Deep and Dark Web Round Up
Weekly Highlights
Middle East Conflict
Recent activities include Iranian and US officials calling for an immediate de-escalation after three US service members lost their lives in a drone attack this week. Claims of cyber-attacks and incidents against both Israel and Palestine continue online, as cyber actors use digital means to further their respective causes and beliefs.
Malware/Ransomware
The LockBit ransomware gang claims to be behind the recent cyberattack on Fulton County, Georgia, and is threatening to publish "confidential" documents if a ransom is not paid. Fulton County has acknowledged that it was the victim of a ransomware attack which impacted its systems at the end of January, but has not confirmed which group is behind it. LockBit claims it was able to access sensitive information relating to citizens, which it will publish if the ransom is not paid. The group has set a deadline of February 16.
Bumblebee is a malware loader which is believed to have been developed by the Conti and Trickbot groups. Recent reporting indicates that it has been used to target thousands of organizations in the US in phishing campaigns. According to security researchers, the malware is commonly distributed in phishing campaigns to drop additional payloads for initial network access and to conduct ransomware attacks. The use of the malware has not yet been attributed to a specific group.
Threat Actor Activity
New Market My Fullz launched
A new market called MyFullz was identified by DarkOwl analysts. The marketplace claimed to commemorate its launch with the leak of 200,00 Fullz for free, which it advertised on other dark web forums known for financial crime.
Fullz are shared by cyber criminals and usually include information about an individual such as name, financial information, address, SSN and contact information. They can be used for identity theft or other forms of financial crime.
Russian Market ceases selling RDP Servers
DarkOwl analysts identified a message on the popular dark web marketplace Russian Market stating that it had permanently ceased the sale of RDP servers on its site. Analysts had previously identified that this section of the website had been removed.
The admins did not give any explanation for the removal, but they did recommend several Telegram channels where users could sell or purchase RDP, while claiming that these channels have no affiliation with Russian Market.
The FBI have seized four domains connected to the Warzone RAT, a commodity malware which offered a number of features including UAC bypass, hidden remote desktop, cookie and password stealing, keylogging, webcam recording and remote shell among others. They also arrested, in conjunction with Malta Police, an individual they said was behind the RAT as well as an individual based in Nigeria.
The individual based in Malta was also reported to have sold the Pegasus RAT for the Skynet corporation. DarkOwl have observed the Pegasus RAT being sold as recently as this week.
Notable Leaks and Breaches
Suggested Further Reading
About DarkOwl
DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index and rank darknet, deep web, and high-risk surface net data in a way that allows for simplicity in searching. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself.
DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. As importantly, DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. Our passion, our focus, and our expertise is the darknet.
For more information, visit www.darkowl.com.