Customer portal
Articles Tagged with

SOS Intelligence

Home / SOS Intelligence
"SOS
Investigation, Ransomware

A Special Investigation exposing a ransomware group’s clear-web IP and their duplicate identities

Intro

Before we dive into this investigation it’s worth to just spend a brief moment to describe the Apache Server-Status page.

The Apache Server Status page is a diagnostics and metrics page provided by the mod_status module. When mod_status is enabled a metrics page is served via localhost on the /server-status path. 

This page is typically served via localhost only. It offers diagnostic information about the Apache service and client requests. It shows the full request URI and client IP information.

Serving this page in production, outside of localhost would be considered an information disclosure vulnerability and could offer an attacker information about client requests, essentially anything disclosed in a POST request URI or GET request. 

In the scope of Tor onion services where a Tor service is published it will inherently expose all localhost services to the entirety of Tor – therefore any services designed to be protected by the typically non externally routeable local loopback interface become externally accessible.

Locating Onions with Server-Status Pages

We must first export a list of all onions we are aware of that have server-status pages. One of the tasks we perform when crawling an onion service is to identify interesting paths and services. We perform a check for common directories such as server-status along with many others.

This process is identical to a directory enumeration, except for being far more optimised to ensure crawler performance is prioritised.

Therefore using our path API we are able to query for all onions we’ve found and that are operational with server status pages:

server path search for server-status pages API

We find that there are 1,370 results with server-status pages:

Search results JSON export

The next task is to compile a list of all known (relatively current) ransomware blogs. We do this by merging our own lists, those we’ve found via OSINT and other published ransomware group site lists.

Of those we find a total of 71 onion unique addresses, these include v2 and v3 onions.

Now we have a relatively straightforward task of cross-checking our server-status results against this list to see what ransomware group sites have server-status pages, if any.

We do this with a very simple bash script that uses the grep tool:

Checking out output we see that there are in total only 3 ransomware blogs/group sites:

Arvin Club, Haron & Midas

Checking the first, Arvin Club:

We see that the server status page presents a vhost of localhost, not much to go by!

We also note that the server is running Ubuntu and is located in the UTC time zone.

Haron Server-Status Page

Checking the Haron server-status page we see that again the vhost is localhost, the server is running Debian and the time zone is Moscow Standard Time (MSK)

Lastly, checking the Midas server status page:

Midas Server-Status Page

We see a VHOST that is not localhost, this time it shows as “Becquerel.selectel.ru”

A server running Debian and a time zone of Moscow standard time.

Becquerel.selectel.ru

The hostname exposed in the servers-status page for the Midas shows that the web server running the Midas blog is being hosted by Selectel a Russian cloud hosting company:


For at least a short period of time the clear web portion of the Midas blog was exposed to the internet allowing Google to crawl and index the server-status page. 

The Google Cache is of a AWS IP, Germany “3.70.39.23” . According to the Google Cache entry the server was exposed at least up to 27th of September 2021 likely some time before that date, possibly after the 2nd of October 2021. 

How are we sure that this cache entry is the Midas blog web-server? 

It could very likely have been another server if Selectel reprovision hostnames. The evidence contained in the server-status client requests for the Becquerel host cache page are unique to the files found on the current Midas blog. 

Identical files requested in the Google Cache as what exists on the Midas blog web server

We can say with strong certainty that the cache entry, the clear-web IP and hostname all belong to the Midas web server and that the host is current and operational. 

Linking Midas to Haron and Avaddon

Reviewing the client request on refresh revealed some interesting paths. These paths point to image and file locations. Further investigation of these paths uncovered content that is shared or identical to both the Haron and Midas blogs. 

For example…

Haron test.jpg image

Midas test.jpg image

Artist: https://twitter.com/JarekMadyda

Midas Victim file [redacted]

Identical victim file on the Haron web server

Midas Mess directory

Mess directory

Identical but older Mess directory on the Haron web server

Haron mess directory

There is significant cross referencing between folder structures and files to show that the Midas web blog is a copy of the Haron web blog, if we go by the last modified date stamps on all of the files we have been able to observe across both blog sites. 

Not only do the sharing of files and file structure suggest that this is the same group/operator but both web sites have each other’s logos.

Further, we can see logo “development” taking place with logo names such as “newlogo2.png” and “finalLogo.png”. We propose it would be very unusual for one seemingly competing group to have another group’s logo on their web server and indeed for them to have each others!

The curious case of Avaddon

On the topic of logos. Investigation showed that both Haron and Midas contained the logo file for Avaddon Ransomware group:

There were rumours that not only Haron / Midas were the same group but that there were links with Haron to Avaddon.

Forum post on the Dublikat (Duplicate) dark web forum:

“Haron is built on code copied from other ransomware. So, the researchers noticed the following “parallels”: to create binaries, Haron uses the old ransomware builder Thanos; The ransomware site, where victims are asked to negotiate and pay the ransom, is almost identical to Avaddon’s site (as is the site for leaking stolen data); the ransom letter contains large snippets of text copied from a similar Avaddon note; Haron’s server contains icons and images previously found on the official Avaddon website. What all these similarities are connected with is still unclear. The researchers believe that the Haron operators may have hired one of the former Avaddon members, but they clearly did not have access to the source code of the Avaddon ransomware.”

Translated.

We are now able to shed a bit more light on this forum post. It would seem that not only did Haron share resources, images text and icons but so does Midas now too, since it is just a copy of the Haron blog.

Although Avaddon is now defunct and their onion address is no longer valid we’ve been able to extract a html cache of their page from our index. 

Making minor changes to the HTML code, to refacing the Midas and Haron onion address we’ve effectively been able to “resurrect” the old Avaddon website.

Minor html updates to the Avaddon historic html source:

These minor updates allowed us to load the html source and have the page render in an almost exact way it would have done in the past.

Avaddon website resurrected loaded locally from a file:

And this is because the file and folder structure of the Haron / Midas websites still contain the original logo CSS and other content that were made for the Avaddon ransomware group website.

We are therefore able to put forward the claim supported by the evidence in this article that all previous suggestions that these groups were interlinked do appear to be correct.

We’ve confirmed the following Clear Web IPs for both Haron and Midas, both hosted by Selectel Russia:

45.146.164.58 – Midas

45.93.201.176 – Haron

This proves our assumption that the blogs are hosted on separate VMs both hosted at Selectel.

"MI6"/
Opinion

MI6 to work with more tech companies

In his first speech as the new MI6 boss, Richard Moore has made it very clear that they need to work with innovative technology companies to help protect the UK in the future. He spoke at The International Institute for Strategic Studies today.

“I cannot stress enough what a sea change this is in MI6’s culture, ethos and way of working, since we have traditionally relied primarily on our own capabilities to develop the world-class technologies we need to stay secret and deliver against our mission”.

Guardian
Richard Moore

He emphasised how we are living through times where adversaries are feeling emboldened and have greater than-ever resources. He said how our world is being transformed by digital connectivity, increases in data and computer power.

He said he is paid to look at the threats and he said that the cyber attacks are growing exponentially.

His mission as Chief is to oversee the modernisation of MI6 and investing in the skills that they need in the digital age and partner with the right people and companies to help them stay ahead of our adversaries.

What we do here at SOS Intelligence, Dark Web Threat Intelligence plays a small, but important role in enabling companies and organisations to monitor what is happening on the Dark Web.

Focus on cyber threats

MI6’s focus on cyber threats is nothing new. They explicitly list this on their website:

The world increasingly interacts digitally through cyber space. Alongside the many benefits, it leaves individuals, organisations and governments open to cyber risks. These include the possibility of hostile cyber intrusions or attacks against the UK and the UK’s interests. The National Security Strategy identifies this as one of the four main areas of security risk to the UK.

Working as part of a cross-government effort, including GCHQ and it’s National Cyber Security Centre (NCSC), MI5 and law enforcement, SIS provides secret intelligence to help protect the UK from current and future cyber threats. These can come from a range of cyber actors, such as malign states, terrorists and/or criminals.

MI6
"Ransomware"/
Ransomware, The Dark Web

Keeping track of the CL0P ransomware group

We’ve been featured again over on ITPro. This time it’s about the latest CL0P ransomware group and the news that they have been busy compromising Swire Pacific Offshore (SPO). They announced it had fallen victim to a cyber attack with “some confidential proprietary commercial information” along with personal information believed to be stolen.

ITPro. article

Sadly, this is an all to common occurrence and one which is increasing in frequency.

If you are concerned about your cyber security and need to monitor the Dark Web, then please schedule a demo. The best 30 minutes you’ve ever spent cold possibly be a slight exaggeration, but you never know!

You can also follow us on Twitter – @sosintel

Photo by Oxa Roxa on Unsplash.

"SS7
Opinion, The Dark Web, Tips

An investigation into SS7 Exploitation Services on the Dark Web

In this latest investigative article we will be taking a look at alleged SS7 exploitation services on the Dark Web and diving into their credibility using our SOS Intelligence analytics toolkit.

If you don’t want to miss the latest post, then please sign up to our newsletter here.

SS7 Significance &  Background

Signalling System 7 is a telecommunications protocol adopted internationally that defines how the network elements in a public switched telephone network (PSTN) exchange information and control signals.

The signalling transport (SIGTRAN) protocols proved interoperability of SS7 signalling to operate over IP based networks. This enables PSTN services to operate analogue telephone systems and modern IP network equipment. SIGTRAN uses its own Stream Control Transmission Protocol (SCTP) as opposed to TCP or UDP (Transmission Control Protocol or User Datagram Protocol)

With the flexibility of SIGTRAN operating over IP this has given rise to the commoditisation of SS7 access through SS7 gateways, that bridge TCP based service such as VoIP, SMS gateways etc. providing interconnectivity through to SS7 Link providers. 

SS7 offers the following key services (but not limited to):

  • Call set up, routing and tear-down
  • Caller ID
  • SMS
  • Mobile phone roaming and tracking
  • Call forwarding 
  • Voicemail and call waiting 
  • Conference calling

The primary security defence of a SS7 network is that it is a closed system, no real message integrity or security exists and therefore messages transmitted across the SS7 network are easily intercepted or forged. End users, even SMS gateway providers do not have access to it.

However, given the feature rich tooling of SS7 it is ripe for abuse and a target for not only government run intelligence agencies but also organised crime groups that operate partly or wholly in the cyber domain, therefore access to SS7 is a sought after wildcard for any criminally minded hacker.

SS7 enabled crime and abuse

There are a number of significant abuses of SS7 that are possible with a compromised gateway or with clandestine access to a SS7 network.

We will discuss some of the SS7 enabled abuses as an overview. Please read on!

SMS 2FA Interception

SS7 plays a part in the transportation of SMS messages. An attacker may be able to register a victims MSISDN (mobile number) on a fake MSC (Mobile Switching Centre), the victims operator’s HLR (Home Location Register) that works as a kind of telephone directory for MSISDNs, operators and SMS service centres (SMSC) will set the new location for the Victim’s MSISDN.

When, for this example the victims Bank sends them a 2FA authentication token the MSC transfers the SMS to the SMSC the real MSMSC asks the victims opeartor’s HLR for the victims location, the HLR replies with the attacker operated MSC. The real operator’s SMSC transfers the SMS to the fake MSC operated by the attack.

Therefore the attacker is able to obtain the original 2FA token and respond to the victim’s Bank authentication prompt.

Call Intercept 

Likewise a similar attack is possible with Call interception where an attacker can using the first part of the spoofing process redirect a victims call to a VoIP provider or their own IP-PBX (for example Asterisk) and handle the call much like any VoIP call.

This attack can also surface in other ways, such as WhatsApp and other ‘end to end’ encrypted messaging services where the attack may be able to redirect WhatsApp enrolment to another device and intercept, by redirecting messages to their own attacker controlled phone.  

SMS Spoofing

By far the simplest of attacks and an attack that doesn’t require direct SS7 access is the spoofing of SMS messages to a sender. Most are unaware that the “from” part of a SMS message has no authentication and can easily be spoofed, in fact the SMS sender can put any alpha numeric word in the “from” of an SMS message. 

SMS spoofing attacks can be easily and cheaply performed by obtaining access to an SMS gateway service (on the clear web). Nearly all of the ones that SOS Intelligence were able to asses appeared to have no abuse monitoring or prevention. It is therefore possible to very easily and cheaply (in some cases for free) send a spoofed message much like a phishing email to a victim and prompt a call to action. 

Location Tracking

There are a number of free or paid for clear web services that allow some basic HLR lookup services, none of these services necessary provide an exact location fix of a Mobile Subscriber however they do in part allow some one to see if a MSISDN is roaming, assigned to its home operator, active or deactivated. 

Within the SS7 network of a network operator it may be possible to request the LAC (Location Area Code) and Cell ID and with that information get a reasonably good location for a victim. However, this may require the prior knowledge of the subscribers IMEI (International Equipment Identity) or and IMSI (International Mobile Subscriber Identity) – A MSISDN alone may not be sufficent to be able to query this information. However, a LHR lookup may provide an attacker with an IMSI.

It understood that it is fairly common and universal for an operator to provide specific LAC/CID, information to a GSM MAP (Mobile Application Part) message where an attack could send a “provideSubscriberinfo” message asking for the subscribers location and spoofing a SMSC. The LAC, CID and other information can then be looked online for example using Ofcoms website or service such as cell mapper.

cellmapper.net tower locator

It may be possible to automate the process of mapping LAC/CID [along with MCC&MNC information] to a geographic location such as with joining together of services provided by cellmapper.net for example. 

Availability and Legitimacy of SS7 hacking services on the Dark Web

With the initial introduction to SS7 background and the significance of hacking SS7 out of the way lets start by taking a look into what SS7 hacking or exploitation services are available on the Dark Web. 

If we start off with using our DARKSEARCH too and searching for SS7 in page titles across the last year of our index we see some 84 unique onion domains. 

SS7 Title Search

Narrowing down on only onions that we’ve seen to be up recently further reduces our results to a manageable amount.

Key providers of alleged SS7 exploitation services

It would appear that there are a few main key providers of alleged SS7 exploitation services. 

1) SS7 Exploiter 

64n64bh345yszlrp3diytow33gxzriofaii72lsiiq4uh4laqgddvyad.onion 

vif4nngqgrdzjk7oavtolvw4uxhtzepog2y7piudinkjovhnnhav2pid.onion 

xpll5hy2jlze25w2.onion 

Services Offered:

  • Get Location 
  • DoS subscriber 
  • Intercept calls 
  •  Intercept SMS 
  • Spoof call/SMS 
  • Manage subscription 
  • Voicemail settings 
  • Upload SIM toolkit 

2) SS7 ONLINE Exploiter

3zx4rwy3izy2zhywz2vm5krc2zqmrahc7sv7ps2ekqvfxv62skueruid.onion 

 Services Offered:

  • Get Location 
  • DoS subscriber 
  • Intercept calls 
  • Intercept SMS 
  • Spoof call/SMS 
  • Manage subscription 
  • Voicemail settings 
  • Upload SIM toolkit

3) SS7 Hack

ss7hxvtum6iyykshcefjmm5pvb2y3lsvcfh2lzml2vtdhqlseqhqnpqd.onion/ 

ss7hfyqn7fv7kjs7.onion 

Services Offered:

  • SMS Intercept
  • Call Intercept and Redirect
  • Location Tracking

Services appear to be offered on time bases (1 day, 7 days, 30 days)

SS7 Hack

All onions associated with this provider appear to be offline at time of writing. All information of this service is gained from the historic SOS Intelligence Dark Web index.

4) Dark Fox Market

darkfoxt5pv4gjak.onion/index.php/product/ss7-software/

http://darkfoxikqntsbpi4olzks26o5ejvej7lhy3mxhfltonbh2k2wrlumad.onion/ 

Services Offered:

  • SS7 Bypass 2FA (SMS Intercept)
  • SS7 Call Intercept 
  • SS7 Location Tracker

Lets dig into these and see what we can find. 

Looking at the “SS7 Exploiter Dashboard” service 

 SS7 Exploiter Dashboard

The oldest reference we have in our index, from June 6th 2020, we see that the HTML source of that page appears to have been Mirrored using HTTrack (A common website mirroring tool used by ‘419’ Advance Fee Fraud scammers) on the 14th of May 2019 mirroring another domain, xpll5hy2owj4zj22.onion 

  HTTrack Mirror of xpll5hy2owj4zj22

and likewise the other domain for the SS7 Exploiter Service: 64n64bh345yszlrp3diytow33gxzriofaii72lsiiq4uh4laqgddvyad.onion 

Appears also to have been a copy of xpll5hy2owj4zj22.onion 

This then leaves the SS7 ONLINE Exploiter an almost identical looking website, as the SS7 Exploiter Service but without the Demo Video 

 We see that this page has a contact email address of “[email protected]

But these pages have no HTTrack comments in them, suggesting that they may be the original pages and that the “SS7 Exploiter – Dashboard” are copies.

SS7 Exploiter Dashboard

We can use our dark web email search API to locate any reference to that email address across the dark web

So far we only see one result.

Email Dark Web Search API

It would appear that the “SS7 ONLINE Exploiter” services came after SS7 the cloned “SS7 Exploiter” and may in fact just be clones of a clone with the HTTrack parts stripped out and  demo video link removed and with the contact email address added.

SOS Intelligence DARKMAP tool

Using our DARKMAP tool we see the xpll5hy2jlze25w2.onion website on the very edges of the Dark Web with no known links in or out.

 Dark Map location of  xpll5hy2jlze25w2.onion

However, the identical copy of the website but under the 64n64bh345yszlrp3diytow33gxzriofaii72lsiiq4uh4laqgddvyad.onion address we see in a much more central part of the Dark Web:

Dark Map location of 64n64bh345yszlrp3diytow33gxzriofaii72lsiiq4uh4laqgddvyad.onion

And we see it with 3 inbound links 

inbound Links from:

sz5h6tiqkdkfl55qa3kcxgzck3xeffo6cso7sjpc7hc7sr3vghdyicqd.onion “The Dark Web Links Directory

linkdir7ekbalksw.onion  “The Dark Web Links Directory v2 Onion Address

toponiibv4eo4pctlszgavni5ajzg7uvkd7e2xslkjmtcfqesjlsqpid.onion “Hidden Link Directory

 Dark Map 64n64bh345yszlrp3diytow33gxzriofaii72lsiiq4uh4laqgddvyad.onion inbound Links

SS7 Hack

As for the SS7 Hack service. This too appears to have been a copy clone, this time of a clear web website www[.]ss7[.]dev made on Friday the 18th 2021

 HTTrack clone of ss7.dev website

Indeed, both of the “SS7 Hack” websites appear to be identical 

Dark Map location of SS7 Hack

SS7 Hack has one inbound link from:

e6wzjohnxejirqa2sgridvymv2jxhrqdfuyxvoxp3xpqh7kr4kbwpwad.onion  “TorNode – Onion Links Directory “

On the cached front page of SS7 Hack website we find an email address and as before using our Email Search API we see there are 3 results, 1 being a Tor Search service and the other two being the SS7 Hack website duplicates. 

[

    {

        “created_at”: “Mon, 22 Feb 2021 16:30:49 GMT”,

        “description_json”: {},

        “hostname”: “searchgf7gdtauh7bhnbyed4ivxqmuoat3nm6zfrg3ymkq6mtnpye3ad.onion”,

        “is_up”: false,

        “language”: “en”,

        “last_seen”: “Sat, 09 Oct 2021 08:42:11 GMT”,

        “portscanned_at”: “Tue, 23 Feb 2021 02:59:20 GMT”,

        “powered_by”: “”,

        “server”: “nginx”,

        “ssh_fingerprint”: null,

        “title”: “The Deep Searches”,

        “url”: “http://searchgf7gdtauh7bhnbyed4ivxqmuoat3nm6zfrg3ymkq6mtnpye3ad.onion/”,

        “useful_404”: true,

        “useful_404_dir”: false,

        “useful_404_php”: true,

        “useful_404_scanned_at”: “Wed, 29 Sep 2021 18:15:38 GMT”,

        “visited_at”: “Sat, 09 Oct 2021 08:43:37 GMT”

    },

    {

        “created_at”: “Fri, 25 Jun 2021 21:19:08 GMT”,

        “description_json”: {},

        “hostname”: “ss7hfyqn7fv7kjs7.onion”,

        “is_up”: false,

        “language”: “en”,

        “last_seen”: “Tue, 07 Sep 2021 19:02:07 GMT”,

        “portscanned_at”: “Tue, 29 Jun 2021 18:23:08 GMT”,

        “powered_by”: “”,

        “server”: “Apache”,

        “ssh_fingerprint”: null,

        “title”: “SS7 Hack – SMS Intercept – WhatsApp, Telegram, GMAIL, Facebook, Instagram, Twitter, Phone Tapping, Call, Tracking.”,

        “url”: “http://ss7hfyqn7fv7kjs7.onion/”,

        “useful_404”: true,

        “useful_404_dir”: true,

        “useful_404_php”: true,

        “useful_404_scanned_at”: “Mon, 06 Sep 2021 17:46:32 GMT”,

        “visited_at”: “Wed, 06 Oct 2021 15:28:34 GMT”

    },

    {

        “created_at”: “Tue, 05 Oct 2021 21:35:23 GMT”,

        “description_json”: {},

        “hostname”: “ss7hxvtum6iyykshcefjmm5pvb2y3lsvcfh2lzml2vtdhqlseqhqnpqd.onion”,

        “is_up”: false,

        “language”: “en”,

        “last_seen”: “Fri, 15 Oct 2021 21:21:48 GMT”,

        “portscanned_at”: “Wed, 06 Oct 2021 02:31:26 GMT”,

        “powered_by”: “”,

        “server”: “Apache”,

        “ssh_fingerprint”: null,

        “title”: “SS7 Hack – SMS Intercept – WhatsApp, Telegram, GMAIL, Facebook, Instagram, Twitter, Phone Tapping, Call, Tracking.”,

        “url”: “http://ss7hxvtum6iyykshcefjmm5pvb2y3lsvcfh2lzml2vtdhqlseqhqnpqd.onion/”,

        “useful_404”: true,

        “useful_404_dir”: true,

        “useful_404_php”: true,

        “useful_404_scanned_at”: “Thu, 07 Oct 2021 23:26:02 GMT”,

        “visited_at”: “Tue, 26 Oct 2021 21:19:15 GMT”

    }

]

The clear web “original” website appears to have almost identical services and pricing:

Screenshot of the “original” website.

This supplier boasts a good reputation rating on securedhacks.com

Secured Hacks

DarkFox Market

They appear to have a fairly e-commerce style webpage, payment is in either Bitcoin or Monero.

DarkFox Market appears to be a more “holistic” hacking service provider, offering a wider range of non SS7 services from DDoS to Ransomware As a Service. 

The check out process requires you to enter your “victim’s” Phone number.

In terms of inbound and outbound links the DarkFox Market website has the most out of all the services seen so far,

DarkFox DARKMAP links

Inbound Links from:

uprb6pfh6yslgecvrx7w4kcsqyxrox26yt4sap5m4sdkvirmsmkroyad.onion “Dark Web Forums –

dwforumsmrcqdnt3.onion “Dark Web Forums 

searchgf7gdtauh7bhnbyed4ivxqmuoat3nm6zfrg3ymkq6mtnpye3ad.onion “The Deep Searches

Outbound Links to:

hackerss4ptfozouwjix72eh2y7cu2v72nz57c4myjdceejqfwnz3zyd.onion “DSM Hackers – All Hacking Tools And Services In One Place

The Proof videos on the DarkFox Proofs page for “Telegram hacking” show an SMS Intercept video. Part of this video actually shows a web portal similar to what’s shown on the SS7.dev “SS7 attack demos” web page! The video is actually stolen content from a journalist who wrote an article on this very attack back in June 2016, with the video along with a WhatsApp hack video uploaded originally in May 2016.

DarkFox Video

Original Youtube Video https://www.youtube.com/watch?v=dkvQqatURdM&t=1s

www[.]ss7[.]dev video analysis

Although not on the Dark Web the ss7.dev website carries probably the most ‘credibility’ out of all of the SS7 hacking services on the Dark Web. 

The SS7.dev proof videos show web pages that look extremely similar to that of the original demo hack videos from 2016, with a distinctive “superman” SS7 logo however, the page background is white rather than a light yellow

 

ss7.dev proof video uploaded 2nd August 2020

In one of the tabs from the proof video we see an open page to the DSM Hackers forum

Proof video tabs

We know that this was one of the outbound links from the DarkFox market, although this could be coincidental, we are not quite sure of the relevance for the Moscow local time web page tab.

In the SS7.dev service demo video, the first 6 minutes are spent showing how to set up an account and pay for the services.

The most unconvincing of all the services, “SS7 Exploiter ” has to no surprise one of the most unconvincing demo videos. Like the SS7.dev, it spends the first nearly 3 minutes out of 5:23 showing how to buy bitcoin and pay for the service. 

It then shows what is meant to be the supposed “SS7 Exploiter” CLI interface.

SS7 Exploiter Demo Video

Note that this version of the web page, at the time of it being recorded does not show a demo video link in the navigation menu on the left hand side.

Note also the Subscription End date “9/03/21 12:00AM GMT”

If the operator purchased a subscription “out of their own pocket” of 1 Month then that would put the recording of the video at around the 9th of February assuming a DD/MM format. 

Assuming a MM/DD format, this puts the recording at around the 3rd of August. The video itself was uploaded on the 16th of October 2021 to YouTube. It is possible that the video was re-uploaded, from an earlier time.

Interestingly looking back on our index history for this onion domain. We first added the domain to our index on the 23rd of July 2020 with pages crawled  on the 27th and 4th of August 2020. 

The demo.html page and link to it from the left navigation menu was only added to our index on the 18th of October 2021, a few days after the video is uploaded to Youtube. 

With the entire website being originally mirrored by the HTTrack tool on the 13th of May 2019

Conclusion

There appear to be 4 main alleged SS7 Hacking/Exploitation services on the Dark Web, with one “SS7 Hack”, a clone of a clear web website “SS7.dev” being completely offline. 

The other service appears to be a clone of another almost identical website offering a highly suspicious SS7 Exploiter service

With the last, DarkFox Market that offers more than just SS7 services showing nothing more than already stolen / faked videos. 

With ironically the most ‘credible’ of all a clear web website, ss7.dev shows what appear to be spoofs / copies of SS7 hacking demos that were originally uploaded to YouTube back in May 2016.

Like most things on the Dark Web that promise a lot they are very likely all fake money making schemes for some one who is benefiting from all of those who failed to do even the smallest amount of due diligence, as they say Caveat Emptor. 

Are there genuine SS7 hacking services on the Dark Web? 

Most likely, but they are more than likely to be hidden behind membership only hacking services advertised by individuals for a very short period of time, an example of some posts related to SS7 hacking from our intelligence collection service:

SOS Intelligence posts on SS7

In any case it is very unlikely to find a long lived actual openly advertised service offering compromised SS7 gateway access 

It would seem that there is a lot of interest in SS7 exploitation services but not a lot of genuine providers.

Exploit.in post about SMS OTP Interception

Of all of the fairly openly advertised services, clear web or dark we strongly believe to be complete fakes.

How much money could they have made?

Using the advertised bitcoin wallets and assuming they are not changing wallets with each transaction we can look at the Bitcoin blockchain explorer to see exactly when and how much bitcoin was sent these wallets

http://64n64bh345yszlrp3diytow33gxzriofaii72lsiiq4uh4laqgddvyad.onion/balance.html

3Dw3ZFDjVFCwn1siatB53ZbX2rWx7bYdaW

2x Transactions $159.62

http://vif4nngqgrdzjk7oavtolvw4uxhtzepog2y7piudinkjovhnnhav2pid.onion

38AFU5YCK8bjiNwoyRroGfLZbf4Tuh6a62

1x Transaction $10.09

DarkFox

It would appear that DarkFox e-commerce shop assigns a bitcoin wallet at time of transaction. It is difficult to tell if a wallet contains transactions specifically for SS7 hacking or other services. Upstream review of outbound transactions from these wallets reveal fairly large transactions suggesting that DarkFox is doing a reasonable amount of business.

1KU6c4ZuARpgypNMAdB4yDBxB873Yj5Bm8

2x Transactions $180.03

1DWX6ThGfVN8VNJiJPNhJiRjtXTxVFFvEf

4x Transactions $779.55

1CKvtyULCbf9iAeaxt7iuBSN7gChxcqqnz

2x Transactions $140.23

1MHXKbrCnBRQXTT5BTTJhLusGTQcxXNpmz

2x Transactions £319.50

http://3zx4rwy3izy2zhywz2vm5krc2zqmrahc7sv7ps2ekqvfxv62skueruid.onion/balance.html

3Qp7cTaLm2hnzsx8fYaTM76GWynM1YMZ4d

1x Transaction $389.57

32Gbi2p66PdyzZXpW2VxHk8jrWaCtBRcz7

No Transactions.

Featured image Photo by Mario Caruso on Unsplash

"SOS
Product news

We are on the Cyber Runway

Plexal has announced the 108 cyber startups joining the Cyber Runway accelerator and we are delighted to have been chosen!

Cyber Runway is the UK’s most diverse community of cyber founders and entrepreneurs.

Cyber Runway has been designed to address some of the biggest challenges facing cybersecurity, such as diversity and inclusion and regional representation, and support the most promising innovators at various stages of growth. 

The full membership list confirms that Cyber Runway will not only be the largest cyber startup accelerator in the UK, but the most diverse community of cyber founders in the country. 

The cohorts are solving challenges like ransomware, cyber fraud, cyber-physical threats to critical national infrastructure, cloud security, improving threat intelligence and boosting education using emerging technologies such as AI, quantum and cloud security. 

45% of Cyber Runway members are female-led startups and 52% are run by founders from black, ethnic or minority backgrounds.

You can see a list of Grow members including us here.

Plexal has ensured inclusivity is at the heart of Cyber Runway by including under-represented groups in the design and delivery of the programme. Members will also have access to a diverse mentor pool of investors and industry experts. 

50% of member companies are based outside of London and the South East of England. From Ashford to Yeovil, members and their teams are based across the country and Cyber Runway will be delivered in person and virtually to maximise nationwide reach.   

The Cyber Runway membership represents some of the most innovative and high-potential cyber startups currently operating in the UK. Members include scaleups such as CybSafe, which raised £5m earlier this year for its security awareness software, SECQAI, which uses quantum technology and AI to combat cyber threats, Yorkshire-based Bob’s Business, which delivers cyber training, insurtech startup Regulativ.ai, which aims to disrupt cyber regulatory compliance, and Hack The Box, which raised £7m in April for its online cybersecurity training platform.

Member

Cyber Runway programme

Backed by the Department for Digital, Culture, Media and Sport and delivered by Plexal in partnership with CyLon, Deloitte and CSIT (the Centre for Secure Information Technologies), Cyber Runway will be an intensive six-month programme. Three distinct streams will deliver dedicated curricula for cyber startups based on their growth phase: Launch, Grow and Scale. 

Launch: 20 entrepreneurs will get support with launching their business, building a minimum viable product and creating a network. 

Grow: 68 startups and SMEs will get business support to help them address their growing pains, access funding and achieve commercial success. 

Scale: 20 scaleups will access support (including 1:1 mentoring) to help them grow rapidly in the UK and around the world. 

Cyber Runway has replaced and consolidated three DCMS-funded programmes: HutZero, Cyber 101 and Tech Nation’s cyber accelerator for startups. 

The accelerator is designed to strengthen the UK’s cyber ecosystem and accelerate the growth of a new generation of breakthrough cyber startups to improve national security, stimulate innovation and drive economic growth. 

Cyber Runway: member benefits

The 108 member companies will receive:

  • business masterclasses (both virtual and in person)
  • mentoring, engineering support from CSIT and access to CSIT’s data and testing centre
  • technical product development support
  • opportunities to connect with international cyber hubs 
  • regional events 
  • connections to investors and corporates to fuel growth

“We are delighted to have been selected to be a part of the Cyber Runway accelerator programme, we are excited to be participating in the excellent programme and to network with fellow cohorts. The Plexal team has put a lot of hard work into the programme and it shows. Many thanks to the team for making us feel so welcome.”

Amir Hadzipasic, CEO and Founder SOS Intelligence

“This is a golden age for the UK cyber startup ecosystem. Cyber startups are attracting record levels of investment and both the government and global tech giants are coming to British cyber companies to adopt emerging cyber technologies. The scale of Cyber Runway is testament to the enormous potential within the cyber startup community and will help stimulate the supply of innovative cyber solutions that will be needed by the economy and society. 

However, Cyber Runway is also specifically designed to address some of the challenges facing cyber startups as they scale. Our three programmes will connect cyber founders to the mentors, investors and corporates they need to accelerate their growth and access diverse talent. This is a significant moment for UK cyber and I have every confidence that the collaboration between the government and the private sector to create Cyber Runway will make the cyber ecosystem more successful, innovative and inclusive.”

Saj Huq, director of innovation at Plexal.

For more information on SOS Intelligence, please schedule a demo here.

"Stop
Tips

New 159 Fraud Number launches

A new service launched today aimed at helping prevent what is sadly a growing menace – scam calls and people being defrauded.

People who think they are being defrauded on the phone are encouraged to stop, hang up and call 159. Any real bank or person will not mind you doing this. A scammer *will* mind and will always try and keep you on the phone.

It has been launched in conjunction with a number of major banks and phone service providers, including HSBC, Barclays, BT and Kcom.

A growing threat

Scams and financial fraud are increasing at an unprecedented rate. They have become a fast-moving and industrialised business.

Criminals stole over £1.26bn through fraud and scams in 2020. There were over 80,000 instances of fraud reported by UK telecommunications companies in 2019 as well.

The challenges presented by the COVID-19 pandemic have presented new opportunities for scammers to exploit. There were 149,946 reported Authorised Push Payment scams in 2020 – up 22% from 2019. These are scams where victims are conned into making a payment to a scammer who has posed as genuine and gained their trust. These scams often use legitimate platforms to reach victims, borrowing the credibility of the platforms and services they abuse.

Banks and financial institutions are making great efforts to stops frauds and scams. In 2020 that they stopped £1.6bn of attempted unauthorised transactions.

Stop Scams UK website

Having listened to a number of features about this on the radio today, it is always deeply troubling to hear about people losing money to scammers and fraudsters.

People think that they will be clever enough or switched on enough to know when it is happening to them, but in a lot of cases, the criminals are being incredibly devious and can trick you into transferring money.

In one instance, the scammers pretended to be not only the bank, but also the bank’s fraud prevention team PLUS sent official looking text messages at the same time from a spoofed number.

How does the new number work?

If you think someone is trying to trick you into handing over money or personal details…

…Stop, hang up and call 159 to speak directly to your bank.

Last year criminal gangs stole over £470m by pretending to be your bank or other service provider.

159 is the memorable, secure number that contacts you directly to your bank if you think you’re being scammed.

159 works in the same way as 101 for the police or 111 for the NHS. It’s the number you can trust to get you through to your bank, every time.

159 will never call you. Only a fraudster will object to you calling 159.

How does 159 work?

How SOS Intelligence plays a part in preventing fraud

SOS Intelligence provides Real Time Threat Intelligence for everyone. We are not connected with fighting scam phone calls directly but we are actively fighting fraud online with our service.

Often scam callers use details they may have obtained online, often from breaches of popular services which are then sold on the Dark Web. We monitor keywords, key phrases and email addresses in realtime on the Dark Web and offer a free option to monitor an email address you use when signing up. As a result, you get alerted when your data / email address is out there on the Dark Web.

Sadly businesses and organisations don’t know until too late when their data has been compromised. We prevent that from happening.

It’s really good to see this new service launch.

"Cyber
Product news, The Dark Web

Automating Cyber HUMINT Collection

This blog post will attempt to give a high-level overview of how we go about automating typically manual Cyber HUMINT ( “a category of intelligence derived from information collected and provided by human sources.”) collection. 

Significant elements of this blog will have to be described in general, non-specific, terms or redacted. Due to the nature of the work that we do, keeping our tradecraft methods, tactics and techniques private is important. The methods employed by us are not only commercially sensitive but over disclosure of specific details may render the methods ineffective.

Automating Cyber HUMINT Collection - SOS Intelligence
Screenshot of SOS Intelligence showing OSINT search

OSINT Source Selection

OSINT source collection SOS Intelligence
OSINT source

A fair amount of thought and research goes into selecting our OSINT (Open Source INTelligence) sources. For the most part, ideal collection sources would be ones that offer an API (Application Programming Interface) for information scraping and do so without significant restrictions. 

For example, Pastebin with a paid account grants access to a reasonable scraping API. Using this API we’ve been able to create a custom collection to download each paste, analyse it for relevant customer keywords and, if any matches found, store the paste & alert our customers.

In most cases, however, paste sites typically have no available APIs. Where these sites have a rolling list of new pastes posted, and those pastes can be enumerated & are publicly accessible, further development of a custom collection is required. 

An automated process is used to periodically check for new and available pastes, fetch those pastes in a raw format where possible, perform keyword matching and store where needed. A significant number of paste sites that we collect from, either on the internet or Dark Web, fall into this category. Generally there are no significant technical challenges other than the creation of a bespoke collection for each specific source type.

SOS Intelligence
URL code

As a general rule, for websites that do not have any specifically designed automated collection or scraping method, we apply a high degree of courtesy and do not aggressively scrape the site. 

Since the paste enumeration and paste collection is a fairly lightweight process, and given that pastes in general are uploaded every so often, there is no need for any aggressive polling of a target site.

SOS Intelligence
Lightweight and courteous collection

Authenticated Access

Member only Dark Web Forum
Member only forums

Some of the sources we collect from are closed, member only, Dark Web or internet hacking forums. Without going into too much detail as to how accounts are created on these forums, an account is essential since we must be able to access topics and posts as well as a roll of recent posts. 

In most cases forums helpfully provide a feed of new content by way of RSS (Really Simple Syndication) feed. This can in part, like an API, assist in the creation of a custom automated collection for that source. An additional caveat to this being that the collector passes credentials to the forum so as to appear to be a “logged in” user, e.g. simply viewing posts or browsing the forum. 

A good 30% of all the OSINT sources we collect from are authenticated. To maintain continuous automated collection, we ensure that we have a sufficiently well stocked array of back up accounts for each of the forums we collect from.

Bot Protection Bypass

In some cases the sources we collect from deploy DDoS or Bot Protection. The purpose of this is typically not to prevent scraping or automated collection but more to prevent the site from high volume denial of service attacks. 

The bypass for this defence varies depending on the source. In some cases, for example collection from Doxbin, we employed a CloudFlare challenge bypass method that essentially consists of:

  • Detecting the browser challenge.
  • Solving the challenge.
  • Passing the challenge answer back and obtaining a cookie.
  • Passing the cookie over to the collection processes to begin automated collection. 
  • Detecting when the cookie expires, ensuring any further challenge request are solved.
CloudFlare challenge bypass method
Bot Bypass
CloudFlare challenge bypass method
CloudFlare challenge bypass method

Even when fairly advanced bot/browser verification defences have been deployed by the target source, these have thus far all been mitigated and not prevented our automated OSINT collection. 

As for the Doxbin example, the challenge of bypassing their new bot protection was significant and on balance, considering the quality of the OSINT source, might not have been warranted. It was, however, still a challenge that couldn’t be left unmatched! 

CAPTCHA (Human Verification)

Raid Forums CAPTCHA
Raid Forums CAPTCHA

Automated solving of CAPTCHAs is tricky and is probably the toughest bypass we’ve had to solve so far. The amount of detailed technical information that we can share for how we go about bypassing CAPTCHA is very limited. However, it runs along similar lines to the browser challenge process, whereby detection of a CAPTCHA and the solving of it are tied into the automated collection functions. 

So far there are very few OSINT sources that employ this type of challenge and we’ve been able to mitigate these in all cases whilst maintaining automated collection.

Old school CAPTCHA
Old school challenge!

Staying Undetected

As with the above topic, it is tricky to discuss and share in any level of detail our methods for remaining “undetected“. However, in general we ensure that the accounts we use do not raise any significant cause for concern to the forum operators. 

In most cases, accounts with no post count after a number of months (or sooner!) are deleted. This means that our accounts must have some level of interaction with the forum, however minimal, to ensure their persistence. 

We try, wherever possible, to use Tor to access content. This helps preserve our anonymity in as much as not pinning our collectors down to one location. We also ensure we rotate things like user agents and other fingerprints to ensure relative anonymity. 

Then important aspect to blending in with the noise is ensuring that collection is not overly aggressive and not overly routine. We achieve this by randomising the frequency and timings of either enumeration of new posts, fetching / viewing posts or pastes. The key is to appear sufficiently “human“. This has afforded us the ability, in some cases, to collect with the same account for a year or more without administrator intervention. 

Detecting Faults

This can be even more challenging than bypassing CAPTCHA challenges. The goal for us is to ensure we have sufficiently robust detections for whenever a logged in session expires; a challenge pass expires; the very likely and common scenario of an overloaded website itself going offline or a Tor circuit is struggling. 

To ensure the best chance of successfully reaching a website over Tor, we employ a number of load balanced Tor routers that are themselves proxied and balanced to cater for our crawling services and automated collection. 

But things do go wrong, Tor is not the most reliable tool so our collection processes that utilise it have sufficient retry intervals and “back-off” intervals programmed into them. Should one of our requests result in a gateway time out the system will simply retry, hoping it is balanced to a less utilised Tor relay. 

At times we do get detected and blocked by forum administrators. In such instances, the system will attempt to detect any “authentication loops” and select another account to continue automated collection with. 

Some of the fault detection is relatively simple, such as enumerating how many pages a collection source has and iterating through each page until all pages have been collected.

SOS Intelligence Cyber HUMINT
Collection source
SOS Intelligence Cyber HUMINT
SOS Intelligence Cyber HUMINT

The process is not always perfect, but we try to monitor it and optimise wherever possible. We spend a lot of time on the initial development phases of a collection ensuring that all possibilities, within reason, are accounted for and once a collection goes into production that any following “cat and mouse” changes required are as minimal as possible. 

We hope this gives an insight into how SOS Intelligence works. We have a number of plans available and if you would like to schedule a demo, please click here.

Thanks for reading!

Amir

PS If you enjoyed this, we think you also enjoy An investigation into the LinkedIn data sale on hacker forums.

"SOS
Opinion

SOS Intelligence featured on BBC website

The headline is a scary one, but absolutely accurate.

How your personal data is being scraped from social media

Joe Tidy, Cyber security reporter, BBC News

Joe Tidy recently got in touch after we published our blog post last week, An investigation into the LinkedIn data sale on hacker forums.

We spoke at length about the data sale and the conflicting theories of how it was sourced. Joe has now written up his news article which you can read here and where we were featured.

The chief executive and founder of SOS Intelligence, a company which provides firms with threat intelligence, Amir Hadžipašić, sweeps hacker forums on the dark web day and night. As soon as news of the 700 million LinkedIn database spread he and his team began analysing the data.

Mr Hadžipašić says the details in this, and other mass-scraping events, are not what most people would expect to be available in the public domain. He thinks API programmes, which give more information about users than the general public can see, should be more tightly controlled.

“Large-scale leaks like this are concerning, given the intricate detail, in some cases, of this information – such as geographic locations or private mobile and email addresses. 

“To most people it will come as a surprise that there’s so much information held by these API enrichment services. 

“This information in the wrong hands could be significantly impacting for some,” he said.

Amir Hadžipašić, BBC News

We’d be very interested to speak to anyone who thinks they’ve been impacted by this.

Sadly, the vast majority of people won’t be aware that this can happen and also won’t be aware when a leak occurs. This is precisely where SOS Intelligence comes in.

We offer a free plan for anyone which takes seconds to set up and always monitoring of the email address you use on the Dark Web. What are you waiting for? You can sign up here.

1 2
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Youtube
Consent to display content from Youtube
Vimeo
Consent to display content from Vimeo
Google Maps
Consent to display content from Google
Spotify
Consent to display content from Spotify
Sound Cloud
Consent to display content from Sound