responsible affiliate took to the cybercrime forum RAMP to state that they hadn’t been paid their share of the spoils (potentially up to 90%).  It appears now that the group has collapsed from within, ending with a final exit scam as they shut down operations.  The group have further claimed to have sold their source code in the process, so we may see copycat groups emerge in due course.

While the dissolution of a notorious group should be celebrated, especially following successful law enforcement activity, it should be noted that shutting down in this way presents a significant risk to recent victims.  The affiliate responsible for the Change Healthcare data, as well as affiliates who may have been similarly affected, are likely to still hold victim data and so, for those victims, there remains a risk that they may be further blackmailed as affiliates attempt to recoup their lost earnings.

Photo by FLY:D on Unsplash

Investigation, Ransomware

Ransomware – State of Play January 2024

SOS Intelligence currently tracks 173 distinct ransomware groups, with data collection covering 324 relays and mirrors.

In the reporting period, SOS Intelligence has identified 274 instances of publicised ransomware attacks.  These were identified through the publication of victim details and data on ransomware blog sites accessible via Tor.  Our analysis is presented below:

Threat Actor Activity

Lockbit has remained the market leader, maintaining a market share of approximately 23%.  Blackbasta, Akira, Trigona, 8base and Bianlian have seen significant increases in activity over the month, while there have been decreases in activity from Cactus, Werewolves, Siegedsec, Dragonforce, and Play.

January is typically a quieter month for ransomware threat actors.  In 2022, the volume of attacks was 17% less than the yearly average. In 2023, this increased to 54%.  This slowing of activity is likely due to the proximity of several national and religious holidays observed globally between December and January.  However, in 2024, we observed a significant increase in attacks across January.  Two factors stand out as possible causes for this:

  1. Ongoing global hostilities

It has been observed that pro-Russian cybercriminal groups have been vocally supportive of the ongoing war in Ukraine, and have diverted significant resources in targeting the supporters of Ukraine.  Similar patterns have been noted in the targeting of victims in countries which have shown support for Israel.

Although ransomware groups and threat actors are primarily financially motivated, their resources and skills are often seen turned against perceived enemies of the state, blurring the lines between criminal and hostile state activity.

  2. Counter Ransomware Initiative

The Counter Ransomware Initiative (CRI) is a US-led group of 50 nations and organisations dedicated to promoting solidarity and support in the face of ransomware activity.  In October 2023, CRI members pledged not to pay ransoms when faced with cyber attacks.

As a result, it is expected that the number of observed postings to ransomware blogs will increase as victims no longer pay ransoms.  This may show an increase in victims’ data being published, rather than an overall increase in the number of victims.

Country Targeting

As stated above, ransomware threat actors’ choice of targets can be politically motivated, as well as financially.  This is why we continue to see the majority of attacks target the USA, UK, Canada, France, Germany and Italy.  As members of the G7, these countries have strong economies and therefore possess lucrative targets for financially-minded threat actors.  However, this surge in activity may be politically motivated.  Continued support for Israel and Ukraine may give certain threat actors additional motivation to target those countries.

This month has seen an increase in attacks against victims in Sweden.  Sweden is in the process of joining NATO, which appears to have presented the country as a target for pro-Russian threat actors in support of the Russian state.  Sweden’s membership would increase NATO’s presence in and around the Baltic Sea, a key waterway for allowing the Russian Navy into the North Sea and onward into the Atlantic.  Furthermore, it would increase a NATO presence close to Russia’s border with the rest of Europe.

Industry Targeting

Manufacturing, Construction & Engineering, and Logistics & Transportation have remained the key targeted industries for January.  These industries would be more reliant on technology to continue their business activities, so it logically follows that they would be more likely to pay a ransom to regain access to compromised computer systems.  The Financial and Education sectors have also seen increased activity over the period.

We are seeing a shift in tactics for certain industries, particularly those where data privacy carries a higher importance (such as legal or healthcare), where threat actors are not deploying encryption software and instead relying solely on data exfiltration as the main source of material for blackmail and extortion.

ALPHV/Blackcat

In December 2023, law enforcement agencies from multiple jurisdictions targeted the ALPHV/Blackcat ransomware group, disrupting the group’s activities and seizing their domain.  Shortly after, the domain was “un-seized” before law enforcement agencies took back control.  As a result of this action, the operators behind ALPHV/Blackcat have publicly withdrawn their rules regarding the targeting of Critical National Infrastructure (CNI), in apparent revenge for law enforcement activity.

Since the takedown, ALPHV/Blackcat activity has slowed but does not appear to have stopped.  In recent weeks they claim to have targeted and stolen confidential and sensitive data from Trans-Northern Pipelines in Canada, as well as Technica, a contractor working with the US Department of Defence, FBI, and USAF.

The veracity of these claims is still being investigated, and so should be taken with a grain of salt.  The ALPHV/Blackcat group has been hurt by law enforcement, impacting their operations and losing them customers.  Therefore, it is possible that exaggerated claims are being made to save face and their reputation amongst the cybercrime community.

Photo by FLY:D on Unsplash

Investigation, Opinion, Ransomware

Cybersecurity in 2024 – A Forward Look

2023 was a record year for cybercrime and threat actor activity, and we anticipate 2024 to be a continuation of this upward trend. Below we discuss a few key items we consider will be at the forefront of 2024’s cybersecurity landscape.

Expansion of ransomware operations

2023 was a record year for ransomware operators.  Reported attacks were nearly double the numbers seen in 2022. The most successful groups operated as ransomware-as-a-service (RaaS), allowing them time to improve and develop their product whilst others worked to deploy the malware and bring in the money.

Law enforcement has been extremely active against these groups, taking down infrastructure relating to the HIVE and ALPHV variants. However, in the latter’s case, this has seemingly slowed, but not halted, their operations, and they remain active in some capacity into 2024. Current data has shown a slight decline in the number of posts to their leak site; however, this is a common pattern seen across many different variants and is likely due to the links to Russia and periods of inactivity over the holiday period.

We expect this year to be no exception to the continued growth of ransomware operations.  It remains a lucrative opportunity for threat actors and the RaaS operating model allows less-skilled operators to partake in this criminal activity.

It is anticipated that ransomware tactics will expand to provide further opportunities to “motivate” victims into paying a ransom for their data.  This will include the threat of deployment of “Wiper” malware – designed to fully delete an infected device or network in the event of non-compliance.

An increase in Supply Chain Attacks

It is highly anticipated that supply chain compromise will continue to be a tactic of choice for financially motivated and nation-state threat actors, who routinely and opportunistically scan the internet to identify unpatched systems ripe for exploitation.  

The efficiency of supply chain attacks will likely be improved by both the infection and dissemination of software packages granting third-party access.  This in turn allows threat actors to select and target their victims on a larger scale, leading to increased levels of compromise and wider attack surfaces for the deployment of malicious code.  Subsequently, this will allow threat actors to better maintain persistence within victim networks, granting more time to conduct reconnaissance, analyse connected networks, and spread to encompass more victims.

It is anticipated that supply chain attacks will target vulnerabilities in generative AI ecosystems. With AI and LLMs being utilised more and more to improve productivity, inevitably supply chains are becoming more interconnected.  Failure to properly secure these components within the supply chain could be fatal, allowing threat actors to poison AI training data, manipulate updates, inject malicious algorithms, engage in prompt engineering, or exploit vulnerabilities as an entry point to compromise organisations’ data or systems.

The growth of AI-driven cyber-crime

AI has seen a massive boom in 2023, and this is expected to continue into 2024 and beyond as it becomes increasingly integrated into all manner of processes and procedures.

In 2024, we anticipate a surge in threat actors embracing AI to improve the quality and speed of development of the tools in their arsenal. This will include a quick and cost-effective way to develop new malware and ransomware variants.  We also expect to see the increasing use of deepfake technologies to improve the standard of phishing and impersonation to support cyber-enabled frauds and business email compromise (BEC).

In contrast, it is anticipated that cyber security will employ a proactive strategy; as threat actors continue to harness the potential of AI and machine learning, cyber defenders will look to utilise similar techniques to counter these offensive tactics. The cyber security industry is already making substantial investments into the use of AI for defensive purposes, and this is expected to grow and be adopted by more in the field.  Generative AI (GenAI)-powered capabilities such as automated code generation, reverse engineering, and document exploitation will reach previously unthinkable levels of sophistication and speed. 

It is believed that GenAI will provide an improved toolkit to those targeting the human element when seeking to compromise network security.  GenAI will provide threat actors with an easier method for developing more convincing phishing messages at scale, create video and audio deepfakes, and more easily collect information on their targets. This highlights the need in 2024 for an increased focus on awareness training to better prepare staff and colleagues for the inevitable surge of phishing attacks in 2024.

Key Global Events

Geopolitics is a key motivator for threat actors in certain sectors, particularly nation-states and hacktivists.  Many key global events are scheduled for this year, providing high-profile targets for those who would seek to manipulate these events for their own gains.

Elections are due to be held in the following countries:

  • Taiwan
  • USA
  • Iran
  • Russia
  • Ukraine
  • South Korea
  • India
  • Austria
  • United Kingdom
  • European Parliament

The BRICS group is due to expand, taking on the following new members: Egypt, Ethiopia, Iran, Saudi Arabia, and the United Arab Emirates.  BRICS is now seen as an economic group to rival the G7, so it is anticipated that this expansion will lead to increased targeting of G7 financial institutions.

In July, the 2024 Summer Olympic Games will be held in Paris, France.  Such events provide numerous opportunities for threat actors to make financial gains through fraudulent ticketing, and phishing to obtain financial data and credentials.  Furthermore, it provides a canvas with global attention for those with a hacktivist agenda, ensuring their message reaches a wide audience.

Regulatory Changes Driving Threat Actor Innovation

Changes to regulations regarding the reporting of significant breaches, implemented in the USA by the Securities and Exchange Commission (SEC), will force threat actors to hone and improve their stealth methods.  We anticipate seeing increased focus on encryption and evasion techniques to allow threat actors to maintain undetected persistence within victim networks, to avoid triggering reporting to the SEC and the expected forensic-level scrutiny that would follow.  We believe that threat actors may look to non-material systems as a lower-risk target and entry point, quietly building their access, persistence and privileges from there before targeting higher-value network resources.

Additionally, we are also beginning to see ransomware groups using this new reporting requirement as an additional blackmail tool, threatening to report victims to the SEC themselves if their demands are not met.  It is expected that this tactic will expand in use over the year to come.

What’s in store for SOS Intelligence in 2024

2024 looks to be an exciting year for SOS Intelligence.

Our team is growing further with a full time developer joining in early 2024.  This will allow us to focus on improving the usability of the product, implement new features, and generate new data collection streams.

One of our key focus areas will be to improve the quality of the context around the data we provide.  Improvements made to the platform will allow customers to see pertinent information relating to data sources, giving context to the risk and threat posed by that source.  This will allow customers to make more informed decisions about the risks to their business or that of their clients.

We will also be looking to expand and improve the quality of our data collection.  One particular focus will be on improving the reporting of CVEs.  We aim to expedite alerts of new, high-risk vulnerabilities to our clients and subscribers so they can better mitigate and protect against the risks they pose.

SOS Intelligence has been diligently monitoring the digital landscape over 2023.  Our recent findings are a stark reminder of the rising threat of phishing attacks.  Over the past year, we have observed over half a million unique credentials compromised through phishing, and with the growth of GenAI techniques, we expect that number to grow in 2024.

One standout feature of our technology is our real-time alert system.  This capability ensures that our clients are promptly notified when their staff have fallen victim to phishing, allowing for a swift response and effective risk mitigation.

The unique services we provide at SOS Intelligence aren’t just about securing your digital assets; it’s a practical investment in proactive cybersecurity.  Join us in creating a more secure digital environment.

Header Photo by freestocks on Unsplash

Investigation, Ransomware

Ransomware – State of Play December 2023

SOS Intelligence is currently tracking 170 distinct ransomware groups, with data collection covering 319 relays and mirrors.

In the reporting period, SOS Intelligence has identified 373 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor.  Our analysis is presented below:

We first look at strain activity.  As ever, the ransomware landscape is dominated by strains using affiliate models (Ransomware-as-a-Service (RaaS)).  Lockbit remains the most active strain, and while there has been a decrease in overall activity, it maintains a 22% market share.  8base, AlphV and Play remain significantly active, but this month we have also seen significant activity by Hunters (RaaS), Cactus (RaaS), and Dragonforce.

Dragonforce are a newly emerged group, with little known about them at the time of print.  Given the level of successful disruption by law enforcement during 2023, it is suspected that this group may be a rebranding of a previous threat group.

The Werewolves group has been observed increasing their level of attacks.  The group appears relatively new, however, they have taken responsibility for a 2022 attack on the Electric Company of Ghana which resulted in significant power outages.  The veracity of this claim is not known.  Their level of activity is called into question by several of their victims also appearing on the LockBit breach site.  Six identical posts were seen across both sites.  Additionally, the ransomware used is a public domain version of Lockbit3, while their attacks make use of tools leaked from the Conti group.  This would seem to indicate that the group was previously an affiliate of LockBit.

What makes this group stand out is the targeting of Russian victims.  Ransomware groups and operators are quite often pro-Russian, with several groups supporting the Russian government publicly in its war against Ukraine.  The targeting may explain a potential split from LockBit, and hint at a possible location for the group.

Finally, we have observed increased activity from the SiegedSec group.  They appear focused more on data exfiltration, and are politically, rather than financially, motivated. Their focus has been on hacktivism, with a significant focus on targeting Israel and the USA.

As seen in previous months, the USA remains the primary target of ransomware groups and threat actors.  We have observed a steady release of data from Canada, France, Germany, Italy, and the UK.  As members of the G7, these countries have strong economies and therefore possess lucrative targets for financially-minded threat actors.

However, this surge in activity may be politically motivated.  In recent weeks these countries have all shown support for Israel in its conflict with Hamas, which may give certain threat actors additional motivation to target those countries.  As highlighted previously, there have also been significant increases in the targeting of Israel and Russia.

Manufacturing, Construction and Engineering, and IT and Technology have remained the key targeted industries for December.  These industries would be more reliant on technology in order to continue their business activities, and so it logically follows that they would be more likely to pay a ransom in order to regain access to compromised computer systems.  The Financial and Education sectors have also seen increased activity over the period.

We are seeing a shift in tactics for certain industries, particularly those where data privacy carries a higher importance (such as legal or healthcare), where threat actors are not deploying encryption software and instead relying solely on data exfiltration as the main source of material for blackmail and extortion.

Photo by FLY:D on Unsplash

Investigation, Ransomware

Ransomware – State of Play November 2023

SOS Intelligence is currently tracking 166 distinct ransomware groups. Data collection covers 309 relays and mirrors, 110 of which are currently online.

In the reporting period, SOS Intelligence has identified 437 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor. Our analysis is presented below:

As in previous months, the ransomware landscape is dominated by strains using affiliate models. Lockbit remains the most active strain, and has seen a 73% increase in breach posts when compared to the previous month. High on the list is 8base, who released a large amount of data on 30th November. In contrast to the other high-profile groups observed, it is believed that the 8base group do not have their own proprietary ransomware, but instead rely on using other ransomware-as-a-service (RaaS) variants, such as Phobos.

As seen in previous months, the USA remains the primary target of ransomware groups and threat actors.  We have observed an increased release of data from France, Germany and Italy, while the UK and Canada have remained high on the list of targeted countries.

As members of the G7, these countries have strong economies and therefore possess lucrative targets for financially-minded threat actors. However, this surge in activity may be politically motivated.  In recent weeks these countries have all shown support for Israel in its conflict with Hamas, which may give certain threat actors additional motivation to target those countries.

Logistics, manufacturing, and construction have remained the key targeted industries for November.  These industries would be more reliant on technology in order to continue their business activities, and so it logically follows that they would be more likely to pay a ransom in order to regain access to compromised computer systems.  We are seeing a shift in tactics for certain industries, particularly those where data privacy carries a higher importance (such as legal or healthcare), where threat actors are not deploying encryption software and instead relying solely on data exfiltration as the main source of material for blackmail and extortion.

New for this month, we have also considered victim ownership: whether they are privately or publicly owned.  Within breach sites, the publicised victims are overwhelmingly privately owned.  Publicly-owned victims tend to be either smaller, local government entities or educational districts within the US school system.  Higher-level public entities, while offering a lucrative target for hostile state actors, may be more than a financially-motivated threat actor wishes to take on, owing to the likely increased law enforcement effort to obtain a judicial outcome.

Photo by FLY:D on Unsplash

Investigation, Ransomware

Ransomware Statistics for October 2023

SOS Intelligence is currently tracking 163 distinct ransomware groups. Data collection covers 299 relays and mirrors, 93 of which are currently online.

In the reporting period, SOS Intelligence has identified 337 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor. Our analysis is presented below:

Our first graph shows attacks organised by strain. The most prominent threat groups have been AlphV/BlackCat, Play, and LockBit3. All three operate a Ransomware-as-a-Service (RaaS) business model, which would increase the number of threat actors using them, so it is no surprise to see these variants appearing responsible for more attacks.

Secondly, we have looked at the spread of victims by country of origin.  The USA remains the target of choice for many ransomware groups and threat actors, owing to the value of its economy and the likelihood of victims to pay ransoms.

A significant number of victims have been identified in Bulgaria, all of whom were targeted by the RansomedVC strain.  RansomedVC does operate a RaaS business model, so it is hypothesised that this has been a single threat actor specifically targeting Bulgarian retail businesses.

Finally, we have looked at the targeted industries. Business Services, Manufacturing and Retail sectors have experienced significantly more targeting. This is likely due to their reliance on technology to undertake their business functions: a company more reliant on technology is more likely to pay if their services and networks are disrupted.

Photo by FLY:D on Unsplash

Investigation, Opinion

Flipper Zero: An Introduction to Its Capabilities and Potential Risks

By Daniel Collyer, Threat Intelligence Analyst, SOS Intelligence

What is Flipper Zero?

Flipper Zero is a portable, multi-function device, similar in style to the Tamagotchis of the late-90s.  While presenting itself as a cute gaming device, complete with a dolphin mascot, under the covers it is a versatile device that allows the user to interact with access control systems.  It can read, copy, and emulate NFC and RFID tags, radio remotes, iButton, and digital access keys.

The device

Development of Flipper Zero began in August 2020 with a Kickstarter campaign to raise funds for research and development.  It was developed to build a sleek and versatile device to replace the more unwieldy options already available.  The result was a single-case device with multiple features and skills to assist prototyping, hardware research, and penetration testing.

One of the key aspects of Flipper Zero is its commitment to open-source development. Its hardware and firmware are openly available, allowing users to modify and enhance its functionalities according to their specific needs. The open-source nature of Flipper Zero fosters collaboration, knowledge sharing, and continuous improvement within the hacker and security research communities.

Inside Flipper Zero – image credit Flipper Zero

What can it do?

Sub-Ghz radio frequencies

Flipper Zero contains a 433 MHz antenna which allows it to access Sub-1 GHz radio frequencies.  Its chipset gives it a range of ~50m for targeting wireless devices and access control systems, such as garage doors, boom barriers, IoT sensors, and remote keyless systems.

RFID (125 kHz)

A 125 kHz antenna allows Flipper Zero to read low-frequency proximity cards.  Older cards, with no authentication mechanisms, can be stored in memory for later emulation.

NFC

Flipper Zero pairs its RFID capability with a 13.56 MHz NFC module.  This provides a high-frequency (HF) alternative which allows the device to read, write and emulate tags.

Infrared

Flipper Zero’s infrared transmitter can control electronics, such as TVs, stereo systems, etc.  Common TV vendor command sequences are contained in a built-in library which is constantly updated and maintained by the Flipper community.  It also functions as a receiver, which can receive signals and store them for later use.

Hardware Hacking

Flipper Zero allows versatility for hardware exploration, firmware flashing, debugging and fuzzing.  The device can be utilised to run code or provide control to hardware connected via GPIO.  It can function as a regular USB to UART/SPI/I2C/etc adapter.

Bad USB

Flipper Zero can emulate USB slave devices, making it appear as a regular device when attached to a computer, similar to a USB Rubber Ducky.  It can be pre-programmed with payloads to execute upon connection or provide functionality for USB stack fuzzing.

iButton

Flipper Zero has a built-in 1-Wire connector with a unique design which allows it to read and probe iButton sockets.  This allows it to read keys, store IDs in memory, write IDs and even emulate keys themselves.

Bluetooth

Flipper Zero has a built-in, fully supported, Bluetooth Low Energy module, allowing it to act as a host and peripheral device.  A corresponding open-source library provided by the developers gives functionality support to community-made apps.

Open-Source Firmware

The key property of Flipper Zero is its open-source firmware.  By making this available to all, the developers have encouraged the modification and extension of the Flipper Zero code.  This gives users access to all of the functions and hardware used by Flipper Zero, allowing them to build bespoke tools, for example homemade dosimeters or carbon dioxide detectors.

What are the risks?

As with a vast majority of technical tools and devices of this type, the Flipper Zero is not inherently malicious or illegal.  Its abilities make it a useful tool for penetration testing, ethical hacking, and hardware development.  However, Amazon has taken the view that the device is a “card skimmer”, and the Brazilian government have been seizing shipments of devices due to its alleged use in criminal activity.

Such a tool is not new to the market.  Existing hardware, such as Arduino or Raspberry Pi, has often been utilised to develop hardware for nefarious purposes.  The initial hardware itself is by no means illegal, and the same can be said for Flipper Zero.  Instead, we have looked at the people using the device.

Using SOS Intelligence’s intelligence platform, we have researched and tracked discussions of Flipper Zero on the Dark Web and across online criminal forums.  Using “Flipper Zero” as a keyword, we used our Alerts system to identify and flag instances where Flipper Zero is mentioned online.

Our period of monitoring ran from the start of 2023 to June 2023.  In that time we generated 158 alerts on the keyword “Flipper Zero”.  We have been able to break these down into the following:

Charts: Number vs Post Content, Number vs Language, and Source Occurrence.

Our data shows that, while there has not been much in terms of published development within criminal forums or the dark web, there has been significant interest in what has been posted.  Exploit development has been particularly popular within the Russian-language forums.  The use of Portuguese in more recent Dark Web posts was noted, and this appears to coincide with the Brazilian Government banning the importation of Flipper Zero.
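As an added illustration of the keyword-alert approach described above (not SOS Intelligence’s own code or data), the following Python sketch runs a multi-spelling keyword match over a handful of constructed forum posts, collapses a mirrored copy of the same thread so relays are not double-counted, and produces the three breakdowns (post content, language, source) that the charts summarise. The forum names come from this article; the post texts and the content-classification rules are constructed assumptions.

```python
import re
from collections import Counter, namedtuple

# Constructed sample posts (not real forum data); the fields mirror the
# source / language / content breakdown used in the article.
Post = namedtuple("Post", "source lang text")
POSTS = [
    Post("cracked.io", "en", "OPEN TESLA CHARGING DOORS MOD WITH FLIPPER ZERO - two .sub files attached"),
    Post("cracked.io", "en", "HACKER FIRMWARE FOR FLIPPER ZERO, unleashed build on github"),
    Post("cracked.io-mirror", "en", "hacker  firmware for flipper zero, unleashed build on github"),  # mirror copy
    Post("hackforums", "en", "my badusb ducky scripts for the flipper-zero, repo link inside"),
    Post("exploit.in", "ru", "FlipperZero badusb: reverse shell payload for macOS"),
    Post("hackforums", "pt", "Alguem consegue importar o Flipper Zero para o Brasil?"),
    Post("exploit.in", "ru", "Selling Raspberry Pi 4 kits, no flipper included"),
]

# One alert keyword, several spellings: "Flipper Zero", "FlipperZero", "flipper-zero", "flipper_zero".
KEYWORD = re.compile(r"\bflipper[\s_-]*zero\b", re.IGNORECASE)

# Coarse content buckets (assumed heuristics, not the vendor's taxonomy); first match wins.
CONTENT_RULES = [
    ("firmware", re.compile(r"\bfirmware\b|\bunleashed\b", re.I)),
    ("badusb", re.compile(r"\bbad\s?usb\b|\bducky\b|reverse shell", re.I)),
    ("sub-ghz", re.compile(r"\.sub\b|sub-?ghz|\b433\b", re.I)),
]

def normalise(text):
    # Collapse case and whitespace so a copy seen on a mirror dedups to the original.
    return " ".join(text.lower().split())

def classify(text):
    for label, rule in CONTENT_RULES:
        if rule.search(text):
            return label
    return "discussion"

def run_alerts(posts):
    """Return the alert count and the three breakdowns shown in the report's charts."""
    seen, hits = set(), []
    for post in posts:
        key = normalise(post.text)
        if KEYWORD.search(post.text) and key not in seen:
            seen.add(key)
            hits.append(post)
    return {
        "alerts": len(hits),
        "by_content": Counter(classify(p.text) for p in hits),
        "by_language": Counter(p.lang for p in hits),
        "by_source": Counter(p.source for p in hits),
    }
```

On the sample set this yields five alerts (the mirrored thread is counted once and the Raspberry Pi post is ignored), split across Cracked.io, Hackforums and Exploit.in in the same way the article’s charts do for the real data.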

As the product becomes more widely available and used by the community, we expect to see a rise in the number of posts detailing exploit development as more people share their work with the community.

Cracked.io

Tesla Charging Door Mods

On 16 May 2023, we identified Cracked.io member AKA Fu33y creating the thread “OPEN TESLA CHARGING DOORS MOD WITH FLIPPER ZERO”.  

The result was a post containing Anonfiles links to two .sub files.  These contained configuration data required to utilise Flipper Zero’s sub-GHz antenna to open the charging doors on Tesla vehicles.

Probing further into AKA Fu33y’s activity, we identified a second post from 16 May 2023 titled “HACKER FIRMWARE FOR FLIPPER ZERO”.

Hacker Firmware

This post provided a link to a GitHub repository where over 250 contributors have customised and improved the Flipper Zero firmware, creating an “Unleashed” variant.  The creators of this variant are explicit that they do not condone any illegal activity using Flipper Zero and state that their software is for experimental purposes only.  This variant provides a massive expansion of Flipper Zero’s inbuilt capabilities, widening the scope for criminal use.

Hackforums

We were able to identify similar activity on Hackforums.  User AKA aleff shared their own GitHub repository (my-flipper-shits).

Bad USB Payloads

This repository focused on scripts to utilise the BadUSB function.  They range from simple pranks, such as rick-rolling, to more exploitative functions, including data exfiltration or malicious code execution.

User AKA Angela White provided instructions on utilising cheap components and open-source software to create a WiFi Dev Board.

Utilising this upgrade together with the mentioned Wifi Marauder software would turn the Flipper Zero into a device capable of sniffing or attacking WiFi networks.

Exploit.in

Flipper Zero is still relatively new to the market, and supply issues have meant that it has not yet progressed far into the community.  As availability improves, more opportunities will be given to both benevolent and malicious developers to generate custom firmware and code for Flipper Zero.  Our alert system has identified user AKA Rain_4, a member of Exploit.in, discussing the BadUSB possibilities of Flipper Zero and providing basic code for creating a reverse shell for macOS devices.  This highlights how, with only a few lines of code, the Flipper Zero can be utilised to gain access to victim devices (this does of course require Flipper Zero to be connected to the victim device).


Key Takeaways

The device itself: To reiterate, Flipper Zero is not in and of itself a malicious device.  It can have multiple benevolent uses and has the potential to be a useful multitool for practical operators in the cyber security industry, such as ethical hackers and penetration testers.  However, our data shows that as the product becomes more widespread and available to the public as a whole, malicious users are generating code, tools and firmware to turn Flipper Zero into something more malicious than its creators perhaps intended.

Using SOS Intelligence: What was apparent from the research undertaken was how SOS Intelligence enabled us to do this in a straightforward and efficient manner. Historically, this kind of deep dive into the more nefarious uses would not have been possible.

Using keywords and phrases and looking into the forums and sites where this kind of thing is routinely discussed was both easy and enjoyable. We’ve worked hard improving the user experience and UI and the feedback from this continues to be incredibly positive.

“In today’s rapidly evolving digital and physical landscape, comprehending emerging threats like FlipperZero is of utmost importance. Robust intelligence coverage, including monitoring adversary communication, enables informed risk-based analysis to understand the implications of this new digital radiofrequency tool. Our publication of the article on “Flipper Zero: An Introduction to Its Capabilities and Potential Risks” serves as a valuable guide for defence, equipping stakeholders with insights to navigate this threat through informed analysis and strategic decision-making while demonstrating the capability and ease of use of our platform.”

Amir Hadzipasic, CEO and Founder

