Deep and Dark Web Round Up

Highlights

  • For DarkOwl’s continuing analysis of the conflict between Israel and Hamas, and of the cyber efforts accompanying this ongoing situation, please see the first section, titled “Middle East Conflict”
  • BHI Energy gives behind the scenes look at their Akira ransomware incident
  • AF/PAK targeted by Indian cyber group DoNot Team
  • New XSS hidden content requirement

Middle East Conflict

Cyber incidents continue to accompany the air and ground conflicts in the Middle East, and the line between digital operations, hacks, and attacks on one side and physical conflict on the other continues to blur. DarkOwl analysts will remain vigilant in briefing our customers on these events and distilling their impact on global business operations.

  • GlorySec alerted Israel to a firewall on Palestinian websites, which GlorySec felt indicated that Palestine had prepared well in advance for a conflict in the cyber realm as well as the physical realm. They also said they would release the data directly to Israel to support its operations.

  • Anonymous Algeria publicly warned the UAE and alerted its airline, Emirates, to a possible system compromise over what the group views as the UAE “not supporting Palestine”.

Malware/Ransomware

Energy company BHI Energy reveals inside details of Akira ransomware incident

Akira actors first used stolen VPN credentials from a third-party contractor’s account to access internal BHI networks. The same account was then used to conduct continued reconnaissance of the internal network. It took the actors just over a week (nine days) to take 767,000 files (690 GB) of data. Exposed data included full names, SSNs, DOBs, and other PII of BHI customers.

An Indian Threat Actor’s Firebird Backdoor Targets AF/PAK Region

Threat group DoNot Team (aka APT-C-35) is using the Firebird backdoor in Pakistan and Afghanistan. DoNot is known for spear phishing emails and malicious Android apps.

Threat Actors

DarkOwl analysts identify new ransomware forum, advertised by RAMP

The admin of RAMP posted an in-depth advertisement and endorsement for Ransomed Forums, a new forum devoted to ransomware-related topics. DarkOwl analysts also identified that chatter about Ransomed Forums increased during October, so anticipation in the wider threat actor community is likely high as this forum comes online.

DarkOwl analysts observe new XSS hidden content requirements

DarkOwl analysts observed a user on XSS advertising information as hidden content that requires 9,999 posts to reveal in full. The information relates to a leak of the panel for a particular botnet.

Notable Leaks and Breaches

Suggested Further Reading

About DarkOwl

DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data, allowing for simplicity in searching.

Our platform collects and stores data in near real time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself.

DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. As importantly, DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. Our passion, our focus, and our expertise is the darknet.

For more information, visit www.darkowl.com.