Deep and Dark Web Round Up
Weekly Highlights
Malware/Ransomware
The advanced persistent threat (APT) group WIRTE, believed to be associated with the Hamas-affiliated Gaza Cyber Gang, has expanded its operations to target Israeli entities. The group previously conducted espionage operations against the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt.
The Iranian threat actor TA455, also tracked as UNC1549 and Yellow Dev 13, has been observed running a fake job advertisement campaign aimed at the aerospace industry. According to the Israeli cybersecurity company ClearSky, the campaign, dubbed “Dream Job”, has been active since at least September 2023 and distributes the SnailResin malware. TA455 is believed to be a subgroup of the IRGC-affiliated threat actor Charming Kitten.
Kaspersky researchers have identified a new ransomware family, dubbed “Ymir”, that was deployed in an attack two days after the RustyStealer infostealer had infiltrated the targeted infrastructure. As highlighted in the report, Ymir stands out for its “in-memory execution, use of the African Lingala language in a code comment, use of PDF files as ransom notes, and its extension configuration options.”
Threat Actor Activity
The U.S. Department of Justice (DOJ) has charged Asif W. Rahman, formerly employed by the Central Intelligence Agency (CIA), with allegedly leaking highly classified U.S. intelligence documents concerning Israel’s plans for a retaliatory strike against Iran. Rahman was charged with “two counts of illegal transmission of national defense information.”
The DOJ has announced the indictment of two suspected hackers, Connor Riley Moucka and John Erin Binns, for hijacking Snowflake cloud storage accounts to steal data. As many as 165 Snowflake customers may have been affected. According to the indictment, Moucka and Binns used stolen access credentials to log into the victims’ Cloud Computing Instances and download data.
Notable Leaks and Breaches
On November 13, a threat actor on BreachForums claimed to have leaked data from the French news magazine Le Point (lepoint.fr). The breach allegedly exposes the data of 900,000 users and includes email addresses, names, phone numbers, and postal addresses.
On November 8, a threat actor on BreachForums claimed to have leaked data from thuocsi.vn, a popular site in Vietnam. The breach allegedly affects 39,000 users, and the exposed data includes email addresses.
On November 8, a threat actor on BreachForums claimed to have leaked data from Zappian Media LLC, “a US-based lead generation company specializing in high-quality leads for personal loans, payday loans, debt consolidation, auto loans, and more.” The leaked database allegedly includes 1,105,354 records of loan applicants in the United States. Exposed data includes SSNs, DOBs, addresses, first names, phones, email addresses, income types, monthly incomes, and credit scores.
About DarkOwl
DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data, making that data simple to search.
Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself.
DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of that data, its investigation tools, and its passionate customer service. Equally important, DarkOwl data is ethically and safely collected from the darknet, giving users secure and anonymous access to information and threats relevant to their mission. Our passion, our focus, and our expertise is the darknet.
For more information, visit www.darkowl.com.