Customer portal
Articles Tagged with

dark web threat intelligence

"Dark
Investigation, The Dark Web

Dark Web Services Current Average Prices

by Amir Hadzipasic
December 14, 2022

It started with a tweet.

The dark web has long been associated with illegal activities and the sale of illicit goods and services. Among the many services offered on the dark web, hacking services are particularly prevalent.

Daniel’s tweet

We had our PIR and got to writing an Intelligence Requirements sheet following the PESTLEP model and that allowed us to prioritise our Collection Plan.

Collection plan.

With which we were able to start our collection process and begin answering Daniel Card’s Tweet.

The collection process consisted of using the SOS Intelligence platform to identify current active market places for the specific IR areas we had to answer to.

Our platform has the capability to scan the dark web very quickly, with the ability to rotate around all active Onion services within 24-48 hours. This gives us a clear view of current and active Onion services.

In addition SOS Intelligence has a broad range of automatic closed and open forum collection giving us a real time view into purchases and sales.

Gathering the relevant information and calculating averages per service, per market place. 

The research

The research for this article looked at around 40 different current dark web marketplaces and clear web and dark web forums, where hacking services are commonly offered for sale. The average prices for the services mentioned were determined based on the information gathered from these sources.

According to our research, the average price for a stolen credit card on the dark web is around $243.15.

This may seem like a low price, but the value of a stolen credit card can vary depending on the country it was issued in and the remaining balance on the card. For example, a credit card from the United States may be worth more than one from a less economically developed country. To keep things as like for like as possible we took the average card limit for a USA bank.

Counterfeit money is also commonly available on the dark web, with the average price per $1,000 coming in at around $396.24.

This may seem like a high price, but it’s important to remember that producing high-quality counterfeit money can be a time-consuming and expensive process.

Botnets, which are networks of compromised computers used to launch distributed denial of service (DDoS) attacks, are also commonly available on the dark web.

The average price for a botnet or DDoS attack is around $382.41.

Another common service offered on the dark web is the sale of  so called residential proxies,  which are more difficult to detect and block as they “proxy” a cyber criminals connection out through a residential ISP. These proxies are used to mask the true IP address of the user and are often used by hackers to avoid detection.

The average price for a residential proxy is around $645 per month.

Finally, initial access to a target network is often available for sale on closed forums and marketplaces. This can include login credentials or vulnerabilities in a network that can be exploited to gain access, Initial Access or AI is typically the first ‘open door’ into a victim’s network and can lead to ransomware.

Prices for this service ranged wildly from a few hundred dollars to tens of thousands, due to wide ranging victims and seller motivations, varying greatly depending on access offered, method of access and compromised company.

The average price for initial access to a network is around $7,700. 

In conclusion, the dark web is a hub for a wide range of hacking services, from stolen credit card information to initial access to target networks.

While the prices for these services may seem steep, it’s important to remember that at least for some of the services offered there is a more demand than supply.

It is also important to note that there is no guarantee with any of the services provided and the sellers or marketplaces themselves could be scams or scammers although a majority do offer purchase through escrow.

Header photo by Jefferson Santos on Unsplash.

"SOS
Product news

Join us for our first SOS Intelligence webinar on December 8th at 11am

by Amir Hadzipasic
November 16, 2022

We are delighted to invite you to our first webinar. This is at 11am on Wednesday 8th December and will last around twenty minutes.

Hosted by myself, I’ll give you a short overview of the product and how it fits as an essential part of your business or organisation’s online security plus a demonstration of how easy it is to use the keyword alert feature.

Who is this for?

  • Anyone in a business or organisation who has responsibility for online security
  • CTOs who wants to understand the risks of cyber breaches and how to monitor them
  • MSSPs who would like to leverage our solution with their clients

You will learn:

  • Why cyber threat intelligence and especially on the Dark Web is so vital
  • What SOS Intelligence does and what you can expect when using it
  • How it meets the need of a modern business / organisation

All you need to do is click the button below. We look forward to seeing you!

Click to register
"pwn
Product news

pwnReport tool for MSSP and Enterprise customers

by Amir Hadzipasic
September 23, 2022

One of the features which we’ve been working on recently is a pwnREPORT Breach Report Tool. I’m pleased to say this is now available for our MSSP and Enterprise customers.

What does it do?

  • Generates an aggregated breach report for records found across our BreachDB, OSINT collections and Dark Web.
  • Searches for a provided company email domain.
  • Returns a CSV document on completion for you to download.

Watch the short video below to see it in action.

pwnREPORT Breach Report Tool

This kind of tool is precisely what we try and focus on. Simple execution of a query and a quick, useful output for you to use and potentially share.

If you have any questions, please don’t hesitate to get in touch and book a call / demo here.

Photo by Kevin Ku on Unsplash.

"SOS
Product news, The Dark Web

SOS Intelligence Dark Web Map

by Amir Hadzipasic
September 7, 2022

We thought it would be interesting to show you something we generate every now and again…

That is our representation of the SOS Intelligence Dark Web Index, the physical placement of the nodes represents the interconnectivity between onion services on the Dark Web (Tor).

It is an energy model of the network structure of the Dark Web.

The diagram is a visual representation of an energy model of the network structure for interconnecting onion services 

Essentially, If a node has a lot of links, it has a heavier weight applied to it.

If a node has fewer links, it has a lighter weight applied to it and has less weight represented. The more links, the more central we represent that node on the map. Therefore onion services with fewer inbound or outbound links get ‘pushed’ outward to the edges of the map. Onions with more links weigh more so are positioned more centrally.

The colour is a computed modularity class – the social network of the nodes. We have calculated the community networks of the nodes. i.e. how likely it is that a node is linked to other nodes within the network. 

What we get is a spatial representation and social network of around 43000 nodes in the past 24 hours.

The colour itself is random, but the membership of the colour is representative of their social network. What we don’t mean is their Facebook membership, but rather their community connections within the Dark Web.

The visualisation is stunning when seen on a large screen so we have made this available to download here in 4K.

SOS Intelligence Dark Web Render

If you are feeling kind, a tweet or short blog post about this would be much appreciated 🙂

"SOS
Product news

SOS Intelligence Development Update

by Amir Hadzipasic
August 10, 2022

We can’t stand still. We believe it is vital to keep investigating new threat intel feeds for our customers, so over the last 2 weeks we have created 15 new bespoke collection pipelines to gather intelligence from various hacking forums.

We have also been listening closely to customer feedback…

  • We have developed our alert feedback system with an additional feedback text entry box so that customers can provide additional information web submitting feedback about an alert that was not useful. 
Pop up to give us feedback
  • You can now perform multiple alert actions. If you need to mass acknowledge alerts, or mass vote alerts, select all or a number of individual alerts and perform a multi action. This can be very helpful when acknowledging and closing of a number of alerts that have been dealt with.
Multiple alert actions

We value all of our customer feedback and aim to deliver feature requests as soon as realistically possible. Please continue to give us suggestions and feedback!

Photo by Fotis Fotopoulos on Unsplash.

"Legal
Opinion, The Dark Web

Hacking your lawyer: Why Legal Firms need Cyber Threat Intelligence

by Ben Hurst
August 8, 2022

Data breaches are not good for anyone (excluding the cyber criminals), but breaches are particularly bad for industries that handle sensitive information. Unfortunately companies that often handle sensitive data typically do not take their security threats seriously. The pharmaceutical and medical sectors saw a 20% increase in cyber attacks in 2021, costing them, on average, $45,000 per hour of downtime. 

The medical industry is not the only industry handling sensitive data. Legal firms hold a tremendous amount of personal data on, not only clients, but also anyone involved in their respective cases.

For threat actors, legal firms hold a treasure trove of data that they can use for criminal activities such as, financial fraud, extortion, or even just crude doxxing. 

Unlike hospitals and pharmaceutical companies legal firms typically are not held to the same security and data privacy standards and regulations. In the United States acts like HIPAA and GLBA require any company that handles certain information to abide by set security standards. But, regardless of the law, a data breach looks good for no one. 

Defensive security measures like proper data storage and encryption are a must for any legal firm, but these measures can only go so far. In order to take your security to the next level proactive measures are needed.

Luckily for us, threat actors are often very open about their upcoming or ongoing attacks. Hackers will post on dark web forums or even in public chat rooms. 

Publicly posted data leak of a New York legal firm 

Collecting and aggregating this information can be difficult for a small legal firm with less resources. This is where SOS Intelligence comes in. SOS Intelligence can offer your legal firm – small or large – tools to bolster your proactive security measures. 

Due to the nature of established and emerging threat actors, defensive measures like proper data encryption and storage is not enough. Threat actors will always be able to find a way around these defences.

Whether it involves paying an insider for access to your network or exploiting a n-day vulnerability in your VPN software, SOS cyber threat intelligence will be able to provide insider intelligence not found anywhere else. 

Our Dark Web monitoring tool can be utilised for searching for hackers discussing your company. You can quickly build a profile on threat actors targeting your firm then proactively adapt your defensive measures to compensate. 

Getting a sense for threat actors targeting your firm will do wonders for both your cyber defence and – in the case of a breach – can assist incident response. SOS Intelligence offers tools that can actively pull information from common dark web forums and chat rooms. 

Our tools can also grab messages from closed source forums and chats. Dark web monitoring will be able to offer a different perspective than the hundreds of various defensive tools. The SOS Intelligence toolkit will allow you to see through the eyes of a hacker. It’s time to take your security to the next level, try out the SOS toolkit today.

If you are a legal firm who would like some advice on what you need to be doing plus a demo of how we can help you, then click here now to book some time with Amir, our founder. We promise this is something you won’t regret.

Photo by Tingey Injury Law Firm on Unsplash

"Cyber
Opinion

What is Cyber Threat Intelligence?

by Ben Hurst
July 13, 2022

You may have heard of the term “Cyber Threat Intelligence”, sometimes abbreviated as “CTI”. 

The term is often thrown around with little to no explanation, so, what actually is CTI? It’s always useful to know what an acronym means 🙂

The origin of the term can be traced back to 2009 in reference to research on the Tactics, Techniques, and Practices (TTP) of APT 1. 

Traditional threat intelligence, meaning the collection and dissemination of intelligence of emerging and reoccurring threats, was a key part of the intelligence apparatus during the Cold War. 

However, traditional threat intelligence is a very general term, referring to intelligence on anything from nation-states to small guerrilla insurgent groups. 

The rise of Advanced Persistent Threats (APT) forever changed the threat intelligence landscape. 

Like any other covert action, a nation-state sponsored cyber attack is designed to cause as much damage as possible, while maintaining plausible deniability for guilty parties. 

Threat intelligence on these APT groups became known as Cyber Threat Intelligence. 

CTI analysts analyse the tactics, techniques, and practices of these groups. They collect everything from the groups’ malware to their chat logs to build a full profile for defensive purposes. 

Since the rise of APTs in the mid-2000s, the field of CTI has had to  evolve and adapt to new threats and attack styles. Threat actors less sophisticated than APTs can now emulate many of the tactics APTs use. 

As a result, CTI has had to expand to collect intelligence on these groups as well. CTI is now not only crucial for governments, but also private organisations and businesses. 

2021 saw a 1,885% increase in ransomware attacks. This was an unprecedented increase with the healthcare industry alone reported a 775% increase in cyber attacks. 

CTI is not only for large businesses either, roughly 60% of ransomware attacks target businesses with less than 500 employees. However, building a CTI team is easier said than done. Collecting intelligence on relevant threat actors is often a time consuming and expensive task. 

What we see time and time again is the “it won’t happen to us” conversation which can then turn into…

Why didn’t we know about this?! 

The question posed by the CEO or MD when there has been a data breach.

Here at SOS Intelligence, it’s our mission to provide cyber threat intelligence that won’t break the bank and is accessible. You don’t need a big team to use it.

Our Open Source Intelligence (OSINT) tool automatically collects and aggregates data from the top cybercriminal forums, including some private forums. 

Using the web UI or the custom API, you can set alerts for keywords like emails or usernames. If a keyword is posted on one of the many forums we monitor, you will get an immediate alert via several communication channels. 

Using our OSINT tool you will have the capabilities of a full CTI team, minus the overhead and head count.

Save yourself the headache and risk, let SOS Intelligence be your eyes and ears in the dark world cyber criminals have built online.

Cyber Threat Intelligence is clearly an essential pillar of a modern defence strategy, but don’t take our word for it. Let’s look into a case involving CTI…

LAPSUS$ – A Study of Cyber Threat Intelligence Successes

There is no better case study of modern Cyber Threat Intelligence than the case of the international hacking group known as LAPSUS$. 

LAPSUS$ was first noticed in early December of 2021 when the group compromised systems belonging to the Brazilian Ministry of Health. This attack was a classic extortion attempt and would pale in comparison to LAPSUS$’s later attacks. 

It took the Brazilian government more than a month to make a full recovery, the attack effectively halted the roll out of Brazil’s COVID-19 vaccine certification app; ConectSUS. 

Over the next few months LAPSUS$ would go on to breach several more companies, including Impresa, a Portuguese media company and Vodafone Portugal. LAPSUS$’s first 5 attacks took place in quick succession, in just 3 months. 

The group exclusively targeted Portuguese localised companies leading many CTI researchers to suspect the hackers were located in Brazil or Portugal. Members of the group solidified this suspicion, using slang like “kkkkkkkkk” the Portuguese equivalent of the English slang “hahaha”.

LAPSUS$ member using Portuguese slang in Telegram chat

LAPSUS$ was put on the map after the attack on the Brazilian Ministry of Health garnering headlines like “Lapsus$: The Hot New Name in Ransomware Gangs” and “Watch Out LockBit, Here Comes Lapsus$!”. 

While these headlines were catchy, the articles themselves offered no insight into the tactics or motivations of the group. At the time, many thought LAPSUS$ was just like any other ransomware/extortion group, financially-motivated with the goal of encrypting or exfiltrating data and holding it for ransom. 

However, LAPSUS$’s next attack would challenge everything we thought we knew about LAPSUS$. On February 25th 2022, GPU chipmaker Nvidia announced it was investigating an “incident” that knocked some of its systems offline for 2 days. 3 days later LAPSUS$ announced “We hacked NVIDIA” on their telegram…

NVIDIA hacked

 LAPSUS$’s breach of Nvidia was, no doubt, a big deal, but what was far more interesting were their demands. 

More often than not, hacking groups fall into one of 3 motivational categories: financially-motivated, ideologically-motivated, or state-sponsored. Up until the Nvidia breach LAPSUS$ fell squarely in the financially-motivated category, but their unusual demands for Nvidia changed this fact. 

Instead of demanding money or selling the data to the highest bidder, LAPSUS$ demanded Nvidia release their GPU drivers as open source software. Naturally, Nvidia refused to release their code. In response LAPSUS$ would leak some source code from Nvidia on in their Telegram group, but nothing all that interesting or noteworthy. 

Less than 2 weeks after the Nvidia breach, LAPSUS$ announced they had compromised Samsung. The attackers stole roughly 200 gigabytes of data which included some source code for the Samsung Galaxy. 

By this point, threat intelligence researchers were keenly aware of LAPSUS$’s tactics, techniques and procedures. CTI analysts drew up models of how LAPSUS$ operates, giving defenders insight on how to avoid a possible breach. 

Intrusion Analysis Diamond model for LAPSUS$

Continuing their attacks on large tech companies, LAPSUS$ compromised Microsoft. Again, the group started exfiltrating source code. 

LAPSUS$ was able to download the partial source code for Bing, Bing Maps, and even some Windows code. However, Microsoft CTI researchers were able to halt the download before it could be completed. LAPSUS$ mentioned in a public Telegram chat how they were able to access Microsoft systems before the data exfiltration had finished. 

LAPSUS$ chat about MS

Microsoft’s threat intelligence team had been monitoring this chat and was able to stop the exfiltration in real-time. That’s something even advanced EDR software can’t do. While LAPSUS$ would never admit their mistakes, one member did acknowledge the download was interrupted.

A close call for MS

LAPSUS$ would soon after be exposed to be led by a teenage boy out of the United Kingdom who was arrested with six other teenagers associated with the group. Many still suspect there may have been a member located in Brazil, but as of now, this has not been confirmed. 

The LAPSUS$ affair is an excellent showcase of how Cyber Threat Intelligence can protect your organisation from advanced and emerging threat actors.

The SOS Intelligence toolkit can provide you and your company the capability to monitor threats like LAPSUS$. Just as Microsoft leveraged CTI analysis to minimise damage of the LAPSUS$ attack, your organisation can use our CTI tools.

The SOS Intelligence toolkit includes advanced CTI tools capable of monitoring both Dark Web and Clear Web hacking forums and chats. Protect your assets from sophisticated threats today by checking out the SOS Intel toolkit.

Would you like to discover how SOS Intelligence can help you mitigate the cyber threats?

Click the link below to book a call: https://tinyurl.com/sosinteldemo

FAQ

What is Cyber Threat Intelligence?

Cyber Threat Intelligence or CTI, is the process of collecting and analysing threat actor’s behaviours. CTI analysts build profiles of known threat actors by investigating their Tactics Techniques and Procedures (TTPs).

How is Cyber Threat Intelligence used?

Network defenders use profiles as well as the TTPs collected by CTI analysts to make informed decisions on how to protect their network. 

Threat actors will often reuse attack vectors on many targets. When CTI analysts discover these attack vectors, they pass on the information to defenders. 

Cyber Threat Intelligence provides the defenders the ability to fight existing and emerging threat actors. 

What is a CTI framework?

A Cyber Threat Intelligence framework is an organisational tool for CTI analysts. There are many CTI frameworks, one of the most popular being the MITRE ATT&CK framework.

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Source: https://attack.mitre.org

Why is Cyber Threat Intelligence Important?

Much like a physical conflict, cyber conflicts need proactive intelligence for good defence. 

Cyber criminals often use forums and chat rooms to communicate with each other. Infiltrating these groups can provide great insight into upcoming and ongoing cyber attacks. 

With the shocking increase of ransomware attacks, proper threat intelligence has become imperative. Ransomware groups are tracked and monitored day and night by CTI analysts. Analysts then alert defenders to a possible breach or upcoming attack. 

Who do cyber criminals target?

The cyber criminal atmosphere is constantly evolving, but most cyber criminals fall into one of three categories. 

First, you have your typical financially-motivated cyber criminal. These threat actors are motivated by one thing and one thing only; money. 

They will scam, hack, and steal anything or anyone for money. In fact, sometimes they scam other cyber criminals! 

The second category is the ideologically-motivated threat actor. Often dubbed hacktivists, these cyber criminals care less about money and are motivated by a political cause. Prime examples of “hacktivist” style hacking groups are “AgainstTheWest” or “Anonymous”. 

The third and most dangerous category is the state-sponsored threat actor. These threat actors work directly or indirectly for a nation-state. 

State-backed threat actors have almost unlimited resources as well as legal protection provided by their government. CTI analysts classify these groups as Advanced Persistent Threats or APTs. 

While not every APT group is state-backed, all state-backed groups are APTs. For cyber criminals, their motivation is the key behind who they target. Financially-motivated cyber criminals often target businesses both small and large. 

Ideologically-motivated threat actors tend to target governments, institutions, or individuals who they deem political enemies. State-backed threats have very specific targets given to them by whatever nation-state they work for. These targets often control vital systems, i.e. energy companies or defence contractors.

Photo by Philipp Katzenberger on Unsplash

"MI6"/
Opinion

MI6 to work with more tech companies

by Amir Hadzipasic
November 30, 2021

In his first speech as the new MI6 boss, Richard Moore has made it very clear that they need to work with innovative technology companies to help protect the UK in the future. He spoke at The International Institute for Strategic Studies today.

“I cannot stress enough what a sea change this is in MI6’s culture, ethos and way of working, since we have traditionally relied primarily on our own capabilities to develop the world-class technologies we need to stay secret and deliver against our mission”.

Guardian
Richard Moore

He emphasised how we are living through times where adversaries are feeling emboldened and have greater than-ever resources. He said how our world is being transformed by digital connectivity, increases in data and computer power.

He said he is paid to look at the threats and he said that the cyber attacks are growing exponentially.

His mission as Chief is to oversee the modernisation of MI6 and investing in the skills that they need in the digital age and partner with the right people and companies to help them stay ahead of our adversaries.

What we do here at SOS Intelligence, Dark Web Threat Intelligence plays a small, but important role in enabling companies and organisations to monitor what is happening on the Dark Web.

Focus on cyber threats

MI6’s focus on cyber threats is nothing new. They explicitly list this on their website:

The world increasingly interacts digitally through cyber space. Alongside the many benefits, it leaves individuals, organisations and governments open to cyber risks. These include the possibility of hostile cyber intrusions or attacks against the UK and the UK’s interests. The National Security Strategy identifies this as one of the four main areas of security risk to the UK.

Working as part of a cross-government effort, including GCHQ and it’s National Cyber Security Centre (NCSC), MI5 and law enforcement, SIS provides secret intelligence to help protect the UK from current and future cyber threats. These can come from a range of cyber actors, such as malign states, terrorists and/or criminals.

MI6
"Ransomware"/
Ransomware, The Dark Web

Keeping track of the CL0P ransomware group

by Amir Hadzipasic
November 29, 2021

We’ve been featured again over on ITPro. This time it’s about the latest CL0P ransomware group and the news that they have been busy compromising Swire Pacific Offshore (SPO). They announced it had fallen victim to a cyber attack with “some confidential proprietary commercial information” along with personal information believed to be stolen.

ITPro. article

Sadly, this is an all to common occurrence and one which is increasing in frequency.

If you are concerned about your cyber security and need to monitor the Dark Web, then please schedule a demo. The best 30 minutes you’ve ever spent cold possibly be a slight exaggeration, but you never know!

You can also follow us on Twitter – @sosintel

Photo by Oxa Roxa on Unsplash.

1 2
Recent Posts
Recent Comments
    Privacy Settings
    We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
    Youtube
    Consent to display content from - Youtube
    Vimeo
    Consent to display content from - Vimeo
    Google Maps
    Consent to display content from - Google
    Spotify
    Consent to display content from - Spotify
    Sound Cloud
    Consent to display content from - Sound
    Save