Customer portal
Articles Tagged with

dark web threat tracking

"Compromised
Uncategorized

Compromised Password Analysis

How threat actors target your credentials and what you can do to protect yourself

Across the dark web, and shadier parts of the clear web, there is a booming marketplace for compromised credentials.  Threat actors are looking to make a quick return can monetise your sensitive data, leaving you vulnerable to further compromise.  So how do threat actors get ahold of your credentials, and what can you do to protect yourself?

How do threat actors get your credentials?

Threat actors have an arsenal of tools and techniques for obtaining credentials to facilitate further criminal activity. These range from the highly technical to meticulously researched to plain and simple brute force.  We discuss a sample of these techniques below to assist you in understanding how threat actors can obtain your credentials.

Malware

For the more technically-minded, malware can be utilised to intercept passwords being input across the internet, or just simply to steal passwords from your device.

A “man-in-the-middle” attack sees a threat actor tactically position themself between a victim and the service the victim is accessing.  While the victim is inputting their credentials, the threat actor can see the input and capture this for their use.  This technique has commonly been utilised with banking trojan’s, such as TrickBot.

Once installed on a victim’s device, TrickBot would identify when victims attempted to access banking services online and provide them with a cloned website, controlled by the threat actor.  Subsequently, they would then be able to see what the victim was typing, thereby gaining access to their login details.  To preserve the illusion that nothing was amiss, the threat actor would then redirect the victim to the legitimate site as if they were logged in.  The threat actor would then capture the victim’s credentials, allowing them to log in whenever they saw fit.

Infostealer malware is much simpler.  Once installed on a device, it can quickly query common areas of a device used for password storage, and send this data to a waiting server controlled by a threat actor.  Owing to the various deployment methods used, threat actors can quickly generate a large volume of content from infostealer malware.  This content is then sorted and sold online, or at times even given away.  Further information regarding infostealer malware can be found in our article here.

Phishing

Phishing requires an element of trickery from the threat actor.  In this situation, they are portraying themselves as something they aren’t to trick the victim into divulging their credentials.  This can often be in the form of messages (email, SMS etc) asking victims to clarify their credentials associated to a legitimate service, i.e. banking, or premium services such as Netflix.  The threat actor will also provide a convenient link for the victim however, this link will invariably lead to a cloned website controlled by the threat actor, who can then collect credentials as victims input them.

Social Engineering

Remembering passwords for all the different services we use can be tiresome.  It has been estimated that the average person has over 100 passwords to remember.  Therefore it’s only natural that we utilise the things in our lives that matter most when coming up with passwords.  Significant dates, names of pets, and our favourite locations.  All can be useful when creating passwords as you’re more likely to remember these details.

The problem comes with our online activity.  Many people are very public about what they post online, and we talk about the things we like and what’s important to us.  If we’re then using those important things to generate our passwords, it becomes very easy for threat actors to do a little research into us to discover those passwords for themselves.

As an example, we have identified within our data collections that “fiona2014” is one of the most commonly used passwords.  If someone were to be using this password, it could be very easy to use social engineering to obtain it.  It would be straightforward to talk to someone, engage them about their life, and quickly find out they have a daughter called Fiona who is 10 years old.  Putting these details together we can come to “fiona2014”.

Dictionary Attacks

We are inundated with accounts requiring passwords, so it is common for people to use simple passwords to avoid having to remember anything too complex.  Threat actors rely on this as the basis for a “dictionary attack”.  Years of data regarding passwords has allowed for generating files containing thousands of common passwords and their variants.  These files then allow a threat actor to query a service, armed with a victim’s email address, and try each password until the service allows them to log in.

Thankfully, dictionary attacks are somewhat easier to defend against.  Most services will now only allow a few login attempts before any suspicious activity is flagged and the account is locked down.  Threat actors will constantly look for methods to bypass this security, so the best option is to keep those passwords unique.

Brute Force

When finesse will not work, take a sledgehammer to the door.  Brute force requires a threat actor to have some coding knowledge.  They can write code which will query a service to attempt a login, but instead of being more methodical, this method is more trial and error.  Commonly, brute force attacks will iterate through millions of potential combinations to find the correct password (assuming that any security the service has does not lock the account down).  This method can be more easily defeated by using longer, more complex passwords, and we will explain why shortly.

Brute force attacks can also occur when a threat actor obtains a username:password combination for a particular site.  Banking on poor password hygiene, they will attempt the same combination across multiple sites to see if there has been any password reuse.

What happens when your credentials are compromised

What happens when credentials are compromised depends on who the victim is.

Compromise of personal accounts tends to provide threat actors with access to various services and information, including the victims’ banking, online shopping, premium entertainment services etc.  These have some value to others, who may want the benefits of those services without having to pay, e.g. to watch Netflix, listen to Spotify etc.  These types of data will often be grouped and sold in bulk on online forums for a fraction of the cost of the service they give access to.

Real value for threat actors comes from compromised corporate accounts.  These accounts allow a threat actor to access a corporate system, giving them a platform to launch further criminal activity.  There is an entire marketplace dedicated to gaining initial access to corporate systems – initial access brokerage – and depending on the size of the victim, can bring in thousands of pounds for the threat actor selling credentials.  Such access can be a precursor to more serious cybersecurity events, such as data theft/loss, or the deployment of ransomware.

Password hygiene and habits

Now for the statistics.

We have taken a sample of data collated by SOS intelligence in March 2024, totalling over 10 million passwords obtained by infostealer malware.

The most common password length was 8 characters, with an average length across the dataset of 10.5.  This was to be expected as 8 characters is often presented as a minimum across many password policies.  Additionally, it’s also the number of characters in “password”…

Top 20 most common passwords
PasswordCount
12345651022
admin22322
https16682
1234567816525
12345678915737
123458958
Profiles8611
password6533
Opera3946
12345678903326
1231233093
12345672923
Aa1234562866
Kubiak222821
Pass@1232761
Password2665
1111112488
fiona20142206
123456789102043
P@ssw0rd2029

On that note, the word “password”, and numerous variants utilising common character substitutions, appeared over 37,000 times.  “admin” appeared more than 22,000 times, while “https” was used more than 16,000 times.  This is concerning as dictionary attacks will often focus on keywords such as this first, knowing they are so common.  “admin” is frequently used as a default password on routers and other IoT devices which highlights the ongoing vulnerability of these devices.

In total, approximately 1 million passwords contained only digits, while approximately another 1 million contained only letter characters.  Overall, over 7.5 million passwords contained no special characters.

So the fundamental question is, why are these statistics important, and how can we use them to improve our password hygiene?

Password strength works based on “entropy” – the measure of randomness or uncertainty of the password.  Password entropy allows us to quantify the difficulty or effort required to guess, or “crack”, a password using brute force or other similar methods.  As a general rule, higher entropy passwords are deemed stronger and more secure.

We measure entropy in bits. The number of bits a password has indicates how strong it is.  The basic formula for calculating entropy looks like this:

 Entropy = log2​(NL)

Where:

  • N is the number of possible characters in the character set used for the password
  • L is the length of the password (in characters)
  • log2 is the base-2 logarithm

Taking this formula we can see that the longer a password is, and the more characters it pools from, the higher entropy it will have.  We can visualise this with our data.

Using a length of 8 (being the most commonly seen) we can see the entropy when different sizes of character sets are used:


NumericalSingle CaseAll CaseAlphanumericAlphanumeric w/ Special Characters
Total # of characters1026526292
Entropy26.5837.6045.6047.6352.19

If we increase the password length to 12, strength increases significantly:


NumericalSingle CaseAll CaseAlphanumericAlphanumeric w/ Special Characters
Total # of characters1026526292
Entropy39.8656.4168.4171.4578.28

Based on the above, working at 1000 guesses per second, a brute force attack on an 8-character numerical password would take about 27 hours.  However, a similar attack on a 12-character password utilising alphanumeric and special characters would take roughly 11.5 billion years!

The key factor to note here is that there is a reason we’re always asked for longer passwords with uppercase, lowercase, numbers and special characters – they’re that much stronger and secure.

So a crucial question remains; what should be done with this information?  We sincerely hope that what we’ve discussed here will highlight the need for strong and enforced password policies.  These should factor in the following:

  • Use of alphanumeric and special characters
  • Mandatory lengths (at least 10, but longer is better)
  • No password reuse
  • Frequent and enforced password changing.

Wherever possible, we would highly recommend the use of password managers.  They can save a lot of time for users, allow for significantly more complex passwords to be used, and only require the user to remember one password.  We don’t recommend using one product over another, but one such example would be KeePassXC.  KeePassXC is a host-based password vault which keeps passwords encrypted when not in use.  It offers numerous options for password generation, varying on characters used, length etc.  The benefits of this are that you can generate passwords up to 128 characters long, which simply need to be copied and pasted whenever they are required.  Here is one such example with an entropy value of 715:

J4kKutHec3RYxQo3kpm4mot5EAVp&opRCSr&x4J5r%fQ$XxzrjdW2ZgRg@k42XhA@zz`S4ofiR4~^s`&43zZ@JQ&qQ$Mad2^jtQdHSZ@hbJbVk5Qabvs5Kc$KW3#W@Rm

What our external research shows

Research conducted by NordPass in 2022 identified that the average person has approximately 100 user accounts requiring password verification.  This is the most probable cause for password reuse and password fatigue; where users are exasperated by the constant need to generate unique strong passwords and fall into a habit of using weak, easy-to-remember passwords, or reusing old ones. Verizon’s Data Breach Investigations Report, published in 2021, estimates that 80% of hacking-related breaches were a result of stolen or brute-forced credentials.  This number could be significantly reduced by ensuring and maintaining good password hygiene.

Forgetting passwords can have a significant impact on the password owner, the services they use, and the organisations they work for:

  • Research firm Forrester has indicated that, for some organisations, the costs associated with handling password resets could be up to $1 million USD per year.  Gartner estimates that around 40% of help desk queries in large companies relate to password resets, taking up a substantial part of billable work, and taking focus away from more business-critical support.
  • In 2017, MasterCard and the University of Oxford published a study looking at users of online shopping platforms.  Their research indicates that 33% of users would abandon a purchase if they could not remember an account password, while 19% would abandon a purchase while waiting for a password reset link.
  • Chainalysis, a cryptocurrency data firm, estimates that 20% of all mined Bitcoin are locked in lost or otherwise inaccessible wallets.  In one such example, one user has 7002 Bitcoins locked within a hard drive, which risks being encrypted following two more incorrect password attempts.

What is SOS Intelligence doing, and how can it benefit you?

At SOS Intelligence, we understand the risk that credential theft can pose to the security of your data.  What we can provide is early detection for when your data has been exposed. 

We are actively collecting and analysing stolen credentials from multiple sources which feeds into our intelligence pipeline.  Within moments of ingestion, we can generate bespoke alerts for you to indicate when you may be at risk.  Early detection is vital to allow you to take action before an issue becomes serious and impactful against your business.

If you are serious about your cyber security, why not book a demo?

Photos by Ed Hardie on Unsplash,  Ryunosuke Kikuno on Unsplash, Joshua Hoehne on Unsplash

"SOS
Product news

Introducing the SOS Intelligence Source Library

Amir and Daniel

I’m delighted to announce that last week we launched our newest feature, the Source Library for paying customers. This has been in development for the past few months and the team has done an outstanding job getting this live. Thank you guys!

I sat down with Daniel, our Threat Intelligence Analyst and frequent guest on our webinars to run through the specifics.

You can see what we covered below:

  1. Introduction of the Source Library: this has been developed in the background over the last few months and the team has done an excellent job. Having our new developer, Srdjan is already paying dividends.
  2. Purpose: The Source Library aims to provide customers with additional context and information about the sources being monitored, as well as specific alerts generated. This has been something that has been requested and gives the extra information which often helps with context and understanding of what is happening, or could happen.
  3. Strategic Decision: Integrating the Source Library into the platform was a strategic decision based on customer feedback and the direction of the platform. The 2024 roadmap is looking solid! We are always balancing the work required / difficulty and return.
  4. Collection Plan Management: The focus of the development was on managing the collection plan, which is crucial for the intelligence process, especially in content ingestion and matching.
  5. Features of the Source Library:
    • Provides a browsable view of all collection sources with status indicators making it easy to read.
    • Includes tags for categorizing sources based on topics – this is extremely useful for marking and returning to data.
    • Implements a risk scoring system for each source based on various factors, showing the high risk items.
    • Offers transparency and visibility to our customers.
  6. Continuous Development: The Source Library is considered a living thing and will be continuously updated and expanded as the platform evolves.
  7. Ransomware Data and Statistics: Customers can access ransomware statistics, filtering by industry vertical, group, and time period, to understand the frequency and distribution of ransomware attacks.
  8. Integration with Alerts: Each alert references a collection source, allowing users to quickly assess the risk level associated with the alert based on the source’s risk score.

I’d like to highlight the importance of listening to our customers. We pride ourselves on actively listening to feedback and requests. Whilst not all may be feasible, a lot are and we are focused on continuing to launch new features based on customer needs.

Thanks again to Daniel and Srdjan for the work on this!

If you have any questions about the source library or SOS Intelligence in general and how it can become part of your companies’ cyber protection, please do get in touch.

Photo by Ryunosuke Kikuno on Unsplash

"SOS
SOS Intelligence Webinar

Special launch webinar for UK Charities, NHS Trusts and Schools – February 22nd

To celebrate the launch of the special plan we just announced, we are having a webinar on Wednesday February 22nd at 11am and you’re invited.

Sign up here for the webinar.

Join us on the webinar to learn why we are doing this, how to apply and the details of the special plan.

Who is this for?

  • Senior Managers
  • IT and Security teams
  • Anyone with a responsibility for data
  • NHS Trust Heads
  • School Heads
  • SLT of charities

You will learn:

  • Why cyber threat intelligence and especially on the Dark Web is so vital
  • How the world has changed
  • Data diligence
  • Why we are launching this special plan and how to apply
  • Plan details

If you are a UK Charity, School or NHS Trust, you can apply for a special plan with SOS Intelligence, which gives you the first six months for free. 

You can apply now by clicking here.

We look forward to seeing you!

"Cyber
Product news

A Special Cyber Threat Intelligence Plan for UK Charities, NHS Trusts and Schools

We like brands, companies and organisations that do the right thing. They are for good. They want to help. Their product or service is helpful, is useful and goes some way to fight the bad in the world, and let’s face it, there is way too much of that right now.

So, we are also going to try and do the right thing. We are a startup, a fledgling business and one which has not got endless reserves and pots of cash. But, we strongly believe that by helping people we can develop a loyal customer in the future…

From today, if you are a UK charity, a NHS trust or UK school, you can apply for a special account with SOS Intelligence, which gives you the first six months for free. An application takes seconds and once approved, you can up and running in minutes. We are offering this as we know this can make a huge difference to your cyber security, and we know that is more and more important.

Apply here.

What does this account include?

  • 10 Keyword Limit
  • 3 User Account Limit
  • Breach Monitoring, OSINT & Dark Web 
  • Excludes Domain Monitoring. 
  • Email Notification.

After the six months free time period, this will cost £200+VAT per month or £1,920+VAT with a 20% discount for 1 year.


We have seen time and time again that organisations who don’t act, even with intelligence we’ve come across ourselves, leave themselves open to tremendous risk.

Charities at increased risk

A new threat report published by the NCSC reveals why the charity sector is particular vulnerable to cyber attacks, the methods used by criminals, and how charities can best defend themselves.

 “More charities are now offering online services and fundraising online, meaning reliable, trusted digital services are more important than ever. During the Ukraine crisis, we saw more criminals taking advantage of the generosity of the public, masquerading as charities for their own financial gain.”
Lindy Cameron, NCSC CEO

You can read their blog post here and download the report here.

Just one set of compromised credentials is it all takes. Imagine, if you will, knowing when a user has been compromised and so you can act and secure the account. Imagine seeing an alert, almost in real time, where some of your data has been posted on a dark web forum.

Intelligence means you can do something about it.

Please do share this far and wide – we want to help! 🙂

Apply here.



FAQs

  1. Who can apply? This is open for any UK charity, NHS trust or school. If you are a non-profit, don’t fit in these categories, but think you should be considered, you can fill out the form here and click no to the fit question – you will be prompted to enter more information and we will get back to you.
  2. How long is the free account for? It is for six months from the date of account sign up. When this period has finished, you will be charged on the card you used for sign up. The annual version gives you a 20% discount and is by far the most popular option.
  3. What if I don’t want to continue using SOS Intelligence? You will need to tell us prior to the end of the six months as otherwise you may be charged.
  4. Do you provide training? At present, we offer email support and screencasts to get you up and running.
  5. What is the process to apply? To apply, head on over to the application form here and we will be in touch as soon as possible. If successful you will receive an email with a link to sign up and a voucher code to use to give you the six month free access. 
  6. Do I need to add credit card details on sign up? Yes, we use Stripe for payment and this requires card details. However, you will not be initially charged as you will use a six month free voucher. At the end of the six months the plan will renew using the card details provided.
  7. What about domain / typo / squatting monitoring? This is not included on this plan but is on the Pro or Enterprise plans.
  8. What is typo-squatting? Typo-squatting is the act of registering domain names, i.e. Web Domains that look similar to your legitimate domain name. Cyber Criminals may by several domains across a number of different Top Level Domain Registrars. Typo-squatting could be used against you, as a business to phish your employees or customers or in order to contact fraud under your name or brand. Most common occurrence is 419 Advance Fee Fraud. 

    SOS Intelligence monitors recently registered domain names from a large number of Top Level Domain Registrars and scans those against you domain type keywords.
"SOS
Product news, The Dark Web

SOS Intelligence Dark Web Map

We thought it would be interesting to show you something we generate every now and again…

That is our representation of the SOS Intelligence Dark Web Index, the physical placement of the nodes represents the interconnectivity between onion services on the Dark Web (Tor).

It is an energy model of the network structure of the Dark Web.

The diagram is a visual representation of an energy model of the network structure for interconnecting onion services 

Essentially, If a node has a lot of links, it has a heavier weight applied to it.

If a node has fewer links, it has a lighter weight applied to it and has less weight represented. The more links, the more central we represent that node on the map. Therefore onion services with fewer inbound or outbound links get ‘pushed’ outward to the edges of the map. Onions with more links weigh more so are positioned more centrally.

The colour is a computed modularity class – the social network of the nodes. We have calculated the community networks of the nodes. i.e. how likely it is that a node is linked to other nodes within the network. 

What we get is a spatial representation and social network of around 43000 nodes in the past 24 hours.

The colour itself is random, but the membership of the colour is representative of their social network. What we don’t mean is their Facebook membership, but rather their community connections within the Dark Web.

The visualisation is stunning when seen on a large screen so we have made this available to download here in 4K.

SOS Intelligence Dark Web Render

If you are feeling kind, a tweet or short blog post about this would be much appreciated 🙂

"Go-Ahead
Opinion, The Dark Web

Major UK transport company battles cyber-attack

Another week and yet another cyber-attack on a major UK company. The Guardian broke the news yesterday highlighting that Go-Ahead are facing problems with their back office systems, including bus services and payroll software.

Fortunately it is only affecting the bus services they run and not their rail business.

There are a couple of important things to note here. Firstly, the UK and other countries are seeing more threats to government organisations, transport and infrastructure companies. Infrastructure, by it’s nature, is vital to the smooth running of a countries’ daily life and an interruption to this can cause serious problems.

One of the most infamous cyber attacks to infrastructure took place last year when hackers breached the Colonial Pipeline using a compromised password.

The key aspect of this case was that investigators suspect hackers got password from dark web leak. This scenario is a perfect demonstration of how SOS Intelligence could have helped, alerting the company to this in time and possibly preventing what happened.

In the UK, companies have faced sizeable fines when they have been the subject of a breach and lost customer data.

British Airways was told in July 2019 that it faced a fine of £183m after hackers stole the personal information of half a million customers. Eventually they paid £20M, still a considerable amount.

If you are reading this and wonder if we can help, we probably can. You can book a call and demo here.

"Cyber
Opinion

What is Cyber Threat Intelligence?

You may have heard of the term “Cyber Threat Intelligence”, sometimes abbreviated as “CTI”. 

The term is often thrown around with little to no explanation, so, what actually is CTI? It’s always useful to know what an acronym means 🙂

The origin of the term can be traced back to 2009 in reference to research on the Tactics, Techniques, and Practices (TTP) of APT 1. 

Traditional threat intelligence, meaning the collection and dissemination of intelligence of emerging and reoccurring threats, was a key part of the intelligence apparatus during the Cold War. 

However, traditional threat intelligence is a very general term, referring to intelligence on anything from nation-states to small guerrilla insurgent groups. 

The rise of Advanced Persistent Threats (APT) forever changed the threat intelligence landscape. 

Like any other covert action, a nation-state sponsored cyber attack is designed to cause as much damage as possible, while maintaining plausible deniability for guilty parties. 

Threat intelligence on these APT groups became known as Cyber Threat Intelligence. 

CTI analysts analyse the tactics, techniques, and practices of these groups. They collect everything from the groups’ malware to their chat logs to build a full profile for defensive purposes. 

Since the rise of APTs in the mid-2000s, the field of CTI has had to  evolve and adapt to new threats and attack styles. Threat actors less sophisticated than APTs can now emulate many of the tactics APTs use. 

As a result, CTI has had to expand to collect intelligence on these groups as well. CTI is now not only crucial for governments, but also private organisations and businesses. 

2021 saw a 1,885% increase in ransomware attacks. This was an unprecedented increase with the healthcare industry alone reported a 775% increase in cyber attacks. 

CTI is not only for large businesses either, roughly 60% of ransomware attacks target businesses with less than 500 employees. However, building a CTI team is easier said than done. Collecting intelligence on relevant threat actors is often a time consuming and expensive task. 

What we see time and time again is the “it won’t happen to us” conversation which can then turn into…

Why didn’t we know about this?! 

The question posed by the CEO or MD when there has been a data breach.

Here at SOS Intelligence, it’s our mission to provide cyber threat intelligence that won’t break the bank and is accessible. You don’t need a big team to use it.

Our Open Source Intelligence (OSINT) tool automatically collects and aggregates data from the top cybercriminal forums, including some private forums. 

Using the web UI or the custom API, you can set alerts for keywords like emails or usernames. If a keyword is posted on one of the many forums we monitor, you will get an immediate alert via several communication channels. 

Using our OSINT tool you will have the capabilities of a full CTI team, minus the overhead and head count.

Save yourself the headache and risk, let SOS Intelligence be your eyes and ears in the dark world cyber criminals have built online.

Cyber Threat Intelligence is clearly an essential pillar of a modern defence strategy, but don’t take our word for it. Let’s look into a case involving CTI…

LAPSUS$ – A Study of Cyber Threat Intelligence Successes

There is no better case study of modern Cyber Threat Intelligence than the case of the international hacking group known as LAPSUS$. 

LAPSUS$ was first noticed in early December of 2021 when the group compromised systems belonging to the Brazilian Ministry of Health. This attack was a classic extortion attempt and would pale in comparison to LAPSUS$’s later attacks. 

It took the Brazilian government more than a month to make a full recovery, the attack effectively halted the roll out of Brazil’s COVID-19 vaccine certification app; ConectSUS. 

Over the next few months LAPSUS$ would go on to breach several more companies, including Impresa, a Portuguese media company and Vodafone Portugal. LAPSUS$’s first 5 attacks took place in quick succession, in just 3 months. 

The group exclusively targeted Portuguese localised companies leading many CTI researchers to suspect the hackers were located in Brazil or Portugal. Members of the group solidified this suspicion, using slang like “kkkkkkkkk” the Portuguese equivalent of the English slang “hahaha”.

LAPSUS$ member using Portuguese slang in Telegram chat

LAPSUS$ was put on the map after the attack on the Brazilian Ministry of Health garnering headlines like “Lapsus$: The Hot New Name in Ransomware Gangs” and “Watch Out LockBit, Here Comes Lapsus$!”. 

While these headlines were catchy, the articles themselves offered no insight into the tactics or motivations of the group. At the time, many thought LAPSUS$ was just like any other ransomware/extortion group, financially-motivated with the goal of encrypting or exfiltrating data and holding it for ransom. 

However, LAPSUS$’s next attack would challenge everything we thought we knew about LAPSUS$. On February 25th 2022, GPU chipmaker Nvidia announced it was investigating an “incident” that knocked some of its systems offline for 2 days. 3 days later LAPSUS$ announced “We hacked NVIDIA” on their telegram…

NVIDIA hacked

 LAPSUS$’s breach of Nvidia was, no doubt, a big deal, but what was far more interesting were their demands. 

More often than not, hacking groups fall into one of 3 motivational categories: financially-motivated, ideologically-motivated, or state-sponsored. Up until the Nvidia breach LAPSUS$ fell squarely in the financially-motivated category, but their unusual demands for Nvidia changed this fact. 

Instead of demanding money or selling the data to the highest bidder, LAPSUS$ demanded Nvidia release their GPU drivers as open source software. Naturally, Nvidia refused to release their code. In response LAPSUS$ would leak some source code from Nvidia on in their Telegram group, but nothing all that interesting or noteworthy. 

Less than 2 weeks after the Nvidia breach, LAPSUS$ announced they had compromised Samsung. The attackers stole roughly 200 gigabytes of data which included some source code for the Samsung Galaxy. 

By this point, threat intelligence researchers were keenly aware of LAPSUS$’s tactics, techniques and procedures. CTI analysts drew up models of how LAPSUS$ operates, giving defenders insight on how to avoid a possible breach. 

Intrusion Analysis Diamond model for LAPSUS$

Continuing their attacks on large tech companies, LAPSUS$ compromised Microsoft. Again, the group started exfiltrating source code. 

LAPSUS$ was able to download the partial source code for Bing, Bing Maps, and even some Windows code. However, Microsoft CTI researchers were able to halt the download before it could be completed. LAPSUS$ mentioned in a public Telegram chat how they were able to access Microsoft systems before the data exfiltration had finished. 

LAPSUS$ chat about MS

Microsoft’s threat intelligence team had been monitoring this chat and was able to stop the exfiltration in real-time. That’s something even advanced EDR software can’t do. While LAPSUS$ would never admit their mistakes, one member did acknowledge the download was interrupted.

A close call for MS

LAPSUS$ would soon after be exposed to be led by a teenage boy out of the United Kingdom who was arrested with six other teenagers associated with the group. Many still suspect there may have been a member located in Brazil, but as of now, this has not been confirmed. 

The LAPSUS$ affair is an excellent showcase of how Cyber Threat Intelligence can protect your organisation from advanced and emerging threat actors.

The SOS Intelligence toolkit can provide you and your company the capability to monitor threats like LAPSUS$. Just as Microsoft leveraged CTI analysis to minimise damage of the LAPSUS$ attack, your organisation can use our CTI tools.

The SOS Intelligence toolkit includes advanced CTI tools capable of monitoring both Dark Web and Clear Web hacking forums and chats. Protect your assets from sophisticated threats today by checking out the SOS Intel toolkit.

Would you like to discover how SOS Intelligence can help you mitigate the cyber threats?

Click the link below to book a call: https://tinyurl.com/sosinteldemo


FAQ

What is Cyber Threat Intelligence?

Cyber Threat Intelligence or CTI, is the process of collecting and analysing threat actor’s behaviours. CTI analysts build profiles of known threat actors by investigating their Tactics Techniques and Procedures (TTPs).

How is Cyber Threat Intelligence used?

Network defenders use profiles as well as the TTPs collected by CTI analysts to make informed decisions on how to protect their network. 

Threat actors will often reuse attack vectors on many targets. When CTI analysts discover these attack vectors, they pass on the information to defenders. 

Cyber Threat Intelligence provides the defenders the ability to fight existing and emerging threat actors. 

What is a CTI framework?

A Cyber Threat Intelligence framework is an organisational tool for CTI analysts. There are many CTI frameworks, one of the most popular being the MITRE ATT&CK framework.

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Source: https://attack.mitre.org

Why is Cyber Threat Intelligence Important?

Much like a physical conflict, cyber conflicts need proactive intelligence for good defence. 

Cyber criminals often use forums and chat rooms to communicate with each other. Infiltrating these groups can provide great insight into upcoming and ongoing cyber attacks. 

With the shocking increase of ransomware attacks, proper threat intelligence has become imperative. Ransomware groups are tracked and monitored day and night by CTI analysts. Analysts then alert defenders to a possible breach or upcoming attack. 

Who do cyber criminals target?

The cyber criminal atmosphere is constantly evolving, but most cyber criminals fall into one of three categories. 

First, you have your typical financially-motivated cyber criminal. These threat actors are motivated by one thing and one thing only; money. 

They will scam, hack, and steal anything or anyone for money. In fact, sometimes they scam other cyber criminals! 

The second category is the ideologically-motivated threat actor. Often dubbed hacktivists, these cyber criminals care less about money and are motivated by a political cause. Prime examples of “hacktivist” style hacking groups are “AgainstTheWest” or “Anonymous”. 

The third and most dangerous category is the state-sponsored threat actor. These threat actors work directly or indirectly for a nation-state. 

State-backed threat actors have almost unlimited resources as well as legal protection provided by their government. CTI analysts classify these groups as Advanced Persistent Threats or APTs. 

While not every APT group is state-backed, all state-backed groups are APTs. For cyber criminals, their motivation is the key behind who they target. Financially-motivated cyber criminals often target businesses both small and large. 

Ideologically-motivated threat actors tend to target governments, institutions, or individuals who they deem political enemies. State-backed threats have very specific targets given to them by whatever nation-state they work for. These targets often control vital systems, i.e. energy companies or defence contractors.

Photo by Philipp Katzenberger on Unsplash

"MI6"/
Opinion

MI6 to work with more tech companies

In his first speech as the new MI6 boss, Richard Moore has made it very clear that they need to work with innovative technology companies to help protect the UK in the future. He spoke at The International Institute for Strategic Studies today.

“I cannot stress enough what a sea change this is in MI6’s culture, ethos and way of working, since we have traditionally relied primarily on our own capabilities to develop the world-class technologies we need to stay secret and deliver against our mission”.

Guardian
Richard Moore

He emphasised how we are living through times where adversaries are feeling emboldened and have greater than-ever resources. He said how our world is being transformed by digital connectivity, increases in data and computer power.

He said he is paid to look at the threats and he said that the cyber attacks are growing exponentially.

His mission as Chief is to oversee the modernisation of MI6 and investing in the skills that they need in the digital age and partner with the right people and companies to help them stay ahead of our adversaries.

What we do here at SOS Intelligence, Dark Web Threat Intelligence plays a small, but important role in enabling companies and organisations to monitor what is happening on the Dark Web.

Focus on cyber threats

MI6’s focus on cyber threats is nothing new. They explicitly list this on their website:

The world increasingly interacts digitally through cyber space. Alongside the many benefits, it leaves individuals, organisations and governments open to cyber risks. These include the possibility of hostile cyber intrusions or attacks against the UK and the UK’s interests. The National Security Strategy identifies this as one of the four main areas of security risk to the UK.

Working as part of a cross-government effort, including GCHQ and it’s National Cyber Security Centre (NCSC), MI5 and law enforcement, SIS provides secret intelligence to help protect the UK from current and future cyber threats. These can come from a range of cyber actors, such as malign states, terrorists and/or criminals.

MI6
"Cyber
Product news, The Dark Web

Automating Cyber HUMINT Collection

This blog post will attempt to give a high-level overview of how we go about automating typically manual Cyber HUMINT ( “a category of intelligence derived from information collected and provided by human sources.”) collection. 

Significant elements of this blog will have to be described in general, non-specific, terms or redacted. Due to the nature of the work that we do, keeping our tradecraft methods, tactics and techniques private is important. The methods employed by us are not only commercially sensitive but over disclosure of specific details may render the methods ineffective.

Automating Cyber HUMINT Collection - SOS Intelligence
Screenshot of SOS Intelligence showing OSINT search

OSINT Source Selection

OSINT source collection SOS Intelligence
OSINT source

A fair amount of thought and research goes into selecting our OSINT (Open Source INTelligence) sources. For the most part, ideal collection sources would be ones that offer an API (Application Programming Interface) for information scraping and do so without significant restrictions. 

For example, Pastebin with a paid account grants access to a reasonable scraping API. Using this API we’ve been able to create a custom collection to download each paste, analyse it for relevant customer keywords and, if any matches found, store the paste & alert our customers.

In most cases, however, paste sites typically have no available APIs. Where these sites have a rolling list of new pastes posted, and those pastes can be enumerated & are publicly accessible, further development of a custom collection is required. 

An automated process is used to periodically check for new and available pastes, fetch those pastes in a raw format where possible, perform keyword matching and store where needed. A significant number of paste sites that we collect from, either on the internet or Dark Web, fall into this category. Generally there are no significant technical challenges other than the creation of a bespoke collection for each specific source type.

SOS Intelligence
URL code

As a general rule, for websites that do not have any specifically designed automated collection or scraping method, we apply a high degree of courtesy and do not aggressively scrape the site. 

Since the paste enumeration and paste collection is a fairly lightweight process, and given that pastes in general are uploaded every so often, there is no need for any aggressive polling of a target site.

SOS Intelligence
Lightweight and courteous collection

Authenticated Access

Member only Dark Web Forum
Member only forums

Some of the sources we collect from are closed, member only, Dark Web or internet hacking forums. Without going into too much detail as to how accounts are created on these forums, an account is essential since we must be able to access topics and posts as well as a roll of recent posts. 

In most cases forums helpfully provide a feed of new content by way of RSS (Really Simple Syndication) feed. This can in part, like an API, assist in the creation of a custom automated collection for that source. An additional caveat to this being that the collector passes credentials to the forum so as to appear to be a “logged in” user, e.g. simply viewing posts or browsing the forum. 

A good 30% of all the OSINT sources we collect from are authenticated. To maintain continuous automated collection, we ensure that we have a sufficiently well stocked array of back up accounts for each of the forums we collect from.

Bot Protection Bypass

In some cases the sources we collect from deploy DDoS or Bot Protection. The purpose of this is typically not to prevent scraping or automated collection but more to prevent the site from high volume denial of service attacks. 

The bypass for this defence varies depending on the source. In some cases, for example collection from Doxbin, we employed a CloudFlare challenge bypass method that essentially consists of:

  • Detecting the browser challenge.
  • Solving the challenge.
  • Passing the challenge answer back and obtaining a cookie.
  • Passing the cookie over to the collection processes to begin automated collection. 
  • Detecting when the cookie expires, ensuring any further challenge request are solved.
CloudFlare challenge bypass method
Bot Bypass
CloudFlare challenge bypass method
CloudFlare challenge bypass method

Even when fairly advanced bot/browser verification defences have been deployed by the target source, these have thus far all been mitigated and not prevented our automated OSINT collection. 

As for the Doxbin example, the challenge of bypassing their new bot protection was significant and on balance, considering the quality of the OSINT source, might not have been warranted. It was, however, still a challenge that couldn’t be left unmatched! 

CAPTCHA (Human Verification)

Raid Forums CAPTCHA
Raid Forums CAPTCHA

Automated solving of CAPTCHAs is tricky and is probably the toughest bypass we’ve had to solve so far. The amount of detailed technical information that we can share for how we go about bypassing CAPTCHA is very limited. However, it runs along similar lines to the browser challenge process, whereby detection of a CAPTCHA and the solving of it are tied into the automated collection functions. 

So far there are very few OSINT sources that employ this type of challenge and we’ve been able to mitigate these in all cases whilst maintaining automated collection.

Old school CAPTCHA
Old school challenge!

Staying Undetected

As with the above topic, it is tricky to discuss and share in any level of detail our methods for remaining “undetected“. However, in general we ensure that the accounts we use do not raise any significant cause for concern to the forum operators. 

In most cases, accounts with no post count after a number of months (or sooner!) are deleted. This means that our accounts must have some level of interaction with the forum, however minimal, to ensure their persistence. 

We try, wherever possible, to use Tor to access content. This helps preserve our anonymity in as much as not pinning our collectors down to one location. We also ensure we rotate things like user agents and other fingerprints to ensure relative anonymity. 

Then important aspect to blending in with the noise is ensuring that collection is not overly aggressive and not overly routine. We achieve this by randomising the frequency and timings of either enumeration of new posts, fetching / viewing posts or pastes. The key is to appear sufficiently “human“. This has afforded us the ability, in some cases, to collect with the same account for a year or more without administrator intervention. 

Detecting Faults

This can be even more challenging than bypassing CAPTCHA challenges. The goal for us is to ensure we have sufficiently robust detections for whenever a logged in session expires; a challenge pass expires; the very likely and common scenario of an overloaded website itself going offline or a Tor circuit is struggling. 

To ensure the best chance of successfully reaching a website over Tor, we employ a number of load balanced Tor routers that are themselves proxied and balanced to cater for our crawling services and automated collection. 

But things do go wrong, Tor is not the most reliable tool so our collection processes that utilise it have sufficient retry intervals and “back-off” intervals programmed into them. Should one of our requests result in a gateway time out the system will simply retry, hoping it is balanced to a less utilised Tor relay. 

At times we do get detected and blocked by forum administrators. In such instances, the system will attempt to detect any “authentication loops” and select another account to continue automated collection with. 

Some of the fault detection is relatively simple, such as enumerating how many pages a collection source has and iterating through each page until all pages have been collected.

SOS Intelligence Cyber HUMINT
Collection source
SOS Intelligence Cyber HUMINT
SOS Intelligence Cyber HUMINT

The process is not always perfect, but we try to monitor it and optimise wherever possible. We spend a lot of time on the initial development phases of a collection ensuring that all possibilities, within reason, are accounted for and once a collection goes into production that any following “cat and mouse” changes required are as minimal as possible. 

We hope this gives an insight into how SOS Intelligence works. We have a number of plans available and if you would like to schedule a demo, please click here.

Thanks for reading!

Amir

PS If you enjoyed this, we think you also enjoy An investigation into the LinkedIn data sale on hacker forums.

1 2
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Youtube
Consent to display content from - Youtube
Vimeo
Consent to display content from - Vimeo
Google Maps
Consent to display content from - Google
Spotify
Consent to display content from - Spotify
Sound Cloud
Consent to display content from - Sound