Deep and Dark Web Round Up

Weekly Highlights

  • For continuing DarkOwl and overall analysis of the conflict between Israel and Hamas, and the cyber efforts that accompany this ongoing situation, please see the first section, titled “Middle East Conflict”
  • US cell phone company employees receiving SIM swap offers
  • Cisco issues warning about global increase in brute-force activity targeting various devices and services
  • RAT operators arrested in US, Australia
  • TA558 actors employ steganography in latest campaign

Middle East Conflict

There were no notable cyber activities this week connected to the latest Israel-Hamas conflict, but a few developments below will almost certainly influence continued physical and cyber activities and campaigns.

  • As Iran and Israel attack each other with drones and missiles, the threat of cyber retaliation entered the conversation this week, when Israel pledged to respond to physical Iranian aggression with cyber-focused incidents.
  • The world expects Israel to retaliate, but many countries are cautioning Israel to respond in kind and try to avoid serious Middle East conflict escalation.

Malware/Ransomware

US cell phone company employees receive offers for SIM swapping

Cyber actors are cold-contacting employees of various US cell phone companies and offering them cash in exchange for their participation in SIM swapping operations. In SIM swapping incidents, actors fool a wireless carrier, such as Verizon or T-Mobile (both of which were targeted in this latest campaign), into rerouting services to a device controlled by the criminals themselves. Once the “swap” is completed, the victims lose access to most personal accounts, and personal data attached to the cell phone account is also stolen and used in other malicious operations.

Cisco cautions of increase in brute-force attacks targeting VPN, SSH services

Citing Tor exit nodes as the origin, Cisco issued a warning about broad attacks targeting Cisco VPNs, web services, and MikroTik routers. The brute-force attempts use tunnels and proxies for anonymization. Patching is one of the simplest ways to offer protection against this method.

Threat Actor Activity

Firebird RAT operator arrested in joint operation between US, Australia

Two people were arrested for the creation and use of the Firebird RAT, which was later titled the Hive RAT. An unnamed Australian man and US citizen Edmond Chakmakhchyan, who operated online under the handle “Corruption”, sold the RAT on hacking forums. They accepted Bitcoin as payment and provided user support to those who purchased the malware. This operation was halted when the actors sold a license for the RAT to an undercover FBI agent.

TA558 embraces steganography to deliver malware

Malware such as Agent Tesla, Xworm, and keyloggers is showing up in documents with the exploits embedded in images. The targeted sectors include public services, electric/power entities, and construction entities in Latin America, but Romania, Russia, and Turkey have also been targeted in this campaign. Phishing emails are sent with a malicious Excel attachment to start the process of data theft. The stolen data is subsequently sent to Telegram bots, which are controlled by the user handle “joekoala.”

Notable Leaks and Breaches

Suggested Further Reading

About DarkOwl

DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data, which allows for simplicity in searching.

Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself.

DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. As importantly, DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. Our passion, our focus, and our expertise is the darknet.

For more information, visit www.darkowl.com
