Articles tagged with: SOS Intelligence

Opinion

Why MSSPs need Cyber Intelligence from SOS Intelligence

The Dark Web is a vital source of cyber threat intelligence. Dark Web networks have been used by cyber criminals for more than 20 years, longer than you may think.

They provide a deep insight into the world of online criminals.

For MSSPs and CTI researchers this means the Dark Web must be closely monitored for new and ongoing attacks.

Scouring the Dark Web is no easy task, and very difficult without proper software and a large team of researchers. 

The Dark Web is a vast territory made up of multiple networks using many network protocols for anonymous communication.

The most used Dark Web network, known as The Onion Router or Tor, consists of more than 7,000 relays and 3,000 bridges. This supports a hefty user base of roughly 3 million users. These users use Tor to access one or more of the 40,000 services on the Tor network, transmitting more than 20 terabytes of data daily.

So, the million dollar question is…

How does one index and analyse such a vast network in an affordable and time efficient manner? 

This is where SOS Intelligence comes in. We help MSSPs help businesses and organisations sleep easier at night by providing accessible cyber-threat and dark web intelligence with real time alerting. It’s a highly configurable threat intelligence solution.

Our Dark Web toolkit is capable of indexing the Tor network quickly and efficiently. 
The SOS Intel Dark Web toolkit is a “Turnkey” ready-to-go solution for MSSPs and CTI researchers, offering in-depth data on onion services. 

Our toolkit includes the Tor network mapping tool known as “DARKMAP” plus the Dark Web search tool “DARKSEARCH”. We also have the Open Source Intelligence tool “OSINT SEARCH”. These are accessed via a custom API and a web dashboard where you can manage your alerts and keywords for CTI.

We understand time limitations MSSPs and CTI researchers have. SOS Intelligence’s mission is to provide a service that is both affordable and accessible. Our entire Dark Web toolkit can be set up and configured in mere minutes!

We are your eyes and ears online, even in the darkest places.

Written by Ben Hurst.

Photo by Markus Spiske on Unsplash

CVE Top 10, Product news

Announcing The SOS Intelligence CVE Chatter Weekly Top Ten

Keeping track of the number of CVEs can be a daunting task. We’ve got something that is going to help…

We’ve developed a process which gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

Firstly, what is a CVE?

The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. The system was launched for the public in September 1999.

The system is maintained by the United States’ National Cybersecurity FFRDC, operated by The MITRE Corporation, with funding from the National Cyber Security Division of the US Department of Homeland Security.

What is a vulnerability?

A vulnerability is a weakness in software, hardware or configuration that an attacker can exploit to gain access or capabilities they should not have. Obviously this is less than ideal! What would an attacker do? They could run malicious code or install malware. They could also copy useful data, or delete it.

What is an exposure?

An exposure is different. Rather than a flaw in the software itself, it is a mistake in how a network, system or code base is set up that gives an intruder access to somewhere they shouldn’t be.

Exposures are often simple mistakes: for example a GitHub repository left public, or an Amazon S3 bucket that anyone can read. These can be found by accident and never be disclosed at all. What does happen is that they are found by the kind of people you really don’t want snooping around.

CVE identifiers give each entry a unique name of the form CVE-YYYY-NNNN (the year of assignment followed by a sequence number of four or more digits), so people can refer to a specific vulnerability unambiguously. At the time of writing, there are over 18,800 CVEs listed!

So how are we going to help you keep track of CVEs?

Our process gathers a list of the most discussed CVEs online for the previous week, via our unique intelligence collection pipelines, which include the Dark Web.
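As an added example of the kind of process described above (this is not SOS Intelligence’s own pipeline code, which is not public), the following Python extracts CVE identifiers from collected posts, normalises their case, counts each ID once per post, and ranks the IDs mentioned in the trailing seven days. The posts are a constructed sample standing in for collection output; the cut-off date is passed in so the same code produces each Monday’s list.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# A CVE ID is CVE-<year>-<sequence>; the sequence is four or more digits. Match
# case-insensitively, since chatter often writes "cve-2021-1675".
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

def parse_ts(ts):
    """Parse a collection timestamp such as 2021-06-13T09:12:00Z into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_cves(text):
    """Set of normalised CVE IDs mentioned in one post; an ID named twice in a post counts once."""
    return {f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)}

def weekly_top(posts, as_of, days=7, limit=10):
    """Rank CVE IDs by the number of distinct posts mentioning them in the trailing window."""
    window_start = as_of - timedelta(days=days)
    counts = Counter()
    for ts, text in posts:
        seen = parse_ts(ts)
        if not (window_start <= seen < as_of):
            continue                      # outside the week being reported
        counts.update(extract_cves(text))
    return counts.most_common(limit)

# Constructed sample of collected posts (timestamp, text), standing in for pipeline output.
SAMPLE_POSTS = [
    ("2021-06-13T09:12:00Z", "anyone have a working PoC for cve-2021-1675?"),
    ("2021-06-12T22:40:00Z", "CVE-2021-1675 patched? also watching CVE-2021-31166 on http.sys"),
    ("2021-06-11T08:00:00Z", "CVE-2021-31166 scanner results are in"),
    ("2021-06-10T15:30:00Z", "reuploaded CVE-2021-1675 notes, see the CVE-2021-1675 thread"),
    ("2021-06-09T01:15:00Z", "old but gold: CVE-2017-0144"),
    ("2021-05-20T12:00:00Z", "CVE-2021-22986 still unpatched in the wild"),   # before the window
    ("2021-06-14T03:00:00Z", "CVE-2021-1675 again"),                         # after the cut-off
]

if __name__ == "__main__":
    # Monday 14 June 2021, 00:00 UTC: report the seven days ending then.
    for cve, n in weekly_top(SAMPLE_POSTS, parse_ts("2021-06-14T00:00:00Z")):
        print(f"{cve}\t{n}")
```

Counting distinct posts rather than raw mentions stops one forum thread that repeats an ID in every reply from dominating the list; if your collection records the source, counting distinct sources per ID is the next refinement.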

Every Monday, you’ll see a blog post appear with the latest CVEs which have been discussed the most over the previous 7 days. This is the first one from the 14th June.

If you use RSS (https://en.wikipedia.org/wiki/RSS), then add http://sosintel.co.uk/feed to your reader and you’ll see these automatically.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you spot anything, please let us know: follow us on Twitter @sosintel and send us a DM. Thank you!

We are your eyes and ears online, even in the darkest places.

Investigation

SOS Intelligence analysing Lapsus$ data and breaches

We have been tracking what Lapsus$ have been doing and analysing the data from their latest breaches. As with most hacking collectives, SOS Intelligence has been aware of and tracking the activity of the LAPSUS$ group for some time.

The group has contributed to some high-profile, high-impact breaches in the last few months, using what could be considered fairly “low tech” methods to gain a foothold on their targets. Using our multi-faceted intelligence collection pipelines we are able to keep track of the group’s activities and announcements.

This time the data included a large amount of GitHub source code that appears to belong to Globant, a major company with over 16,000 employees and $1.2 billion in revenue for 2021. It includes a number of repositories that contain “very sensitive information” such as TLS certificate private keys and chains, Azure keys and API keys for third-party services.

TechCrunch have written about this and we were quoted on their article:

SOS Intelligence, a U.K-based threat intelligence provider that analyzed the leaked data, told TechCrunch that “the leak is legitimate and very significant, as far as Globant and Globant impacted customers are concerned.”

Techcrunch, March 30th 2022

Lapsus$ were in the news only days ago, with an Oxford teenager accused of being a multi-millionaire cyber-criminal connected to the group. Joe Tidy has an excellent article on the BBC about what happened and how the teenager was “doxxed”.

ITPro also cover this with comment from ourselves:

“From the paths I have looked at so far it looks like legitimate source code for mobile apps,” said Amir Hadžipašić, CEO and founder of SOS Intelligence to IT Pro. “It looks like there are internal microsites and data for them too, CVs and other personal information.

“That’s not all, they have full private keys for certs in most of the directories,” he added. “That there would be enough for me to stand up a website and serve their SSL and it be valid.”

IT Pro, 30th March 2022

Last but not least, we spoke to Bleeping Computer who have also covered this:

“In terms of legitimacy, going just by volume alone it’s hard to fabricate that amount of data – however samples of the data have been cross referenced with live systems and other methods that show the leak is legitimate and very significant as far as Globant and Globant’s impacted customers are concerned”.

Bleeping Computer, March 30 2022

For any size organisation, we help you sleep easier by giving you real time alerts of key phrases, emails and domains that appear on the Dark Web. For a demo, click here and we look forward to helping you.

Photo by Clint Patterson on Unsplash.

Product news

“Cost-effective and timely threat intelligence”

JISC is the not-for-profit organisation for digital services and solutions for the UK higher education, further education and skills sectors.

They are:

  • Dedicated entirely to the sectors’ individual and collective needs
  • Not a vendor: they deal with and/or work with vendors and publishers on the collective behalf
  • Not for profit: every pound is used for the sectors’ benefit
  • Objective, but not unbiased: they put the sectors’ interests above all else

We are delighted that JISC have chosen to use SOS Intelligence for their threat intelligence and are looking forward to working closely with them in the future.

“SOS Intelligence has provided us with cost-effective and timely threat intelligence. The dark web monitoring and alerting allows us to reassure and help our customers to mitigate potential attack vectors on their infrastructure. The platform is easy to use, with manageable alerting. SOS Intelligence has fantastic customer support and is always meeting our never-ending requirements with feature requests being implemented in record time.”

David Batho, Head of Protective Services at Jisc

SOS Intelligence works with businesses, organisations and MSSPs.

Product news

An essential MSSP Cyber Threat Tool

When we set out to develop and launch SOS Intelligence, we knew that one of our markets was MSSP providers.

As Gartner succinctly puts it, a managed security service provider (MSSP) provides outsourced monitoring and management of security devices and systems. Common services include managed firewall, intrusion detection, virtual private network, vulnerability scanning and anti-viral services.

Increasingly though, it’s all about Cyber Threats and Dark Web Threat Intelligence.

We are seeing more and more interest in what we do, especially real time breach alerting and reputation monitoring, plus the ability for MSSPs to use us on the behalf of their clients.

Our solution is ideal for managing your customer keywords with our bulk management tools, customer alert filtering and sub-customer dashboards. Once your customers are on boarded you can get started adding their monitoring keywords, receiving and responding to alerts and reviewing customer alerting performance.

One of our most recent MSSP clients was kind enough to send us this:

We have been looking for an intelligent and cost-effective means of Digital Risk Monitoring for our clients for a number of months. Having now implemented the SOS Intelligence solution, we are pleased we have explored a white-label service designed for MSSPs to provide digital risk monitoring.

Easy to use, constantly being improved and with terrific support, we are already seeing a steady stream of information which is benefitting our clients.

Director of Services for a UK MSSP

If you work for a MSSP, then please click here now to book a demo.

Photo by FLY:D on Unsplash

Investigation, Ransomware

A Special Investigation exposing a ransomware group’s clear-web IP and their duplicate identities

Intro

Before we dive into this investigation it is worth spending a brief moment describing the Apache server-status page.

The Apache server-status page is a diagnostics and metrics page provided by the mod_status module. When mod_status is enabled and a <Location "/server-status"> block is configured, the page is served on that path; the stock configuration restricts it to requests from the local machine.

The page offers diagnostic information about the Apache service and the requests it is currently handling. With ExtendedStatus on (the default since Apache 2.3.6) it shows the full request line of each in-flight request, together with the client IP address and the virtual host that served it.

Serving this page in production, to anything other than localhost, would be considered an information disclosure vulnerability. It hands an attacker the request line of every request in flight, which means any parameters in a GET query string and the URI of any POST, plus client IP addresses, the server version, uptime and the server’s local time.

In the scope of Tor onion services the situation is worse than it first appears. A HiddenServicePort line in torrc forwards connections from the Tor network to a local address, typically 127.0.0.1:80, so the web server sees every onion visitor as a client connecting from the loopback interface. Any service that relies on the loopback interface being non-routable for its protection, including a server-status page locked down with Require local or Require ip 127.0.0.1, therefore becomes reachable by anyone on Tor.

Locating Onions with Server-Status Pages

We must first export a list of all onions we are aware of that have server-status pages. One of the tasks we perform when crawling an onion service is to identify interesting paths and services. We perform a check for common directories such as server-status along with many others.

This process is identical to a directory enumeration, except for being far more optimised to ensure crawler performance is prioritised.

Therefore, using our path API we are able to query for all onions we have found that are operational and have server-status pages:

server path search for server-status pages API

We find that there are 1,370 results with server-status pages:

Search results JSON export

The next task is to compile a list of all known (relatively current) ransomware blogs. We do this by merging our own lists, those we’ve found via OSINT and other published ransomware group site lists.

Of those we find a total of 71 unique onion addresses; these include v2 and v3 onions.

Now we have a relatively straightforward task of cross-checking our server-status results against this list to see what ransomware group sites have server-status pages, if any.

We do this with a very simple bash script that uses the grep tool:
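The page’s own cross-check was a grep one-liner (the screenshot is not reproduced here). As an added example, not the script SOS Intelligence used, the same cross-check in Python, with one extra step that a grep of raw lines would miss: both inputs are normalised to bare onion hostnames first, so a search hit recorded as a full URL (http://…onion/server-status?refresh=5) still matches a list entry written as a bare hostname, with a trailing path, or in a different letter case. The onion addresses below are constructed placeholders, not the address of any real site.

```python
import re

# v2 onions are 16 base32 characters, v3 onions are 56; both appear in merged source lists.
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.IGNORECASE)

def normalise_onion(text):
    """Return the bare lower-case onion hostname found in a URL, hostname or line, or None."""
    m = ONION_RE.search(text)
    return m.group(1).lower() + ".onion" if m else None

def load_onions(lines):
    """Normalise lines (URLs, hostnames, comments) into a set of onion hostnames."""
    return {o for o in map(normalise_onion, lines) if o}

def cross_check(status_hits, ransomware_sites):
    """Onions present both in the server-status search results and in the ransomware list."""
    return sorted(load_onions(status_hits) & load_onions(ransomware_sites))

# Constructed placeholders standing in for real addresses (not any group's real onion).
V3_A, V2_B, V3_C, V2_D = "a" * 56, "b" * 16, "c" * 56, "d" * 16

# Constructed sample of path-API results: each hit is the full URL the crawler fetched.
SAMPLE_STATUS_HITS = [
    f"http://{V3_A}.onion/server-status",
    f"http://{V2_B}.onion/server-status?refresh=5",
    f"http://{V3_C}.onion/server-status",
]

# Constructed sample of a merged ransomware-site list: mixed formats, as merged lists tend to be.
SAMPLE_RANSOMWARE_SITES = [
    f"https://{V3_A}.onion/",
    f"{V2_D}.onion",
    f"{V2_B.upper()}.onion/posts   # group B leak blog",
    "# not an onion: clearnet mirror example.com",
]

if __name__ == "__main__":
    for onion in cross_check(SAMPLE_STATUS_HITS, SAMPLE_RANSOMWARE_SITES):
        print(onion)
```

Normalising first also avoids a false match that a naive grep can produce: a 16-character v2 address is never a substring of a different 56-character v3 address, but a grep for a partial hostname or for a line containing a comment can be.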

Checking our output we see that in total only 3 ransomware blogs/group sites have server-status pages:

Arvin Club, Haron & Midas

Checking the first, Arvin Club:

We see that the server status page presents a vhost of localhost, not much to go by!

We also note that the server is running Ubuntu and is located in the UTC time zone.

Haron Server-Status Page

Checking the Haron server-status page we see that again the vhost is localhost, the server is running Debian and the time zone is Moscow Standard Time (MSK).

Lastly, checking the Midas server status page:

Midas Server-Status Page

We see a VHOST that is not localhost, this time it shows as “Becquerel.selectel.ru”

A server running Debian and a time zone of Moscow standard time.

Becquerel.selectel.ru

The hostname exposed in the server-status page for Midas shows that the web server running the Midas blog is hosted by Selectel, a Russian cloud hosting company:


For at least a short period of time the clear-web portion of the Midas blog was exposed to the internet, allowing Google to crawl and index the server-status page.

The Google cache entry is of an AWS IP in Germany, “3.70.39.23”. According to the cache entry the server was exposed at least up to 27 September 2021, likely for some time before that date, and possibly after 2 October 2021.

How are we sure that this cache entry is the Midas blog web-server? 

It could have been another server, if Selectel reprovisions hostnames. However, the client requests recorded in the cached server-status page for the Becquerel host are for files that are unique to the current Midas blog.

Identical files requested in the Google Cache as what exists on the Midas blog web server

We can say with strong certainty that the cache entry, the clear-web IP and hostname all belong to the Midas web server and that the host is current and operational. 
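As an added example, not SOS Intelligence’s tooling, the following Python reads the fields used above out of a mod_status page (the server name from the page heading, the Server Version line, the Current Time line and its trailing time-zone token, and the per-request Client, VHost and Request columns), then compares the request paths seen in two captures, which is the cross-referencing used to tie the cached clear-web page to the live onion. The two pages it parses are constructed in mod_status layout with reserved example hostnames and addresses; they are not captures from any real server. The constructed onion-side capture also shows the symptom from the intro: every client appears as 127.0.0.1. Regular expressions are adequate here because mod_status emits very plain markup.

```python
import re
from html import unescape

TAG_RE = re.compile(r"<[^>]+>")
ROW_RE = re.compile(r"<tr>(.*?)</tr>", re.S | re.I)
CELL_RE = re.compile(r"<t[dh][^>]*>(.*?)</t[dh]>", re.S | re.I)

def _field(html, label):
    """Value of a '<dt>Label: value</dt>' entry in the mod_status summary list."""
    m = re.search(rf"{label}:\s*(.*?)\s*</dt>", html, re.S | re.I)
    return m.group(1) if m else None

def parse_status(html):
    """Extract the fields used in the investigation from a mod_status HTML page."""
    name = re.search(r"Server Status for ([^\s<]+)", html)
    current_time = _field(html, "Current Time")
    info = {
        "server_name": name.group(1) if name else None,      # h1: 'for <host> (via <ip>)'
        "server_version": _field(html, "Server Version"),    # e.g. Apache/2.4.38 (Debian)
        "current_time": current_time,
        "timezone": current_time.split()[-1] if current_time else None,  # trailing zone token
        "requests": [],                                      # (client, vhost, request line)
    }
    header = None
    for row in ROW_RE.findall(html):
        cells = [unescape(TAG_RE.sub("", c)).strip() for c in CELL_RE.findall(row)]
        if header is None:                    # first row naming Client/Request is the header
            if "Client" in cells and "Request" in cells:
                header = cells
            continue
        if len(cells) != len(header):         # skip totals / spacer rows
            continue
        rec = dict(zip(header, cells))
        info["requests"].append((rec["Client"], rec.get("VHost"), rec["Request"]))
    return info

def request_paths(status):
    """Paths from 'METHOD /path HTTP/x' request lines, query string dropped."""
    paths = set()
    for _client, _vhost, line in status["requests"]:
        parts = line.split()
        if len(parts) >= 2 and parts[0].isalpha():
            paths.add(parts[1].split("?", 1)[0])
    return paths

def shared_paths(status_a, status_b):
    """Paths requested on both captures, ignoring the status page itself."""
    return sorted((request_paths(status_a) & request_paths(status_b)) - {"/server-status"})

# ---- constructed sample pages in mod_status layout (not captures from any real server) ----
_COLUMNS = ["Srv", "PID", "Acc", "M", "CPU", "SS", "Req", "Conn", "Child", "Slot",
            "Client", "Protocol", "VHost", "Request"]

def _row(client, vhost, request):
    filler = ["<b>0-0</b>", "1234", "0/12/12", "_", "0.01", "5", "0", "0.0", "0.01", "0.01"]
    cells = filler + [client, "http/1.1", vhost, request]
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"

def _page(server_name, via, version, now, rows):
    header = "<tr>" + "".join(f"<th>{h}</th>" for h in _COLUMNS) + "</tr>"
    return (f"<html><body><h1>Apache Server Status for {server_name} (via {via})</h1>"
            f"<dl><dt>Server Version: {version}</dt><dt>Server MPM: event</dt>"
            f"<dt>Current Time: {now}</dt></dl>"
            f"<table>{header}{''.join(rows)}</table></body></html>")

# Onion-side capture: every visitor arrives from loopback and the server name is localhost.
CAPTURE_ONION = _page("localhost", "127.0.0.1", "Apache/2.4.38 (Debian)",
                      "Thursday, 30-Sep-2021 14:05:11 MSK", [
    _row("127.0.0.1", "host-a.example", "GET /server-status?refresh=5 HTTP/1.1"),
    _row("127.0.0.1", "host-a.example", "GET /images/test.jpg HTTP/1.1"),
    _row("127.0.0.1", "host-a.example", "GET /mess/ HTTP/1.1"),
    _row("127.0.0.1", "host-a.example", "GET /logo/newlogo2.png HTTP/1.1"),
])

# Clear-web capture, as a search-engine cache would hold it: real clients, hostname leaked.
CAPTURE_CLEARWEB = _page("host-a.example", "192.0.2.10", "Apache/2.4.38 (Debian)",
                         "Monday, 27-Sep-2021 09:41:02 MSK", [
    _row("203.0.113.7", "host-a.example", "GET /server-status HTTP/1.1"),
    _row("203.0.113.7", "host-a.example", "GET /images/test.jpg HTTP/1.1"),
    _row("198.51.100.9", "host-a.example", "GET /mess/ HTTP/1.1"),
    _row("198.51.100.9", "host-a.example", "GET /victims/index.html HTTP/1.1"),
])

if __name__ == "__main__":
    onion, clear = parse_status(CAPTURE_ONION), parse_status(CAPTURE_CLEARWEB)
    for s in (onion, clear):
        print(s["server_name"], s["server_version"], s["timezone"], len(s["requests"]), "requests")
    print("shared paths:", shared_paths(onion, clear))
```

Against a live page the request table only shows what is in flight at that instant, which is why the investigation refreshed the page repeatedly; collecting the union of paths over many refreshes before comparing gives a much stronger overlap than a single snapshot.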

Linking Midas to Haron and Avaddon

Reviewing the client requests on each refresh revealed some interesting paths. These point to image and file locations. Further investigation of these paths uncovered content that is shared by, or identical on, both the Haron and Midas blogs.

For example…

Haron test.jpg image

Midas test.jpg image

Artist: https://twitter.com/JarekMadyda

Midas Victim file [redacted]

Identical victim file on the Haron web server

Midas Mess directory

Mess directory

Identical but older Mess directory on the Haron web server

Haron mess directory

There is significant cross-referencing between folder structures and files showing that the Midas web blog is a copy of the Haron web blog, going by the last-modified timestamps on all of the files we have been able to observe across both blog sites.

Not only does the sharing of files and file structure suggest that this is the same group or operator, but both websites carry each other’s logos.

Further, we can see logo “development” taking place, with logo names such as “newlogo2.png” and “finalLogo.png”. We propose it would be very unusual for one seemingly competing group to have another group’s logo on its web server, let alone for each to have the other’s!

The curious case of Avaddon

On the topic of logos: investigation showed that both Haron and Midas contained the logo file for the Avaddon ransomware group:

There were rumours not only that Haron and Midas were the same group, but that Haron had links to Avaddon.

Forum post on the Dublikat (Duplicate) dark web forum:

“Haron is built on code copied from other ransomware. So, the researchers noticed the following “parallels”: to create binaries, Haron uses the old ransomware builder Thanos; The ransomware site, where victims are asked to negotiate and pay the ransom, is almost identical to Avaddon’s site (as is the site for leaking stolen data); the ransom letter contains large snippets of text copied from a similar Avaddon note; Haron’s server contains icons and images previously found on the official Avaddon website. What all these similarities are connected with is still unclear. The researchers believe that the Haron operators may have hired one of the former Avaddon members, but they clearly did not have access to the source code of the Avaddon ransomware.”

Translated.

We are now able to shed a bit more light on this forum post. It would seem that not only did Haron share resources, images, text and icons with Avaddon, but so does Midas now too, since it is a copy of the Haron blog.

Although Avaddon is now defunct and their onion address is no longer valid, we have been able to extract an HTML cache of their page from our index.

Making minor changes to the HTML, to point it at the Midas and Haron onion addresses, we have effectively been able to “resurrect” the old Avaddon website.

Minor html updates to the Avaddon historic html source:

These minor updates allowed us to load the HTML source and have the page render almost exactly as it would have done in the past.

Avaddon website resurrected loaded locally from a file:

This works because the file and folder structure of the Haron / Midas websites still contains the original logo, CSS and other content that were made for the Avaddon ransomware group website.

We are therefore able to put forward the claim, supported by the evidence in this article, that the previous suggestions that these groups were interlinked appear to be correct.

We’ve confirmed the following Clear Web IPs for both Haron and Midas, both hosted by Selectel Russia:

45.146.164.58 – Midas

45.93.201.176 – Haron

This supports our assumption that the blogs are hosted on separate VMs at Selectel: two distinct public addresses on the same provider is what we would expect, although on its own it does not rule out one machine with two addresses.

Opinion

MI6 to work with more tech companies

In his first speech as the new MI6 boss, Richard Moore has made it very clear that they need to work with innovative technology companies to help protect the UK in the future. He spoke at The International Institute for Strategic Studies today.

“I cannot stress enough what a sea change this is in MI6’s culture, ethos and way of working, since we have traditionally relied primarily on our own capabilities to develop the world-class technologies we need to stay secret and deliver against our mission”.

Richard Moore, as reported by the Guardian

He emphasised that we are living through times where adversaries feel emboldened and have greater-than-ever resources, and that our world is being transformed by digital connectivity and increases in data and computing power.

He said he is paid to look at the threats, and that cyber attacks are growing exponentially.

His mission as Chief is to oversee the modernisation of MI6, invest in the skills it needs in the digital age, and partner with the right people and companies to help it stay ahead of our adversaries.

What we do here at SOS Intelligence, Dark Web threat intelligence, plays a small but important role in enabling companies and organisations to monitor what is happening on the Dark Web.

Focus on cyber threats

MI6’s focus on cyber threats is nothing new. They explicitly list this on their website:

The world increasingly interacts digitally through cyber space. Alongside the many benefits, it leaves individuals, organisations and governments open to cyber risks. These include the possibility of hostile cyber intrusions or attacks against the UK and the UK’s interests. The National Security Strategy identifies this as one of the four main areas of security risk to the UK.

Working as part of a cross-government effort, including GCHQ and its National Cyber Security Centre (NCSC), MI5 and law enforcement, SIS provides secret intelligence to help protect the UK from current and future cyber threats. These can come from a range of cyber actors, such as malign states, terrorists and/or criminals.

MI6

Ransomware, The Dark Web

Keeping track of the CL0P ransomware group

We’ve been featured again over on ITPro. This time it’s about the CL0P ransomware group and the news that they have compromised Swire Pacific Offshore (SPO). SPO announced it had fallen victim to a cyber attack, with “some confidential proprietary commercial information” along with personal information believed to have been stolen.

ITPro article

Sadly, this is an all too common occurrence and one which is increasing in frequency.

If you are concerned about your cyber security and need to monitor the Dark Web, then please schedule a demo. “The best 30 minutes you’ve ever spent” could possibly be a slight exaggeration, but you never know!

You can also follow us on Twitter – @sosintel

Photo by Oxa Roxa on Unsplash.

Product news

We are on the Cyber Runway

Plexal has announced the 108 cyber startups joining the Cyber Runway accelerator and we are delighted to have been chosen!

Cyber Runway is the UK’s most diverse community of cyber founders and entrepreneurs.

Cyber Runway has been designed to address some of the biggest challenges facing cybersecurity, such as diversity and inclusion and regional representation, and support the most promising innovators at various stages of growth. 

The full membership list confirms that Cyber Runway will not only be the largest cyber startup accelerator in the UK, but the most diverse community of cyber founders in the country. 

The cohorts are solving challenges like ransomware, cyber fraud, cyber-physical threats to critical national infrastructure, cloud security, improving threat intelligence and boosting education using emerging technologies such as AI, quantum and cloud security. 

45% of Cyber Runway members are female-led startups and 52% are run by founders from black, ethnic or minority backgrounds.

You can see a list of Grow members including us here.

Plexal has ensured inclusivity is at the heart of Cyber Runway by including under-represented groups in the design and delivery of the programme. Members will also have access to a diverse mentor pool of investors and industry experts. 

50% of member companies are based outside of London and the South East of England. From Ashford to Yeovil, members and their teams are based across the country and Cyber Runway will be delivered in person and virtually to maximise nationwide reach.   

The Cyber Runway membership represents some of the most innovative and high-potential cyber startups currently operating in the UK. Members include scaleups such as CybSafe, which raised £5m earlier this year for its security awareness software, SECQAI, which uses quantum technology and AI to combat cyber threats, Yorkshire-based Bob’s Business, which delivers cyber training, insurtech startup Regulativ.ai, which aims to disrupt cyber regulatory compliance, and Hack The Box, which raised £7m in April for its online cybersecurity training platform.


Cyber Runway programme

Backed by the Department for Digital, Culture, Media and Sport and delivered by Plexal in partnership with CyLon, Deloitte and CSIT (the Centre for Secure Information Technologies), Cyber Runway will be an intensive six-month programme. Three distinct streams will deliver dedicated curricula for cyber startups based on their growth phase: Launch, Grow and Scale. 

Launch: 20 entrepreneurs will get support with launching their business, building a minimum viable product and creating a network. 

Grow: 68 startups and SMEs will get business support to help them address their growing pains, access funding and achieve commercial success. 

Scale: 20 scaleups will access support (including 1:1 mentoring) to help them grow rapidly in the UK and around the world. 

Cyber Runway has replaced and consolidated three DCMS-funded programmes: HutZero, Cyber 101 and Tech Nation’s cyber accelerator for startups. 

The accelerator is designed to strengthen the UK’s cyber ecosystem and accelerate the growth of a new generation of breakthrough cyber startups to improve national security, stimulate innovation and drive economic growth. 

Cyber Runway: member benefits

The 108 member companies will receive:

  • business masterclasses (both virtual and in person)
  • mentoring, engineering support from CSIT and access to CSIT’s data and testing centre
  • technical product development support
  • opportunities to connect with international cyber hubs 
  • regional events 
  • connections to investors and corporates to fuel growth

“We are delighted to have been selected to be a part of the Cyber Runway accelerator programme, we are excited to be participating in the excellent programme and to network with fellow cohorts. The Plexal team has put a lot of hard work into the programme and it shows. Many thanks to the team for making us feel so welcome.”

Amir Hadzipasic, CEO and Founder SOS Intelligence

“This is a golden age for the UK cyber startup ecosystem. Cyber startups are attracting record levels of investment and both the government and global tech giants are coming to British cyber companies to adopt emerging cyber technologies. The scale of Cyber Runway is testament to the enormous potential within the cyber startup community and will help stimulate the supply of innovative cyber solutions that will be needed by the economy and society. 

However, Cyber Runway is also specifically designed to address some of the challenges facing cyber startups as they scale. Our three programmes will connect cyber founders to the mentors, investors and corporates they need to accelerate their growth and access diverse talent. This is a significant moment for UK cyber and I have every confidence that the collaboration between the government and the private sector to create Cyber Runway will make the cyber ecosystem more successful, innovative and inclusive.”

Saj Huq, director of innovation at Plexal.

For more information on SOS Intelligence, please schedule a demo here.
