Customer portal
Articles Tagged with

dark web threat intelligence

"Compromised
SOS Intelligence Weekly News Round Up

Weekly News Round-up

29 July – 4 August 2024

CVE Discussion

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

News Roundup

Linux Servers Exposed to Data Exfiltration from TgRat

The TgRat trojan, first discovered in 2022, is now targeting Linux servers to steal data. Controlled via a private Telegram group, it can download files, take screenshots, execute commands remotely, and upload files. TgRat verifies the computer name’s hash upon startup and establishes a network connection if it matches, using Telegram to communicate with its control server.

Due to Telegram’s popularity and the anonymity it provides, TgRat’s use of it as a control mechanism makes detection difficult. It executes commands via the bash interpreter, encrypted with RSA, and manages multiple bots using unique IDs.

This unique control mechanism complicates detection, as typical network traffic to Telegram servers can mask malicious activity. Installing antivirus software on all local network nodes is recommended to prevent infection.

Threat Actors Using Fake Authenticator Sites to Deliver Malware

Researchers from ANY RUN identified a malware campaign called DeerStealer, which uses fake websites mimicking legitimate Google Authenticator download pages to deceive users. The primary site, “authentificcatorgoolglte[.]com,” looks similar to the genuine Google page to trick users into downloading malware. Clicking the download button on this fake site transmits the visitor’s IP address and country to a Telegram bot and redirects users to a malicious file on GitHub, likely containing DeerStealer, which can steal sensitive data once executed.

The Delphi-based DeerStealer malware employs obfuscation techniques to hide its activities and runs directly in memory without leaving a persistent file. It initiates communication with a Command and Control (C2) server by sending a POST request with the device’s hardware ID to “paradiso4.fun.” Subsequent POST requests suggest data exfiltration.

Analysis revealed the use of single-byte XOR encryption for transmitted data, uncovering PKZip archives containing system information. Researchers also linked DeerStealer to the XFiles malware family, noting that both use fake software sites for distribution but differ in their communication methods.

Threat Actors Abusing TryCloudflare to Deliver Malware

Cybercriminals are increasingly using TryCloudflare Tunnel to deliver Remote Access Trojans (RATs) like Xworm, AsyncRAT, VenomRAT, GuLoader, and Remcos in financially motivated attacks. TryCloudflare allows developers to experiment with Cloudflare Tunnel without adding a site to Cloudflare’s DNS, which attackers exploit to create temporary infrastructures that bypass traditional security controls.

This tactic, initiated in February 2024, has intensified, posing a significant threat due to its rapid deployment and evasion capabilities. Recent campaigns often use URL links or attachments to download malicious files, which execute scripts to install RATs and other malware.

Campaigns frequently target global organisations, using high-volume email campaigns with lures in multiple languages, often exceeding the volume of other malware campaigns. Attackers dynamically adapt their attack chains and obfuscate scripts to evade defences, demonstrating a sophisticated and persistent threat.

By abusing TryCloudflare tunnels, attackers generate random subdomains on trycloudflare.com, routing traffic through Cloudflare to avoid detection. For example, on May 28, 2024, and July 11, 2024, targeted campaigns used tax-themed lures and order invoice themes, respectively, to deliver AsyncRAT and Xworm via malicious email attachments and PowerShell scripts, providing remote system access and data exfiltration capabilities.

Ransomware Threat Actors Exploiting VMWare ESXi

Microsoft researchers have identified a critical vulnerability in VMware’s ESXi hypervisors, CVE-2024-37085, which allows ransomware operators to gain full administrative permissions on domain-joined ESXi hypervisors. This flaw, associated with the “ESX Admins” group, enables any domain user who can create or rename groups to escalate their privileges, potentially gaining full control over the ESXi hypervisor. Exploiting this vulnerability can result in the encryption of the hypervisor’s file system, access to virtual machines, data exfiltration, and lateral movement within the network.

Ransomware groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have been observed exploiting this vulnerability, deploying ransomware like Akira and Black Basta to encrypt ESXi file systems.

A notable attack by Storm-0506 involved using Qakbot and exploiting a Windows vulnerability to elevate privileges, followed by deploying Black Basta ransomware. In response, VMware has released a security update to address CVE-2024-37085. Microsoft urges organisations to apply this update, validate and secure the “ESX Admins” group, deny access or change administrative group settings, use multifactor authentication for privileged accounts, and secure critical assets with the latest security updates and monitoring procedures.

Photo by Joshua Hoehne on Unsplash

"Crowdstrike
SOS Intelligence Weekly News Round Up

Weekly News Round-up

15 – 21 July 2024

CVE Discussion

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs.

News Roundup

Ransom paid by AT&T

AT&T recently paid $370,000 to a hacker affiliated with the ShinyHunters group to delete manipulated client data, including call and text metadata, which had been compromised between May 2022 and January 2023. The breach occurred from April 14th to April 25th, 2024, through unauthorised access to AT&T’s third-party cloud platform. The compromised data included phone numbers, communication dates, and call durations, but did not involve the actual content of conversations or text messages.

The payment was made in Bitcoin, and the hacker confirmed the data deletion through a demonstration video. Despite this effort to erase evidence, there is concern that some information might still be accessible, potentially posing ongoing security risks for AT&T’s consumers.

Compromise of Squarespace domain names

Squarespace customer accounts were compromised by hackers, leading to unauthorised access to sensitive information such as email addresses and account details. The breach was attributed to a third-party vendor, highlighting concerns about the security measures in place for customer data. In response, Squarespace has notified affected users and is working to enhance their security protocols.

To protect their accounts, customers are urged to change their passwords and enable two-factor authentication. This incident underscores the persistent risks associated with third-party integrations in the digital environment and the importance of robust security measures.

22 minutes to exploit

Cloudflare’s Q1 2024 Application Security Report reveals that it takes hackers an average of just 22 minutes to exploit newly disclosed vulnerabilities, highlighting a concerning trend in cybersecurity. The report indicates that Distributed Denial-of-Service (DDoS) attacks remain a significant threat, constituting 37.1% of mitigated traffic, while automated traffic makes up one-third of all internet activities, a substantial portion of which is malicious.

Additionally, API traffic has increased to 60%, with many organisations regularly missing a large number of their public-facing API endpoints. The report also underscores the growing use of zero-day exploits and the challenges posed by third-party integrations in web applications, emphasising the constantly evolving cybersecurity threat landscape.

Exploiting the Crowdstrike Issue

On July 19, 2024, Windows systems were impacted by an issue with the CrowdStrike Falcon sensor, which cybersecurity experts have flagged as a serious concern. Hackers exploited this vulnerability to target CrowdStrike customers through phishing campaigns, social engineering, and the distribution of potentially harmful software. The attackers impersonated CrowdStrike support, falsely claiming the issue was a content update error rather than a security problem.

This incident underscores the need for companies to authenticate communication channels and adhere to official guidance on modern threats. Additionally, it highlights the importance of educating employees about behaviours that could compromise security, helping to strengthen defences against such opportunistic attacks.

Photo by Joshua Hoehne on Unsplash

"SOS
Product news

Business Update

We’ve had a lot going on since the start of the year and so I’ve recorded a short update for you. Click to watch and listen!

We are very thankful for all our customers, those who have been with us since we started and the new ones over the past months.

"Data
Opinion, Tips

Happy Data Privacy Day!

Held annually on 28 January every year since 2007, Data Privacy Day was introduced by the Council of Europe to commemorate Convention 108 – the first, legally binding, international treaty on data protection signed in 1981.  Data Privacy Day exists now to bring the concept of data privacy to the forefront, and encourage everyone to consider the steps they take to keep their data safe, and what more they could be doing.

The landscape of data privacy has changed dramatically since that first celebration in 2007.  Wholesale changes to legislation have been implemented, new international regulations brought in and enforced, and on the whole, a shift in the dynamic of how the general public thinks about the privacy of their data.

Managing your data privacy can be a daunting task – our data is everywhere, and we’re not always consciously aware of what is happening to it.  Unsecured data, oversharing online, interacting with suspicious communications – these are all things that the threat actors of the world rely on from their victims to achieve their criminal goals.  Here are several simple things that can be done to improve your online privacy:

  • Limit sharing on social media

Social media is a gold mine of information for those with malicious intentions.  Sharing events such as birthdays, names of loved ones, employment details etc, can allow a threat actor to very quickly socially engineer scams to encourage you to divulge sensitive information.  Although we shouldn’t, quite often those details such as birthdays and loved ones’ names end up in our passwords too, so it doesn’t take much for a threat actor with a little motivation to work these out.  Ensuring privacy settings are set to maximum, and not over-sharing, will do much to protect from these threats.

  • Think before you click

We receive a deluge of emails every day, in both our personal and work lives.  Threat actors know this too which is why they’ll use email as a method to target individuals and businesses to gain access to sensitive data.  Phishing scams rely on the innocent victim not realising that the email in front of them is fake, or trying to get them to do something they shouldn’t be doing.  So if in doubt, stop and think before clicking on links or opening attachments.

  • Know your rights

Know your data privacy rights, and what applies in your country.  In Europe, this will be GDPR, which gives a lot of control back to the person to whom the data relates.  This includes:

  • The right to be informed
  • The right of access
  • The right of rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making, including profiling

Despite best efforts, threat actors are constantly looking for new and novel ways to gain access to our data, and inevitably, some of this will be stolen and used for criminal activity.  SOS Intelligence has been diligently monitoring the digital landscape over 2023.  Our recent findings are a stark reminder of the rising threat of phishing attacks.  Over the past year, we have observed over half a million unique credentials compromised through phishing, and with the growth of Generative AI techniques, we expect that number to grow in 2024.

One standout feature of our technology is our real-time alert system.  This capability ensures that our clients are promptly notified when their staff have fallen victim to phishing, allowing for a swift response and effective risk mitigation, helping you to ensure that your data remains as private as possible.

Photo by Jason Dent on Unsplash

"SOS
Product news

Join us for our next SOS Intelligence webinar on Understanding Third-Party Risk for Cybersecurity

I’m delighted to invite you to our next webinar on Wednesday 14th June at 11am for twenty minutes.

Understanding Third-Party Risk for Cybersecurity 

Who is this for?

  • Anyone in a business or organisation who has responsibility for online security.
  • CTOs or senior managers who want to understand the risks of third-party cyber breaches and how to monitor them.
  • MSSPs who would like to leverage our solution with their clients.

You will learn:

  • What are third-party cyber security risks and what are the common breaches + consequences
  • The role of cyber threat intelligence in third-party risk management
  • How SOS Intelligence will help you manage your risk and your third parties

We are recording the session so if you sign up and are not able to make it, you will be sent a replay.

Sign up takes seconds, just click the button below.

"SOS
Flash Alert

Flash Alert – Brute-Force scanning of VPNs

SOS Intelligence has recently seen indications of brute-force login activity against VPN services associated with a customer.  

Our research has linked this activity to an Initial Access Broker (IAB), who has recently released access to a brute force scanning tool through their profile on a high-profile cyber-crime forum. 

Thanks to Daniel, our new Threat Intelligence Analyst who has been investigating this. Future flash alerts and intelligence reports will come from Daniel via email. If you would like to get these, you can sign up here.

The IAB has shared information with our Intelligence Team, showing statistics relating to successful logins they have found whilst scanning VPN networks.

This has highlighted a concerning amount of networks accessible using commonly known default login credentials.  However, the IAB has acknowledged that some of these may represent honeypots.

Source: SOS Intelligence discussion with Bassterlord

Initial Access Brokerage is a common feature of cyber-crime forums.  The individuals concerned involve themselves with the compromise of computer networks. 

Once persistence within the network has been maintained, they monetize that access by selling it within forums, often to actors with access to destructive malware.  Therefore, IAB activity can often be a precursor to Ransomware and/or Data-exfiltration attacks.

Other Discussions identified by the SOS Intelligence Platform related to VPN Provider Scanning

Recommendation

We recommend reviewing any VPN services in use to ensure all default account passwords have been changed, and any built-in accounts have been disabled, in accordance with the best practices of your provider.

At SOS Intelligence we can provide bespoke intelligence feeds to help monitor your data to help you identify when credentials have been leaked and are appearing online, helping you to stay ahead of the attackers and keep your networks safe.

Photo by Kevin Ku on Unsplash

"Eastern
Product news

Supporting the Eastern Cyber Resilience Centre

We are delighted to announce that we are the newest Eastern Cyber Resilience Centre Community Ambassador.

The Eastern Cyber Resilience Centre (ECRC) supports and helps protect SMEs, supply chain businesses and third sector organisations in the East of England against cyber crime.

The ECRC began its journey in November 2020. Led by Policing and facilitated by Business Resilience International Management (BRIM), they have followed a structured modular programme based on a highly successful model that had previously been established for over 9 years in Scotland.

They work in structured partnership with regional Policing, Academia, Businesses, Third and Public Sector organisations through a variety of ways.

What is a Community Ambassador?

Community Ambassadors are local businesses who recognise that cyber resilience is essential for their own customers and supply chains and want to help the ECRC promote this message.

We fully support what the ECRC are doing and very much look forward to working closely with them in the future.

"SOS
Product news

The new SOS Intelligence UI

I’m delighted to announce that our new UI is now live on the SOS Intelligence platform. This is something we have been working on for a good few months and is the culmination of customer feedback since launch.

Not only does it give a better experience visually, it’s more intuitive, easier to navigate and much simpler to use.

This is the first important step as part of a series of improvements across the platform. This development and investment in SOS Intelligence as part of our growth funding project which we recently announced.

Our old UI, whilst ok, was not as good as it should be. Ever since launching SOS Intelligence it’s something that’s always caused me to wince slightly – the design and UI didn’t match the product.

Good software lives or dies by how easy it is to use and interact with and it sure helps to look nice too!

We’ve focused on improving the menus and navigation so that you can see exactly where you are and see how to get to the next thing. We’ve also made use of a full screen on desktop. Previously it felt cramped and we still had a lot of unused space. No more! We now have a well laid out screen which has easy-to-read visuals and the new colours.

Here is a walk through video showing the new UI:

You can see most of the new screens below with an explanation of what they are and what you can do:

Our new dashboard now gives you unparalleled information about your keyword alert performance. At a glance view your most recent alerts, Most popular collection type and keyword performance over time. 
Dashboard

Our new alerts UI allow you to get the information you need fast. Highlighting of matched keyword enables you to zone in on exactly what’s been identified. View the full content for accurate context. Not only do we provide you with the full URL but also the full unredacted content. 

Acknowledge the alert once you have completed your review. 

Provide feedback to us if the alert was useful or not, and you can provide a reason and commentary.

Alert management
Alerts
Alerts

OSINT Search – You can view posts on a forum or any collection, live without having to have an account on that forum yourself, this is especially useful for closed forums. Narrow down your search with the Search by Date option or add a keyword if you are searching for something or some one specific.

OSINT Search
OSINT Search

The new Dark Search – Use our Onion address search feature to search for just part of an onion address or URL – search for what you have or know and we will match the most relevant Onion service address.

Dark Search

Generate an on demand live screenshot of an onion website without having to use a Tor browser. Images on Onion sites are not rendered.

Dark Search

Search the dark web and retrieve thumbnail for Onion websites, text content and generate on demand screenshots for your search results. You can also customise your search by searching just for the page titles, content, content & title or part of an onion address.

Dark Search

Last but not least, we have the user management:

User profile

It’s been a complex project, not only the design but also the integration into the code base and structure of the platform.

If you’d like to know more and let us show you how easy it is to use, then please book a demo call here. Thank you!

1 2 3
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Youtube
Consent to display content from - Youtube
Vimeo
Consent to display content from - Vimeo
Google Maps
Consent to display content from - Google
Spotify
Consent to display content from - Spotify
Sound Cloud
Consent to display content from - Sound